Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +79 −24 Original line number Diff line number Diff line Loading @@ -9193,20 +9193,38 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); } final int userHandle = caller.getUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { // SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES ap = enforcePermissionAndGetEnforcingAdmin( EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(), affectedUserId).getActiveAdmin(); affectedUserId); if (which == 0) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, affectedUserId); } else { ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); // TODO(b/273723433): revisit silent masking of features if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { which = which & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } else { which = which & NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } } else { which = which & PROFILE_KEYGUARD_FEATURES; } } mDevicePolicyEngine.setLocalPolicy(PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, new IntegerPolicyValue(which), affectedUserId); } invalidateBinderCaches(); } else { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { Loading @@ -9223,6 +9241,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { saveSettingsLocked(userHandle); } } } if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_KEYGUARD_DISABLED_FEATURES_SET, caller.getPackageName(), userHandle, affectedUserId, which); Loading Loading @@ -9252,15 +9271,51 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization( who == null || isCallingFromPackage(who.getPackageName(), caller.getUid()) || isSystemUid(caller)); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; final long ident = mInjector.binderClearCallingIdentity(); try { synchronized (getLockObject()) { if (who != null) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { EnforcingAdmin admin = getEnforcingAdminForCaller( who, who.getPackageName()); Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, affectedUserId); return features == null ? 0 : features; } else { ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle, parent); return (admin != null) ? admin.disabledKeyguardFeatures : 0; } } if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { Integer features = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, affectedUserId); return Binder.withCleanCallingIdentity(() -> { int combinedFeatures = features == null ? 0 : features; List<UserInfo> profiles = mUserManager.getProfiles(affectedUserId); for (UserInfo profile : profiles) { int profileId = profile.id; if (profileId == affectedUserId) { continue; } Integer profileFeatures = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, profileId); if (profileFeatures != null) { combinedFeatures |= (profileFeatures & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER); } } return combinedFeatures; }); } final long ident = mInjector.binderClearCallingIdentity(); try { final List<ActiveAdmin> admins; if (!parent && isManagedProfile(userHandle)) { // If we are being asked about a managed profile, just return keyguard features Loading Loading @@ -9290,11 +9345,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } return which; } } finally { mInjector.binderRestoreCallingIdentity(ident); } } } @Override public void setKeepUninstalledPackages(ComponentName who, String callerPackage, services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java +8 −0 Original line number Diff line number Diff line Loading @@ -246,6 +246,14 @@ final class PolicyDefinition<V> { (Long value, Context context, Integer userId, PolicyKey policyKey) -> true, new LongPolicySerializer()); static PolicyDefinition<Integer> KEYGUARD_DISABLED_FEATURES = new PolicyDefinition<>( new NoArgsPolicyKey(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY), new FlagUnion(), POLICY_FLAG_LOCAL_ONLY_POLICY, // Nothing is enforced for keyguard features, we just need to store it (Integer value, Context context, Integer userId, PolicyKey policyKey) -> true, new IntegerPolicySerializer()); private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +79 −24 Original line number Diff line number Diff line Loading @@ -9193,20 +9193,38 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(who, "ComponentName is null"); } final int userHandle = caller.getUserId(); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; synchronized (getLockObject()) { ActiveAdmin ap; if (isPermissionCheckFlagEnabled()) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { // SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES ap = enforcePermissionAndGetEnforcingAdmin( EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin( who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(), affectedUserId).getActiveAdmin(); affectedUserId); if (which == 0) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, affectedUserId); } else { ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); // TODO(b/273723433): revisit silent masking of features if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { which = which & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } else { which = which & NON_ORG_OWNED_PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; } } else { which = which & PROFILE_KEYGUARD_FEATURES; } } mDevicePolicyEngine.setLocalPolicy(PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, new IntegerPolicyValue(which), affectedUserId); } invalidateBinderCaches(); } else { ActiveAdmin ap = getActiveAdminForCallerLocked( who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES, parent); if (isManagedProfile(userHandle)) { if (parent) { if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { Loading @@ -9223,6 +9241,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { saveSettingsLocked(userHandle); } } } if (SecurityLog.isLoggingEnabled()) { SecurityLog.writeEvent(SecurityLog.TAG_KEYGUARD_DISABLED_FEATURES_SET, caller.getPackageName(), userHandle, affectedUserId, which); Loading Loading @@ -9252,15 +9271,51 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization( who == null || isCallingFromPackage(who.getPackageName(), caller.getUid()) || isSystemUid(caller)); int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle; final long ident = mInjector.binderClearCallingIdentity(); try { synchronized (getLockObject()) { if (who != null) { if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { EnforcingAdmin admin = getEnforcingAdminForCaller( who, who.getPackageName()); Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, admin, affectedUserId); return features == null ? 0 : features; } else { ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle, parent); return (admin != null) ? admin.disabledKeyguardFeatures : 0; } } if (useDevicePolicyEngine(caller, /* delegateScope= */ null)) { Integer features = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, affectedUserId); return Binder.withCleanCallingIdentity(() -> { int combinedFeatures = features == null ? 0 : features; List<UserInfo> profiles = mUserManager.getProfiles(affectedUserId); for (UserInfo profile : profiles) { int profileId = profile.id; if (profileId == affectedUserId) { continue; } Integer profileFeatures = mDevicePolicyEngine.getResolvedPolicy( PolicyDefinition.KEYGUARD_DISABLED_FEATURES, profileId); if (profileFeatures != null) { combinedFeatures |= (profileFeatures & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER); } } return combinedFeatures; }); } final long ident = mInjector.binderClearCallingIdentity(); try { final List<ActiveAdmin> admins; if (!parent && isManagedProfile(userHandle)) { // If we are being asked about a managed profile, just return keyguard features Loading Loading @@ -9290,11 +9345,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } return which; } } finally { mInjector.binderRestoreCallingIdentity(ident); } } } @Override public void setKeepUninstalledPackages(ComponentName who, String callerPackage,
services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java +8 −0 Original line number Diff line number Diff line Loading @@ -246,6 +246,14 @@ final class PolicyDefinition<V> { (Long value, Context context, Integer userId, PolicyKey policyKey) -> true, new LongPolicySerializer()); static PolicyDefinition<Integer> KEYGUARD_DISABLED_FEATURES = new PolicyDefinition<>( new NoArgsPolicyKey(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY), new FlagUnion(), POLICY_FLAG_LOCAL_ONLY_POLICY, // Nothing is enforced for keyguard features, we just need to store it (Integer value, Context context, Integer userId, PolicyKey policyKey) -> true, new IntegerPolicySerializer()); private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); Loading
