Check caller owns admin for per-admin getters.
Currently some functions allow the caller to check policy enforced by a particular admin by passing a non-null "who" argument. This circumvents package visibility rules. There is no legitimate reason for an 3rd party app to query policies for arbitrary admins. With this change whenever "who" is not null, the code will ensure that the admin referenced by "who" is owned by the caller. Exception to the above are methods that are also called by Setting to query policy for a particular admin for policy transparency. For those methods callers with QUERY_ADMIN_POLICY permission are allowed to query per-admin policy: * getMaximumFailedPasswordsForWipe * getMaximumTimeToLock * getPasswordQuality There is no legitimate reason for an 3rd party app to query policies for arbitrary admins. Code search for getPasswordHistoryLength and getPasswordMinimum* methods doesn't return any priviledged usage of these methods inside Android. getPasswordQuality is used by Settings, hence the system uid is exempt. + removed redundant system or root UID checks when querying permission. Bug: 204995407 Test: atest android.devicepolicy.cts.NoAdminLeakingTest Test: atest android.devicepolicy.cts.ResetPasswordWithTokenTest Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPasswordRequirementsApi Change-Id: I443ed1f6dcd5e5b161c99dd09a4b2aef9f8ef0a7
Loading
Please register or sign in to comment