Move DO protected packages to ActiveAdmin (ca761783) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java

+20 −3

Original line number	Diff line number	Diff line
		@@ -157,13 +157,14 @@ class ActiveAdmin {
		private static final String TAG_SSID_ALLOWLIST = "ssid-allowlist";
		private static final String TAG_SSID_DENYLIST = "ssid-denylist";
		private static final String TAG_SSID = "ssid";
		private static final String ATTR_VALUE = "value";
		private static final String ATTR_LAST_NETWORK_LOGGING_NOTIFICATION = "last-notification";
		private static final String ATTR_NUM_NETWORK_LOGGING_NOTIFICATIONS = "num-notifications";
		private static final String TAG_PREFERENTIAL_NETWORK_SERVICE_CONFIGS =
		"preferential_network_service_configs";
		private static final String TAG_PREFERENTIAL_NETWORK_SERVICE_CONFIG =
		"preferential_network_service_config";
		private static final String TAG_PROTECTED_PACKAGES = "protected_packages";
		private static final String ATTR_VALUE = "value";
		private static final String ATTR_LAST_NETWORK_LOGGING_NOTIFICATION = "last-notification";
		private static final String ATTR_NUM_NETWORK_LOGGING_NOTIFICATIONS = "num-notifications";

		DeviceAdminInfo info;

		@@ -253,6 +254,9 @@ class ActiveAdmin {
		// List of package names to keep cached.
		List<String> keepUninstalledPackages;

		// List of packages for which the user cannot invoke "clear data" or "force stop".
		List<String> protectedPackages;

		// Wi-Fi SSID restriction policy.
		WifiSsidPolicy mWifiSsidPolicy;

		@@ -505,6 +509,7 @@ class ActiveAdmin {
		permittedNotificationListeners);
		writePackageListToXml(out, TAG_KEEP_UNINSTALLED_PACKAGES, keepUninstalledPackages);
		writePackageListToXml(out, TAG_METERED_DATA_DISABLED_PACKAGES, meteredDisabledPackages);
		writePackageListToXml(out, TAG_PROTECTED_PACKAGES, protectedPackages);
		if (hasUserRestrictions()) {
		UserRestrictionsUtils.writeRestrictions(
		out, userRestrictions, TAG_USER_RESTRICTIONS);
		@@ -771,6 +776,8 @@ class ActiveAdmin {
		keepUninstalledPackages = readPackageList(parser, tag);
		} else if (TAG_METERED_DATA_DISABLED_PACKAGES.equals(tag)) {
		meteredDisabledPackages = readPackageList(parser, tag);
		} else if (TAG_PROTECTED_PACKAGES.equals(tag)) {
		protectedPackages = readPackageList(parser, tag);
		} else if (TAG_USER_RESTRICTIONS.equals(tag)) {
		userRestrictions = UserRestrictionsUtils.readRestrictions(parser);
		} else if (TAG_DEFAULT_ENABLED_USER_RESTRICTIONS.equals(tag)) {
		@@ -1210,6 +1217,16 @@ class ActiveAdmin {
		pw.println(keepUninstalledPackages);
		}

		if (meteredDisabledPackages != null) {
		pw.print("meteredDisabledPackages=");
		pw.println(meteredDisabledPackages);
		}

		if (protectedPackages != null) {
		pw.print("protectedPackages=");
		pw.println(protectedPackages);
		}

		pw.print("organizationColor=");
		pw.println(organizationColor);

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyData.java

+13 −15

Original line number	Diff line number	Diff line
		@@ -17,6 +17,7 @@
		package com.android.server.devicepolicy;

		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.annotation.UserIdInt;
		import android.app.admin.DeviceAdminInfo;
		import android.app.admin.DevicePolicyManager;
		@@ -129,8 +130,10 @@ class DevicePolicyData {
		// This is the list of component allowed to start lock task mode.
		List<String> mLockTaskPackages = new ArrayList<>();

		// List of packages protected by device owner
		List<String> mUserControlDisabledPackages = new ArrayList<>();
		/** @deprecated moved to {@link ActiveAdmin#protectedPackages}. */
		@Deprecated
		@Nullable
		List<String> mUserControlDisabledPackages;

		// Bitfield of feature flags to be enabled during LockTask mode.
		// We default on the power button menu, in order to be consistent with pre-P behaviour.
		@@ -364,13 +367,6 @@ class DevicePolicyData {
		out.endTag(null, TAG_OWNER_INSTALLED_CA_CERT);
		}

		for (int i = 0, size = policyData.mUserControlDisabledPackages.size(); i < size; i++) {
		String packageName = policyData.mUserControlDisabledPackages.get(i);
		out.startTag(null, TAG_PROTECTED_PACKAGES);
		out.attribute(null, ATTR_NAME, packageName);
		out.endTag(null, TAG_PROTECTED_PACKAGES);
		}

		if (policyData.mAppsSuspended) {
		out.startTag(null, TAG_APPS_SUSPENDED);
		out.attributeBoolean(null, ATTR_VALUE, policyData.mAppsSuspended);
		@@ -473,7 +469,7 @@ class DevicePolicyData {
		policy.mAdminMap.clear();
		policy.mAffiliationIds.clear();
		policy.mOwnerInstalledCaCerts.clear();
		policy.mUserControlDisabledPackages.clear();
		policy.mUserControlDisabledPackages = null;
		while ((type = parser.next()) != XmlPullParser.END_DOCUMENT
		&& (type != XmlPullParser.END_TAG \|\| parser.getDepth() > outerDepth)) {
		if (type == XmlPullParser.END_TAG \|\| type == XmlPullParser.TEXT) {
		@@ -561,15 +557,19 @@ class DevicePolicyData {
		policy.mCurrentInputMethodSet = true;
		} else if (TAG_OWNER_INSTALLED_CA_CERT.equals(tag)) {
		policy.mOwnerInstalledCaCerts.add(parser.getAttributeValue(null, ATTR_ALIAS));
		} else if (TAG_PROTECTED_PACKAGES.equals(tag)) {
		policy.mUserControlDisabledPackages.add(
		parser.getAttributeValue(null, ATTR_NAME));
		} else if (TAG_APPS_SUSPENDED.equals(tag)) {
		policy.mAppsSuspended =
		parser.getAttributeBoolean(null, ATTR_VALUE, false);
		} else if (TAG_BYPASS_ROLE_QUALIFICATIONS.equals(tag)) {
		policy.mBypassDevicePolicyManagementRoleQualifications = true;
		policy.mCurrentRoleHolder = parser.getAttributeValue(null, ATTR_VALUE);
		// Deprecated tags below
		} else if (TAG_PROTECTED_PACKAGES.equals(tag)) {
		if (policy.mUserControlDisabledPackages == null) {
		policy.mUserControlDisabledPackages = new ArrayList<>();
		}
		policy.mUserControlDisabledPackages.add(
		parser.getAttributeValue(null, ATTR_NAME));
		} else {
		Slogf.w(TAG, "Unknown tag: %s", tag);
		XmlUtils.skipCurrentTag(parser);
		@@ -674,8 +674,6 @@ class DevicePolicyData {
		pw.increaseIndent();
		pw.print("mPasswordOwner="); pw.println(mPasswordOwner);
		pw.print("mPasswordTokenHandle="); pw.println(Long.toHexString(mPasswordTokenHandle));
		pw.print("mUserControlDisabledPackages=");
		pw.println(mUserControlDisabledPackages);
		pw.print("mAppsSuspended="); pw.println(mAppsSuspended);
		pw.print("mUserSetupComplete="); pw.println(mUserSetupComplete);
		pw.print("mAffiliationIds="); pw.println(mAffiliationIds);

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+35 −36

Original line number	Diff line number	Diff line
		@@ -536,7 +536,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		// to decide whether an existing policy in the {@link #DEVICE_POLICIES_XML} needs to
		// be upgraded. See {@link PolicyVersionUpgrader} on instructions how to add an upgrade
		// step.
		static final int DPMS_VERSION = 2;
		static final int DPMS_VERSION = 3;

		static {
		SECURE_SETTINGS_ALLOWLIST = new ArraySet<>();
		@@ -1908,38 +1908,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		if (userHandle == UserHandle.USER_SYSTEM) {
		mStateCache.setDeviceProvisioned(policy.mUserSetupComplete);
		}

		migrateDeviceOwnerProtectedPackagesToOwners(userHandle, policy);
		}
		return policy;
		}
		}

		/**
		* Only used by {@link #getUserData(int)} to migrate <b>existing</b> device owner protected
		* packages that were stored in {@link DevicePolicyData#mUserControlDisabledPackages} to
		* {@link Owners} because the device owner protected packages are now stored on a per device
		* owner basis instead of on a per user basis.
		*
		* Any calls to {@link #setUserControlDisabledPackages(ComponentName, List)} would now store
		* the device owner protected packages in {@link Owners} instead of {@link DevicePolicyData}.
		* @param userHandle The device owner user
		* @param policy The policy data of the device owner user
		*/
		private void migrateDeviceOwnerProtectedPackagesToOwners(
		int userHandle, DevicePolicyData policy) {
		ComponentName deviceOwnerComponent = getOwnerComponent(userHandle);
		if (isDeviceOwner(deviceOwnerComponent, userHandle)
		&& !policy.mUserControlDisabledPackages.isEmpty()) {
		mOwners.setDeviceOwnerProtectedPackages(
		deviceOwnerComponent.getPackageName(),
		policy.mUserControlDisabledPackages);

		policy.mUserControlDisabledPackages = new ArrayList<>();
		saveSettingsLocked(userHandle);
		}
		}

		/**
		* Creates and loads the policy data from xml for data that is shared between
		* various profiles of a user. In contrast to {@link #getUserData(int)}
		@@ -3182,6 +3155,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		void handleStartUser(int userId) {
		synchronized (getLockObject()) {
		pushScreenCapturePolicy(userId);
		pushUserControlDisabledPackagesLocked(userId);
		}
		pushUserRestrictions(userId);
		// When system user is started (device boot), load cache for all users.
		@@ -3204,6 +3178,20 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		startOwnerService(userId, "start-user");
		}

		// TODO(b/218639412): Once PM stores these on a per-user basis, push even empty lists to handle
		// DO/PO removal correctly.
		void pushUserControlDisabledPackagesLocked(int userId) {
		if (userId != mOwners.getDeviceOwnerUserId()) {
		return;
		}
		ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		if (deviceOwner == null \|\| deviceOwner.protectedPackages == null) {
		return;
		}
		mInjector.getPackageManagerInternal().setDeviceOwnerProtectedPackages(
		deviceOwner.info.getPackageName(), deviceOwner.protectedPackages);
		}

		@Override
		void handleUnlockUser(int userId) {
		startOwnerService(userId, "unlock-user");
		@@ -8795,6 +8783,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		setNetworkLoggingActiveInternal(false);
		deleteTransferOwnershipBundleLocked(userId);
		toggleBackupServiceActive(UserHandle.USER_SYSTEM, true);
		pushUserControlDisabledPackagesLocked(userId);
		}

		private void clearApplicationRestrictions(int userId) {
		@@ -8979,7 +8968,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		policy.mLockTaskPackages.clear();
		updateLockTaskPackagesLocked(policy.mLockTaskPackages, userId);
		policy.mLockTaskFeatures = DevicePolicyManager.LOCK_TASK_FEATURE_NONE;
		policy.mUserControlDisabledPackages.clear();
		saveSettingsLocked(userId);

		try {
		@@ -16976,14 +16964,23 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		DevicePolicyManager.OPERATION_SET_USER_CONTROL_DISABLED_PACKAGES);

		synchronized (getLockObject()) {
		mOwners.setDeviceOwnerProtectedPackages(who.getPackageName(), packages);
		ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		if (!Objects.equals(deviceOwner.protectedPackages, packages)) {
		deviceOwner.protectedPackages = packages.isEmpty() ? null : packages;
		saveSettingsLocked(caller.getUserId());
		}
		}

		mInjector.binderWithCleanCallingIdentity(
		() -> mInjector.getPackageManagerInternal().setDeviceOwnerProtectedPackages(
		who.getPackageName(), packages));

		DevicePolicyEventLogger
		.createEvent(DevicePolicyEnums.SET_USER_CONTROL_DISABLED_PACKAGES)
		.setAdmin(who)
		.setStrings(packages.toArray(new String[packages.size()]))
		.write();
		}
		}

		@Override
		public List<String> getUserControlDisabledPackages(ComponentName who) {
		@@ -16994,7 +16991,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		isDefaultDeviceOwner(caller) \|\| isFinancedDeviceOwner(caller));

		synchronized (getLockObject()) {
		return mOwners.getDeviceOwnerProtectedPackages(who.getPackageName());
		ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		return deviceOwner.protectedPackages != null
		? deviceOwner.protectedPackages : Collections.emptyList();
		}
		}

services/devicepolicy/java/com/android/server/devicepolicy/Owners.java

+0 −52

Original line number	Diff line number	Diff line
		@@ -31,7 +31,6 @@ import android.os.Binder;
		import android.os.Process;
		import android.os.UserHandle;
		import android.os.UserManager;
		import android.util.ArrayMap;
		import android.util.ArraySet;
		import android.util.IndentingPrintWriter;
		import android.util.Pair;
		@@ -49,7 +48,6 @@ import com.android.server.wm.ActivityTaskManagerInternal;
		import java.io.File;
		import java.time.LocalDate;
		import java.util.ArrayList;
		import java.util.Collections;
		import java.util.List;
		import java.util.Objects;
		import java.util.Set;
		@@ -108,12 +106,6 @@ class Owners {

		notifyChangeLocked();
		pushToActivityTaskManagerLocked();

		for (ArrayMap.Entry<String, List<String>> entry :
		mData.mDeviceOwnerProtectedPackages.entrySet()) {
		mPackageManagerInternal.setDeviceOwnerProtectedPackages(
		entry.getKey(), entry.getValue());
		}
		}
		}

		@@ -247,12 +239,6 @@ class Owners {
		void clearDeviceOwner() {
		synchronized (mData) {
		mData.mDeviceOwnerTypes.remove(mData.mDeviceOwner.packageName);
		List<String> protectedPackages =
		mData.mDeviceOwnerProtectedPackages.remove(mData.mDeviceOwner.packageName);
		if (protectedPackages != null) {
		mPackageManagerInternal.setDeviceOwnerProtectedPackages(
		mData.mDeviceOwner.packageName, new ArrayList<>());
		}
		mData.mDeviceOwner = null;
		mData.mDeviceOwnerUserId = UserHandle.USER_NULL;

		@@ -296,12 +282,6 @@ class Owners {
		synchronized (mData) {
		Integer previousDeviceOwnerType = mData.mDeviceOwnerTypes.remove(
		mData.mDeviceOwner.packageName);
		List<String> previousProtectedPackages =
		mData.mDeviceOwnerProtectedPackages.remove(mData.mDeviceOwner.packageName);
		if (previousProtectedPackages != null) {
		mPackageManagerInternal.setDeviceOwnerProtectedPackages(
		mData.mDeviceOwner.packageName, new ArrayList<>());
		}
		// We don't set a name because it's not used anyway.
		// See DevicePolicyManagerService#getDeviceOwnerName
		mData.mDeviceOwner = new OwnerInfo(null, target,
		@@ -313,10 +293,6 @@ class Owners {
		mData.mDeviceOwnerTypes.put(
		mData.mDeviceOwner.packageName, previousDeviceOwnerType);
		}
		if (previousProtectedPackages != null) {
		mData.mDeviceOwnerProtectedPackages.put(
		mData.mDeviceOwner.packageName, previousProtectedPackages);
		}
		notifyChangeLocked();
		pushToActivityTaskManagerLocked();
		}
		@@ -504,34 +480,6 @@ class Owners {
		}
		}

		void setDeviceOwnerProtectedPackages(String packageName, List<String> protectedPackages) {
		synchronized (mData) {
		if (!hasDeviceOwner()) {
		Slog.e(TAG,
		"Attempting to set device owner protected packages when there is no "
		+ "device owner");
		return;
		} else if (!mData.mDeviceOwner.packageName.equals(packageName)) {
		Slog.e(TAG, "Attempting to set device owner protected packages when the provided "
		+ "package name " + packageName
		+ " does not match the device owner package name");
		return;
		}

		mData.mDeviceOwnerProtectedPackages.put(packageName, protectedPackages);
		mPackageManagerInternal.setDeviceOwnerProtectedPackages(packageName, protectedPackages);
		writeDeviceOwner();
		}
		}

		List<String> getDeviceOwnerProtectedPackages(String packageName) {
		synchronized (mData) {
		return mData.mDeviceOwnerProtectedPackages.containsKey(packageName)
		? mData.mDeviceOwnerProtectedPackages.get(packageName)
		: Collections.emptyList();
		}
		}

		void writeDeviceOwner() {
		synchronized (mData) {
		pushToDevicePolicyManager();

services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java

+8 −17

Original line number	Diff line number	Diff line
		@@ -91,8 +91,10 @@ class OwnersData {
		// Device owner type for a managed device.
		final ArrayMap<String, Integer> mDeviceOwnerTypes = new ArrayMap<>();

		final ArrayMap<String, List<String>> mDeviceOwnerProtectedPackages = new ArrayMap<>();

		/** @deprecated moved to {@link ActiveAdmin#protectedPackages}. */
		@Deprecated
		@Nullable
		ArrayMap<String, List<String>> mDeviceOwnerProtectedPackages;

		// Internal state for the profile owner packages.
		final ArrayMap<Integer, OwnerInfo> mProfileOwners = new ArrayMap<>();
		@@ -366,21 +368,6 @@ class OwnersData {
		}
		}

		if (!mDeviceOwnerProtectedPackages.isEmpty()) {
		for (ArrayMap.Entry<String, List<String>> entry :
		mDeviceOwnerProtectedPackages.entrySet()) {
		List<String> protectedPackages = entry.getValue();

		out.startTag(null, TAG_DEVICE_OWNER_PROTECTED_PACKAGES);
		out.attribute(null, ATTR_PACKAGE, entry.getKey());
		out.attributeInt(null, ATTR_SIZE, protectedPackages.size());
		for (int i = 0, size = protectedPackages.size(); i < size; i++) {
		out.attribute(null, ATTR_NAME + i, protectedPackages.get(i));
		}
		out.endTag(null, TAG_DEVICE_OWNER_PROTECTED_PACKAGES);
		}
		}

		if (mSystemUpdatePolicy != null) {
		out.startTag(null, TAG_SYSTEM_UPDATE_POLICY);
		mSystemUpdatePolicy.saveToXml(out);
		@@ -444,6 +431,7 @@ class OwnersData {
		null, ATTR_DEVICE_OWNER_TYPE_VALUE, DEVICE_OWNER_TYPE_DEFAULT);
		mDeviceOwnerTypes.put(packageName, deviceOwnerType);
		break;
		// Deprecated fields below.
		case TAG_DEVICE_OWNER_PROTECTED_PACKAGES:
		packageName = parser.getAttributeValue(null, ATTR_PACKAGE);
		int protectedPackagesSize = parser.getAttributeInt(null, ATTR_SIZE, 0);
		@@ -451,6 +439,9 @@ class OwnersData {
		for (int i = 0; i < protectedPackagesSize; i++) {
		protectedPackages.add(parser.getAttributeValue(null, ATTR_NAME + i));
		}
		if (mDeviceOwnerProtectedPackages == null) {
		mDeviceOwnerProtectedPackages = new ArrayMap<>();
		}
		mDeviceOwnerProtectedPackages.put(packageName, protectedPackages);
		break;
		default: