Merge cherrypicks of [8714308, 8712886, 8712887, 8712888, 8714213, 8714214] into oc-m8-releaseandroid-8.1.0_r67 oreo-m8-release

Change-Id: I5f456aec8c43107e95b063c5e16f917bdd21b9e9
author: android-build-team Robot <android-build-team-robot@google.com> 2019-07-23 20:21:24 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2019-07-23 20:21:24 +0000
commit: 3c1937306af31353aaecf045fb801ec3c126000f (patch)
tree: f0236ce1865a130b910d48ff9db9dae7786d2bda
parent: d3f6644bebfc7b393417f547501b5a501bfa5c39 (diff)
parent: aa868bc15c3fc9383146d303a84daca8a86f0487 (diff)
download: base-oreo-m8-release.tar.gz
2 files changed, 9 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index d6b572835950..132f3040d207 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -19446,6 +19446,12 @@ public class PackageManagerService extends IPackageManager.Stub
     @Override
     public boolean isPackageDeviceAdminOnAnyUser(String packageName) {
         final int callingUid = Binder.getCallingUid();
+        if (checkUidPermission(android.Manifest.permission.MANAGE_USERS, callingUid)
+                != PERMISSION_GRANTED) {
+            EventLog.writeEvent(0x534e4554, "128599183", -1, "");
+            throw new SecurityException(android.Manifest.permission.MANAGE_USERS
+                    + " permission is required to call this API");
+        }
         if (getInstantAppPackageName(callingUid) != null
                 && !isCallerSameApp(packageName, callingUid)) {
             return false;
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 77cb99f64eed..b0e06eb4de10 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3428,6 +3428,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 
     @Override
     public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
         ComponentName profileOwner = getProfileOwner(userHandle);
         // Profile challenge is supported on N or newer release.
         return profileOwner != null &&
author	android-build-team Robot <android-build-team-robot@google.com>	2019-07-23 20:21:24 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2019-07-23 20:21:24 +0000
commit	3c1937306af31353aaecf045fb801ec3c126000f (patch)
tree	f0236ce1865a130b910d48ff9db9dae7786d2bda
parent	d3f6644bebfc7b393417f547501b5a501bfa5c39 (diff)
parent	aa868bc15c3fc9383146d303a84daca8a86f0487 (diff)
download	base-oreo-m8-release.tar.gz