
Commit 3461e849 authored by Sinduran Sivarajan's avatar Sinduran Sivarajan

Disable "Developer options" by default for managed profiles.

Bug: 382064697
Test: go/work-profile-creation-developer-access
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73b54cdf4b70831c4f952d7556274609cb46214e)
Merged-In: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
parent 49e51b4d
+2 −1
@@ -282,7 +282,8 @@ public class UserRestrictionsUtils {
     * in settings. So it is handled separately.
     */
    private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(
            UserManager.DISALLOW_BLUETOOTH_SHARING
            UserManager.DISALLOW_BLUETOOTH_SHARING,
            UserManager.DISALLOW_DEBUGGING_FEATURES
    );

    /**
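Review bot: The Javadoc above `DEFAULT_ENABLED_FOR_MANAGED_PROFILES` (it begins outside this hunk) does not say why `UserManager.DISALLOW_DEBUGGING_FEATURES` is now a default, nor that the same commit adds an exception to it. I would add a sentence such as `DISALLOW_DEBUGGING_FEATURES keeps "Developer options" off in a new managed profile; it is cleared again when the profile owner is set over adb.` so that a reader of this set does not assume the restriction is unconditional.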
+30 −21
@@ -2663,13 +2663,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
     * Apply default restrictions that haven't been applied to a given admin yet.
     */
    private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) {
        Set<String> defaultRestrictions =
                UserRestrictionsUtils.getDefaultEnabledForManagedProfiles();
        if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) {
        final Set<String> restrictionsToSet =
            new ArraySet<>(UserRestrictionsUtils.getDefaultEnabledForManagedProfiles());
        restrictionsToSet.removeAll(admin.defaultEnabledRestrictionsAlreadySet);
        if (restrictionsToSet.isEmpty()) {
            return; // The same set of default restrictions has been already applied.
        }
        if (isPolicyEngineForFinanceFlagEnabled()) {
            for (String restriction : defaultRestrictions) {
            for (String restriction : restrictionsToSet) {
                mDevicePolicyEngine.setLocalPolicy(
                        PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction),
                        EnforcingAdmin.createEnterpriseEnforcingAdmin(
@@ -2678,9 +2679,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        new BooleanPolicyValue(true),
                        userId);
            }
            admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions);
            admin.defaultEnabledRestrictionsAlreadySet.addAll(restrictionsToSet);
            Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " +
                    defaultRestrictions);
                    restrictionsToSet);
            return;
        }
@@ -2688,14 +2689,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        if (VERBOSE_LOG) {
            Slogf.d(LOG_TAG, "Default enabled restrictions: "
                    + defaultRestrictions
                    + restrictionsToSet
                    + ". Restrictions already enabled: "
                    + admin.defaultEnabledRestrictionsAlreadySet);
        }
        final Set<String> restrictionsToSet = new ArraySet<>(defaultRestrictions);
        restrictionsToSet.removeAll(admin.defaultEnabledRestrictionsAlreadySet);
        if (!restrictionsToSet.isEmpty()) {
        for (final String restriction : restrictionsToSet) {
            admin.ensureUserRestrictions().putBoolean(restriction, true);
        }
@@ -2703,7 +2700,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " + restrictionsToSet);
        saveUserRestrictionsLocked(userId);
    }
    }
    private void setDeviceOwnershipSystemPropertyLocked() {
        final boolean deviceProvisioned =
@@ -10192,7 +10188,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                return false;
            }
            if (isAdb(caller)) {
            boolean isAdb = isAdb(caller);
            if (isAdb) {
                // Log profile owner provisioning was started using adb.
                MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER);
                DevicePolicyEventLogger
@@ -10214,7 +10211,19 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    maybeSetDefaultRestrictionsForAdminLocked(userHandle, admin);
                    ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin,
                            true /* newOwner */);
                    if (isAdb) {
                        // DISALLOW_DEBUGGING_FEATURES is being added to newly-created
                        // work profile by default due to b/382064697 . This would have
                        //  impacted certain CTS test flows when they interact with the
                        // work profile via ADB (for example installing an app into the
                        // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to
                        // reduce the potential impact.
                        setLocalUserRestrictionInternal(
                            EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle),
                            UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle);
                    }
                }
                sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED,
                        userHandle);
            });
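Review bot: The `if (isAdb)` branch added after `maybeSetDefaultRestrictionsForAdminLocked(userHandle, admin)` clears `DISALLOW_DEBUGGING_FEATURES` for every profile owner set over adb, not only for CTS runs as its comment suggests, and it does so without a log line. By then the helper has recorded the restriction in `admin.defaultEnabledRestrictionsAlreadySet`, so later calls will presumably not re-apply it, and such a profile keeps debugging features available until an admin sets the restriction explicitly. I would say that in the comment and make the exemption auditable, e.g. `Slogf.i(LOG_TAG, "Cleared DISALLOW_DEBUGGING_FEATURES for adb-provisioned profile owner, user " + userHandle);` after the `setLocalUserRestrictionInternal` call. The enclosing method starts and ends outside the hunk, so whether `isAdb(caller)` is limited to shell or root callers cannot be confirmed from here.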