diff options
author | Tony Mak <tonymak@google.com> | 2017-08-10 14:19:43 +0100 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-09-21 20:29:39 +0000 |
commit | ce8518bd2be0a496a5c4725bae461234fa98bddd (patch) | |
tree | 2f46f2ff81dc4493a137a86fc0adf72d83e89f08 | |
parent | a6134112500b199b875285458917ad2f67c05d58 (diff) | |
download | base-ce8518bd2be0a496a5c4725bae461234fa98bddd.tar.gz |
DPC should not be allowed to grant development permission
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant_developmentPermission
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant_developmentPermission
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPermissionGrant
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --t com.android.cts.devicepolicy.MixedProfileOwnerTest#testPermissionGrant
Test: Run "Permissions lockdown" test in CtsVerifier
Bug: 62623498
Merged-In: If83d8edd0eea99145421e967ae47fdc264a5cf7c
Change-Id: I129bfe850981cf0b3646b7c1cf19c8a3ec69f512
(cherry picked from commit d05d2bac845048f84eebad8060d28332b6eda259)
-rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 911bb2a70173..55a1a459f202 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -98,6 +98,7 @@ import android.content.pm.PackageManager; import android.content.pm.PackageManager.NameNotFoundException; import android.content.pm.PackageManagerInternal; import android.content.pm.ParceledListSlice; +import android.content.pm.PermissionInfo; import android.content.pm.ResolveInfo; import android.content.pm.ServiceInfo; import android.content.pm.StringParceledListSlice; @@ -151,6 +152,7 @@ import android.telephony.TelephonyManager; import android.text.TextUtils; import android.util.ArrayMap; import android.util.ArraySet; +import android.util.EventLog; import android.util.Log; import android.util.Pair; import android.util.Slog; @@ -9543,6 +9545,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { < android.os.Build.VERSION_CODES.M) { return false; } + if (!isRuntimePermission(permission)) { + EventLog.writeEvent(0x534e4554, "62623498", user.getIdentifier(), ""); + return false; + } final PackageManager packageManager = mInjector.getPackageManager(); switch (grantState) { case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: { @@ -9569,6 +9575,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return true; } catch (SecurityException se) { return false; + } catch (NameNotFoundException e) { + return false; } finally { mInjector.binderRestoreCallingIdentity(ident); } @@ -9618,6 +9626,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } + public boolean isRuntimePermission(String permissionName) throws NameNotFoundException { + final PackageManager packageManager = mInjector.getPackageManager(); + PermissionInfo permissionInfo = packageManager.getPermissionInfo(permissionName, 0); + return (permissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) + == PermissionInfo.PROTECTION_DANGEROUS; + } + @Override public boolean isProvisioningAllowed(String action, String packageName) { Preconditions.checkNotNull(packageName); |