Loading core/java/android/app/admin/DevicePolicyManager.java +9 −9 Original line number Diff line number Diff line Loading @@ -5718,8 +5718,8 @@ public class DevicePolicyManager { * System apps can always bypass VPN. * <p> Note that the system doesn't update the allowlist when packages are installed or * uninstalled, the admin app must call this method to keep the list up to date. * <p> When {@code lockdownEnabled} is false {@code lockdownWhitelist} is ignored . When * {@code lockdownEnabled} is {@code true} and {@code lockdownWhitelist} is {@code null} or * <p> When {@code lockdownEnabled} is false {@code lockdownAllowlist} is ignored . When * {@code lockdownEnabled} is {@code true} and {@code lockdownAllowlist} is {@code null} or * empty, only system apps can bypass VPN. * <p> Setting always-on VPN package to {@code null} or using * {@link #setAlwaysOnVpnPackage(ComponentName, String, boolean)} clears lockdown allowlist. Loading 
@@ -5728,24 +5728,24 @@ public class DevicePolicyManager { * to remove an existing always-on VPN configuration * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or * {@code false} otherwise. This has no effect when clearing. * @param lockdownWhitelist Packages that will be able to access the network directly when VPN * @param lockdownAllowlist Packages that will be able to access the network directly when VPN * is in lockdown mode but not connected. Has no effect when clearing. * @throws SecurityException if {@code admin} is not a device or a profile * owner. * @throws NameNotFoundException if {@code vpnPackage} or one of * {@code lockdownWhitelist} is not installed. * {@code lockdownAllowlist} is not installed. * @throws UnsupportedOperationException if {@code vpnPackage} exists but does * not support being set as always-on, or if always-on VPN is not * available. */ public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage, boolean lockdownEnabled, @Nullable Set<String> lockdownWhitelist) boolean lockdownEnabled, @Nullable Set<String> lockdownAllowlist) throws NameNotFoundException { throwIfParentInstance("setAlwaysOnVpnPackage"); if (mService != null) { try { mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, lockdownWhitelist == null ? null : new ArrayList<>(lockdownWhitelist)); lockdownAllowlist == null ? null : new ArrayList<>(lockdownAllowlist)); } catch (ServiceSpecificException e) { switch (e.errorCode) { case ERROR_VPN_PACKAGE_NOT_FOUND: Loading Loading 
@@ -5820,9 +5820,9 @@ public class DevicePolicyManager { throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist"); if (mService != null) { try { final List<String> whitelist = mService.getAlwaysOnVpnLockdownWhitelist(admin); return whitelist == null ? null : new HashSet<>(whitelist); final List<String> allowlist = mService.getAlwaysOnVpnLockdownAllowlist(admin); return allowlist == null ? null : new HashSet<>(allowlist); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading core/java/android/app/admin/FreezePeriod.java +10 −10 Original line number Diff line number Diff line Loading @@ -39,8 +39,8 @@ import java.util.List; public class FreezePeriod { private static final String TAG = "FreezePeriod"; private static final int DUMMY_YEAR = 2001; static final int DAYS_IN_YEAR = 365; // 365 since DUMMY_YEAR is not a leap year private static final int SENTINEL_YEAR = 2001; static final int DAYS_IN_YEAR = 365; // 365 since SENTINEL_YEAR is not a leap year private final MonthDay mStart; private final MonthDay mEnd; Loading @@ -60,9 +60,9 @@ public class FreezePeriod { */ public FreezePeriod(MonthDay start, MonthDay end) { mStart = start; mStartDay = mStart.atYear(DUMMY_YEAR).getDayOfYear(); mStartDay = mStart.atYear(SENTINEL_YEAR).getDayOfYear(); mEnd = end; mEndDay = mEnd.atYear(DUMMY_YEAR).getDayOfYear(); mEndDay = mEnd.atYear(SENTINEL_YEAR).getDayOfYear(); } /** Loading Loading @@ -166,9 +166,9 @@ public class FreezePeriod { endYearAdjustment = 1; } } final LocalDate startDate = LocalDate.ofYearDay(DUMMY_YEAR, mStartDay).withYear( final LocalDate startDate = LocalDate.ofYearDay(SENTINEL_YEAR, mStartDay).withYear( now.getYear() + startYearAdjustment); final LocalDate endDate = LocalDate.ofYearDay(DUMMY_YEAR, mEndDay).withYear( final LocalDate endDate = LocalDate.ofYearDay(SENTINEL_YEAR, mEndDay).withYear( now.getYear() + endYearAdjustment); return new Pair<>(startDate, endDate); } Loading 
@@ -176,13 +176,13 @@ public class FreezePeriod { @Override public String toString() { DateTimeFormatter formatter = DateTimeFormatter.ofPattern("MMM dd"); return LocalDate.ofYearDay(DUMMY_YEAR, mStartDay).format(formatter) + " - " + LocalDate.ofYearDay(DUMMY_YEAR, mEndDay).format(formatter); return LocalDate.ofYearDay(SENTINEL_YEAR, mStartDay).format(formatter) + " - " + LocalDate.ofYearDay(SENTINEL_YEAR, mEndDay).format(formatter); } /** @hide */ private static MonthDay dayOfYearToMonthDay(int dayOfYear) { LocalDate date = LocalDate.ofYearDay(DUMMY_YEAR, dayOfYear); LocalDate date = LocalDate.ofYearDay(SENTINEL_YEAR, dayOfYear); return MonthDay.of(date.getMonth(), date.getDayOfMonth()); } Loading @@ -191,7 +191,7 @@ public class FreezePeriod { * @hide */ private static int dayOfYearDisregardLeapYear(LocalDate date) { return date.withYear(DUMMY_YEAR).getDayOfYear(); return date.withYear(SENTINEL_YEAR).getDayOfYear(); } /** Loading core/java/android/app/admin/IDevicePolicyManager.aidl +2 −2 Original line number Diff line number Diff line Loading 
@@ -197,12 +197,12 @@ interface IDevicePolicyManager { void setCertInstallerPackage(in ComponentName who, String installerPackage); String getCertInstallerPackage(in ComponentName who); boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownWhitelist); boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownAllowlist); String getAlwaysOnVpnPackage(in ComponentName who); String getAlwaysOnVpnPackageForUser(int userHandle); boolean isAlwaysOnVpnLockdownEnabled(in ComponentName who); boolean isAlwaysOnVpnLockdownEnabledForUser(int userHandle); List<String> getAlwaysOnVpnLockdownWhitelist(in ComponentName who); List<String> getAlwaysOnVpnLockdownAllowlist(in ComponentName who); void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity); void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName); Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +49 −49 Original line number Diff line number Diff line Loading 
@@ -480,38 +480,38 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { private static final int STATUS_BAR_DISABLE2_MASK = StatusBarManager.DISABLE2_QUICK_SETTINGS; private static final Set<String> SECURE_SETTINGS_WHITELIST; private static final Set<String> SECURE_SETTINGS_DEVICEOWNER_WHITELIST; private static final Set<String> GLOBAL_SETTINGS_WHITELIST; private static final Set<String> SECURE_SETTINGS_ALLOWLIST; private static final Set<String> SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST; private static final Set<String> GLOBAL_SETTINGS_ALLOWLIST; private static final Set<String> GLOBAL_SETTINGS_DEPRECATED; private static final Set<String> SYSTEM_SETTINGS_WHITELIST; private static final Set<String> SYSTEM_SETTINGS_ALLOWLIST; private static final Set<Integer> DA_DISALLOWED_POLICIES; // A collection of user restrictions that are deprecated and should simply be ignored. private static final Set<String> DEPRECATED_USER_RESTRICTIONS; private static final String AB_DEVICE_KEY = "ro.build.ab_update"; static { SECURE_SETTINGS_WHITELIST = new ArraySet<>(); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.DEFAULT_INPUT_METHOD); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.SKIP_FIRST_USE_HINTS); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.INSTALL_NON_MARKET_APPS); SECURE_SETTINGS_DEVICEOWNER_WHITELIST = new ArraySet<>(); SECURE_SETTINGS_DEVICEOWNER_WHITELIST.addAll(SECURE_SETTINGS_WHITELIST); SECURE_SETTINGS_DEVICEOWNER_WHITELIST.add(Settings.Secure.LOCATION_MODE); GLOBAL_SETTINGS_WHITELIST = new ArraySet<>(); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.ADB_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.ADB_WIFI_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.AUTO_TIME); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.AUTO_TIME_ZONE); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.DATA_ROAMING); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.USB_MASS_STORAGE_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.WIFI_SLEEP_POLICY); 
GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.STAY_ON_WHILE_PLUGGED_IN); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.PRIVATE_DNS_MODE); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.PRIVATE_DNS_SPECIFIER); SECURE_SETTINGS_ALLOWLIST = new ArraySet<>(); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.DEFAULT_INPUT_METHOD); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.SKIP_FIRST_USE_HINTS); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.INSTALL_NON_MARKET_APPS); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST = new ArraySet<>(); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.addAll(SECURE_SETTINGS_ALLOWLIST); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.add(Settings.Secure.LOCATION_MODE); GLOBAL_SETTINGS_ALLOWLIST = new ArraySet<>(); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.ADB_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.ADB_WIFI_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.AUTO_TIME); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.AUTO_TIME_ZONE); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.DATA_ROAMING); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.USB_MASS_STORAGE_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.WIFI_SLEEP_POLICY); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.STAY_ON_WHILE_PLUGGED_IN); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.PRIVATE_DNS_MODE); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.PRIVATE_DNS_SPECIFIER); GLOBAL_SETTINGS_DEPRECATED = new ArraySet<>(); GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.BLUETOOTH_ON); Loading 
@@ -520,11 +520,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.NETWORK_PREFERENCE); GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.WIFI_ON); SYSTEM_SETTINGS_WHITELIST = new ArraySet<>(); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS_FLOAT); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS_MODE); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_OFF_TIMEOUT); SYSTEM_SETTINGS_ALLOWLIST = new ArraySet<>(); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS_FLOAT); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS_MODE); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_OFF_TIMEOUT); DA_DISALLOWED_POLICIES = new ArraySet<>(); DA_DISALLOWED_POLICIES.add(DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA); Loading Loading 
@@ -1231,13 +1231,13 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { String startUserSessionMessage = null; String endUserSessionMessage = null; // The whitelist of packages that can access cross profile calendar APIs. // This whitelist should be in default an empty list, which indicates that no package // is whitelisted. // The allowlist of packages that can access cross profile calendar APIs. // This allowlist should be in default an empty list, which indicates that no package // is allowed. List<String> mCrossProfileCalendarPackages = Collections.emptyList(); // The whitelist of packages that the admin has enabled to be able to request consent from // the user to communicate cross-profile. By default, no packages are whitelisted, which is // The allowlist of packages that the admin has enabled to be able to request consent from // the user to communicate cross-profile. By default, no packages are allowed, which is // represented as an empty list. List<String> mCrossProfilePackages = Collections.emptyList(); Loading Loading @@ -2818,7 +2818,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final IIntentSender.Stub mLocalSender = new IIntentSender.Stub() { @Override public void send(int code, Intent intent, String resolvedType, IBinder whitelistToken, public void send(int code, Intent intent, String resolvedType, IBinder allowlistToken, IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) { final int status = intent.getIntExtra( PackageInstaller.EXTRA_STATUS, PackageInstaller.STATUS_FAILURE); Loading Loading @@ -7067,7 +7067,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ @Override public boolean setAlwaysOnVpnPackage(ComponentName who, String vpnPackage, boolean lockdown, List<String> lockdownWhitelist) List<String> lockdownAllowlist) throws SecurityException { enforceProfileOrDeviceOwner(who); Loading 
@@ -7079,10 +7079,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, vpnPackage); } if (vpnPackage != null && lockdown && lockdownWhitelist != null) { for (String packageName : lockdownWhitelist) { if (vpnPackage != null && lockdown && lockdownAllowlist != null) { for (String packageName : lockdownAllowlist) { if (!isPackageInstalledForUser(packageName, userId)) { Slog.w(LOG_TAG, "Non-existent package in VPN whitelist: " + packageName); Slog.w(LOG_TAG, "Non-existent package in VPN allowlist: " + packageName); throw new ServiceSpecificException( DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, packageName); } Loading @@ -7090,7 +7090,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } // If some package is uninstalled after the check above, it will be ignored by CM. if (!mInjector.getConnectivityManager().setAlwaysOnVpnPackageForUser( userId, vpnPackage, lockdown, lockdownWhitelist)) { userId, vpnPackage, lockdown, lockdownAllowlist)) { throw new UnsupportedOperationException(); } DevicePolicyEventLogger Loading @@ -7098,7 +7098,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { .setAdmin(who) .setStrings(vpnPackage) .setBoolean(lockdown) .setInt(lockdownWhitelist != null ? lockdownWhitelist.size() : 0) .setInt(lockdownAllowlist != null ? lockdownAllowlist.size() : 0) .write(); }); synchronized (getLockObject()) { Loading Loading @@ -7151,7 +7151,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } @Override public List<String> getAlwaysOnVpnLockdownWhitelist(ComponentName admin) public List<String> getAlwaysOnVpnLockdownAllowlist(ComponentName admin) throws SecurityException { enforceProfileOrDeviceOwner(admin); Loading Loading 
@@ -11911,7 +11911,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; } if (!GLOBAL_SETTINGS_WHITELIST.contains(setting) if (!GLOBAL_SETTINGS_ALLOWLIST.contains(setting) && !UserManager.isDeviceInDemoMode(mContext)) { throw new SecurityException(String.format( "Permission denial: device owners cannot update %1$s", setting)); Loading Loading @@ -11939,7 +11939,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { synchronized (getLockObject()) { getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); if (!SYSTEM_SETTINGS_WHITELIST.contains(setting)) { if (!SYSTEM_SETTINGS_ALLOWLIST.contains(setting)) { throw new SecurityException(String.format( "Permission denial: device owners cannot update %1$s", setting)); } Loading Loading @@ -12083,12 +12083,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); if (isDeviceOwner(who, callingUserId)) { if (!SECURE_SETTINGS_DEVICEOWNER_WHITELIST.contains(setting) if (!SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.contains(setting) && !isCurrentUserDemo()) { throw new SecurityException(String.format( "Permission denial: Device owners cannot update %1$s", setting)); } } else if (!SECURE_SETTINGS_WHITELIST.contains(setting) && !isCurrentUserDemo()) { } else if (!SECURE_SETTINGS_ALLOWLIST.contains(setting) && !isCurrentUserDemo()) { throw new SecurityException(String.format( "Permission denial: Profile owners cannot update %1$s", setting)); } Loading Loading @@ -13859,7 +13859,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @Override public void markProfileOwnerOnOrganizationOwnedDevice(ComponentName who, int userId) { // As the caller is the system, it must specify the component name of the profile owner // as a sanity / safety check. // as a safety check. Objects.requireNonNull(who); if (!mHasFeature) { Loading Loading 
@@ -13895,7 +13895,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @GuardedBy("getLockObject()") private void markProfileOwnerOnOrganizationOwnedDeviceUncheckedLocked( ComponentName who, int userId) { // Sanity check: Make sure that the user has a profile owner and that the specified // Make sure that the user has a profile owner and that the specified // component is the profile owner of that user. if (!isProfileOwner(who, userId)) { throw new IllegalArgumentException(String.format( Loading
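Review bot: The renamed sets in the static initializer (hunks at -480 and -520: `SECURE_SETTINGS_ALLOWLIST`, `SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST`, `GLOBAL_SETTINGS_ALLOWLIST`, `SYSTEM_SETTINGS_ALLOWLIST`) are still plain mutable `ArraySet`s, although the hunks at -11911, -11939 and -12083 show them deciding whether a `SecurityException` is thrown for a settings write. Since every line of that initializer is touched anyway, each set could be filled through a local and published read-only, e.g. `GLOBAL_SETTINGS_ALLOWLIST = Collections.unmodifiableSet(globalSettings);`, so that no later code path can widen what an admin may set. Separately, the `Slog.w` text in the hunk at -7079 changes from "VPN whitelist" to "VPN allowlist", so any log matching or test that keys on the old message needs the same update. The static block and the methods around these checks extend beyond the visible hunks.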
core/java/android/app/admin/DevicePolicyManager.java +9 −9 Original line number Diff line number Diff line Loading @@ -5718,8 +5718,8 @@ public class DevicePolicyManager { * System apps can always bypass VPN. * <p> Note that the system doesn't update the allowlist when packages are installed or * uninstalled, the admin app must call this method to keep the list up to date. * <p> When {@code lockdownEnabled} is false {@code lockdownWhitelist} is ignored . When * {@code lockdownEnabled} is {@code true} and {@code lockdownWhitelist} is {@code null} or * <p> When {@code lockdownEnabled} is false {@code lockdownAllowlist} is ignored . When * {@code lockdownEnabled} is {@code true} and {@code lockdownAllowlist} is {@code null} or * empty, only system apps can bypass VPN. * <p> Setting always-on VPN package to {@code null} or using * {@link #setAlwaysOnVpnPackage(ComponentName, String, boolean)} clears lockdown allowlist. Loading 
@@ -5728,24 +5728,24 @@ public class DevicePolicyManager { * to remove an existing always-on VPN configuration * @param lockdownEnabled {@code true} to disallow networking when the VPN is not connected or * {@code false} otherwise. This has no effect when clearing. * @param lockdownWhitelist Packages that will be able to access the network directly when VPN * @param lockdownAllowlist Packages that will be able to access the network directly when VPN * is in lockdown mode but not connected. Has no effect when clearing. * @throws SecurityException if {@code admin} is not a device or a profile * owner. * @throws NameNotFoundException if {@code vpnPackage} or one of * {@code lockdownWhitelist} is not installed. * {@code lockdownAllowlist} is not installed. * @throws UnsupportedOperationException if {@code vpnPackage} exists but does * not support being set as always-on, or if always-on VPN is not * available. */ public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage, boolean lockdownEnabled, @Nullable Set<String> lockdownWhitelist) boolean lockdownEnabled, @Nullable Set<String> lockdownAllowlist) throws NameNotFoundException { throwIfParentInstance("setAlwaysOnVpnPackage"); if (mService != null) { try { mService.setAlwaysOnVpnPackage(admin, vpnPackage, lockdownEnabled, lockdownWhitelist == null ? null : new ArrayList<>(lockdownWhitelist)); lockdownAllowlist == null ? null : new ArrayList<>(lockdownAllowlist)); } catch (ServiceSpecificException e) { switch (e.errorCode) { case ERROR_VPN_PACKAGE_NOT_FOUND: Loading Loading 
@@ -5820,9 +5820,9 @@ public class DevicePolicyManager { throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist"); if (mService != null) { try { final List<String> whitelist = mService.getAlwaysOnVpnLockdownWhitelist(admin); return whitelist == null ? null : new HashSet<>(whitelist); final List<String> allowlist = mService.getAlwaysOnVpnLockdownAllowlist(admin); return allowlist == null ? null : new HashSet<>(allowlist); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } Loading
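Review bot: In the hunk at -5820 the string passed to `throwIfParentInstance("getAlwaysOnVpnLockdownWhitelist")` keeps the old term, while the Binder call just below it becomes `mService.getAlwaysOnVpnLockdownAllowlist(admin)`. The enclosing method's signature is outside the hunk, so this is presumably the unchanged public API name. If so, the public name and the AIDL name now differ on purpose, and a short comment such as `// Public API name is kept for compatibility; only the Binder method was renamed.` would stop a later cleanup from changing one without the other.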
core/java/android/app/admin/FreezePeriod.java +10 −10 Original line number Diff line number Diff line Loading @@ -39,8 +39,8 @@ import java.util.List; public class FreezePeriod { private static final String TAG = "FreezePeriod"; private static final int DUMMY_YEAR = 2001; static final int DAYS_IN_YEAR = 365; // 365 since DUMMY_YEAR is not a leap year private static final int SENTINEL_YEAR = 2001; static final int DAYS_IN_YEAR = 365; // 365 since SENTINEL_YEAR is not a leap year private final MonthDay mStart; private final MonthDay mEnd; Loading @@ -60,9 +60,9 @@ public class FreezePeriod { */ public FreezePeriod(MonthDay start, MonthDay end) { mStart = start; mStartDay = mStart.atYear(DUMMY_YEAR).getDayOfYear(); mStartDay = mStart.atYear(SENTINEL_YEAR).getDayOfYear(); mEnd = end; mEndDay = mEnd.atYear(DUMMY_YEAR).getDayOfYear(); mEndDay = mEnd.atYear(SENTINEL_YEAR).getDayOfYear(); } /** Loading Loading @@ -166,9 +166,9 @@ public class FreezePeriod { endYearAdjustment = 1; } } final LocalDate startDate = LocalDate.ofYearDay(DUMMY_YEAR, mStartDay).withYear( final LocalDate startDate = LocalDate.ofYearDay(SENTINEL_YEAR, mStartDay).withYear( now.getYear() + startYearAdjustment); final LocalDate endDate = LocalDate.ofYearDay(DUMMY_YEAR, mEndDay).withYear( final LocalDate endDate = LocalDate.ofYearDay(SENTINEL_YEAR, mEndDay).withYear( now.getYear() + endYearAdjustment); return new Pair<>(startDate, endDate); } Loading 
@@ -176,13 +176,13 @@ public class FreezePeriod { @Override public String toString() { DateTimeFormatter formatter = DateTimeFormatter.ofPattern("MMM dd"); return LocalDate.ofYearDay(DUMMY_YEAR, mStartDay).format(formatter) + " - " + LocalDate.ofYearDay(DUMMY_YEAR, mEndDay).format(formatter); return LocalDate.ofYearDay(SENTINEL_YEAR, mStartDay).format(formatter) + " - " + LocalDate.ofYearDay(SENTINEL_YEAR, mEndDay).format(formatter); } /** @hide */ private static MonthDay dayOfYearToMonthDay(int dayOfYear) { LocalDate date = LocalDate.ofYearDay(DUMMY_YEAR, dayOfYear); LocalDate date = LocalDate.ofYearDay(SENTINEL_YEAR, dayOfYear); return MonthDay.of(date.getMonth(), date.getDayOfMonth()); } Loading @@ -191,7 +191,7 @@ public class FreezePeriod { * @hide */ private static int dayOfYearDisregardLeapYear(LocalDate date) { return date.withYear(DUMMY_YEAR).getDayOfYear(); return date.withYear(SENTINEL_YEAR).getDayOfYear(); } /** Loading
core/java/android/app/admin/IDevicePolicyManager.aidl +2 −2 Original line number Diff line number Diff line Loading @@ -197,12 +197,12 @@ interface IDevicePolicyManager { void setCertInstallerPackage(in ComponentName who, String installerPackage); String getCertInstallerPackage(in ComponentName who); boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownWhitelist); boolean setAlwaysOnVpnPackage(in ComponentName who, String vpnPackage, boolean lockdown, in List<String> lockdownAllowlist); String getAlwaysOnVpnPackage(in ComponentName who); String getAlwaysOnVpnPackageForUser(int userHandle); boolean isAlwaysOnVpnLockdownEnabled(in ComponentName who); boolean isAlwaysOnVpnLockdownEnabledForUser(int userHandle); List<String> getAlwaysOnVpnLockdownWhitelist(in ComponentName who); List<String> getAlwaysOnVpnLockdownAllowlist(in ComponentName who); void addPersistentPreferredActivity(in ComponentName admin, in IntentFilter filter, in ComponentName activity); void clearPackagePersistentPreferredActivities(in ComponentName admin, String packageName); Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +49 −49
@@ -480,38 +480,38 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { private static final int STATUS_BAR_DISABLE2_MASK = StatusBarManager.DISABLE2_QUICK_SETTINGS; private static final Set<String> SECURE_SETTINGS_WHITELIST; private static final Set<String> SECURE_SETTINGS_DEVICEOWNER_WHITELIST; private static final Set<String> GLOBAL_SETTINGS_WHITELIST; private static final Set<String> SECURE_SETTINGS_ALLOWLIST; private static final Set<String> SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST; private static final Set<String> GLOBAL_SETTINGS_ALLOWLIST; private static final Set<String> GLOBAL_SETTINGS_DEPRECATED; private static final Set<String> SYSTEM_SETTINGS_WHITELIST; private static final Set<String> SYSTEM_SETTINGS_ALLOWLIST; private static final Set<Integer> DA_DISALLOWED_POLICIES; // A collection of user restrictions that are deprecated and should simply be ignored. private static final Set<String> DEPRECATED_USER_RESTRICTIONS; private static final String AB_DEVICE_KEY = "ro.build.ab_update"; static { SECURE_SETTINGS_WHITELIST = new ArraySet<>(); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.DEFAULT_INPUT_METHOD); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.SKIP_FIRST_USE_HINTS); SECURE_SETTINGS_WHITELIST.add(Settings.Secure.INSTALL_NON_MARKET_APPS); SECURE_SETTINGS_DEVICEOWNER_WHITELIST = new ArraySet<>(); SECURE_SETTINGS_DEVICEOWNER_WHITELIST.addAll(SECURE_SETTINGS_WHITELIST); SECURE_SETTINGS_DEVICEOWNER_WHITELIST.add(Settings.Secure.LOCATION_MODE); GLOBAL_SETTINGS_WHITELIST = new ArraySet<>(); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.ADB_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.ADB_WIFI_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.AUTO_TIME); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.AUTO_TIME_ZONE); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.DATA_ROAMING); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.USB_MASS_STORAGE_ENABLED); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.WIFI_SLEEP_POLICY); 
GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.STAY_ON_WHILE_PLUGGED_IN); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.PRIVATE_DNS_MODE); GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.PRIVATE_DNS_SPECIFIER); SECURE_SETTINGS_ALLOWLIST = new ArraySet<>(); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.DEFAULT_INPUT_METHOD); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.SKIP_FIRST_USE_HINTS); SECURE_SETTINGS_ALLOWLIST.add(Settings.Secure.INSTALL_NON_MARKET_APPS); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST = new ArraySet<>(); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.addAll(SECURE_SETTINGS_ALLOWLIST); SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.add(Settings.Secure.LOCATION_MODE); GLOBAL_SETTINGS_ALLOWLIST = new ArraySet<>(); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.ADB_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.ADB_WIFI_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.AUTO_TIME); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.AUTO_TIME_ZONE); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.DATA_ROAMING); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.USB_MASS_STORAGE_ENABLED); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.WIFI_SLEEP_POLICY); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.STAY_ON_WHILE_PLUGGED_IN); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.PRIVATE_DNS_MODE); GLOBAL_SETTINGS_ALLOWLIST.add(Settings.Global.PRIVATE_DNS_SPECIFIER); GLOBAL_SETTINGS_DEPRECATED = new ArraySet<>(); GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.BLUETOOTH_ON); Loading 
@@ -520,11 +520,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.NETWORK_PREFERENCE); GLOBAL_SETTINGS_DEPRECATED.add(Settings.Global.WIFI_ON); SYSTEM_SETTINGS_WHITELIST = new ArraySet<>(); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS_FLOAT); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_BRIGHTNESS_MODE); SYSTEM_SETTINGS_WHITELIST.add(Settings.System.SCREEN_OFF_TIMEOUT); SYSTEM_SETTINGS_ALLOWLIST = new ArraySet<>(); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS_FLOAT); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_BRIGHTNESS_MODE); SYSTEM_SETTINGS_ALLOWLIST.add(Settings.System.SCREEN_OFF_TIMEOUT); DA_DISALLOWED_POLICIES = new ArraySet<>(); DA_DISALLOWED_POLICIES.add(DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA); Loading Loading 
@@ -1231,13 +1231,13 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { String startUserSessionMessage = null; String endUserSessionMessage = null; // The whitelist of packages that can access cross profile calendar APIs. // This whitelist should be in default an empty list, which indicates that no package // is whitelisted. // The allowlist of packages that can access cross profile calendar APIs. // This allowlist should be in default an empty list, which indicates that no package // is allowed. List<String> mCrossProfileCalendarPackages = Collections.emptyList(); // The whitelist of packages that the admin has enabled to be able to request consent from // the user to communicate cross-profile. By default, no packages are whitelisted, which is // The allowlist of packages that the admin has enabled to be able to request consent from // the user to communicate cross-profile. By default, no packages are allowed, which is // represented as an empty list. List<String> mCrossProfilePackages = Collections.emptyList(); Loading Loading @@ -2818,7 +2818,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final IIntentSender.Stub mLocalSender = new IIntentSender.Stub() { @Override public void send(int code, Intent intent, String resolvedType, IBinder whitelistToken, public void send(int code, Intent intent, String resolvedType, IBinder allowlistToken, IIntentReceiver finishedReceiver, String requiredPermission, Bundle options) { final int status = intent.getIntExtra( PackageInstaller.EXTRA_STATUS, PackageInstaller.STATUS_FAILURE); Loading Loading @@ -7067,7 +7067,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { */ @Override public boolean setAlwaysOnVpnPackage(ComponentName who, String vpnPackage, boolean lockdown, List<String> lockdownWhitelist) List<String> lockdownAllowlist) throws SecurityException { enforceProfileOrDeviceOwner(who); Loading 
@@ -7079,10 +7079,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, vpnPackage); } if (vpnPackage != null && lockdown && lockdownWhitelist != null) { for (String packageName : lockdownWhitelist) { if (vpnPackage != null && lockdown && lockdownAllowlist != null) { for (String packageName : lockdownAllowlist) { if (!isPackageInstalledForUser(packageName, userId)) { Slog.w(LOG_TAG, "Non-existent package in VPN whitelist: " + packageName); Slog.w(LOG_TAG, "Non-existent package in VPN allowlist: " + packageName); throw new ServiceSpecificException( DevicePolicyManager.ERROR_VPN_PACKAGE_NOT_FOUND, packageName); } Loading @@ -7090,7 +7090,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } // If some package is uninstalled after the check above, it will be ignored by CM. if (!mInjector.getConnectivityManager().setAlwaysOnVpnPackageForUser( userId, vpnPackage, lockdown, lockdownWhitelist)) { userId, vpnPackage, lockdown, lockdownAllowlist)) { throw new UnsupportedOperationException(); } DevicePolicyEventLogger Loading @@ -7098,7 +7098,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { .setAdmin(who) .setStrings(vpnPackage) .setBoolean(lockdown) .setInt(lockdownWhitelist != null ? lockdownWhitelist.size() : 0) .setInt(lockdownAllowlist != null ? lockdownAllowlist.size() : 0) .write(); }); synchronized (getLockObject()) { Loading Loading @@ -7151,7 +7151,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } @Override public List<String> getAlwaysOnVpnLockdownWhitelist(ComponentName admin) public List<String> getAlwaysOnVpnLockdownAllowlist(ComponentName admin) throws SecurityException { enforceProfileOrDeviceOwner(admin); Loading Loading 
@@ -11911,7 +11911,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; } if (!GLOBAL_SETTINGS_WHITELIST.contains(setting) if (!GLOBAL_SETTINGS_ALLOWLIST.contains(setting) && !UserManager.isDeviceInDemoMode(mContext)) { throw new SecurityException(String.format( "Permission denial: device owners cannot update %1$s", setting)); Loading Loading @@ -11939,7 +11939,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { synchronized (getLockObject()) { getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); if (!SYSTEM_SETTINGS_WHITELIST.contains(setting)) { if (!SYSTEM_SETTINGS_ALLOWLIST.contains(setting)) { throw new SecurityException(String.format( "Permission denial: device owners cannot update %1$s", setting)); } Loading Loading @@ -12083,12 +12083,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); if (isDeviceOwner(who, callingUserId)) { if (!SECURE_SETTINGS_DEVICEOWNER_WHITELIST.contains(setting) if (!SECURE_SETTINGS_DEVICEOWNER_ALLOWLIST.contains(setting) && !isCurrentUserDemo()) { throw new SecurityException(String.format( "Permission denial: Device owners cannot update %1$s", setting)); } } else if (!SECURE_SETTINGS_WHITELIST.contains(setting) && !isCurrentUserDemo()) { } else if (!SECURE_SETTINGS_ALLOWLIST.contains(setting) && !isCurrentUserDemo()) { throw new SecurityException(String.format( "Permission denial: Profile owners cannot update %1$s", setting)); } Loading Loading @@ -13859,7 +13859,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @Override public void markProfileOwnerOnOrganizationOwnedDevice(ComponentName who, int userId) { // As the caller is the system, it must specify the component name of the profile owner // as a sanity / safety check. // as a safety check. Objects.requireNonNull(who); if (!mHasFeature) { Loading Loading 
@@ -13895,7 +13895,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { @GuardedBy("getLockObject()") private void markProfileOwnerOnOrganizationOwnedDeviceUncheckedLocked( ComponentName who, int userId) { // Sanity check: Make sure that the user has a profile owner and that the specified // Make sure that the user has a profile owner and that the specified // component is the profile owner of that user. if (!isProfileOwner(who, userId)) { throw new IllegalArgumentException(String.format(