Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 29217e3f authored by Sinduran Sivarajan's avatar Sinduran Sivarajan Committed by Android Build Coastguard Worker
Browse files

Disable "Developer options" by default for managed profiles. 

Bug: 382064697
Test: go/work-profile-creation-developer-access
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73b54cdf4b70831c4f952d7556274609cb46214e)
Merged-In: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
parent 419a0c16

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+2 −1
Original line number Diff line number Diff line
@@ -309,7 +309,8 @@ public class UserRestrictionsUtils { 
     * in settings. So it is handled separately.

     */

    private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(

            UserManager.DISALLOW_BLUETOOTH_SHARING

            UserManager.DISALLOW_BLUETOOTH_SHARING,

            UserManager.DISALLOW_DEBUGGING_FEATURES

    );



    /**

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+23 −11
Original line number Diff line number Diff line
@@ -2723,16 +2723,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
        }

    }













    /**













     * Apply default restrictions that haven't been applied to a given admin yet.













     */













    /** Apply default restrictions that haven't been applied to a given admin yet. */















    private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) {













        Set<String> defaultRestrictions =













                UserRestrictionsUtils.getDefaultEnabledForManagedProfiles();













        if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) {













        Set<String> newDefaultRestrictions = new HashSet(













            UserRestrictionsUtils.getDefaultEnabledForManagedProfiles());













        newDefaultRestrictions.removeAll(admin.defaultEnabledRestrictionsAlreadySet);













        if (newDefaultRestrictions.isEmpty()) {















            return; // The same set of default restrictions has been already applied.















        }













        for (String restriction : defaultRestrictions) {

























        for (String restriction : newDefaultRestrictions) {















            mDevicePolicyEngine.setLocalPolicy(















                    PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction),















                    EnforcingAdmin.createEnterpriseEnforcingAdmin(









@@ -2740,10 +2740,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













                            admin.getUserHandle().getIdentifier()),















                    new BooleanPolicyValue(true),















                    userId);













            admin.defaultEnabledRestrictionsAlreadySet.add(restriction);













            Slogf.i(LOG_TAG, "Enabled the following restriction by default: " + restriction);















        }













        admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions);













        Slogf.i(LOG_TAG, "Enabled the following restrictions by default: "













                + defaultRestrictions);















    }





























    private void maybeStartSecurityLogMonitorOnActivityManagerReady() {










@@ -10329,7 +10328,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













                return false;















            }



























            if (isAdb(caller)) {













            boolean isAdb = isAdb(caller);













            if (isAdb) {















                // Log profile owner provisioning was started using adb.















                MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER);















                DevicePolicyEventLogger









@@ -10352,6 +10352,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {













                    ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin,















                            true /* newOwner */);















                }













                if(isAdb) {













                    // DISALLOW_DEBUGGING_FEATURES is being added to newly-created













                    // work profile by default due to b/382064697 . This would have













                    //  impacted certain CTS test flows when they interact with the













                    // work profile via ADB (for example installing an app into the













                    // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to













                    // reduce the potential impact.













                    setLocalUserRestrictionInternal(













                        EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle),













                        UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle);













                }



























                sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED,















                        userHandle);















            });