Failing setPackagesSuspended if user has a DO / PO

Device or profile owners should be suspending packages via DevicePolicyManager. If an app with SUSPEND_APPS tries use the PackageManager api on a user with a DO or a PO, the call should fail Test: gts-tradefed run gts-dev -m SuspendApps Bug: 78132137 Change-Id: If478db0726073c2e59dba3a7049cc16c56d9f3d5
2018-04-17 13:53:18 -07:00
parent 069c5b58b0
commit 7ea5378f89
3 changed files with 24 additions and 20 deletions
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -13625,25 +13625,15 @@ public class PackageManagerService extends IPackageManager.Stub
            // install reason correctly.
            return installReason;
        }
-
-        final IDevicePolicyManager dpm = IDevicePolicyManager.Stub.asInterface(
-            ServiceManager.getService(Context.DEVICE_POLICY_SERVICE));
-        if (dpm != null) {
-            ComponentName owner = null;
-            try {
-                owner = dpm.getDeviceOwnerComponent(true /* callingUserOnly */);
-                if (owner == null) {
-                    owner = dpm.getProfileOwner(UserHandle.getUserId(installerUid));
-                }
-            } catch (RemoteException e) {
-            }
-            if (owner != null && owner.getPackageName().equals(installerPackageName)) {
-                // If the install is being performed by a device or profile owner, the install
-                // reason should be enterprise policy.
-                return PackageManager.INSTALL_REASON_POLICY;
-            }
+        final String ownerPackage = mProtectedPackages.getDeviceOwnerOrProfileOwnerPackage(
+                UserHandle.getUserId(installerUid));
+        if (ownerPackage != null && ownerPackage.equals(installerPackageName)) {
+            // If the install is being performed by a device or profile owner, the install
+            // reason should be enterprise policy.
+            return PackageManager.INSTALL_REASON_POLICY;
        }

+
        if (installReason == PackageManager.INSTALL_REASON_POLICY) {
            // If the install is being performed by a regular app (i.e. neither system app nor
            // device or profile owner), we have no reason to believe that the app is acting on
@@ -14040,7 +14030,11 @@ public class PackageManagerService extends IPackageManager.Stub
            throw new IllegalArgumentException("CallingPackage " + callingPackage + " does not"
                    + " belong to calling app id " + UserHandle.getAppId(callingUid));
        }
-
+        if (!PLATFORM_PACKAGE_NAME.equals(callingPackage)
+                && mProtectedPackages.getDeviceOwnerOrProfileOwnerPackage(userId) != null) {
+            throw new UnsupportedOperationException("Cannot suspend/unsuspend packages. User "
+                    + userId + " has an active DO or PO");
+        }
        if (ArrayUtils.isEmpty(packageNames)) {
            return packageNames;
        }
--- a/services/core/java/com/android/server/pm/ProtectedPackages.java
+++ b/services/core/java/com/android/server/pm/ProtectedPackages.java
@@ -88,6 +88,13 @@ public class ProtectedPackages {
        return false;
    }

+    public synchronized String getDeviceOwnerOrProfileOwnerPackage(int userId) {
+        if (mDeviceOwnerUserId == userId) {
+            return mDeviceOwnerPackage;
+        }
+        return mProfileOwnerPackages.get(userId);
+    }
+
    /**
     * Returns {@code true} if a given package is protected. Otherwise, returns {@code false}.
     *
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -73,6 +73,9 @@ import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker
 import static com.android.server.devicepolicy.TransferOwnershipMetadataManager.ADMIN_TYPE_DEVICE_OWNER;
 import static com.android.server.devicepolicy.TransferOwnershipMetadataManager.ADMIN_TYPE_PROFILE_OWNER;

+
+import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME;
+
 import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
 import static org.xmlpull.v1.XmlPullParser.END_TAG;
 import static org.xmlpull.v1.XmlPullParser.TEXT;
@@ -9193,8 +9196,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {

            long id = mInjector.binderClearCallingIdentity();
            try {
-                return mIPackageManager.setPackagesSuspendedAsUser(
-                        packageNames, suspended, null, null, null, "android", callingUserId);
+                return mIPackageManager.setPackagesSuspendedAsUser(packageNames, suspended,
+                        null, null, null, PLATFORM_PACKAGE_NAME, callingUserId);
            } catch (RemoteException re) {
                // Shouldn't happen.
                Slog.e(LOG_TAG, "Failed talking to the package manager", re);