Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +34 −140 Original line number Diff line number Diff line Loading @@ -872,17 +872,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { "enable_permission_based_access"; private static final boolean DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG = false; private static final String ENABLE_DEVICE_POLICY_ENGINE_FOR_FINANCE_FLAG = "enable_device_policy_engine"; private static final boolean DEFAULT_ENABLE_DEVICE_POLICY_ENGINE_FOR_FINANCE_FLAG = true; // TODO(b/265683382) remove the flag after rollout. public static final boolean DEFAULT_KEEP_PROFILES_RUNNING_FLAG = false; // TODO(b/261999445) remove the flag after rollout. private static final String HEADLESS_FLAG = "headless"; private static final boolean DEFAULT_HEADLESS_FLAG = true; // TODO(b/266831522) remove the flag after rollout. private static final String APPLICATION_EXEMPTIONS_FLAG = "application_exemptions"; private static final boolean DEFAULT_APPLICATION_EXEMPTIONS_FLAG = true; Loading Loading @@ -4025,7 +4017,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private void clearDeviceOwnerUserRestriction(UserHandle userHandle) { if (isHeadlessFlagEnabled()) { for (int userId : mUserManagerInternal.getUserIds()) { UserHandle user = UserHandle.of(userId); // ManagedProvisioning/DPC sets DISALLOW_ADD_USER. Clear to recover to the Loading Loading 
@@ -4060,40 +4051,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { false, user); } } } else { // ManagedProvisioning/DPC sets DISALLOW_ADD_USER. Clear to recover to the original state if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_USER, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, userHandle); } // When a device owner is set, the system automatically restricts adding a // managed profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, false, userHandle); } // When a device owner is set, the system automatically restricts adding a clone // profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, false, userHandle); } // When a device owner is set, the system automatically restricts adding a // private profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, false, userHandle); } } } /** Loading Loading 
@@ -7956,14 +7914,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { hasCallingOrSelfPermission(permission.TRIGGER_LOST_MODE)); synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); Preconditions.checkState(admin != null, "Lost mode location updates can only be sent on an organization-owned device."); mInjector.binderWithCleanCallingIdentity(() -> { Loading Loading @@ -9449,7 +9401,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // profile, such that the admin on that managed profile has extended management // capabilities that can affect the entire device (but not access private data // on the primary profile). if (isHeadlessFlagEnabled()) { for (int u : mUserManagerInternal.getUserIds()) { mUserManager.setUserRestriction( UserManager.DISALLOW_ADD_MANAGED_PROFILE, true, Loading 
@@ -9467,21 +9418,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { true, UserHandle.of(u)); } } else { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, true, UserHandle.of(userId)); // Restrict adding a clone profile when a device owner is set on the device. // That is to prevent the co-existence of a clone profile and a device owner // on the same device. // CDD for reference : https://source.android.com/compatibility/12/android-12-cdd#95_multi-user_support mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, true, UserHandle.of(userId)); mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, true, UserHandle.of(userId)); } // TODO Send to system too? sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, userId); }); Loading Loading @@ -20119,14 +20056,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { // Only DO or COPE PO can turn on CC mode, so take a shortcut here and only look at // their ActiveAdmin, instead of iterating through all admins. ActiveAdmin admin; // TODO(b/261999445): remove if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return admin != null ? admin.mCommonCriteriaMode : false; } } Loading Loading @@ -21393,7 +21324,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private void disallowAddUser() { if (!isHeadlessFlagEnabled() || mIsAutomotive) { if (mIsAutomotive) { // Auto still enables adding users due to the communal nature of those devices if (mInjector.userManagerIsHeadlessSystemUserMode()) { Slogf.i(LOG_TAG, "Not setting DISALLOW_ADD_USER on headless system user mode."); Loading Loading 
@@ -21711,14 +21642,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private boolean isUsbDataSignalingEnabledInternalLocked() { // TODO(b/261999445): remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return admin == null || admin.mUsbDataSignalingEnabled; } Loading Loading @@ -21785,14 +21709,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public int getMinimumRequiredWifiSecurityLevel() { synchronized (getLockObject()) { ActiveAdmin admin; // TODO(b/261999445): remove if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return (admin == null) ? DevicePolicyManager.WIFI_SECURITY_OPEN : admin.mWifiMinimumSecurityLevel; } Loading Loading @@ -23169,16 +23086,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isProfileOwnerOfOrganizationOwnedDevice(caller)); } synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } if (admin != null) { final String memtagProperty = "arm64.memtag.bootctl"; Loading Loading 
@@ -23211,29 +23120,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isSystemUid(caller)); } synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } return admin != null ? admin.mtePolicy : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; } } private boolean isHeadlessFlagEnabled() { return DeviceConfig.getBoolean( NAMESPACE_DEVICE_POLICY_MANAGER, HEADLESS_FLAG, DEFAULT_HEADLESS_FLAG); } @Override public ManagedSubscriptionsPolicy getManagedSubscriptionsPolicy() { synchronized (getLockObject()) { Loading
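Review bot: With the `headless` DeviceConfig switch removed, `isUsbDataSignalingEnabledInternalLocked()` and `getMinimumRequiredWifiSecurityLevel()` depend entirely on the no-argument `getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked()` lookup, and both return the permissive value when it yields null (`admin == null || admin.mUsbDataSignalingEnabled`, `WIFI_SECURITY_OPEN`). The Common Criteria mode and MTE policy getters have the same shape (`false`, `MTE_NOT_CONTROLLED_BY_POLICY`). The deleted `TODO(b/261999445)` lines were the only hint at why the `UserHandle.USER_SYSTEM` overload was dropped, so I would leave a short comment at these call sites, for example `// No-arg lookup: the DO / COPE PO is not assumed to be on USER_SYSTEM (headless system user mode).`; the overload's body is not in this diff, so confirm that wording against it. Separately, in `clearDeviceOwnerUserRestriction(UserHandle userHandle)` the visible lines no longer read `userHandle` once the else branch is gone. Part of the loop body lies outside the hunks, so if the parameter is indeed unused, drop it or document why it is kept.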
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +34 −140 Original line number Diff line number Diff line Loading @@ -872,17 +872,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { "enable_permission_based_access"; private static final boolean DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG = false; private static final String ENABLE_DEVICE_POLICY_ENGINE_FOR_FINANCE_FLAG = "enable_device_policy_engine"; private static final boolean DEFAULT_ENABLE_DEVICE_POLICY_ENGINE_FOR_FINANCE_FLAG = true; // TODO(b/265683382) remove the flag after rollout. public static final boolean DEFAULT_KEEP_PROFILES_RUNNING_FLAG = false; // TODO(b/261999445) remove the flag after rollout. private static final String HEADLESS_FLAG = "headless"; private static final boolean DEFAULT_HEADLESS_FLAG = true; // TODO(b/266831522) remove the flag after rollout. private static final String APPLICATION_EXEMPTIONS_FLAG = "application_exemptions"; private static final boolean DEFAULT_APPLICATION_EXEMPTIONS_FLAG = true; Loading Loading @@ -4025,7 +4017,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private void clearDeviceOwnerUserRestriction(UserHandle userHandle) { if (isHeadlessFlagEnabled()) { for (int userId : mUserManagerInternal.getUserIds()) { UserHandle user = UserHandle.of(userId); // ManagedProvisioning/DPC sets DISALLOW_ADD_USER. Clear to recover to the Loading Loading 
@@ -4060,40 +4051,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { false, user); } } } else { // ManagedProvisioning/DPC sets DISALLOW_ADD_USER. Clear to recover to the original state if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_USER, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, userHandle); } // When a device owner is set, the system automatically restricts adding a // managed profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, false, userHandle); } // When a device owner is set, the system automatically restricts adding a clone // profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, false, userHandle); } // When a device owner is set, the system automatically restricts adding a // private profile. // Remove this restriction when the device owner is cleared. if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, false, userHandle); } } } /** Loading Loading 
@@ -7956,14 +7914,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { hasCallingOrSelfPermission(permission.TRIGGER_LOST_MODE)); synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); Preconditions.checkState(admin != null, "Lost mode location updates can only be sent on an organization-owned device."); mInjector.binderWithCleanCallingIdentity(() -> { Loading Loading @@ -9449,7 +9401,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // profile, such that the admin on that managed profile has extended management // capabilities that can affect the entire device (but not access private data // on the primary profile). if (isHeadlessFlagEnabled()) { for (int u : mUserManagerInternal.getUserIds()) { mUserManager.setUserRestriction( UserManager.DISALLOW_ADD_MANAGED_PROFILE, true, Loading 
@@ -9467,21 +9418,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { true, UserHandle.of(u)); } } else { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, true, UserHandle.of(userId)); // Restrict adding a clone profile when a device owner is set on the device. // That is to prevent the co-existence of a clone profile and a device owner // on the same device. // CDD for reference : https://source.android.com/compatibility/12/android-12-cdd#95_multi-user_support mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_CLONE_PROFILE, true, UserHandle.of(userId)); mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, true, UserHandle.of(userId)); } // TODO Send to system too? sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, userId); }); Loading Loading @@ -20119,14 +20056,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { synchronized (getLockObject()) { // Only DO or COPE PO can turn on CC mode, so take a shortcut here and only look at // their ActiveAdmin, instead of iterating through all admins. ActiveAdmin admin; // TODO(b/261999445): remove if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return admin != null ? admin.mCommonCriteriaMode : false; } } Loading Loading @@ -21393,7 +21324,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private void disallowAddUser() { if (!isHeadlessFlagEnabled() || mIsAutomotive) { if (mIsAutomotive) { // Auto still enables adding users due to the communal nature of those devices if (mInjector.userManagerIsHeadlessSystemUserMode()) { Slogf.i(LOG_TAG, "Not setting DISALLOW_ADD_USER on headless system user mode."); Loading Loading 
@@ -21711,14 +21642,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } private boolean isUsbDataSignalingEnabledInternalLocked() { // TODO(b/261999445): remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return admin == null || admin.mUsbDataSignalingEnabled; } Loading Loading @@ -21785,14 +21709,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public int getMinimumRequiredWifiSecurityLevel() { synchronized (getLockObject()) { ActiveAdmin admin; // TODO(b/261999445): remove if (isHeadlessFlagEnabled()) { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); return (admin == null) ? DevicePolicyManager.WIFI_SECURITY_OPEN : admin.mWifiMinimumSecurityLevel; } Loading Loading @@ -23169,16 +23086,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isProfileOwnerOfOrganizationOwnedDevice(caller)); } synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } if (admin != null) { final String memtagProperty = "arm64.memtag.bootctl"; Loading Loading 
@@ -23211,29 +23120,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { || isSystemUid(caller)); } synchronized (getLockObject()) { // TODO(b/261999445): Remove ActiveAdmin admin; if (isHeadlessFlagEnabled()) { admin = ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); } else { admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); } return admin != null ? admin.mtePolicy : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; } } private boolean isHeadlessFlagEnabled() { return DeviceConfig.getBoolean( NAMESPACE_DEVICE_POLICY_MANAGER, HEADLESS_FLAG, DEFAULT_HEADLESS_FLAG); } @Override public ManagedSubscriptionsPolicy getManagedSubscriptionsPolicy() { synchronized (getLockObject()) {