Limit IsSeparateProfileChallengeAllowed to system callers

Fixes: 128599668 Test: build, set up separate challenge Change-Id: I2fef9ab13614627c0f1bcca04759d0974fc6181a (cherry picked from commit 1b6301cf2430f192c9842a05fc22984d782bade9)
author: Pavel Grafov <pgrafov@google.com> 2019-04-10 12:47:25 +0100
committer: android-build-team Robot <android-build-team-robot@google.com> 2019-04-16 22:39:09 +0000
commit: dcf3d9f84bbd556c9e9d2c9b76c97bd32cda4e3b (patch)
tree: 950ad015eaf8c08280b7503e7677a247dfeed0cd
parent: bac376dd4095c1ef930aff46e457af6a50956a31 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 11fe76383c76..4c0646ceed86 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3930,6 +3930,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
 
     @Override
     public boolean isSeparateProfileChallengeAllowed(int userHandle) {
+        if (!isCallerWithSystemUid()) {
+            throw new SecurityException("Caller must be system");
+        }
         ComponentName profileOwner = getProfileOwner(userHandle);
         // Profile challenge is supported on N or newer release.
         return profileOwner != null &&
author	Pavel Grafov <pgrafov@google.com>	2019-04-10 12:47:25 +0100
committer	android-build-team Robot <android-build-team-robot@google.com>	2019-04-16 22:39:09 +0000
commit	dcf3d9f84bbd556c9e9d2c9b76c97bd32cda4e3b (patch)
tree	950ad015eaf8c08280b7503e7677a247dfeed0cd
parent	bac376dd4095c1ef930aff46e457af6a50956a31 (diff)