Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a9ee6729 authored by Robin Lee's avatar Robin Lee
Browse files

DPM: Disallow some DeviceAdmin policies for ProfileOwners 

A profile owner should only have control over the profile. All of the
following device admin APIs that affect the device beyond the profile
that they are called from are now disallowed:

 - Camera enable/disable
 - Keyguard
 - Wipe external storage

@bug 14434826

Change-Id: I69acfdf6f654f48b5db91aeb3ea86662d7857075
parent c12aab2a

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+6 −0
Original line number Diff line number Diff line
@@ -2411,6 +2411,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            return;

        }

        enforceCrossUserPermission(userHandle);

        if ((flags & DevicePolicyManager.WIPE_EXTERNAL_STORAGE) != 0) {

            enforceNotManagedProfile(userHandle, "wipe external storage");

        }

        synchronized (this) {

            // This API can only be called by an active device admin,

            // so try to retrieve it to check that the caller is one.
@@ -2863,6 +2866,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            return;

        }

        enforceCrossUserPermission(userHandle);

        enforceNotManagedProfile(userHandle, "enable/disable cameras");

        synchronized (this) {

            if (who == null) {

                throw new NullPointerException("ComponentName is null");
@@ -2912,6 +2916,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            return;

        }

        enforceCrossUserPermission(userHandle);

        enforceNotManagedProfile(userHandle, "disable keyguard features");

        synchronized (this) {

            if (who == null) {

                throw new NullPointerException("ComponentName is null");
@@ -2935,6 +2940,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            return 0;

        }

        enforceCrossUserPermission(userHandle);

        enforceNotManagedProfile(userHandle, "list disabled keyguard features");

        synchronized (this) {

            if (who != null) {

                ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);