Device or profile owner can let another app manage app restrictions
The device or profile owner can allow another
package to set app restrictions for any app in that user
Similar to the way it can give permission to access
CA certificate related APIs from M.
Bug: 22541936
Change-Id: I0c1b0804ad300dfa4fbdc1c7721c5d8653d77861
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 810ee6b..c9810fc 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -193,6 +193,8 @@
private static final String ATTR_PERMISSION_POLICY = "permission-policy";
private static final String ATTR_DELEGATED_CERT_INSTALLER = "delegated-cert-installer";
+ private static final String ATTR_APPLICATION_RESTRICTIONS_MANAGER
+ = "application-restrictions-manager";
private static final int STATUS_BAR_DISABLE_MASK =
StatusBarManager.DISABLE_EXPAND |
@@ -322,6 +324,8 @@
boolean doNotAskCredentialsOnBoot = false;
+ String mApplicationRestrictionsManagingPackage;
+
public DevicePolicyData(int userHandle) {
mUserHandle = userHandle;
}
@@ -1035,19 +1039,15 @@
saveSettingsLocked(policy.mUserHandle);
}
- if (policy.mDelegatedCertInstallerPackage != null &&
- (packageName == null
- || packageName.equals(policy.mDelegatedCertInstallerPackage))) {
- try {
- // Check if delegated cert installer package is removed.
- if (mIPackageManager.getPackageInfo(
- policy.mDelegatedCertInstallerPackage, 0, userHandle) == null) {
- policy.mDelegatedCertInstallerPackage = null;
- saveSettingsLocked(policy.mUserHandle);
- }
- } catch (RemoteException e) {
- // Shouldn't happen
- }
+ // Check if delegated cert installer or app restrictions managing packages are removed.
+ if (isRemovedPackage(packageName, policy.mDelegatedCertInstallerPackage, userHandle)) {
+ policy.mDelegatedCertInstallerPackage = null;
+ saveSettingsLocked(policy.mUserHandle);
+ }
+ if (isRemovedPackage(
+ packageName, policy.mApplicationRestrictionsManagingPackage, userHandle)) {
+ policy.mApplicationRestrictionsManagingPackage = null;
+ saveSettingsLocked(policy.mUserHandle);
}
}
if (removed) {
@@ -1056,6 +1056,18 @@
}
}
+ private boolean isRemovedPackage(String changedPackage, String targetPackage, int userHandle) {
+ try {
+ return targetPackage != null
+ && (changedPackage == null || changedPackage.equals(targetPackage))
+ && mIPackageManager.getPackageInfo(targetPackage, 0, userHandle) == null;
+ } catch (RemoteException e) {
+ // Shouldn't happen
+ }
+
+ return false;
+ }
+
/**
* Unit test will subclass it to inject mocks.
*/
@@ -1795,6 +1807,10 @@
out.attribute(null, ATTR_DELEGATED_CERT_INSTALLER,
policy.mDelegatedCertInstallerPackage);
}
+ if (policy.mApplicationRestrictionsManagingPackage != null) {
+ out.attribute(null, ATTR_APPLICATION_RESTRICTIONS_MANAGER,
+ policy.mApplicationRestrictionsManagingPackage);
+ }
final int N = policy.mAdminList.size();
for (int i=0; i<N; i++) {
@@ -1920,6 +1936,8 @@
}
policy.mDelegatedCertInstallerPackage = parser.getAttributeValue(null,
ATTR_DELEGATED_CERT_INSTALLER);
+ policy.mApplicationRestrictionsManagingPackage = parser.getAttributeValue(null,
+ ATTR_APPLICATION_RESTRICTIONS_MANAGER);
type = parser.next();
int outerDepth = parser.getDepth();
@@ -4815,6 +4833,7 @@
DevicePolicyData policy = getUserData(userId);
policy.mPermissionPolicy = DevicePolicyManager.PERMISSION_POLICY_PROMPT;
policy.mDelegatedCertInstallerPackage = null;
+ policy.mApplicationRestrictionsManagingPackage = null;
policy.mStatusBarDisabled = false;
saveSettingsLocked(userId);
@@ -5187,18 +5206,68 @@
}
@Override
- public void setApplicationRestrictions(ComponentName who, String packageName, Bundle settings) {
- Preconditions.checkNotNull(who, "ComponentName is null");
- final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId());
+ public void setApplicationRestrictionsManagingPackage(ComponentName admin, String packageName) {
+ final int userHandle = mInjector.userHandleGetCallingUserId();
synchronized (this) {
- getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ DevicePolicyData policy = getUserData(userHandle);
+ policy.mApplicationRestrictionsManagingPackage = packageName;
+ saveSettingsLocked(userHandle);
+ }
+ }
- long id = mInjector.binderClearCallingIdentity();
- try {
- mUserManager.setApplicationRestrictions(packageName, settings, userHandle);
- } finally {
- mInjector.binderRestoreCallingIdentity(id);
+ @Override
+ public String getApplicationRestrictionsManagingPackage(ComponentName admin) {
+ final int userHandle = mInjector.userHandleGetCallingUserId();
+ synchronized (this) {
+ getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ DevicePolicyData policy = getUserData(userHandle);
+ return policy.mApplicationRestrictionsManagingPackage;
+ }
+ }
+
+ @Override
+ public boolean isCallerApplicationRestrictionsManagingPackage() {
+ final int callingUid = mInjector.binderGetCallingUid();
+ final int userHandle = UserHandle.getUserId(callingUid);
+ synchronized (this) {
+ final DevicePolicyData policy = getUserData(userHandle);
+ if (policy.mApplicationRestrictionsManagingPackage == null) {
+ return false;
}
+
+ try {
+ int uid = mContext.getPackageManager().getPackageUid(
+ policy.mApplicationRestrictionsManagingPackage, userHandle);
+ return uid == callingUid;
+ } catch (NameNotFoundException e) {
+ return false;
+ }
+ }
+ }
+
+ private void enforceCanManageApplicationRestrictions(ComponentName who) {
+ if (who != null) {
+ synchronized (this) {
+ getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ }
+ } else if (!isCallerApplicationRestrictionsManagingPackage()) {
+ throw new SecurityException(
+ "No admin component given, and caller cannot manage application restrictions "
+ + "for other apps.");
+ }
+ }
+
+ @Override
+ public void setApplicationRestrictions(ComponentName who, String packageName, Bundle settings) {
+ enforceCanManageApplicationRestrictions(who);
+
+ final UserHandle userHandle = mInjector.binderGetCallingUserHandle();
+ final long id = mInjector.binderClearCallingIdentity();
+ try {
+ mUserManager.setApplicationRestrictions(packageName, settings, userHandle);
+ } finally {
+ mInjector.binderRestoreCallingIdentity(id);
}
}
@@ -5764,21 +5833,17 @@
@Override
public Bundle getApplicationRestrictions(ComponentName who, String packageName) {
- Preconditions.checkNotNull(who, "ComponentName is null");
- final UserHandle userHandle = new UserHandle(UserHandle.getCallingUserId());
+ enforceCanManageApplicationRestrictions(who);
- synchronized (this) {
- getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
-
- long id = mInjector.binderClearCallingIdentity();
- try {
- Bundle bundle = mUserManager.getApplicationRestrictions(packageName, userHandle);
- // if no restrictions were saved, mUserManager.getApplicationRestrictions
- // returns null, but DPM method should return an empty Bundle as per JavaDoc
- return bundle != null ? bundle : Bundle.EMPTY;
- } finally {
- mInjector.binderRestoreCallingIdentity(id);
- }
+ final UserHandle userHandle = mInjector.binderGetCallingUserHandle();
+ final long id = mInjector.binderClearCallingIdentity();
+ try {
+ Bundle bundle = mUserManager.getApplicationRestrictions(packageName, userHandle);
+ // if no restrictions were saved, mUserManager.getApplicationRestrictions
+ // returns null, but DPM method should return an empty Bundle as per JavaDoc
+ return bundle != null ? bundle : Bundle.EMPTY;
+ } finally {
+ mInjector.binderRestoreCallingIdentity(id);
}
}
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 565ef4b..7747fd9 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -944,6 +944,88 @@
assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg2").size());
}
+ public void testApplicationRestrictionsManagingApp() throws Exception {
+ setAsProfileOwner(admin1);
+
+ final String appRestrictionsManagerPackage = "com.google.app.restrictions.manager";
+ final int appRestrictionsManagerAppId = 20987;
+ final int appRestrictionsManagerUid = UserHandle.getUid(
+ DpmMockContext.CALLER_USER_HANDLE, appRestrictionsManagerAppId);
+ doReturn(appRestrictionsManagerUid).when(mContext.packageManager).getPackageUid(
+ eq(appRestrictionsManagerPackage),
+ eq(DpmMockContext.CALLER_USER_HANDLE));
+ mContext.binder.callingUid = appRestrictionsManagerUid;
+
+ // appRestrictionsManager package shouldn't be able to manage restrictions as the PO hasn't
+ // delegated that permission yet.
+ assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
+ Bundle rest = new Bundle();
+ rest.putString("KEY_STRING", "Foo1");
+ try {
+ dpm.setApplicationRestrictions(null, "pkg1", rest);
+ fail("Didn't throw expected SecurityException");
+ } catch (SecurityException expected) {
+ MoreAsserts.assertContainsRegex(
+ "caller cannot manage application restrictions", expected.getMessage());
+ }
+ try {
+ dpm.getApplicationRestrictions(null, "pkg1");
+ fail("Didn't throw expected SecurityException");
+ } catch (SecurityException expected) {
+ MoreAsserts.assertContainsRegex(
+ "caller cannot manage application restrictions", expected.getMessage());
+ }
+
+ // Check via the profile owner that no restrictions were set.
+ mContext.binder.callingUid = DpmMockContext.CALLER_UID;
+ assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
+
+ // Let appRestrictionsManagerPackage manage app restrictions
+ dpm.setApplicationRestrictionsManagingPackage(admin1, appRestrictionsManagerPackage);
+ assertEquals(appRestrictionsManagerPackage,
+ dpm.getApplicationRestrictionsManagingPackage(admin1));
+
+ // Now that package should be able to set and retrieve app restrictions.
+ mContext.binder.callingUid = appRestrictionsManagerUid;
+ assertTrue(dpm.isCallerApplicationRestrictionsManagingPackage());
+ dpm.setApplicationRestrictions(null, "pkg1", rest);
+ Bundle returned = dpm.getApplicationRestrictions(null, "pkg1");
+ assertEquals(1, returned.size(), 1);
+ assertEquals("Foo1", returned.get("KEY_STRING"));
+
+ // The same app running on a separate user shouldn't be able to manage app restrictions.
+ mContext.binder.callingUid = UserHandle.getUid(
+ UserHandle.USER_SYSTEM, appRestrictionsManagerAppId);
+ assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
+ try {
+ dpm.setApplicationRestrictions(null, "pkg1", rest);
+ fail("Didn't throw expected SecurityException");
+ } catch (SecurityException expected) {
+ MoreAsserts.assertContainsRegex(
+ "caller cannot manage application restrictions", expected.getMessage());
+ }
+
+ // The DPM is still able to manage app restrictions, even if it allowed another app to do it
+ // too.
+ mContext.binder.callingUid = DpmMockContext.CALLER_UID;
+ assertEquals(returned, dpm.getApplicationRestrictions(admin1, "pkg1"));
+ dpm.setApplicationRestrictions(admin1, "pkg1", null);
+ assertEquals(0, dpm.getApplicationRestrictions(admin1, "pkg1").size());
+
+ // Removing the ability for the package to manage app restrictions.
+ dpm.setApplicationRestrictionsManagingPackage(admin1, null);
+ assertNull(dpm.getApplicationRestrictionsManagingPackage(admin1));
+ mContext.binder.callingUid = appRestrictionsManagerUid;
+ assertFalse(dpm.isCallerApplicationRestrictionsManagingPackage());
+ try {
+ dpm.setApplicationRestrictions(null, "pkg1", null);
+ fail("Didn't throw expected SecurityException");
+ } catch (SecurityException expected) {
+ MoreAsserts.assertContainsRegex(
+ "caller cannot manage application restrictions", expected.getMessage());
+ }
+ }
+
public void testSetUserRestriction_asDo() throws Exception {
mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
mContext.callerPermissions.add(permission.MANAGE_USERS);