Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a9c51e7f authored by Alex Johnston's avatar Alex Johnston
Browse files

Remove requireAutoTime on upgrade 

* In Android 11, setRequireAutoTime was deprecated.
  The user restriction DISALLOW_CONFIG_DATE_TIME
  should be used instead to enforce time policies.
* When removing the DO, requireAutoTime needs to
  be set to false
* When transferring policies from the DO to the
  COPE PO, the user restriction should be used instead
  of requireAutoTime. This is because requireAutoTime
  can never be turned false for the COPE PO

Manual testing steps - Scenario 1
* Flash device with Android Q build and set up
  device in DO mode
* Apply some policies using TestDPC, including requireAutoTime
* Flash device with Android R build and do not wipe
* Replicate issue by checking date time cannot be removed
* Flash device with Android S build and do not wipe
* Verify date time restriction can be removed

Manual testing steps - Scenario 2
* Flash device with Android Q build and set up
  device in DO mode
* Apply some policies using TestDPC, including requireAutoTime
* Flash device with Android S build and do not wipe
* Verify DO restriction has been set on parent admin
* Verify date time restriction can be removed

Bug: 165026695
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
      Manual testing
Change-Id: I76344fe2df7475b6411362b4aff806a5cbf053a7
parent ad227b1c

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+45 −1
Original line number Original line Diff line number Diff line
@@ -2086,12 +2086,19 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { 
















        // The following policies weren't available to PO, but will be available after migration.







        // The following policies weren't available to PO, but will be available after migration.











        parentAdmin.disableCamera = doAdmin.disableCamera;







        parentAdmin.disableCamera = doAdmin.disableCamera;











        parentAdmin.requireAutoTime = doAdmin.requireAutoTime;














        parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture;







        parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture;











        parentAdmin.accountTypesWithManagementDisabled.addAll(







        parentAdmin.accountTypesWithManagementDisabled.addAll(











                doAdmin.accountTypesWithManagementDisabled);







                doAdmin.accountTypesWithManagementDisabled);



























        moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin);







        moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin);



























        // From Android 11, {@link setAutoTimeRequired} is no longer used. The user restriction














        // {@link UserManager#DISALLOW_CONFIG_DATE_TIME} should be used to enforce auto time














        // settings instead.














        if (doAdmin.requireAutoTime) {














            parentAdmin.ensureUserRestrictions().putBoolean(














                    UserManager.DISALLOW_CONFIG_DATE_TIME, true);














        }











    }







    }



























    private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) {







    private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) {










@@ -2361,6 +2368,41 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {









        saveSettingsLocked(user.getIdentifier());







        saveSettingsLocked(user.getIdentifier());











    }







    }






























    /**














     * Fix left-over restrictions and auto-time policy during COMP -> COPE migration.














     *














     * When a COMP device with requireAutoTime policy set was migrated to an














     * organization-owned profile, a DISALLOW_CONFIG_DATE_TIME restriction is set














     * on user 0 from the DO user, which becomes unremovable by the organization-owned














     * profile owner. Fix this by force removing that restriction. Also revert the














     * parentAdmin.requireAutoTime bit (since the COPE PO cannot unset this bit)














     * and replace it with DISALLOW_CONFIG_DATE_TIME on the correct














     * admin, in line with the deprecation recommendation of setAutoTimeRequired().














     */














    private void fixupAutoTimeRestrictionDuringOrganizationOwnedDeviceMigration() {














        for (UserInfo ui : mUserManager.getUsers()) {














            final int userId = ui.id;














            if (isProfileOwnerOfOrganizationOwnedDevice(userId)) {














                final ActiveAdmin parent = getProfileOwnerAdminLocked(userId).parentAdmin;














                if (parent != null && parent.requireAutoTime) {














                    // Remove deprecated requireAutoTime














                    parent.requireAutoTime = false;














                    saveSettingsLocked(userId);



























                    // Remove user restrictions set by the device owner before the upgrade to














                    // Android 11.














                    mUserManagerInternal.setDevicePolicyUserRestrictions(UserHandle.USER_SYSTEM,














                            new Bundle(), new RestrictionsSet(), /* isDeviceOwner */ false);



























                    // Apply user restriction to parent active admin instead














                    parent.ensureUserRestrictions().putBoolean(














                            UserManager.DISALLOW_CONFIG_DATE_TIME, true);














                    pushUserRestrictions(userId);














                }














            }














        }














    }
























    private ComponentName findAdminComponentWithPackageLocked(String packageName, int userId) {







    private ComponentName findAdminComponentWithPackageLocked(String packageName, int userId) {











        final DevicePolicyData policy = getUserData(userId);







        final DevicePolicyData policy = getUserData(userId);











        final int n = policy.mAdminList.size();







        final int n = policy.mAdminList.size();










@@ -3020,6 +3062,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {









    private void onLockSettingsReady() {







    private void onLockSettingsReady() {











        synchronized (getLockObject()) {







        synchronized (getLockObject()) {











            migrateUserRestrictionsIfNecessaryLocked();







            migrateUserRestrictionsIfNecessaryLocked();














            fixupAutoTimeRestrictionDuringOrganizationOwnedDeviceMigration();











            performPolicyVersionUpgrade();







            performPolicyVersionUpgrade();











        }







        }











        getUserData(UserHandle.USER_SYSTEM);







        getUserData(UserHandle.USER_SYSTEM);










@@ -8574,6 +8617,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {









            admin.defaultEnabledRestrictionsAlreadySet.clear();







            admin.defaultEnabledRestrictionsAlreadySet.clear();











            admin.forceEphemeralUsers = false;







            admin.forceEphemeralUsers = false;











            admin.isNetworkLoggingEnabled = false;







            admin.isNetworkLoggingEnabled = false;














            admin.requireAutoTime = false;











            mUserManagerInternal.setForceEphemeralUsers(admin.forceEphemeralUsers);







            mUserManagerInternal.setForceEphemeralUsers(admin.forceEphemeralUsers);











        }







        }











        final DevicePolicyData policyData = getUserData(userId);







        final DevicePolicyData policyData = getUserData(userId);