Fix is installed check condition in DevicePolicyManagerService
DPMS#setDelegatedScopes generally enforces the delegate is installed in
the device, but this check should be skipped on DELEGATION_CERT_INSTALL
scopes on pre-N. Additionally the check is also skipped when clearing up
delegations on pre-N. The check was extracted to a separate function for
clarity.
Bug: 35234284
Test: cts-tradefed run cts-dev --module CtsDevicePolicyManagerTestCases --test com.android.cts.devicepolicy.ProfileOwnerTestApi23#testDelegatedCertInstaller
Change-Id: Ib723b58243f901af907e368017b1ae0bb101360d
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 620d441..65a4d3a 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4875,6 +4875,28 @@
}
/**
+ * Determine whether DPMS should check if a delegate package is already installed before
+ * granting it new delegations via {@link #setDelegatedScopes}.
+ */
+ private static boolean shouldCheckIfDelegatePackageIsInstalled(String delegatePackage,
+ int targetSdk, List<String> scopes) {
+ // 1) Never skip is installed check from N.
+ if (targetSdk >= Build.VERSION_CODES.N) {
+ return true;
+ }
+ // 2) Skip if DELEGATION_CERT_INSTALL is the only scope being given.
+ if (scopes.size() == 1 && scopes.get(0).equals(DELEGATION_CERT_INSTALL)) {
+ return false;
+ }
+ // 3) Skip if all previously granted scopes are being cleared.
+ if (scopes.isEmpty()) {
+ return false;
+ }
+ // Otherwise it should check that delegatePackage is installed.
+ return true;
+ }
+
+ /**
* Set the scopes of a device owner or profile owner delegate.
*
* @param who the device owner or profile owner.
@@ -4900,8 +4922,8 @@
// Ensure calling process is device/profile owner.
getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
// Ensure the delegate is installed (skip this for DELEGATION_CERT_INSTALL in pre-N).
- if (scopes.size() == 1 && scopes.get(0).equals(DELEGATION_CERT_INSTALL) ||
- getTargetSdk(who.getPackageName(), userId) >= Build.VERSION_CODES.N) {
+ if (shouldCheckIfDelegatePackageIsInstalled(delegatePackage,
+ getTargetSdk(who.getPackageName(), userId), scopes)) {
// Throw when the delegate package is not installed.
if (!isPackageInstalledForUser(delegatePackage, userId)) {
throw new IllegalArgumentException("Package " + delegatePackage
@@ -5119,8 +5141,10 @@
final String currentPackage = policy.mDelegationMap.keyAt(i);
final List<String> currentScopes = policy.mDelegationMap.valueAt(i);
- if (!currentPackage.equals(delegatePackage) && currentScopes.remove(scope)) {
- setDelegatedScopes(who, currentPackage, currentScopes);
+ if (!currentPackage.equals(delegatePackage) && currentScopes.contains(scope)) {
+ final List<String> newScopes = new ArrayList(currentScopes);
+ newScopes.remove(scope);
+ setDelegatedScopes(who, currentPackage, newScopes);
}
}
}