Changed parameters in setDevicePolicyUserRestriction (ece5cdb8) · Commits · e / os / android_frameworks_base

services/core/java/android/os/UserManagerInternal.java

+26 −8

Original line number	Diff line number	Diff line
		@@ -15,6 +15,7 @@
		*/
		package android.os;

		import android.annotation.IntDef;
		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.annotation.UserIdInt;
		@@ -22,13 +23,24 @@ import android.content.Context;
		import android.content.pm.UserInfo;
		import android.graphics.Bitmap;

		import java.lang.annotation.Retention;
		import java.lang.annotation.RetentionPolicy;

		/**
		* @hide Only for use within the system server.
		*/
		public abstract class UserManagerInternal {
		public static final int CAMERA_NOT_DISABLED = 0;
		public static final int CAMERA_DISABLED_LOCALLY = 1;
		public static final int CAMERA_DISABLED_GLOBALLY = 2;

		public static final int OWNER_TYPE_DEVICE_OWNER = 0;
		public static final int OWNER_TYPE_PROFILE_OWNER = 1;
		public static final int OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
		public static final int OWNER_TYPE_NO_OWNER = 3;

		@Retention(RetentionPolicy.SOURCE)
		@IntDef(value = {OWNER_TYPE_DEVICE_OWNER, OWNER_TYPE_PROFILE_OWNER,
		OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, OWNER_TYPE_NO_OWNER})
		public @interface OwnerType {
		}

		public interface UserRestrictionsListener {
		/**
		@@ -47,13 +59,19 @@ public abstract class UserManagerInternal {
		*
		* @param userId target user id for the local restrictions.
		* @param restrictions a bundle of user restrictions.
		* @param isDeviceOwner whether {@code userId} corresponds to device owner user id.
		* @param cameraRestrictionScope is camera disabled and if so what is the scope of restriction.
		* Should be one of {@link #CAMERA_NOT_DISABLED}, {@link #CAMERA_DISABLED_LOCALLY} or
		* {@link #CAMERA_DISABLED_GLOBALLY}
		* @param restrictionOwnerType determines which admin {@code userId} corresponds to.
		* The admin can be either
		* {@link UserManagerInternal#OWNER_TYPE_DEVICE_OWNER},
		* {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER},
		* {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE}
		* or {@link UserManagerInternal#OWNER_TYPE_NO_OWNER}.
		* If the admin is a DEVICE_OWNER or a PROFILE_OWNER_ORG_OWNED_DEVICE then
		* a restriction may be applied globally depending on which restriction it is,
		* otherwise it will be applied just on the current user.
		* @see OwnerType
		*/
		public abstract void setDevicePolicyUserRestrictions(int userId, @Nullable Bundle restrictions,
		boolean isDeviceOwner, int cameraRestrictionScope);
		@OwnerType int restrictionOwnerType);

		/**
		* Returns the "base" user restrictions.

services/core/java/com/android/server/pm/UserManagerService.java

+8 −7

Original line number	Diff line number	Diff line
		@@ -1634,13 +1634,14 @@ public class UserManagerService extends IUserManager.Stub {
		* See {@link UserManagerInternal#setDevicePolicyUserRestrictions}
		*/
		private void setDevicePolicyUserRestrictionsInner(@UserIdInt int userId,
		@Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) {
		@Nullable Bundle restrictions,
		@UserManagerInternal.OwnerType int restrictionOwnerType) {
		final Bundle global = new Bundle();
		final Bundle local = new Bundle();

		// Sort restrictions into local and global ensuring they don't overlap.
		UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, isDeviceOwner,
		cameraRestrictionScope, global, local);
		UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, restrictionOwnerType, global,
		local);

		boolean globalChanged, localChanged;
		synchronized (mRestrictionsLock) {
		@@ -1650,7 +1651,7 @@ public class UserManagerService extends IUserManager.Stub {
		localChanged = updateRestrictionsIfNeededLR(
		userId, local, mDevicePolicyLocalUserRestrictions);

		if (isDeviceOwner) {
		if (restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) {
		// Remember the global restriction owner userId to be able to make a distinction
		// in getUserRestrictionSource on who set local policies.
		mDeviceOwnerUserId = userId;
		@@ -4484,9 +4485,9 @@ public class UserManagerService extends IUserManager.Stub {
		private class LocalService extends UserManagerInternal {
		@Override
		public void setDevicePolicyUserRestrictions(@UserIdInt int userId,
		@Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) {
		UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions,
		isDeviceOwner, cameraRestrictionScope);
		@Nullable Bundle restrictions, @OwnerType int restrictionOwnerType) {
		UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId,
		restrictions, restrictionOwnerType);
		}

		@Override

services/core/java/com/android/server/pm/UserRestrictionsUtils.java

+23 −14

Original line number	Diff line number	Diff line
		@@ -194,7 +194,18 @@ public class UserRestrictionsUtils {
		UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
		UserManager.DISALLOW_RUN_IN_BACKGROUND,
		UserManager.DISALLOW_UNMUTE_MICROPHONE,
		UserManager.DISALLOW_UNMUTE_DEVICE
		UserManager.DISALLOW_UNMUTE_DEVICE,
		UserManager.DISALLOW_CAMERA
		);

		/**
		* Special user restrictions that are applied globally when set by the profile owner of a
		* managed profile that was created during the device provisioning flow.
		*/
		private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS =
		Sets.newArraySet(
		UserManager.DISALLOW_CONFIG_DATE_TIME,
		UserManager.DISALLOW_CAMERA
		);

		/**
		@@ -419,15 +430,9 @@ public class UserRestrictionsUtils {
		* Takes restrictions that can be set by device owner, and sort them into what should be applied
		* globally and what should be applied only on the current user.
		*/
		public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner,
		int cameraRestrictionScope,
		@NonNull Bundle global, @NonNull Bundle local) {
		// Camera restriction (as well as all others) goes to at most one bundle.
		if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) {
		global.putBoolean(UserManager.DISALLOW_CAMERA, true);
		} else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) {
		local.putBoolean(UserManager.DISALLOW_CAMERA, true);
		}
		public static void sortToGlobalAndLocal(@Nullable Bundle in,
		@UserManagerInternal.OwnerType int restrictionOwnerType, @NonNull Bundle global,
		@NonNull Bundle local) {
		if (in == null \|\| in.size() == 0) {
		return;
		}
		@@ -435,7 +440,7 @@ public class UserRestrictionsUtils {
		if (!in.getBoolean(key)) {
		continue;
		}
		if (isGlobal(isDeviceOwner, key)) {
		if (isGlobal(restrictionOwnerType, key)) {
		global.putBoolean(key, true);
		} else {
		local.putBoolean(key, true);
		@@ -446,9 +451,13 @@ public class UserRestrictionsUtils {
		/**
		* Whether given user restriction should be enforced globally.
		*/
		private static boolean isGlobal(boolean isDeviceOwner, String key) {
		return (isDeviceOwner &&
		(PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) \|\| GLOBAL_RESTRICTIONS.contains(key)))
		private static boolean isGlobal(@UserManagerInternal.OwnerType int restrictionOwnerType,
		String key) {
		return ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) && (
		PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) \|\| GLOBAL_RESTRICTIONS.contains(key)))
		\|\| ((restrictionOwnerType
		== UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)
		&& PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key))
		\|\| PROFILE_GLOBAL_RESTRICTIONS.contains(key)
		\|\| DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key);
		}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+35 −24

Original line number	Diff line number	Diff line
		@@ -5568,8 +5568,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}
		}

		private void enforceProfileOwnerOfCorpOwnedDevice(ActiveAdmin admin) {
		if (!isProfileOwnerOfOrganizationOwnedDevicte(admin)) {
		private void enforceProfileOwnerOfOrganizationOwnedDevice(ActiveAdmin admin) {
		if (!isProfileOwnerOfOrganizationOwnedDevice(admin)) {
		throw new SecurityException(String.format("Provided admin %s is either not a profile "
		+ "owner or not on a corporate-owned device.", admin));
		}
		@@ -6639,7 +6639,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		}

		boolean calledByProfileOwnerOnOrgOwnedDevice =
		isProfileOwnerOfOrganizationOwnedDevicte(admin);
		isProfileOwnerOfOrganizationOwnedDevice(admin);

		if (calledOnParentInstance && !calledByProfileOwnerOnOrgOwnedDevice) {
		throw new SecurityException("Wiping the entire device can only be done by a profile"
		@@ -8020,7 +8020,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		* {@code getActiveAdminForCallerLocked} or one of the similar variants, not caller-supplied
		* input.
		*/
		private boolean isProfileOwnerOfOrganizationOwnedDevicte(@Nullable ActiveAdmin admin) {
		private boolean isProfileOwnerOfOrganizationOwnedDevice(@Nullable ActiveAdmin admin) {
		if (admin == null) {
		return false;
		}
		@@ -10223,8 +10223,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		synchronized (getLockObject()) {
		final boolean isDeviceOwner = mOwners.isDeviceOwnerUserId(userId);
		final Bundle userRestrictions;
		// Whether device owner enforces camera restriction.
		boolean disallowCameraGlobally = false;
		final int restrictionOwnerType;

		if (isDeviceOwner) {
		final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked();
		@@ -10232,33 +10231,45 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
		return; // Shouldn't happen.
		}
		userRestrictions = deviceOwner.userRestrictions;
		// DO can disable camera globally.
		disallowCameraGlobally = deviceOwner.disableCamera;
		addOrRemoveDisableCameraRestriction(userRestrictions, deviceOwner);
		restrictionOwnerType = UserManagerInternal.OWNER_TYPE_DEVICE_OWNER;
		} else {
		final ActiveAdmin profileOwner = getProfileOwnerAdminLocked(userId);
		userRestrictions = profileOwner != null ? profileOwner.userRestrictions : null;
		}
		addOrRemoveDisableCameraRestriction(userRestrictions, userId);

		// Whether any admin enforces camera restriction.
		final int cameraRestrictionScope =
		getCameraRestrictionScopeLocked(userId, disallowCameraGlobally);
		if (isProfileOwnerOfOrganizationOwnedDevice(profileOwner)) {
		restrictionOwnerType =
		UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
		} else if (profileOwner != null) {
		restrictionOwnerType = UserManagerInternal.OWNER_TYPE_PROFILE_OWNER;
		} else {
		restrictionOwnerType = UserManagerInternal.OWNER_TYPE_NO_OWNER;
		}
		}

		mUserManagerInternal.setDevicePolicyUserRestrictions(userId, userRestrictions,
		isDeviceOwner, cameraRestrictionScope);
		restrictionOwnerType);
		}
		}

		/**
		* Get the scope of camera restriction for a given user if any.
		*/
		private int getCameraRestrictionScopeLocked(int userId, boolean disallowCameraGlobally) {
		if (disallowCameraGlobally) {
		return UserManagerInternal.CAMERA_DISABLED_GLOBALLY;
		} else if (getCameraDisabled(
		/* who= / null, userId, / mergeDeviceOwnerRestriction= */ false)) {
		return UserManagerInternal.CAMERA_DISABLED_LOCALLY;
		}
		return UserManagerInternal.CAMERA_NOT_DISABLED;
		private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, ActiveAdmin admin) {
		if (userRestrictions == null) return;
		if (admin.disableCamera) {
		userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true);
		} else {
		userRestrictions.remove(UserManager.DISALLOW_CAMERA);
		}
		}

		private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, int userId) {
		if (userRestrictions == null) return;
		if (getCameraDisabled(/* who= / null, userId, / mergeDeviceOwnerRestriction= */
		false)) {
		userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true);
		} else {
		userRestrictions.remove(UserManager.DISALLOW_CAMERA);
		}
		}

		@Override

services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java

+57 −31

Original line number	Diff line number	Diff line
		@@ -26,9 +26,6 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_MEDIUM;
		import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE;
		import static android.app.admin.DevicePolicyManager.WIPE_EUICC;
		import static android.app.admin.PasswordMetrics.computeForPassword;
		import static android.os.UserManagerInternal.CAMERA_DISABLED_GLOBALLY;
		import static android.os.UserManagerInternal.CAMERA_DISABLED_LOCALLY;
		import static android.os.UserManagerInternal.CAMERA_NOT_DISABLED;

		import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE;
		import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback;
		@@ -82,6 +79,7 @@ import android.os.Bundle;
		import android.os.Process;
		import android.os.UserHandle;
		import android.os.UserManager;
		import android.os.UserManagerInternal;
		import android.platform.test.annotations.Presubmit;
		import android.provider.Settings;
		import android.security.KeyChain;
		@@ -1154,9 +1152,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		MockUtils.checkUserHandle(UserHandle.USER_SYSTEM));

		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		eq(null),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserHandle.USER_SYSTEM), eq(null),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));

		verify(getServices().usageStatsManagerInternal).setActiveAdminApps(
		null, UserHandle.USER_SYSTEM);
		@@ -1725,8 +1722,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(defaultRestrictions),
		eq(true) /* isDeviceOwner */,
		eq(CAMERA_NOT_DISABLED)
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);

		@@ -1741,7 +1737,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
		@@ -1749,7 +1745,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS,
		UserManager.DISALLOW_ADD_USER),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		DpmTestUtils.assertRestrictions(
		@@ -1767,7 +1763,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		DpmTestUtils.assertRestrictions(
		@@ -1783,7 +1779,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		assertNoDeviceOwnerRestrictions();
		@@ -1797,7 +1793,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
		UserManager.DISALLOW_UNMUTE_MICROPHONE),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME);
		@@ -1809,7 +1805,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN);
		@@ -1817,16 +1813,16 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
		UserManager.DISALLOW_ADD_USER),
		eq(true), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.setCameraDisabled(admin1, true);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		// DISALLOW_CAMERA will be applied to both local and global.
		// DISALLOW_CAMERA will be applied globally.
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN,
		UserManager.DISALLOW_ADD_USER),
		eq(true), eq(CAMERA_DISABLED_GLOBALLY));
		UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_CAMERA),
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER));
		reset(getServices().userManagerInternal);
		}

		@@ -1872,7 +1868,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES),
		eq(false), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS);
		@@ -1880,7 +1876,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
		UserManager.DISALLOW_OUTGOING_CALLS),
		eq(false), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		DpmTestUtils.assertRestrictions(
		@@ -1903,7 +1899,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS),
		eq(false), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		DpmTestUtils.assertRestrictions(
		@@ -1924,7 +1920,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(),
		eq(false), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		DpmTestUtils.assertRestrictions(
		@@ -1946,20 +1942,52 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
		UserManager.DISALLOW_UNMUTE_MICROPHONE),
		eq(false), eq(CAMERA_NOT_DISABLED));
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		dpm.setCameraDisabled(admin1, true);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME,
		UserManager.DISALLOW_UNMUTE_MICROPHONE),
		eq(false), eq(CAMERA_DISABLED_LOCALLY));
		UserManager.DISALLOW_UNMUTE_MICROPHONE, UserManager.DISALLOW_CAMERA),
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER));
		reset(getServices().userManagerInternal);

		// TODO Make sure restrictions are written to the file.
		}

		public void testSetUserRestriction_asPoOfOrgOwnedDevice() throws Exception {
		setupProfileOwner();

		final long ident = mServiceContext.binder.clearCallingIdentity();
		configureContextForAccess(mServiceContext, true);

		mServiceContext.binder.callingUid =
		UserHandle.getUid(DpmMockContext.CALLER_USER_HANDLE,
		DpmMockContext.CALLER_MANAGED_PROVISIONING_UID);
		try {
		runAsCaller(mServiceContext, dpms, dpm -> {
		dpm.markProfileOwnerOnOrganizationOwnedDevice(admin1);
		});
		} finally {
		mServiceContext.binder.restoreCallingIdentity(ident);
		}

		dpm.addUserRestriction(admin1, UserManager.DISALLOW_CONFIG_DATE_TIME);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME),
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE));
		reset(getServices().userManagerInternal);

		dpm.setCameraDisabled(admin1, true);
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(DpmMockContext.CALLER_USER_HANDLE),
		MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME,
		UserManager.DISALLOW_CAMERA),
		eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE));
		reset(getServices().userManagerInternal);
		}

		public void testDefaultEnabledUserRestrictions() throws Exception {
		mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
		@@ -1994,8 +2022,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(defaultRestrictions),
		eq(true) /* isDeviceOwner */,
		eq(CAMERA_NOT_DISABLED)
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);

		@@ -2037,8 +2064,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
		verify(getServices().userManagerInternal, atLeast(1)).setDevicePolicyUserRestrictions(
		eq(UserHandle.USER_SYSTEM),
		MockUtils.checkUserRestrictions(newDefaultEnabledRestriction),
		eq(true) /* isDeviceOwner */,
		eq(CAMERA_NOT_DISABLED)
		eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)
		);
		reset(getServices().userManagerInternal);