Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668 Test: build, set up separate challenge Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a (cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)
author: Pavel Grafov <pgrafov@google.com> 2019-04-10 12:47:25 +0100
committer: Greg Wroblewski <musashi@google.com> 2019-04-15 12:17:10 -0700
commit: 65b5375649c0f14574c87a95f86c36f389083fe6 (patch)
tree: efabb10b0ba7c7675209551add9e4568406c9b3d
parent: f6f3295956bf55be5b2608252790056939178ee0 (diff)
download: base-65b5375649c0f14574c87a95f86c36f389083fe6.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 77cb99f64eed..b0e06eb4de10 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3428,6 +3428,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 
     @Override
     public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
         ComponentName profileOwner = getProfileOwner(userHandle);
         // Profile challenge is supported on N or newer release.
         return profileOwner != null &&
author	Pavel Grafov <pgrafov@google.com>	2019-04-10 12:47:25 +0100
committer	Greg Wroblewski <musashi@google.com>	2019-04-15 12:17:10 -0700
commit	65b5375649c0f14574c87a95f86c36f389083fe6 (patch)
tree	efabb10b0ba7c7675209551add9e4568406c9b3d
parent	f6f3295956bf55be5b2608252790056939178ee0 (diff)
download	base-65b5375649c0f14574c87a95f86c36f389083fe6.tar.gz