DeviceAdminService must be protected with BIND_DEVICE_ADMIN.
Bug: 37625902
Bug: 36226832
Test: cts-tradefed run cts-dev --skip-device-info --skip-preconditions --skip-system-status-check com.android.compatibility.common.tradefed.targetprep.NetworkConnectivityChecker -a armeabi-v7a -l DEBUG -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceAdminServiceDeviceOwnerTest
Test: cts-tradefed run cts-dev --skip-device-info --skip-preconditions --skip-system-status-check com.android.compatibility.common.tradefed.targetprep.NetworkConnectivityChecker -a armeabi-v7a -l DEBUG -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceAdminServiceProfileOwnerTest
Change-Id: I0bee75d758b565c6587d0e9cabf63bec351a0669
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index a939eb0..7855b92 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -1518,7 +1518,8 @@
* Service action: Action for a service that device owner and profile owner can optionally
* own. If a device owner or a profile owner has such a service, the system tries to keep
* a bound connection to it, in order to keep their process always running.
- * The service must not be exported.
+ * The service must be protected with the {@link android.Manifest.permission#BIND_DEVICE_ADMIN}
+ * permission.
*/
@SdkConstant(SdkConstantType.SERVICE_ACTION)
public static final String ACTION_DEVICE_ADMIN_SERVICE
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DeviceAdminServiceController.java b/services/devicepolicy/java/com/android/server/devicepolicy/DeviceAdminServiceController.java
index 97fa9d5..c7b8f02 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DeviceAdminServiceController.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DeviceAdminServiceController.java
@@ -15,6 +15,7 @@
*/
package com.android.server.devicepolicy;
+import android.Manifest.permission;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.admin.DevicePolicyManager;
@@ -115,10 +116,12 @@
return null;
}
final ServiceInfo si = list.get(0).serviceInfo;
- if (si.exported) {
- Log.e(TAG, "DeviceAdminService must not be exported: '"
+
+ if (!permission.BIND_DEVICE_ADMIN.equals(si.permission)) {
+ Log.e(TAG, "DeviceAdminService "
+ si.getComponentName().flattenToShortString()
- + "' will be ignored.");
+ + " must be protected with " + permission.BIND_DEVICE_ADMIN
+ + ".");
return null;
}
return si;