authorJulia Reynolds <juliacr@google.com>2015-03-05 10:06:41 -0500
committerJulia Reynolds <juliacr@google.com>2015-03-05 11:47:14 -0500
commit1c3754a35c434e4102c7ac3dceb887fa137b153b (patch)
treedd71ae5dbf0bd6181abb4ed6cf688be0a39b6b97
parentaf3435481214b839fc462fcfe5e5ff378a31fb91 (diff)
Add security check for clearDeviceInitializer in the service.
Bug: 19230954 Change-Id: I5c648492bef0d2b579b6f59b91afc890e3092d36
-rw-r--r--api/current.txt2
-rw-r--r--api/system-current.txt2
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java8
-rw-r--r--core/java/android/app/admin/IDevicePolicyManager.aidl2
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java14
5 files changed, 18 insertions, 10 deletions
diff --git a/api/current.txt b/api/current.txt
index b96d241..7a348ea 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -5458,7 +5458,7 @@ package android.app.admin {
method public void addPersistentPreferredActivity(android.content.ComponentName, android.content.IntentFilter, android.content.ComponentName);
method public void addUserRestriction(android.content.ComponentName, java.lang.String);
method public void clearCrossProfileIntentFilters(android.content.ComponentName);
- method public void clearDeviceInitializerApp();
+ method public void clearDeviceInitializerApp(android.content.ComponentName);
method public void clearDeviceOwnerApp(java.lang.String);
method public void clearPackagePersistentPreferredActivities(android.content.ComponentName, java.lang.String);
method public void clearUserRestriction(android.content.ComponentName, java.lang.String);
diff --git a/api/system-current.txt b/api/system-current.txt
index 65df354..4755fe7 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -5552,7 +5552,7 @@ package android.app.admin {
method public void addPersistentPreferredActivity(android.content.ComponentName, android.content.IntentFilter, android.content.ComponentName);
method public void addUserRestriction(android.content.ComponentName, java.lang.String);
method public void clearCrossProfileIntentFilters(android.content.ComponentName);
- method public void clearDeviceInitializerApp();
+ method public void clearDeviceInitializerApp(android.content.ComponentName);
method public void clearDeviceOwnerApp(java.lang.String);
method public void clearPackagePersistentPreferredActivities(android.content.ComponentName, java.lang.String);
method public void clearProfileOwner(android.content.ComponentName);
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index add7130..3d587b6 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -2476,12 +2476,14 @@ public class DevicePolicyManager {
/**
* Removes the device initializer, so that it will not be invoked on user initialization for any
* subsequently created users. This method can be called by either the device owner or device
- * initializer itself.
+ * initializer itself. The caller must be an active administrator.
+ *
+ * @param who Which {@link DeviceAdminReceiver} this request is associated with.
*/
- public void clearDeviceInitializerApp() {
+ public void clearDeviceInitializerApp(ComponentName who) {
if (mService != null) {
try {
- mService.clearDeviceInitializer(mContext.getPackageName());
+ mService.clearDeviceInitializer(who);
} catch (RemoteException re) {
Log.w(TAG, "Failed to clear device initializer");
}
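Review bot: The updated Javadoc says the caller must be an active administrator but does not say what happens when that requirement is not met. The service-side change in this commit throws `SecurityException` both for a uid mismatch and for a caller that is neither the device initializer nor the device owner, and only `RemoteException` is caught here, so those exceptions reach the app. I would add `@throws SecurityException if {@code who} is not an active admin owned by the calling uid, or is neither the device initializer nor the device owner.` after the `@param who` line. The method body continues past the end of this hunk.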
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index 5e58fe0..5cbab4b 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -202,7 +202,7 @@ interface IDevicePolicyManager {
boolean setUserEnabled(in ComponentName who);
boolean isDeviceInitializer(String packageName);
- void clearDeviceInitializer(String packageName);
+ void clearDeviceInitializer(in ComponentName who);
boolean setDeviceInitializer(in ComponentName who, in ComponentName initializer, String initializerName);
String getDeviceInitializer();
}
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index aa9d8dd..fc9ff76 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3940,15 +3940,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
@Override
- public void clearDeviceInitializer(String packageName) {
+ public void clearDeviceInitializer(ComponentName who) {
if (!mHasFeature) {
return;
}
- if (packageName == null) {
- throw new NullPointerException("packageName is null");
+ Preconditions.checkNotNull(who, "ComponentName is null");
+
+ ActiveAdmin admin = getActiveAdminUncheckedLocked(who, UserHandle.getCallingUserId());
+
+ if (admin.getUid() != Binder.getCallingUid()) {
+ throw new SecurityException("Admin " + who + " is not owned by uid "
+ + Binder.getCallingUid());
}
- if (!isDeviceInitializer(packageName) && !isDeviceOwner(packageName)) {
+ if (!isDeviceInitializer(admin.info.getPackageName())
+ && !isDeviceOwner(admin.info.getPackageName())) {
throw new SecurityException(
"clearDeviceInitializer can only be called by the device initializer/owner");
}