Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +18 −17 Original line number Original line Diff line number Diff line Loading @@ -13070,26 +13070,25 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final boolean addingProfileRestricted = mUserManager.hasUserRestriction( final boolean addingProfileRestricted = mUserManager.hasUserRestriction( UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle); UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle); UserInfo parentUser = mUserManager.getProfileParent(callingUserId); if (mUserManager.getUserInfo(callingUserId).isProfile()) { final boolean addingProfileRestrictedOnParent = (parentUser != null) Slog.i(LOG_TAG, && mUserManager.hasUserRestriction( String.format("Calling user %d is a profile, cannot add another.", UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserId)); UserHandle.of(parentUser.id)); // The check is called from inside a managed profile. A managed profile cannot // be provisioned from within another managed profile. Slog.i(LOG_TAG, String.format( return CODE_CANNOT_ADD_MANAGED_PROFILE; "When checking for managed profile provisioning: Has device owner? %b, adding" } + " profile restricted? %b, adding profile restricted on parent? %b", hasDeviceOwner, addingProfileRestricted, addingProfileRestrictedOnParent)); // If there's a device owner, the restriction on adding a managed profile must be set // If there's a device owner, the restriction on adding a managed profile must be set. // somewhere. if (hasDeviceOwner && !addingProfileRestricted) { if (hasDeviceOwner && !addingProfileRestricted && !addingProfileRestrictedOnParent) { Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile."); Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile."); } } // Do not allow adding a managed profile if there's a restriction, either on the current // Do not allow adding a managed profile if there's a restriction. // user or its parent user. if (addingProfileRestricted) { if (addingProfileRestricted || addingProfileRestrictedOnParent) { Slog.i(LOG_TAG, String.format( "Adding a profile is restricted: User %s Has device owner? %b", callingUserHandle, hasDeviceOwner)); return CODE_CANNOT_ADD_MANAGED_PROFILE; return CODE_CANNOT_ADD_MANAGED_PROFILE; } } // If there's a restriction on removing the managed profile then we have to take it // If there's a restriction on removing the managed profile then we have to take it Loading @@ -13098,6 +13097,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, callingUserHandle); callingUserHandle); if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) { if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) { Slog.i(LOG_TAG, String.format( "Cannot add more profiles: Can remove current? %b", canRemoveProfile)); return CODE_CANNOT_ADD_MANAGED_PROFILE; return CODE_CANNOT_ADD_MANAGED_PROFILE; } } } finally { } finally { services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +4 −2 Original line number Original line Diff line number Diff line Loading @@ -3205,6 +3205,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) .thenReturn(true); .thenReturn(true); setUserSetupCompleteForUser(false, UserHandle.USER_SYSTEM); setUserSetupCompleteForUser(false, UserHandle.USER_SYSTEM); when(getServices().userManager.getProfileParent(UserHandle.USER_SYSTEM)).thenReturn(null); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; } } Loading Loading @@ -3246,6 +3247,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) .thenReturn(true); .thenReturn(true); setUserSetupCompleteForUser(true, UserHandle.USER_SYSTEM); setUserSetupCompleteForUser(true, UserHandle.USER_SYSTEM); when(getServices().userManager.getProfileParent(UserHandle.USER_SYSTEM)).thenReturn(null); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; } } Loading Loading @@ -3617,14 +3619,14 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0)) when(getServices().ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0)) .thenReturn(true); .thenReturn(true); when(getServices().userManagerForMock.isSplitSystemUser()).thenReturn(true); when(getServices().userManagerForMock.isSplitSystemUser()).thenReturn(false); when(getServices().userManager.getProfileParent(DpmMockContext.CALLER_USER_HANDLE)) when(getServices().userManager.getProfileParent(DpmMockContext.CALLER_USER_HANDLE)) .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0)); .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0)); when(getServices().userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE, when(getServices().userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE, true)).thenReturn(true); true)).thenReturn(true); setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE); setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE); mContext.binder.callingUid = DpmMockContext.CALLER_UID; mContext.binder.callingUid = DpmMockContext.ANOTHER_UID; } } public void testIsProvisioningAllowed_provisionManagedProfileWithDeviceOwner_primaryUser() public void testIsProvisioningAllowed_provisionManagedProfileWithDeviceOwner_primaryUser() Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +18 −17 Original line number Original line Diff line number Diff line Loading @@ -13070,26 +13070,25 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final boolean addingProfileRestricted = mUserManager.hasUserRestriction( final boolean addingProfileRestricted = mUserManager.hasUserRestriction( UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle); UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle); UserInfo parentUser = mUserManager.getProfileParent(callingUserId); if (mUserManager.getUserInfo(callingUserId).isProfile()) { final boolean addingProfileRestrictedOnParent = (parentUser != null) Slog.i(LOG_TAG, && mUserManager.hasUserRestriction( String.format("Calling user %d is a profile, cannot add another.", UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserId)); UserHandle.of(parentUser.id)); // The check is called from inside a managed profile. A managed profile cannot // be provisioned from within another managed profile. Slog.i(LOG_TAG, String.format( return CODE_CANNOT_ADD_MANAGED_PROFILE; "When checking for managed profile provisioning: Has device owner? %b, adding" } + " profile restricted? %b, adding profile restricted on parent? %b", hasDeviceOwner, addingProfileRestricted, addingProfileRestrictedOnParent)); // If there's a device owner, the restriction on adding a managed profile must be set // If there's a device owner, the restriction on adding a managed profile must be set. // somewhere. if (hasDeviceOwner && !addingProfileRestricted) { if (hasDeviceOwner && !addingProfileRestricted && !addingProfileRestrictedOnParent) { Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile."); Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile."); } } // Do not allow adding a managed profile if there's a restriction, either on the current // Do not allow adding a managed profile if there's a restriction. // user or its parent user. if (addingProfileRestricted) { if (addingProfileRestricted || addingProfileRestrictedOnParent) { Slog.i(LOG_TAG, String.format( "Adding a profile is restricted: User %s Has device owner? %b", callingUserHandle, hasDeviceOwner)); return CODE_CANNOT_ADD_MANAGED_PROFILE; return CODE_CANNOT_ADD_MANAGED_PROFILE; } } // If there's a restriction on removing the managed profile then we have to take it // If there's a restriction on removing the managed profile then we have to take it Loading @@ -13098,6 +13097,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, callingUserHandle); callingUserHandle); if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) { if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) { Slog.i(LOG_TAG, String.format( "Cannot add more profiles: Can remove current? %b", canRemoveProfile)); return CODE_CANNOT_ADD_MANAGED_PROFILE; return CODE_CANNOT_ADD_MANAGED_PROFILE; } } } finally { } finally {
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +4 −2 Original line number Original line Diff line number Diff line Loading @@ -3205,6 +3205,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) .thenReturn(true); .thenReturn(true); setUserSetupCompleteForUser(false, UserHandle.USER_SYSTEM); setUserSetupCompleteForUser(false, UserHandle.USER_SYSTEM); when(getServices().userManager.getProfileParent(UserHandle.USER_SYSTEM)).thenReturn(null); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; } } Loading Loading @@ -3246,6 +3247,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, true)) .thenReturn(true); .thenReturn(true); setUserSetupCompleteForUser(true, UserHandle.USER_SYSTEM); setUserSetupCompleteForUser(true, UserHandle.USER_SYSTEM); when(getServices().userManager.getProfileParent(UserHandle.USER_SYSTEM)).thenReturn(null); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; } } Loading Loading @@ -3617,14 +3619,14 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0)) when(getServices().ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0)) .thenReturn(true); .thenReturn(true); when(getServices().userManagerForMock.isSplitSystemUser()).thenReturn(true); when(getServices().userManagerForMock.isSplitSystemUser()).thenReturn(false); when(getServices().userManager.getProfileParent(DpmMockContext.CALLER_USER_HANDLE)) when(getServices().userManager.getProfileParent(DpmMockContext.CALLER_USER_HANDLE)) .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0)); .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0)); when(getServices().userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE, when(getServices().userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE, true)).thenReturn(true); true)).thenReturn(true); setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE); setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE); mContext.binder.callingUid = DpmMockContext.CALLER_UID; mContext.binder.callingUid = DpmMockContext.ANOTHER_UID; } } public void testIsProvisioningAllowed_provisionManagedProfileWithDeviceOwner_primaryUser() public void testIsProvisioningAllowed_provisionManagedProfileWithDeviceOwner_primaryUser() Loading
