
Commit 578254e8 authored by Kholoud Mohamed's avatar Kholoud Mohamed Committed by Automerger Merge Worker

Merge "migrate keyguard disabled features" into udc-dev am: e4b09c22 am: 2dc45e47

parents 2d394660 2dc45e47
+79 −24
@@ -9193,20 +9193,38 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            Objects.requireNonNull(who, "ComponentName is null");
        }
        final int userHandle = caller.getUserId();
        int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
        synchronized (getLockObject()) {
            ActiveAdmin ap;
            if (isPermissionCheckFlagEnabled()) {
            if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
                // SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES
                ap = enforcePermissionAndGetEnforcingAdmin(
                EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
                        who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(),
                        affectedUserId).getActiveAdmin();
                        affectedUserId);
                if (which == 0) {
                    mDevicePolicyEngine.removeLocalPolicy(
                            PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, affectedUserId);
                } else {
                ap = getActiveAdminForCallerLocked(
                        who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent);
                    // TODO(b/273723433): revisit silent masking of features
                    if (isManagedProfile(userHandle)) {
                        if (parent) {
                            if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
                                which = which & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER;
                            } else {
                                which = which
                                        & NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER;
                            }
                        } else {
                            which = which & PROFILE_KEYGUARD_FEATURES;
                        }
                    }
                    mDevicePolicyEngine.setLocalPolicy(PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
                            admin, new IntegerPolicyValue(which), affectedUserId);
                }
                invalidateBinderCaches();
            } else {
                ActiveAdmin ap = getActiveAdminForCallerLocked(
                        who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent);
                if (isManagedProfile(userHandle)) {
                    if (parent) {
                        if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
@@ -9223,6 +9241,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    saveSettingsLocked(userHandle);
                }
            }
        }
        if (SecurityLog.isLoggingEnabled()) {
            SecurityLog.writeEvent(SecurityLog.TAG_KEYGUARD_DISABLED_FEATURES_SET,
                    caller.getPackageName(), userHandle, affectedUserId, which);
@@ -9252,15 +9271,51 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Preconditions.checkCallAuthorization(
                who == null || isCallingFromPackage(who.getPackageName(), caller.getUid())
                        || isSystemUid(caller));
        int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
        final long ident = mInjector.binderClearCallingIdentity();
        try {
        synchronized (getLockObject()) {
            if (who != null) {
                if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
                    EnforcingAdmin admin = getEnforcingAdminForCaller(
                            who, who.getPackageName());
                    Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin(
                            PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
                            admin,
                            affectedUserId);
                    return features == null ? 0 : features;
                } else {
                    ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle, parent);
                    return (admin != null) ? admin.disabledKeyguardFeatures : 0;
                }
            }
            if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) {
                Integer features = mDevicePolicyEngine.getResolvedPolicy(
                        PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
                        affectedUserId);
                return Binder.withCleanCallingIdentity(() -> {
                    int combinedFeatures = features == null ? 0 : features;
                    List<UserInfo> profiles = mUserManager.getProfiles(affectedUserId);
                    for (UserInfo profile : profiles) {
                        int profileId = profile.id;
                        if (profileId == affectedUserId) {
                            continue;
                        }
                        Integer profileFeatures = mDevicePolicyEngine.getResolvedPolicy(
                                PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
                                profileId);
                        if (profileFeatures != null) {
                            combinedFeatures |= (profileFeatures
                                    & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER);
                        }
                    }
                    return combinedFeatures;
                });
            }
            final long ident = mInjector.binderClearCallingIdentity();
            try {
                final List<ActiveAdmin> admins;
                if (!parent && isManagedProfile(userHandle)) {
                    // If we are being asked about a managed profile, just return keyguard features
@@ -9290,11 +9345,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    }
                }
                return which;
            }
            } finally {
                mInjector.binderRestoreCallingIdentity(ident);
            }
        }
    }
    @Override
    public void setKeepUninstalledPackages(ComponentName who, String callerPackage,
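Review bot: In the getter hunk (`@@ -9252,15 +9271,51 @@`), the `who == null` policy-engine branch ORs in every other profile's resolved value, masked with `PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER`, even when the query is for a managed profile itself. The legacy path directly below special-cases `!parent && isManagedProfile(userHandle)` with "just return keyguard features". If `mUserManager.getProfiles(affectedUserId)` returns the whole profile group for a profile id, the profile's answer would now include bits set on the parent user and sibling profiles, so the two paths can disagree about which lock-screen features are disabled. Consider an early return at the top of the lambda, `if (!parent && isManagedProfile(userHandle)) { return features == null ? 0 : features; }`, or a comment stating that the wider aggregation is intended. The branch also calls `Binder.withCleanCallingIdentity` directly while the rest of the method goes through `mInjector.binderClearCallingIdentity()`, and the method body starts and continues outside the visible hunks.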
+8 −0
@@ -246,6 +246,14 @@ final class PolicyDefinition<V> {
            (Long value, Context context, Integer userId, PolicyKey policyKey) -> true,
            new LongPolicySerializer());

    static PolicyDefinition<Integer> KEYGUARD_DISABLED_FEATURES = new PolicyDefinition<>(
            new NoArgsPolicyKey(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY),
            new FlagUnion(),
            POLICY_FLAG_LOCAL_ONLY_POLICY,
            // Nothing is enforced for keyguard features, we just need to store it
            (Integer value, Context context, Integer userId, PolicyKey policyKey) -> true,
            new IntegerPolicySerializer());

    private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>();
    private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>();