Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / frameworks / base / c5185f2bf1bf15ea0cfd72d30167fcbb1d61d437^! / .
commitc5185f2bf1bf15ea0cfd72d30167fcbb1d61d437[log] [tgz]
authorJason Monk <jmonk@google.com>Tue Jun 24 11:12:42 2014 -0400
committerJason Monk <jmonk@google.com>Tue Jun 24 14:12:20 2014 -0400
treed09199dfc2cebe8035aefef14a321724f1e98141
parent9e58b3c61c119c884b62c16b3e1a99b991a1d1bf [diff]
The profile owner shouldn't control lock task

Since managed profiles are started on bootup, the managed profile
would be allowed to set an app (possibly itself) as a lock task
app and then run itself on bootup and constantly control the
device.  This privelege should be restricted to device owners.

Change-Id: I4a93aabd6054cbe75076ef0517fce03ffa74dc93

diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index df6be8b..4351f9d 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java

@@ -2349,7 +2349,7 @@
      * <p>Any packages that shares uid with an allowed package will also be allowed
      * to activate lock task.
      *
-     * This function can only be called by the device owner or the profile owner.
+     * This function can only be called by the device owner.
      * @param packages The list of packages allowed to enter lock task mode
      *
      * @see Activity#startLockTask()

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 2801f4f..9c38bbc 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -3732,7 +3732,7 @@
     /**
      * Sets which packages may enter lock task mode.
      *
-     * This function can only be called by the device owner or the profile owner.
+     * This function can only be called by the device owner.
      * @param components The list of components allowed to enter lock task mode.
      */
     public void setLockTaskPackages(String[] packages) throws SecurityException {
@@ -3741,15 +3741,13 @@
         String[] packageNames = mContext.getPackageManager().getPackagesForUid(uid);
 
         synchronized (this) {
-            // Check whether any of the package name is the device owner or the profile owner.
+            // Check whether any of the package name is the device owner.
             for (int i=0; i<packageNames.length; i++) {
                 String packageName = packageNames[i];
                 int userHandle = UserHandle.getUserId(uid);
-                String profileOwnerPackage = getProfileOwner(userHandle);
-                if (isDeviceOwner(packageName) ||
-                    (profileOwnerPackage != null && profileOwnerPackage.equals(packageName))) {
+                if (isDeviceOwner(packageName)) {
 
-                    // If a package name is the device owner or the profile owner,
+                    // If a package name is the device owner,
                     // we update the component list.
                     DevicePolicyData policy = getUserData(userHandle);
                     policy.mLockTaskPackages.clear();