Merge "Apply user restriction to KeyChainService."
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 3d526e9..2564d03 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -28,6 +28,7 @@
 import android.os.Binder;
 import android.os.IBinder;
 import android.os.Process;
+import android.os.UserManager;
 import android.security.Credentials;
 import android.security.IKeyChainService;
 import android.security.KeyChain;
@@ -125,6 +126,7 @@
 
         @Override public void installCaCertificate(byte[] caCertificate) {
             checkCertInstallerOrSystemCaller();
+            checkUserRestriction();
             try {
                 synchronized (mTrustedCertificateStore) {
                     mTrustedCertificateStore.installCertificate(parseCertificate(caCertificate));
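Review bot: The guarded methods gain a second failure mode that nothing documents: `checkUserRestriction()` throws `SecurityException` before the `try` in installCaCertificate(), and likewise in reset() and deleteCaCertificate(). In those two, the existing `// only Settings should be able to ...` comments now describe only the caller check. I would extend them, e.g. `// only Settings may reset, and only when DISALLOW_CONFIG_CREDENTIALS is not set`, and add an equivalent line above the two checks in installCaCertificate(). The hunks show only these three entry points, so any other binder method in this class that changes stored credentials or grants should be checked for the same guard. All three method bodies continue outside their hunks.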
@@ -145,6 +147,7 @@
         @Override public boolean reset() {
             // only Settings should be able to reset
             checkSystemCaller();
+            checkUserRestriction();
             removeAllGrants(mDatabaseHelper.getWritableDatabase());
             boolean ok = true;
             synchronized (mTrustedCertificateStore) {
@@ -164,6 +167,7 @@
         @Override public boolean deleteCaCertificate(String alias) {
             // only Settings should be able to delete
             checkSystemCaller();
+            checkUserRestriction();
             boolean ok = true;
             synchronized (mTrustedCertificateStore) {
                 ok = deleteCertificateEntry(alias);
@@ -198,6 +202,12 @@
                 throw new IllegalStateException(actual);
             }
         }
+        private void checkUserRestriction() {
+            UserManager um = (UserManager) getSystemService(USER_SERVICE);
+            if (um.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) {
+                throw new SecurityException("User cannot modify credentials");
+            }
+        }
         /**
          * Returns null if actually caller is expected, otherwise return bad package to report
          */
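Review bot: `checkUserRestriction()` is added with no Javadoc and no blank line separating it from the preceding method's closing brace or from the Javadoc that follows it. A one-line comment such as `/** Throws SecurityException if DISALLOW_CONFIG_CREDENTIALS is set; call after the caller check. */` would state the contract. `hasUserRestriction(String)` is called without a user argument, so it presumably evaluates the restriction for the user this service instance runs as, not for the binder caller's user. It is worth confirming that this is the intended scope and saying so in the comment. A denied attempt leaves no trace on the service side, so a warning log line before the `throw` would help when auditing devices with restricted users.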