Loading core/java/android/app/admin/DevicePolicyIdentifiers.java +23 −0 Original line number Diff line number Diff line Loading @@ -203,6 +203,29 @@ public final class DevicePolicyIdentifiers { @FlaggedApi(android.app.admin.flags.Flags.FLAG_SET_MTE_POLICY_COEXISTENCE) public static final String MEMORY_TAGGING_POLICY = "memoryTagging"; /** * String identifier for {@link DevicePolicyManager#setManagedProfileContactsAccessPolicy}. * * @hide */ public static final String MANAGED_PROFILE_CONTACTS_ACCESS_POLICY = "managedProfileContactsAccess"; /** * String identifier for {@link DevicePolicyManager#setManagedProfileCallerIdAccessPolicy}. * * @hide */ public static final String MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY = "managedProfileCallerIdAccess"; /** * String identifier for {@link DevicePolicyManager#setMaximumTimeToLock}. * @hide */ public static final String MAX_TIME_TO_LOCK_POLICY = "maxTimeToLock"; /** * @hide */ Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +59 −2 Original line number Diff line number Diff line Loading @@ -337,6 +337,7 @@ import android.app.admin.DeviceAdminReceiver; import android.app.admin.DevicePolicyCache; import android.app.admin.DevicePolicyDrawableResource; import android.app.admin.DevicePolicyEventLogger; import android.app.admin.DevicePolicyIdentifiers; import android.app.admin.DevicePolicyManager; import android.app.admin.DevicePolicyManager.AppFunctionsPolicy; import android.app.admin.DevicePolicyManager.DeviceOwnerType; Loading Loading @@ -16846,8 +16847,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization(canQueryAdminPolicy(getCallerIdentity())); return Binder.withCleanCallingIdentity(() -> { // TODO(b/414733570): Handle legacy policies that are not stored in DPE first. if (PolicyDefinition.LEGACY_POLICIES.contains(policyIdentifier)) { android.app.admin.EnforcingAdmin legacyAdmin = getEnforcingAdminForLegacyPolicies(policyIdentifier, userId); if (legacyAdmin == null) { return Collections.emptyList(); } return Collections.singletonList(legacyAdmin); } PolicyDefinition<?> policyDefinition = PolicyDefinition.getPolicyDefinitionForIdentifier(policyIdentifier); Loading Loading @@ -16883,6 +16890,56 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { }); } /** * Checks for legacy policies that are stored in {@link ActiveAdmin} and returns the enforcing * admin encapsulated in {@link android.app.admin.EnforcingAdmin}. * If the policy is not enforced, returns {@code null}. */ @Nullable private android.app.admin.EnforcingAdmin getEnforcingAdminForLegacyPolicies(String identifier, int userId) { ActiveAdmin admin = null; switch (identifier) { case DevicePolicyIdentifiers.MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY: if (getCrossProfileCallerIdDisabledForUser(userId)) { synchronized (getLockObject()) { // If the policy is set, only PO can set it. admin = getProfileOwnerAdminLocked(userId); } } break; case DevicePolicyIdentifiers.MANAGED_PROFILE_CONTACTS_ACCESS_POLICY: if (getCrossProfileContactsSearchDisabledForUser(userId)) { synchronized (getLockObject()) { // If the policy is set, only PO can set it. admin = getProfileOwnerAdminLocked(userId); } } break; case DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY: // Return the strictest policy across all participating admins. final List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userId); long time = Long.MAX_VALUE; for (final ActiveAdmin activeAdmin : admins) { if (activeAdmin.maximumTimeToUnlock > 0 && activeAdmin.maximumTimeToUnlock < time) { time = activeAdmin.maximumTimeToUnlock; admin = activeAdmin; } } break; default: throw new IllegalArgumentException( "Legacy policy " + identifier + " is not handled."); } if (admin != null) { return EnforcingAdmin.createEnterpriseEnforcingAdmin(admin.info.getComponent(), admin.getUserHandle().getIdentifier()).getParcelableAdmin(); } return null; } private boolean isUserRestrictionPolicyEnforcedBySystem( PolicyDefinition<?> policyDefinition, int userId) { // User restriction can be enforced by the system aside from admins, until they're services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java +14 −0 Original line number Diff line number Diff line Loading @@ -378,6 +378,12 @@ final class PolicyDefinition<V> { PolicyEnforcerCallbacks::setAutoTimePolicy, new IntegerPolicySerializer()); // The policies that are not yet supported by DevicePolicyEngine, thus don't have definition. static final Set<String> LEGACY_POLICIES = Set.of( DevicePolicyIdentifiers.MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY, DevicePolicyIdentifiers.MANAGED_PROFILE_CONTACTS_ACCESS_POLICY, DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY); private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); Loading Loading @@ -552,6 +558,14 @@ final class PolicyDefinition<V> { GENERIC_POLICY_DEFINITIONS.add(GENERIC_APPLICATION_RESTRICTIONS); GENERIC_POLICY_DEFINITIONS.add(GENERIC_APPLICATION_HIDDEN); GENERIC_POLICY_DEFINITIONS.add(GENERIC_ACCOUNT_MANAGEMENT_DISABLED); for (String legacyPolicy: LEGACY_POLICIES) { if (POLICY_DEFINITIONS.containsKey(legacyPolicy)) { throw new IllegalStateException("Policy with identifier (" + legacyPolicy + ") is already defined as legacy policy. Remove it from LEGACY_POLICIES " + "before adding a definition."); } } } private final PolicyKey mPolicyKey; Loading services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +21 −0 Original line number Diff line number Diff line Loading @@ -8934,6 +8934,27 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertThat(enforcingAdmins.getFirst().getPackageName()).isEqualTo(admin2.getPackageName()); } @Test public void getEnforcingAdminsForPolicy_legacyPolicy() throws Exception { // Configure the admin and set the policy. final int userId = 80; final int dpcAdminAppId = 20320; final int dpcAdminUid = UserHandle.getUid(userId, dpcAdminAppId); setUpProfileOwnerAdmin(admin1, dpcAdminUid); reset(getServices().powerManagerInternal); reset(getServices().settings); dpm.setMaximumTimeToLock(admin1, 10); // Give necessary permission. mContext.callerPermissions.add(permission.QUERY_ADMIN_POLICY); List<EnforcingAdmin> enforcingAdmins = dpm.getEnforcingAdminsForPolicy( DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY, userId).getAllAdmins(); assertThat(enforcingAdmins.size()).isEqualTo(1); assertThat(enforcingAdmins.getFirst().getPackageName()).isEqualTo(admin1.getPackageName()); } private void setupVpnAuthorization(String userVpnPackage, int userVpnUid) { final AppOpsManager.PackageOps vpnOp = new AppOpsManager.PackageOps(userVpnPackage, userVpnUid, List.of(new AppOpsManager.OpEntry( Loading Loading
core/java/android/app/admin/DevicePolicyIdentifiers.java +23 −0 Original line number Diff line number Diff line Loading @@ -203,6 +203,29 @@ public final class DevicePolicyIdentifiers { @FlaggedApi(android.app.admin.flags.Flags.FLAG_SET_MTE_POLICY_COEXISTENCE) public static final String MEMORY_TAGGING_POLICY = "memoryTagging"; /** * String identifier for {@link DevicePolicyManager#setManagedProfileContactsAccessPolicy}. * * @hide */ public static final String MANAGED_PROFILE_CONTACTS_ACCESS_POLICY = "managedProfileContactsAccess"; /** * String identifier for {@link DevicePolicyManager#setManagedProfileCallerIdAccessPolicy}. * * @hide */ public static final String MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY = "managedProfileCallerIdAccess"; /** * String identifier for {@link DevicePolicyManager#setMaximumTimeToLock}. * @hide */ public static final String MAX_TIME_TO_LOCK_POLICY = "maxTimeToLock"; /** * @hide */ Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +59 −2 Original line number Diff line number Diff line Loading @@ -337,6 +337,7 @@ import android.app.admin.DeviceAdminReceiver; import android.app.admin.DevicePolicyCache; import android.app.admin.DevicePolicyDrawableResource; import android.app.admin.DevicePolicyEventLogger; import android.app.admin.DevicePolicyIdentifiers; import android.app.admin.DevicePolicyManager; import android.app.admin.DevicePolicyManager.AppFunctionsPolicy; import android.app.admin.DevicePolicyManager.DeviceOwnerType; Loading Loading @@ -16846,8 +16847,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization(canQueryAdminPolicy(getCallerIdentity())); return Binder.withCleanCallingIdentity(() -> { // TODO(b/414733570): Handle legacy policies that are not stored in DPE first. if (PolicyDefinition.LEGACY_POLICIES.contains(policyIdentifier)) { android.app.admin.EnforcingAdmin legacyAdmin = getEnforcingAdminForLegacyPolicies(policyIdentifier, userId); if (legacyAdmin == null) { return Collections.emptyList(); } return Collections.singletonList(legacyAdmin); } PolicyDefinition<?> policyDefinition = PolicyDefinition.getPolicyDefinitionForIdentifier(policyIdentifier); Loading Loading @@ -16883,6 +16890,56 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { }); } /** * Checks for legacy policies that are stored in {@link ActiveAdmin} and returns the enforcing * admin encapsulated in {@link android.app.admin.EnforcingAdmin}. * If the policy is not enforced, returns {@code null}. */ @Nullable private android.app.admin.EnforcingAdmin getEnforcingAdminForLegacyPolicies(String identifier, int userId) { ActiveAdmin admin = null; switch (identifier) { case DevicePolicyIdentifiers.MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY: if (getCrossProfileCallerIdDisabledForUser(userId)) { synchronized (getLockObject()) { // If the policy is set, only PO can set it. admin = getProfileOwnerAdminLocked(userId); } } break; case DevicePolicyIdentifiers.MANAGED_PROFILE_CONTACTS_ACCESS_POLICY: if (getCrossProfileContactsSearchDisabledForUser(userId)) { synchronized (getLockObject()) { // If the policy is set, only PO can set it. admin = getProfileOwnerAdminLocked(userId); } } break; case DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY: // Return the strictest policy across all participating admins. final List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userId); long time = Long.MAX_VALUE; for (final ActiveAdmin activeAdmin : admins) { if (activeAdmin.maximumTimeToUnlock > 0 && activeAdmin.maximumTimeToUnlock < time) { time = activeAdmin.maximumTimeToUnlock; admin = activeAdmin; } } break; default: throw new IllegalArgumentException( "Legacy policy " + identifier + " is not handled."); } if (admin != null) { return EnforcingAdmin.createEnterpriseEnforcingAdmin(admin.info.getComponent(), admin.getUserHandle().getIdentifier()).getParcelableAdmin(); } return null; } private boolean isUserRestrictionPolicyEnforcedBySystem( PolicyDefinition<?> policyDefinition, int userId) { // User restriction can be enforced by the system aside from admins, until they're
services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java +14 −0 Original line number Diff line number Diff line Loading @@ -378,6 +378,12 @@ final class PolicyDefinition<V> { PolicyEnforcerCallbacks::setAutoTimePolicy, new IntegerPolicySerializer()); // The policies that are not yet supported by DevicePolicyEngine, thus don't have definition. static final Set<String> LEGACY_POLICIES = Set.of( DevicePolicyIdentifiers.MANAGED_PROFILE_CALLER_ID_ACCESS_POLICY, DevicePolicyIdentifiers.MANAGED_PROFILE_CONTACTS_ACCESS_POLICY, DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY); private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); Loading Loading @@ -552,6 +558,14 @@ final class PolicyDefinition<V> { GENERIC_POLICY_DEFINITIONS.add(GENERIC_APPLICATION_RESTRICTIONS); GENERIC_POLICY_DEFINITIONS.add(GENERIC_APPLICATION_HIDDEN); GENERIC_POLICY_DEFINITIONS.add(GENERIC_ACCOUNT_MANAGEMENT_DISABLED); for (String legacyPolicy: LEGACY_POLICIES) { if (POLICY_DEFINITIONS.containsKey(legacyPolicy)) { throw new IllegalStateException("Policy with identifier (" + legacyPolicy + ") is already defined as legacy policy. Remove it from LEGACY_POLICIES " + "before adding a definition."); } } } private final PolicyKey mPolicyKey; Loading
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +21 −0 Original line number Diff line number Diff line Loading @@ -8934,6 +8934,27 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertThat(enforcingAdmins.getFirst().getPackageName()).isEqualTo(admin2.getPackageName()); } @Test public void getEnforcingAdminsForPolicy_legacyPolicy() throws Exception { // Configure the admin and set the policy. final int userId = 80; final int dpcAdminAppId = 20320; final int dpcAdminUid = UserHandle.getUid(userId, dpcAdminAppId); setUpProfileOwnerAdmin(admin1, dpcAdminUid); reset(getServices().powerManagerInternal); reset(getServices().settings); dpm.setMaximumTimeToLock(admin1, 10); // Give necessary permission. mContext.callerPermissions.add(permission.QUERY_ADMIN_POLICY); List<EnforcingAdmin> enforcingAdmins = dpm.getEnforcingAdminsForPolicy( DevicePolicyIdentifiers.MAX_TIME_TO_LOCK_POLICY, userId).getAllAdmins(); assertThat(enforcingAdmins.size()).isEqualTo(1); assertThat(enforcingAdmins.getFirst().getPackageName()).isEqualTo(admin1.getPackageName()); } private void setupVpnAuthorization(String userVpnPackage, int userVpnUid) { final AppOpsManager.PackageOps vpnOp = new AppOpsManager.PackageOps(userVpnPackage, userVpnUid, List.of(new AppOpsManager.OpEntry( Loading
