Merge "Add backwards compatibility support for setUserRestrictions" into udc-dev (1e9f6dc4) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+183 −96

Original line number	Diff line number	Diff line
		@@ -2609,7 +2609,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		ActiveAdmin profileOwner, boolean newOwner) {
		if (newOwner \|\| mInjector.settingsSecureGetIntForUser(
		Settings.Secure.UNKNOWN_SOURCES_DEFAULT_REVERSED, 0, userId) != 0) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.getPolicyDefinitionForUserRestriction(
		UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
		@@ -2637,7 +2637,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) {
		return; // The same set of default restrictions has been already applied.
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		for (String restriction : defaultRestrictions) {
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction),
		@@ -8703,18 +8703,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		synchronized (getLockObject()) {
		Preconditions.checkCallAuthorization(!isManagedProfile(caller.getUserId()),
		"Managed profile cannot set auto time required");

		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, who.getPackageName());
		setGlobalUserRestrictionInternal(
		admin, UserManager.DISALLOW_CONFIG_DATE_TIME, required);
		} else {
		ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId());
		if (admin.requireAutoTime != required) {
		admin.requireAutoTime = required;
		saveSettingsLocked(caller.getUserId());
		requireAutoTimeChanged = true;
		}
		}
		// requireAutoTime is now backed by DISALLOW_CONFIG_DATE_TIME restriction, so propagate
		// updated restrictions to the framework.
		// requireAutoTime is now backed by DISALLOW_CONFIG_DATE_TIME restriction, so
		// propagate updated restrictions to the framework.
		if (requireAutoTimeChanged) {
		pushUserRestrictions(caller.getUserId());
		}
		}
		}
		// Turn AUTO_TIME on in settings if it is required
		if (required) {
		mInjector.binderWithCleanCallingIdentity(
		@@ -8736,6 +8743,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		if (!mHasFeature) {
		return false;
		}
		if (isPolicyEngineForFinanceFlagEnabled()) {
		Boolean required = mDevicePolicyEngine.getResolvedPolicy(
		PolicyDefinition.getPolicyDefinitionForUserRestriction(
		UserManager.DISALLOW_CONFIG_DATE_TIME),
		mInjector.binderGetCallingUserHandle().getIdentifier());
		return required != null && required;
		} else {
		synchronized (getLockObject()) {
		ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		if (deviceOwner != null && deviceOwner.requireAutoTime) {
		@@ -8754,6 +8768,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		}
		}

		/**
		* Set whether auto time is enabled on the device.
		@@ -9048,7 +9063,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		@@ -9057,14 +9072,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED);

		ActiveAdmin admin;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_CAMERA,
		caller.getPackageName(),
		getProfileParentUserIfRequested(userId, parent));
		admin = enforcingAdmin.getActiveAdmin();

		setBackwardCompatibleUserRestriction(
		caller, enforcingAdmin, UserManager.DISALLOW_CAMERA, disabled, parent);
		} else {
		Objects.requireNonNull(who, "ComponentName is null");
		if (parent) {
		@@ -9072,12 +9088,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		isProfileOwnerOfOrganizationOwnedDevice(caller));
		}
		synchronized (getLockObject()) {
		admin = getActiveAdminForCallerLocked(who,
		ActiveAdmin admin = getActiveAdminForCallerLocked(who,
		DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA, parent);
		}
		}

		synchronized (getLockObject()) {
		if (admin.disableCamera != disabled) {
		admin.disableCamera = disabled;
		saveSettingsLocked(userId);
		@@ -9085,9 +9097,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		// Tell the user manager that the restrictions have changed.
		pushUserRestrictions(userId);
		}

		final int affectedUserId = parent ? getProfileParentId(userId) : userId;
		if (SecurityLog.isLoggingEnabled()) {
		if (SecurityLog.isLoggingEnabled() && who != null) {
		SecurityLog.writeEvent(SecurityLog.TAG_CAMERA_POLICY_SET,
		who.getPackageName(), userId, affectedUserId, disabled ? 1 : 0);
		}
		@@ -9110,12 +9123,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		hasFullCrossUsersPermission(caller, userHandle)
		\|\| isCameraServerUid(caller)
		@@ -9131,6 +9144,22 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		}

		int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;

		if (isPolicyEngineForFinanceFlagEnabled()) {
		PolicyDefinition<Boolean> policy =
		PolicyDefinition.getPolicyDefinitionForUserRestriction(
		UserManager.DISALLOW_CAMERA);
		if (who != null) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, callerPackageName);
		return Boolean.TRUE.equals(
		mDevicePolicyEngine.getLocalPolicySetByAdmin(
		policy, admin, affectedUserId));
		} else {
		return Boolean.TRUE.equals(
		mDevicePolicyEngine.getResolvedPolicy(policy, affectedUserId));
		}
		} else {
		synchronized (getLockObject()) {
		if (who != null) {
		ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle, parent);
		@@ -9143,14 +9172,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		// Return the strictest policy across all participating admins.
		List<ActiveAdmin> admins;
		final int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
		if (isPermissionCheckFlagEnabled()) {
		admins = getActiveAdminsForAffectedUserInclPermissionBasedAdminLocked(
		affectedUserId);
		} else {
		admins = getActiveAdminsForAffectedUserLocked(affectedUserId);
		}
		List<ActiveAdmin> admins = getActiveAdminsForAffectedUserLocked(affectedUserId);

		// Determine whether or not the device camera is disabled for any active admins.
		for (ActiveAdmin activeAdmin : admins) {
		if (activeAdmin.disableCamera) {
		@@ -9160,6 +9183,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		}
		}

		@Override
		public void setKeyguardDisabledFeatures(
		@@ -13065,35 +13089,30 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		key,
		caller.getPackageName(),
		affectedUserId);
		if (mInjector.isChangeEnabled(ENABLE_COEXISTENCE_CHANGE, callerPackage, userId)) {
		PolicyDefinition<Boolean> policyDefinition =
		PolicyDefinition.getPolicyDefinitionForUserRestriction(key);
		if (enabledFromThisOwner) {
		mDevicePolicyEngine.setLocalPolicy(
		policyDefinition,
		admin,
		new BooleanPolicyValue(true),
		affectedUserId);
		setLocalUserRestrictionInternal(
		admin, key, /* enabled= */ true, affectedUserId);
		} else {
		// Remove any local and global policy that was set by the admin
		if (!policyDefinition.isLocalOnlyPolicy()) {
		mDevicePolicyEngine.removeGlobalPolicy(
		policyDefinition,
		admin);
		setGlobalUserRestrictionInternal(admin, key, /* enabled= */ false);
		}
		if (!policyDefinition.isGlobalOnlyPolicy()) {
		mDevicePolicyEngine.removeLocalPolicy(
		policyDefinition,
		admin,
		userId);
		setLocalUserRestrictionInternal(admin, key, /* enabled= */ false, userId);

		int parentUserId = getProfileParentId(userId);
		if (parentUserId != userId) {
		mDevicePolicyEngine.removeLocalPolicy(
		policyDefinition,
		admin,
		parentUserId);
		setLocalUserRestrictionInternal(
		admin, key, /* enabled= */ false, parentUserId);
		}
		}
		}
		} else {
		setBackwardCompatibleUserRestriction(
		caller, admin, key, enabledFromThisOwner, parent);
		}
		} else {
		Objects.requireNonNull(who, "ComponentName is null");
		@@ -13151,6 +13170,31 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		logUserRestrictionCall(key, enabledFromThisOwner, parent, caller);
		}

		private void setBackwardCompatibleUserRestriction(
		CallerIdentity caller, EnforcingAdmin admin, String key, boolean enabled,
		boolean parent) {
		synchronized (getLockObject()) {
		if (isDeviceOwner(caller)) {
		if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_DEVICE_OWNER, key)) {
		setGlobalUserRestrictionInternal(admin, key, enabled);
		} else {
		setLocalUserRestrictionInternal(admin, key, enabled, caller.getUserId());
		}
		} else if (isProfileOwner(caller)) {
		if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_PROFILE_OWNER, key)
		\|\| (parent && isProfileOwnerOfOrganizationOwnedDevice(caller)
		&& UserRestrictionsUtils.isGlobal(
		OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, key))) {
		setGlobalUserRestrictionInternal(admin, key, enabled);
		} else {
		int affectedUserId = parent
		? getProfileParentId(caller.getUserId()) : caller.getUserId();
		setLocalUserRestrictionInternal(admin, key, enabled, affectedUserId);
		}
		}
		}
		}

		@Override
		public void setUserRestrictionGlobally(String callerPackage, String key) {
		final CallerIdentity caller = getCallerIdentity(callerPackage);
		@@ -13164,6 +13208,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		throw new IllegalStateException("Feature flag is not enabled.");
		}

		if (!mInjector.isChangeEnabled(
		ENABLE_COEXISTENCE_CHANGE, callerPackage, caller.getUserId())) {
		throw new IllegalStateException("Calling package is not targeting Android U.");
		}

		EnforcingAdmin admin = enforcePermissionForUserRestriction(
		/* who= */ null,
		key,
		@@ -13171,12 +13220,43 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		caller.getUserId()
		);

		setGlobalUserRestrictionInternal(admin, key, /* enabled= */ true);

		logUserRestrictionCall(key, /* enabled= / true, / parent= */ false, caller);
		}

		private void setLocalUserRestrictionInternal(
		EnforcingAdmin admin, String key, boolean enabled, int userId) {
		PolicyDefinition<Boolean> policyDefinition =
		PolicyDefinition.getPolicyDefinitionForUserRestriction(key);
		if (enabled) {
		mDevicePolicyEngine.setLocalPolicy(
		policyDefinition,
		admin,
		new BooleanPolicyValue(true),
		userId);
		} else {
		mDevicePolicyEngine.removeLocalPolicy(
		policyDefinition,
		admin,
		userId);
		}
		}

		private void setGlobalUserRestrictionInternal(
		EnforcingAdmin admin, String key, boolean enabled) {
		PolicyDefinition<Boolean> policyDefinition =
		PolicyDefinition.getPolicyDefinitionForUserRestriction(key);
		if (enabled) {
		mDevicePolicyEngine.setGlobalPolicy(
		PolicyDefinition.getPolicyDefinitionForUserRestriction(key),
		admin,
		new BooleanPolicyValue(true));

		logUserRestrictionCall(key, /* enabled= / true, / parent= */ false, caller);
		} else {
		mDevicePolicyEngine.removeGlobalPolicy(
		policyDefinition,
		admin);
		}
		}

		private void logUserRestrictionCall(
		@@ -13279,10 +13359,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		if (isPolicyEngineForFinanceFlagEnabled()) {
		int targetUserId = parent
		? getProfileParentId(caller.getUserId()) : caller.getUserId();
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, callerPackage);
		return getUserRestrictionsFromPolicyEngine(
		admin,
		parent ? getProfileParentId(caller.getUserId()) : caller.getUserId());
		Bundle restrictions = getUserRestrictionsFromPolicyEngine(admin, targetUserId);
		// Add global restrictions set by the admin as well if admin is not targeting Android U.
		if (!mInjector.isChangeEnabled(
		ENABLE_COEXISTENCE_CHANGE, callerPackage, caller.getUserId())) {
		restrictions.putAll(
		getUserRestrictionsFromPolicyEngine(admin, UserHandle.USER_ALL));
		}
		return restrictions;
		} else {
		Objects.requireNonNull(who, "ComponentName is null");
		Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)