authorAmith Yamasani <yamasani@google.com>2015-06-22 13:00:32 -0700
committerAmith Yamasani <yamasani@google.com>2015-06-23 12:01:36 -0700
commit0bf8f7cc3982164a9e11ea4a25ed930e466f1dd8 (patch)
treed609c7539fadf8421397533a79ef7f224bdd6e8a /services/devicepolicy
parentdd7705bbf26dc940ba314807f58dc9a81de452af (diff)
Runtime permissions cannot be set on legacy apps by device policy
Clarify docs that runtime permissions can be granted or revoked by a profile owner/device owner only for MNC apps and not legacy apps. Check the targetSdkVersion and return false if legacy app. Remove all policy flags from permissions when cleaning up a device or profile owner. Bug: 21835304 Bug: 21889278 Change-Id: I4271394737990983449048d112a1830f9d0f2d78
Diffstat (limited to 'services/devicepolicy')
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java22
1 files changed, 18 insertions, 4 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 74adc6b..e44a7ab 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4217,11 +4217,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
long ident = Binder.clearCallingIdentity();
try {
clearUserRestrictions(new UserHandle(UserHandle.USER_OWNER));
+ AppGlobals.getPackageManager().updatePermissionFlagsForAllApps(
+ PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+ 0, UserHandle.USER_OWNER);
if (mDeviceOwner != null) {
mDeviceOwner.clearDeviceOwner();
mDeviceOwner.writeOwnerFile();
updateDeviceOwnerLocked();
}
+ } catch (RemoteException re) {
} finally {
Binder.restoreCallingIdentity(ident);
}
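Review bot: The empty `catch (RemoteException re) {` added before `finally` silently discards a failure of `updatePermissionFlagsForAllApps`. Because that call sits ahead of `mDeviceOwner.clearDeviceOwner()` and `writeOwnerFile()`, a throw would also skip the owner cleanup without leaving any trace. The second hunk (`@@ -4388`) has the same shape, where `removeProfileOwner(userId)` would be skipped and `FLAG_PERMISSION_POLICY_FIXED` could stay set for that user. The call is presumably in-process inside system_server, so a throw is unlikely, but I would still log it, e.g. `Slog.w(LOG_TAG, "Failed to clear FLAG_PERMISSION_POLICY_FIXED on owner removal", re);`, and either move the flag update after the owner file is written or give it its own try so that owner removal always completes. The enclosing method starts and ends outside the hunk, so any handling further out is not visible here.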
@@ -4388,10 +4392,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
long ident = Binder.clearCallingIdentity();
try {
clearUserRestrictions(callingUser);
+ AppGlobals.getPackageManager().updatePermissionFlagsForAllApps(
+ PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+ 0, callingUser.getIdentifier());
if (mDeviceOwner != null) {
mDeviceOwner.removeProfileOwner(userId);
mDeviceOwner.writeOwnerFile();
}
+ } catch (RemoteException re) {
} finally {
Binder.restoreCallingIdentity(ident);
}
@@ -6390,21 +6398,27 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
long ident = Binder.clearCallingIdentity();
try {
- PackageManager packageManager = mContext.getPackageManager();
+ final ApplicationInfo ai = AppGlobals.getPackageManager()
+ .getApplicationInfo(packageName, 0, user.getIdentifier());
+ final int targetSdkVersion = ai == null ? 0 : ai.targetSdkVersion;
+ if (targetSdkVersion < android.os.Build.VERSION_CODES.MNC) {
+ return false;
+ }
+ final PackageManager packageManager = mContext.getPackageManager();
switch (grantState) {
case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: {
+ packageManager.grantRuntimePermission(packageName, permission, user);
packageManager.updatePermissionFlags(permission, packageName,
PackageManager.FLAG_PERMISSION_POLICY_FIXED,
PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
- packageManager.grantRuntimePermission(packageName, permission, user);
} break;
case DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED: {
+ packageManager.revokeRuntimePermission(packageName,
+ permission, user);
packageManager.updatePermissionFlags(permission, packageName,
PackageManager.FLAG_PERMISSION_POLICY_FIXED,
PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
- packageManager.revokeRuntimePermission(packageName,
- permission, user);
} break;
case DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT: {