Merge "Enable unicorn APIs" into udc-dev am: a8b0dcfaef (ce15af46) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+38 −38

Original line number	Diff line number	Diff line
		@@ -6038,7 +6038,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		@Override
		public void lockNow(int flags, String callerPackageName, boolean parent) {
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(callerPackageName);
		} else {
		caller = getCallerIdentity();
		@@ -6050,7 +6050,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		ActiveAdmin admin;
		// Make sure the caller has any active admin with the right policy or
		// the required permission.
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		admin = enforcePermissionAndGetEnforcingAdmin(
		/* admin= */ null,
		/* permission= */ MANAGE_DEVICE_POLICY_LOCK,
		@@ -8901,13 +8901,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		enforcePermission(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		@@ -8935,13 +8935,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		Objects.requireNonNull(who, "ComponentName is null");
		@@ -8970,7 +8970,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		@@ -9010,13 +9010,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		@@ -9319,7 +9319,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		@@ -9329,7 +9329,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final int userHandle = caller.getUserId();
		int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
		synchronized (getLockObject()) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES
		EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
		who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(),
		@@ -9408,7 +9408,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		synchronized (getLockObject()) {
		if (who != null) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(
		who, who.getPackageName());
		Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		@@ -9422,7 +9422,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		Integer features = mDevicePolicyEngine.getResolvedPolicy(
		PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
		affectedUserId);
		@@ -11617,7 +11617,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);
		checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_APPLICATION_RESTRICTIONS);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
		@@ -12993,7 +12993,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		String packageName) {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
		@@ -13063,7 +13063,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);
		ActiveAdmin admin;

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_PACKAGE_STATE,
		@@ -13160,7 +13160,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public boolean isPackageSuspended(ComponentName who, String callerPackage, String packageName) {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcePermission(
		MANAGE_DEVICE_POLICY_PACKAGE_STATE,
		caller.getPackageName(),
		@@ -13766,7 +13766,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean hidden, boolean parent) {
		CallerIdentity caller = getCallerIdentity(who, callerPackage);
		final int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this
		enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId);
		} else {
		@@ -13785,7 +13785,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean result;
		synchronized (getLockObject()) {
		if (parent) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(
		caller.getUserId()) && isManagedProfile(caller.getUserId()));
		@@ -13802,7 +13802,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Slogf.v(LOG_TAG, "calling pm.setApplicationHiddenSettingAsUser(%s, %b, %d)",
		packageName, hidden, userId);
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, callerPackage);
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.APPLICATION_HIDDEN(packageName),
		@@ -13841,7 +13841,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		String packageName, boolean parent) {
		CallerIdentity caller = getCallerIdentity(who, callerPackage);
		int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// TODO: Also support DELEGATION_PACKAGE_ACCESS
		enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId);
		} else {
		@@ -13853,7 +13853,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		synchronized (getLockObject()) {
		if (parent) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())
		&& isManagedProfile(caller.getUserId()));
		@@ -14042,13 +14042,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}
		synchronized (getLockObject()) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		int affectedUser = getAffectedUser(parent);
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		@@ -14111,7 +14111,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		CallerIdentity caller;
		Preconditions.checkArgumentNonnegative(userId, "Invalid userId");
		final ArraySet<String> resultSet = new ArraySet<>();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		int affectedUser = parent ? getProfileParentId(userId) : userId;
		caller = getCallerIdentity(callerPackageName);
		if (!hasPermission(MANAGE_DEVICE_POLICY_ACCOUNT_MANAGEMENT,
		@@ -15462,12 +15462,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public boolean setStatusBarDisabled(ComponentName who, String callerPackageName,
		boolean disabled) {
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcePermission(MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(),
		UserHandle.USER_ALL);
		} else {
		@@ -15478,7 +15478,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		int userId = caller.getUserId();
		synchronized (getLockObject()) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
		"Admin " + who + " is neither the device owner or affiliated "
		+ "user's profile owner.");
		@@ -15537,7 +15537,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		@Override
		public boolean isStatusBarDisabled(String callerPackage) {
		final CallerIdentity caller = getCallerIdentity(callerPackage);
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(
		MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(), caller.getUserId());
		} else {
		@@ -15547,7 +15547,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		int userId = caller.getUserId();
		synchronized (getLockObject()) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
		"Admin " + callerPackage
		+ " is neither the device owner or affiliated user's profile owner.");
		@@ -16684,7 +16684,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		}
		EnforcingAdmin enforcingAdmin;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
		@@ -16855,7 +16855,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public int getPermissionGrantState(ComponentName admin, String callerPackage,
		String packageName, String permission) throws RemoteException {
		final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, caller.getPackageName(),
		caller.getUserId());
		} else {
		@@ -18986,14 +18986,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		throw new IllegalArgumentException("token must be at least 32-byte long");
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		}
		final int userId = caller.getUserId();

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,
		@@ -19049,7 +19049,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		@@ -19057,7 +19057,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final int userId = caller.getUserId();
		boolean result = false;

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,
		@@ -19096,14 +19096,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		}
		int userId = caller.getUserId();

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+13 −0

Original line number	Diff line number	Diff line
		@@ -1511,6 +1511,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		* Validates that when the device owner is removed, the reset password token is cleared
		*/
		@Test
		@Ignore("b/277916462")
		public void testClearDeviceOwner_clearResetPasswordToken() throws Exception {
		mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
		mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
		@@ -2601,6 +2602,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetApplicationHiddenWithDO() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -2626,6 +2628,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetApplicationHiddenWithPOOfOrganizationOwnedDevice() throws Exception {
		final int MANAGED_PROFILE_USER_ID = CALLER_USER_HANDLE;
		final int MANAGED_PROFILE_ADMIN_UID =
		@@ -4372,6 +4375,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledModifiesSetting() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -4383,6 +4387,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledWithPOOnUser0() throws Exception {
		mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
		setupProfileOwnerOnUser0();
		@@ -4394,6 +4399,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledFailWithPONotOnUser0() throws Exception {
		setupProfileOwner();
		assertExpectException(SecurityException.class, null,
		@@ -4403,6 +4409,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledWithPOOfOrganizationOwnedDevice() throws Exception {
		setupProfileOwner();
		configureProfileOwnerOfOrgOwnedDevice(admin1, CALLER_USER_HANDLE);
		@@ -5376,6 +5383,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testResetPasswordWithToken() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -5410,6 +5418,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void resetPasswordWithToken_NumericPin() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -5430,6 +5439,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void resetPasswordWithToken_EmptyPassword() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -7250,6 +7260,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testCanProfileOwnerResetPasswordWhenLocked() throws Exception {
		setDeviceEncryptionPerUser();
		setupProfileOwner();
		@@ -7313,6 +7324,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAccountTypesWithManagementDisabledOnManagedProfile() throws Exception {
		setupProfileOwner();

		@@ -7332,6 +7344,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAccountTypesWithManagementDisabledOnOrgOwnedManagedProfile()
		throws Exception {
		mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS);