Failing setPackagesSuspended if user has a DO / PO
Device or profile owners should be suspending packages via
DevicePolicyManager. If an app with SUSPEND_APPS tries use the
PackageManager api on a user with a DO or a PO, the call should fail
Test: gts-tradefed run gts-dev -m SuspendApps
Bug: 78132137
Change-Id: If478db0726073c2e59dba3a7049cc16c56d9f3d5
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 50ac4db..43679ca 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13625,25 +13625,15 @@
// install reason correctly.
return installReason;
}
-
- final IDevicePolicyManager dpm = IDevicePolicyManager.Stub.asInterface(
- ServiceManager.getService(Context.DEVICE_POLICY_SERVICE));
- if (dpm != null) {
- ComponentName owner = null;
- try {
- owner = dpm.getDeviceOwnerComponent(true /* callingUserOnly */);
- if (owner == null) {
- owner = dpm.getProfileOwner(UserHandle.getUserId(installerUid));
- }
- } catch (RemoteException e) {
- }
- if (owner != null && owner.getPackageName().equals(installerPackageName)) {
- // If the install is being performed by a device or profile owner, the install
- // reason should be enterprise policy.
- return PackageManager.INSTALL_REASON_POLICY;
- }
+ final String ownerPackage = mProtectedPackages.getDeviceOwnerOrProfileOwnerPackage(
+ UserHandle.getUserId(installerUid));
+ if (ownerPackage != null && ownerPackage.equals(installerPackageName)) {
+ // If the install is being performed by a device or profile owner, the install
+ // reason should be enterprise policy.
+ return PackageManager.INSTALL_REASON_POLICY;
}
+
if (installReason == PackageManager.INSTALL_REASON_POLICY) {
// If the install is being performed by a regular app (i.e. neither system app nor
// device or profile owner), we have no reason to believe that the app is acting on
@@ -14040,7 +14030,11 @@
throw new IllegalArgumentException("CallingPackage " + callingPackage + " does not"
+ " belong to calling app id " + UserHandle.getAppId(callingUid));
}
-
+ if (!PLATFORM_PACKAGE_NAME.equals(callingPackage)
+ && mProtectedPackages.getDeviceOwnerOrProfileOwnerPackage(userId) != null) {
+ throw new UnsupportedOperationException("Cannot suspend/unsuspend packages. User "
+ + userId + " has an active DO or PO");
+ }
if (ArrayUtils.isEmpty(packageNames)) {
return packageNames;
}
diff --git a/services/core/java/com/android/server/pm/ProtectedPackages.java b/services/core/java/com/android/server/pm/ProtectedPackages.java
index e67364a..a374e14 100644
--- a/services/core/java/com/android/server/pm/ProtectedPackages.java
+++ b/services/core/java/com/android/server/pm/ProtectedPackages.java
@@ -88,6 +88,13 @@
return false;
}
+ public synchronized String getDeviceOwnerOrProfileOwnerPackage(int userId) {
+ if (mDeviceOwnerUserId == userId) {
+ return mDeviceOwnerPackage;
+ }
+ return mProfileOwnerPackages.get(userId);
+ }
+
/**
* Returns {@code true} if a given package is protected. Otherwise, returns {@code false}.
*
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index e07b89f..51ce7c2 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -73,6 +73,9 @@
import static com.android.server.devicepolicy.TransferOwnershipMetadataManager.ADMIN_TYPE_DEVICE_OWNER;
import static com.android.server.devicepolicy.TransferOwnershipMetadataManager.ADMIN_TYPE_PROFILE_OWNER;
+
+import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME;
+
import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
import static org.xmlpull.v1.XmlPullParser.END_TAG;
import static org.xmlpull.v1.XmlPullParser.TEXT;
@@ -9193,8 +9196,8 @@
long id = mInjector.binderClearCallingIdentity();
try {
- return mIPackageManager.setPackagesSuspendedAsUser(
- packageNames, suspended, null, null, null, "android", callingUserId);
+ return mIPackageManager.setPackagesSuspendedAsUser(packageNames, suspended,
+ null, null, null, PLATFORM_PACKAGE_NAME, callingUserId);
} catch (RemoteException re) {
// Shouldn't happen.
Slog.e(LOG_TAG, "Failed talking to the package manager", re);