Grant Device ID access to PO/DO delegates

Let the delegated certificate installer access device identifiers
(serial number, IMEI, meid) via the standard platform APIs.

This makes sense since the DO/PO can already access Device IDs and
nothing technically prevents the DO/PO from sending the Device IDs to
the app it nominated as the delegate.

To make things simpler for the delegate and DPC, let the delegate access
the Device IDs directly.

Bug: 120616022
Test: atest CtsDevicePolicyManagerTestCases:com.android.cts.devicepolicy.MixedDeviceOwnerTest#testDelegatedCertInstallerDirectly
Test: atest CtsDevicePolicyManagerTestCases:com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testDelegatedCertInstallerDirectly
Change-Id: I0c996eeb0d35e99821ca3dcfe1afda01cd5ceb2f
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index a01a026..f176bc4 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -8364,16 +8364,22 @@
                 != PackageManager.PERMISSION_GRANTED) {
             return false;
         }
-        // Allow access to the device owner.
+
+        // Allow access to the device owner or delegate cert installer.
         ComponentName deviceOwner = getDeviceOwnerComponent(true);
-        if (deviceOwner != null && deviceOwner.getPackageName().equals(packageName)) {
+        if (deviceOwner != null && (deviceOwner.getPackageName().equals(packageName)
+                    || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) {
             return true;
         }
-        // Allow access to the profile owner for the specified user.
+        // Allow access to the profile owner for the specified user, or delegate cert installer
         ComponentName profileOwner = getProfileOwnerAsUser(userHandle);
-        if (profileOwner != null && profileOwner.getPackageName().equals(packageName)) {
+        if (profileOwner != null && (profileOwner.getPackageName().equals(packageName)
+                    || isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL))) {
             return true;
         }
+
+        Log.w(LOG_TAG, String.format("Package if %s (uid=%d, pid=%d) cannot access Device IDs",
+                    packageName, uid, pid));
         return false;
     }
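Review bot: The delegate test added to both conditions is not tied to the owner each branch looks up: `isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL)` is evaluated identically under `deviceOwner != null` and `profileOwner != null`, so access is effectively granted when any owner exists and the caller holds the cert-install scope. `isCallerDelegate` is defined outside this hunk, as is the start of this function, so it cannot be confirmed here whether the delegation is resolved for `userHandle` or for the user derived from `uid`. If it is the latter, an explicit check or a comment stating that the two must match would make the grant of persistent identifiers auditable. Computing it once, `boolean isCertInstaller = isCallerDelegate(packageName, uid, DELEGATION_CERT_INSTALL);`, and reusing it in both conditions would also make the intent clearer. Separately, the new denial log reads "Package if %s", which looks like a typo for `"Package %s (uid=%d, pid=%d) cannot access Device IDs"`.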