Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f13a6fb6 authored by Alex Johnston's avatar Alex Johnston
Browse files

Add new APIs to control modification of admin configured networks 

* Historically, only the device owner could prevent the user from modifying
  networks that have been configured by the device owner.
* In New COPE mode, the COPE profile owner should now be able to prevent the
  user from modifying networks as well as the device owner.
* This CL adds new APIs which are callable by the device owner or profile
  owner of an organization-owned managed profile. These new API can be used
  to toggle the global setting WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, instead of
  setting the global setting directly.
* This CL only affects networks configured by the admin, is does not prevent
  the user from creating more network configurations.

Bug: 147476790
Test: manual testing with TestDPC
      atest com.android.server.devicepolicy.DevicePolicyManagerTest
      atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAdminConfiguredNetworks
      atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testAdminConfiguredNetworks

Change-Id: Ia16e639922bb08cdacd9a3766d978ac150b693c5
parent bfcda416

api/current.txt

+2 −0
Original line number Diff line number Diff line
@@ -6836,6 +6836,7 @@ package android.app.admin { 
    method public boolean isDeviceOwnerApp(String);

    method public boolean isEphemeralUser(@NonNull android.content.ComponentName);

    method public boolean isLockTaskPermitted(String);

    method public boolean isLockdownAdminConfiguredNetworks(@NonNull android.content.ComponentName);

    method public boolean isLogoutEnabled();

    method public boolean isManagedProfile(@NonNull android.content.ComponentName);

    method public boolean isMasterVolumeMuted(@NonNull android.content.ComponentName);
@@ -6900,6 +6901,7 @@ package android.app.admin { 
    method public void setLocationEnabled(@NonNull android.content.ComponentName, boolean);

    method public void setLockTaskFeatures(@NonNull android.content.ComponentName, int);

    method public void setLockTaskPackages(@NonNull android.content.ComponentName, @NonNull String[]) throws java.lang.SecurityException;

    method public void setLockdownAdminConfiguredNetworks(@NonNull android.content.ComponentName, boolean);

    method public void setLogoutEnabled(@NonNull android.content.ComponentName, boolean);

    method public void setLongSupportMessage(@NonNull android.content.ComponentName, @Nullable CharSequence);

    method public void setMasterVolumeMuted(@NonNull android.content.ComponentName, boolean);

core/java/android/app/admin/DevicePolicyManager.java

+49 −0
Original line number Diff line number Diff line
@@ -8604,6 +8604,55 @@ public class DevicePolicyManager { 
        }

    }













    /**













     * Called by a device owner or a profile owner of an organization-owned managed profile to













     * control whether the user can change networks configured by the admin.













     * <p>













     * WiFi network configuration lockdown is controlled by a global settings













     * {@link android.provider.Settings.Global#WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN} and calling













     * this API effectively modifies the global settings. Previously device owners can also













     * control this directly via {@link #setGlobalSetting} but they are recommended to switch













     * to this API.













     *













     * @param admin             admin Which {@link DeviceAdminReceiver} this request is associated













     *                          with.













     * @param lockdown Whether the admin configured networks should be unmodifiable by the













     *                          user.













     * @throws SecurityException if caller is not a device owner or a profile owner of an













     *                           organization-owned managed profile.













     */













    public void setLockdownAdminConfiguredNetworks(@NonNull ComponentName admin, boolean lockdown) {













        throwIfParentInstance("setLockdownAdminConfiguredNetworks");













        if (mService != null) {













            try {













                mService.setLockdownAdminConfiguredNetworks(admin, lockdown);













            } catch (RemoteException e) {













                throw e.rethrowFromSystemServer();













            }













        }













    }

























    /**













     * Called by a device owner or a profile owner of an organization-owned managed profile to













     * determine whether the user is prevented from modifying networks configured by the admin.













     *













     * @param admin             admin Which {@link DeviceAdminReceiver} this request is associated













     *                          with.













     * @throws SecurityException if caller is not a device owner or a profile owner of an













     *                           organization-owned managed profile.













     */













    public boolean isLockdownAdminConfiguredNetworks(@NonNull ComponentName admin) {













        throwIfParentInstance("setLockdownAdminConfiguredNetworks");













        if (mService != null) {













            try {













                return mService.isLockdownAdminConfiguredNetworks(admin);













            } catch (RemoteException e) {













                throw e.rethrowFromSystemServer();













            }













        }













        return false;













    }



























    /**















     * Called by a device owner or a profile owner of an organization-owned managed















     * profile to set the system wall clock time. This only takes effect if called when

































core/java/android/app/admin/IDevicePolicyManager.aidl



+3
−0




























Original line number
Diff line number
Diff line








@@ -263,6 +263,9 @@ interface IDevicePolicyManager {













    void setSystemSetting(in ComponentName who, in String setting, in String value);















    void setSecureSetting(in ComponentName who, in String setting, in String value);





























    void setLockdownAdminConfiguredNetworks(in ComponentName who, boolean lockdown);













    boolean isLockdownAdminConfiguredNetworks(in ComponentName who);





























    void setLocationEnabled(in ComponentName who, boolean locationEnabled);































    boolean setTime(in ComponentName who, long millis);

































core/proto/android/stats/devicepolicy/device_policy_enums.proto



+1
−0




























Original line number
Diff line number
Diff line








@@ -156,4 +156,5 @@ enum EventId {













  SET_PACKAGES_PROTECTED = 129;















  SET_FACTORY_RESET_PROTECTION = 130;















  SET_COMMON_CRITERIA_MODE = 131;













  ALLOW_MODIFICATION_OF_ADMIN_CONFIGURED_NETWORKS = 132;















}
























services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java



+31
−0




























Original line number
Diff line number
Diff line








@@ -11343,6 +11343,37 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {













        }















    }



























    @Override













    public void setLockdownAdminConfiguredNetworks(ComponentName who, boolean lockdown) {













        if (!mHasFeature) {













            return;













        }













        Preconditions.checkNotNull(who, "ComponentName is null");













        enforceDeviceOwnerOrProfileOwnerOnOrganizationOwnedDevice(who);

























        mInjector.binderWithCleanCallingIdentity(() ->













                mInjector.settingsGlobalPutInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN,













                        lockdown ? 1 : 0));

























        DevicePolicyEventLogger













                .createEvent(DevicePolicyEnums.ALLOW_MODIFICATION_OF_ADMIN_CONFIGURED_NETWORKS)













                .setAdmin(who)













                .setBoolean(lockdown)













                .write();













    }

























    @Override













    public boolean isLockdownAdminConfiguredNetworks(ComponentName who) {













        if (!mHasFeature) {













            return false;













        }













        Preconditions.checkNotNull(who, "ComponentName is null");













        enforceDeviceOwnerOrProfileOwnerOnOrganizationOwnedDevice(who);

























        return mInjector.binderWithCleanCallingIdentity(() ->













                mInjector.settingsGlobalGetInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0) > 0);













    }



























    @Override















    public void setLocationEnabled(ComponentName who, boolean locationEnabled) {















        Objects.requireNonNull(who, "ComponentName is null");