From 052ed9419bd91914decc277a84b99f6e296275dd Mon Sep 17 00:00:00 2001
From: Varun Shah
Date: Wed, 20 Mar 2019 11:10:33 -0700
Subject: Added missing permission check to isPackageDeviceAdminOnAnyUser.
Added a check for the MANAGE_USERS permission to PackageManagerService#isPackageDeviceAdminOnAnyUser. To test that the method is still usable: 1) Enable virtual storage via: adb shell sm set-virtual-disk true 2) Follow instructions by clicking on notification to set up virtual storage 3) Go to Settings -> Apps & notifications -> See all X apps 4) Click on any non-system app (example Instagram) 5) Tap Storage and you should see a "Change" button (if not, choose another app) 6) Tap Change and you should see Internal and Virtual storage options listed 7) The above step confirms the method is still usable by Settings
Bug: 128599183
Test: SafetyNet logging (steps listed above)
Change-Id: I989f1daf52a71f6c778ebd81baa6f1bf83e9a718
Merged-In: I36521fa43daab399e08869647326a7ac32d1e512
(cherry picked from commit 18e7dedf6c35f07daf8b7239d501737745ac7f43)
---
 services/core/java/com/android/server/pm/PackageManagerService.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index d6b572835950..132f3040d207 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19446,6 +19446,12 @@ public class PackageManagerService extends IPackageManager.Stub
 @Override
 public boolean isPackageDeviceAdminOnAnyUser(String packageName) {
 final int callingUid = Binder.getCallingUid();
+ if (checkUidPermission(android.Manifest.permission.MANAGE_USERS, callingUid)
+ != PERMISSION_GRANTED) {
+ EventLog.writeEvent(0x534e4554, "128599183", -1, "");
+ throw new SecurityException(android.Manifest.permission.MANAGE_USERS
+ + " permission is required to call this API");
+ }
 if (getInstantAppPackageName(callingUid) != null
 && !isCallerSameApp(packageName, callingUid)) {
 return false;
-- 
cgit v1.2.3
From aa868bc15c3fc9383146d303a84daca8a86f0487 Mon Sep 17 00:00:00 2001
From: Pavel Grafov
Date: Wed, 10 Apr 2019 12:47:25 +0100
Subject: Limit IsSeparateProfileChallengeAllowed to system callers
Fixes: 128599668
Test: build, set up separate challenge
Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a
(cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)
---
 .../com/android/server/devicepolicy/DevicePolicyManagerService.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 77cb99f64eed..b0e06eb4de10 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3428,6 +3428,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 @Override
 public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+ if (!isCallerWithSystemUid()) {
+ throw new SecurityException("Caller must be system");
+ }
 ComponentName profileOwner = getProfileOwner(userHandle);
 // Profile challenge is supported on N or newer release.
 return profileOwner != null &&
-- 
cgit v1.2.3
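Review bot: The SafetyNet event on the rejection path in isPackageDeviceAdminOnAnyUser passes `-1` in the slot these events conventionally use for the UID, although `callingUid` is already computed on the line above, so the log cannot attribute a denied call to an app; `EventLog.writeEvent(0x534e4554, "128599183", callingUid, "");` would keep that signal for triage. The new check also sits ahead of the instant-app branch, so a caller that used to get `false` from that branch now gets a SecurityException; if that is intended, a comment such as `// MANAGE_USERS is required of every caller, instant apps included` above the check would record it. The method body continues past the end of the hunk, so later uses of `callingUid` are not visible here.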
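Review bot: The rejection added to isSeparateProfileChallengeAllowed is silent and its message does not name the API, so a denied caller shows up only as a generic "Caller must be system" with nothing logged on the server side; the sibling fix in PackageManagerService writes an event before throwing, and doing the same here (or at least `throw new SecurityException("isSeparateProfileChallengeAllowed: caller must be system");`) would make refused calls easier to spot. The definition of `isCallerWithSystemUid()` is outside the hunk, so this assumes it compares the Binder calling UID with the system UID and nothing broader. A one-line comment above the check, for example `// Result reveals whether userHandle has a profile owner; restrict to system.`, would explain why a read-only query is gated. The return statement is cut off at the end of the hunk.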