summaryrefslogtreecommitdiffstats
path: root/services
diff options
context:
space:
mode:
authorRubin Xu <rubinxu@google.com>2015-03-03 17:34:05 +0000
committerRubin Xu <rubinxu@google.com>2015-03-20 10:11:29 +0000
commitec32b56cc22658ecb549390fe0096fc6d7b5ac2a (patch)
tree2ace07be4296e350e87ea95bf212e4e4ca0f1e5d /services
parentf2104b11a8b9111a07d80ee8de66a42f57e4d102 (diff)
downloadframeworks_base-ec32b56cc22658ecb549390fe0096fc6d7b5ac2a.zip
frameworks_base-ec32b56cc22658ecb549390fe0096fc6d7b5ac2a.tar.gz
frameworks_base-ec32b56cc22658ecb549390fe0096fc6d7b5ac2a.tar.bz2
Add DelegatedCertInstaller API in DPMS
Allow device/profile owner to delegate certificate APIs to third-party certificate installer apps. Bug: 19551274 Change-Id: Iaf9abb5ecb1dc0975fa98ea14408fe392d52fbf4
Diffstat (limited to 'services')
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java71
1 files changed, 70 insertions, 1 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 663c919..d07cd98 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -166,6 +166,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
private static final String ATTR_PERMISSION_PROVIDER = "permission-provider";
private static final String ATTR_SETUP_COMPLETE = "setup-complete";
+ private static final String ATTR_DELEGATED_CERT_INSTALLER = "delegated-cert-installer";
+
private static final Set<String> DEVICE_OWNER_USER_RESTRICTIONS;
static {
DEVICE_OWNER_USER_RESTRICTIONS = new HashSet();
@@ -286,6 +288,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
ComponentName mRestrictionsProvider;
+ String mDelegatedCertInstallerPackage;
+
public DevicePolicyData(int userHandle) {
mUserHandle = userHandle;
}
@@ -948,6 +952,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
syncDeviceCapabilitiesLocked(policy);
saveSettingsLocked(policy.mUserHandle);
}
+
+ if (policy.mDelegatedCertInstallerPackage != null &&
+ (packageName == null
+ || packageName.equals(policy.mDelegatedCertInstallerPackage))) {
+ try {
+ // Check if delegated cert installer package is removed.
+ if (pm.getPackageInfo(
+ policy.mDelegatedCertInstallerPackage, 0, userHandle) == null) {
+ policy.mDelegatedCertInstallerPackage = null;
+ saveSettingsLocked(policy.mUserHandle);
+ }
+ } catch (RemoteException e) {
+ // Shouldn't happen
+ }
+ }
}
}
@@ -1332,6 +1351,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
out.attribute(null, ATTR_SETUP_COMPLETE,
Boolean.toString(true));
}
+ if (policy.mDelegatedCertInstallerPackage != null) {
+ out.attribute(null, ATTR_DELEGATED_CERT_INSTALLER,
+ policy.mDelegatedCertInstallerPackage);
+ }
+
final int N = policy.mAdminList.size();
for (int i=0; i<N; i++) {
@@ -1439,6 +1463,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
if (userSetupComplete != null && Boolean.toString(true).equals(userSetupComplete)) {
policy.mUserSetupComplete = true;
}
+ policy.mDelegatedCertInstallerPackage = parser.getAttributeValue(null,
+ ATTR_DELEGATED_CERT_INSTALLER);
type = parser.next();
int outerDepth = parser.getDepth();
@@ -2878,7 +2904,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public void enforceCanManageCaCerts(ComponentName who) {
if (who == null) {
- mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
+ if (!isCallerDelegatedCertInstaller()) {
+ mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
+ }
} else {
synchronized (this) {
getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
@@ -2886,6 +2914,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
}
+ private boolean isCallerDelegatedCertInstaller() {
+ final int callingUid = Binder.getCallingUid();
+ final int userHandle = UserHandle.getUserId(callingUid);
+ synchronized (this) {
+ final DevicePolicyData policy = getUserData(userHandle);
+ if (policy.mDelegatedCertInstallerPackage == null) {
+ return false;
+ }
+
+ try {
+ int uid = mContext.getPackageManager().getPackageUid(
+ policy.mDelegatedCertInstallerPackage, userHandle);
+ return uid == callingUid;
+ } catch (NameNotFoundException e) {
+ return false;
+ }
+ }
+ }
+
@Override
public boolean installCaCert(ComponentName admin, byte[] certBuffer) throws RemoteException {
enforceCanManageCaCerts(admin);
@@ -3036,6 +3083,28 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}.execute();
}
+ @Override
+ public void setCertInstallerPackage(ComponentName who, String installerPackage)
+ throws SecurityException {
+ int userHandle = UserHandle.getCallingUserId();
+ synchronized (this) {
+ getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ DevicePolicyData policy = getUserData(userHandle);
+ policy.mDelegatedCertInstallerPackage = installerPackage;
+ saveSettingsLocked(userHandle);
+ }
+ }
+
+ @Override
+ public String getCertInstallerPackage(ComponentName who) throws SecurityException {
+ int userHandle = UserHandle.getCallingUserId();
+ synchronized (this) {
+ getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
+ DevicePolicyData policy = getUserData(userHandle);
+ return policy.mDelegatedCertInstallerPackage;
+ }
+ }
+
private void wipeDataLocked(boolean wipeExtRequested, String reason) {
// If the SD card is encrypted and non-removable, we have to force a wipe.
boolean forceExtWipe = !Environment.isExternalStorageRemovable() && isExtStorageEncrypted();