
Commit 9893f104 authored by Pavel Grafov's avatar Pavel Grafov Committed by Android (Google) Code Review

Merge changes Ia7918022,Iabd5a4e9 into main

* changes:
  Remove permission based active admin.
  Remove mActiveAdmin from EnforcingAdmin
parents 5c0c91dd 10a7d335
+10 −0
@@ -342,6 +342,16 @@ flag {
    }
    }
}
}


flag {
    name: "active_admin_cleanup"
    namespace: "enterprise"
    description: "Remove ActiveAdmin from EnforcingAdmin and related cleanups"
    bug: "335663055"
    metadata {
        purpose: PURPOSE_BUGFIX
    }
}

flag {
flag {
    name: "user_provisioning_same_state"
    name: "user_provisioning_same_state"
    namespace: "enterprise"
    namespace: "enterprise"
+3 −0
@@ -371,6 +371,9 @@ class ActiveAdmin {
    }
    }


    ActiveAdmin(int userId, boolean permissionBased) {
    ActiveAdmin(int userId, boolean permissionBased) {
        if (Flags.activeAdminCleanup()) {
            throw new UnsupportedOperationException("permission based admin no longer supported");
        }
        if (permissionBased == false) {
        if (permissionBased == false) {
            throw new IllegalArgumentException("Can only pass true for permissionBased admin");
            throw new IllegalArgumentException("Can only pass true for permissionBased admin");
        }
        }
+12 −9
@@ -21,6 +21,7 @@ import android.annotation.Nullable;
import android.annotation.UserIdInt;
import android.annotation.UserIdInt;
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DevicePolicyManager;
import android.app.admin.flags.Flags;
import android.content.ComponentName;
import android.content.ComponentName;
import android.os.FileUtils;
import android.os.FileUtils;
import android.os.PersistableBundle;
import android.os.PersistableBundle;
@@ -124,17 +125,18 @@ class DevicePolicyData {
    final ArrayList<ActiveAdmin> mAdminList = new ArrayList<>();
    final ArrayList<ActiveAdmin> mAdminList = new ArrayList<>();
    final ArrayList<ComponentName> mRemovingAdmins = new ArrayList<>();
    final ArrayList<ComponentName> mRemovingAdmins = new ArrayList<>();


    // Some DevicePolicyManager APIs can be called by (1) a DPC or (2) an app with permissions that
    /**
    // isn't a DPC. For the latter, the caller won't have to provide a ComponentName and won't be
     * @deprecated Do not use. Policies set by permission holders must go into DevicePolicyEngine.
    // mapped to an ActiveAdmin. This permission-based admin should be used to persist policies
     */
    // set by the permission-based caller. This admin should not be added to mAdminMap or mAdminList
    @Deprecated
    // since a lot of methods in DPMS assume the ActiveAdmins here have a valid ComponentName.
    // Instead, use variants of DPMS active admin getters to include the permission-based admin.
    ActiveAdmin mPermissionBasedAdmin;
    ActiveAdmin mPermissionBasedAdmin;


    // Create or get the permission-based admin. The permission-based admin will not have a
    // Create or get the permission-based admin. The permission-based admin will not have a
    // DeviceAdminInfo or ComponentName.
    // DeviceAdminInfo or ComponentName.
    ActiveAdmin createOrGetPermissionBasedAdmin(int userId) {
    ActiveAdmin createOrGetPermissionBasedAdmin(int userId) {
        if (Flags.activeAdminCleanup()) {
            throw new UnsupportedOperationException("permission based admin no longer supported");
        }
        if (mPermissionBasedAdmin == null) {
        if (mPermissionBasedAdmin == null) {
            mPermissionBasedAdmin = new ActiveAdmin(userId, /* permissionBased= */ true);
            mPermissionBasedAdmin = new ActiveAdmin(userId, /* permissionBased= */ true);
        }
        }
@@ -147,7 +149,7 @@ class DevicePolicyData {
    // This is the list of component allowed to start lock task mode.
    // This is the list of component allowed to start lock task mode.
    List<String> mLockTaskPackages = new ArrayList<>();
    List<String> mLockTaskPackages = new ArrayList<>();


    /** @deprecated moved to {@link ActiveAdmin#protectedPackages}. */
    /** @deprecated moved to DevicePolicyEngine. */
    @Deprecated
    @Deprecated
    @Nullable
    @Nullable
    List<String> mUserControlDisabledPackages;
    List<String> mUserControlDisabledPackages;
@@ -280,7 +282,7 @@ class DevicePolicyData {
                }
                }
            }
            }


            if (policyData.mPermissionBasedAdmin != null) {
            if (!Flags.activeAdminCleanup() && policyData.mPermissionBasedAdmin != null) {
                out.startTag(null, "permission-based-admin");
                out.startTag(null, "permission-based-admin");
                policyData.mPermissionBasedAdmin.writeToXml(out);
                policyData.mPermissionBasedAdmin.writeToXml(out);
                out.endTag(null, "permission-based-admin");
                out.endTag(null, "permission-based-admin");
@@ -521,7 +523,8 @@ class DevicePolicyData {
                    } catch (RuntimeException e) {
                    } catch (RuntimeException e) {
                        Slogf.w(TAG, e, "Failed loading admin %s", name);
                        Slogf.w(TAG, e, "Failed loading admin %s", name);
                    }
                    }
                } else if ("permission-based-admin".equals(tag)) {
                } else if (!Flags.activeAdminCleanup() && "permission-based-admin".equals(tag)) {

                    ActiveAdmin ap = new ActiveAdmin(policy.mUserId, /* permissionBased= */ true);
                    ActiveAdmin ap = new ActiveAdmin(policy.mUserId, /* permissionBased= */ true);
                    ap.readFromXml(parser, /* overwritePolicies= */ false);
                    ap.readFromXml(parser, /* overwritePolicies= */ false);
                    policy.mPermissionBasedAdmin = ap;
                    policy.mPermissionBasedAdmin = ap;
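Review bot: With the flag on, the load path at `} else if (!Flags.activeAdminCleanup() && "permission-based-admin".equals(tag)) {` no longer consumes a persisted `permission-based-admin` element and the store path stops writing it, so whatever that ActiveAdmin held is gone after the first save, with nothing in the log. The new Javadoc says such policies must go into DevicePolicyEngine, but nothing in this section shows that existing on-disk state was migrated there before the flag flips; please confirm that, otherwise a device can end up with weaker policy than the permission holder had set. At minimum, keep matching the tag and log the drop in a flag-on branch, e.g. `Slogf.w(TAG, "Ignoring legacy permission-based-admin entry for user %d", policy.mUserId);`, so the loss is visible in a bug report. How the parser treats the element when no branch matches is outside the hunk and should be checked too. The blank line added right after the `else if` opener can be dropped.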
+86 −43
@@ -3978,7 +3978,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            final int N = admins.size();
            final int N = admins.size();
            for (int i = 0; i < N; i++) {
            for (int i = 0; i < N; i++) {
                ActiveAdmin admin = admins.get(i);
                ActiveAdmin admin = admins.get(i);
                if ((admin.isPermissionBased || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD))
                if (((!Flags.activeAdminCleanup() && admin.isPermissionBased)
                        || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD))
                        && admin.passwordExpirationTimeout > 0L
                        && admin.passwordExpirationTimeout > 0L
                        && now >= admin.passwordExpirationDate - EXPIRATION_GRACE_PERIOD_MS
                        && now >= admin.passwordExpirationDate - EXPIRATION_GRACE_PERIOD_MS
                        && admin.passwordExpirationDate > 0L) {
                        && admin.passwordExpirationDate > 0L) {
@@ -5575,13 +5576,25 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                caller.getUserId());
                caller.getUserId());
        Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller));
        Preconditions.checkArgument(!calledOnParent || isProfileOwner(caller));
        ActiveAdmin activeAdmin = admin.getActiveAdmin();
        final ActiveAdmin activeAdmin;
        if (Flags.activeAdminCleanup()) {
            if (admin.hasAuthority(EnforcingAdmin.DPC_AUTHORITY)) {
                synchronized (getLockObject()) {
                    activeAdmin = getActiveAdminUncheckedLocked(
                            admin.getComponentName(), admin.getUserId());
                }
            } else {
                activeAdmin = null;
            }
        } else {
            activeAdmin = admin.getActiveAdmin();
        }
        // We require the caller to explicitly clear any password quality requirements set
        // We require the caller to explicitly clear any password quality requirements set
        // on the parent DPM instance, to avoid the case where password requirements are
        // on the parent DPM instance, to avoid the case where password requirements are
        // specified in the form of quality on the parent but complexity on the profile
        // specified in the form of quality on the parent but complexity on the profile
        // itself.
        // itself.
        if (!calledOnParent) {
        if (activeAdmin != null && !calledOnParent) {
            final boolean hasQualityRequirementsOnParent = activeAdmin.hasParentActiveAdmin()
            final boolean hasQualityRequirementsOnParent = activeAdmin.hasParentActiveAdmin()
                    && activeAdmin.getParentActiveAdmin().mPasswordPolicy.quality
                    && activeAdmin.getParentActiveAdmin().mPasswordPolicy.quality
                    != PASSWORD_QUALITY_UNSPECIFIED;
                    != PASSWORD_QUALITY_UNSPECIFIED;
@@ -5605,20 +5618,22 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        }
        mInjector.binderWithCleanCallingIdentity(() -> {
        mInjector.binderWithCleanCallingIdentity(() -> {
            if (activeAdmin != null) {
                // Reset the password policy.
                // Reset the password policy.
                if (calledOnParent) {
                if (calledOnParent) {
                    activeAdmin.getParentActiveAdmin().mPasswordPolicy = new PasswordPolicy();
                    activeAdmin.getParentActiveAdmin().mPasswordPolicy = new PasswordPolicy();
                } else {
                } else {
                    activeAdmin.mPasswordPolicy = new PasswordPolicy();
                    activeAdmin.mPasswordPolicy = new PasswordPolicy();
                }
                }
                updatePasswordQualityCacheForUserGroup(caller.getUserId());
            }
            synchronized (getLockObject()) {
            synchronized (getLockObject()) {
                updatePasswordValidityCheckpointLocked(caller.getUserId(), calledOnParent);
                updatePasswordValidityCheckpointLocked(caller.getUserId(), calledOnParent);
            }
            }
            updatePasswordQualityCacheForUserGroup(caller.getUserId());
            saveSettingsLocked(caller.getUserId());
            saveSettingsLocked(caller.getUserId());
        });
        });
        DevicePolicyEventLogger
        DevicePolicyEventLogger
                .createEvent(DevicePolicyEnums.SET_PASSWORD_COMPLEXITY)
                .createEvent(DevicePolicyEnums.SET_PASSWORD_COMPLEXITY)
                .setAdmin(caller.getPackageName())
                .setAdmin(caller.getPackageName())
@@ -6299,28 +6314,33 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final int callingUserId = caller.getUserId();
        final int callingUserId = caller.getUserId();
        ComponentName adminComponent = null;
        ComponentName adminComponent = null;
        synchronized (getLockObject()) {
        synchronized (getLockObject()) {
            ActiveAdmin admin;
            // Make sure the caller has any active admin with the right policy or
            // Make sure the caller has any active admin with the right policy or
            // the required permission.
            // the required permission.
            if (Flags.lockNowCoexistence()) {
            if (Flags.lockNowCoexistence()) {
                admin = enforcePermissionsAndGetEnforcingAdmin(
                EnforcingAdmin enforcingAdmin = enforcePermissionsAndGetEnforcingAdmin(
                        /* admin= */ null,
                        /* admin= */ null,
                        /* permissions= */ new String[]{MANAGE_DEVICE_POLICY_LOCK, LOCK_DEVICE},
                        /* permissions= */ new String[]{MANAGE_DEVICE_POLICY_LOCK, LOCK_DEVICE},
                        /* deviceAdminPolicy= */ USES_POLICY_FORCE_LOCK,
                        /* deviceAdminPolicy= */ USES_POLICY_FORCE_LOCK,
                        caller.getPackageName(),
                        caller.getPackageName(),
                        getAffectedUser(parent)
                        getAffectedUser(parent)
                 ).getActiveAdmin();
                );
                if (Flags.activeAdminCleanup()) {
                    adminComponent = enforcingAdmin.getComponentName();
                } else {
                    ActiveAdmin admin = enforcingAdmin.getActiveAdmin();
                    adminComponent = admin == null ? null : admin.info.getComponent();
                }
            } else {
            } else {
                admin = getActiveAdminOrCheckPermissionForCallerLocked(
                ActiveAdmin admin = getActiveAdminOrCheckPermissionForCallerLocked(
                        null,
                        null,
                        DeviceAdminInfo.USES_POLICY_FORCE_LOCK,
                        DeviceAdminInfo.USES_POLICY_FORCE_LOCK,
                        parent,
                        parent,
                        LOCK_DEVICE);
                        LOCK_DEVICE);
                adminComponent = admin == null ? null : admin.info.getComponent();
            }
            }
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_LOCK_NOW);
            checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_LOCK_NOW);
            final long ident = mInjector.binderClearCallingIdentity();
            final long ident = mInjector.binderClearCallingIdentity();
            try {
            try {
                adminComponent = admin == null ? null : admin.info.getComponent();
                if (adminComponent != null) {
                if (adminComponent != null) {
                    // For Profile Owners only, callers with only permission not allowed.
                    // For Profile Owners only, callers with only permission not allowed.
                    if ((flags & DevicePolicyManager.FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY) != 0) {
                    if ((flags & DevicePolicyManager.FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY) != 0) {
@@ -7789,7 +7809,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                USES_POLICY_WIPE_DATA,
                USES_POLICY_WIPE_DATA,
                caller.getPackageName(),
                caller.getPackageName(),
                factoryReset ? UserHandle.USER_ALL : getAffectedUser(calledOnParentInstance));
                factoryReset ? UserHandle.USER_ALL : getAffectedUser(calledOnParentInstance));
        ActiveAdmin admin = enforcingAdmin.getActiveAdmin();
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_WIPE_DATA);
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_WIPE_DATA);
@@ -7798,10 +7817,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    calledByProfileOwnerOnOrgOwnedDevice, calledOnParentInstance);
                    calledByProfileOwnerOnOrgOwnedDevice, calledOnParentInstance);
        }
        }
        int userId = admin != null ? admin.getUserHandle().getIdentifier()
        int userId;
        ActiveAdmin admin = null;
        if (Flags.activeAdminCleanup()) {
            userId = enforcingAdmin.getUserId();
            Slogf.i(LOG_TAG, "wipeDataWithReason(%s): admin=%s, user=%d", wipeReasonForUser,
                    enforcingAdmin, userId);
        } else {
            admin = enforcingAdmin.getActiveAdmin();
            userId = admin != null ? admin.getUserHandle().getIdentifier()
                    : caller.getUserId();
                    : caller.getUserId();
            Slogf.i(LOG_TAG, "wipeDataWithReason(%s): admin=%s, user=%d", wipeReasonForUser, admin,
            Slogf.i(LOG_TAG, "wipeDataWithReason(%s): admin=%s, user=%d", wipeReasonForUser, admin,
                    userId);
                    userId);
        }
        if (calledByProfileOwnerOnOrgOwnedDevice) {
        if (calledByProfileOwnerOnOrgOwnedDevice) {
            // When wipeData is called on the parent instance, it implies wiping the entire device.
            // When wipeData is called on the parent instance, it implies wiping the entire device.
            if (calledOnParentInstance) {
            if (calledOnParentInstance) {
@@ -7822,6 +7851,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final String adminName;
        final String adminName;
        final ComponentName adminComp;
        final ComponentName adminComp;
        if (Flags.activeAdminCleanup()) {
            adminComp = enforcingAdmin.getComponentName();
            adminName = adminComp != null
                    ? adminComp.flattenToShortString()
                    : enforcingAdmin.getPackageName();
            event.setAdmin(enforcingAdmin.getPackageName());
            // Not including any HSUM handling here because the "else" branch in the "flag off"
            // case below is unreachable under normal circumstances and for permission-based
            // callers admin won't be null.
        } else {
            if (admin != null) {
            if (admin != null) {
                if (admin.isPermissionBased) {
                if (admin.isPermissionBased) {
                    adminComp = null;
                    adminComp = null;
@@ -7843,6 +7882,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    userId = UserHandle.USER_SYSTEM;
                    userId = UserHandle.USER_SYSTEM;
                }
                }
            }
            }
        }
        event.write();
        event.write();
        String internalReason = String.format(
        String internalReason = String.format(
@@ -8328,7 +8368,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userHandle);
        List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userHandle);
        for (int i = 0; i < admins.size(); i++) {
        for (int i = 0; i < admins.size(); i++) {
            ActiveAdmin admin = admins.get(i);
            ActiveAdmin admin = admins.get(i);
            if (admin.isPermissionBased || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD)) {
            if ((!Flags.activeAdminCleanup() && admin.isPermissionBased)
                    || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD)) {
                affectedUserIds.add(admin.getUserHandle().getIdentifier());
                affectedUserIds.add(admin.getUserHandle().getIdentifier());
                long timeout = admin.passwordExpirationTimeout;
                long timeout = admin.passwordExpirationTimeout;
                admin.passwordExpirationDate =
                admin.passwordExpirationDate =
@@ -8422,7 +8463,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
     */
     */
    private int getUserIdToWipeForFailedPasswords(ActiveAdmin admin) {
    private int getUserIdToWipeForFailedPasswords(ActiveAdmin admin) {
        final int userId = admin.getUserHandle().getIdentifier();
        final int userId = admin.getUserHandle().getIdentifier();
        if (admin.isPermissionBased) {
        if (!Flags.activeAdminCleanup() && admin.isPermissionBased) {
            return userId;
            return userId;
        }
        }
        final ComponentName component = admin.info.getComponent();
        final ComponentName component = admin.info.getComponent();
@@ -16326,7 +16367,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        if (admin.mPasswordPolicy.quality < minPasswordQuality) {
        if (admin.mPasswordPolicy.quality < minPasswordQuality) {
            return false;
            return false;
        }
        }
        return admin.isPermissionBased || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
        return (!Flags.activeAdminCleanup() && admin.isPermissionBased)
                || admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
    }
    }
    @Override
    @Override
@@ -23410,7 +23452,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return EnforcingAdmin.createDeviceAdminEnforcingAdmin(admin.info.getComponent(), userId,
            return EnforcingAdmin.createDeviceAdminEnforcingAdmin(admin.info.getComponent(), userId,
                    admin);
                    admin);
        }
        }
        admin = getUserData(userId).createOrGetPermissionBasedAdmin(userId);
        admin = Flags.activeAdminCleanup()
                ? null : getUserData(userId).createOrGetPermissionBasedAdmin(userId);
        return  EnforcingAdmin.createEnforcingAdmin(caller.getPackageName(), userId, admin);
        return  EnforcingAdmin.createEnforcingAdmin(caller.getPackageName(), userId, admin);
    }
    }
@@ -23433,8 +23476,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                }
                }
            }
            }
        }
        }
        admin = Flags.activeAdminCleanup()
        admin = getUserData(userId).createOrGetPermissionBasedAdmin(userId);
                ? null : getUserData(userId).createOrGetPermissionBasedAdmin(userId);
        return  EnforcingAdmin.createEnforcingAdmin(packageName, userId, admin);
        return  EnforcingAdmin.createEnforcingAdmin(packageName, userId, admin);
    }
    }
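Review bot: In the password-complexity hunk the new `activeAdmin != null` guards treat two different cases alike: a caller without `DPC_AUTHORITY`, where `activeAdmin` is deliberately `null`, and a caller with `DPC_AUTHORITY` for which `getActiveAdminUncheckedLocked(...)` found nothing. If that lookup can return null, a DPC in that state skips both the check for quality requirements on the parent and the policy reset, yet the call still updates the validity checkpoint and saves, which is fail-open for a password-policy API. I would fail closed inside the DPC branch, right after the lookup: `if (activeAdmin == null) throw new IllegalStateException("No ActiveAdmin for " + admin.getComponentName());`. The lookup takes the lock only for the read, while the later writes to `activeAdmin.mPasswordPolicy` happen in the lambda; whether the enclosing method already holds the lock cannot be seen, because the method begins and ends outside the hunk.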
+9 −0
@@ -23,6 +23,7 @@ import android.app.admin.DeviceAdminAuthority;
import android.app.admin.DpcAuthority;
import android.app.admin.DpcAuthority;
import android.app.admin.RoleAuthority;
import android.app.admin.RoleAuthority;
import android.app.admin.UnknownAuthority;
import android.app.admin.UnknownAuthority;
import android.app.admin.flags.Flags;
import android.content.ComponentName;
import android.content.ComponentName;
import android.os.UserHandle;
import android.os.UserHandle;


@@ -295,9 +296,17 @@ final class EnforcingAdmin {


    @Nullable
    @Nullable
    public ActiveAdmin getActiveAdmin() {
    public ActiveAdmin getActiveAdmin() {
        if (Flags.activeAdminCleanup()) {
            throw new UnsupportedOperationException("getActiveAdmin() no longer supported");
        }
        return mActiveAdmin;
        return mActiveAdmin;
    }
    }


    @Nullable
    ComponentName getComponentName() {
        return mComponentName;
    }

    @NonNull
    @NonNull
    android.app.admin.EnforcingAdmin getParcelableAdmin() {
    android.app.admin.EnforcingAdmin getParcelableAdmin() {
        Authority authority;
        Authority authority;
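Review bot: `getComponentName()` is added as `@Nullable` with no Javadoc, while the lock and wipe paths in DevicePolicyManagerService now use a null result to decide that the caller holds only a permission. Please add a Javadoc comment on the getter stating for which authorities `mComponentName` is null and for which it is set; the factory methods that establish this are outside the hunk, so the exact cases need to be taken from there. `getActiveAdmin()` now throws when the flag is on but is still only marked `@Nullable`; adding `@Deprecated` plus a `@deprecated` Javadoc line pointing to `getComponentName()` and `getUserId()` would make any remaining caller show up at compile time instead of as an `UnsupportedOperationException` inside a binder call.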