Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dff1f4fc authored by Rubin Xu's avatar Rubin Xu
Browse files

Block ADB from being able to remove COPE profile 

Set DISALLOW_REMOVE_MANAGED_PROFILE on user 0 on HSUM.
A bit hacky but should do the job.

Bug: 345713432
Test: manual
Change-Id: I211444b513d46bfe4e1ea947540607bee404fc5c
parent fcafa1c9

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+10 −0
Original line number Diff line number Diff line
@@ -4145,6 +4145,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
    private void clearOrgOwnedProfileOwnerUserRestrictions(UserHandle parentUserHandle) {

        mUserManager.setUserRestriction(

                UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, false, parentUserHandle);

        if (mInjector.userManagerIsHeadlessSystemUserMode()) {

            mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,

                    false, UserHandle.SYSTEM);

        }

        mUserManager.setUserRestriction(

                UserManager.DISALLOW_ADD_USER, false, parentUserHandle);

    }
@@ -17890,6 +17894,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
            mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,

                    isProfileOwnerOnOrganizationOwnedDevice,

                    parentUser);

            if (mInjector.userManagerIsHeadlessSystemUserMode()) {

                // For HSUM, additionally set this on user 0 to block ADB from removing the profile.

                mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,

                        isProfileOwnerOnOrganizationOwnedDevice,

                        UserHandle.SYSTEM);

            }

            mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER,

                    isProfileOwnerOnOrganizationOwnedDevice,

                    parentUser);