Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668 Test: build, set up separate challenge Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a (cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)
author: Pavel Grafov <pgrafov@google.com> 2019-04-10 12:47:25 +0100
committer: android-build-team Robot <android-build-team-robot@google.com> 2019-07-23 20:21:17 +0000
commit: aa868bc15c3fc9383146d303a84daca8a86f0487 (patch)
tree: f0236ce1865a130b910d48ff9db9dae7786d2bda
parent: 052ed9419bd91914decc277a84b99f6e296275dd (diff)
download: base-aa868bc15c3fc9383146d303a84daca8a86f0487.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 77cb99f64eed..b0e06eb4de10 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3428,6 +3428,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 
     @Override
     public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
         ComponentName profileOwner = getProfileOwner(userHandle);
         // Profile challenge is supported on N or newer release.
         return profileOwner != null &&
author	Pavel Grafov <pgrafov@google.com>	2019-04-10 12:47:25 +0100
committer	android-build-team Robot <android-build-team-robot@google.com>	2019-07-23 20:21:17 +0000
commit	aa868bc15c3fc9383146d303a84daca8a86f0487 (patch)
tree	f0236ce1865a130b910d48ff9db9dae7786d2bda
parent	052ed9419bd91914decc277a84b99f6e296275dd (diff)
download	base-aa868bc15c3fc9383146d303a84daca8a86f0487.tar.gz