Disable provisioning in COMP mode (6ad0e194) · Commits · e / os / android_frameworks_base

core/java/android/app/admin/DevicePolicyManager.java

+1 −11

Original line number	Diff line number	Diff line
		@@ -1941,16 +1941,6 @@ public class DevicePolicyManager {
		*/
		public static final int CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER = 14;

		/**
		* Result code for {@link #checkProvisioningPreCondition}.
		*
		* <p>Returned for {@link #ACTION_PROVISION_MANAGED_PROFILE} when adding a managed profile is
		* disallowed by {@link UserManager#DISALLOW_ADD_MANAGED_PROFILE}.
		*
		* @hide
		*/
		public static final int CODE_ADD_MANAGED_PROFILE_DISALLOWED = 15;

		/**
		* Result codes for {@link #checkProvisioningPreCondition} indicating all the provisioning pre
		* conditions.
		@@ -1963,7 +1953,7 @@ public class DevicePolicyManager {
		CODE_USER_SETUP_COMPLETED, CODE_NOT_SYSTEM_USER, CODE_HAS_PAIRED,
		CODE_MANAGED_USERS_NOT_SUPPORTED, CODE_SYSTEM_USER, CODE_CANNOT_ADD_MANAGED_PROFILE,
		CODE_NOT_SYSTEM_USER_SPLIT, CODE_DEVICE_ADMIN_NOT_SUPPORTED,
		CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER, CODE_ADD_MANAGED_PROFILE_DISALLOWED
		CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER
		})
		public @interface ProvisioningPreCondition {}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+64 −23

Original line number	Diff line number	Diff line
		@@ -23,7 +23,6 @@ import static android.app.ActivityManager.LOCK_TASK_MODE_NONE;
		import static android.app.admin.DeviceAdminReceiver.EXTRA_TRANSFER_OWNERSHIP_ADMIN_EXTRAS_BUNDLE;
		import static android.app.admin.DevicePolicyManager.ACTION_PROVISION_MANAGED_USER;
		import static android.app.admin.DevicePolicyManager.CODE_ACCOUNTS_NOT_EMPTY;
		import static android.app.admin.DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED;
		import static android.app.admin.DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE;
		import static android.app.admin.DevicePolicyManager.CODE_DEVICE_ADMIN_NOT_SUPPORTED;
		import static android.app.admin.DevicePolicyManager.CODE_HAS_DEVICE_OWNER;
		@@ -4099,6 +4098,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_USER, userHandle)) {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, userHandle);
		}
		// When a device owner is set, the system automatically restricts adding a managed profile.
		// Remove this restriction when the device owner is cleared.
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, userHandle)) {
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, false,
		userHandle);
		}
		}

		/**
		@@ -7976,10 +7981,19 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		updateDeviceOwnerLocked();
		setDeviceOwnerSystemPropertyLocked();

		mInjector.binderWithCleanCallingIdentity(() -> {
		// Restrict adding a managed profile when a device owner is set on the device.
		// That is to prevent the co-existence of a managed profile and a device owner
		// on the same device.
		// Instead, the device may be provisioned with an organization-owned managed
		// profile, such that the admin on that managed profile has extended management
		// capabilities that can affect the entire device (but not access private data
		// on the primary profile).
		mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, true,
		UserHandle.of(userId));
		// TODO Send to system too?
		mInjector.binderWithCleanCallingIdentity(
		() -> sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED,
		userId));
		sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, userId);
		});
		mDeviceAdminServiceController.startServiceForOwner(
		admin.getPackageName(), userId, "set-device-owner");

		@@ -8234,6 +8248,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		throw new IllegalArgumentException("Not active admin: " + who);
		}

		UserInfo parentUser = mUserManager.getProfileParent(userHandle);
		// When trying to set a profile owner on a new user, it may be that this user is
		// a profile - but it may not be a managed profile if there's a restriction on the
		// parent to add managed profiles (e.g. if the device has a device owner).
		if (parentUser != null && mUserManager.hasUserRestriction(
		UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		UserHandle.of(parentUser.id))) {
		Slog.i(LOG_TAG, "Cannot set profile owner because of restriction.");
		return false;
		}

		if (isAdb()) {
		// Log profile owner provisioning was started using adb.
		MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER);
		@@ -12293,25 +12318,41 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		final long ident = mInjector.binderClearCallingIdentity();
		try {
		final UserHandle callingUserHandle = UserHandle.of(callingUserId);
		final ComponentName ownerAdmin = getOwnerComponent(packageName, callingUserId);
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		callingUserHandle)) {
		// An admin can initiate provisioning if it has set the restriction.
		if (ownerAdmin == null \|\| isAdminAffectedByRestriction(ownerAdmin,
		UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserId)) {
		return CODE_ADD_MANAGED_PROFILE_DISALLOWED;
		}
		}
		boolean canRemoveProfile = true;
		if (mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
		callingUserHandle)) {
		// We can remove a profile if the admin itself has set the restriction.
		if (ownerAdmin == null \|\| isAdminAffectedByRestriction(ownerAdmin,
		UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
		callingUserId)) {
		canRemoveProfile = false;
		final boolean hasDeviceOwner;
		synchronized (getLockObject()) {
		hasDeviceOwner = getDeviceOwnerAdminLocked() != null;
		}

		final boolean addingProfileRestricted = mUserManager.hasUserRestriction(
		UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle);

		UserInfo parentUser = mUserManager.getProfileParent(callingUserId);
		final boolean addingProfileRestrictedOnParent = (parentUser != null)
		&& mUserManager.hasUserRestriction(
		UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		UserHandle.of(parentUser.id));

		Slog.i(LOG_TAG, String.format(
		"When checking for managed profile provisioning: Has device owner? %b, adding"
		+ " profile restricted? %b, adding profile restricted on parent? %b",
		hasDeviceOwner, addingProfileRestricted, addingProfileRestrictedOnParent));

		// If there's a device owner, the restriction on adding a managed profile must be set
		// somewhere.
		if (hasDeviceOwner && !addingProfileRestricted && !addingProfileRestrictedOnParent) {
		Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile.");
		}

		// Do not allow adding a managed profile if there's a restriction, either on the current
		// user or its parent user.
		if (addingProfileRestricted \|\| addingProfileRestrictedOnParent) {
		return CODE_CANNOT_ADD_MANAGED_PROFILE;
		}
		// If there's a restriction on removing the managed profile then we have to take it
		// into account when checking whether more profiles can be added.
		boolean canRemoveProfile =
		!mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
		callingUserHandle);
		if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) {
		return CODE_CANNOT_ADD_MANAGED_PROFILE;
		}

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+67 −186

File changed.

Preview size limit exceeded, changes collapsed.