New permission to manage device admins

The previously used permission was doing double duty as the permission
that device admins check for to ensure that calls are coming from valid
system components.

MANAGE_DEVICE_ADMINS is system|signature and is now required to add/remove
device admins.

Required for:
Bug: 9856348

Change-Id: I64385d2ec734c3957af21b5a5d9cffd8a3bcd299
Amith Yamasani
2013-07-19 12:39:17 -07:00
parent 5846f7c9d8
commit a418cf21c9
5 changed files with 17 additions and 2 deletions


@@ -72,6 +72,7 @@ package android {
field public static final java.lang.String LOCATION_HARDWARE = "android.permission.LOCATION_HARDWARE";
field public static final java.lang.String MANAGE_ACCOUNTS = "android.permission.MANAGE_ACCOUNTS";
field public static final java.lang.String MANAGE_APP_TOKENS = "android.permission.MANAGE_APP_TOKENS";
field public static final java.lang.String MANAGE_DEVICE_ADMINS = "android.permission.MANAGE_DEVICE_ADMINS";
field public static final java.lang.String MANAGE_DOCUMENTS = "android.permission.MANAGE_DOCUMENTS";
field public static final java.lang.String MASTER_CLEAR = "android.permission.MASTER_CLEAR";
field public static final java.lang.String MODIFY_AUDIO_SETTINGS = "android.permission.MODIFY_AUDIO_SETTINGS";


@@ -1901,6 +1901,13 @@
android:description="@string/permdesc_bindDeviceAdmin"
android:protectionLevel="signature" />
<!-- Required to add or remove another application as a device admin.
<p/>Not for use by third-party apps. -->
<permission android:name="android.permission.MANAGE_DEVICE_ADMINS"
android:label="@string/permlab_manageDeviceAdmins"
android:description="@string/permdesc_manageDeviceAdmins"
android:protectionLevel="signature|system" />
<!-- Allows low-level access to setting the orientation (actually
rotation) of the screen.
<p>Not for use by third-party applications. -->
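Review bot: `android:protectionLevel="signature|system"` on MANAGE_DEVICE_ADMINS is wider than the `signature` level on the permission defined just above it (the one described by permdesc_bindDeviceAdmin), because it also grants the permission to any app installed on the system image, not only platform-signed ones. Since this permission gates adding and removing device admins, confirm that every system-image app is meant to qualify, and narrow it to `android:protectionLevel="signature"` if not. As a smaller style point, the new doc comment uses `<p/>` where the neighbouring permission comment uses `<p>`.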


@@ -1020,6 +1020,12 @@
<string name="permdesc_bindDeviceAdmin">Allows the holder to send intents to
a device administrator. Should never be needed for normal apps.</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_manageDeviceAdmins">add or remove a device admin</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permdesc_manageDeviceAdmins">Allows the holder to add or remove active device
administrators. Should never be needed for normal apps.</string>
<!-- Title of an application permission, listed so the user can choose whether they want to allow the application to do this. -->
<string name="permlab_setOrientation">change screen orientation</string>
<!-- Description of an application permission, listed so the user can choose whether they want to allow the application to do this. -->


@@ -35,6 +35,7 @@
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
<uses-permission android:name="android.permission.BIND_APPWIDGET" />
<uses-permission android:name="android.permission.INTERNAL_SYSTEM_WINDOW" />
<uses-permission android:name="android.permission.MANAGE_DEVICE_ADMINS" />
<uses-permission android:name="android.permission.BIND_DEVICE_ADMIN" />
<uses-permission android:name="android.permission.CHANGE_COMPONENT_ENABLED_STATE" />


@@ -1043,7 +1043,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
*/
public void setActiveAdmin(ComponentName adminReceiver, boolean refreshing, int userHandle) {
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.BIND_DEVICE_ADMIN, null);
android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);
enforceCrossUserPermission(userHandle);
DevicePolicyData policy = getUserData(userHandle);
@@ -1146,7 +1146,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return;
}
mContext.enforceCallingOrSelfPermission(
android.Manifest.permission.BIND_DEVICE_ADMIN, null);
android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);
}
long ident = Binder.clearCallingIdentity();
try {
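Review bot: Any caller that holds only BIND_DEVICE_ADMIN will now get a SecurityException from setActiveAdmin and from the check in the second hunk, yet this page shows only one manifest gaining `<uses-permission android:name="android.permission.MANAGE_DEVICE_ADMINS" />`. Before merging, audit the remaining system components that add or remove admins so none of them silently loses the ability. The Javadoc that ends just above setActiveAdmin is not visible here; it should state the new requirement, for example `@throws SecurityException if the caller does not hold MANAGE_DEVICE_ADMINS`. In the second hunk the check sits inside a conditional block after an early `return;`, so a short comment saying which callers are exempt would make the enforcement boundary clearer. Both function bodies continue outside the hunks.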