Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 46bedf31 authored by Eran Messeri's avatar Eran Messeri
Browse files

Restrict adding managed profile in DO devices 

On devices that have a Device Owner, or had a Device Owner and Profile
Owner and the managed profile was removed, apply the restriction
for adding a managed profile.

This would prevent such devices from getting into the DO+PO mode, which
is no longer supported in R.

Bug: 149006203
Test: Manual, set TestDPC as the Device Owner, upgrade it, observe TestDPC cannot create a managed profile.
Test: Manual, have a device with different DO and PO packages, remove PO, observe it cannot be re-added.
Change-Id: Iea48049a671071d2ad075b5e4c9ae3ce830975d3
parent d021b285

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+23 −0
Original line number Diff line number Diff line
@@ -2691,6 +2691,27 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { 
        }

    }













    /**













     * If the device is in Device Owner mode, apply the restriction on adding













     * a managed profile.













     */













    @GuardedBy("getLockObject()")













    void applyManagedProfileRestrictionIfDeviceOwnerLocked() {













        final int doUserId = mOwners.getDeviceOwnerUserId();













        if (doUserId == UserHandle.USER_NULL) {













            logIfVerbose("No DO found, skipping application of restriction.");













            return;













        }

























        final UserHandle doUserHandle = UserHandle.of(doUserId);













        // Set the restriction if not set.













        if (!mUserManager.hasUserRestriction(













                UserManager.DISALLOW_ADD_MANAGED_PROFILE, doUserHandle)) {













            mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, true,













                    doUserHandle);













        }













    }



























    /** Apply default restrictions that haven't been applied to profile owners yet. */















    private void maybeSetDefaultProfileOwnerUserRestrictions() {















        synchronized (getLockObject()) {










@@ -3899,6 +3920,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {













                maybeStartSecurityLogMonitorOnActivityManagerReady();















                synchronized (getLockObject()) {















                    migrateToProfileOnOrganizationOwnedDeviceIfCompLocked();













                    applyManagedProfileRestrictionIfDeviceOwnerLocked();















                }















                final int userId = getManagedUserId(UserHandle.USER_SYSTEM);















                if (userId >= 0) {










@@ -8762,6 +8784,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {













        mOwners.writeProfileOwner(userId);















        deleteTransferOwnershipBundleLocked(userId);















        toggleBackupServiceActive(userId, true);













        applyManagedProfileRestrictionIfDeviceOwnerLocked();















    }





























    @Override