
Commit ad99d757 authored by Salud Lemus's avatar Salud Lemus

Use device owner type to restrict a financed device owner

The restriction is to limit the APIs a financed device owner can
call.

Bug: 215754643
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest

Change-Id: Ic38b50d7388b277ad74d2c22182bc1e711a1aea4
parent 1e4e6962
+2 −0
@@ -461,6 +461,7 @@ package android.app.admin {
    method @RequiresPermission(android.Manifest.permission.FORCE_DEVICE_POLICY_MANAGER_LOGS) public long forceSecurityLogs();
    method public void forceUpdateUserSetupComplete(int);
    method @NonNull public java.util.Set<java.lang.String> getDefaultCrossProfilePackages();
    method public int getDeviceOwnerType(@NonNull android.content.ComponentName);
    method @NonNull public java.util.Set<java.lang.String> getDisallowedSystemApps(@NonNull android.content.ComponentName, int, @NonNull String);
    method public long getLastBugReportRequestTime();
    method public long getLastNetworkLogRetrievalTime();
@@ -476,6 +477,7 @@ package android.app.admin {
    method @RequiresPermission(allOf={android.Manifest.permission.MANAGE_DEVICE_ADMINS, android.Manifest.permission.INTERACT_ACROSS_USERS_FULL}) public void setActiveAdmin(@NonNull android.content.ComponentName, boolean, int);
    method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public boolean setDeviceOwner(@NonNull android.content.ComponentName, @Nullable String, int);
    method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public boolean setDeviceOwnerOnly(@NonNull android.content.ComponentName, @Nullable String, int);
    method public void setDeviceOwnerType(@NonNull android.content.ComponentName, int);
    method @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_ADMINS) public void setNextOperationSafety(int, int);
    field public static final String ACTION_DATA_SHARING_RESTRICTION_APPLIED = "android.app.action.DATA_SHARING_RESTRICTION_APPLIED";
    field public static final String ACTION_DEVICE_POLICY_CONSTANTS_CHANGED = "android.app.action.DEVICE_POLICY_CONSTANTS_CHANGED";
+48 −0
@@ -454,6 +454,52 @@ public class DevicePolicyManager {
     * <li>{@link #EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE}, optional</li>
     * </ul>
     *
     * <p>Once the device admin app is set as the device owner, the following APIs are available for
     * managing polices on the device:
     * <ul>
     * <li>{@link #isDeviceManaged()}</li>
     * <li>{@link #isUninstallBlocked(ComponentName, String)}</li>
     * <li>{@link #setUninstallBlocked(ComponentName, String, boolean)}</li>
     * <li>{@link #setUserControlDisabledPackages(ComponentName, List)}</li>
     * <li>{@link #getUserControlDisabledPackages(ComponentName)}</li>
     * <li>{@link #setOrganizationName(ComponentName, CharSequence)}</li>
     * <li>{@link #setShortSupportMessage(ComponentName, CharSequence)}</li>
     * <li>{@link #isBackupServiceEnabled(ComponentName)}</li>
     * <li>{@link #setBackupServiceEnabled(ComponentName, boolean)}</li>
     * <li>{@link #isLockTaskPermitted(String)}</li>
     * <li>{@link #setLockTaskFeatures(ComponentName, int)}, where the following lock task features
     * can be set (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
     *     <li>{@link #LOCK_TASK_FEATURE_SYSTEM_INFO}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_KEYGUARD}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_HOME}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_GLOBAL_ACTIONS}</li>
     *     <li>{@link #LOCK_TASK_FEATURE_NOTIFICATIONS}</li>
     * </ul>
     * <li>{@link #setLockTaskPackages(ComponentName, String[])}</li>
     * <li>{@link #addPersistentPreferredActivity(ComponentName, IntentFilter, ComponentName)}</li>
     * <li>{@link #clearPackagePersistentPreferredActivities(ComponentName, String)} </li>
     * <li>{@link #wipeData(int)}</li>
     * <li>{@link #isDeviceOwnerApp(String)}</li>
     * <li>{@link #clearDeviceOwnerApp(String)}</li>
     * <li>{@link #setPermissionGrantState(ComponentName, String, String, int)}, where
     * {@link permission#READ_PHONE_STATE} is the <b>only</b> permission that can be
     * {@link #PERMISSION_GRANT_STATE_GRANTED}, {@link #PERMISSION_GRANT_STATE_DENIED}, or
     * {@link #PERMISSION_GRANT_STATE_DEFAULT} and can <b>only</b> be applied to the device admin
     * app (otherwise a {@link SecurityException} will be thrown)</li>
     * <li>{@link #addUserRestriction(ComponentName, String)}, where the following user restrictions
     * are permitted (otherwise a {@link SecurityException} will be thrown):</li>
     * <ul>
     *     <li>{@link UserManager#DISALLOW_ADD_USER}</li>
     *     <li>{@link UserManager#DISALLOW_DEBUGGING_FEATURES}</li>
     *     <li>{@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES}</li>
     *     <li>{@link UserManager#DISALLOW_SAFE_BOOT}</li>
     *     <li>{@link UserManager#DISALLOW_CONFIG_DATE_TIME}</li>
     *     <li>{@link UserManager#DISALLOW_OUTGOING_CALLS}</li>
     * </ul>
     * <li>{@link #clearUserRestriction(ComponentName, String)}</li>
     * </ul>
     *
     * @hide
     */
    @SdkConstant(SdkConstantType.ACTIVITY_INTENT_ACTION)
@@ -14577,6 +14623,7 @@ public class DevicePolicyManager {
     *
     * @hide
     */
    @TestApi
    public void setDeviceOwnerType(@NonNull ComponentName admin,
            @DeviceOwnerType int deviceOwnerType) {
        throwIfParentInstance("setDeviceOwnerType");
@@ -14600,6 +14647,7 @@ public class DevicePolicyManager {
     *
     * @hide
     */
    @TestApi
    @DeviceOwnerType
    public int getDeviceOwnerType(@NonNull ComponentName admin) {
        throwIfParentInstance("getDeviceOwnerType");
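Review bot: `setDeviceOwnerType` and `getDeviceOwnerType` are exposed here (apparently through the `@TestApi` line in the last two hunks of this section) with no `@RequiresPermission` annotation, and the API listing in the first file section shows them bare next to `setDeviceOwner`, which declares `MANAGE_PROFILE_AND_DEVICE_OWNERS`. The setter changes which of the restrictions documented in the first hunk apply to a device owner, so whatever permission the service enforces should be visible in the contract; both method bodies continue outside the hunks and the service-side check is not shown on this page. If that check is the same permission, add `@RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)` to the setter, otherwise name the actual check in its Javadoc. Separately, the new Javadoc list says "managing polices", which should read "managing policies".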
+22 −0
@@ -284,6 +284,19 @@ public class UserRestrictionsUtils {
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
    );

    /**
     * User restrictions available to a device owner whose type is
     * {@link android.app.admin.DevicePolicyManager#DEVICE_OWNER_TYPE_FINANCED}.
     */
    private static final Set<String> FINANCED_DEVICE_OWNER_RESTRICTIONS = Sets.newArraySet(
            UserManager.DISALLOW_ADD_USER,
            UserManager.DISALLOW_DEBUGGING_FEATURES,
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
            UserManager.DISALLOW_SAFE_BOOT,
            UserManager.DISALLOW_CONFIG_DATE_TIME,
            UserManager.DISALLOW_OUTGOING_CALLS
    );

    /**
     * Returns whether the given restriction name is valid (and logs it if it isn't).
     */
@@ -457,6 +470,15 @@ public class UserRestrictionsUtils {
        return DEFAULT_ENABLED_FOR_MANAGED_PROFILES;
    }

    /**
     * @return {@code true} only if the restriction is allowed for financed devices and can be set
     * by a device owner. Otherwise, {@code false} would be returned.
     */
    public static boolean canFinancedDeviceOwnerChange(String restriction) {
        return FINANCED_DEVICE_OWNER_RESTRICTIONS.contains(restriction)
                && canDeviceOwnerChange(restriction);
    }

    /**
     * Whether given user restriction should be enforced globally.
     */
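Review bot: `FINANCED_DEVICE_OWNER_RESTRICTIONS` repeats the six restrictions that the DevicePolicyManager Javadoc in this commit lists for a financed device owner, and nothing ties the two together, so a later edit to one can leave the documented contract and the enforced allow-list out of step. A comment on the constant would help, e.g. `// Allow-list: keep in sync with the financed device owner list in the DevicePolicyManager Javadoc.` The Javadoc on `canFinancedDeviceOwnerChange` could also state its fail-closed contract in the summary: `Returns whether a financed device owner may set the given restriction; any name not on the allow-list yields false and the caller must reject the request.` The caller that acts on the result is not visible on this page, so the rejection path (the DevicePolicyManager Javadoc promises a `SecurityException`) should be confirmed there.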