
Commit f6b49183 authored by Rafael Prado's avatar Rafael Prado

Introduce feature flags for all APIs that should be flag-protected.

Test: N/A No-op refactor
Flag: EXEMPT Introducing flags
Bug: 356894721
Change-Id: I0ed0461853e0f9994415252fb4a3891d6e765595
parent 489039c3
+46 −49
@@ -6395,7 +6395,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public void lockNow(int flags, String callerPackageName, boolean parent) {
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.lockNowCoexistence()) {
            caller = getCallerIdentity(callerPackageName);
        } else {
            caller = getCallerIdentity();
@@ -6407,7 +6407,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            ActiveAdmin admin;
            // Make sure the caller has any active admin with the right policy or
            // the required permission.
            if (isUnicornFlagEnabled()) {
            if (Flags.lockNowCoexistence()) {
                admin = enforcePermissionsAndGetEnforcingAdmin(
                        /* admin= */ null,
                        /* permissions= */ new String[]{MANAGE_DEVICE_POLICY_LOCK, LOCK_DEVICE},
@@ -9179,13 +9179,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeEnabledCoexistence()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
        }
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeEnabledCoexistence()) {
            // The effect of this policy is device-wide.
            enforcePermission(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
        } else {
@@ -9213,13 +9213,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return false;
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeEnabledCoexistence()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
        }
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeEnabledCoexistence()) {
            enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
        } else {
            Objects.requireNonNull(who, "ComponentName is null");
@@ -9242,13 +9242,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeZoneEnabledCoexistence()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
        }
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeZoneEnabledCoexistence()) {
            // The effect of this policy is device-wide.
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    who,
@@ -9288,13 +9288,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeZoneEnabledCoexistence()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
        }
        if (isUnicornFlagEnabled()) {
        if (Flags.setAutoTimeZoneEnabledCoexistence()) {
            // The effect of this policy is device-wide.
            enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL);
        } else {
@@ -9544,7 +9544,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
@@ -9554,7 +9554,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final int userHandle = caller.getUserId();
        int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
        synchronized (getLockObject()) {
            if (isUnicornFlagEnabled()) {
            if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
                // SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES
                EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
                        who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(),
@@ -9633,7 +9633,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        synchronized (getLockObject()) {
            if (who != null) {
                if (isUnicornFlagEnabled()) {
                if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
                    EnforcingAdmin admin = getEnforcingAdminForPackage(
                            who, who.getPackageName(), userHandle);
                    Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin(
@@ -9652,7 +9652,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            // the different behaviour between a profile with separate challenge vs a profile with
            // unified challenge, which was part of getActiveAdminsForLockscreenPoliciesLocked()
            // before the migration.
            if (isUnicornFlagEnabled()) {
            if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
                Integer features = mDevicePolicyEngine.getResolvedPolicy(
                        PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
                        affectedUserId);
@@ -11845,7 +11845,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            throw new IllegalArgumentException("Invalid package name: " + validationResult);
        }
        if (isUnicornFlagEnabled()) {
        if (Flags.setApplicationRestrictionsCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    who,
                    MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
@@ -13228,7 +13228,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            String packageName, boolean parent) {
        final CallerIdentity caller = getCallerIdentity(who, callerPackage);
        if (isUnicornFlagEnabled()) {
        // IMPORTANT: The code behind the if branch is OUTDATED and requires additional work before
        // enabling the feature flag below.
        // TODO(b/369141952): Update DPM.getApplicationRestrictions coexistence code
        if (Flags.setApplicationRestrictionsCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin(
                    who,
                    MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
@@ -13328,14 +13331,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final CallerIdentity caller = getCallerIdentity(who, callerPackage);
        ActiveAdmin admin;
        if (isUnicornFlagEnabled()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    who,
                    MANAGE_DEVICE_POLICY_PACKAGE_STATE,
                    caller.getPackageName(),
                    caller.getUserId());
            admin = enforcingAdmin.getActiveAdmin();
        } else {
        Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
                || (caller.hasPackage() && isCallerDelegate(caller,
@@ -13343,7 +13338,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        synchronized (getLockObject()) {
            admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId());
        }
        }
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_PACKAGES_SUSPENDED);
        // Must remove the exempt apps from the input before calling PM, then add them back to
@@ -15585,12 +15579,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public boolean setStatusBarDisabled(ComponentName who, String callerPackageName,
            boolean disabled) {
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (isSetStatusBarDisabledCoexistenceEnabled()) {
            caller = getCallerIdentity(who, callerPackageName);
        } else {
            caller = getCallerIdentity(who);
        }
        if (isUnicornFlagEnabled()) {
        if (isSetStatusBarDisabledCoexistenceEnabled()) {
            enforcePermission(MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(),
                    UserHandle.USER_ALL);
        } else {
@@ -15601,7 +15595,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        int userId = caller.getUserId();
        synchronized (getLockObject()) {
            if (!isUnicornFlagEnabled()) {
            if (!isSetStatusBarDisabledCoexistenceEnabled()) {
                Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
                        "Admin " + who + " is neither the device owner or affiliated "
                                + "user's profile owner.");
@@ -15660,7 +15654,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public boolean isStatusBarDisabled(String callerPackage) {
        final CallerIdentity caller = getCallerIdentity(callerPackage);
        if (isUnicornFlagEnabled()) {
        if (isSetStatusBarDisabledCoexistenceEnabled()) {
            enforceCanQuery(
                    MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(), caller.getUserId());
        } else {
@@ -15670,7 +15664,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        int userId = caller.getUserId();
        synchronized (getLockObject()) {
            if (!isUnicornFlagEnabled()) {
            if (!isSetStatusBarDisabledCoexistenceEnabled()) {
                Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
                        "Admin " + callerPackage
                                + " is neither the device owner or affiliated user's profile owner.");
@@ -16862,7 +16856,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            }
        }
        EnforcingAdmin enforcingAdmin;
        if (isUnicornFlagEnabled()) {
        if (Flags.setPermissionGrantStateCoexistence()) {
            enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
@@ -17047,7 +17041,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public int getPermissionGrantState(ComponentName admin, String callerPackage,
            String packageName, String permission) throws RemoteException {
        final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
        if (isUnicornFlagEnabled()) {
        if (Flags.setPermissionGrantStateCoexistence()) {
            enforceCanQuery(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, caller.getPackageName(),
                    caller.getUserId());
        } else {
@@ -19331,14 +19325,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            throw new IllegalArgumentException("token must be at least 32-byte long");
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            caller = getCallerIdentity(admin, callerPackageName);
        } else {
            caller = getCallerIdentity(admin);
        }
        final int userId = caller.getUserId();
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19394,7 +19388,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return false;
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            caller = getCallerIdentity(admin, callerPackageName);
        } else {
            caller = getCallerIdentity(admin);
@@ -19402,7 +19396,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final int userId = caller.getUserId();
        boolean result = false;
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19441,14 +19435,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return false;
        }
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            caller = getCallerIdentity(admin, callerPackageName);
        } else {
            caller = getCallerIdentity(admin);
        }
        int userId = caller.getUserId();
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19490,7 +19484,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Objects.requireNonNull(token);
        CallerIdentity caller;
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            caller = getCallerIdentity(admin, callerPackageName);
        } else {
            caller = getCallerIdentity(admin);
@@ -19500,7 +19494,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        boolean result = false;
        final String password = passwordOrNull != null ? passwordOrNull : "";
        if (isUnicornFlagEnabled()) {
        if (Flags.resetPasswordWithTokenCoexistence()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19531,7 +19525,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        if (result) {
            if (isUnicornFlagEnabled()) {
            if (Flags.resetPasswordWithTokenCoexistence()) {
                DevicePolicyEventLogger
                        .createEvent(DevicePolicyEnums.RESET_PASSWORD_WITH_TOKEN)
                        .setAdmin(callerPackageName)
@@ -23812,7 +23806,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG);
    }
    static boolean isUnicornFlagEnabled() {
    private static boolean isSetStatusBarDisabledCoexistenceEnabled() {
        return false;
    }
@@ -24255,8 +24249,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                synchronized (getLockObject()) {
                    Slogf.i(LOG_TAG,
                            "Started device policies migration to the device policy engine.");
                    if (isUnicornFlagEnabled()) {
                    // TODO(b/359188869): Move this to the current migration method.
                    if (Flags.setAutoTimeZoneEnabledCoexistence()) {
                        migrateAutoTimezonePolicy();
                    }
                    if (Flags.setPermissionGrantStateCoexistence()) {
                        migratePermissionGrantStatePolicies();
                    }
                    migratePermittedInputMethodsPolicyLocked();
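Review bot: The hunk at `@@ -13228,7 +13228,10 @@` gates a branch that its own new comment calls OUTDATED on `Flags.setApplicationRestrictionsCoexistence()`, the same flag the setter hunk at `@@ -11845,7 +11845,7 @@` uses. Turning the flag on for the setter therefore also switches the query path to the `enforceCanQueryAndGetEnforcingAdmin` branch that is known not to be ready, and only a comment stands in the way. Because this branch selects which authorization check runs, it would be safer to hold it behind a constant until b/369141952 is resolved, as this commit does for the status bar with `isSetStatusBarDisabledCoexistenceEnabled()`: for example `if (isGetApplicationRestrictionsCoexistenceEnabled()) {` backed by a private static helper returning `false` (the helper name is a proposal, it is not on the page). The method begins and ends outside the hunk, so its else branch is not visible here. Separately, "No-op refactor" holds only if every new `Flags.*` value is off by default, which the page does not show.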
+2 −2
@@ -78,7 +78,7 @@ final class PolicyEnforcerCallbacks {
    }

    static boolean setAutoTimezoneEnabled(@Nullable Boolean enabled, @NonNull Context context) {
        if (!DevicePolicyManagerService.isUnicornFlagEnabled()) {
        if (!Flags.setAutoTimeZoneEnabledCoexistence()) {
            Slogf.w(LOG_TAG, "Trying to enforce setAutoTimezoneEnabled while flag is off.");
            return true;
        }
@@ -95,7 +95,7 @@ final class PolicyEnforcerCallbacks {
    static boolean setPermissionGrantState(
            @Nullable Integer grantState, @NonNull Context context, int userId,
            @NonNull PolicyKey policyKey) {
        if (!DevicePolicyManagerService.isUnicornFlagEnabled()) {
        if (!Flags.setPermissionGrantStateCoexistence()) {
            Slogf.w(LOG_TAG, "Trying to enforce setPermissionGrantState while flag is off.");
            return true;
        }
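Review bot: Both guards, in `setAutoTimezoneEnabled` and in `setPermissionGrantState`, return `true` when their flag is off, so the caller is told the policy was enforced although nothing was applied and the only trace is a `Slogf.w` line. With one shared guard that appears to have been a constant, this state was uniform; with per-API flags, a policy recorded while a flag was on may be reported as enforced after that flag is turned off. Either document why success is the right answer, e.g. `// Flag off: the legacy path in DevicePolicyManagerService applies this policy, so there is nothing to enforce here.` if that is indeed the case, or return `false` so the skipped enforcement is visible to the caller. Both method bodies continue outside the hunks.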