diff options
| -rw-r--r-- | core/java/android/app/admin/DevicePolicyManager.java | 5 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 18 |
2 files changed, 17 insertions, 6 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 73980a50e567..47fd87d446ff 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -6363,6 +6363,9 @@ public class DevicePolicyManager { /** * Sets the device owner information to be shown on the lock screen. * <p> + * Device owner information set using this method overrides any owner information manually set + * by the user and prevents the user from further changing it. + * <p> * If the device owner information is {@code null} or empty then the device owner info is * cleared and the user owner info is shown on the lock screen if it is set. * <p> @@ -6372,6 +6375,8 @@ public class DevicePolicyManager { * If the device owner information needs to be localized, it is the responsibility of the * {@link DeviceAdminReceiver} to listen to the {@link Intent#ACTION_LOCALE_CHANGED} broadcast * and set a new version of this string accordingly. + * <p> + * May be called by the device owner or the profile owner of an organization-owned device. * * @param admin The name of the admin component to check. * @param info Device owner information which will be displayed instead of the user owner info. diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index f04c1c421666..b26468476b49 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -6685,6 +6685,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { mUserManager.setUserRestriction( UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, false, UserHandle.SYSTEM); + + // Device-wide policies set by the profile owner need to be cleaned up here. + mLockPatternUtils.setDeviceOwnerInfo(null); } finally { mInjector.binderRestoreCallingIdentity(ident); } @@ -8334,14 +8337,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } synchronized (getLockObject()) { - getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER); - long token = mInjector.binderClearCallingIdentity(); - try { - mLockPatternUtils.setDeviceOwnerInfo(info != null ? info.toString() : null); - } finally { - mInjector.binderRestoreCallingIdentity(token); + ActiveAdmin admin = getActiveAdminForCallerLocked(who, + DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); + if (!isProfileOwnerOfOrganizationOwnedDevice(admin) && !isDeviceOwner(admin)) { + throw new SecurityException("Only Device Owner or Profile Owner of" + + " organization-owned device can set screen lock info."); } } + + mInjector.binderWithCleanCallingIdentity(() -> + mLockPatternUtils.setDeviceOwnerInfo(info != null ? info.toString() : null)); + DevicePolicyEventLogger .createEvent(DevicePolicyEnums.SET_DEVICE_OWNER_LOCK_SCREEN_INFO) .setAdmin(who) |