Loading services/core/java/android/os/UserManagerInternal.java +26 −8 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ */ package android.os; import android.annotation.IntDef; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; Loading @@ -22,13 +23,24 @@ import android.content.Context; import android.content.pm.UserInfo; import android.graphics.Bitmap; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; /** * @hide Only for use within the system server. */ public abstract class UserManagerInternal { public static final int CAMERA_NOT_DISABLED = 0; public static final int CAMERA_DISABLED_LOCALLY = 1; public static final int CAMERA_DISABLED_GLOBALLY = 2; public static final int OWNER_TYPE_DEVICE_OWNER = 0; public static final int OWNER_TYPE_PROFILE_OWNER = 1; public static final int OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; public static final int OWNER_TYPE_NO_OWNER = 3; @Retention(RetentionPolicy.SOURCE) @IntDef(value = {OWNER_TYPE_DEVICE_OWNER, OWNER_TYPE_PROFILE_OWNER, OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, OWNER_TYPE_NO_OWNER}) public @interface OwnerType { } public interface UserRestrictionsListener { /** Loading @@ -47,13 +59,19 @@ public abstract class UserManagerInternal { * * @param userId target user id for the local restrictions. * @param restrictions a bundle of user restrictions. * @param isDeviceOwner whether {@code userId} corresponds to device owner user id. * @param cameraRestrictionScope is camera disabled and if so what is the scope of restriction. * Should be one of {@link #CAMERA_NOT_DISABLED}, {@link #CAMERA_DISABLED_LOCALLY} or * {@link #CAMERA_DISABLED_GLOBALLY} * @param restrictionOwnerType determines which admin {@code userId} corresponds to. * The admin can be either * {@link UserManagerInternal#OWNER_TYPE_DEVICE_OWNER}, * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER}, * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE} * or {@link UserManagerInternal#OWNER_TYPE_NO_OWNER}. * If the admin is a DEVICE_OWNER or a PROFILE_OWNER_ORG_OWNED_DEVICE then * a restriction may be applied globally depending on which restriction it is, * otherwise it will be applied just on the current user. * @see OwnerType */ public abstract void setDevicePolicyUserRestrictions(int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope); @OwnerType int restrictionOwnerType); /** * Returns the "base" user restrictions. Loading services/core/java/com/android/server/pm/UserManagerService.java +8 −7 Original line number Diff line number Diff line Loading @@ -1634,13 +1634,14 @@ public class UserManagerService extends IUserManager.Stub { * See {@link UserManagerInternal#setDevicePolicyUserRestrictions} */ private void setDevicePolicyUserRestrictionsInner(@UserIdInt int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) { @Nullable Bundle restrictions, @UserManagerInternal.OwnerType int restrictionOwnerType) { final Bundle global = new Bundle(); final Bundle local = new Bundle(); // Sort restrictions into local and global ensuring they don't overlap. UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, isDeviceOwner, cameraRestrictionScope, global, local); UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, restrictionOwnerType, global, local); boolean globalChanged, localChanged; synchronized (mRestrictionsLock) { Loading @@ -1650,7 +1651,7 @@ public class UserManagerService extends IUserManager.Stub { localChanged = updateRestrictionsIfNeededLR( userId, local, mDevicePolicyLocalUserRestrictions); if (isDeviceOwner) { if (restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) { // Remember the global restriction owner userId to be able to make a distinction // in getUserRestrictionSource on who set local policies. mDeviceOwnerUserId = userId; Loading Loading @@ -4484,9 +4485,9 @@ public class UserManagerService extends IUserManager.Stub { private class LocalService extends UserManagerInternal { @Override public void setDevicePolicyUserRestrictions(@UserIdInt int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) { UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions, isDeviceOwner, cameraRestrictionScope); @Nullable Bundle restrictions, @OwnerType int restrictionOwnerType) { UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions, restrictionOwnerType); } @Override Loading services/core/java/com/android/server/pm/UserRestrictionsUtils.java +23 −14 Original line number Diff line number Diff line Loading @@ -194,7 +194,18 @@ public class UserRestrictionsUtils { UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, UserManager.DISALLOW_RUN_IN_BACKGROUND, UserManager.DISALLOW_UNMUTE_MICROPHONE, UserManager.DISALLOW_UNMUTE_DEVICE UserManager.DISALLOW_UNMUTE_DEVICE, UserManager.DISALLOW_CAMERA ); /** * Special user restrictions that are applied globally when set by the profile owner of a * managed profile that was created during the device provisioning flow. */ private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS = Sets.newArraySet( UserManager.DISALLOW_CONFIG_DATE_TIME, UserManager.DISALLOW_CAMERA ); /** Loading Loading @@ -419,15 +430,9 @@ public class UserRestrictionsUtils { * Takes restrictions that can be set by device owner, and sort them into what should be applied * globally and what should be applied only on the current user. */ public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner, int cameraRestrictionScope, @NonNull Bundle global, @NonNull Bundle local) { // Camera restriction (as well as all others) goes to at most one bundle. if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) { global.putBoolean(UserManager.DISALLOW_CAMERA, true); } else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) { local.putBoolean(UserManager.DISALLOW_CAMERA, true); } public static void sortToGlobalAndLocal(@Nullable Bundle in, @UserManagerInternal.OwnerType int restrictionOwnerType, @NonNull Bundle global, @NonNull Bundle local) { if (in == null || in.size() == 0) { return; } Loading @@ -435,7 +440,7 @@ public class UserRestrictionsUtils { if (!in.getBoolean(key)) { continue; } if (isGlobal(isDeviceOwner, key)) { if (isGlobal(restrictionOwnerType, key)) { global.putBoolean(key, true); } else { local.putBoolean(key, true); Loading @@ -446,9 +451,13 @@ public class UserRestrictionsUtils { /** * Whether given user restriction should be enforced globally. */ private static boolean isGlobal(boolean isDeviceOwner, String key) { return (isDeviceOwner && (PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key))) private static boolean isGlobal(@UserManagerInternal.OwnerType int restrictionOwnerType, String key) { return ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) && ( PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key))) || ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE) && PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key)) || PROFILE_GLOBAL_RESTRICTIONS.contains(key) || DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key); } Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +35 −24 Original line number Diff line number Diff line Loading @@ -5574,8 +5574,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } } private void enforceProfileOwnerOfCorpOwnedDevice(ActiveAdmin admin) { if (!isProfileOwnerOfOrganizationOwnedDevicte(admin)) { private void enforceProfileOwnerOfOrganizationOwnedDevice(ActiveAdmin admin) { if (!isProfileOwnerOfOrganizationOwnedDevice(admin)) { throw new SecurityException(String.format("Provided admin %s is either not a profile " + "owner or not on a corporate-owned device.", admin)); } Loading Loading @@ -6645,7 +6645,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } boolean calledByProfileOwnerOnOrgOwnedDevice = isProfileOwnerOfOrganizationOwnedDevicte(admin); isProfileOwnerOfOrganizationOwnedDevice(admin); if (calledOnParentInstance && !calledByProfileOwnerOnOrgOwnedDevice) { throw new SecurityException("Wiping the entire device can only be done by a profile" Loading Loading @@ -8026,7 +8026,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * {@code getActiveAdminForCallerLocked} or one of the similar variants, not caller-supplied * input. */ private boolean isProfileOwnerOfOrganizationOwnedDevicte(@Nullable ActiveAdmin admin) { private boolean isProfileOwnerOfOrganizationOwnedDevice(@Nullable ActiveAdmin admin) { if (admin == null) { return false; } Loading Loading @@ -10229,8 +10229,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { synchronized (getLockObject()) { final boolean isDeviceOwner = mOwners.isDeviceOwnerUserId(userId); final Bundle userRestrictions; // Whether device owner enforces camera restriction. boolean disallowCameraGlobally = false; final int restrictionOwnerType; if (isDeviceOwner) { final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked(); Loading @@ -10238,33 +10237,45 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; // Shouldn't happen. } userRestrictions = deviceOwner.userRestrictions; // DO can disable camera globally. disallowCameraGlobally = deviceOwner.disableCamera; addOrRemoveDisableCameraRestriction(userRestrictions, deviceOwner); restrictionOwnerType = UserManagerInternal.OWNER_TYPE_DEVICE_OWNER; } else { final ActiveAdmin profileOwner = getProfileOwnerAdminLocked(userId); userRestrictions = profileOwner != null ? profileOwner.userRestrictions : null; } addOrRemoveDisableCameraRestriction(userRestrictions, userId); // Whether any admin enforces camera restriction. final int cameraRestrictionScope = getCameraRestrictionScopeLocked(userId, disallowCameraGlobally); if (isProfileOwnerOfOrganizationOwnedDevice(profileOwner)) { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; } else if (profileOwner != null) { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_PROFILE_OWNER; } else { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_NO_OWNER; } } mUserManagerInternal.setDevicePolicyUserRestrictions(userId, userRestrictions, isDeviceOwner, cameraRestrictionScope); restrictionOwnerType); } } /** * Get the scope of camera restriction for a given user if any. */ private int getCameraRestrictionScopeLocked(int userId, boolean disallowCameraGlobally) { if (disallowCameraGlobally) { return UserManagerInternal.CAMERA_DISABLED_GLOBALLY; } else if (getCameraDisabled( /* who= */ null, userId, /* mergeDeviceOwnerRestriction= */ false)) { return UserManagerInternal.CAMERA_DISABLED_LOCALLY; } return UserManagerInternal.CAMERA_NOT_DISABLED; private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, ActiveAdmin admin) { if (userRestrictions == null) return; if (admin.disableCamera) { userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true); } else { userRestrictions.remove(UserManager.DISALLOW_CAMERA); } } private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, int userId) { if (userRestrictions == null) return; if (getCameraDisabled(/* who= */ null, userId, /* mergeDeviceOwnerRestriction= */ false)) { userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true); } else { userRestrictions.remove(UserManager.DISALLOW_CAMERA); } } @Override Loading services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +57 −31 Original line number Diff line number Diff line Loading @@ -26,9 +26,6 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_MEDIUM; import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE; import static android.app.admin.DevicePolicyManager.WIPE_EUICC; import static android.app.admin.PasswordMetrics.computeForPassword; import static android.os.UserManagerInternal.CAMERA_DISABLED_GLOBALLY; import static android.os.UserManagerInternal.CAMERA_DISABLED_LOCALLY; import static android.os.UserManagerInternal.CAMERA_NOT_DISABLED; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; Loading Loading @@ -83,6 +80,7 @@ import android.os.Bundle; import android.os.Process; import android.os.UserHandle; import android.os.UserManager; import android.os.UserManagerInternal; import android.platform.test.annotations.Presubmit; import android.provider.Settings; import android.security.KeyChain; Loading Loading @@ -1155,9 +1153,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { MockUtils.checkUserHandle(UserHandle.USER_SYSTEM)); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), eq(null), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserHandle.USER_SYSTEM), eq(null), eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); verify(getServices().usageStatsManagerInternal).setActiveAdminApps( null, UserHandle.USER_SYSTEM); Loading Loading @@ -1726,8 +1723,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(defaultRestrictions), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading @@ -1742,7 +1738,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS); Loading @@ -1750,7 +1746,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1768,7 +1764,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1784,7 +1780,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); assertNoDeviceOwnerRestrictions(); Loading @@ -1798,7 +1794,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME); Loading @@ -1810,7 +1806,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN); Loading @@ -1818,16 +1814,16 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), // DISALLOW_CAMERA will be applied to both local and global. // DISALLOW_CAMERA will be applied globally. MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_DISABLED_GLOBALLY)); UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); } Loading Loading @@ -1873,7 +1869,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS); Loading @@ -1881,7 +1877,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, UserManager.DISALLOW_OUTGOING_CALLS), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1904,7 +1900,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1925,7 +1921,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1947,20 +1943,52 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(false), eq(CAMERA_DISABLED_LOCALLY)); UserManager.DISALLOW_UNMUTE_MICROPHONE, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); // TODO Make sure restrictions are written to the file. } public void testSetUserRestriction_asPoOfOrgOwnedDevice() throws Exception { setupProfileOwner(); final long ident = mServiceContext.binder.clearCallingIdentity(); configureContextForAccess(mServiceContext, true); mServiceContext.binder.callingUid = UserHandle.getUid(DpmMockContext.CALLER_USER_HANDLE, DpmMockContext.CALLER_MANAGED_PROVISIONING_UID); try { runAsCaller(mServiceContext, dpms, dpm -> { dpm.markProfileOwnerOnOrganizationOwnedDevice(admin1); }); } finally { mServiceContext.binder.restoreCallingIdentity(ident); } dpm.addUserRestriction(admin1, UserManager.DISALLOW_CONFIG_DATE_TIME); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)); reset(getServices().userManagerInternal); } public void testDefaultEnabledUserRestrictions() throws Exception { mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS); Loading Loading @@ -1995,8 +2023,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(defaultRestrictions), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading Loading @@ -2038,8 +2065,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal, atLeast(1)).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(newDefaultEnabledRestriction), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading Loading
services/core/java/android/os/UserManagerInternal.java +26 −8 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ */ package android.os; import android.annotation.IntDef; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; Loading @@ -22,13 +23,24 @@ import android.content.Context; import android.content.pm.UserInfo; import android.graphics.Bitmap; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; /** * @hide Only for use within the system server. */ public abstract class UserManagerInternal { public static final int CAMERA_NOT_DISABLED = 0; public static final int CAMERA_DISABLED_LOCALLY = 1; public static final int CAMERA_DISABLED_GLOBALLY = 2; public static final int OWNER_TYPE_DEVICE_OWNER = 0; public static final int OWNER_TYPE_PROFILE_OWNER = 1; public static final int OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2; public static final int OWNER_TYPE_NO_OWNER = 3; @Retention(RetentionPolicy.SOURCE) @IntDef(value = {OWNER_TYPE_DEVICE_OWNER, OWNER_TYPE_PROFILE_OWNER, OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, OWNER_TYPE_NO_OWNER}) public @interface OwnerType { } public interface UserRestrictionsListener { /** Loading @@ -47,13 +59,19 @@ public abstract class UserManagerInternal { * * @param userId target user id for the local restrictions. * @param restrictions a bundle of user restrictions. * @param isDeviceOwner whether {@code userId} corresponds to device owner user id. * @param cameraRestrictionScope is camera disabled and if so what is the scope of restriction. * Should be one of {@link #CAMERA_NOT_DISABLED}, {@link #CAMERA_DISABLED_LOCALLY} or * {@link #CAMERA_DISABLED_GLOBALLY} * @param restrictionOwnerType determines which admin {@code userId} corresponds to. * The admin can be either * {@link UserManagerInternal#OWNER_TYPE_DEVICE_OWNER}, * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER}, * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE} * or {@link UserManagerInternal#OWNER_TYPE_NO_OWNER}. * If the admin is a DEVICE_OWNER or a PROFILE_OWNER_ORG_OWNED_DEVICE then * a restriction may be applied globally depending on which restriction it is, * otherwise it will be applied just on the current user. * @see OwnerType */ public abstract void setDevicePolicyUserRestrictions(int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope); @OwnerType int restrictionOwnerType); /** * Returns the "base" user restrictions. Loading
services/core/java/com/android/server/pm/UserManagerService.java +8 −7 Original line number Diff line number Diff line Loading @@ -1634,13 +1634,14 @@ public class UserManagerService extends IUserManager.Stub { * See {@link UserManagerInternal#setDevicePolicyUserRestrictions} */ private void setDevicePolicyUserRestrictionsInner(@UserIdInt int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) { @Nullable Bundle restrictions, @UserManagerInternal.OwnerType int restrictionOwnerType) { final Bundle global = new Bundle(); final Bundle local = new Bundle(); // Sort restrictions into local and global ensuring they don't overlap. UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, isDeviceOwner, cameraRestrictionScope, global, local); UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, restrictionOwnerType, global, local); boolean globalChanged, localChanged; synchronized (mRestrictionsLock) { Loading @@ -1650,7 +1651,7 @@ public class UserManagerService extends IUserManager.Stub { localChanged = updateRestrictionsIfNeededLR( userId, local, mDevicePolicyLocalUserRestrictions); if (isDeviceOwner) { if (restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) { // Remember the global restriction owner userId to be able to make a distinction // in getUserRestrictionSource on who set local policies. mDeviceOwnerUserId = userId; Loading Loading @@ -4484,9 +4485,9 @@ public class UserManagerService extends IUserManager.Stub { private class LocalService extends UserManagerInternal { @Override public void setDevicePolicyUserRestrictions(@UserIdInt int userId, @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) { UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions, isDeviceOwner, cameraRestrictionScope); @Nullable Bundle restrictions, @OwnerType int restrictionOwnerType) { UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions, restrictionOwnerType); } @Override Loading
services/core/java/com/android/server/pm/UserRestrictionsUtils.java +23 −14 Original line number Diff line number Diff line Loading @@ -194,7 +194,18 @@ public class UserRestrictionsUtils { UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, UserManager.DISALLOW_RUN_IN_BACKGROUND, UserManager.DISALLOW_UNMUTE_MICROPHONE, UserManager.DISALLOW_UNMUTE_DEVICE UserManager.DISALLOW_UNMUTE_DEVICE, UserManager.DISALLOW_CAMERA ); /** * Special user restrictions that are applied globally when set by the profile owner of a * managed profile that was created during the device provisioning flow. */ private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS = Sets.newArraySet( UserManager.DISALLOW_CONFIG_DATE_TIME, UserManager.DISALLOW_CAMERA ); /** Loading Loading @@ -419,15 +430,9 @@ public class UserRestrictionsUtils { * Takes restrictions that can be set by device owner, and sort them into what should be applied * globally and what should be applied only on the current user. */ public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner, int cameraRestrictionScope, @NonNull Bundle global, @NonNull Bundle local) { // Camera restriction (as well as all others) goes to at most one bundle. if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) { global.putBoolean(UserManager.DISALLOW_CAMERA, true); } else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) { local.putBoolean(UserManager.DISALLOW_CAMERA, true); } public static void sortToGlobalAndLocal(@Nullable Bundle in, @UserManagerInternal.OwnerType int restrictionOwnerType, @NonNull Bundle global, @NonNull Bundle local) { if (in == null || in.size() == 0) { return; } Loading @@ -435,7 +440,7 @@ public class UserRestrictionsUtils { if (!in.getBoolean(key)) { continue; } if (isGlobal(isDeviceOwner, key)) { if (isGlobal(restrictionOwnerType, key)) { global.putBoolean(key, true); } else { local.putBoolean(key, true); Loading @@ -446,9 +451,13 @@ public class UserRestrictionsUtils { /** * Whether given user restriction should be enforced globally. */ private static boolean isGlobal(boolean isDeviceOwner, String key) { return (isDeviceOwner && (PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key))) private static boolean isGlobal(@UserManagerInternal.OwnerType int restrictionOwnerType, String key) { return ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) && ( PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key))) || ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE) && PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key)) || PROFILE_GLOBAL_RESTRICTIONS.contains(key) || DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key); } Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +35 −24 Original line number Diff line number Diff line Loading @@ -5574,8 +5574,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } } private void enforceProfileOwnerOfCorpOwnedDevice(ActiveAdmin admin) { if (!isProfileOwnerOfOrganizationOwnedDevicte(admin)) { private void enforceProfileOwnerOfOrganizationOwnedDevice(ActiveAdmin admin) { if (!isProfileOwnerOfOrganizationOwnedDevice(admin)) { throw new SecurityException(String.format("Provided admin %s is either not a profile " + "owner or not on a corporate-owned device.", admin)); } Loading Loading @@ -6645,7 +6645,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } boolean calledByProfileOwnerOnOrgOwnedDevice = isProfileOwnerOfOrganizationOwnedDevicte(admin); isProfileOwnerOfOrganizationOwnedDevice(admin); if (calledOnParentInstance && !calledByProfileOwnerOnOrgOwnedDevice) { throw new SecurityException("Wiping the entire device can only be done by a profile" Loading Loading @@ -8026,7 +8026,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * {@code getActiveAdminForCallerLocked} or one of the similar variants, not caller-supplied * input. */ private boolean isProfileOwnerOfOrganizationOwnedDevicte(@Nullable ActiveAdmin admin) { private boolean isProfileOwnerOfOrganizationOwnedDevice(@Nullable ActiveAdmin admin) { if (admin == null) { return false; } Loading Loading @@ -10229,8 +10229,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { synchronized (getLockObject()) { final boolean isDeviceOwner = mOwners.isDeviceOwnerUserId(userId); final Bundle userRestrictions; // Whether device owner enforces camera restriction. boolean disallowCameraGlobally = false; final int restrictionOwnerType; if (isDeviceOwner) { final ActiveAdmin deviceOwner = getDeviceOwnerAdminLocked(); Loading @@ -10238,33 +10237,45 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; // Shouldn't happen. } userRestrictions = deviceOwner.userRestrictions; // DO can disable camera globally. disallowCameraGlobally = deviceOwner.disableCamera; addOrRemoveDisableCameraRestriction(userRestrictions, deviceOwner); restrictionOwnerType = UserManagerInternal.OWNER_TYPE_DEVICE_OWNER; } else { final ActiveAdmin profileOwner = getProfileOwnerAdminLocked(userId); userRestrictions = profileOwner != null ? profileOwner.userRestrictions : null; } addOrRemoveDisableCameraRestriction(userRestrictions, userId); // Whether any admin enforces camera restriction. final int cameraRestrictionScope = getCameraRestrictionScopeLocked(userId, disallowCameraGlobally); if (isProfileOwnerOfOrganizationOwnedDevice(profileOwner)) { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; } else if (profileOwner != null) { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_PROFILE_OWNER; } else { restrictionOwnerType = UserManagerInternal.OWNER_TYPE_NO_OWNER; } } mUserManagerInternal.setDevicePolicyUserRestrictions(userId, userRestrictions, isDeviceOwner, cameraRestrictionScope); restrictionOwnerType); } } /** * Get the scope of camera restriction for a given user if any. */ private int getCameraRestrictionScopeLocked(int userId, boolean disallowCameraGlobally) { if (disallowCameraGlobally) { return UserManagerInternal.CAMERA_DISABLED_GLOBALLY; } else if (getCameraDisabled( /* who= */ null, userId, /* mergeDeviceOwnerRestriction= */ false)) { return UserManagerInternal.CAMERA_DISABLED_LOCALLY; } return UserManagerInternal.CAMERA_NOT_DISABLED; private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, ActiveAdmin admin) { if (userRestrictions == null) return; if (admin.disableCamera) { userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true); } else { userRestrictions.remove(UserManager.DISALLOW_CAMERA); } } private void addOrRemoveDisableCameraRestriction(Bundle userRestrictions, int userId) { if (userRestrictions == null) return; if (getCameraDisabled(/* who= */ null, userId, /* mergeDeviceOwnerRestriction= */ false)) { userRestrictions.putBoolean(UserManager.DISALLOW_CAMERA, true); } else { userRestrictions.remove(UserManager.DISALLOW_CAMERA); } } @Override Loading
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +57 −31 Original line number Diff line number Diff line Loading @@ -26,9 +26,6 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_MEDIUM; import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE; import static android.app.admin.DevicePolicyManager.WIPE_EUICC; import static android.app.admin.PasswordMetrics.computeForPassword; import static android.os.UserManagerInternal.CAMERA_DISABLED_GLOBALLY; import static android.os.UserManagerInternal.CAMERA_DISABLED_LOCALLY; import static android.os.UserManagerInternal.CAMERA_NOT_DISABLED; import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE; import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback; Loading Loading @@ -83,6 +80,7 @@ import android.os.Bundle; import android.os.Process; import android.os.UserHandle; import android.os.UserManager; import android.os.UserManagerInternal; import android.platform.test.annotations.Presubmit; import android.provider.Settings; import android.security.KeyChain; Loading Loading @@ -1155,9 +1153,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { MockUtils.checkUserHandle(UserHandle.USER_SYSTEM)); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), eq(null), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserHandle.USER_SYSTEM), eq(null), eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); verify(getServices().usageStatsManagerInternal).setActiveAdminApps( null, UserHandle.USER_SYSTEM); Loading Loading @@ -1726,8 +1723,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(defaultRestrictions), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading @@ -1742,7 +1738,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS); Loading @@ -1750,7 +1746,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1768,7 +1764,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1784,7 +1780,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); assertNoDeviceOwnerRestrictions(); Loading @@ -1798,7 +1794,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.clearUserRestriction(admin1, UserManager.DISALLOW_ADJUST_VOLUME); Loading @@ -1810,7 +1806,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_FUN); Loading @@ -1818,16 +1814,16 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), // DISALLOW_CAMERA will be applied to both local and global. // DISALLOW_CAMERA will be applied globally. MockUtils.checkUserRestrictions(UserManager.DISALLOW_FUN, UserManager.DISALLOW_ADD_USER), eq(true), eq(CAMERA_DISABLED_GLOBALLY)); UserManager.DISALLOW_ADD_USER, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER)); reset(getServices().userManagerInternal); } Loading Loading @@ -1873,7 +1869,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); dpm.addUserRestriction(admin1, UserManager.DISALLOW_OUTGOING_CALLS); Loading @@ -1881,7 +1877,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, UserManager.DISALLOW_OUTGOING_CALLS), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1904,7 +1900,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_OUTGOING_CALLS), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1925,7 +1921,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); DpmTestUtils.assertRestrictions( Loading @@ -1947,20 +1943,52 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(false), eq(CAMERA_NOT_DISABLED)); eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_ADJUST_VOLUME, UserManager.DISALLOW_UNMUTE_MICROPHONE), eq(false), eq(CAMERA_DISABLED_LOCALLY)); UserManager.DISALLOW_UNMUTE_MICROPHONE, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER)); reset(getServices().userManagerInternal); // TODO Make sure restrictions are written to the file. } public void testSetUserRestriction_asPoOfOrgOwnedDevice() throws Exception { setupProfileOwner(); final long ident = mServiceContext.binder.clearCallingIdentity(); configureContextForAccess(mServiceContext, true); mServiceContext.binder.callingUid = UserHandle.getUid(DpmMockContext.CALLER_USER_HANDLE, DpmMockContext.CALLER_MANAGED_PROVISIONING_UID); try { runAsCaller(mServiceContext, dpms, dpm -> { dpm.markProfileOwnerOnOrganizationOwnedDevice(admin1); }); } finally { mServiceContext.binder.restoreCallingIdentity(ident); } dpm.addUserRestriction(admin1, UserManager.DISALLOW_CONFIG_DATE_TIME); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)); reset(getServices().userManagerInternal); dpm.setCameraDisabled(admin1, true); verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(DpmMockContext.CALLER_USER_HANDLE), MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME, UserManager.DISALLOW_CAMERA), eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)); reset(getServices().userManagerInternal); } public void testDefaultEnabledUserRestrictions() throws Exception { mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS); Loading Loading @@ -1995,8 +2023,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(defaultRestrictions), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading Loading @@ -2038,8 +2065,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().userManagerInternal, atLeast(1)).setDevicePolicyUserRestrictions( eq(UserHandle.USER_SYSTEM), MockUtils.checkUserRestrictions(newDefaultEnabledRestriction), eq(true) /* isDeviceOwner */, eq(CAMERA_NOT_DISABLED) eq(UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) ); reset(getServices().userManagerInternal); Loading
