Merge "User restriction to block adding SIMs" into main

    field public static final String DISALLOW_SHARE_INTO_MANAGED_PROFILE = "no_sharing_into_profile";

    field public static final String DISALLOW_SHARE_LOCATION = "no_share_location";

    field public static final String DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI = "no_sharing_admin_configured_wifi";

    field @FlaggedApi("android.app.admin.flags.esim_management_enabled") public static final String DISALLOW_SIM_GLOBALLY = "no_sim_globally";

    field public static final String DISALLOW_SMS = "no_sms";

    field public static final String DISALLOW_SYSTEM_ERROR_DIALOGS = "no_system_error_dialogs";

    field @FlaggedApi("com.android.net.thread.flags.thread_user_restriction_enabled") public static final String DISALLOW_THREAD_NETWORK = "no_thread_network";

  description: "Emit a security log event when DPM.setBackupServiceEnabled is called"

  bug: "304999634"

}

flag {

  name: "esim_management_enabled"

  namespace: "enterprise"

  description: "Enable APIs to provision and manage eSIMs"

  bug: "295301164"

}

    @FlaggedApi("com.android.net.thread.flags.thread_user_restriction_enabled")

    public static final String DISALLOW_THREAD_NETWORK = "no_thread_network";

    /**

     * This user restriction specifies if the user is able to add SIMs to the device.

     *

     * <p>

     * This restriction blocks the download of embedded SIMs, and disables any physical SIMs.

     * If any embedded SIMs are already on the device, then they are removed. This restriction

     * does not affect SIMs provisioned to the device by device owners or profile owners.

     *

     * <p>

     * This restriction can only be set by a device owner or a profile owner of an

     * organization-owned managed profile.

     * In both cases, the restriction applies globally on the device.

     *

     * <p>

     * Holders of the permission

     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_MOBILE_NETWORK}

     * can set this restriction using the DevicePolicyManager APIs mentioned below.

     *

     * <p>Default is <code>false</code>.

     *

     * <p>Key for user restrictions.

     * <p>Type: Boolean

     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)

     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)

     * @see #getUserRestrictions()

     */

    @FlaggedApi(android.app.admin.flags.Flags.FLAG_ESIM_MANAGEMENT_ENABLED)

    public static final String DISALLOW_SIM_GLOBALLY =

            "no_sim_globally";

    /**

     * List of key values that can be passed into the various user restriction related methods

     * in {@link UserManager} & {@link DevicePolicyManager}.

            DISALLOW_GRANT_ADMIN,

            DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO,

            DISALLOW_THREAD_NETWORK,

            DISALLOW_SIM_GLOBALLY,

    })

    @Retention(RetentionPolicy.SOURCE)

    public @interface UserRestrictionKey {}

            UserManager.DISALLOW_CELLULAR_2G,

            UserManager.DISALLOW_ULTRA_WIDEBAND_RADIO,

            UserManager.DISALLOW_CONFIG_DEFAULT_APPS,

            UserManager.DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO

            UserManager.DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO,

            UserManager.DISALLOW_SIM_GLOBALLY

    });

    public static final Set<String> DEPRECATED_USER_RESTRICTIONS = Sets.newArraySet(

     * Special user restrictions that profile owner of an organization-owned managed profile can

     * set on the parent profile instance to apply them globally.

     */

    private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS =

    private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_PARENT_GLOBAL_RESTRICTIONS =

            Sets.newArraySet(

                    UserManager.DISALLOW_AIRPLANE_MODE,

                    UserManager.DISALLOW_CONFIG_DATE_TIME,

                    UserManager.DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO

            );

    /**

     * Special user restrictions that profile owner of an organization-owned managed profile can

     * set on the profile, which regular profile owners cannot set.

     */

    private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_PROFILE_RESTRICTIONS =

            Sets.newArraySet(

                    UserManager.DISALLOW_SIM_GLOBALLY

            );

    /**

     * Special user restrictions that profile owner of an organization-owned managed profile can

     * set on the parent profile instance to apply them on the personal profile.

    private static final Set<String> PROFILE_GLOBAL_RESTRICTIONS = Sets.newArraySet(

            UserManager.ENSURE_VERIFY_APPS,

            UserManager.DISALLOW_AIRPLANE_MODE,

            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY

            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY,

            UserManager.DISALLOW_SIM_GLOBALLY

    );

    /**

    }

    /**

     * @return true if a restriction is settable by profile owner.  Note it takes a boolean to say

     * if the relevant user is the {@link UserManager#isMainUser() MainUser}, because some

     * restrictions can be changed by PO only when it's running on the main user.

     * Checks whether a restriction is settable by a profile owner

     *

     * <p> Whether a restriction is settable by a profile owner is a property of the restriction and

     * defined statically by the restriction. It may depend on other context information, such

     * as whether the relevant user is the {@link UserManager#isMainUser() MainUser}.

     *

     * @param restriction the restrictions to check

     * @param isMainUser true if the relevant user is the {@link UserManager#isMainUser() MainUser}.

     *                   Some restrictions can be changed by PO only when it's running on the main

     *                   user.

     * @param isProfileOwnerOnOrgOwnedDevice true if the relevant user is the profile owner of an

     *                                       organization owned device. Some restrictions can only

     *                                       be set by PO when it's running as the profile owner

     *                                       on an organization owned device.

     * @return true if a restriction is settable by a profile owner

     */

    public static boolean canProfileOwnerChange(String restriction, boolean isMainUser) {

    public static boolean canProfileOwnerChange(

            String restriction,

            boolean isMainUser,

            boolean isProfileOwnerOnOrgOwnedDevice) {

        if (android.app.admin.flags.Flags.esimManagementEnabled()) {

            if (IMMUTABLE_BY_OWNERS.contains(restriction)) {

                return false;

            }

            if (DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)) {

                return false;

            }

            if (!isMainUser && MAIN_USER_ONLY_RESTRICTIONS.contains(restriction)) {

                return false;

            }

            if (!isProfileOwnerOnOrgOwnedDevice

                    && PROFILE_OWNER_ORGANIZATION_OWNED_PROFILE_RESTRICTIONS.contains(

                            restriction)) {

                return false;

            }

            return true;

        }

        return !IMMUTABLE_BY_OWNERS.contains(restriction)

                && !DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)

                && !(!isMainUser && MAIN_USER_ONLY_RESTRICTIONS.contains(restriction));

    }

    /**

     * @return true if a restriction is settable by profile owner of an organization owned device.

     * Checks whether a restriction is settable by a profile owner on the parent instance

     * of an organization owned device.

     *

     * <p> Whether a restriction is settable by a profile owner is a property of the restriction and

     * defined statically by the restriction.

     *

     * <p> Note: This is used to check whether a restriction can be set by a profile owner

     *     on the parent instance.

     *

     * @param restriction the restrictions to check

     * @return true if a restriction is settable by a profile owner on the parent instance

     */

    public static boolean canProfileOwnerOfOrganizationOwnedDeviceChange(String restriction) {

        return PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(restriction)

    public static boolean canParentOfProfileOwnerOfOrganizationOwnedDeviceChange(

            String restriction) {

        return PROFILE_OWNER_ORGANIZATION_OWNED_PARENT_GLOBAL_RESTRICTIONS.contains(restriction)

                || PROFILE_OWNER_ORGANIZATION_OWNED_LOCAL_RESTRICTIONS.contains(restriction);

    }

                MAIN_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)))

                || ((restrictionOwnerType

                == UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)

                && PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key))

                && (PROFILE_OWNER_ORGANIZATION_OWNED_PARENT_GLOBAL_RESTRICTIONS.contains(key)))

                || PROFILE_GLOBAL_RESTRICTIONS.contains(key)

                || DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key);

    }

            return;

        }

        for (final String restriction : doAdmin.userRestrictions.keySet()) {

            if (UserRestrictionsUtils.canProfileOwnerOfOrganizationOwnedDeviceChange(restriction)) {

            if (UserRestrictionsUtils.canParentOfProfileOwnerOfOrganizationOwnedDeviceChange(

                    restriction)) {

                parentAdmin.ensureUserRestrictions().putBoolean(

                        restriction, doAdmin.userRestrictions.getBoolean(restriction));

            }

    }

    private void checkAdminCanSetRestriction(CallerIdentity caller, boolean parent, String key) {

        boolean isProfileOwnerOfOrganizationOwnedDevice =

                isProfileOwnerOfOrganizationOwnedDevice(caller);

        if (parent) {

            Preconditions.checkCallAuthorization(

                    isProfileOwnerOfOrganizationOwnedDevice(caller));

                    isProfileOwnerOfOrganizationOwnedDevice);

        } else {

            Preconditions.checkCallAuthorization(

                    isDeviceOwner(caller) || isProfileOwner(caller));

            } else {

                boolean profileOwnerCanChangeOnItself = !parent

                        && UserRestrictionsUtils.canProfileOwnerChange(

                        key, caller.getUserId() == getMainUserId());

                            key,

                            caller.getUserId() == getMainUserId(),

                            isProfileOwnerOfOrganizationOwnedDevice);

                boolean orgOwnedProfileOwnerCanChangeGlobally = parent

                        && isProfileOwnerOfOrganizationOwnedDevice(caller)

                        && UserRestrictionsUtils.canProfileOwnerOfOrganizationOwnedDeviceChange(

                        key);

                        && isProfileOwnerOfOrganizationOwnedDevice

                        && UserRestrictionsUtils

                            .canParentOfProfileOwnerOfOrganizationOwnedDeviceChange(key);

                if (!profileOwnerCanChangeOnItself && !orgOwnedProfileOwnerCanChangeGlobally) {

                    throw new SecurityException("Profile owner cannot set user restriction "

                UserManager.DISALLOW_WIFI_TETHERING, new String[]{MANAGE_DEVICE_POLICY_WIFI});

        USER_RESTRICTION_PERMISSIONS.put(

                UserManager.ENSURE_VERIFY_APPS, new String[]{MANAGE_DEVICE_POLICY_INSTALL_UNKNOWN_SOURCES});

        USER_RESTRICTION_PERMISSIONS.put(

                UserManager.DISALLOW_SIM_GLOBALLY,

                new String[]{MANAGE_DEVICE_POLICY_MOBILE_NETWORK});

        // Restrictions not allowed to be set by admins.

        USER_RESTRICTION_PERMISSIONS.put(