From 408baf70dabdd2d7ed9703e5cb7690319b1a41ed Mon Sep 17 00:00:00 2001 From: Elis Elliott Date: Thu, 16 Feb 2023 18:44:17 +0000 Subject: Always create an EnforcingAdmin with a non-null ActiveAdmin. Test: btest android.devicepolicy.cts.DeviceManagementCoexistenceTest Change-Id: I45525c7d3f09dc389a0b90de09afabc3fb03d939 --- .../devicepolicy/DevicePolicyManagerService.java | 52 +++++++++++++++------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 3c3cb2b49ba3..c804c9ea16b5 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -22467,7 +22467,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } else { // If the permission maps to no policy (null) this means that any active admin // has permission. - return getActiveAdminForUidLocked(null, caller.getUid()) != null; + return isCallerActiveAdminOrDelegate(caller, null); } } catch (SecurityException e) { // A security exception means there is not an active admin with permission and @@ -22506,23 +22506,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { private EnforcingAdmin getEnforcingAdminForCaller(@Nullable ComponentName who, String callerPackageName) { - CallerIdentity caller = getCallerIdentity(callerPackageName); + CallerIdentity caller = getCallerIdentity(who, callerPackageName); int userId = caller.getUserId(); ActiveAdmin admin; - synchronized (getLockObject()) { - admin = getActiveAdminUncheckedLocked(who, userId); - } - if (isDeviceOwner(caller) || isProfileOwner(caller)) { - return EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userId, admin); - } - if (isCallerDelegate(caller)) { - ComponentName profileOwner = mOwners.getProfileOwnerComponent(caller.getUserId()); - ComponentName dpc = profileOwner != null ? profileOwner : - mOwners.getDeviceOwnerComponent(); - ActiveAdmin dpcAdmin = getDeviceOrProfileOwnerAdminLocked(caller.getUserId()); - return EnforcingAdmin.createEnterpriseEnforcingAdmin(dpc, userId, dpcAdmin); + if (isDeviceOwner(caller) || isProfileOwner(caller) || isCallerDelegate(caller)) { + ComponentName component; + synchronized (getLockObject()) { + if (who != null) { + admin = getActiveAdminUncheckedLocked(who, userId); + component = who; + } else { + admin = getDeviceOrProfileOwnerAdminLocked(userId); + component = admin.info.getComponent(); + } + } + return EnforcingAdmin.createEnterpriseEnforcingAdmin(component, userId, admin); } - if (getActiveAdminUncheckedLocked(who, userId) != null) { + // Check for non-DPC active admins. + admin = getActiveAdminForCaller(who, caller); + if (admin != null) { return EnforcingAdmin.createDeviceAdminEnforcingAdmin(who, userId, admin); } if (admin == null) { @@ -23137,6 +23139,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { }); } + private ActiveAdmin getActiveAdminForCaller(@Nullable ComponentName who, + CallerIdentity caller) { + synchronized (getLockObject()) { + if (who != null) { + return getActiveAdminUncheckedLocked(who, caller.getUserId()); + } + return mInjector.binderWithCleanCallingIdentity(() -> { + List activeAdmins = getActiveAdmins(caller.getUserId()); + if (activeAdmins != null) { + for (ComponentName admin : activeAdmins) { + if (admin.getPackageName().equals(caller.getPackageName())) { + return getActiveAdminUncheckedLocked(admin, caller.getUserId()); + } + } + } + return null; + }); + } + } + // TODO(b/266808047): This will return false for DeviceAdmins not targetting U, which is // inconsistent with the migration logic that allows migration with old DeviceAdmins. private boolean canAddActiveAdminIfPolicyEngineEnabled(String packageName, int userId) { -- cgit v1.2.3-59-g8ed1b