
Commit 73b54cdf authored by Sinduran Sivarajan

Disable "Developer options" by default for managed profiles.

Bug: 382064697
Test: go/work-profile-creation-developer-access
Flag: EXEMPT bugfix
Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
parent 64122384
+2 −1
@@ -309,7 +309,8 @@ public class UserRestrictionsUtils {
     * in settings. So it is handled separately.
     */
    private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(
            UserManager.DISALLOW_BLUETOOTH_SHARING
            UserManager.DISALLOW_BLUETOOTH_SHARING,
            UserManager.DISALLOW_DEBUGGING_FEATURES
    );

    /**
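Review bot: The new `UserManager.DISALLOW_DEBUGGING_FEATURES` entry is added without any comment, and the Javadoc above the set (it starts outside the hunk; only its last two lines are visible) does not mention it in the part shown. The same commit clears this restriction again when the profile owner is set over adb, so a reader of this set alone would assume the default always holds. I would add a sentence to the Javadoc such as `DISALLOW_DEBUGGING_FEATURES is enabled by default, but is cleared again when the profile owner is provisioned via adb (see DevicePolicyManagerService).`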
+23 −11
@@ -2723,16 +2723,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
    }
    /**
     * Apply default restrictions that haven't been applied to a given admin yet.
     */
    /** Apply default restrictions that haven't been applied to a given admin yet. */
    private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) {
        Set<String> defaultRestrictions =
                UserRestrictionsUtils.getDefaultEnabledForManagedProfiles();
        if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) {
        Set<String> newDefaultRestrictions = new HashSet(
            UserRestrictionsUtils.getDefaultEnabledForManagedProfiles());
        newDefaultRestrictions.removeAll(admin.defaultEnabledRestrictionsAlreadySet);
        if (newDefaultRestrictions.isEmpty()) {
            return; // The same set of default restrictions has been already applied.
        }
        for (String restriction : defaultRestrictions) {
        for (String restriction : newDefaultRestrictions) {
            mDevicePolicyEngine.setLocalPolicy(
                    PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction),
                    EnforcingAdmin.createEnterpriseEnforcingAdmin(
@@ -2740,10 +2740,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                            admin.getUserHandle().getIdentifier()),
                    new BooleanPolicyValue(true),
                    userId);
            admin.defaultEnabledRestrictionsAlreadySet.add(restriction);
            Slogf.i(LOG_TAG, "Enabled the following restriction by default: " + restriction);
        }
        admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions);
        Slogf.i(LOG_TAG, "Enabled the following restrictions by default: "
                + defaultRestrictions);
    }
    private void maybeStartSecurityLogMonitorOnActivityManagerReady() {
@@ -10282,7 +10281,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                return false;
            }
            if (isAdb(caller)) {
            boolean isAdb = isAdb(caller);
            if (isAdb) {
                // Log profile owner provisioning was started using adb.
                MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER);
                DevicePolicyEventLogger
@@ -10305,6 +10305,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin,
                            true /* newOwner */);
                }
                if(isAdb) {
                    // DISALLOW_DEBUGGING_FEATURES is being added to newly-created
                    // work profile by default due to b/382064697 . This would have
                    //  impacted certain CTS test flows when they interact with the
                    // work profile via ADB (for example installing an app into the
                    // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to
                    // reduce the potential impact.
                    setLocalUserRestrictionInternal(
                        EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle),
                        UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle);
                }
                sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED,
                        userHandle);
            });
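Review bot: The `if(isAdb)` block in the last hunk clears `DISALLOW_DEBUGGING_FEATURES` for every profile owner set over adb, not only for CTS flows, and it does so without a log line, so a work profile that lacks the new default leaves no trace of why. I would log the exemption next to the call, e.g. `Slogf.i(LOG_TAG, "Cleared DISALLOW_DEBUGGING_FEATURES for adb-provisioned profile owner on user " + userHandle);`, and have the comment state that the exemption is unconditional for adb provisioning. Whether the clear takes effect depends on the default having been applied earlier in this method under the same enforcing admin; the method starts and ends outside the hunk, so that ordering is worth confirming. Smaller points: `new HashSet(` in the first hunk is a raw type and should be `new HashSet<>(`, and `if(isAdb)` needs a space after `if`.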