Loading core/java/android/app/admin/DevicePolicyManager.java +74 −4 Original line number Diff line number Diff line Loading @@ -16,7 +16,6 @@ package android.app.admin; import static android.app.admin.flags.Flags.FLAG_SPLIT_CREATE_MANAGED_PROFILE_ENABLED; import static android.Manifest.permission.INTERACT_ACROSS_USERS; import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; import static android.Manifest.permission.LOCK_DEVICE; Loading Loading @@ -58,9 +57,10 @@ import static android.Manifest.permission.SET_TIME_ZONE; import static android.app.admin.DeviceAdminInfo.HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED; import static android.app.admin.flags.Flags.FLAG_DEVICE_THEFT_API_ENABLED; import static android.app.admin.flags.Flags.FLAG_REMOVE_MANAGED_PROFILE_ENABLED; import static android.app.admin.flags.Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED; import static android.app.admin.flags.Flags.FLAG_SPLIT_CREATE_MANAGED_PROFILE_ENABLED; import static android.app.admin.flags.Flags.onboardingBugreportV2Enabled; import static android.app.admin.flags.Flags.onboardingConsentlessBugreports; import static android.app.admin.flags.Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED; import static android.content.Intent.LOCAL_FLAG_FROM_SYSTEM; import static android.net.NetworkCapabilities.NET_ENTERPRISE_ID_1; import static android.os.Build.VERSION_CODES.UPSIDE_DOWN_CAKE; Loading Loading 
@@ -10766,8 +10766,8 @@ public class DevicePolicyManager { * in the calling user, as well as the parent user of an organization-owned managed profile via * the {@link DevicePolicyManager} instance returned by * {@link #getParentProfileInstance(ComponentName)}. App restrictions set by the device policy * management role holder are not returned by * {@link UserManager#getApplicationRestrictions(String)}. The target application should use * management role holder are returned by * {@link UserManager#getApplicationRestrictions(String)} but the target application should use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} to retrieve * them, alongside any app restrictions the profile or device owner might have set. * Loading Loading 
@@ -10796,6 +10796,42 @@ public class DevicePolicyManager { } } /** * Similar to the public variant of {@link #setApplicationRestrictions} but for use by the * system. * * <p>Called by a system service only, meaning that the caller's UID must be equal to * {@link Process#SYSTEM_UID}. * * @throws SecurityException if caller is not permitted to set Mte policy * @throws UnsupportedOperationException if the device does not support MTE * @param systemEntity The service entity that adds the restriction. A application restriction * set by a service entity can only be cleared by the same entity. This can * be just the calling package name, or any string of the caller's choice * can be used. * @param packageName The name of the package to update restricted settings for. * @param settings A {@link Bundle} to be parsed by the receiving application, conveying a new * set of active restrictions. * @throws SecurityException if {@code admin} is not a device or profile owner. * @see #setDelegatedScopes * @see #DELEGATION_APP_RESTRICTIONS * @see UserManager#KEY_RESTRICTIONS_PENDING * @hide */ @WorkerThread public void setApplicationRestrictionsBySystem( @NonNull String systemEntity, String packageName, Bundle settings) { throwIfParentInstance("setApplicationRestrictions"); if (mService != null) { try { mService.setApplicationRestrictionsBySystem( systemEntity, packageName, myUserId(), settings); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } } /** * Sets a list of configuration features to enable for a trust agent component. This is meant to * be used in conjunction with {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, which disables all trust Loading Loading 
@@ -12222,6 +12258,40 @@ public class DevicePolicyManager { return null; } /** * Similar to the public variant of {@link #getApplicationRestrictions} but for use by the * system. * * <p>Called by a system service only, meaning that the caller's UID must be equal to * {@link Process#SYSTEM_UID}. * * @param systemEntity The service entity that adds the restriction. A application restriction * set by a service entity can only be cleared by the same entity. This can * be just the calling package name, or any string of the caller's choice * can be used. * @param packageName The name of the package to fetch restricted settings of. * @return {@link Bundle} of settings corresponding to what was set last time * {@link DevicePolicyManager#setApplicationRestrictions} was called, or an empty * {@link Bundle} if no restrictions have been set. * @throws SecurityException if {@code admin} is not a device or profile owner. * @see #setDelegatedScopes * @see #DELEGATION_APP_RESTRICTIONS * @hide */ @WorkerThread public @NonNull Bundle getApplicationRestrictionsBySystem( @NonNull String systemEntity, @NonNull String packageName) { if (mService != null) { try { return mService.getApplicationRestrictionsBySystem( systemEntity, packageName, myUserId()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } return null; } /** * Called by a profile owner, device owner or a holder of any permission that is associated with * a user restriction to set a user restriction specified by the key. core/java/android/app/admin/DevicePolicyManagerInternal.java +3 −1 Original line number Diff line number Diff line Loading 
@@ -323,7 +323,9 @@ public abstract class DevicePolicyManagerInternal { /** * Returns a map of admin to {@link Bundle} map of restrictions set by the admins for the * provided {@code packageName} in the provided {@code userId} * provided {@code packageName} in the provided {@code userId}. * * <p> App restrictions set by the DPC are always put at the front of the returned list. */ public abstract List<Bundle> getApplicationRestrictionsPerAdminForUser( String packageName, @UserIdInt int userId); Loading core/java/android/app/admin/IDevicePolicyManager.aidl +2 −0 Original line number Diff line number Diff line Loading @@ -250,6 +250,8 @@ interface IDevicePolicyManager { Bundle getApplicationRestrictions(in ComponentName who, in String callerPackage, in String packageName, in boolean parent); boolean setApplicationRestrictionsManagingPackage(in ComponentName admin, in String packageName); String getApplicationRestrictionsManagingPackage(in ComponentName admin); void setApplicationRestrictionsBySystem(in String systemEntity, in String packageName, in int userId, in Bundle settings); Bundle getApplicationRestrictionsBySystem(in String systemEntity, in String packageName, in int userId); boolean isCallerApplicationRestrictionsManagingPackage(in String callerPackage); void setRestrictionsProvider(in ComponentName who, in ComponentName provider); Loading core/java/android/app/admin/flags/flags.aconfig +10 −0 Original line number Diff line number Diff line Loading @@ -112,6 +112,16 @@ flag { bug: "359188153" } flag { name: "app_restrictions_coexistence" namespace: "supervision" description: "Enables coexistence support for setApplicationRestrictions." bug: "359188153" metadata { purpose: PURPOSE_BUGFIX } } flag { name: "set_auto_time_enabled_coexistence" is_exported: true Loading core/java/android/os/UserManager.java +15 −6 Original line number Diff line number Diff line Loading 
@@ -6674,9 +6674,12 @@ public class UserManager { * * <p>Starting from Android version {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, * it is possible for there to be multiple managing apps on the device with the ability to set * restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This API will only to return the restrictions set by the DPCs. To retrieve restrictions * set by all managing apps, use * app restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This method will always return the app restrictions set by the DPC, if the DPC has set one. * Beginning from SDK level 36.1, if the DPC has not set any app restriction while other * managing apps have set some, this method will return app restrictions set by one of those * managing apps. There is no guarantee on which managing apps app restriction will be returned. * To retrieve restrictions set by all managing apps, use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} instead. * * @param packageName the package name of the calling application Loading 
@@ -6700,11 +6703,17 @@ public class UserManager { /** * <p>Starting from Android version {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, * it is possible for there to be multiple managing apps on the device with the ability to set * restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This API will only to return the restrictions set by the DPCs. To retrieve restrictions * set by all managing apps, use * app restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This method will always return the app restrictions set by the DPC, if the DPC has set one. * Beginning from SDK level 36.1, if the DPC has not set any app restriction while other * managing apps have set some, this method will return app restrictions set by one of those * managing apps. There is no guarantee on which managing apps app restriction will be returned. * To retrieve restrictions set by all managing apps, use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} instead. * * @deprecated Retrieve restrictions set by all agents using * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} and merge the * result. * @hide */ @WorkerThread Loading Loading
core/java/android/app/admin/DevicePolicyManager.java +74 −4 Original line number Diff line number Diff line Loading @@ -16,7 +16,6 @@ package android.app.admin; import static android.app.admin.flags.Flags.FLAG_SPLIT_CREATE_MANAGED_PROFILE_ENABLED; import static android.Manifest.permission.INTERACT_ACROSS_USERS; import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; import static android.Manifest.permission.LOCK_DEVICE; Loading Loading @@ -58,9 +57,10 @@ import static android.Manifest.permission.SET_TIME_ZONE; import static android.app.admin.DeviceAdminInfo.HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED; import static android.app.admin.flags.Flags.FLAG_DEVICE_THEFT_API_ENABLED; import static android.app.admin.flags.Flags.FLAG_REMOVE_MANAGED_PROFILE_ENABLED; import static android.app.admin.flags.Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED; import static android.app.admin.flags.Flags.FLAG_SPLIT_CREATE_MANAGED_PROFILE_ENABLED; import static android.app.admin.flags.Flags.onboardingBugreportV2Enabled; import static android.app.admin.flags.Flags.onboardingConsentlessBugreports; import static android.app.admin.flags.Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED; import static android.content.Intent.LOCAL_FLAG_FROM_SYSTEM; import static android.net.NetworkCapabilities.NET_ENTERPRISE_ID_1; import static android.os.Build.VERSION_CODES.UPSIDE_DOWN_CAKE; Loading Loading 
@@ -10766,8 +10766,8 @@ public class DevicePolicyManager { * in the calling user, as well as the parent user of an organization-owned managed profile via * the {@link DevicePolicyManager} instance returned by * {@link #getParentProfileInstance(ComponentName)}. App restrictions set by the device policy * management role holder are not returned by * {@link UserManager#getApplicationRestrictions(String)}. The target application should use * management role holder are returned by * {@link UserManager#getApplicationRestrictions(String)} but the target application should use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} to retrieve * them, alongside any app restrictions the profile or device owner might have set. * Loading Loading 
@@ -10796,6 +10796,42 @@ public class DevicePolicyManager { } } /** * Similar to the public variant of {@link #setApplicationRestrictions} but for use by the * system. * * <p>Called by a system service only, meaning that the caller's UID must be equal to * {@link Process#SYSTEM_UID}. * * @throws SecurityException if caller is not permitted to set Mte policy * @throws UnsupportedOperationException if the device does not support MTE * @param systemEntity The service entity that adds the restriction. A application restriction * set by a service entity can only be cleared by the same entity. This can * be just the calling package name, or any string of the caller's choice * can be used. * @param packageName The name of the package to update restricted settings for. * @param settings A {@link Bundle} to be parsed by the receiving application, conveying a new * set of active restrictions. * @throws SecurityException if {@code admin} is not a device or profile owner. * @see #setDelegatedScopes * @see #DELEGATION_APP_RESTRICTIONS * @see UserManager#KEY_RESTRICTIONS_PENDING * @hide */ @WorkerThread public void setApplicationRestrictionsBySystem( @NonNull String systemEntity, String packageName, Bundle settings) { throwIfParentInstance("setApplicationRestrictions"); if (mService != null) { try { mService.setApplicationRestrictionsBySystem( systemEntity, packageName, myUserId(), settings); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } } /** * Sets a list of configuration features to enable for a trust agent component. This is meant to * be used in conjunction with {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, which disables all trust Loading Loading 
@@ -12222,6 +12258,40 @@ public class DevicePolicyManager { return null; } /** * Similar to the public variant of {@link #getApplicationRestrictions} but for use by the * system. * * <p>Called by a system service only, meaning that the caller's UID must be equal to * {@link Process#SYSTEM_UID}. * * @param systemEntity The service entity that adds the restriction. A application restriction * set by a service entity can only be cleared by the same entity. This can * be just the calling package name, or any string of the caller's choice * can be used. * @param packageName The name of the package to fetch restricted settings of. * @return {@link Bundle} of settings corresponding to what was set last time * {@link DevicePolicyManager#setApplicationRestrictions} was called, or an empty * {@link Bundle} if no restrictions have been set. * @throws SecurityException if {@code admin} is not a device or profile owner. * @see #setDelegatedScopes * @see #DELEGATION_APP_RESTRICTIONS * @hide */ @WorkerThread public @NonNull Bundle getApplicationRestrictionsBySystem( @NonNull String systemEntity, @NonNull String packageName) { if (mService != null) { try { return mService.getApplicationRestrictionsBySystem( systemEntity, packageName, myUserId()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } return null; } /** * Called by a profile owner, device owner or a holder of any permission that is associated with * a user restriction to set a user restriction specified by the key.
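Review bot: `getApplicationRestrictionsBySystem` in the last hunk is declared `@NonNull Bundle` and its Javadoc promises an empty Bundle when nothing is set, yet the fall-through when `mService` is null is `return null;`. That statement should become `return Bundle.EMPTY;` (or `new Bundle()`), or the annotation should be `@Nullable`. The getter also omits the `throwIfParentInstance(...)` call that `setApplicationRestrictionsBySystem` makes in the `@@ -10796` hunk, and the setter passes the name `"setApplicationRestrictions"` rather than its own. The setter's two `@throws` lines about Mte/MTE, and the `@throws SecurityException if {@code admin} is not a device or profile owner` line in both methods, look copied from elsewhere since neither method takes an `admin`; I would replace them with `@throws SecurityException if the caller's UID is not {@link Process#SYSTEM_UID}`. That UID check is not visible in these client-side wrappers, so it presumably lives in the service implementation, which this page does not show.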
core/java/android/app/admin/DevicePolicyManagerInternal.java +3 −1 Original line number Diff line number Diff line Loading @@ -323,7 +323,9 @@ public abstract class DevicePolicyManagerInternal { /** * Returns a map of admin to {@link Bundle} map of restrictions set by the admins for the * provided {@code packageName} in the provided {@code userId} * provided {@code packageName} in the provided {@code userId}. * * <p> App restrictions set by the DPC are always put at the front of the returned list. */ public abstract List<Bundle> getApplicationRestrictionsPerAdminForUser( String packageName, @UserIdInt int userId); Loading
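Review bot: The added sentence promises that DPC restrictions come first in the returned list, but a `List<Bundle>` carries no admin identity, so when the DPC has set nothing a caller reading element 0 cannot tell that it came from another managing app. The summary above it still says "a map of admin to {@link Bundle} map" although the method returns `List<Bundle>`. I would reword the summary to `Returns the restriction {@link Bundle}s set by each admin for the provided {@code packageName} in the provided {@code userId}.` and add `If the DPC has set no restrictions, the first element belongs to another admin.`, provided that matches the implementation, which is not shown here.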
core/java/android/app/admin/IDevicePolicyManager.aidl +2 −0 Original line number Diff line number Diff line Loading @@ -250,6 +250,8 @@ interface IDevicePolicyManager { Bundle getApplicationRestrictions(in ComponentName who, in String callerPackage, in String packageName, in boolean parent); boolean setApplicationRestrictionsManagingPackage(in ComponentName admin, in String packageName); String getApplicationRestrictionsManagingPackage(in ComponentName admin); void setApplicationRestrictionsBySystem(in String systemEntity, in String packageName, in int userId, in Bundle settings); Bundle getApplicationRestrictionsBySystem(in String systemEntity, in String packageName, in int userId); boolean isCallerApplicationRestrictionsManagingPackage(in String callerPackage); void setRestrictionsProvider(in ComponentName who, in ComponentName provider); Loading
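Review bot: Both new transactions take a caller-supplied `userId` and a free-form `systemEntity`, and nothing in the interface ties either value to the caller, so the only barrier is the SYSTEM_UID requirement described in the DevicePolicyManager Javadoc. The implementation is not on this page; it should reject any caller whose `Binder.getCallingUid()` is not `Process.SYSTEM_UID` before it acts on `userId` or stores anything under `systemEntity`. A one-line comment above the two declarations would keep that contract visible at the binder boundary, for example `// System-only: the service must verify the calling UID is SYSTEM_UID before trusting userId or systemEntity.`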
core/java/android/app/admin/flags/flags.aconfig +10 −0 Original line number Diff line number Diff line Loading @@ -112,6 +112,16 @@ flag { bug: "359188153" } flag { name: "app_restrictions_coexistence" namespace: "supervision" description: "Enables coexistence support for setApplicationRestrictions." bug: "359188153" metadata { purpose: PURPOSE_BUGFIX } } flag { name: "set_auto_time_enabled_coexistence" is_exported: true Loading
core/java/android/os/UserManager.java +15 −6 Original line number Diff line number Diff line Loading @@ -6674,9 +6674,12 @@ public class UserManager { * * <p>Starting from Android version {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, * it is possible for there to be multiple managing apps on the device with the ability to set * restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This API will only to return the restrictions set by the DPCs. To retrieve restrictions * set by all managing apps, use * app restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This method will always return the app restrictions set by the DPC, if the DPC has set one. * Beginning from SDK level 36.1, if the DPC has not set any app restriction while other * managing apps have set some, this method will return app restrictions set by one of those * managing apps. There is no guarantee on which managing apps app restriction will be returned. * To retrieve restrictions set by all managing apps, use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} instead. * * @param packageName the package name of the calling application Loading 
@@ -6700,11 +6703,17 @@ public class UserManager { /** * <p>Starting from Android version {@link android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE}, * it is possible for there to be multiple managing apps on the device with the ability to set * restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This API will only to return the restrictions set by the DPCs. To retrieve restrictions * set by all managing apps, use * app restrictions, e.g. an Enterprise Device Policy Controller (DPC) and a Supervision admin. * This method will always return the app restrictions set by the DPC, if the DPC has set one. * Beginning from SDK level 36.1, if the DPC has not set any app restriction while other * managing apps have set some, this method will return app restrictions set by one of those * managing apps. There is no guarantee on which managing apps app restriction will be returned. * To retrieve restrictions set by all managing apps, use * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} instead. * * @deprecated Retrieve restrictions set by all agents using * {@link android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin} and merge the * result. * @hide */ @WorkerThread Loading
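Review bot: The new paragraph, repeated in both hunks of this file, says that when the DPC has set nothing the method returns the restrictions of an unspecified managing app, so an app that enforces policy from this Bundle may be acting on a different admin's settings than it expects. The text should state that consequence and direct enforcement-sensitive callers to the per-admin API, rather than stopping at "no guarantee". The phrase `managing apps app restriction` needs a possessive (`managing app's restrictions`), and `SDK level 36.1` would be easier to track as a `{@link android.os.Build.VERSION_CODES}` constant like the one used earlier in the same paragraph. The second hunk adds a Javadoc `@deprecated` tag but no `@Deprecated` annotation among the added lines; the method declaration lies outside the hunk, so confirm the annotation is present there.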