Merge "Apply user restriction to KeyChainService."
diff --git a/src/com/android/keychain/KeyChainService.java b/src/com/android/keychain/KeyChainService.java
index 3d526e9..2564d03 100644
--- a/src/com/android/keychain/KeyChainService.java
+++ b/src/com/android/keychain/KeyChainService.java
@@ -28,6 +28,7 @@
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
+import android.os.UserManager;
import android.security.Credentials;
import android.security.IKeyChainService;
import android.security.KeyChain;
@@ -125,6 +126,7 @@
@Override public void installCaCertificate(byte[] caCertificate) {
checkCertInstallerOrSystemCaller();
+ checkUserRestriction();
try {
synchronized (mTrustedCertificateStore) {
mTrustedCertificateStore.installCertificate(parseCertificate(caCertificate));
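Review bot: The added `checkUserRestriction();` sits before the `try`, so for a restricted user `installCaCertificate` now ends with a `SecurityException` thrown back to the Binder caller rather than going through whatever error handling the `try` provides. The same applies to the calls added in `reset()` and `deleteCaCertificate()`, which previously reported failure through their boolean return. The callers are not visible here, so it is worth confirming that they catch the exception or hide the action when the restriction is set. A short comment at each call site would record the contract, for example `// throws SecurityException if DISALLOW_CONFIG_CREDENTIALS is set for this user`. The method body continues outside the hunk, and any other state-changing entry point of the service that is not shown in this diff should be checked for the same guard.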
@@ -145,6 +147,7 @@
@Override public boolean reset() {
// only Settings should be able to reset
checkSystemCaller();
+ checkUserRestriction();
removeAllGrants(mDatabaseHelper.getWritableDatabase());
boolean ok = true;
synchronized (mTrustedCertificateStore) {
@@ -164,6 +167,7 @@
@Override public boolean deleteCaCertificate(String alias) {
// only Settings should be able to delete
checkSystemCaller();
+ checkUserRestriction();
boolean ok = true;
synchronized (mTrustedCertificateStore) {
ok = deleteCertificateEntry(alias);
@@ -198,6 +202,12 @@
throw new IllegalStateException(actual);
}
}
+ private void checkUserRestriction() {
+ UserManager um = (UserManager) getSystemService(USER_SERVICE);
+ if (um.hasUserRestriction(UserManager.DISALLOW_CONFIG_CREDENTIALS)) {
+ throw new SecurityException("User cannot modify credentials");
+ }
+ }
/**
* Returns null if actually caller is expected, otherwise return bad package to report
*/
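Review bot: `checkUserRestriction()` is added without a doc comment, although it is the single place where the policy is enforced and the helper just below it has Javadoc. I would add one stating that it throws `SecurityException` when `UserManager.DISALLOW_CONFIG_CREDENTIALS` is set, and that the restriction is evaluated for the user this service instance runs as. The lookup goes through the service's own `getSystemService(USER_SERVICE)`, not the Binder caller's identity. That is correct only if the service is bound per user, which is presumably the case but cannot be confirmed from this hunk. The caller check in the context lines above throws `IllegalStateException` while the new check throws `SecurityException`; if the difference is intentional, the Javadoc is the place to say so.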