import android.annotation.UserIdInt;
import android.app.Activity;
import android.app.ActivityManager;
+import android.app.ActivityManagerInternal;
import android.app.ActivityManagerNative;
import android.app.AlarmManager;
import android.app.AppGlobals;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.PackageManagerInternal;
import android.content.pm.ParceledListSlice;
+import android.content.pm.PermissionInfo;
import android.content.pm.ResolveInfo;
import android.content.pm.ServiceInfo;
import android.content.pm.UserInfo;
import android.security.IKeyChainService;
import android.security.KeyChain;
import android.security.KeyChain.KeyChainConnection;
+import android.security.KeyStore;
import android.service.persistentdata.PersistentDataBlockManager;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
import android.util.ArrayMap;
import android.util.ArraySet;
+import android.util.EventLog;
import android.util.Log;
import android.util.Pair;
import android.util.Slog;
}
private void setDeviceOwnerSystemPropertyLocked() {
- // Device owner may still be provisioned, do not set the read-only system property yet.
- // Wear devices don't set device_provisioned until the device is paired, so allow
- // device_owner property to be set without that.
- if (!mIsWatch
- && mInjector.settingsGlobalGetInt(Settings.Global.DEVICE_PROVISIONED, 0) == 0) {
+ final boolean deviceProvisioned =
+ mInjector.settingsGlobalGetInt(Settings.Global.DEVICE_PROVISIONED, 0) != 0;
+ // If the device is not provisioned and there is currently no device owner, do not set the
+ // read-only system property yet, since Device owner may still be provisioned. For Wear
+ // devices, if there is already a device owner then it's OK to set the property to true now,
+ // regardless the provision state.
+ final boolean isWatchWithDeviceOwner = mIsWatch && mOwners.hasDeviceOwner();
+ if (!isWatchWithDeviceOwner && !deviceProvisioned) {
return;
}
// Still at the first stage of CryptKeeper double bounce, mOwners.hasDeviceOwner is
@Override
public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+ if (!isCallerWithSystemUid()) {
+ throw new SecurityException("Caller must be system");
+ }
ComponentName profileOwner = getProfileOwner(userHandle);
// Profile challenge is supported on N or newer release.
return profileOwner != null &&
}
boolean legacyApp = false;
- if (ai.targetSdkVersion <= Build.VERSION_CODES.M) {
- legacyApp = true;
+ if (ai != null) {
+ if (ai.targetSdkVersion <= Build.VERSION_CODES.M) {
+ legacyApp = true;
+ }
}
final int rawStatus = getEncryptionStatus();
intent.setComponent(mOwners.getDeviceOwnerComponent());
intent.setDataAndType(bugreportUri, RemoteBugreportUtils.BUGREPORT_MIMETYPE);
intent.putExtra(DeviceAdminReceiver.EXTRA_BUGREPORT_HASH, bugreportHash);
- mContext.grantUriPermission(mOwners.getDeviceOwnerComponent().getPackageName(),
- bugreportUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+
+ LocalServices.getService(ActivityManagerInternal.class)
+ .grantUriPermissionFromIntent(Process.SHELL_UID,
+ mOwners.getDeviceOwnerComponent().getPackageName(),
+ intent, mOwners.getDeviceOwnerUserId());
mContext.sendBroadcastAsUser(intent, UserHandle.of(mOwners.getDeviceOwnerUserId()));
}
} catch (FileNotFoundException e) {
}
/**
+ * @hide
+ */
+ @Override
+ public boolean requireSecureKeyguard(int userHandle) {
+ if (!mHasFeature) {
+ return false;
+ }
+
+ int passwordQuality = getPasswordQuality(null, userHandle, false);
+ if (passwordQuality > DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
+ return true;
+ }
+
+ int encryptionStatus = getStorageEncryptionStatus(null, userHandle);
+ if (encryptionStatus == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
+ || encryptionStatus == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING) {
+ return true;
+ }
+
+ final int keyguardDisabledFeatures = getKeyguardDisabledFeatures(null, userHandle, false);
+ return (keyguardDisabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS) != 0;
+ }
+
+
+ /**
* Gets the disabled state for features in keyguard for the given admin,
* or the aggregate of all active admins if who is null.
*/
if (!mHasFeature) {
return null;
}
+ enforceManageUsers();
synchronized (this) {
List<String> result = null;
// If we have multiple profiles we return the intersection of the
< android.os.Build.VERSION_CODES.M) {
return false;
}
+ if (!isRuntimePermission(permission)) {
+ EventLog.writeEvent(0x534e4554, "62623498", user.getIdentifier(), "");
+ return false;
+ }
final PackageManager packageManager = mContext.getPackageManager();
switch (grantState) {
case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: {
return true;
} catch (SecurityException se) {
return false;
+ } catch (NameNotFoundException e) {
+ return false;
} finally {
mInjector.binderRestoreCallingIdentity(ident);
}
}
}
+ public boolean isRuntimePermission(String permissionName) throws NameNotFoundException {
+ final PackageManager packageManager = mContext.getPackageManager();
+ PermissionInfo permissionInfo = packageManager.getPermissionInfo(permissionName, 0);
+ return (permissionInfo.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+ == PermissionInfo.PROTECTION_DANGEROUS;
+ }
+
@Override
public boolean isProvisioningAllowed(String action) {
if (!mHasFeature) {