From 242f4b125939276be866bb0a637b89bfbc5aa880 Mon Sep 17 00:00:00 2001 From: Amith Yamasani Date: Tue, 14 Oct 2014 16:06:13 -0700 Subject: [PATCH] Fix admin policies in managed profiles Some of the admin policies are throwing security exceptions in a managed profile without being documented correctly and others shouldn't be throwing security exceptions. Changed setCameraDisabled() to not throw an exception. It now just prevents work profile apps from using the camera. Changed wipeData() to allow passing in ERASE_EXTERNAL_STORAGE. In secondary users/profiles, this is just going to remove the user, so the flag is harmless. Updated documentation for setKeyguardDisabledFeatures() and resetPassword() to indicate that they cannot be called in a managed profile. Bug: 17987913 Change-Id: I8060be4c2d32bdd4edb46ce543551fabb9c8c983 --- core/java/android/app/admin/DevicePolicyManager.java | 12 +++++++----- .../server/devicepolicy/DevicePolicyManagerService.java | 4 ---- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 2eba29a8adfe..a9d16bcb6ac8 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -1335,7 +1335,7 @@ public class DevicePolicyManager { * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call * this method; if it has not, a security exception will be thrown. * - * Can not be called from a managed profile. + *

Calling this from a managed profile will throw a security exception. * * @param password The new password for the user. * @param flags May be 0 or {@link #RESET_PASSWORD_REQUIRE_ENTRY}. @@ -1881,8 +1881,8 @@ public class DevicePolicyManager { /** * Called by an application that is administering the device to disable all cameras - * on the device. After setting this, no applications will be able to access any cameras - * on the device. + * on the device, for this user. After setting this, no applications running as this user + * will be able to access any cameras on the device. * *

The calling device admin must have requested * {@link DeviceAdminInfo#USES_POLICY_DISABLE_CAMERA} to be able to call @@ -1902,8 +1902,8 @@ public class DevicePolicyManager { } /** - * Determine whether or not the device's cameras have been disabled either by the current - * admin, if specified, or all admins. + * Determine whether or not the device's cameras have been disabled for this user, + * either by the current admin, if specified, or all admins. * @param admin The name of the admin component to check, or null to check if any admins * have disabled the camera */ @@ -2012,6 +2012,8 @@ public class DevicePolicyManager { * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call * this method; if it has not, a security exception will be thrown. * + *

Calling this from a managed profile will throw a security exception. + * * @param admin Which {@link DeviceAdminReceiver} this request is associated with. * @param which {@link #KEYGUARD_DISABLE_FEATURES_NONE} (default), * {@link #KEYGUARD_DISABLE_WIDGETS_ALL}, {@link #KEYGUARD_DISABLE_SECURE_CAMERA}, diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index f8f20dc458c0..7dc2de2abd5d 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -2924,9 +2924,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } enforceCrossUserPermission(userHandle); - if ((flags & DevicePolicyManager.WIPE_EXTERNAL_STORAGE) != 0) { - enforceNotManagedProfile(userHandle, "wipe external storage"); - } synchronized (this) { // This API can only be called by an active device admin, // so try to retrieve it to check that the caller is one. @@ -3526,7 +3523,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } enforceCrossUserPermission(userHandle); - enforceNotManagedProfile(userHandle, "enable/disable cameras"); synchronized (this) { if (who == null) { throw new NullPointerException("ComponentName is null"); -- 2.11.0