author | Amith Yamasani <yamasani@google.com> | 2015-06-22 13:00:32 -0700 |
---|---|---|
committer | Amith Yamasani <yamasani@google.com> | 2015-06-23 12:01:36 -0700 |
commit | 0bf8f7cc3982164a9e11ea4a25ed930e466f1dd8 (patch) | |
tree | d609c7539fadf8421397533a79ef7f224bdd6e8a /services/devicepolicy | |
parent | dd7705bbf26dc940ba314807f58dc9a81de452af (diff) | |
Runtime permissions cannot be set on legacy apps by device policy
Clarify docs that runtime permissions can be granted or revoked by
a profile owner/device owner only for MNC apps and not legacy apps.
Check the targetSdkVersion and return false if legacy app.
Remove all policy flags from permissions when cleaning up
a device or profile owner.
Bug: 21835304
Bug: 21889278
Change-Id: I4271394737990983449048d112a1830f9d0f2d78
Diffstat (limited to 'services/devicepolicy')
-rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 74adc6b..e44a7ab 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4217,11 +4217,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 long ident = Binder.clearCallingIdentity();
 try {
 clearUserRestrictions(new UserHandle(UserHandle.USER_OWNER));
+ AppGlobals.getPackageManager().updatePermissionFlagsForAllApps(
+ PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+ 0, UserHandle.USER_OWNER);
 if (mDeviceOwner != null) {
 mDeviceOwner.clearDeviceOwner();
 mDeviceOwner.writeOwnerFile();
 updateDeviceOwnerLocked();
 }
+ } catch (RemoteException re) {
 } finally {
 Binder.restoreCallingIdentity(ident);
 }
@@ -4388,10 +4392,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 long ident = Binder.clearCallingIdentity();
 try {
 clearUserRestrictions(callingUser);
+ AppGlobals.getPackageManager().updatePermissionFlagsForAllApps(
+ PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+ 0, callingUser.getIdentifier());
 if (mDeviceOwner != null) {
 mDeviceOwner.removeProfileOwner(userId);
 mDeviceOwner.writeOwnerFile();
 }
+ } catch (RemoteException re) {
 } finally {
 Binder.restoreCallingIdentity(ident);
 }
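Review bot: The empty `catch (RemoteException re) { }` added in both cleanup hunks (device-owner clear at -4217 and profile-owner clear at -4388) hides a failed `updatePermissionFlagsForAllApps` call. Because that call sits ahead of the `mDeviceOwner` block in the same `try`, an exception there would also skip removing the owner and writing the owner file, after user restrictions were already cleared. That would leave the owner record and any `FLAG_PERMISSION_POLICY_FIXED` flags in place with nothing in the log. The call is presumably in-process here, so the exception is unlikely, but the handler should at least record it, e.g. `Slog.w(LOG_TAG, "Failed to clear policy-fixed permission flags", re);`, and the flag reset would be safer placed after the `mDeviceOwner` block so owner removal never depends on it. Both enclosing methods start and end outside the hunks.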
@@ -6390,21 +6398,27 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); long ident = Binder.clearCallingIdentity(); try { - PackageManager packageManager = mContext.getPackageManager(); + final ApplicationInfo ai = AppGlobals.getPackageManager() + .getApplicationInfo(packageName, 0, user.getIdentifier()); + final int targetSdkVersion = ai == null ? 0 : ai.targetSdkVersion; + if (targetSdkVersion < android.os.Build.VERSION_CODES.MNC) { + return false; + } + final PackageManager packageManager = mContext.getPackageManager(); switch (grantState) { case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: { + packageManager.grantRuntimePermission(packageName, permission, user); packageManager.updatePermissionFlags(permission, packageName, PackageManager.FLAG_PERMISSION_POLICY_FIXED, PackageManager.FLAG_PERMISSION_POLICY_FIXED, user); - packageManager.grantRuntimePermission(packageName, permission, user); } break; case DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED: { + packageManager.revokeRuntimePermission(packageName, + permission, user); packageManager.updatePermissionFlags(permission, packageName, PackageManager.FLAG_PERMISSION_POLICY_FIXED, PackageManager.FLAG_PERMISSION_POLICY_FIXED, user); - packageManager.revokeRuntimePermission(packageName, - permission, user); } break; case DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT: { |
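Review bot: The new early `return false` folds two different conditions together: `ai == null` (no such package for that user) is mapped to `targetSdkVersion` 0 and rejected exactly like a legacy app, with no log line and no comment. A policy client that ignores the boolean would assume a grant or denial took effect when nothing changed, so the path deserves a comment such as `// Policy may only set runtime permissions on apps targeting MNC+; legacy or unknown packages are rejected.` and a warning log naming the package. The swapped order (grant/revoke first, then set `FLAG_PERMISSION_POLICY_FIXED`) also has no comment explaining why the flag is applied last; a one-line why-comment above each `updatePermissionFlags` call would keep it from being reordered back. The method starts before and continues past this hunk, so the `finally` that restores the calling identity on the early return is assumed rather than visible.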