Revert "Revert "Enable unicorn APIs"" (dc1ee13c) · Commits · e / os / android_frameworks_base

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+38 −38

Original line number	Diff line number	Diff line
		@@ -6051,7 +6051,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		@Override
		public void lockNow(int flags, String callerPackageName, boolean parent) {
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(callerPackageName);
		} else {
		caller = getCallerIdentity();
		@@ -6063,7 +6063,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		ActiveAdmin admin;
		// Make sure the caller has any active admin with the right policy or
		// the required permission.
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		admin = enforcePermissionAndGetEnforcingAdmin(
		/* admin= */ null,
		/* permission= */ MANAGE_DEVICE_POLICY_LOCK,
		@@ -8917,13 +8917,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		enforcePermission(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		@@ -8951,13 +8951,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		Objects.requireNonNull(who, "ComponentName is null");
		@@ -8986,7 +8986,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		@@ -9026,13 +9026,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// The effect of this policy is device-wide.
		enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL);
		} else {
		@@ -9335,7 +9335,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		@@ -9345,7 +9345,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final int userHandle = caller.getUserId();
		int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
		synchronized (getLockObject()) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES
		EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
		who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(),
		@@ -9424,7 +9424,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		synchronized (getLockObject()) {
		if (who != null) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForPackage(
		who, who.getPackageName(), userHandle);
		Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin(
		@@ -9439,7 +9439,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		}

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		Integer features = mDevicePolicyEngine.getResolvedPolicy(
		PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
		affectedUserId);
		@@ -11636,7 +11636,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);
		checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_APPLICATION_RESTRICTIONS);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
		@@ -13063,7 +13063,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		String packageName) {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
		@@ -13133,7 +13133,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);
		ActiveAdmin admin;

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		MANAGE_DEVICE_POLICY_PACKAGE_STATE,
		@@ -13230,7 +13230,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public boolean isPackageSuspended(ComponentName who, String callerPackage, String packageName) {
		final CallerIdentity caller = getCallerIdentity(who, callerPackage);

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcePermission(
		MANAGE_DEVICE_POLICY_PACKAGE_STATE,
		caller.getPackageName(),
		@@ -13836,7 +13836,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean hidden, boolean parent) {
		CallerIdentity caller = getCallerIdentity(who, callerPackage);
		final int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// TODO: We need to ensure the delegate with DELEGATION_PACKAGE_ACCESS can do this
		enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId);
		} else {
		@@ -13855,7 +13855,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean result;
		synchronized (getLockObject()) {
		if (parent) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(
		caller.getUserId()) && isManagedProfile(caller.getUserId()));
		@@ -13872,7 +13872,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		Slogf.v(LOG_TAG, "calling pm.setApplicationHiddenSettingAsUser(%s, %b, %d)",
		packageName, hidden, userId);
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin admin = getEnforcingAdminForCaller(who, callerPackage);
		mDevicePolicyEngine.setLocalPolicy(
		PolicyDefinition.APPLICATION_HIDDEN(packageName),
		@@ -13911,7 +13911,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		String packageName, boolean parent) {
		CallerIdentity caller = getCallerIdentity(who, callerPackage);
		int userId = parent ? getProfileParentId(caller.getUserId()) : caller.getUserId();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		// TODO: Also support DELEGATION_PACKAGE_ACCESS
		enforcePermission(MANAGE_DEVICE_POLICY_PACKAGE_STATE, caller.getPackageName(), userId);
		} else {
		@@ -13923,7 +13923,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		synchronized (getLockObject()) {
		if (parent) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(
		isProfileOwnerOfOrganizationOwnedDevice(caller.getUserId())
		&& isManagedProfile(caller.getUserId()));
		@@ -14115,13 +14115,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		enforceMaxStringLength(accountType, "account type");

		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}
		synchronized (getLockObject()) {
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		int affectedUser = getAffectedUser(parent);
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		who,
		@@ -14184,7 +14184,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		CallerIdentity caller;
		Preconditions.checkArgumentNonnegative(userId, "Invalid userId");
		final ArraySet<String> resultSet = new ArraySet<>();
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		int affectedUser = parent ? getProfileParentId(userId) : userId;
		caller = getCallerIdentity(callerPackageName);
		if (!hasPermission(MANAGE_DEVICE_POLICY_ACCOUNT_MANAGEMENT,
		@@ -15555,12 +15555,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public boolean setStatusBarDisabled(ComponentName who, String callerPackageName,
		boolean disabled) {
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(who, callerPackageName);
		} else {
		caller = getCallerIdentity(who);
		}
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcePermission(MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(),
		UserHandle.USER_ALL);
		} else {
		@@ -15571,7 +15571,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		int userId = caller.getUserId();
		synchronized (getLockObject()) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
		"Admin " + who + " is neither the device owner or affiliated "
		+ "user's profile owner.");
		@@ -15630,7 +15630,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		@Override
		public boolean isStatusBarDisabled(String callerPackage) {
		final CallerIdentity caller = getCallerIdentity(callerPackage);
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(
		MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(), caller.getUserId());
		} else {
		@@ -15640,7 +15640,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {

		int userId = caller.getUserId();
		synchronized (getLockObject()) {
		if (!isPermissionCheckFlagEnabled()) {
		if (!isPolicyEngineForFinanceFlagEnabled()) {
		Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
		"Admin " + callerPackage
		+ " is neither the device owner or affiliated user's profile owner.");
		@@ -16801,7 +16801,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		}
		}
		EnforcingAdmin enforcingAdmin;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
		@@ -16972,7 +16972,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		public int getPermissionGrantState(ComponentName admin, String callerPackage,
		String packageName, String permission) throws RemoteException {
		final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		enforceCanQuery(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, caller.getPackageName(),
		caller.getUserId());
		} else {
		@@ -19110,14 +19110,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		throw new IllegalArgumentException("token must be at least 32-byte long");
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		}
		final int userId = caller.getUserId();

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,
		@@ -19173,7 +19173,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		@@ -19181,7 +19181,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		final int userId = caller.getUserId();
		boolean result = false;

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,
		@@ -19220,14 +19220,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		return false;
		}
		CallerIdentity caller;
		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		caller = getCallerIdentity(admin, callerPackageName);
		} else {
		caller = getCallerIdentity(admin);
		}
		int userId = caller.getUserId();

		if (isPermissionCheckFlagEnabled()) {
		if (isPolicyEngineForFinanceFlagEnabled()) {
		EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
		admin,
		MANAGE_DEVICE_POLICY_RESET_PASSWORD,

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+13 −0

Original line number	Diff line number	Diff line
		@@ -1512,6 +1512,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		* Validates that when the device owner is removed, the reset password token is cleared
		*/
		@Test
		@Ignore("b/277916462")
		public void testClearDeviceOwner_clearResetPasswordToken() throws Exception {
		mContext.callerPermissions.add(android.Manifest.permission.MANAGE_DEVICE_ADMINS);
		mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
		@@ -2602,6 +2603,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetApplicationHiddenWithDO() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -2627,6 +2629,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetApplicationHiddenWithPOOfOrganizationOwnedDevice() throws Exception {
		final int MANAGED_PROFILE_USER_ID = CALLER_USER_HANDLE;
		final int MANAGED_PROFILE_ADMIN_UID =
		@@ -4373,6 +4376,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledModifiesSetting() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -4384,6 +4388,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledWithPOOnUser0() throws Exception {
		mContext.binder.callingUid = DpmMockContext.SYSTEM_UID;
		setupProfileOwnerOnUser0();
		@@ -4395,6 +4400,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledFailWithPONotOnUser0() throws Exception {
		setupProfileOwner();
		assertExpectException(SecurityException.class, null,
		@@ -4404,6 +4410,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAutoTimeZoneEnabledWithPOOfOrganizationOwnedDevice() throws Exception {
		setupProfileOwner();
		configureProfileOwnerOfOrgOwnedDevice(admin1, CALLER_USER_HANDLE);
		@@ -5377,6 +5384,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testResetPasswordWithToken() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -5411,6 +5419,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void resetPasswordWithToken_NumericPin() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -5431,6 +5440,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void resetPasswordWithToken_EmptyPassword() throws Exception {
		mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID;
		setupDeviceOwner();
		@@ -7251,6 +7261,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testCanProfileOwnerResetPasswordWhenLocked() throws Exception {
		setDeviceEncryptionPerUser();
		setupProfileOwner();
		@@ -7314,6 +7325,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAccountTypesWithManagementDisabledOnManagedProfile() throws Exception {
		setupProfileOwner();

		@@ -7333,6 +7345,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		}

		@Test
		@Ignore("b/277916462")
		public void testSetAccountTypesWithManagementDisabledOnOrgOwnedManagedProfile()
		throws Exception {
		mContext.callerPermissions.add(permission.INTERACT_ACROSS_USERS);