Loading core/java/android/content/pm/PackageManager.java +18 −0 Original line number Diff line number Diff line Loading @@ -665,6 +665,15 @@ public abstract class PackageManager { */ public static final int INSTALL_FAILED_INTERNAL_ERROR = -110; /** * Installation failed return code: this is passed to the {@link IPackageInstallObserver} by * {@link #installPackage(android.net.Uri, IPackageInstallObserver, int)} * if the system failed to install the package because the user is restricted from installing * apps. * @hide */ public static final int INSTALL_FAILED_USER_RESTRICTED = -111; /** * Flag parameter for {@link #deletePackage} to indicate that you don't want to delete the * package's data directory. Loading Loading @@ -709,6 +718,15 @@ public abstract class PackageManager { */ public static final int DELETE_FAILED_DEVICE_POLICY_MANAGER = -2; /** * Deletion failed return code: this is passed to the * {@link IPackageDeleteObserver} by {@link #deletePackage()} if the system * failed to delete the package since the user is restricted. * * @hide */ public static final int DELETE_FAILED_USER_RESTRICTED = -3; /** * Return code that is passed to the {@link IPackageMoveObserver} by * {@link #movePackage(android.net.Uri, IPackageMoveObserver)} when the Loading core/java/android/os/IUserManager.aidl +3 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package android.os; import android.os.Bundle; import android.os.ParcelFileDescriptor; import android.content.pm.UserInfo; import android.graphics.Bitmap; Loading @@ -37,4 +38,6 @@ interface IUserManager { void wipeUser(int userHandle); int getUserSerialNumber(int userHandle); int getUserHandle(int userSerialNumber); Bundle getUserRestrictions(int userHandle); void setUserRestrictions(in Bundle restrictions, int userHandle); } core/java/android/os/UserManager.java +65 −0 Original line number Diff line number Diff line Loading 
@@ -35,6 +35,42 @@ public class UserManager { private final IUserManager mService; private final Context mContext; /** * @hide * Key for user restrictions. Specifies if a user is allowed to add or remove accounts. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_MODIFY_ACCOUNTS = "modify_accounts"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to change Wi-Fi access points. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_CONFIG_WIFI = "config_wifi"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to install applications. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_INSTALL_APPS = "install_apps"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to uninstall applications. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_UNINSTALL_APPS = "uninstall_apps"; /** @hide */ public UserManager(Context context, IUserManager service) { mService = service; Loading Loading 
@@ -132,6 +168,35 @@ public class UserManager { } } /** @hide */ public Bundle getUserRestrictions() { return getUserRestrictions(Process.myUserHandle()); } /** @hide */ public Bundle getUserRestrictions(UserHandle userHandle) { try { return mService.getUserRestrictions(userHandle.getIdentifier()); } catch (RemoteException re) { Log.w(TAG, "Could not get user restrictions", re); return Bundle.EMPTY; } } /** @hide */ public void setUserRestrictions(Bundle restrictions) { setUserRestrictions(restrictions, Process.myUserHandle()); } /** @hide */ public void setUserRestrictions(Bundle restrictions, UserHandle userHandle) { try { mService.setUserRestrictions(restrictions, userHandle.getIdentifier()); } catch (RemoteException re) { Log.w(TAG, "Could not set user restrictions", re); } } /** * Return the serial number for a user. This is a device-unique * number assigned to that user; if the user is deleted and then a new Loading services/java/com/android/server/DevicePolicyManagerService.java +1 −1 Original line number Diff line number Diff line Loading @@ -1889,7 +1889,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { mHandler.post(new Runnable() { public void run() { try { ActivityManagerNative.getDefault().switchUser(0); ActivityManagerNative.getDefault().switchUser(UserHandle.USER_OWNER); ((UserManager) mContext.getSystemService(Context.USER_SERVICE)) .removeUser(userHandle); } catch (RemoteException re) { Loading services/java/com/android/server/accounts/AccountManagerService.java +23 −0 Original line number Diff line number Diff line Loading 
@@ -21,6 +21,7 @@ import android.accounts.Account; import android.accounts.AccountAndUser; import android.accounts.AccountAuthenticatorResponse; import android.accounts.AccountManager; import android.accounts.AccountManagerResponse; import android.accounts.AuthenticatorDescription; import android.accounts.GrantCredentialsPermissionActivity; import android.accounts.IAccountAuthenticator; Loading Loading @@ -526,6 +527,9 @@ public class AccountManagerService } if (account == null) throw new IllegalArgumentException("account is null"); checkAuthenticateAccountsPermission(account); if (!canUserModifyAccounts(Binder.getCallingUid())) { return false; } UserAccounts accounts = getUserAccountsForCaller(); // fails if the account already exists Loading Loading @@ -679,6 +683,14 @@ public class AccountManagerService checkManageAccountsPermission(); UserHandle user = Binder.getCallingUserHandle(); UserAccounts accounts = getUserAccountsForCaller(); if (!canUserModifyAccounts(Binder.getCallingUid())) { try { response.onError(AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION, "User cannot modify accounts"); } catch (RemoteException re) { } } long identityToken = clearCallingIdentity(); cancelNotification(getSigninRequiredNotificationId(accounts, account), user); Loading Loading @@ -2312,6 +2324,17 @@ public class AccountManagerService Manifest.permission.USE_CREDENTIALS); } private boolean canUserModifyAccounts(int callingUid) { if (callingUid != android.os.Process.myUid()) { Bundle restrictions = getUserManager().getUserRestrictions( new UserHandle(UserHandle.getUserId(callingUid))); if (!restrictions.getBoolean(UserManager.ALLOW_MODIFY_ACCOUNTS)) { return false; } } return true; } public void updateAppPermission(Account account, String authTokenType, int uid, boolean value) throws RemoteException { final int callingUid = getCallingUid(); Loading Loading
core/java/android/content/pm/PackageManager.java +18 −0 Original line number Diff line number Diff line Loading @@ -665,6 +665,15 @@ public abstract class PackageManager { */ public static final int INSTALL_FAILED_INTERNAL_ERROR = -110; /** * Installation failed return code: this is passed to the {@link IPackageInstallObserver} by * {@link #installPackage(android.net.Uri, IPackageInstallObserver, int)} * if the system failed to install the package because the user is restricted from installing * apps. * @hide */ public static final int INSTALL_FAILED_USER_RESTRICTED = -111; /** * Flag parameter for {@link #deletePackage} to indicate that you don't want to delete the * package's data directory. Loading Loading @@ -709,6 +718,15 @@ public abstract class PackageManager { */ public static final int DELETE_FAILED_DEVICE_POLICY_MANAGER = -2; /** * Deletion failed return code: this is passed to the * {@link IPackageDeleteObserver} by {@link #deletePackage()} if the system * failed to delete the package since the user is restricted. * * @hide */ public static final int DELETE_FAILED_USER_RESTRICTED = -3; /** * Return code that is passed to the {@link IPackageMoveObserver} by * {@link #movePackage(android.net.Uri, IPackageMoveObserver)} when the Loading
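Review bot: The javadoc for `DELETE_FAILED_USER_RESTRICTED` links `{@link #deletePackage()}`, and with empty parentheses that targets a zero-argument overload, whereas the flag doc directly above uses the bare `{@link #deletePackage}` form and `INSTALL_FAILED_USER_RESTRICTED` spells out the full signature; pick one of those two forms so the link resolves. Both constants are declared here but no hunk in this commit returns them from the install or delete paths, so if the enforcement in PackageManagerService lands separately the docs should say what drives them, e.g. `Returned when the calling user's {@code UserManager.ALLOW_INSTALL_APPS} restriction is not set.` (hedged, since the consumer is not visible in this change). The class continues outside both hunks.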
core/java/android/os/IUserManager.aidl +3 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package android.os; import android.os.Bundle; import android.os.ParcelFileDescriptor; import android.content.pm.UserInfo; import android.graphics.Bitmap; Loading @@ -37,4 +38,6 @@ interface IUserManager { void wipeUser(int userHandle); int getUserSerialNumber(int userHandle); int getUserHandle(int userSerialNumber); Bundle getUserRestrictions(int userHandle); void setUserRestrictions(in Bundle restrictions, int userHandle); }
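Review bot: `setUserRestrictions(in Bundle restrictions, int userHandle)` is a new Binder entry point that lets the caller rewrite the restriction set of an arbitrary user, and the service-side implementation is not part of this commit, so the permission check that makes the restrictions meaningful (presumably MANAGE_USERS, as for the neighbouring user-management calls) cannot be verified here. Without it any app could clear its own `ALLOW_*` flags and neutralise the AccountManagerService checks added in this same change. A comment on the interface would pin the requirement for the implementer: `// Caller must hold MANAGE_USERS; these restrictions are consulted by system services for enforcement.` Consider also whether `getUserRestrictions` for a user other than the caller's should be gated, since it exposes policy state across users.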
core/java/android/os/UserManager.java +65 −0 Original line number Diff line number Diff line Loading @@ -35,6 +35,42 @@ public class UserManager { private final IUserManager mService; private final Context mContext; /** * @hide * Key for user restrictions. Specifies if a user is allowed to add or remove accounts. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_MODIFY_ACCOUNTS = "modify_accounts"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to change Wi-Fi access points. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_CONFIG_WIFI = "config_wifi"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to install applications. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_INSTALL_APPS = "install_apps"; /** * @hide * Key for user restrictions. Specifies if a user is allowed to uninstall applications. * Type: Boolean * @see #setUserRestrictions(Bundle) * @see #getUserRestrictions() */ public static final String ALLOW_UNINSTALL_APPS = "uninstall_apps"; /** @hide */ public UserManager(Context context, IUserManager service) { mService = service; Loading Loading 
@@ -132,6 +168,35 @@ public class UserManager { } } /** @hide */ public Bundle getUserRestrictions() { return getUserRestrictions(Process.myUserHandle()); } /** @hide */ public Bundle getUserRestrictions(UserHandle userHandle) { try { return mService.getUserRestrictions(userHandle.getIdentifier()); } catch (RemoteException re) { Log.w(TAG, "Could not get user restrictions", re); return Bundle.EMPTY; } } /** @hide */ public void setUserRestrictions(Bundle restrictions) { setUserRestrictions(restrictions, Process.myUserHandle()); } /** @hide */ public void setUserRestrictions(Bundle restrictions, UserHandle userHandle) { try { mService.setUserRestrictions(restrictions, userHandle.getIdentifier()); } catch (RemoteException re) { Log.w(TAG, "Could not set user restrictions", re); } } /** * Return the serial number for a user. This is a device-unique * number assigned to that user; if the user is deleted and then a new Loading
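Review bot: `getUserRestrictions(UserHandle)` returns `Bundle.EMPTY` when the service call fails, and because the keys are positive `ALLOW_*` booleans read with `Bundle.getBoolean` (false when absent), a transient RemoteException becomes indistinguishable from "everything restricted"; that is fail-closed, which is the right default for a policy lookup, but callers should be told — add to its javadoc `Returns {@link Bundle#EMPTY} if the service cannot be reached; consumers of ALLOW_* keys will treat that as fully restricted.` The key constants in the first hunk should likewise state the default when a key is absent, e.g. `If the key is not present the action is treated as not allowed.`, since enforcement elsewhere in this change relies on exactly that. `setUserRestrictions` only logs on RemoteException, so a caller applying policy cannot tell it was not applied; returning a boolean or rethrowing as an unchecked exception would avoid silently dropping a restriction. Both methods are @hide client wrappers with no checks of their own, so the access control must live in the service, which is not in this diff.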
services/java/com/android/server/DevicePolicyManagerService.java +1 −1 Original line number Diff line number Diff line Loading @@ -1889,7 +1889,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { mHandler.post(new Runnable() { public void run() { try { ActivityManagerNative.getDefault().switchUser(0); ActivityManagerNative.getDefault().switchUser(UserHandle.USER_OWNER); ((UserManager) mContext.getSystemService(Context.USER_SERVICE)) .removeUser(userHandle); } catch (RemoteException re) { Loading
services/java/com/android/server/accounts/AccountManagerService.java +23 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ import android.accounts.Account; import android.accounts.AccountAndUser; import android.accounts.AccountAuthenticatorResponse; import android.accounts.AccountManager; import android.accounts.AccountManagerResponse; import android.accounts.AuthenticatorDescription; import android.accounts.GrantCredentialsPermissionActivity; import android.accounts.IAccountAuthenticator; Loading Loading @@ -526,6 +527,9 @@ public class AccountManagerService } if (account == null) throw new IllegalArgumentException("account is null"); checkAuthenticateAccountsPermission(account); if (!canUserModifyAccounts(Binder.getCallingUid())) { return false; } UserAccounts accounts = getUserAccountsForCaller(); // fails if the account already exists Loading Loading @@ -679,6 +683,14 @@ public class AccountManagerService checkManageAccountsPermission(); UserHandle user = Binder.getCallingUserHandle(); UserAccounts accounts = getUserAccountsForCaller(); if (!canUserModifyAccounts(Binder.getCallingUid())) { try { response.onError(AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION, "User cannot modify accounts"); } catch (RemoteException re) { } } long identityToken = clearCallingIdentity(); cancelNotification(getSigninRequiredNotificationId(accounts, account), user); Loading Loading @@ -2312,6 +2324,17 @@ public class AccountManagerService Manifest.permission.USE_CREDENTIALS); } private boolean canUserModifyAccounts(int callingUid) { if (callingUid != android.os.Process.myUid()) { Bundle restrictions = getUserManager().getUserRestrictions( new UserHandle(UserHandle.getUserId(callingUid))); if (!restrictions.getBoolean(UserManager.ALLOW_MODIFY_ACCOUNTS)) { return false; } } return true; } public void updateAppPermission(Account account, String authTokenType, int uid, boolean value) throws RemoteException { final int callingUid = getCallingUid(); Loading
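Review bot: In the removeAccount hunk the restriction is reported but not enforced: after `response.onError(AccountManager.ERROR_CODE_UNSUPPORTED_OPERATION, "User cannot modify accounts")` there is no `return;`, so control falls through to `clearCallingIdentity()` and the removal proceeds exactly as if the user were unrestricted. Add `return;` immediately after the `catch (RemoteException re) { }` block so the error reply is the only outcome, matching the `return false;` used in the addAccount hunk. Note also that `canUserModifyAccounts` runs under the caller's Binder identity (it precedes `clearCallingIdentity()`); if UserManagerService gates `getUserRestrictions` by permission — its implementation is not in this commit — unprivileged callers would get a SecurityException instead of a clean denial, so the lookup may need to run with the identity cleared. The enclosing methods begin outside the hunks shown.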