Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 43c3ed12 authored by Adam Bookatz's avatar Adam Bookatz
Browse files

Guests can config wifi, but not shared wifi 

With the new usage of "shared wifi" vs. "private wifi", we wish to allow
Guests to use the latter but not the former. So we update their
restrictions accordingly, both for new and pre-existing guests.

Moreover, since the headless system user will now also make use of the
shared vs. private distinction, we make system user restrictions
customizable via the standard mechanism. That is, we deprecate
config_defaultFirstUserRestrictions (which now, for convenience,
continues to exist but only as an overwritable default), and instead
rely on config_user_types.xml (as we do for all other user types).

Moves the instantiation of LocalService to be earlier otherwise we can
call it before it has been initialized, crashing the system. This was
already possible before, but probably didn't come up in practice.

Test: manual
Flag: android.multiuser.user_restriction_config_wifi_shared_private
Bug: 390240471
Bug: 428282717
Change-Id: I1a6f4f4a16fe062c0659d9b2ed326d7b2f72eaa0
parent 48aa12b0

core/res/res/values/config.xml

+2 −1
Original line number Diff line number Diff line
@@ -4790,7 +4790,8 @@ 
    <string name="config_defaultDndDeniedPackages" translatable="false"></string>



    <!-- User restrictions set on the SYSTEM user when it is first created.

         Note: Also update appropriate overlay files. -->

         @deprecated Set the System's default-restrictions in config_user_types.xml, which

         overwrites this value anyway, instead.  -->

    <string-array translatable="false" name="config_defaultFirstUserRestrictions">

    </string-array>

core/res/res/xml/config_user_types.xml

+0 −2
Original line number Diff line number Diff line
@@ -33,8 +33,6 @@ same in both cases. 
Currently, only profiles (not full or system users) can be freely customized/defined.

Full users (i.e. non-system, non-profile) users cannot be defined, and the only property of them

that can be customized are the default-restrictions.

System users cannot be customized here; their default-restrictions must be set using

com.android.internal.R.array.config_defaultFirstUserRestrictions.



The following example modifies two AOSP user types (the FULL user android.os.usertype.full.SECONDARY

and the PROFILE user android.os.usertype.profile.MANAGED) and creates a new PROFILE user type

services/core/java/com/android/server/pm/UserManagerService.java

+45 −22
Original line number Diff line number Diff line
@@ -594,7 +594,7 @@ public class UserManagerService extends IUserManager.Stub { 


    private IAppOpsService mAppOpsService;



    private final LocalService mLocalService;

    private final LocalService mLocalService = new LocalService();



    @GuardedBy("mUserRestrictionsListeners")

    private final ArrayList<UserRestrictionsListener> mUserRestrictionsListeners =
@@ -1133,7 +1133,6 @@ public class UserManagerService extends IUserManager.Stub { 
            sInstance = this;

        }

        mSystemPackageInstaller = new UserSystemPackageInstaller(this, mUserTypes);

        mLocalService = new LocalService();

        LocalServices.addService(UserManagerInternal.class, mLocalService);

        mLockPatternUtils = new LockPatternUtils(mContext);

        mUserStates.put(UserHandle.USER_SYSTEM, UserState.STATE_BOOTING);
@@ -5094,6 +5093,7 @@ public class UserManagerService extends IUserManager.Stub { 
                }

            }

            // DISALLOW_CONFIG_WIFI was made a default guest restriction some time during version 6.

            // This will later be removed (replaced) after version 11.

            final List<UserInfo> guestUsers = getGuestUsers();

            for (int i = 0; i < guestUsers.size(); i++) {

                final UserInfo guestUser = guestUsers.get(i);
@@ -5218,6 +5218,41 @@ public class UserManagerService extends IUserManager.Stub { 
        // if (userVersion < 12) {

        Slog.i(LOG_TAG, "Forcing an upgrade due to flagged changes");

        final boolean forceWrite = true; // treat as an upgrade no matter what to handle flagging

        if (android.multiuser.Flags.userRestrictionConfigWifiSharedPrivate()) {

            // DISALLOW_CONFIG_WIFI_SHARED replaced DISALLOW_CONFIG_WIFI as the guest restriction.

            if (mGuestRestrictions.getBoolean(UserManager.DISALLOW_CONFIG_WIFI) &&

                    !mGuestRestrictions.getBoolean(UserManager.DISALLOW_CONFIG_WIFI_SHARED)) {

                mGuestRestrictions.remove(UserManager.DISALLOW_CONFIG_WIFI);

                mGuestRestrictions.putBoolean(UserManager.DISALLOW_CONFIG_WIFI_SHARED, true);

            }

            final List<UserInfo> guestUsers = getGuestUsers();

            for (int i = 0; i < guestUsers.size(); i++) {

                final UserInfo guest = guestUsers.get(i);

                if (guest != null

                        && hasUserRestriction(UserManager.DISALLOW_CONFIG_WIFI, guest.id)

                        && !hasUserRestriction(UserManager.DISALLOW_CONFIG_WIFI_SHARED, guest.id)) {

                    setUserRestriction(UserManager.DISALLOW_CONFIG_WIFI, false, guest.id);

                    setUserRestriction(UserManager.DISALLOW_CONFIG_WIFI_SHARED, true, guest.id);

                }

            }

        } else {

            // Flag turned off. Undo Wifi restriction change.

            if (!mGuestRestrictions.getBoolean(UserManager.DISALLOW_CONFIG_WIFI) &&

                    mGuestRestrictions.getBoolean(UserManager.DISALLOW_CONFIG_WIFI_SHARED)) {

                mGuestRestrictions.putBoolean(UserManager.DISALLOW_CONFIG_WIFI, true);

                mGuestRestrictions.remove(UserManager.DISALLOW_CONFIG_WIFI_SHARED);

            }

            final List<UserInfo> guestUsers = getGuestUsers();

            for (int i = 0; i < guestUsers.size(); i++) {

                final UserInfo guest = guestUsers.get(i);

                if (guest != null

                        && !hasUserRestriction(UserManager.DISALLOW_CONFIG_WIFI, guest.id)

                        && hasUserRestriction(UserManager.DISALLOW_CONFIG_WIFI_SHARED, guest.id)) {

                    setUserRestriction(UserManager.DISALLOW_CONFIG_WIFI, true, guest.id);

                    setUserRestriction(UserManager.DISALLOW_CONFIG_WIFI_SHARED, false, guest.id);

                }

            }

        }

        if (android.multiuser.Flags.hsuNotAdmin()) {

            // The HSU should never have been an Admin.

            synchronized (mUsersLock) {
@@ -5392,37 +5427,25 @@ public class UserManagerService extends IUserManager.Stub { 
    @GuardedBy({"mPackagesLock"})

    private void fallbackToSingleUserLP() {

        // Create the system user

        final String systemUserType = isDefaultHeadlessSystemUserMode()

        final String sysUserTypeString = isDefaultHeadlessSystemUserMode()

                ? UserManager.USER_TYPE_SYSTEM_HEADLESS

                : UserManager.USER_TYPE_FULL_SYSTEM;

        final int flags = mUserTypes.get(systemUserType).getDefaultUserInfoFlags()

                | UserInfo.FLAG_INITIALIZED;

        final UserTypeDetails sysUserTypeDetails = mUserTypes.get(sysUserTypeString);

        final int flags = sysUserTypeDetails.getDefaultUserInfoFlags() | UserInfo.FLAG_INITIALIZED;

        final UserInfo system = new UserInfo(UserHandle.USER_SYSTEM,

                /* name= */ null, /* iconPath= */ null, flags, systemUserType);

                /* name= */ null, /* iconPath= */ null, flags, sysUserTypeString);

        final UserData userData = putUserInfo(system);

        userData.userProperties = new UserProperties(

                mUserTypes.get(userData.info.userType).getDefaultUserPropertiesReference());

                sysUserTypeDetails.getDefaultUserPropertiesReference());

        mNextSerialNumber = MIN_USER_ID;

        mUserVersion = USER_VERSION;

        mUserTypeVersion = UserTypeFactory.getUserTypeVersion();



        final Bundle restrictions = new Bundle();

        try {

            final String[] defaultFirstUserRestrictions = getContextResources().getStringArray(

                    com.android.internal.R.array.config_defaultFirstUserRestrictions);

            for (String userRestriction : defaultFirstUserRestrictions) {

                if (UserRestrictionsUtils.isValidRestriction(userRestriction)) {

                    restrictions.putBoolean(userRestriction, true);

                }

            }

        } catch (Resources.NotFoundException e) {

            Slog.e(LOG_TAG, "Couldn't find resource: config_defaultFirstUserRestrictions", e);

        }



        Bundle restrictions = new Bundle();

        sysUserTypeDetails.addDefaultRestrictionsTo(restrictions);

        if (!restrictions.isEmpty()) {

            synchronized (mRestrictionsLock) {

                mBaseUserRestrictions.updateRestrictions(UserHandle.USER_SYSTEM,

                        restrictions);

                mBaseUserRestrictions.updateRestrictions(UserHandle.USER_SYSTEM, restrictions);

            }

        }

services/core/java/com/android/server/pm/UserTypeDetails.java

+2 −21
Original line number Diff line number Diff line
@@ -90,8 +90,6 @@ public final class UserTypeDetails { 


    /**

     * List of User Restrictions to apply by default to newly created users of this type.

     * <p>Does not apply to SYSTEM users (since they are not formally created); for them use

     * {@link com.android.internal.R.array#config_defaultFirstUserRestrictions} instead.

     * The Bundle is of the form used by {@link UserRestrictionsUtils}.

     */

    private final @Nullable Bundle mDefaultRestrictions;
@@ -402,25 +400,8 @@ public final class UserTypeDetails { 
        mDefaultUserProperties.println(pw, prefix);



        final String restrictionsPrefix = prefix + "    ";

        if (isSystem()) {

            pw.print(prefix); pw.println("config_defaultFirstUserRestrictions: ");

            try {

                final Bundle restrictions = new Bundle();

                final String[] defaultFirstUserRestrictions = Resources.getSystem().getStringArray(

                        com.android.internal.R.array.config_defaultFirstUserRestrictions);

                for (String userRestriction : defaultFirstUserRestrictions) {

                    if (UserRestrictionsUtils.isValidRestriction(userRestriction)) {

                        restrictions.putBoolean(userRestriction, true);

                    }

                }

                UserRestrictionsUtils.dumpRestrictions(pw, restrictionsPrefix, restrictions);

            } catch (Resources.NotFoundException e) {

                pw.print(restrictionsPrefix); pw.println("none - resource not found");

            }

        } else {

        pw.print(prefix); pw.println("mDefaultRestrictions: ");

        UserRestrictionsUtils.dumpRestrictions(pw, restrictionsPrefix, mDefaultRestrictions);

        }



        pw.print(prefix); pw.print("mProfileParentRequired: "); pw.println(mProfileParentRequired);

        pw.print(prefix); pw.print("mIconBadge: "); pw.println(mIconBadge);

services/core/java/com/android/server/pm/UserTypeFactory.java

+34 −3
Original line number Diff line number Diff line
@@ -66,6 +66,7 @@ import java.util.function.Consumer; 
 *

 * This class is responsible both for defining the AOSP use types, as well as reading in customized

 * user types from {@link com.android.internal.R.xml#config_user_types}.

 * Recall that config_user_types values, if defined, will overwrite the AOSP defaults set here.

 *

 * Tests are located in {@link UserManagerServiceUserTypeTest}.

 * @hide
@@ -439,7 +440,8 @@ public final class UserTypeFactory { 
                .setName(USER_TYPE_FULL_SYSTEM)

                .setBaseType(FLAG_SYSTEM | FLAG_FULL)

                .setDefaultUserInfoPropertyFlags(FLAG_PRIMARY | FLAG_ADMIN | FLAG_MAIN)

                .setMaxAllowed(1);

                .setMaxAllowed(1)

                .setDefaultRestrictions(getDefaultSystemUserRestrictions());

    }



    /**
@@ -452,7 +454,32 @@ public final class UserTypeFactory { 
                .setBaseType(FLAG_SYSTEM)

                .setDefaultUserInfoPropertyFlags(FLAG_PRIMARY

                        | (android.multiuser.Flags.hsuNotAdmin() ? 0 : FLAG_ADMIN))

                .setMaxAllowed(1);

                .setMaxAllowed(1)

                .setDefaultRestrictions(getDefaultHeadlessSystemUserRestrictions());

    }



    /** Gets the deprecated config_defaultFirstUserRestrictions as system default restrictions. */

    private static Bundle getDefaultSystemUserRestrictions() {

        // For historical reasons, we will default to config_defaultFirstUserRestrictions. But

        // really that config is deprecated; OEMs should just use config_user_types instead.

        final Bundle restrictions = new Bundle();

        try {

            final String[] defaultFirstUserRestrictions = Resources.getSystem().getStringArray(

                    com.android.internal.R.array.config_defaultFirstUserRestrictions);

            for (String userRestriction : defaultFirstUserRestrictions) {

                if (UserRestrictionsUtils.isValidRestriction(userRestriction)) {

                    restrictions.putBoolean(userRestriction, true);

                }

            }

        } catch (Resources.NotFoundException e) {

            Slog.e(LOG_TAG, "Couldn't find resource: config_defaultFirstUserRestrictions", e);

        }

        return restrictions;

    }



    private static Bundle getDefaultHeadlessSystemUserRestrictions() {

        final Bundle restrictions = getDefaultSystemUserRestrictions();

        return restrictions;

    }



    private static Bundle getDefaultSecondaryUserRestrictions() {
@@ -465,7 +492,11 @@ public final class UserTypeFactory { 
    private static Bundle getDefaultGuestUserRestrictions() {

        // Guest inherits the secondary user's restrictions, plus has some extra ones.

        final Bundle restrictions = getDefaultSecondaryUserRestrictions();

        if (android.multiuser.Flags.userRestrictionConfigWifiSharedPrivate()) {

            restrictions.putBoolean(UserManager.DISALLOW_CONFIG_WIFI_SHARED, true);

        } else {

            restrictions.putBoolean(UserManager.DISALLOW_CONFIG_WIFI, true);

        }

        restrictions.putBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, true);

        restrictions.putBoolean(UserManager.DISALLOW_CONFIG_CREDENTIALS, true);

        return restrictions;