Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +134 −4 Original line number Diff line number Diff line Loading @@ -9675,8 +9675,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (Flags.setKeyguardDisabledFeaturesCoexistence()) { return Binder.withCleanCallingIdentity(() -> { if (!parent && isManagedProfile(userHandle)) { return mDevicePolicyEngine.getResolvedPolicy( Integer resolvedPolicy = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, userHandle); return resolvedPolicy == null ? 0 : resolvedPolicy; } int targetUserId = getProfileParentUserIfRequested(userHandle, parent); Loading Loading @@ -11966,9 +11967,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } @Override public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, ComponentName agent, int userHandle, boolean parent) { private List<PersistableBundle> getTrustAgentConfigurationPreKeyguardDisabledFeaturesCoexistence (ComponentName admin, ComponentName agent, int userHandle, boolean parent) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return null; } Loading Loading @@ -12024,6 +12024,136 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } @Override public List<PersistableBundle> getTrustAgentConfiguration(ComponentName who, ComponentName agent, int userHandle, boolean parent) { if (!Flags.setKeyguardDisabledFeaturesCoexistence()) { return getTrustAgentConfigurationPreKeyguardDisabledFeaturesCoexistence( who, agent, userHandle, parent); } if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return null; } Objects.requireNonNull(agent, "agent null"); Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId"); final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle)); synchronized (getLockObject()) { final String componentName = agent.flattenToString(); if (who != null) { final ActiveAdmin ap = getActiveAdminUncheckedLocked(who, userHandle, parent); if (ap == null) return null; TrustAgentInfo trustAgentInfo = ap.trustAgentInfos.get(componentName); if (trustAgentInfo == null || trustAgentInfo.options == null) return null; List<PersistableBundle> result = new ArrayList<>(); result.add(trustAgentInfo.options); return result; } // Return strictest policy for this user and profiles that are visible from this user. List<PersistableBundle> result = null; // Search through all admins that use KEYGUARD_DISABLE_TRUST_AGENTS and keep track // of the options. If any admin doesn't have options, discard options for the rest // and return null. List<LockscreenPolicy> lockscreenPolicies = getEnforcingAdminsForLockscreenPoliciesLocked( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, getProfileParentUserIfRequested(userHandle, parent)); boolean allAdminsHaveOptions = true; for (LockscreenPolicy policy : lockscreenPolicies) { final TrustAgentInfo info; if (policy.admin.getComponentName() != null) { ActiveAdmin activeAdmin = getActiveAdminUncheckedLocked( policy.admin.getComponentName(), policy.admin.getUserId()); int activeAdminUserId = activeAdmin.getUserHandle().getIdentifier(); if (policy.targetUserId == activeAdminUserId) { // Policy set by a DPC on its ownn user info = activeAdmin.trustAgentInfos.get(componentName); } else if (activeAdmin.hasParentActiveAdmin() && policy.targetUserId == getProfileParentId(activeAdminUserId)) { // Policy set by DPC on the parent instance. activeAdmin = activeAdmin.getParentActiveAdmin(); info = activeAdmin.trustAgentInfos.get(componentName); } else { Slogf.w(LOG_TAG, "Target user is not the admin's user nor its parent." + " DPCs can’t set any policies on arbitrary users." + " Assuming no policy."); info = null; } } else { // Policy is enforced by non-DPC, and only DPC can set trust agent // configurations. Slogf.i(LOG_TAG, "No ActiveAdmin for enforcing admin=%s", policy.admin); info = null; } Integer policyValue = policy.policy.getValue(); final int disabledFeatures = policyValue == null ? 0 : policyValue.intValue(); final boolean disablesTrust = (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS) != 0; if (info != null && info.options != null && !info.options.isEmpty()) { if (disablesTrust) { if (result == null) { result = new ArrayList<>(); } result.add(info.options); } else { Slogf.w(LOG_TAG, "Ignoring %s because it has trust options but " + "doesn't declare KEYGUARD_DISABLE_TRUST_AGENTS", policy.admin); } } else if (disablesTrust) { allAdminsHaveOptions = false; break; } } return allAdminsHaveOptions ? result : null; } } private record LockscreenPolicy( int targetUserId, EnforcingAdmin admin, PolicyValue<Integer> policy) {} private List<LockscreenPolicy> getEnforcingAdminsForLockscreenPoliciesLocked( PolicyDefinition<Integer> policyDefinition, int userHandle) { List<LockscreenPolicy> result = new ArrayList<>(); if (isSeparateProfileChallengeEnabled(userHandle)) { // If this profile has a separate challenge, only return policies targeting itself. mDevicePolicyEngine.getLocalPoliciesSetByAdmins(policyDefinition, userHandle) .entrySet().forEach((e) -> result.add(new LockscreenPolicy(userHandle, e.getKey(), e.getValue()))); return result; } // Otherwise, this user is either a full user, or it's a profile with unified challenge. // In both cases we query the parent user who owns the credential (the parent user of a full // user is itself), plus any profile of the parent user who has unified challenge since // the policy of a unified challenge profile is enforced on the parent. return mInjector.binderWithCleanCallingIdentity(() -> { for (UserInfo userInfo : mUserManager.getProfiles(userHandle)) { boolean shouldIncludeLockscreenPolicy = userInfo.id == userHandle || userInfo.id == getProfileParentId(userHandle) || (userInfo.isManagedProfile() && mLockPatternUtils.isProfileWithUnifiedChallenge(userInfo.id)); if (shouldIncludeLockscreenPolicy) { mDevicePolicyEngine .getLocalPoliciesSetByAdmins(policyDefinition, userInfo.id) .entrySet() .forEach((e) -> { result.add(new LockscreenPolicy( userInfo.id, e.getKey(), e.getValue())); }); } } return result; }); } @Override public void setRestrictionsProvider(ComponentName who, ComponentName permissionProvider) { Objects.requireNonNull(who, "ComponentName is null"); Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +134 −4 Original line number Diff line number Diff line Loading @@ -9675,8 +9675,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (Flags.setKeyguardDisabledFeaturesCoexistence()) { return Binder.withCleanCallingIdentity(() -> { if (!parent && isManagedProfile(userHandle)) { return mDevicePolicyEngine.getResolvedPolicy( Integer resolvedPolicy = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, userHandle); return resolvedPolicy == null ? 0 : resolvedPolicy; } int targetUserId = getProfileParentUserIfRequested(userHandle, parent); Loading Loading @@ -11966,9 +11967,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } @Override public List<PersistableBundle> getTrustAgentConfiguration(ComponentName admin, ComponentName agent, int userHandle, boolean parent) { private List<PersistableBundle> getTrustAgentConfigurationPreKeyguardDisabledFeaturesCoexistence (ComponentName admin, ComponentName agent, int userHandle, boolean parent) { if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return null; } Loading Loading @@ -12024,6 +12024,136 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } @Override public List<PersistableBundle> getTrustAgentConfiguration(ComponentName who, ComponentName agent, int userHandle, boolean parent) { if (!Flags.setKeyguardDisabledFeaturesCoexistence()) { return getTrustAgentConfigurationPreKeyguardDisabledFeaturesCoexistence( who, agent, userHandle, parent); } if (!mHasFeature || !mLockPatternUtils.hasSecureLockScreen()) { return null; } Objects.requireNonNull(agent, "agent null"); Preconditions.checkArgumentNonnegative(userHandle, "Invalid userId"); final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle)); synchronized (getLockObject()) { final String componentName = agent.flattenToString(); if (who != null) { final ActiveAdmin ap = getActiveAdminUncheckedLocked(who, userHandle, parent); if (ap == null) return null; TrustAgentInfo trustAgentInfo = ap.trustAgentInfos.get(componentName); if (trustAgentInfo == null || trustAgentInfo.options == null) return null; List<PersistableBundle> result = new ArrayList<>(); result.add(trustAgentInfo.options); return result; } // Return strictest policy for this user and profiles that are visible from this user. List<PersistableBundle> result = null; // Search through all admins that use KEYGUARD_DISABLE_TRUST_AGENTS and keep track // of the options. If any admin doesn't have options, discard options for the rest // and return null. List<LockscreenPolicy> lockscreenPolicies = getEnforcingAdminsForLockscreenPoliciesLocked( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, getProfileParentUserIfRequested(userHandle, parent)); boolean allAdminsHaveOptions = true; for (LockscreenPolicy policy : lockscreenPolicies) { final TrustAgentInfo info; if (policy.admin.getComponentName() != null) { ActiveAdmin activeAdmin = getActiveAdminUncheckedLocked( policy.admin.getComponentName(), policy.admin.getUserId()); int activeAdminUserId = activeAdmin.getUserHandle().getIdentifier(); if (policy.targetUserId == activeAdminUserId) { // Policy set by a DPC on its ownn user info = activeAdmin.trustAgentInfos.get(componentName); } else if (activeAdmin.hasParentActiveAdmin() && policy.targetUserId == getProfileParentId(activeAdminUserId)) { // Policy set by DPC on the parent instance. activeAdmin = activeAdmin.getParentActiveAdmin(); info = activeAdmin.trustAgentInfos.get(componentName); } else { Slogf.w(LOG_TAG, "Target user is not the admin's user nor its parent." + " DPCs can’t set any policies on arbitrary users." + " Assuming no policy."); info = null; } } else { // Policy is enforced by non-DPC, and only DPC can set trust agent // configurations. Slogf.i(LOG_TAG, "No ActiveAdmin for enforcing admin=%s", policy.admin); info = null; } Integer policyValue = policy.policy.getValue(); final int disabledFeatures = policyValue == null ? 0 : policyValue.intValue(); final boolean disablesTrust = (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS) != 0; if (info != null && info.options != null && !info.options.isEmpty()) { if (disablesTrust) { if (result == null) { result = new ArrayList<>(); } result.add(info.options); } else { Slogf.w(LOG_TAG, "Ignoring %s because it has trust options but " + "doesn't declare KEYGUARD_DISABLE_TRUST_AGENTS", policy.admin); } } else if (disablesTrust) { allAdminsHaveOptions = false; break; } } return allAdminsHaveOptions ? result : null; } } private record LockscreenPolicy( int targetUserId, EnforcingAdmin admin, PolicyValue<Integer> policy) {} private List<LockscreenPolicy> getEnforcingAdminsForLockscreenPoliciesLocked( PolicyDefinition<Integer> policyDefinition, int userHandle) { List<LockscreenPolicy> result = new ArrayList<>(); if (isSeparateProfileChallengeEnabled(userHandle)) { // If this profile has a separate challenge, only return policies targeting itself. mDevicePolicyEngine.getLocalPoliciesSetByAdmins(policyDefinition, userHandle) .entrySet().forEach((e) -> result.add(new LockscreenPolicy(userHandle, e.getKey(), e.getValue()))); return result; } // Otherwise, this user is either a full user, or it's a profile with unified challenge. // In both cases we query the parent user who owns the credential (the parent user of a full // user is itself), plus any profile of the parent user who has unified challenge since // the policy of a unified challenge profile is enforced on the parent. return mInjector.binderWithCleanCallingIdentity(() -> { for (UserInfo userInfo : mUserManager.getProfiles(userHandle)) { boolean shouldIncludeLockscreenPolicy = userInfo.id == userHandle || userInfo.id == getProfileParentId(userHandle) || (userInfo.isManagedProfile() && mLockPatternUtils.isProfileWithUnifiedChallenge(userInfo.id)); if (shouldIncludeLockscreenPolicy) { mDevicePolicyEngine .getLocalPoliciesSetByAdmins(policyDefinition, userInfo.id) .entrySet() .forEach((e) -> { result.add(new LockscreenPolicy( userInfo.id, e.getKey(), e.getValue())); }); } } return result; }); } @Override public void setRestrictionsProvider(ComponentName who, ComponentName permissionProvider) { Objects.requireNonNull(who, "ComponentName is null");
