From df30c7d2e0bd59a1ed92d63bd1b4dc9c320e2ab6 Mon Sep 17 00:00:00 2001
From: Eric Sandness
Date: Tue, 27 Mar 2018 09:56:40 +0100
Subject: [PATCH] Permission Check For DPM.isDeviceProvisioned
Require the caller of DPM.isDeviceProvisioned() to hold the MANAGE_USERS permission. The only callers should be within the framework itself, or apps involved in device provisioning which already hold this permission.
Bug: 62343414
Test: Set TestDPC as Device Owner and use it to reset password
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.android.server.locksettings.LockSettingsServiceTests
Test: com.google.android.gts.devicepolicy.DevicePolicyManagerTest
Change-Id: Ie53deb5ba8679a5b431f2a8da60ec9710c44d56f
---
 core/java/android/app/admin/DevicePolicyManager.java | 1 +
 .../android/server/devicepolicy/DevicePolicyManagerService.java | 1 +
 2 files changed, 2 insertions(+)
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 4cb7f89cec5cb..4b729ff2fd2a8 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -8754,6 +8754,7 @@ public class DevicePolicyManager {
 * @hide
 */
 @SystemApi
+ @RequiresPermission(android.Manifest.permission.MANAGE_USERS)
 public boolean isDeviceProvisioned() {
 try {
 return mService.isDeviceProvisioned();
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 56c98072bae13..39ae8bbdaa4a5 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
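Review bot: In DevicePolicyManager.java the added `@RequiresPermission` is only a lint and documentation hint, and the visible end of the Javadoc (`@hide`) does not say that the call can now fail for a caller without the permission. If the part of the comment above the hunk does not already cover it, add `@throws SecurityException if the caller does not hold {@link android.Manifest.permission#MANAGE_USERS}` so the annotation and the prose agree. The Javadoc and the method body both extend outside this hunk.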
@@ -11815,6 +11815,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
 @Override
 public boolean isDeviceProvisioned() {
+ enforceManageUsers();
 synchronized (this) {
 return getUserDataUnchecked(UserHandle.USER_SYSTEM).mUserSetupComplete;
 }
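Review bot: `enforceManageUsers()` presumably checks the Binder calling identity, so any system_server path that reaches `isDeviceProvisioned()` while still carrying an app's identity will now get a SecurityException instead of a boolean. Those call sites are outside this hunk and should be confirmed to clear the calling identity first; the reset-password test in the commit message suggests one such path was checked. The diffstat lists only the two production files, so no test pins the new denial. A case in DevicePolicyManagerTest that calls the method without MANAGE_USERS and expects SecurityException would keep the check from being dropped in a later refactor. A short why-comment above the call would also help, e.g. `// Provisioning state is not for arbitrary apps: require MANAGE_USERS before reading it.`; the method's closing brace and the body of `enforceManageUsers()` are not visible here.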