
Commit bb10ad22 authored by Yan Zhu's avatar Yan Zhu

More DevicePolicyManager operations with safety checker for device management

Bug: 175245108
Test: m update-api
atest \
CtsDevicePolicyManagerTestCases:DeviceOwnerTest#testDevicePolicySafetyCheckerIntegration \
CtsDevicePolicyManagerTestCases:ProfileOwnerTest#testDevicePolicySafetyCheckerIntegration

Change-Id: I861364041dabca7a76492f98a387548846da92d9
parent 6a6b8d43
+18 −0
@@ -385,18 +385,35 @@ package android.app.admin {
    method @NonNull public static String operationToString(int);
    method @RequiresPermission("android.permission.MANAGE_DEVICE_ADMINS") public void setNextOperationSafety(int, boolean);
    field public static final String ACTION_DATA_SHARING_RESTRICTION_APPLIED = "android.app.action.DATA_SHARING_RESTRICTION_APPLIED";
    field public static final int OPERATION_CLEAR_APPLICATION_USER_DATA = 23; // 0x17
    field public static final int OPERATION_CREATE_AND_MANAGE_USER = 5; // 0x5
    field public static final int OPERATION_INSTALL_CA_CERT = 24; // 0x18
    field public static final int OPERATION_INSTALL_KEY_PAIR = 25; // 0x19
    field public static final int OPERATION_INSTALL_SYSTEM_UPDATE = 26; // 0x1a
    field public static final int OPERATION_LOCK_NOW = 1; // 0x1
    field public static final int OPERATION_LOGOUT_USER = 9; // 0x9
    field public static final int OPERATION_REBOOT = 7; // 0x7
    field public static final int OPERATION_REMOVE_ACTIVE_ADMIN = 27; // 0x1b
    field public static final int OPERATION_REMOVE_KEY_PAIR = 28; // 0x1c
    field public static final int OPERATION_REMOVE_USER = 6; // 0x6
    field public static final int OPERATION_REQUEST_BUGREPORT = 29; // 0x1d
    field public static final int OPERATION_SET_ALWAYS_ON_VPN_PACKAGE = 30; // 0x1e
    field public static final int OPERATION_SET_APPLICATION_HIDDEN = 15; // 0xf
    field public static final int OPERATION_SET_APPLICATION_RESTRICTIONS = 16; // 0x10
    field public static final int OPERATION_SET_CAMERA_DISABLED = 31; // 0x1f
    field public static final int OPERATION_SET_FACTORY_RESET_PROTECTION_POLICY = 32; // 0x20
    field public static final int OPERATION_SET_GLOBAL_PRIVATE_DNS = 33; // 0x21
    field public static final int OPERATION_SET_KEEP_UNINSTALLED_PACKAGES = 17; // 0x11
    field public static final int OPERATION_SET_KEYGUARD_DISABLED = 12; // 0xc
    field public static final int OPERATION_SET_LOCK_TASK_FEATURES = 18; // 0x12
    field public static final int OPERATION_SET_LOCK_TASK_PACKAGES = 19; // 0x13
    field public static final int OPERATION_SET_LOGOUT_ENABLED = 34; // 0x22
    field public static final int OPERATION_SET_MASTER_VOLUME_MUTED = 35; // 0x23
    field public static final int OPERATION_SET_OVERRIDE_APNS_ENABLED = 36; // 0x24
    field public static final int OPERATION_SET_PACKAGES_SUSPENDED = 20; // 0x14
    field public static final int OPERATION_SET_PERMISSION_GRANT_STATE = 37; // 0x25
    field public static final int OPERATION_SET_PERMISSION_POLICY = 38; // 0x26
    field public static final int OPERATION_SET_RESTRICTIONS_PROVIDER = 39; // 0x27
    field public static final int OPERATION_SET_STATUS_BAR_DISABLED = 13; // 0xd
    field public static final int OPERATION_SET_SYSTEM_SETTING = 11; // 0xb
    field public static final int OPERATION_SET_SYSTEM_UPDATE_POLICY = 14; // 0xe
@@ -406,6 +423,7 @@ package android.app.admin {
    field public static final int OPERATION_START_USER_IN_BACKGROUND = 3; // 0x3
    field public static final int OPERATION_STOP_USER = 4; // 0x4
    field public static final int OPERATION_SWITCH_USER = 2; // 0x2
    field public static final int OPERATION_UNINSTALL_CA_CERT = 40; // 0x28
    field public static final int OPERATION_WIPE_DATA = 8; // 0x8
  }

+74 −2
@@ -2690,6 +2690,60 @@ public class DevicePolicyManager {
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES = 22;
    /** @hide */
    @TestApi
    public static final int OPERATION_CLEAR_APPLICATION_USER_DATA = 23;
    /** @hide */
    @TestApi
    public static final int OPERATION_INSTALL_CA_CERT = 24;
    /** @hide */
    @TestApi
    public static final int OPERATION_INSTALL_KEY_PAIR = 25;
    /** @hide */
    @TestApi
    public static final int OPERATION_INSTALL_SYSTEM_UPDATE = 26;
    /** @hide */
    @TestApi
    public static final int OPERATION_REMOVE_ACTIVE_ADMIN = 27;
    /** @hide */
    @TestApi
    public static final int OPERATION_REMOVE_KEY_PAIR = 28;
    /** @hide */
    @TestApi
    public static final int OPERATION_REQUEST_BUGREPORT = 29;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_ALWAYS_ON_VPN_PACKAGE = 30;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_CAMERA_DISABLED = 31;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_FACTORY_RESET_PROTECTION_POLICY = 32;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_GLOBAL_PRIVATE_DNS = 33;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_LOGOUT_ENABLED = 34;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_MASTER_VOLUME_MUTED = 35;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_OVERRIDE_APNS_ENABLED = 36;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_PERMISSION_GRANT_STATE = 37;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_PERMISSION_POLICY = 38;
    /** @hide */
    @TestApi
    public static final int OPERATION_SET_RESTRICTIONS_PROVIDER = 39;
    /** @hide */
    @TestApi
    public static final int OPERATION_UNINSTALL_CA_CERT = 40;
    private static final String PREFIX_OPERATION = "OPERATION_";
@@ -2716,7 +2770,25 @@ public class DevicePolicyManager {
            OPERATION_SET_LOCK_TASK_PACKAGES,
            OPERATION_SET_PACKAGES_SUSPENDED,
            OPERATION_SET_TRUST_AGENT_CONFIGURATION,
            OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES
            OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES,
            OPERATION_CLEAR_APPLICATION_USER_DATA,
            OPERATION_INSTALL_CA_CERT,
            OPERATION_INSTALL_KEY_PAIR,
            OPERATION_INSTALL_SYSTEM_UPDATE,
            OPERATION_REMOVE_ACTIVE_ADMIN,
            OPERATION_REMOVE_KEY_PAIR,
            OPERATION_REQUEST_BUGREPORT,
            OPERATION_SET_ALWAYS_ON_VPN_PACKAGE,
            OPERATION_SET_CAMERA_DISABLED,
            OPERATION_SET_FACTORY_RESET_PROTECTION_POLICY,
            OPERATION_SET_GLOBAL_PRIVATE_DNS,
            OPERATION_SET_LOGOUT_ENABLED,
            OPERATION_SET_MASTER_VOLUME_MUTED,
            OPERATION_SET_OVERRIDE_APNS_ENABLED,
            OPERATION_SET_PERMISSION_GRANT_STATE,
            OPERATION_SET_PERMISSION_POLICY,
            OPERATION_SET_RESTRICTIONS_PROVIDER,
            OPERATION_UNINSTALL_CA_CERT
    })
    @Retention(RetentionPolicy.SOURCE)
    public static @interface DevicePolicyOperation {
@@ -9823,7 +9895,7 @@ public class DevicePolicyManager {
     * Designates a specific service component as the provider for making permission requests of a
     * local or remote administrator of the user.
     * <p/>
     * Only a profile owner can designate the restrictions provider.
     * Only a device owner or profile owner can designate the restrictions provider.
     *
     * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
     * @param provider The component name of the service that implements
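Review bot: Each constant added in the first hunk of this file (`OPERATION_CLEAR_APPLICATION_USER_DATA = 23` through `OPERATION_UNINSTALL_CA_CERT = 40`) carries only `/** @hide */`, so nothing here records which DevicePolicyManager call a given id guards. Several of them cover security-sensitive operations (CA certificate and key-pair install and removal, permission grant state, factory reset protection policy), and anyone auditing safety-checker coverage has to cross-reference the service implementation to recover the mapping. A one-line Javadoc per constant would close that gap, for example `/** Operation id for {@link #installCaCert(ComponentName, byte[])}. @hide */`. The class body and the annotation whose value list the second hunk extends both begin outside the hunks shown.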
+20 −0
@@ -3383,6 +3383,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        enforceUserUnlocked(userHandle);
        synchronized (getLockObject()) {
@@ -5143,6 +5144,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
        Preconditions.checkCallAuthorization(canManageCaCerts(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_INSTALL_CA_CERT);
        final String alias = mInjector.binderWithCleanCallingIdentity(() -> {
            String installedAlias = mCertificateMonitor.installCaCert(
@@ -5174,6 +5176,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        }
        final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
        Preconditions.checkCallAuthorization(canManageCaCerts(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_UNINSTALL_CA_CERT);
        mInjector.binderWithCleanCallingIdentity(() -> {
            mCertificateMonitor.uninstallCaCerts(caller.getUserHandle(), aliases);
@@ -5203,6 +5206,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_INSTALL_KEY_PAIR);
        final long id = mInjector.binderClearCallingIdentity();
        try {
@@ -5260,6 +5264,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_KEY_PAIR);
        final long id = Binder.clearCallingIdentity();
        try {
@@ -6157,6 +6162,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_ALWAYS_ON_VPN_PACKAGE);
        final int userId = caller.getUserId();
        mInjector.binderWithCleanCallingIdentity(() -> {
@@ -6500,6 +6506,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller)
                || isProfileOwnerOfOrganizationOwnedDevice(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager
                .OPERATION_SET_FACTORY_RESET_PROTECTION_POLICY);
        final int frpManagementAgentUid = getFrpManagementAgentUidOrThrow();
        synchronized (getLockObject()) {
@@ -7397,6 +7405,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller));
        checkAllUsersAreAffiliatedWithDevice();
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REQUEST_BUGREPORT);
        if (mBugreportCollectionManager.requestBugreport()) {
            DevicePolicyEventLogger
@@ -7506,6 +7515,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        if (parent) {
            Preconditions.checkCallAuthorization(isProfileOwnerOfOrganizationOwnedDevice(caller));
        }
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_CAMERA_DISABLED);
        final int userHandle = caller.getUserId();
        synchronized (getLockObject()) {
@@ -9256,6 +9266,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Objects.requireNonNull(who, "ComponentName is null");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_RESTRICTIONS_PROVIDER);
        synchronized (getLockObject()) {
            int userHandle = caller.getUserId();
@@ -11413,6 +11424,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Objects.requireNonNull(who, "ComponentName is null");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isProfileOwner(caller) || isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_MASTER_VOLUME_MUTED);
        synchronized (getLockObject()) {
            setUserRestriction(who, UserManager.DISALLOW_UNMUTE_DEVICE, on, /* parent */ false);
@@ -12384,6 +12396,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_PERMISSION_POLICY);
        synchronized (getLockObject()) {
            DevicePolicyData userPolicy = getUserData(caller.getUserId());
@@ -12419,6 +12432,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller, DELEGATION_PERMISSION_GRANT)));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_PERMISSION_GRANT_STATE);
        synchronized (getLockObject()) {
            long ident = mInjector.binderClearCallingIdentity();
@@ -14395,6 +14409,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(admin);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_CLEAR_APPLICATION_USER_DATA);
        long ident = mInjector.binderClearCallingIdentity();
        try {
@@ -14426,6 +14441,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Objects.requireNonNull(admin, "ComponentName is null");
        final CallerIdentity caller = getCallerIdentity(admin);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_LOGOUT_ENABLED);
        synchronized (getLockObject()) {
            ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
@@ -14793,6 +14809,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Objects.requireNonNull(who, "ComponentName is null");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_OVERRIDE_APNS_ENABLED);
        setOverrideApnsEnabledUnchecked(enabled);
    }
@@ -14894,6 +14912,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        Objects.requireNonNull(who, "ComponentName is null");
        final CallerIdentity caller = getCallerIdentity(who);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_GLOBAL_PRIVATE_DNS);
        switch (mode) {
            case PRIVATE_DNS_MODE_OPPORTUNISTIC:
@@ -14966,6 +14985,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
        final CallerIdentity caller = getCallerIdentity(admin);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller)
                || isProfileOwnerOfOrganizationOwnedDevice(caller));
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_INSTALL_SYSTEM_UPDATE);
        DevicePolicyEventLogger
                .createEvent(DevicePolicyEnums.INSTALL_SYSTEM_UPDATE)
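Review bot: In the hunk at -7397 the new `checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REQUEST_BUGREPORT)` sits after `checkAllUsersAreAffiliatedWithDevice()`, whereas in the other hunks of this file the safety check directly follows `Preconditions.checkCallAuthorization(...)`. When both conditions fail, this one operation therefore reports a different failure than its siblings would; either move the call up one line or state the intent with a comment such as `// Affiliation is validated before the safety check on purpose.`. The key-pair and permission hunks (-5203, -5260, -12384, -12419) also admit delegate and credential-management callers, so those callers now reach the safety check too, which probably belongs in the delegation documentation (not visible here). All enclosing methods start and end outside the hunks.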