author | Rubin Xu <rubinxu@google.com> | 2021-09-24 14:59:04 +0100 |
---|---|---|
committer | Rubin Xu <rubinxu@google.com> | 2021-09-24 14:30:39 +0000 |
commit | efae78ed2b46bb7807765c21fdea857b648ad130 (patch) | |
tree | 7191f8ddf13a37f2518dc8d1f15ee232d6b72189 | |
parent | 4dd980077c4f4e6338fff0976602e3e277f947eb (diff) |
Lockdown DPMS.getOrganizationNameForUser()
Only allow system components to call this hidden API.
Bug: 192368508
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Change-Id: I740943195f016b30607d4103a54ca0fe04d31f8a
2 files changed, 7 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 193d92a3b2ff..bd0d430c7291 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -14060,6 +14060,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
 final CallerIdentity caller = getCallerIdentity();
 Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
+ Preconditions.checkCallAuthorization(canManageUsers(caller));
 Preconditions.checkCallAuthorization(isManagedProfile(userHandle), "You can not get organization name outside a managed profile, userId = %d", userHandle);
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 7b20bf0f6bc7..63e4efc1cce0 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -7753,6 +7753,12 @@ public class DevicePolicyManagerTest extends DpmTestBase {
 DpmMockContext.CALLER_SYSTEM_USER_UID, admin1.getPackageName(), MODE_DEFAULT);
 }
+ @Test
+ public void testGetOrganizationNameForUser_calledByNonPrivilegedApp_throwsException() {
+ assertExpectException(SecurityException.class, "Calling identity is not authorized",
+ () -> dpm.getOrganizationNameForUser(UserHandle.USER_SYSTEM));
+ }
+
 private void setupVpnAuthorization(String userVpnPackage, int userVpnUid) {
 final AppOpsManager.PackageOps vpnOp = new AppOpsManager.PackageOps(userVpnPackage, userVpnUid, List.of(new AppOpsManager.OpEntry( |
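Review bot: The added `Preconditions.checkCallAuthorization(canManageUsers(caller));` has neither a message nor a comment, so a rejected caller gets the same generic failure as the `hasFullCrossUsersPermission` check directly above it, and nothing in the code says why a second gate is needed. I would put a comment above it such as `// Hidden API: only callers that can manage users (system components) may read the organization name.` and give the check its own message, as the `isManagedProfile` check below already has, e.g. `Preconditions.checkCallAuthorization(canManageUsers(caller), "Caller cannot manage users");`. A distinct message makes a denied call attributable to this gate in logs, but the new test in this commit matches on the generic text and would have to be updated with it. What `canManageUsers` accepts is not visible in this hunk, so the comment wording should be confirmed against its definition. The enclosing method starts and ends outside the hunk.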
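Review bot: The new test may pass even without the `canManageUsers` check, because it asserts only the text "Calling identity is not authorized", which the message-less `hasFullCrossUsersPermission` check that runs first presumably produces as well. If the default caller set up in `DpmTestBase` (not visible here) is outside `UserHandle.USER_SYSTEM` or lacks the cross-user permission, the call is rejected by that earlier check and the new gate is never reached. Arrange the caller so that it passes the cross-user check, and record that in the test with a comment such as `// Caller passes hasFullCrossUsersPermission; only canManageUsers should reject it.` A companion case in which a caller that can manage users gets the organization name back for a managed profile would also show that the lockdown does not break the intended system callers.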