Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2095d130 authored by Sinduran Sivarajan's avatar Sinduran Sivarajan Committed by Android Build Coastguard Worker
Browse files

Disable "Developer options" by default for managed profiles. 

Bug: 382064697
Test: go/work-profile-creation-developer-access
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73b54cdf4b70831c4f952d7556274609cb46214e)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa90264c4dc194b74008523feb6b86e0ecc2c556)
Merged-In: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
parent 60335b2e

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+2 −1
Original line number Diff line number Diff line
@@ -282,7 +282,8 @@ public class UserRestrictionsUtils { 
     * in settings. So it is handled separately.

     */

    private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(

            UserManager.DISALLOW_BLUETOOTH_SHARING

            UserManager.DISALLOW_BLUETOOTH_SHARING,

            UserManager.DISALLOW_DEBUGGING_FEATURES

    );



    /**

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+29 −21
Original line number Diff line number Diff line
@@ -2663,13 +2663,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
     * Apply default restrictions that haven't been applied to a given admin yet.

     */

    private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) {

        Set<String> defaultRestrictions =

                UserRestrictionsUtils.getDefaultEnabledForManagedProfiles();

        if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) {

        final Set<String> restrictionsToSet =

            new ArraySet<>(UserRestrictionsUtils.getDefaultEnabledForManagedProfiles());

        restrictionsToSet.removeAll(admin.defaultEnabledRestrictionsAlreadySet);

        if (restrictionsToSet.isEmpty()) {

            return; // The same set of default restrictions has been already applied.

        }

        if (isPolicyEngineForFinanceFlagEnabled()) {

            for (String restriction : defaultRestrictions) {

            for (String restriction : restrictionsToSet) {

                mDevicePolicyEngine.setLocalPolicy(

                        PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction),

                        EnforcingAdmin.createEnterpriseEnforcingAdmin(
@@ -2678,9 +2679,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
                        new BooleanPolicyValue(true),

                        userId);

            }

            admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions);

            admin.defaultEnabledRestrictionsAlreadySet.addAll(restrictionsToSet);

            Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " +

                    defaultRestrictions);

                    restrictionsToSet);

            return;

        }









@@ -2688,14 +2689,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {



























        if (VERBOSE_LOG) {















            Slogf.d(LOG_TAG, "Default enabled restrictions: "













                    + defaultRestrictions













                    + restrictionsToSet















                    + ". Restrictions already enabled: "















                    + admin.defaultEnabledRestrictionsAlreadySet);















        }

























        final Set<String> restrictionsToSet = new ArraySet<>(defaultRestrictions);













        restrictionsToSet.removeAll(admin.defaultEnabledRestrictionsAlreadySet);













        if (!restrictionsToSet.isEmpty()) {















        for (final String restriction : restrictionsToSet) {















            admin.ensureUserRestrictions().putBoolean(restriction, true);















        }









@@ -2703,7 +2700,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













        Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " + restrictionsToSet);















        saveUserRestrictionsLocked(userId);















    }













    }





























    private void setDeviceOwnershipSystemPropertyLocked() {















        final boolean deviceProvisioned =










@@ -10192,7 +10188,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













                return false;















            }



























            if (isAdb(caller)) {













            boolean isAdb = isAdb(caller);













            if (isAdb) {















                // Log profile owner provisioning was started using adb.















                MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER);















                DevicePolicyEventLogger









@@ -10214,6 +10211,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













                    maybeSetDefaultRestrictionsForAdminLocked(userHandle, admin);















                    ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin,















                            true /* newOwner */);













                    if (isAdb) {













                        // DISALLOW_DEBUGGING_FEATURES is being added to newly-created













                        // work profile by default due to b/382064697 . This would have













                        //  impacted certain CTS test flows when they interact with the













                        // work profile via ADB (for example installing an app into the













                        // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to













                        // reduce the potential impact.













                        setLocalUserRestrictionInternal(













                            EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle),













                            UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle);













                    }















                }















                sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED,















                        userHandle);