Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 56400a44 authored by Nicolas Prevot's avatar Nicolas Prevot
Browse files

Check user restriction DISALLOW_REMOVE_USER in isProvisioningAllowed. 

If DISALLOW_REMOVE_USER is set and there is already a managed profile:
isProvisioningAllowed() should return false

BUG:32629873
Test: adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest -w
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I093bed0a4a54f83decf11716ebfd50dd4f17c089
parent 2cf7c483

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+3 −1
Original line number Diff line number Diff line
@@ -8686,9 +8686,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
                // Managed user cannot have a managed profile.

                return false;

            }

            boolean canRemoveProfile

                    = !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_USER);

            final long ident = mInjector.binderClearCallingIdentity();

            try {

                if (!mUserManager.canAddMoreManagedProfiles(callingUserId, true)) {

                if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) {

                    return false;

                }

            } finally {

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+20 −0
Original line number Diff line number Diff line
@@ -2178,6 +2178,26 @@ public class DevicePolicyManagerTest extends DpmTestBase { 
        assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true);

    }



    public void testIsProvisioningAllowed_provisionManagedProfileCantRemoveUser_primaryUser()

            throws Exception {

        setDeviceOwner();



        when(mContext.ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0))

                .thenReturn(true);

        when(mContext.userManagerForMock.isSplitSystemUser()).thenReturn(true);

        when(mContext.userManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_USER))

                .thenReturn(true);

        when(mContext.userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE,

                false /* we can't remove a managed profile*/)).thenReturn(false);

        when(mContext.userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE,

                true)).thenReturn(true);

        setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE);



        mContext.binder.callingUid = DpmMockContext.CALLER_UID;



        assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false);

    }



    public void testForceUpdateUserSetupComplete_permission() {

        // GIVEN the permission MANAGE_PROFILE_AND_DEVICE_OWNERS is not granted

        try {