Remove default Device Owner restrictions (ce273df3) · Commits · e / os / android_frameworks_base

api/current.txt

+2 −2

Original line number	Diff line number	Diff line
		@@ -35753,7 +35753,7 @@ package android.os {
		method @Deprecated public void setUserRestrictions(android.os.Bundle, android.os.UserHandle);
		method public static boolean supportsMultipleUsers();
		field public static final String ALLOW_PARENT_PROFILE_APP_LINKING = "allow_parent_profile_app_linking";
		field public static final String DISALLOW_ADD_MANAGED_PROFILE = "no_add_managed_profile";
		field @Deprecated public static final String DISALLOW_ADD_MANAGED_PROFILE = "no_add_managed_profile";
		field public static final String DISALLOW_ADD_USER = "no_add_user";
		field public static final String DISALLOW_ADJUST_VOLUME = "no_adjust_volume";
		field public static final String DISALLOW_AIRPLANE_MODE = "no_airplane_mode";
		@@ -35792,7 +35792,7 @@ package android.os {
		field public static final String DISALLOW_OUTGOING_BEAM = "no_outgoing_beam";
		field public static final String DISALLOW_OUTGOING_CALLS = "no_outgoing_calls";
		field public static final String DISALLOW_PRINTING = "no_printing";
		field public static final String DISALLOW_REMOVE_MANAGED_PROFILE = "no_remove_managed_profile";
		field @Deprecated public static final String DISALLOW_REMOVE_MANAGED_PROFILE = "no_remove_managed_profile";
		field public static final String DISALLOW_REMOVE_USER = "no_remove_user";
		field public static final String DISALLOW_SAFE_BOOT = "no_safe_boot";
		field public static final String DISALLOW_SET_USER_ICON = "no_set_user_icon";

core/java/android/os/UserManager.java

+10 −0

Original line number	Diff line number	Diff line
		@@ -442,7 +442,13 @@ public class UserManager {
		* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
		* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
		* @see #getUserRestrictions()
		* @deprecated As the ability to have a managed profile on a fully-managed device has been
		* removed from the platform, this restriction will be silently ignored when applied by the
		* device owner.
		* When the device is provisioned with a managed profile on an organization-owned device,
		* the managed profile could not be removed anyway.
		*/
		@Deprecated
		public static final String DISALLOW_REMOVE_MANAGED_PROFILE = "no_remove_managed_profile";

		/**
		@@ -589,7 +595,11 @@ public class UserManager {
		* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
		* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
		* @see #getUserRestrictions()
		* @deprecated As the ability to have a managed profile on a fully-managed device has been
		* removed from the platform, this restriction will be silently ignored when applied by the
		* device owner.
		*/
		@Deprecated
		public static final String DISALLOW_ADD_MANAGED_PROFILE = "no_add_managed_profile";

		/**

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+0 −15

Original line number	Diff line number	Diff line
		@@ -207,13 +207,6 @@ public class UserRestrictionsUtils {
		UserManager.DISALLOW_CAMERA
		);

		/**
		* User restrictions that default to {@code true} for device owners.
		*/
		private static final Set<String> DEFAULT_ENABLED_FOR_DEVICE_OWNERS = Sets.newArraySet(
		UserManager.DISALLOW_ADD_MANAGED_PROFILE
		);

		/**
		* User restrictions that default to {@code true} for managed profile owners.
		*
		@@ -417,14 +410,6 @@ public class UserRestrictionsUtils {
		return PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(restriction);
		}

		/**
		* Returns the user restrictions that default to {@code true} for device owners.
		* These user restrictions are local, though. ie only for the device owner's user id.
		*/
		public static @NonNull Set<String> getDefaultEnabledForDeviceOwner() {
		return DEFAULT_ENABLED_FOR_DEVICE_OWNERS;
		}

		/**
		* Returns the user restrictions that default to {@code true} for managed profile owners.
		*/

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+12 −24

Original line number	Diff line number	Diff line
		@@ -430,6 +430,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		private static final Set<String> GLOBAL_SETTINGS_DEPRECATED;
		private static final Set<String> SYSTEM_SETTINGS_WHITELIST;
		private static final Set<Integer> DA_DISALLOWED_POLICIES;
		// A collection of user restrictions that are deprecated and should simply be ignored.
		private static final Set<String> DEPRECATED_USER_RESTRICTIONS;
		private static final String AB_DEVICE_KEY = "ro.build.ab_update";

		static {
		@@ -471,6 +473,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		DA_DISALLOWED_POLICIES.add(DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES);
		DA_DISALLOWED_POLICIES.add(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD);
		DA_DISALLOWED_POLICIES.add(DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);

		DEPRECATED_USER_RESTRICTIONS = Sets.newHashSet(
		UserManager.DISALLOW_ADD_MANAGED_PROFILE,
		UserManager.DISALLOW_REMOVE_MANAGED_PROFILE);
		}

		/**
		@@ -2400,7 +2406,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		setDeviceOwnerSystemPropertyLocked();
		findOwnerComponentIfNecessaryLocked();
		migrateUserRestrictionsIfNecessaryLocked();
		maybeSetDefaultDeviceOwnerUserRestrictionsLocked();

		// TODO PO may not have a class name either due to b/17652534. Address that too.

		@@ -2408,15 +2413,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		}

		/** Apply default restrictions that haven't been applied to device owners yet. */
		private void maybeSetDefaultDeviceOwnerUserRestrictionsLocked() {
		final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		if (deviceOwner != null) {
		maybeSetDefaultRestrictionsForAdminLocked(mOwners.getDeviceOwnerUserId(),
		deviceOwner, UserRestrictionsUtils.getDefaultEnabledForDeviceOwner());
		}
		}

		/** Apply default restrictions that haven't been applied to profile owners yet. */
		private void maybeSetDefaultProfileOwnerUserRestrictions() {
		synchronized (getLockObject()) {
		@@ -8030,18 +8026,6 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		updateDeviceOwnerLocked();
		setDeviceOwnerSystemPropertyLocked();

		final Set<String> restrictions =
		UserRestrictionsUtils.getDefaultEnabledForDeviceOwner();
		if (!restrictions.isEmpty()) {
		for (String restriction : restrictions) {
		activeAdmin.ensureUserRestrictions().putBoolean(restriction, true);
		}
		activeAdmin.defaultEnabledRestrictionsAlreadySet.addAll(restrictions);
		Slog.i(LOG_TAG, "Enabled the following restrictions by default: " + restrictions);

		saveUserRestrictionsLocked(userId, /* parent = */ false);
		}

		long ident = mInjector.binderClearCallingIdentity();
		try {
		// TODO Send to system too?
		@@ -10384,8 +10368,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		if (deviceOwner == null) {
		return; // Shouldn't happen.
		}
		userRestrictions = deviceOwner.userRestrictions;
		addOrRemoveDisableCameraRestriction(userRestrictions, deviceOwner);
		userRestrictions = addOrRemoveDisableCameraRestriction(
		deviceOwner.userRestrictions, deviceOwner);
		restrictionOwnerType = UserManagerInternal.OWNER_TYPE_DEVICE_OWNER;
		originatingUserId = deviceOwner.getUserHandle().getIdentifier();
		} else {
		@@ -10419,6 +10403,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		userRestrictions, userId);
		}
		}
		// Remove deprecated restrictions.
		for (String deprecatedRestriction: DEPRECATED_USER_RESTRICTIONS) {
		userRestrictions.remove(deprecatedRestriction);
		}
		mUserManagerInternal.setDevicePolicyUserRestrictions(originatingUserId,
		userRestrictions, restrictionOwnerType);
		}

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+2 −89

Original line number	Diff line number	Diff line
		@@ -100,7 +100,6 @@ import com.android.internal.widget.LockscreenCredential;
		import com.android.server.LocalServices;
		import com.android.server.SystemService;
		import com.android.server.devicepolicy.DevicePolicyManagerService.RestrictionsListener;
		import com.android.server.pm.UserRestrictionsUtils;

		import org.hamcrest.BaseMatcher;
		import org.hamcrest.Description;
		@@ -1163,7 +1162,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {

		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		eq(null),
		MockUtils.checkUserRestrictions(),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));

		verify(getServices().usageStatsManagerInternal).setActiveAdminApps(
		@@ -1719,28 +1718,6 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
		UserHandle.USER_SYSTEM));

		// Check that the user restrictions that are enabled by default are set. Then unset them.
		final String[] defaultRestrictions = UserRestrictionsUtils
		.getDefaultEnabledForDeviceOwner().toArray(new String[0]);
		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(defaultRestrictions),
		dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
		);
		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(defaultRestrictions),
		dpm.getUserRestrictions(admin1)
		);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(defaultRestrictions),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);

		for (String restriction : defaultRestrictions) {
		dpm.clearUserRestriction(admin1, restriction);
		}

		assertNoDeviceOwnerRestrictions();
		reset(getServices().userManagerInternal);

		@@ -2004,7 +1981,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		reset(getServices().userManagerInternal);
		}

		public void testDefaultEnabledUserRestrictions() throws Exception {
		public void testNoDefaultEnabledUserRestrictions() throws Exception {
		mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
		mContext.callerPermissions.add(permission.MANAGE_USERS);
		mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
		@@ -2022,29 +1999,6 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		assertTrue(dpm.setDeviceOwner(admin1, "owner-name",
		UserHandle.USER_SYSTEM));

		// Check that the user restrictions that are enabled by default are set. Then unset them.
		String[] defaultRestrictions = UserRestrictionsUtils
		.getDefaultEnabledForDeviceOwner().toArray(new String[0]);
		assertTrue(defaultRestrictions.length > 0);
		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(defaultRestrictions),
		dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
		);
		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(defaultRestrictions),
		dpm.getUserRestrictions(admin1)
		);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(defaultRestrictions),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);

		for (String restriction : defaultRestrictions) {
		dpm.clearUserRestriction(admin1, restriction);
		}

		assertNoDeviceOwnerRestrictions();

		// Initialize DPMS again and check that the user restriction wasn't enabled again.
		@@ -2054,47 +2008,6 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		assertNotNull(dpms.getDeviceOwnerAdminLocked());

		assertNoDeviceOwnerRestrictions();

		// Add a new restriction to the default set, initialize DPMS, and check that the restriction
		// is set as it wasn't enabled during setDeviceOwner.
		final String newDefaultEnabledRestriction = UserManager.DISALLOW_REMOVE_MANAGED_PROFILE;
		assertFalse(UserRestrictionsUtils
		.getDefaultEnabledForDeviceOwner().contains(newDefaultEnabledRestriction));
		UserRestrictionsUtils
		.getDefaultEnabledForDeviceOwner().add(newDefaultEnabledRestriction);
		try {
		reset(getServices().userManagerInternal);
		initializeDpms();
		assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
		assertNotNull(dpms.getDeviceOwnerAdminLocked());

		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(newDefaultEnabledRestriction),
		dpms.getDeviceOwnerAdminLocked().ensureUserRestrictions()
		);
		DpmTestUtils.assertRestrictions(
		DpmTestUtils.newRestrictions(newDefaultEnabledRestriction),
		dpm.getUserRestrictions(admin1)
		);
		verify(getServices().userManagerInternal, atLeast(1)).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(newDefaultEnabledRestriction),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);

		// Remove the restriction.
		dpm.clearUserRestriction(admin1, newDefaultEnabledRestriction);

		// Initialize DPMS again. The restriction shouldn't be enabled for a second time.
		initializeDpms();
		assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName()));
		assertNotNull(dpms.getDeviceOwnerAdminLocked());
		assertNoDeviceOwnerRestrictions();
		} finally {
		UserRestrictionsUtils
		.getDefaultEnabledForDeviceOwner().remove(newDefaultEnabledRestriction);
		}
		}

		private void assertNoDeviceOwnerRestrictions() {