author | Benjamin Franz <bfranz@google.com> | 2015-01-14 18:22:42 +0000 |
---|---|---|
committer | Benjamin Franz <bfranz@google.com> | 2015-01-22 16:16:16 +0000 |
commit | fadb2b3a27e4c23f5c566e6f7eadfaed9e23e68c (patch) | |
tree | 7a5d4e5a1f8185d6e4ba159b7858704b96d779cf /services/devicepolicy/java | |
parent | 1a6dd2985ef1eab036f6fc77cf723e3f12832e93 (diff) | |
Avoid SecurityException when calling getUserData
Currently we risk getting a SecurityException in a number of places,
where getUserData is called for a different user than the calling user.
To avoid this, the caller is cleared in a helper function.
Bug: 18662452
Change-Id: Ibc131c602e52d9f013fe739a9c18e693181ded67
Diffstat (limited to 'services/devicepolicy/java')
-rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 63 |
1 files changed, 42 insertions, 21 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 579fae4..6d6ac1e 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -989,6 +989,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 }
 }
+ /**
+ * Creates and loads the policy data from xml for data that is shared between
+ * various profiles of a user. In contrast to {@link #getUserData(int)}
+ * it allows access to data of users other than the calling user.
+ *
+ * This function should only be used for shared data, e.g. everything regarding
+ * passwords and should be removed once multiple screen locks are present.
+ * @param userHandle the user for whom to load the policy data
+ * @return
+ */
+ DevicePolicyData getUserDataUnchecked(int userHandle) {
+ long ident = Binder.clearCallingIdentity();
+ try {
+ return getUserData(userHandle);
+ } finally {
+ Binder.restoreCallingIdentity(ident);
+ }
+ }
+
 void removeUserData(int userHandle) {
 synchronized (this) {
 if (userHandle == UserHandle.USER_OWNER) {
@@ -1927,7 +1946,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
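Review bot: The Javadoc added for `getUserDataUnchecked` leaves `@return` empty and never states the precondition that makes clearing the Binder identity safe. Because the helper calls `Binder.clearCallingIdentity()` before `getUserData(userHandle)`, the cross-user restriction described in the commit message no longer applies inside it, so each call site has to establish beforehand that the caller may read policy for that user. I would say so in the doc, for example `@return the policy data for {@code userHandle}; callers must already have authorized the calling uid for this user`. The call sites changed in the later hunks all begin outside the visible context, so this diff alone cannot confirm that each of them performs such a check.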
@@ -1974,7 +1993,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2021,7 +2040,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i = 0; i < N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2082,7 +2101,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i = 0; i < N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2180,7 +2199,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i = 0; i < N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2237,7 +2256,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2281,7 +2300,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2328,7 +2347,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2375,7 +2394,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i = 0; i < N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2422,7 +2441,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2469,7 +2488,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -2494,8 +2513,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // If the user this is called from is part of a profile group, that is the parent
 // of the group.
 UserInfo parent = getProfileParent(userHandle);
- int id = parent == null ? userHandle : parent.id;
- DevicePolicyData policy = getUserData(id);
+ int id = (parent == null) ? userHandle : parent.id;
+ DevicePolicyData policy = getUserDataUnchecked(id);
 // This API can only be called by an active device admin,
 // so try to retrieve it to check that the caller is one.
@@ -2525,7 +2544,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 DeviceAdminInfo.USES_POLICY_WATCH_LOGIN);
 // The active password is stored in the parent.
- DevicePolicyData policy = getUserData(getProfileParent(userHandle).id);
+ UserInfo parent = getProfileParent(userHandle);
+ int id = (parent == null) ? userHandle : parent.id;
+ DevicePolicyData policy = getUserDataUnchecked(id);
 return policy.mFailedPasswordAttempts;
 }
@@ -2588,7 +2609,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 int count = 0;
 ActiveAdmin strictestAdmin = null;
 for (UserInfo userInfo : mUserManager.getProfiles(userHandle)) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 for (ActiveAdmin admin : policy.mAdminList) {
 if (admin.maximumFailedPasswordsForWipe == ActiveAdmin.DEF_MAXIMUM_FAILED_PASSWORDS_FOR_WIPE) {
@@ -2801,7 +2822,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // Return strictest policy for this user and profiles that are visible from this user.
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i<N; i++) {
 ActiveAdmin admin = policy.mAdminList.get(i);
@@ -3123,7 +3144,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 List<UserInfo> profiles = mUserManager.getProfiles(userHandle);
 for (UserInfo userInfo : profiles) {
 int profileId = userInfo.id;
- DevicePolicyData policy = getUserData(profileId);
+ DevicePolicyData policy = getUserDataUnchecked(profileId);
 final int N = policy.mAdminList.size();
 if (N > 0) {
 for (int i=0; i<N; i++) {
@@ -4243,7 +4264,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 // and return null.
 boolean allAdminsHaveOptions = true;
 for (UserInfo userInfo : profiles) {
- DevicePolicyData policy = getUserData(userInfo.id);
+ DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
 final int N = policy.mAdminList.size();
 for (int i=0; i < N; i++) {
 final ActiveAdmin active = policy.mAdminList.get(i);
@@ -4474,7 +4495,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 for (int i = 0; i < PROFILES_SIZE; ++i) {
 // Just loop though all admins, only device or profiles
 // owners can have permitted lists set.
- DevicePolicyData policy = getUserData(profiles.get(i).id);
+ DevicePolicyData policy = getUserDataUnchecked(profiles.get(i).id);
 final int N = policy.mAdminList.size();
 for (int j = 0; j < N; j++) {
 ActiveAdmin admin = policy.mAdminList.get(j);
@@ -4639,7 +4660,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 for (int i = 0; i < PROFILES_SIZE; ++i) {
 // Just loop though all admins, only device or profiles
 // owners can have permitted lists set.
- DevicePolicyData policy = getUserData(profiles.get(i).id);
+ DevicePolicyData policy = getUserDataUnchecked(profiles.get(i).id);
 final int N = policy.mAdminList.size();
 for (int j = 0; j < N; j++) {
 ActiveAdmin admin = policy.mAdminList.get(j);
@@ -5428,7 +5449,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 return Collections.emptyList();
 }
- DevicePolicyData policy = getUserData(profileId);
+ DevicePolicyData policy = getUserDataUnchecked(profileId);
 ActiveAdmin admin = policy.mAdminMap.get(ownerComponent);
 if (admin == null || admin.crossProfileWidgetProviders == null |
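Review bot: The switch to `getUserDataUnchecked(profileId)` in the @@ -5428 hunk reads `crossProfileWidgetProviders`, which does not look like the password-related shared data the helper's own Javadoc limits it to. The permitted-list loops at @@ -4474 and @@ -4639 raise the same question. I would either widen that Javadoc to name these uses, or keep `getUserData` here and authorize the caller for `profileId` explicitly before the read, so the identity-clearing path stays as narrow as documented. The enclosing method starts outside the hunk, so how `profileId` is validated before this line is not visible here.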