
Commit 46b8ac9e authored by Yan Zhu's avatar Yan Zhu

New DevicePolicyManager operations with safety checker for device and package management

Bug: 175245108
Test: m update-api
Test: atest CtsDevicePolicyManagerTestCases:DeviceOwnerTest#testDevicePolicySafetyCheckerIntegration
Change-Id: I0de9f3237abc9ba21c4ff8eeaca4797a52088f15
parent 1d6e9e97
+12 −0
@@ -384,6 +384,18 @@ package android.app.admin {
    field public static final int OPERATION_LOGOUT_USER = 9; // 0x9
    field public static final int OPERATION_REBOOT = 7; // 0x7
    field public static final int OPERATION_REMOVE_USER = 6; // 0x6
    field public static final int OPERATION_SET_APPLICATION_HIDDEN = 15; // 0xf
    field public static final int OPERATION_SET_APPLICATION_RESTRICTIONS = 16; // 0x10
    field public static final int OPERATION_SET_KEEP_UNINSTALLED_PACKAGES = 17; // 0x11
    field public static final int OPERATION_SET_KEYGUARD_DISABLED = 12; // 0xc
    field public static final int OPERATION_SET_LOCK_TASK_FEATURES = 18; // 0x12
    field public static final int OPERATION_SET_LOCK_TASK_PACKAGES = 19; // 0x13
    field public static final int OPERATION_SET_PACKAGES_SUSPENDED = 20; // 0x14
    field public static final int OPERATION_SET_STATUS_BAR_DISABLED = 13; // 0xd
    field public static final int OPERATION_SET_SYSTEM_SETTING = 11; // 0xb
    field public static final int OPERATION_SET_SYSTEM_UPDATE_POLICY = 14; // 0xe
    field public static final int OPERATION_SET_TRUST_AGENT_CONFIGURATION = 21; // 0x15
    field public static final int OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES = 22; // 0x16
    field public static final int OPERATION_SET_USER_RESTRICTION = 10; // 0xa
    field public static final int OPERATION_START_USER_IN_BACKGROUND = 3; // 0x3
    field public static final int OPERATION_STOP_USER = 4; // 0x4
+49 −1
@@ -2624,6 +2624,42 @@ public class DevicePolicyManager {
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_USER_RESTRICTION = 10;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_SYSTEM_SETTING = 11;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_KEYGUARD_DISABLED = 12;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_STATUS_BAR_DISABLED = 13;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_SYSTEM_UPDATE_POLICY = 14;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_APPLICATION_HIDDEN = 15;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_APPLICATION_RESTRICTIONS = 16;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_KEEP_UNINSTALLED_PACKAGES = 17;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_LOCK_TASK_FEATURES = 18;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_LOCK_TASK_PACKAGES = 19;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_PACKAGES_SUSPENDED = 20;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_TRUST_AGENT_CONFIGURATION = 21;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES = 22;
    private static final String PREFIX_OPERATION = "OPERATION_";
@@ -2638,7 +2674,19 @@ public class DevicePolicyManager {
            OPERATION_REBOOT,
            OPERATION_WIPE_DATA,
            OPERATION_LOGOUT_USER,
            OPERATION_SET_USER_RESTRICTION
            OPERATION_SET_USER_RESTRICTION,
            OPERATION_SET_SYSTEM_SETTING,
            OPERATION_SET_KEYGUARD_DISABLED,
            OPERATION_SET_STATUS_BAR_DISABLED,
            OPERATION_SET_SYSTEM_UPDATE_POLICY,
            OPERATION_SET_APPLICATION_HIDDEN,
            OPERATION_SET_APPLICATION_RESTRICTIONS,
            OPERATION_SET_KEEP_UNINSTALLED_PACKAGES,
            OPERATION_SET_LOCK_TASK_FEATURES,
            OPERATION_SET_LOCK_TASK_PACKAGES,
            OPERATION_SET_PACKAGES_SUSPENDED,
            OPERATION_SET_TRUST_AGENT_CONFIGURATION,
            OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES
    })
    @Retention(RetentionPolicy.SOURCE)
    public static @interface DevicePolicyOperation {
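Review bot: The new `OPERATION_*` constants (values 11 through 22) carry only `/** @hide */`, so nothing in this file says which policy call each one gates. A one-line Javadoc per constant would help, for example `/** Operation checked before changing a system setting. @hide */` on `OPERATION_SET_SYSTEM_SETTING`; the mapping is inferred from the names and the service-side call sites, so confirm it per constant. Each value is also repeated in the annotation value list in the second hunk and in the API signature file, so a short comment above the first constant saying all three must be updated together would reduce the chance of a new operation being left out of the list. The class body starts and ends outside these hunks.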
+17 −0
@@ -7468,6 +7468,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent() &&  isDeviceOwner(caller))
                || (caller.hasPackage()
                && isCallerDelegate(caller, DELEGATION_KEEP_UNINSTALLED_PACKAGES)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_KEEP_UNINSTALLED_PACKAGES);
        synchronized (getLockObject()) {
            // Get the device owner
@@ -8937,6 +8938,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_APP_RESTRICTIONS)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_APPLICATION_RESTRICTIONS);
        mInjector.binderWithCleanCallingIdentity(() -> {
            mUserManager.setApplicationRestrictions(packageName, settings,
@@ -8962,6 +8964,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        synchronized (getLockObject()) {
            ActiveAdmin ap = getActiveAdminForCallerLocked(admin,
                    DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent);
            checkCanExecuteOrThrowUnsafe(
                    DevicePolicyManager.OPERATION_SET_TRUST_AGENT_CONFIGURATION);
            ap.trustAgentInfos.put(agent.flattenToString(), new TrustAgentInfo(args));
            saveSettingsLocked(userHandle);
        }
@@ -9901,6 +9906,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PACKAGE_ACCESS)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_PACKAGES_SUSPENDED);
        String[] result = null;
        synchronized (getLockObject()) {
@@ -10108,6 +10114,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                mInjector.binderWithCleanCallingIdentity(() ->
                        enforcePackageIsSystemPackage(packageName, userId));
            }
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_APPLICATION_HIDDEN);
            result = mInjector.binderWithCleanCallingIdentity(() -> mIPackageManager
                    .setApplicationHiddenSettingAsUser(packageName, hidden, userId));
        }
@@ -10706,6 +10714,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        synchronized (getLockObject()) {
            enforceCanCallLockTaskLocked(caller);
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_LOCK_TASK_PACKAGES);
            final int userHandle = caller.getUserId();
            setLockTaskPackagesLocked(userHandle, new ArrayList<>(Arrays.asList(packages)));
        }
@@ -10758,6 +10767,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final int userHandle = caller.getUserId();
        synchronized (getLockObject()) {
            enforceCanCallLockTaskLocked(caller);
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_LOCK_TASK_FEATURES);
            setLockTaskFeaturesLocked(userHandle, flags);
        }
    }
@@ -10886,6 +10896,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkStringNotEmpty(setting, "String setting is null or empty");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_SETTING);
        synchronized (getLockObject()) {
            if (!SYSTEM_SETTINGS_ALLOWLIST.contains(setting)) {
@@ -11187,6 +11198,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        if (isManagedProfile(userId)) {
            throw new SecurityException("Managed profile cannot disable keyguard");
        }
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_KEYGUARD_DISABLED);
        long ident = mInjector.binderClearCallingIdentity();
        try {
@@ -11226,6 +11238,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            if (isManagedProfile(userId)) {
                throw new SecurityException("Managed profile cannot disable status bar");
            }
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_STATUS_BAR_DISABLED);
            DevicePolicyData policy = getUserData(userId);
            if (policy.mStatusBarDisabled != disabled) {
                boolean isLockTaskMode = false;
@@ -11893,6 +11907,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        synchronized (getLockObject()) {
            Preconditions.checkCallAuthorization(isProfileOwnerOfOrganizationOwnedDevice(caller)
                    || isDeviceOwner(caller));
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_UPDATE_POLICY);
            if (policy == null) {
                mOwners.clearSystemUpdatePolicy();
@@ -15039,6 +15054,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkNotNull(packages, "packages is null");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(
                DevicePolicyManager.OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES);
        synchronized (getLockObject()) {
            setUserControlDisabledPackagesLocked(caller.getUserId(), packages);
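Review bot: The added `checkCanExecuteOrThrowUnsafe(...)` calls are placed inconsistently relative to `getLockObject()`. Some run before the `synchronized` block (`OPERATION_SET_KEEP_UNINSTALLED_PACKAGES`, `OPERATION_SET_PACKAGES_SUSPENDED`, `OPERATION_SET_SYSTEM_SETTING`, `OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES`), while others run with the lock held (`OPERATION_SET_TRUST_AGENT_CONFIGURATION`, `OPERATION_SET_LOCK_TASK_PACKAGES`, `OPERATION_SET_LOCK_TASK_FEATURES`, `OPERATION_SET_SYSTEM_UPDATE_POLICY`). The helper's body is not visible here; if it calls into an externally supplied safety checker, the in-lock sites run that code under the service lock, so confirm this is intended. In every hunk the safety check follows the caller authorization check, which looks deliberate, since an unauthorized caller then gets the authorization failure rather than a result that depends on the device's safety state. A comment at the helper or at one call site, such as `// Keep after the caller authorization check; do not reorder.`, would protect that ordering. In the `OPERATION_SET_SYSTEM_SETTING` hunk the check also precedes the `SYSTEM_SETTINGS_ALLOWLIST` test, so a disallowed setting can report the unsafe state before the allowlist rejection; the enclosing methods start and end outside these hunks.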