Check caller owns admin for per-admin getters.
Currently some functions allow the caller to check policy
enforced by a particular admin by passing a non-null "who"
argument. This circumvents package visibility rules. There is no
legitimate reason for an 3rd party app to query policies for
arbitrary admins. With this change whenever "who" is not null,
the code will ensure that the admin referenced by "who" is owned
by the caller.
Exception to the above are methods that are also called by
Setting to query policy for a particular admin for policy
transparency. For those methods callers with QUERY_ADMIN_POLICY
permission are allowed to query per-admin policy:
* getMaximumFailedPasswordsForWipe
* getMaximumTimeToLock
* getPasswordQuality
There is no legitimate reason for an 3rd party app to query
policies for arbitrary admins. Code search for
getPasswordHistoryLength and getPasswordMinimum* methods doesn't
return any priviledged usage of these methods inside Android.
getPasswordQuality is used by Settings, hence the system uid is
exempt.
+ removed redundant system or root UID checks when querying
permission.
Bug: 204995407
Test: atest android.devicepolicy.cts.NoAdminLeakingTest
Test: atest android.devicepolicy.cts.ResetPasswordWithTokenTest
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testPasswordRequirementsApi
Change-Id: I443ed1f6dcd5e5b161c99dd09a4b2aef9f8ef0a7
1 file changed