Resolve policies that could be set locally and globally

    field @NonNull public static final android.app.admin.TargetUser GLOBAL;

    field @NonNull public static final android.app.admin.TargetUser LOCAL_USER;

    field @NonNull public static final android.app.admin.TargetUser PARENT_USER;

    field @NonNull public static final android.app.admin.TargetUser UNKNOWN_USER;

  }

  public final class UnsafeStateException extends java.lang.IllegalStateException implements android.os.Parcelable {

     */

    public static final String LOCK_TASK_POLICY = "lockTask";

    // TODO: Expose this as SystemAPI once we add the query API

    /**

     * @hide

     */

    public static final String USER_CONTROL_DISABLED_PACKAGES = "userControlDisabledPackages";

    /**

     * This object is a single place to tack on invalidation and disable calls.  All

     * binder caches in this class derive from this Config, so all can be invalidated or

     */

    public static final int GLOBAL_USER_ID = -3;

    /**

     * @hide

     */

    public static final int UNKNOWN_USER_ID = -3;

    /**

     * Indicates that the policy relates to the user the admin is installed on.

     */

    @NonNull

    public static final TargetUser GLOBAL = new TargetUser(GLOBAL_USER_ID);

    /**

     * Indicates that the policy relates to some unknown user on the device. For example, if Admin1

     * has set a global policy on a device and Admin2 has set a conflicting local

     * policy on some other secondary user, Admin1 will get a policy update callback with

     * {@code UNKNOWN_USER} as the target user.

     */

    @NonNull

    public static final TargetUser UNKNOWN_USER = new TargetUser(UNKNOWN_USER_ID);

    private final int mUserId;

    /**

        }

        List<String> protectedPackages = (owner == null || owner.protectedPackages == null)

                ? Collections.emptyList() : owner.protectedPackages;

                ? null : owner.protectedPackages;

        mInjector.binderWithCleanCallingIdentity(() ->

                mInjector.getPackageManagerInternal().setOwnerProtectedPackages(

                        targetUserId, protectedPackages));

                        admin,

                        caller.getUserId());

            } else {

                LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicy(

                LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(

                        PolicyDefinition.LOCK_TASK,

                        caller.getUserId()).getPoliciesSetByAdmins().get(admin);

                        admin,

                        caller.getUserId());

                LockTaskPolicy policy;

                if (currentPolicy == null) {

                    policy = new LockTaskPolicy(Set.of(packages));

        }

        if (isCoexistenceEnabled(caller)) {

            LockTaskPolicy policy = mDevicePolicyEngine.getLocalPolicy(

                    PolicyDefinition.LOCK_TASK, userHandle).getCurrentResolvedPolicy();

            LockTaskPolicy policy = mDevicePolicyEngine.getResolvedPolicy(

                    PolicyDefinition.LOCK_TASK, userHandle);

            if (policy == null) {

                return new String[0];

            } else {

        // TODO(b/260560985): This is not the right check, as the flag could be enabled but there

        //  could be an admin that hasn't targeted U.

        if (isCoexistenceFlagEnabled()) {

            LockTaskPolicy policy = mDevicePolicyEngine.getLocalPolicy(

                    PolicyDefinition.LOCK_TASK, userId).getCurrentResolvedPolicy();

            LockTaskPolicy policy = mDevicePolicyEngine.getResolvedPolicy(

                    PolicyDefinition.LOCK_TASK, userId);

            if (policy == null) {

                return false;

            }

        }

        if (isCoexistenceEnabled(caller)) {

            EnforcingAdmin admin = EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle);

            LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicy(

            LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(

                    PolicyDefinition.LOCK_TASK,

                    caller.getUserId()).getPoliciesSetByAdmins().get(admin);

                    admin,

                    caller.getUserId());

            if (currentPolicy == null) {

                throw new IllegalArgumentException("Can't set a lock task flags without setting "

                        + "lock task packages first.");

        }

        if (isCoexistenceEnabled(caller)) {

            LockTaskPolicy policy = mDevicePolicyEngine.getLocalPolicy(

                    PolicyDefinition.LOCK_TASK, userHandle).getCurrentResolvedPolicy();

            LockTaskPolicy policy = mDevicePolicyEngine.getResolvedPolicy(

                    PolicyDefinition.LOCK_TASK, userHandle);

            if (policy == null) {

                // We default on the power button menu, in order to be consistent with pre-P

                // behaviour.

        checkCanExecuteOrThrowUnsafe(

                DevicePolicyManager.OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES);

        if (isCoexistenceEnabled(caller)) {

            if (packages.isEmpty()) {

                removeUserControlDisabledPackages(caller);

            } else {

                addUserControlDisabledPackages(caller, new HashSet<>(packages));

            }

        } else {

            synchronized (getLockObject()) {

                ActiveAdmin owner = getDeviceOrProfileOwnerAdminLocked(caller.getUserId());

                if (!Objects.equals(owner.protectedPackages, packages)) {

                    pushUserControlDisabledPackagesLocked(caller.getUserId());

                }

            }

        }

        DevicePolicyEventLogger

                .createEvent(DevicePolicyEnums.SET_USER_CONTROL_DISABLED_PACKAGES)

                .write();

    }

    private void addUserControlDisabledPackages(CallerIdentity caller, Set<String> packages) {

        if (isCallerDeviceOwner(caller)) {

            mDevicePolicyEngine.setGlobalPolicy(

                    PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES,

                    // TODO(b/260573124): add correct enforcing admin when permission changes are

                    //  merged.

                    EnforcingAdmin.createEnterpriseEnforcingAdmin(

                            caller.getComponentName(), caller.getUserId()),

                    packages);

        } else {

            mDevicePolicyEngine.setLocalPolicy(

                    PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES,

                    // TODO(b/260573124): add correct enforcing admin when permission changes are

                    //  merged.

                    EnforcingAdmin.createEnterpriseEnforcingAdmin(

                            caller.getComponentName(), caller.getUserId()),

                    packages,

                    caller.getUserId());

        }

    }

    private void removeUserControlDisabledPackages(CallerIdentity caller) {

        if (isCallerDeviceOwner(caller)) {

            mDevicePolicyEngine.removeGlobalPolicy(

                    PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES,

                    // TODO(b/260573124): add correct enforcing admin when permission changes are

                    //  merged.

                    EnforcingAdmin.createEnterpriseEnforcingAdmin(

                            caller.getComponentName(), caller.getUserId()));

        } else {

            mDevicePolicyEngine.removeLocalPolicy(

                    PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES,

                    // TODO(b/260573124): add correct enforcing admin when permission changes are

                    //  merged.

                    EnforcingAdmin.createEnterpriseEnforcingAdmin(

                            caller.getComponentName(), caller.getUserId()),

                    caller.getUserId());

        }

    }

    private boolean isCallerDeviceOwner(CallerIdentity caller) {

        synchronized (getLockObject()) {

            return getDeviceOwnerUserIdUncheckedLocked() == caller.getUserId();

        }

    }

    @Override

    public List<String> getUserControlDisabledPackages(ComponentName who) {

        Objects.requireNonNull(who, "ComponentName is null");

        Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller) || isProfileOwner(caller)

                || isFinancedDeviceOwner(caller));

        if (isCoexistenceEnabled(caller)) {

            // This retrieves the policy for the calling user only, DOs for example can't know

            // what's enforced globally or on another user.

            Set<String> packages = mDevicePolicyEngine.getResolvedPolicy(

                    PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES,

                    caller.getUserId());

            return packages == null ? Collections.emptyList() : packages.stream().toList();

        } else {

            synchronized (getLockObject()) {

                ActiveAdmin deviceOwner = getDeviceOrProfileOwnerAdminLocked(caller.getUserId());

                return deviceOwner.protectedPackages != null

                        ? deviceOwner.protectedPackages : Collections.emptyList();

            }

        }

    }

    @Override

    public void setCommonCriteriaModeEnabled(ComponentName who, boolean enabled) {