DPM: Disallow some DeviceAdmin policies for ProfileOwners

A profile owner should only have control over the profile. All of the following device admin APIs that affect the device beyond the profile that they are called from are now disallowed: - Camera enable/disable - Keyguard - Wipe external storage @bug 14434826 Change-Id: I69acfdf6f654f48b5db91aeb3ea86662d7857075
author: Robin Lee <rgl@google.com> 2014-05-20 16:26:49 +0100
committer: Robin Lee <rgl@google.com> 2014-05-21 09:40:19 +0000
commit: a9ee6729538941a2b866d83ecbd891645f0ccc16 (patch)
tree: e721d80004ee09b67fdf1ef3251682599473d9d1 /services/devicepolicy
parent: c12aab2afe2930c400850831488a4225ac29d99b (diff)
download: frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.zip
frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.tar.gz
frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index e2cd4e2..35fdef9 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -2411,6 +2411,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             return;
         }
         enforceCrossUserPermission(userHandle);
+        if ((flags & DevicePolicyManager.WIPE_EXTERNAL_STORAGE) != 0) {
+            enforceNotManagedProfile(userHandle, "wipe external storage");
+        }
         synchronized (this) {
             // This API can only be called by an active device admin,
             // so try to retrieve it to check that the caller is one.
@@ -2863,6 +2866,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             return;
         }
         enforceCrossUserPermission(userHandle);
+        enforceNotManagedProfile(userHandle, "enable/disable cameras");
         synchronized (this) {
             if (who == null) {
                 throw new NullPointerException("ComponentName is null");
@@ -2912,6 +2916,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             return;
         }
         enforceCrossUserPermission(userHandle);
+        enforceNotManagedProfile(userHandle, "disable keyguard features");
         synchronized (this) {
             if (who == null) {
                 throw new NullPointerException("ComponentName is null");
@@ -2935,6 +2940,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             return 0;
         }
         enforceCrossUserPermission(userHandle);
+        enforceNotManagedProfile(userHandle, "list disabled keyguard features");
         synchronized (this) {
             if (who != null) {
                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
author	Robin Lee <rgl@google.com>	2014-05-20 16:26:49 +0100
committer	Robin Lee <rgl@google.com>	2014-05-21 09:40:19 +0000
commit	a9ee6729538941a2b866d83ecbd891645f0ccc16 (patch)
tree	e721d80004ee09b67fdf1ef3251682599473d9d1 /services/devicepolicy
parent	c12aab2afe2930c400850831488a4225ac29d99b (diff)
download	frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.zip frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.tar.gz frameworks_base-a9ee6729538941a2b866d83ecbd891645f0ccc16.tar.bz2