diff options
author | Nicolas Prevot <nprevot@google.com> | 2015-07-28 20:41:12 +0100 |
---|---|---|
committer | Rubin Xu <rubinxu@google.com> | 2015-07-31 09:32:15 +0100 |
commit | e2a4a6ff8a83a4216824b2d40a323e56814d0463 (patch) | |
tree | 77de6d34bad24e105523e1272c4213dd6574e86d | |
parent | 7157c2ca81cb2c942a1e94cf1a0344babf6a8bd6 (diff) | |
download | frameworks_base-e2a4a6ff8a83a4216824b2d40a323e56814d0463.zip frameworks_base-e2a4a6ff8a83a4216824b2d40a323e56814d0463.tar.gz frameworks_base-e2a4a6ff8a83a4216824b2d40a323e56814d0463.tar.bz2 |
Don't always transfer device owner status to other users.
A device owner cannot use device or profile owner policies on
other users unless it is profile owner there. Also limit device
initializer to system apps only.
Bug: 21800830
Change-Id: Ie1abbd891945b91b17ecdf7f73ba93aaa19819be
-rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 5d05f32..0f85af6 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -1277,11 +1277,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { && !hasUserSetupCompleted(userId); if (reqPolicy == DeviceAdminInfo.USES_POLICY_DEVICE_OWNER) { - if (ownsDevice || (userId == UserHandle.USER_OWNER && ownsInitialization)) { + if ((userId == UserHandle.USER_OWNER && (ownsDevice || ownsInitialization)) + || (ownsDevice && ownsProfile)) { return true; } } else if (reqPolicy == DeviceAdminInfo.USES_POLICY_PROFILE_OWNER) { - if (ownsDevice || ownsProfile || ownsInitialization) { + if ((userId == UserHandle.USER_OWNER && ownsDevice) || ownsProfile + || ownsInitialization) { return true; } } else { @@ -4236,6 +4238,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { throw new IllegalArgumentException("Invalid component name " + initializer + " for device initializer"); } + boolean isInitializerSystemApp; + try { + isInitializerSystemApp = isSystemApp(AppGlobals.getPackageManager(), + initializer.getPackageName(), Binder.getCallingUserHandle().getIdentifier()); + } catch (RemoteException | IllegalArgumentException e) { + isInitializerSystemApp = false; + Slog.e(LOG_TAG, "Fail to check if device initialzer is system app.", e); + } + if (!isInitializerSystemApp) { + throw new IllegalArgumentException("Only system app can be set as device initializer."); + } synchronized (this) { enforceCanSetDeviceInitializer(who); |