Allow primary user only restrictions to be set on main user. (295f8382) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+9 −9

Original line number	Diff line number	Diff line
		@@ -167,10 +167,10 @@ public class UserRestrictionsUtils {
		);

		/**
		* User restrictions that cannot be set by profile owners of secondary users. When set by DO
		* they will be applied to all users.
		* User restrictions that can only be set by profile owners on the main user, or by device
		* owners. When set by DO they will be applied to all users.
		*/
		private static final Set<String> PRIMARY_USER_ONLY_RESTRICTIONS = Sets.newArraySet(
		private static final Set<String> MAIN_USER_ONLY_RESTRICTIONS = Sets.newArraySet(
		UserManager.DISALLOW_BLUETOOTH,
		UserManager.DISALLOW_USB_FILE_TRANSFER,
		UserManager.DISALLOW_CONFIG_TETHERING,
		@@ -454,14 +454,14 @@ public class UserRestrictionsUtils {
		}

		/**
		* @return true if a restriction is settable by profile owner. Note it takes a user ID because
		* some restrictions can be changed by PO only when it's running on the system user.
		* @return true if a restriction is settable by profile owner. Note it takes a boolean to say
		* if the relevant user is the {@link UserManager#isMainUser() MainUser}, because some
		* restrictions can be changed by PO only when it's running on the main user.
		*/
		public static boolean canProfileOwnerChange(String restriction, int userId) {
		public static boolean canProfileOwnerChange(String restriction, boolean isMainUser) {
		return !IMMUTABLE_BY_OWNERS.contains(restriction)
		&& !DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)
		&& !(userId != UserHandle.USER_SYSTEM
		&& PRIMARY_USER_ONLY_RESTRICTIONS.contains(restriction));
		&& !(!isMainUser && MAIN_USER_ONLY_RESTRICTIONS.contains(restriction));
		}

		/**
		@@ -494,7 +494,7 @@ public class UserRestrictionsUtils {
		public static boolean isGlobal(@UserManagerInternal.OwnerType int restrictionOwnerType,
		String key) {
		return ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) && (
		PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) \|\| GLOBAL_RESTRICTIONS.contains(key)))
		MAIN_USER_ONLY_RESTRICTIONS.contains(key) \|\| GLOBAL_RESTRICTIONS.contains(key)))
		\|\| ((restrictionOwnerType
		== UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)
		&& PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key))

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+9 −8

Original line number	Diff line number	Diff line
		@@ -9000,12 +9000,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		private @UserIdInt int getMainUserId() {
		UserHandle mainUser = mUserManager.getMainUser();
		if (mainUser == null) {
		int mainUserId = mUserManagerInternal.getMainUserId();
		if (mainUserId == UserHandle.USER_NULL) {
		Slogf.d(LOG_TAG, "getMainUserId(): no main user, returning USER_SYSTEM");
		return UserHandle.USER_SYSTEM;
		}
		return mainUser.getIdentifier();
		return mainUserId;
		}

		// TODO(b/240562946): Remove api as owner name is not used.
		@@ -11912,10 +11912,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Preconditions.checkCallAuthorization(isDeviceOwner(caller) \|\| isProfileOwner(caller));
		}

		int userHandle = caller.getUserId();
		int userId = caller.getUserId();
		synchronized (getLockObject()) {
		final ActiveAdmin activeAdmin = getParentOfAdminIfRequired(
		getProfileOwnerOrDeviceOwnerLocked(userHandle), parent);
		getProfileOwnerOrDeviceOwnerLocked(userId), parent);

		if (isDefaultDeviceOwner(caller)) {
		if (!UserRestrictionsUtils.canDeviceOwnerChange(key)) {
		@@ -11932,7 +11932,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		"Cannot use the parent instance in Financed Device Owner mode");
		} else {
		boolean profileOwnerCanChangeOnItself = !parent
		&& UserRestrictionsUtils.canProfileOwnerChange(key, userHandle);
		&& UserRestrictionsUtils.canProfileOwnerChange(
		key, userId == getMainUserId());
		boolean orgOwnedProfileOwnerCanChangesGlobally = parent
		&& isProfileOwnerOfOrganizationOwnedDevice(caller)
		&& UserRestrictionsUtils.canProfileOwnerOfOrganizationOwnedDeviceChange(
		@@ -11951,7 +11952,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		} else {
		restrictions.remove(key);
		}
		saveUserRestrictionsLocked(userHandle);
		saveUserRestrictionsLocked(userId);
		}
		final int eventId = enabledFromThisOwner
		? DevicePolicyEnums.ADD_USER_RESTRICTION
		@@ -11965,7 +11966,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final int eventTag = enabledFromThisOwner
		? SecurityLog.TAG_USER_RESTRICTION_ADDED
		: SecurityLog.TAG_USER_RESTRICTION_REMOVED;
		SecurityLog.writeEvent(eventTag, who.getPackageName(), userHandle, key);
		SecurityLog.writeEvent(eventTag, who.getPackageName(), userId, key);
		}
		}

services/tests/servicestests/src/com/android/server/pm/UserRestrictionsUtilsTest.java

+13 −14

Original line number	Diff line number	Diff line
		@@ -20,7 +20,6 @@ import static com.android.server.devicepolicy.DpmTestUtils.assertRestrictions;
		import static com.android.server.devicepolicy.DpmTestUtils.newRestrictions;

		import android.os.Bundle;
		import android.os.UserHandle;
		import android.os.UserManager;
		import android.platform.test.annotations.Presubmit;
		import android.test.AndroidTestCase;
		@@ -77,30 +76,30 @@ public class UserRestrictionsUtilsTest extends AndroidTestCase {
		assertTrue(UserRestrictionsUtils.canDeviceOwnerChange(UserManager.DISALLOW_USER_SWITCH));
		}

		public void testCanProfileOwnerChange() {
		int user = UserHandle.USER_SYSTEM;
		public void testCanProfileOwnerChange_mainUser() {
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_RECORD_AUDIO, user));
		UserManager.DISALLOW_RECORD_AUDIO, true));
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_WALLPAPER, user));
		UserManager.DISALLOW_WALLPAPER, true));
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_USER_SWITCH, user));
		UserManager.DISALLOW_USER_SWITCH, true));
		assertTrue(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_ADD_USER, user));
		UserManager.DISALLOW_ADD_USER, true));
		assertTrue(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_ADJUST_VOLUME, user));
		UserManager.DISALLOW_ADJUST_VOLUME, true));
		}

		user = 10;
		public void testCanProfileOwnerChange_notMainUser() {
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_RECORD_AUDIO, user));
		UserManager.DISALLOW_RECORD_AUDIO, false));
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_WALLPAPER, user));
		UserManager.DISALLOW_WALLPAPER, false));
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_ADD_USER, user));
		UserManager.DISALLOW_ADD_USER, false));
		assertFalse(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_USER_SWITCH, user));
		UserManager.DISALLOW_USER_SWITCH, false));
		assertTrue(UserRestrictionsUtils.canProfileOwnerChange(
		UserManager.DISALLOW_ADJUST_VOLUME, user));
		UserManager.DISALLOW_ADJUST_VOLUME, false));
		}

		public void testMoveRestriction() {