Limit IsSeparateProfileChallengeAllowed to system callers

author Pavel Grafov <pgrafov@google.com>

Wed, 10 Apr 2019 11:47:25 +0000 (12:47 +0100)

committer syphyr <syphyr@gmail.com>

Wed, 5 Jun 2019 19:09:05 +0000 (21:09 +0200)
author Pavel Grafov <pgrafov@google.com>
Wed, 10 Apr 2019 11:47:25 +0000 (12:47 +0100)
committer syphyr <syphyr@gmail.com>
Wed, 5 Jun 2019 19:09:05 +0000 (21:09 +0200)
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

index b211f91..fe0ee09 100644 (file)
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3156,6 +3156,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
  
      @Override
      public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
          ComponentName profileOwner = getProfileOwner(userHandle);
          // Profile challenge is supported on N or newer release.
          return profileOwner != null &&
author	Pavel Grafov <pgrafov@google.com>
	Wed, 10 Apr 2019 11:47:25 +0000 (12:47 +0100)
committer	syphyr <syphyr@gmail.com>
	Wed, 5 Jun 2019 19:09:05 +0000 (21:09 +0200)