Merge "Add a DISALLOW_ADD_PRIVATE_PROFILE user restriction" into main (328ffcac) · Commits · e / os / android_frameworks_base

core/java/android/os/UserManager.java

+19 −0

Original line number	Diff line number	Diff line
		@@ -1001,6 +1001,24 @@ public class UserManager {
		*/
		public static final String DISALLOW_ADD_CLONE_PROFILE = "no_add_clone_profile";

		/**
		* Specifies if a user is disallowed from creating a private profile.
		* <p>The default value for an unmanaged user is <code>false</code>.
		* For users with a device owner set, the default is <code>true</code>.
		*
		* <p>Holders of the permission
		* {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILES}
		* can set this restriction using the DevicePolicyManager APIs mentioned below.
		*
		* <p>Key for user restrictions.
		* <p>Type: Boolean
		* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
		* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
		* @see #getUserRestrictions()
		* @hide
		*/
		public static final String DISALLOW_ADD_PRIVATE_PROFILE = "no_add_private_profile";

		/**
		* Specifies if a user is disallowed from disabling application verification. The default
		* value is <code>false</code>.
		@@ -1895,6 +1913,7 @@ public class UserManager {
		DISALLOW_ADD_USER,
		DISALLOW_ADD_MANAGED_PROFILE,
		DISALLOW_ADD_CLONE_PROFILE,
		DISALLOW_ADD_PRIVATE_PROFILE,
		ENSURE_VERIFY_APPS,
		DISALLOW_CONFIG_CELL_BROADCASTS,
		DISALLOW_CONFIG_MOBILE_NETWORKS,

services/core/java/com/android/server/pm/UserManagerService.java

+3 −0

Original line number	Diff line number	Diff line
		@@ -4787,11 +4787,14 @@ public class UserManagerService extends IUserManager.Stub {
		// default check is for DISALLOW_ADD_USER
		// If new user is of type CLONE, check if creation of clone profile is allowed
		// If new user is of type MANAGED, check if creation of managed profile is allowed
		// If new user is of type PRIVATE, check if creation of private profile is allowed
		String restriction = UserManager.DISALLOW_ADD_USER;
		if (UserManager.isUserTypeCloneProfile(userType)) {
		restriction = UserManager.DISALLOW_ADD_CLONE_PROFILE;
		} else if (UserManager.isUserTypeManagedProfile(userType)) {
		restriction = UserManager.DISALLOW_ADD_MANAGED_PROFILE;
		} else if (UserManager.isUserTypePrivateProfile(userType)) {
		restriction = UserManager.DISALLOW_ADD_PRIVATE_PROFILE;
		}

		enforceUserRestriction(restriction, UserHandle.getCallingUserId(),

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+3 −1

Original line number	Diff line number	Diff line
		@@ -103,6 +103,7 @@ public class UserRestrictionsUtils {
		UserManager.DISALLOW_ADD_USER,
		UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		UserManager.DISALLOW_ADD_CLONE_PROFILE,
		UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		UserManager.ENSURE_VERIFY_APPS,
		UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
		UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
		@@ -212,7 +213,8 @@ public class UserRestrictionsUtils {
		private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet(
		UserManager.DISALLOW_RECORD_AUDIO,
		UserManager.DISALLOW_WALLPAPER,
		UserManager.DISALLOW_OEM_UNLOCK
		UserManager.DISALLOW_OEM_UNLOCK,
		UserManager.DISALLOW_ADD_PRIVATE_PROFILE
		);

		/**

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+34 −0

Original line number	Diff line number	Diff line
		@@ -2594,6 +2594,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, true,
		userHandle);
		}
		// Enforcing the restriction of private profile creation in case device owner is set.
		if (!mUserManager.hasUserRestriction(
		UserManager.DISALLOW_ADD_PRIVATE_PROFILE, userHandle)) {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, true,
		userHandle);
		}
		// Creation of managed profile is restricted in case device owner is set, enforcing this
		// restriction by setting user level restriction at time of device owner setup.
		if (!mUserManager.hasUserRestriction(
		@@ -4036,6 +4042,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE,
		false, user);
		}

		// When a device owner is set, the system automatically restricts adding a
		// private profile.
		// Remove this restriction when the device owner is cleared.
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		user)) {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		false, user);
		}
		}
		} else {
		// ManagedProvisioning/DPC sets DISALLOW_ADD_USER. Clear to recover to the original state
		@@ -4061,6 +4076,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		false,
		userHandle);
		}

		// When a device owner is set, the system automatically restricts adding a
		// private profile.
		// Remove this restriction when the device owner is cleared.
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		userHandle)) {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		false, userHandle);
		}
		}
		}

		@@ -9423,6 +9447,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE,
		true,
		UserHandle.of(u));

		// Restrict adding a private profile when a device owner is set.
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		true,
		UserHandle.of(u));
		}
		} else {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		@@ -9435,6 +9464,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE,
		true,
		UserHandle.of(userId));
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE,
		true,
		UserHandle.of(userId));
		}
		// TODO Send to system too?
		sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, userId);
		@@ -13199,6 +13231,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, new String[]{MANAGE_DEVICE_POLICY_PROFILES});
		USER_RESTRICTION_PERMISSIONS.put(
		UserManager.DISALLOW_ADD_CLONE_PROFILE, new String[]{MANAGE_DEVICE_POLICY_PROFILES});
		USER_RESTRICTION_PERMISSIONS.put(
		UserManager.DISALLOW_ADD_PRIVATE_PROFILE, new String[]{MANAGE_DEVICE_POLICY_PROFILES});
		USER_RESTRICTION_PERMISSIONS.put(
		UserManager.DISALLOW_ADD_USER, new String[]{MANAGE_DEVICE_POLICY_MODIFY_USERS});
		USER_RESTRICTION_PERMISSIONS.put(

services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java

+1 −0

Original line number	Diff line number	Diff line
		@@ -426,6 +426,7 @@ final class PolicyDefinition<V> {
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_USER, /* flags= */ 0);
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_MANAGED_PROFILE, /* flags= */ 0);
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_CLONE_PROFILE, /* flags= */ 0);
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, /* flags= */ 0);
		USER_RESTRICTION_FLAGS.put(UserManager.ENSURE_VERIFY_APPS, POLICY_FLAG_GLOBAL_ONLY_POLICY);
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, /* flags= */ 0);
		USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, /* flags= */ 0);