| author | 2015-10-21 10:55:56 +0100 | |
|---|---|---|
| committer | 2015-10-21 10:55:56 +0100 | |
| commit | 2a5d6c6cbd0286ebca844d4fb8f4d3437ad1ecdd (patch) | |
| tree | 7ffb8d1f631eecd3a96ca8ea5b5f9832a35d0efb | |
| parent | 4fc74408656edd2590e22f0f413d90c9114931db (diff) | |
Only system can set app restrictions
Only system/root UIDs or components with MANAGE_USERS permission
can set app restrictions. Apps should only be able to retrieve their
own restrictions, but not set them.
Change-Id: I1ebf30dc6ef5af12fa79230618f89b43aa7b1fb6
| -rw-r--r-- | services/core/java/com/android/server/pm/UserManagerService.java | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index de106a1d0d3c..84fc3836d4c7 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -576,8 +576,6 @@ public class UserManagerService extends IUserManager.Stub { @Override public Bundle getUserRestrictions(int userId) { - // checkManageUsersPermission("getUserRestrictions"); - synchronized (mPackagesLock) { Bundle restrictions = mUserRestrictions.get(userId); return restrictions != null ? new Bundle(restrictions) : new Bundle();
@@ -1648,7 +1646,7 @@ public class UserManagerService extends IUserManager.Stub { public Bundle getApplicationRestrictionsForUser(String packageName, int userId) { if (UserHandle.getCallingUserId() != userId || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) { - checkManageUsersPermission("Only system can get restrictions for other users/apps"); + checkManageUsersPermission("get application restrictions for other users/apps"); } synchronized (mPackagesLock) { // Read the restrictions from XML
@@ -1659,10 +1657,7 @@ public class UserManagerService extends IUserManager.Stub { @Override public void setApplicationRestrictions(String packageName, Bundle restrictions, int userId) { - if (UserHandle.getCallingUserId() != userId - || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) { - checkManageUsersPermission("Only system can set restrictions for other users/apps"); - } + checkManageUsersPermission("set application restrictions"); synchronized (mPackagesLock) { if (restrictions == null || restrictions.isEmpty()) { cleanAppRestrictionsForPackage(packageName, userId);
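Review bot: Nothing in the third hunk (@@ -1659,10 +1657,7) records that the now-unconditional `checkManageUsersPermission("set application restrictions");` in setApplicationRestrictions is deliberately stricter than getApplicationRestrictionsForUser, which still exempts a caller reading its own package's restrictions for its own user. A comment above the check, for example `// Setting is privileged-only: an app may read its own restrictions but must never change them.`, would keep a later cleanup from restoring the same-app exemption to match the getter. The diffstat shows only this file changed, so a regression test is worth adding that asserts a caller without MANAGE_USERS is rejected when it sets restrictions for its own package and user. The body of setApplicationRestrictions continues past the end of the hunk, so the rest of the write path is not visible here.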
@@ -1683,7 +1678,7 @@ public class UserManagerService extends IUserManager.Stub { @Override public void removeRestrictions() { - checkManageUsersPermission("Only system can remove restrictions"); + checkManageUsersPermission("remove restrictions"); final int userHandle = UserHandle.getCallingUserId(); removeRestrictionsForUser(userHandle, true); } |