commit | d7008c0ba385aa836a603186a007b8e14df34bcc | [log] [tgz] |
---|---|---|
author | Pavel Grafov <pgrafov@google.com> | Wed Apr 10 12:47:25 2019 +0100 |
committer | android-build-team Robot <android-build-team-robot@google.com> | Tue Apr 16 06:05:39 2019 +0000 |
tree | b9a0ffcd9cbd81b99e2f0df6e25d4a8853f1aa29 | |
parent | c7c26cc8e9cdcaa8621b10984be1748f55474c24 [diff] |
Limit IsSeparateProfileChallengeAllowed to system callers Fixes: 128599668 Test: build, set up separate challenge Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a (cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index cb52931..00b8366 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3930,6 +3930,9 @@ @Override public boolean isSeparateProfileChallengeAllowed(int userHandle) { + if (!isCallerWithSystemUid()) { + throw new SecurityException("Caller must be system"); + } ComponentName profileOwner = getProfileOwner(userHandle); // Profile challenge is supported on N or newer release. return profileOwner != null &&