Merge "[Bugfix]migrate user restrictions to DevicePolicyEngine" into 24D1-dev (ca45aa27) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+80 −22

Original line number	Diff line number	Diff line
		@@ -3397,7 +3397,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		maybeMigratePoliciesPostUpgradeToDevicePolicyEngineLocked();
		migratePoliciesToPolicyEngineLocked();

		}
		maybeStartSecurityLogMonitorOnActivityManagerReady();
		break;
		@@ -13179,21 +13178,42 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		CallerIdentity caller, EnforcingAdmin admin, String key, boolean enabled,
		boolean parent) {
		synchronized (getLockObject()) {

		int ownerType;
		if (isDeviceOwner(caller)) {
		ownerType = OWNER_TYPE_DEVICE_OWNER;
		} else if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
		ownerType = OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
		} else if (isProfileOwner(caller)) {
		ownerType = OWNER_TYPE_PROFILE_OWNER;
		} else {
		throw new IllegalStateException("Non-DO/Non-PO cannot set restriction " + key
		+ " while targetSdkVersion is less than UPSIDE_DOWN_CAKE");
		}
		setBackwardCompatibleUserRestrictionLocked(ownerType, admin, caller.getUserId(), key,
		enabled, parent);
		}
		}

		private void setBackwardCompatibleUserRestrictionLocked(
		int ownerType, EnforcingAdmin admin, int userId, String key, boolean enabled,
		boolean parent) {
		if (ownerType == OWNER_TYPE_DEVICE_OWNER) {
		if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_DEVICE_OWNER, key)) {
		setGlobalUserRestrictionInternal(admin, key, enabled);
		} else {
		setLocalUserRestrictionInternal(admin, key, enabled, caller.getUserId());
		setLocalUserRestrictionInternal(admin, key, enabled, userId);
		}
		} else if (isProfileOwner(caller)) {
		} else if (ownerType == OWNER_TYPE_PROFILE_OWNER
		\|\| ownerType == OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE) {
		if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_PROFILE_OWNER, key)
		\|\| (parent && isProfileOwnerOfOrganizationOwnedDevice(caller)
		\|\| (parent && ownerType == OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE
		&& UserRestrictionsUtils.isGlobal(
		OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, key))) {
		setGlobalUserRestrictionInternal(admin, key, enabled);
		} else {
		int affectedUserId = parent
		? getProfileParentId(caller.getUserId()) : caller.getUserId();
		? getProfileParentId(userId) : userId;
		setLocalUserRestrictionInternal(admin, key, enabled, affectedUserId);
		}
		} else {
		@@ -13201,7 +13221,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		+ " while targetSdkVersion is less than UPSIDE_DOWN_CAKE");
		}
		}
		}

		@Override
		public void setUserRestrictionGlobally(String callerPackage, String key) {
		@@ -23734,6 +23753,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Preconditions.checkCallAuthorization(
		hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
		return mInjector.binderWithCleanCallingIdentity(() -> {
		synchronized (getLockObject()) {
		boolean canForceMigration = forceMigration && !hasNonTestOnlyActiveAdmins();
		if (!canForceMigration && !shouldMigrateV1ToDevicePolicyEngine()) {
		return false;
		@@ -23741,6 +23761,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean migrated = migrateV1PoliciesToDevicePolicyEngine();
		migrated &= migratePoliciesPostUpgradeToDevicePolicyEngineLocked();
		return migrated;
		}
		});
		}

		@@ -23784,6 +23805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		try {
		migrateScreenCapturePolicyLocked();
		migrateLockTaskPolicyLocked();
		migrateUserRestrictionsLocked();
		return true;
		} catch (Exception e) {
		Slogf.e(LOG_TAG, e, "Error occurred during post upgrade migration to the device "
		@@ -24053,6 +24075,42 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		});
		}

		private void migrateUserRestrictionsLocked() {
		Binder.withCleanCallingIdentity(() -> {
		List<UserInfo> users = mUserManager.getUsers();
		for (UserInfo userInfo : users) {
		ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(userInfo.id);
		if (admin == null) continue;
		ComponentName adminComponent = admin.info.getComponent();
		int userId = userInfo.id;
		EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
		adminComponent,
		userId,
		admin);
		int ownerType;
		if (isDeviceOwner(admin)) {
		ownerType = OWNER_TYPE_DEVICE_OWNER;
		} else if (isProfileOwnerOfOrganizationOwnedDevice(adminComponent, userId)) {
		ownerType = OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
		} else if (isProfileOwner(adminComponent, userId)) {
		ownerType = OWNER_TYPE_PROFILE_OWNER;
		} else {
		throw new IllegalStateException("Invalid DO/PO state");
		}

		for (final String restriction : admin.ensureUserRestrictions().keySet()) {
		setBackwardCompatibleUserRestrictionLocked(ownerType, enforcingAdmin, userId,
		restriction, /* enabled / true, / parent */ false);
		}
		for (final String restriction : admin.getParentActiveAdmin()
		.ensureUserRestrictions().keySet()) {
		setBackwardCompatibleUserRestrictionLocked(ownerType, enforcingAdmin, userId,
		restriction, /* enabled / true, / parent */ true);
		}
		}
		});
		}

		private List<PackageInfo> getInstalledPackagesOnUser(int userId) {
		return mInjector.binderWithCleanCallingIdentity(() ->
		mContext.getPackageManager().getInstalledPackagesAsUser(