Merge "Don't ignore updated policies on PO/DO." into qt-dev

2019-04-25 18:40:11 +00:00
parent dcc2255eb1 e4d398c917
commit 07806b3d78
1 changed files with 17 additions and 5 deletions
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -1377,7 +1377,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            }
        }

-        void readFromXml(XmlPullParser parser)
+        void readFromXml(XmlPullParser parser, boolean shouldOverridePolicies)
                throws XmlPullParserException, IOException {
            int outerDepth = parser.getDepth();
            int type;
@@ -1388,7 +1388,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                }
                String tag = parser.getName();
                if (TAG_POLICIES.equals(tag)) {
-                    info.readPoliciesFromXml(parser);
+                    if (shouldOverridePolicies) {
+                        Log.d(LOG_TAG, "Overriding device admin policies from XML.");
+                        info.readPoliciesFromXml(parser);
+                    }
                } else if (TAG_PASSWORD_QUALITY.equals(tag)) {
                    minimumPasswordMetrics.quality = Integer.parseInt(
                            parser.getAttributeValue(null, ATTR_VALUE));
@@ -1516,9 +1519,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                    }
                } else if (TAG_PARENT_ADMIN.equals(tag)) {
                    Preconditions.checkState(!isParent);
-
                    parentAdmin = new ActiveAdmin(info, /* parent */ true);
-                    parentAdmin.readFromXml(parser);
+                    parentAdmin.readFromXml(parser, shouldOverridePolicies);
                } else if (TAG_ORGANIZATION_COLOR.equals(tag)) {
                    organizationColor = Integer.parseInt(
                            parser.getAttributeValue(null, ATTR_VALUE));
@@ -3324,8 +3326,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                                    + userHandle);
                        }
                        if (dai != null) {
+                            boolean shouldOverwritePolicies =
+                                    shouldOverwritePoliciesFromXml(dai.getComponent(), userHandle);
                            ActiveAdmin ap = new ActiveAdmin(dai, /* parent */ false);
-                            ap.readFromXml(parser);
+                            ap.readFromXml(parser, shouldOverwritePolicies);
                            policy.mAdminMap.put(ap.info.getComponent(), ap);
                        }
                    } catch (RuntimeException e) {
@@ -3435,6 +3439,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
    }

+    private boolean shouldOverwritePoliciesFromXml(
+            ComponentName deviceAdminComponent, int userHandle) {
+        // http://b/123415062: If DA, overwrite with the stored policies that were agreed by the
+        // user to prevent apps from sneaking additional policies into updates.
+        return !isProfileOwner(deviceAdminComponent, userHandle)
+                && !isDeviceOwner(deviceAdminComponent, userHandle);
+    }
+
    private void updateLockTaskPackagesLocked(List<String> packages, int userId) {
        long ident = mInjector.binderClearCallingIdentity();
        try {