Allow profile owners to set user restrictions

  public class DevicePolicyManager {

    method public void addPersistentPreferredActivity(android.content.ComponentName, android.content.IntentFilter, android.content.ComponentName);

    method public void addUserRestriction(android.content.ComponentName, java.lang.String);

    method public void clearPackagePersistentPreferredActivities(android.content.ComponentName, java.lang.String);

    method public void clearUserRestriction(android.content.ComponentName, java.lang.String);

    method public java.util.List<android.content.ComponentName> getActiveAdmins();

    method public android.os.Bundle getApplicationRestrictions(android.content.ComponentName, java.lang.String);

    method public boolean getCameraDisabled(android.content.ComponentName);

        }

        return null;

    }

    /**

     * Called by a profile or device owner to set a user restriction specified

     * by the key.

     * <p>

     * The calling device admin must be a profile or device owner; if it is not,

     * a security exception will be thrown.

     * 

     * @param admin Which {@link DeviceAdminReceiver} this request is associated

     *            with.

     * @param key The key of the restriction. See the constants in

     *            {@link android.os.UserManager} for the list of keys.

     */

    public void addUserRestriction(ComponentName admin, String key) {

        if (mService != null) {

            try {

                mService.setUserRestriction(admin, key, true);

            } catch (RemoteException e) {

                Log.w(TAG, "Failed talking with device policy service", e);

            }

        }

    }

    /**

     * Called by a profile or device owner to clear a user restriction specified

     * by the key.

     * <p>

     * The calling device admin must be a profile or device owner; if it is not,

     * a security exception will be thrown.

     * 

     * @param admin Which {@link DeviceAdminReceiver} this request is associated

     *            with.

     * @param key The key of the restriction. See the constants in

     *            {@link android.os.UserManager} for the list of keys.

     */

    public void clearUserRestriction(ComponentName admin, String key) {

        if (mService != null) {

            try {

                mService.setUserRestriction(admin, key, false);

            } catch (RemoteException e) {

                Log.w(TAG, "Failed talking with device policy service", e);

            }

        }

    }

}

    void setApplicationRestrictions(in ComponentName who, in String packageName, in Bundle settings);

    Bundle getApplicationRestrictions(in ComponentName who, in String packageName);

    void setUserRestriction(in ComponentName who, in String key, boolean enable);

}

    /**

     * Sets all the user-wide restrictions for this user.

     * Requires the MANAGE_USERS permission or profile/device owner

     * privileges.

     * Requires the MANAGE_USERS permission.

     * @param restrictions the Bundle containing all the restrictions.

     */

    public void setUserRestrictions(Bundle restrictions) {

    /**

     * Sets all the user-wide restrictions for the specified user.

     * Requires the MANAGE_USERS permission or profile/device owner

     * privileges.

     * Requires the MANAGE_USERS permission.

     * @param restrictions the Bundle containing all the restrictions.

     * @param userHandle the UserHandle of the user for whom to set the restrictions.

     */

    /**

     * Sets the value of a specific restriction.

     * Requires the MANAGE_USERS permission or profile/device owner

     * privileges.

     * Requires the MANAGE_USERS permission.

     * @param key the key of the restriction

     * @param value the value for the restriction

     */

    /**

     * @hide

     * Sets the value of a specific restriction on a specific user.

     * Requires the {@link android.Manifest.permission#MANAGE_USERS} permission or profile/device owner

     * privileges.

     * Requires the MANAGE_USERS permission.

     * @param key the key of the restriction

     * @param value the value for the restriction

     * @param userHandle the user whose restriction is to be changed.

import android.app.ActivityManager;

import android.app.ActivityManagerNative;

import android.app.ActivityThread;

import android.app.admin.DevicePolicyManager;

import android.app.IStopUserCallback;

import android.app.admin.DevicePolicyManager;

import android.content.BroadcastReceiver;

        if (userId != UserHandle.getCallingUserId()) {

            checkManageUsersPermission("getting profiles related to user " + userId);

        }

        final long ident = Binder.clearCallingIdentity();

        try {

            synchronized (mPackagesLock) {

            // Getting the service here is not good for testing purposes. However, this service

            // is not available when UserManagerService starts up so we need a lazy load.

                return getProfilesLocked(userId, enabledOnly);

            }

        } finally {

            Binder.restoreCallingIdentity(ident);

        }

    }

    /** Assume permissions already checked and caller's identity cleared */

    private List<UserInfo> getProfilesLocked(int userId, boolean enabledOnly) {

        // Getting the service here is not good for testing purposes.

        // However, this service is not available when UserManagerService starts

        // up so we need a lazy load.

        DevicePolicyManager dpm = null;

        if (enabledOnly) {

                    }

                } else {

                    Log.w(LOG_TAG,

                                "Attempting to reach DevicePolicyManager before it was started");

                        // TODO: There might be system apps that need to call this. Make sure that

                        // DevicePolicyManagerService is ready at that time (otherwise, any default

                        // value is a bad one).

                            "Attempting to reach DevicePolicyManager before it is started");

                    // TODO: There might be system apps that need to call this.

                    // Make sure that DevicePolicyManagerService is ready at that

                    // time (otherwise, any default value is a bad one).

                    throw new IllegalArgumentException(String.format(

                            "Attempting to get enabled profiles for %d before "

                                + "DevicePolicyManagerService has been started.", userId));

                                    + "DevicePolicyManagerService has been started.",

                            userId));

                }

            }

            users.add(profile);

        }

        return users;

    }

    }

    private boolean isProfileOf(UserInfo user, UserInfo profile) {

        return user.id == profile.id ||

        synchronized (mPackagesLock) {

            Bundle restrictions = mUserRestrictions.get(userId);

            return restrictions != null ? restrictions : Bundle.EMPTY;

            return restrictions != null ? new Bundle(restrictions) : new Bundle();

        }

    }

    @Override

    public void setUserRestrictions(Bundle restrictions, int userId) {

        checkProfileOwnerOrManageUsersPermission("setUserRestrictions");

        checkManageUsersPermission("setUserRestrictions");

        if (restrictions == null) return;

        synchronized (mPackagesLock) {

     * @param message used as message if SecurityException is thrown

     * @throws SecurityException if the caller is not system or root

     */

    private final void checkManageUsersPermission(String message) {

        final int uid = Binder.getCallingUid();

        if (missingManageUsersPermission(uid)) {

            throw new SecurityException("You need MANAGE_USERS permission to: " + message);

        }

    }

    /**

     * Enforces that only the system UID, root's UID, apps that have the

     * {@link android.Manifest.permission#MANAGE_USERS MANAGE_USERS}

     * permission, the profile owner, or the device owner can make certain calls to the

     * UserManager.

     *

     * @param message used as message if SecurityException is thrown

     * @throws SecurityException if the caller is not system, root, or device

     * owner

     */

    private final void checkProfileOwnerOrManageUsersPermission(String message) {

    private static final void checkManageUsersPermission(String message) {

        final int uid = Binder.getCallingUid();

        boolean isProfileOwner = false;

        if (mContext != null && mContext.getPackageManager() != null) {

            String[] pkgs = mContext.getPackageManager().getPackagesForUid(uid);

            DevicePolicyManager dpm =

                    (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);

            if (dpm != null) {

                for (String pkg : pkgs) {

                    if (dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg)) {

                        isProfileOwner = true;

                    }

                }

            }

        }

        if (missingManageUsersPermission(uid) && !isProfileOwner) {

            throw new SecurityException(

                    "You need MANAGE_USERS permission or device owner privileges to: " + message);

        }

    }

    private boolean missingManageUsersPermission(int uid) {

        return uid != Process.SYSTEM_UID && uid != 0

        if (uid != Process.SYSTEM_UID && uid != 0

                && ActivityManager.checkComponentPermission(

                        android.Manifest.permission.MANAGE_USERS,

                        uid, -1, true) != PackageManager.PERMISSION_GRANTED;

                        uid, -1, true) != PackageManager.PERMISSION_GRANTED) {

            throw new SecurityException("You need MANAGE_USERS permission to: " + message);

        }

    }

    private void writeBitmapLocked(UserInfo info, Bitmap bitmap) {

    public Bundle getApplicationRestrictionsForUser(String packageName, int userId) {

        if (UserHandle.getCallingUserId() != userId

                || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) {

            checkProfileOwnerOrManageUsersPermission(

                    "Only system or device owner can get restrictions for other users/apps");

            checkManageUsersPermission("Only system can get restrictions for other users/apps");

        }

        synchronized (mPackagesLock) {

            // Read the restrictions from XML

            int userId) {

        if (UserHandle.getCallingUserId() != userId

                || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) {

            checkProfileOwnerOrManageUsersPermission(

                    "Only system or device owner can set restrictions for other users/apps");

            checkManageUsersPermission("Only system can set restrictions for other users/apps");

        }

        synchronized (mPackagesLock) {

            // Write the restrictions to XML

    @Override

    public void removeRestrictions() {

        checkProfileOwnerOrManageUsersPermission(

                "Only system or device owner can remove restrictions");

        checkManageUsersPermission("Only system can remove restrictions");

        final int userHandle = UserHandle.getCallingUserId();

        removeRestrictionsForUser(userHandle, true);

    }