DPMS: Fix access control check for password sufficiency

Fix access control check for isActivePasswordSufficient, such that the
DPC can call it on the parent profile DPM instance.

In Change-Id: I97ca0d40a01673939e64c23f357fc38ca5427a8f an additional access
control check was imposed as a result of a refactoring.

That check required the caller to hold the cross-user permission (which
is a system-privileged permission) to check password sufficiency.

This is fixed by introducing an unchecked internal variant of the
method for getting password metrics, since caller authorization is
checked prior to calling it.

Bug: 173484959
Bug: 173483046
Test: atest com.android.cts.devicepolicy.ManagedProfileTest#testDevicePolicyManagerParentSupport
Test: Manual, created a work profile with a google.com account.
Change-Id: Id23a8d9e70c1b438fc12cb3ea408273964dde97b
(cherry picked from commit 7672301be44a2820683098e91998b93c56e2e45a)
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index e8861c4..20b6b6d 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4152,14 +4152,18 @@
     public PasswordMetrics getPasswordMinimumMetrics(@UserIdInt int userHandle) {
         final CallerIdentity caller = getCallerIdentity();
         Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
+        return getPasswordMinimumMetricsUnchecked(userHandle);
+    }
+
+    private PasswordMetrics getPasswordMinimumMetricsUnchecked(@UserIdInt int userId) {
         if (!mHasFeature) {
             new PasswordMetrics(CREDENTIAL_TYPE_NONE);
         }
-        Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId");
+        Preconditions.checkArgumentNonnegative(userId, "Invalid userId");
 
         ArrayList<PasswordMetrics> adminMetrics = new ArrayList<>();
         synchronized (getLockObject()) {
-            List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userHandle);
+            List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userId);
             for (ActiveAdmin admin : admins) {
                 adminMetrics.add(admin.mPasswordPolicy.getMinMetrics());
             }
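Review bot: In `getPasswordMinimumMetricsUnchecked` the `if (!mHasFeature)` branch builds `new PasswordMetrics(CREDENTIAL_TYPE_NONE)` and discards it, so execution falls through to the admin lookup even when the feature is absent; it presumably wants `return new PasswordMetrics(CREDENTIAL_TYPE_NONE);`. The line predates this commit, but it now sits in the helper that every internal caller reaches. Because the helper deliberately skips `hasFullCrossUsersPermission`, it should also carry a Javadoc stating the precondition, for example `/** Performs no permission check; the caller must already have authorized access to userId's password policy. */`. The method body continues past the end of the hunk.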
@@ -4293,7 +4297,7 @@
     private boolean isPasswordSufficientForUserWithoutCheckpointLocked(
             @NonNull PasswordMetrics metrics, @UserIdInt int userId) {
         final int complexity = getEffectivePasswordComplexityRequirementLocked(userId);
-        PasswordMetrics minMetrics = getPasswordMinimumMetrics(userId);
+        PasswordMetrics minMetrics = getPasswordMinimumMetricsUnchecked(userId);
         final List<PasswordValidationError> passwordValidationErrors =
                 PasswordMetrics.validatePasswordMetrics(
                         minMetrics, complexity, false, metrics);
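Review bot: `isPasswordSufficientForUserWithoutCheckpointLocked` accepts an arbitrary `userId` and, after this change, reads that user's minimum metrics with no permission check on the path, so its safety depends on every caller having authorized `userId` beforehand. Nothing in the hunk shows where that happens, so a comment above the call would make the contract explicit: `// Unchecked: callers must have verified access to userId before reaching here.` The third hunk is the easier case, since `userHandle` there comes from `UserHandle.getUserId(callingUid)` and the lookup is limited to the caller's own user; a one-line comment saying so would help future readers. Both enclosing methods start or end outside their hunks.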
@@ -4583,7 +4587,7 @@
         final int callingUid = caller.getUid();
         final int userHandle = UserHandle.getUserId(callingUid);
         synchronized (getLockObject()) {
-            final PasswordMetrics minMetrics = getPasswordMinimumMetrics(userHandle);
+            final PasswordMetrics minMetrics = getPasswordMinimumMetricsUnchecked(userHandle);
             final List<PasswordValidationError> validationErrors;
             final int complexity = getEffectivePasswordComplexityRequirementLocked(userHandle);
             // TODO: Consider changing validation API to take LockscreenCredential.