author Priyanka Advani (xWF) <padvani@google.com> 2024-08-30 22:10:24 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2024-08-30 22:10:24 +0000
commit1e86bd39ecead37d15ce75fde80429c2bb3256a9 (patch)
treea9493624a6bb6bac1d16645011b49d39aa5255ec
parent66513108fec466c45fb55006982bb3ad8b2e7b69 (diff)
parent41a748103e1b50a726f5dbb3c42c57360b50ee8d (diff)
Merge changes from topic "revert-28993807-hdop-cleaup-KJEMMYZIMI" into main
* changes: Revert "Clean up fully rolled out DeletePrivateSpaceUnderRestriction" Revert "Clean up fully rolled out PolicyEngineMigrationV2Enabled" Revert "Clean up fully rolled out HeadlessDeviceOwnerDelegateSec..." Revert "Clean up fully rolled out DmrhSetAppRestrictions" Revert "Clean up fully rolled out DevicePolicySizeTrackingIntern..." Revert "Clean up fully rolled out AllowScreenBrightnessControlOnCope" Revert "Clean up fully rolled out PermissionMigrationForZeroTrus..." Revert "Clean up fully rolled out HeadlessSingleUserFixes" Revert "Clean up fully rolled out HeadlessDeviceOwnerProvisionin..."
-rw-r--r--core/api/current.txt4
-rw-r--r--core/api/test-current.txt8
-rw-r--r--core/java/android/app/admin/AccountTypePolicyKey.java5
-rw-r--r--core/java/android/app/admin/BundlePolicyValue.java5
-rw-r--r--core/java/android/app/admin/ComponentNamePolicyValue.java5
-rw-r--r--core/java/android/app/admin/DevicePolicyIdentifiers.java4
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java33
-rw-r--r--core/java/android/app/admin/EnforcingAdmin.java4
-rw-r--r--core/java/android/app/admin/LockTaskPolicy.java7
-rw-r--r--core/java/android/app/admin/PackagePermissionPolicyKey.java7
-rw-r--r--core/java/android/app/admin/PackagePolicyKey.java5
-rw-r--r--core/java/android/app/admin/PackageSetPolicyValue.java7
-rw-r--r--core/java/android/app/admin/StringPolicyValue.java5
-rw-r--r--core/java/android/app/admin/UserRestrictionPolicyKey.java5
-rw-r--r--core/java/android/app/admin/flags/flags.aconfig75
-rw-r--r--packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt4
-rw-r--r--packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt3
-rw-r--r--packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java8
-rw-r--r--packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt8
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java5
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java90
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java201
22 files changed, 397 insertions, 101 deletions
diff --git a/core/api/current.txt b/core/api/current.txt
index ddfd364cc55d..4e6dacff290e 100644
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -7964,13 +7964,13 @@ package android.app.admin {
field public static final String LOCK_TASK_POLICY = "lockTask";
field public static final String PACKAGES_SUSPENDED_POLICY = "packagesSuspended";
field public static final String PACKAGE_UNINSTALL_BLOCKED_POLICY = "packageUninstallBlocked";
- field public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity";
+ field @FlaggedApi("android.app.admin.flags.policy_engine_migration_v2_enabled") public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity";
field public static final String PERMISSION_GRANT_POLICY = "permissionGrant";
field public static final String PERSISTENT_PREFERRED_ACTIVITY_POLICY = "persistentPreferredActivity";
field public static final String RESET_PASSWORD_TOKEN_POLICY = "resetPasswordToken";
field public static final String SECURITY_LOGGING_POLICY = "securityLogging";
field public static final String STATUS_BAR_DISABLED_POLICY = "statusBarDisabled";
- field public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling";
+ field @FlaggedApi("android.app.admin.flags.policy_engine_migration_v2_enabled") public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling";
field public static final String USER_CONTROL_DISABLED_PACKAGES_POLICY = "userControlDisabledPackages";
}
diff --git a/core/api/test-current.txt b/core/api/test-current.txt
index a1aa679f01a9..009d08245da2 100644
--- a/core/api/test-current.txt
+++ b/core/api/test-current.txt
@@ -597,19 +597,19 @@ package android.app.admin {
method @RequiresPermission(android.Manifest.permission.FORCE_DEVICE_POLICY_MANAGER_LOGS) public long forceNetworkLogs();
method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public void forceRemoveActiveAdmin(@NonNull android.content.ComponentName, int);
method @RequiresPermission(android.Manifest.permission.FORCE_DEVICE_POLICY_MANAGER_LOGS) public long forceSecurityLogs();
- method @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public void forceSetMaxPolicyStorageLimit(int);
+ method @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public void forceSetMaxPolicyStorageLimit(int);
method public void forceUpdateUserSetupComplete(int);
method @NonNull public java.util.Set<java.lang.String> getDefaultCrossProfilePackages();
method @Deprecated public int getDeviceOwnerType(@NonNull android.content.ComponentName);
method @Nullable public String getDevicePolicyManagementRoleHolderUpdaterPackage();
method @NonNull public java.util.Set<java.lang.String> getDisallowedSystemApps(@NonNull android.content.ComponentName, int, @NonNull String);
- method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public int getHeadlessDeviceOwnerMode();
+ method @FlaggedApi("android.app.admin.flags.headless_device_owner_provisioning_fix_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public int getHeadlessDeviceOwnerMode();
method public long getLastBugReportRequestTime();
method public long getLastNetworkLogRetrievalTime();
method public long getLastSecurityLogRetrievalTime();
method public java.util.List<java.lang.String> getOwnerInstalledCaCerts(@NonNull android.os.UserHandle);
method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_ADMINS) public java.util.Set<java.lang.String> getPolicyExemptApps();
- method @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public int getPolicySizeForAdmin(@NonNull android.app.admin.EnforcingAdmin);
+ method @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public int getPolicySizeForAdmin(@NonNull android.app.admin.EnforcingAdmin);
method public boolean isCurrentInputMethodSetByOwner();
method public boolean isFactoryResetProtectionPolicySupported();
method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.INTERACT_ACROSS_USERS}) public boolean isNewUserDisclaimerAcknowledged();
@@ -680,7 +680,7 @@ package android.app.admin {
}
public final class EnforcingAdmin implements android.os.Parcelable {
- ctor public EnforcingAdmin(@NonNull String, @NonNull android.app.admin.Authority, @NonNull android.os.UserHandle, @Nullable android.content.ComponentName);
+ ctor @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") public EnforcingAdmin(@NonNull String, @NonNull android.app.admin.Authority, @NonNull android.os.UserHandle, @Nullable android.content.ComponentName);
}
public final class FlagUnion extends android.app.admin.ResolutionMechanism<java.lang.Integer> {
diff --git a/core/java/android/app/admin/AccountTypePolicyKey.java b/core/java/android/app/admin/AccountTypePolicyKey.java
index 515c1c66b2a3..02e492bb06aa 100644
--- a/core/java/android/app/admin/AccountTypePolicyKey.java
+++ b/core/java/android/app/admin/AccountTypePolicyKey.java
@@ -24,6 +24,7 @@ import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SystemApi;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.os.Bundle;
import android.os.Parcel;
@@ -53,7 +54,9 @@ public final class AccountTypePolicyKey extends PolicyKey {
@TestApi
public AccountTypePolicyKey(@NonNull String key, @NonNull String accountType) {
super(key);
- PolicySizeVerifier.enforceMaxStringLength(accountType, "accountType");
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxStringLength(accountType, "accountType");
+ }
mAccountType = Objects.requireNonNull((accountType));
}
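Review bot: The length check on `accountType` in the `AccountTypePolicyKey` constructor now runs only when `Flags.devicePolicySizeTrackingInternalBugFixEnabled()` returns true, so with the flag off this constructor accepts a string of any length, and nothing in the hunk records that. A comment above the `if` would make it explicit, for example `// Size limits apply only behind the size-tracking bug-fix flag; with it off, accountType is not bounded here.` The same gating is added to the constructors of BundlePolicyValue, ComponentNamePolicyValue, PackagePermissionPolicyKey, PackagePolicyKey, PackageSetPolicyValue, StringPolicyValue and UserRestrictionPolicyKey, and to LockTaskPolicy.setPackagesInternal, so the comment belongs there too. Separately, `Objects.requireNonNull((accountType))` runs after the length check, so with the flag on a null argument reaches `enforceMaxStringLength` first; whether that helper tolerates null is not visible in this diff.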
diff --git a/core/java/android/app/admin/BundlePolicyValue.java b/core/java/android/app/admin/BundlePolicyValue.java
index 00e67e64502a..c993671f4fc1 100644
--- a/core/java/android/app/admin/BundlePolicyValue.java
+++ b/core/java/android/app/admin/BundlePolicyValue.java
@@ -18,6 +18,7 @@ package android.app.admin;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.app.admin.flags.Flags;
import android.os.Bundle;
import android.os.Parcel;
@@ -30,7 +31,9 @@ public final class BundlePolicyValue extends PolicyValue<Bundle> {
public BundlePolicyValue(Bundle value) {
super(value);
- PolicySizeVerifier.enforceMaxBundleFieldsLength(value);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxBundleFieldsLength(value);
+ }
}
private BundlePolicyValue(Parcel source) {
diff --git a/core/java/android/app/admin/ComponentNamePolicyValue.java b/core/java/android/app/admin/ComponentNamePolicyValue.java
index f092b7bb5538..a7a2f7d27e0d 100644
--- a/core/java/android/app/admin/ComponentNamePolicyValue.java
+++ b/core/java/android/app/admin/ComponentNamePolicyValue.java
@@ -18,6 +18,7 @@ package android.app.admin;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.app.admin.flags.Flags;
import android.content.ComponentName;
import android.os.Parcel;
@@ -30,7 +31,9 @@ public final class ComponentNamePolicyValue extends PolicyValue<ComponentName> {
public ComponentNamePolicyValue(@NonNull ComponentName value) {
super(value);
- PolicySizeVerifier.enforceMaxComponentNameLength(value);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxComponentNameLength(value);
+ }
}
private ComponentNamePolicyValue(Parcel source) {
diff --git a/core/java/android/app/admin/DevicePolicyIdentifiers.java b/core/java/android/app/admin/DevicePolicyIdentifiers.java
index c0e435c04d3c..156512a90295 100644
--- a/core/java/android/app/admin/DevicePolicyIdentifiers.java
+++ b/core/java/android/app/admin/DevicePolicyIdentifiers.java
@@ -16,6 +16,8 @@
package android.app.admin;
+import static android.app.admin.flags.Flags.FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED;
+
import android.annotation.FlaggedApi;
import android.annotation.NonNull;
import android.annotation.SystemApi;
@@ -183,11 +185,13 @@ public final class DevicePolicyIdentifiers {
/**
* String identifier for {@link DevicePolicyManager#setUsbDataSignalingEnabled}.
*/
+ @FlaggedApi(FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED)
public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling";
/**
* String identifier for {@link DevicePolicyManager#setRequiredPasswordComplexity}.
*/
+ @FlaggedApi(FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED)
public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity";
/**
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 0f54cb7bc35e..d31d8f27844a 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -54,8 +54,10 @@ import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;
import static android.Manifest.permission.SET_TIME;
import static android.Manifest.permission.SET_TIME_ZONE;
import static android.app.admin.DeviceAdminInfo.HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED;
+import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED;
import static android.app.admin.flags.Flags.FLAG_DEVICE_THEFT_API_ENABLED;
import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_ENABLED;
+import static android.app.admin.flags.Flags.FLAG_HEADLESS_DEVICE_OWNER_PROVISIONING_FIX_ENABLED;
import static android.app.admin.flags.Flags.onboardingBugreportV2Enabled;
import static android.app.admin.flags.Flags.onboardingConsentlessBugreports;
import static android.app.admin.flags.Flags.FLAG_IS_MTE_POLICY_ENFORCED;
@@ -10476,6 +10478,10 @@ public class DevicePolicyManager {
@WorkerThread
public void setApplicationRestrictions(@Nullable ComponentName admin, String packageName,
Bundle settings) {
+ if (!Flags.dmrhSetAppRestrictions()) {
+ throwIfParentInstance("setApplicationRestrictions");
+ }
+
if (mService != null) {
try {
mService.setApplicationRestrictions(admin, mContext.getPackageName(), packageName,
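Review bot: With `Flags.dmrhSetAppRestrictions()` on, the `throwIfParentInstance("setApplicationRestrictions")` guard at the top of the method is skipped, but this hunk leaves the method documentation untouched, and the `mService.setApplicationRestrictions(...)` call is cut at the hunk edge, so it is not visible whether the parent-instance state is forwarded to the service. I would add a sentence to the Javadoc stating that calls on a parent instance are accepted only when the flag is enabled and that the authorization decision is made in the service, not by this client-side check. The same applies to `getApplicationRestrictions` in the next hunk. Both method bodies continue outside their hunks.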
@@ -11880,6 +11886,9 @@ public class DevicePolicyManager {
@WorkerThread
public @NonNull Bundle getApplicationRestrictions(
@Nullable ComponentName admin, String packageName) {
+ if (!Flags.dmrhSetAppRestrictions()) {
+ throwIfParentInstance("getApplicationRestrictions");
+ }
if (mService != null) {
try {
@@ -14224,11 +14233,21 @@ public class DevicePolicyManager {
*/
public @NonNull DevicePolicyManager getParentProfileInstance(@NonNull ComponentName admin) {
throwIfParentInstance("getParentProfileInstance");
- UserManager um = mContext.getSystemService(UserManager.class);
- if (!um.isManagedProfile()) {
- throw new SecurityException("The current user does not have a parent profile.");
+ try {
+ if (Flags.dmrhSetAppRestrictions()) {
+ UserManager um = mContext.getSystemService(UserManager.class);
+ if (!um.isManagedProfile()) {
+ throw new SecurityException("The current user does not have a parent profile.");
+ }
+ } else {
+ if (!mService.isManagedProfile(admin)) {
+ throw new SecurityException("The current user does not have a parent profile.");
+ }
+ }
+ return new DevicePolicyManager(mContext, mService, true);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
}
- return new DevicePolicyManager(mContext, mService, true);
}
/**
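Review bot: In the `else` branch of `getParentProfileInstance`, `mService.isManagedProfile(admin)` is called without the `mService != null` guard that `setApplicationRestrictions`, `getApplicationRestrictions` and `getHeadlessDeviceOwnerMode` use elsewhere in this diff. A missing service would therefore surface as a NullPointerException rather than a defined refusal. The two branches also duplicate the `SecurityException`, and the try/catch wraps the flag-on path, which makes no binder call. Computing the result once and throwing in one place makes the null case fail closed and keeps the message in a single spot.

```java
public @NonNull DevicePolicyManager getParentProfileInstance(@NonNull ComponentName admin) {
    throwIfParentInstance("getParentProfileInstance");
    final boolean isManagedProfile;
    if (Flags.dmrhSetAppRestrictions()) {
        isManagedProfile = mContext.getSystemService(UserManager.class).isManagedProfile();
    } else if (mService == null) {
        // No service to ask: refuse rather than dereference null.
        isManagedProfile = false;
    } else {
        try {
            isManagedProfile = mService.isManagedProfile(admin);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }
    if (!isManagedProfile) {
        throw new SecurityException("The current user does not have a parent profile.");
    }
    return new DevicePolicyManager(mContext, mService, true);
}
```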
@@ -17790,6 +17809,7 @@ public class DevicePolicyManager {
*/
@TestApi
@RequiresPermission(permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT)
+ @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED)
public void forceSetMaxPolicyStorageLimit(int storageLimit) {
if (mService != null) {
try {
@@ -17807,6 +17827,7 @@ public class DevicePolicyManager {
*/
@TestApi
@RequiresPermission(permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT)
+ @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED)
public int getPolicySizeForAdmin(@NonNull EnforcingAdmin admin) {
if (mService != null) {
try {
@@ -17825,9 +17846,13 @@ public class DevicePolicyManager {
* @hide
*/
@TestApi
+ @FlaggedApi(FLAG_HEADLESS_DEVICE_OWNER_PROVISIONING_FIX_ENABLED)
@RequiresPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)
@DeviceAdminInfo.HeadlessDeviceOwnerMode
public int getHeadlessDeviceOwnerMode() {
+ if (!Flags.headlessDeviceOwnerProvisioningFixEnabled()) {
+ return HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED;
+ }
if (mService != null) {
try {
return mService.getHeadlessDeviceOwnerMode(mContext.getPackageName());
diff --git a/core/java/android/app/admin/EnforcingAdmin.java b/core/java/android/app/admin/EnforcingAdmin.java
index 5f9bb9c22893..f70a53f61671 100644
--- a/core/java/android/app/admin/EnforcingAdmin.java
+++ b/core/java/android/app/admin/EnforcingAdmin.java
@@ -16,6 +16,9 @@
package android.app.admin;
+import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED;
+
+import android.annotation.FlaggedApi;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SystemApi;
@@ -61,6 +64,7 @@ public final class EnforcingAdmin implements Parcelable {
*
* @hide
*/
+ @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED)
@TestApi
public EnforcingAdmin(
@NonNull String packageName, @NonNull Authority authority,
diff --git a/core/java/android/app/admin/LockTaskPolicy.java b/core/java/android/app/admin/LockTaskPolicy.java
index ab32d46a05ad..68b4ad84d81a 100644
--- a/core/java/android/app/admin/LockTaskPolicy.java
+++ b/core/java/android/app/admin/LockTaskPolicy.java
@@ -19,6 +19,7 @@ package android.app.admin;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SystemApi;
+import android.app.admin.flags.Flags;
import android.os.Parcel;
import android.os.Parcelable;
@@ -134,8 +135,10 @@ public final class LockTaskPolicy extends PolicyValue<LockTaskPolicy> {
}
private void setPackagesInternal(Set<String> packages) {
- for (String p : packages) {
- PolicySizeVerifier.enforceMaxPackageNameLength(p);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ for (String p : packages) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(p);
+ }
}
mPackages = new HashSet<>(packages);
}
diff --git a/core/java/android/app/admin/PackagePermissionPolicyKey.java b/core/java/android/app/admin/PackagePermissionPolicyKey.java
index 226c576d9bc3..1a04f6c908bc 100644
--- a/core/java/android/app/admin/PackagePermissionPolicyKey.java
+++ b/core/java/android/app/admin/PackagePermissionPolicyKey.java
@@ -25,6 +25,7 @@ import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SystemApi;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.os.Bundle;
import android.os.Parcel;
import android.os.Parcelable;
@@ -58,8 +59,10 @@ public final class PackagePermissionPolicyKey extends PolicyKey {
public PackagePermissionPolicyKey(@NonNull String identifier, @NonNull String packageName,
@NonNull String permissionName) {
super(identifier);
- PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
- PolicySizeVerifier.enforceMaxStringLength(permissionName, "permissionName");
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
+ PolicySizeVerifier.enforceMaxStringLength(permissionName, "permissionName");
+ }
mPackageName = Objects.requireNonNull((packageName));
mPermissionName = Objects.requireNonNull((permissionName));
}
diff --git a/core/java/android/app/admin/PackagePolicyKey.java b/core/java/android/app/admin/PackagePolicyKey.java
index 8fa21dbb0a2e..9e31a23aec91 100644
--- a/core/java/android/app/admin/PackagePolicyKey.java
+++ b/core/java/android/app/admin/PackagePolicyKey.java
@@ -24,6 +24,7 @@ import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.SystemApi;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.os.Bundle;
import android.os.Parcel;
import android.os.Parcelable;
@@ -54,7 +55,9 @@ public final class PackagePolicyKey extends PolicyKey {
@TestApi
public PackagePolicyKey(@NonNull String key, @NonNull String packageName) {
super(key);
- PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
+ }
mPackageName = Objects.requireNonNull((packageName));
}
diff --git a/core/java/android/app/admin/PackageSetPolicyValue.java b/core/java/android/app/admin/PackageSetPolicyValue.java
index 24c50b0994d7..8b253a23a299 100644
--- a/core/java/android/app/admin/PackageSetPolicyValue.java
+++ b/core/java/android/app/admin/PackageSetPolicyValue.java
@@ -18,6 +18,7 @@ package android.app.admin;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.app.admin.flags.Flags;
import android.os.Parcel;
import java.util.HashSet;
@@ -31,8 +32,10 @@ public final class PackageSetPolicyValue extends PolicyValue<Set<String>> {
public PackageSetPolicyValue(@NonNull Set<String> value) {
super(value);
- for (String packageName : value) {
- PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ for (String packageName : value) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(packageName);
+ }
}
}
diff --git a/core/java/android/app/admin/StringPolicyValue.java b/core/java/android/app/admin/StringPolicyValue.java
index bb07c23163ea..6efe9ad0dbed 100644
--- a/core/java/android/app/admin/StringPolicyValue.java
+++ b/core/java/android/app/admin/StringPolicyValue.java
@@ -18,6 +18,7 @@ package android.app.admin;
import android.annotation.NonNull;
import android.annotation.Nullable;
+import android.app.admin.flags.Flags;
import android.os.Parcel;
import java.util.Objects;
@@ -29,7 +30,9 @@ public final class StringPolicyValue extends PolicyValue<String> {
public StringPolicyValue(@NonNull String value) {
super(value);
- PolicySizeVerifier.enforceMaxStringLength(value, "policyValue");
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxStringLength(value, "policyValue");
+ }
}
private StringPolicyValue(Parcel source) {
diff --git a/core/java/android/app/admin/UserRestrictionPolicyKey.java b/core/java/android/app/admin/UserRestrictionPolicyKey.java
index 16cfba4414d5..9054287cb7a0 100644
--- a/core/java/android/app/admin/UserRestrictionPolicyKey.java
+++ b/core/java/android/app/admin/UserRestrictionPolicyKey.java
@@ -21,6 +21,7 @@ import static android.app.admin.PolicyUpdateReceiver.EXTRA_POLICY_KEY;
import android.annotation.NonNull;
import android.annotation.SystemApi;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.os.Bundle;
import android.os.Parcel;
@@ -44,7 +45,9 @@ public final class UserRestrictionPolicyKey extends PolicyKey {
@TestApi
public UserRestrictionPolicyKey(@NonNull String identifier, @NonNull String restriction) {
super(identifier);
- PolicySizeVerifier.enforceMaxStringLength(restriction, "restriction");
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxStringLength(restriction, "restriction");
+ }
mRestriction = Objects.requireNonNull(restriction);
}
diff --git a/core/java/android/app/admin/flags/flags.aconfig b/core/java/android/app/admin/flags/flags.aconfig
index e940a7bb96ad..edbbd5b22ddd 100644
--- a/core/java/android/app/admin/flags/flags.aconfig
+++ b/core/java/android/app/admin/flags/flags.aconfig
@@ -4,7 +4,6 @@
package: "android.app.admin.flags"
container: "system"
-# Fully rolled out and must not be used.
flag {
name: "policy_engine_migration_v2_enabled"
is_exported: true
@@ -29,6 +28,16 @@ flag {
}
flag {
+ name: "device_policy_size_tracking_internal_bug_fix_enabled"
+ namespace: "enterprise"
+ description: "Bug fix for tracking the total policy size and have a max threshold"
+ bug: "281543351"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
name: "onboarding_bugreport_v2_enabled"
is_exported: true
namespace: "enterprise"
@@ -68,6 +77,13 @@ flag {
}
flag {
+ name: "permission_migration_for_zero_trust_impl_enabled"
+ namespace: "enterprise"
+ description: "(Implementation) Migrate existing APIs to permission based, and enable DMRH to call them to collect Zero Trust signals."
+ bug: "289520697"
+}
+
+flag {
name: "device_theft_api_enabled"
is_exported: true
namespace: "enterprise"
@@ -210,6 +226,33 @@ flag {
}
flag {
+ name: "headless_device_owner_provisioning_fix_enabled"
+ namespace: "enterprise"
+ description: "Fix provisioning for single-user headless DO"
+ bug: "289515470"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
+ name: "dmrh_set_app_restrictions"
+ namespace: "enterprise"
+ description: "Allow DMRH to set application restrictions (both on the profile and the parent)"
+ bug: "328758346"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
+ name: "allow_screen_brightness_control_on_cope"
+ namespace: "enterprise"
+ description: "Allow COPE admin to control screen brightness and timeout."
+ bug: "323894620"
+}
+
+flag {
name: "always_persist_do"
namespace: "enterprise"
description: "Always write device_owners2.xml so that migration flags aren't lost"
@@ -227,6 +270,16 @@ flag {
}
flag {
+ name: "headless_device_owner_delegate_security_logging_bug_fix"
+ namespace: "enterprise"
+ description: "Fix delegate security logging for single user headless DO."
+ bug: "289515470"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
name: "headless_single_user_bad_device_admin_state_fix"
namespace: "enterprise"
description: "Fix the bad state in DPMS caused by an earlier bug related to the headless single user change"
@@ -247,6 +300,16 @@ flag {
}
flag {
+ name: "delete_private_space_under_restriction"
+ namespace: "enterprise"
+ description: "Delete private space if user restriction is set"
+ bug: "328758346"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
name: "unmanaged_mode_migration"
namespace: "enterprise"
description: "Migrate APIs for unmanaged mode"
@@ -257,6 +320,16 @@ flag {
}
flag {
+ name: "headless_single_user_fixes"
+ namespace: "enterprise"
+ description: "Various fixes for headless single user mode"
+ bug: "289515470"
+ metadata {
+ purpose: PURPOSE_BUGFIX
+ }
+}
+
+flag {
name: "backup_connected_apps_settings"
namespace: "enterprise"
description: "backup and restore connected work and personal apps user settings across devices"
diff --git a/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt b/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt
index 15c5e2485a45..fabc357c2a68 100644
--- a/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt
+++ b/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt
@@ -18,8 +18,10 @@
package com.android.keyguard
import android.app.admin.DevicePolicyManager
+import android.app.admin.flags.Flags as DevicePolicyFlags
import android.content.res.Configuration
import android.media.AudioManager
+import android.platform.test.annotations.EnableFlags
import android.telephony.TelephonyManager
import android.testing.TestableLooper.RunWithLooper
import android.testing.TestableResources
@@ -938,6 +940,7 @@ class KeyguardSecurityContainerControllerTest : SysuiTestCase() {
}
@Test
+ @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES)
fun showAlmostAtWipeDialog_calledOnMainUser_setsCorrectUserType() {
val mainUserId = 10
@@ -954,6 +957,7 @@ class KeyguardSecurityContainerControllerTest : SysuiTestCase() {
}
@Test
+ @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES)
fun showAlmostAtWipeDialog_calledOnNonMainUser_setsCorrectUserType() {
val secondaryUserId = 10
val mainUserId = 0
diff --git a/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt b/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt
index 080b48af2af1..0c5e726e17aa 100644
--- a/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt
+++ b/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt
@@ -17,6 +17,8 @@
package com.android.systemui.authentication.domain.interactor
import android.app.admin.DevicePolicyManager
+import android.app.admin.flags.Flags as DevicePolicyFlags
+import android.platform.test.annotations.EnableFlags
import androidx.test.ext.junit.runners.AndroidJUnit4
import androidx.test.filters.SmallTest
import com.android.internal.widget.LockPatternUtils
@@ -412,6 +414,7 @@ class AuthenticationInteractorTest : SysuiTestCase() {
}
@Test
+ @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES)
fun upcomingWipe() =
testScope.runTest {
val upcomingWipe by collectLastValue(underTest.upcomingWipe)
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
index 2d28a189f84d..61f9800c351b 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java
@@ -35,6 +35,7 @@ import static com.android.systemui.flags.Flags.LOCKSCREEN_ENABLE_LANDSCAPE;
import android.app.ActivityManager;
import android.app.admin.DevicePolicyManager;
+import android.app.admin.flags.Flags;
import android.content.Intent;
import android.content.res.ColorStateList;
import android.content.res.Configuration;
@@ -1139,7 +1140,12 @@ public class KeyguardSecurityContainerController extends ViewController<Keyguard
int remainingBeforeWipe, int failedAttempts) {
int userType = USER_TYPE_PRIMARY;
if (expiringUserId == userId) {
- int primaryUser = mainUserId != null ? mainUserId : UserHandle.USER_SYSTEM;
+ int primaryUser = UserHandle.USER_SYSTEM;
+ if (Flags.headlessSingleUserFixes()) {
+ if (mainUserId != null) {
+ primaryUser = mainUserId;
+ }
+ }
// TODO: http://b/23522538
if (expiringUserId != primaryUser) {
userType = USER_TYPE_SECONDARY_USER;
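Review bot: The two nested `if`s that select `primaryUser` can be a single condition, `if (Flags.headlessSingleUserFixes() && mainUserId != null) { primaryUser = mainUserId; }`, which matches the shape of the Kotlin counterpart in AuthenticationInteractor. With the flag off, `primaryUser` is always `UserHandle.USER_SYSTEM`, so a main user with a different id (the tests use `mainUserId = 10`) is reported as `USER_TYPE_SECONDARY_USER` in the wipe dialog. The test changes in this commit only add `@EnableFlags`, so that flag-off path has no visible coverage. The enclosing method starts and ends outside the hunk.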
diff --git a/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt b/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt
index 3080e1978b2a..fcba425f0956 100644
--- a/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt
+++ b/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt
@@ -16,6 +16,7 @@
package com.android.systemui.authentication.domain.interactor
+import android.app.admin.flags.Flags
import android.os.UserHandle
import com.android.internal.widget.LockPatternUtils
import com.android.internal.widget.LockPatternView
@@ -288,7 +289,12 @@ constructor(
private suspend fun getWipeTarget(): WipeTarget {
// Check which profile has the strictest policy for failed authentication attempts.
val userToBeWiped = repository.getProfileWithMinFailedUnlockAttemptsForWipe()
- val primaryUser = selectedUserInteractor.getMainUserId() ?: UserHandle.USER_SYSTEM
+ val primaryUser =
+ if (Flags.headlessSingleUserFixes()) {
+ selectedUserInteractor.getMainUserId() ?: UserHandle.USER_SYSTEM
+ } else {
+ UserHandle.USER_SYSTEM
+ }
return when (userToBeWiped) {
selectedUserInteractor.getSelectedUserId() ->
if (userToBeWiped == primaryUser) {
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java
index b982098fefa4..5eec0124a9e3 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java
@@ -1325,6 +1325,11 @@ class ActiveAdmin {
pw.print("encryptionRequested=");
pw.println(encryptionRequested);
+ if (!Flags.policyEngineMigrationV2Enabled()) {
+ pw.print("mUsbDataSignaling=");
+ pw.println(mUsbDataSignalingEnabled);
+ }
+
pw.print("disableCallerId=");
pw.println(disableCallerId);
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java
index 4beb6a8a3480..a08af72586ee 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java
@@ -230,9 +230,11 @@ final class DevicePolicyEngine {
synchronized (mLock) {
PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);
- if (!handleAdminPolicySizeLimit(localPolicyState, enforcingAdmin, value,
- policyDefinition, userId)) {
- return;
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ if (!handleAdminPolicySizeLimit(localPolicyState, enforcingAdmin, value,
+ policyDefinition, userId)) {
+ return;
+ }
}
if (policyDefinition.isNonCoexistablePolicy()) {
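Review bot: Gating `handleAdminPolicySizeLimit` on `Flags.devicePolicySizeTrackingInternalBugFixEnabled()` here keeps the per-admin size accounting consistent only if the flag has the same value for every set, remove, write and read of the same state. The later hunks gate `decreasePolicySizeForAdmin`, `writeEnforcingAdminSizeInner`, `writeMaxPolicySizeInner` and `readMaxPolicySizeInner` on the same call, so state saved while the flag is off carries no size records; if the flag is turned on afterwards, the limit would presumably be checked against counts that miss the policies already stored. A comment at this check documenting that assumption, or a recount of stored policies on load when the records are absent, would close the gap. The enclosing method starts and ends outside the hunk.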
@@ -352,7 +354,9 @@ final class DevicePolicyEngine {
}
PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId);
- decreasePolicySizeForAdmin(localPolicyState, enforcingAdmin);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ decreasePolicySizeForAdmin(localPolicyState, enforcingAdmin);
+ }
if (policyDefinition.isNonCoexistablePolicy()) {
setNonCoexistableLocalPolicyLocked(policyDefinition, localPolicyState,
@@ -496,9 +500,11 @@ final class DevicePolicyEngine {
synchronized (mLock) {
PolicyState<V> globalPolicyState = getGlobalPolicyStateLocked(policyDefinition);
- if (!handleAdminPolicySizeLimit(globalPolicyState, enforcingAdmin, value,
- policyDefinition, UserHandle.USER_ALL)) {
- return;
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ if (!handleAdminPolicySizeLimit(globalPolicyState, enforcingAdmin, value,
+ policyDefinition, UserHandle.USER_ALL)) {
+ return;
+ }
}
// TODO(b/270999567): Move error handling for DISALLOW_CELLULAR_2G into the code
// that honors the restriction once there's an API available
@@ -565,7 +571,9 @@ final class DevicePolicyEngine {
synchronized (mLock) {
PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition);
- decreasePolicySizeForAdmin(policyState, enforcingAdmin);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ decreasePolicySizeForAdmin(policyState, enforcingAdmin);
+ }
boolean policyChanged = policyState.removePolicy(enforcingAdmin);
@@ -1731,23 +1739,25 @@ final class DevicePolicyEngine {
pw.println();
}
pw.decreaseIndent();
- pw.println();
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ pw.println();
- pw.println("Default admin policy size limit: " + DEFAULT_POLICY_SIZE_LIMIT);
- pw.println("Current admin policy size limit: " + mPolicySizeLimit);
- pw.println("Admin Policies size: ");
- for (int i = 0; i < mAdminPolicySize.size(); i++) {
- int userId = mAdminPolicySize.keyAt(i);
- pw.printf("User %d:\n", userId);
- pw.increaseIndent();
- for (EnforcingAdmin admin : mAdminPolicySize.get(userId).keySet()) {
- pw.printf("Admin : " + admin + " : " + mAdminPolicySize.get(userId).get(
- admin));
- pw.println();
+ pw.println("Default admin policy size limit: " + DEFAULT_POLICY_SIZE_LIMIT);
+ pw.println("Current admin policy size limit: " + mPolicySizeLimit);
+ pw.println("Admin Policies size: ");
+ for (int i = 0; i < mAdminPolicySize.size(); i++) {
+ int userId = mAdminPolicySize.keyAt(i);
+ pw.printf("User %d:\n", userId);
+ pw.increaseIndent();
+ for (EnforcingAdmin admin : mAdminPolicySize.get(userId).keySet()) {
+ pw.printf("Admin : " + admin + " : " + mAdminPolicySize.get(userId).get(
+ admin));
+ pw.println();
+ }
+ pw.decreaseIndent();
}
pw.decreaseIndent();
}
- pw.decreaseIndent();
}
}
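Review bot: The re-indented dump loop still passes a concatenated string as the format argument, `pw.printf("Admin : " + admin + " : " + ...)`, so any `%` in the admin's string form would be parsed as a format specifier and could make the dump throw. Passing the values as arguments avoids that: `pw.printf("Admin : %s : %s", admin, mAdminPolicySize.get(userId).get(admin));`. The dump method this belongs to starts before the hunk.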
@@ -2008,21 +2018,23 @@ final class DevicePolicyEngine {
private void writeEnforcingAdminSizeInner(TypedXmlSerializer serializer)
throws IOException {
- if (mAdminPolicySize != null) {
- for (int i = 0; i < mAdminPolicySize.size(); i++) {
- int userId = mAdminPolicySize.keyAt(i);
- for (EnforcingAdmin admin : mAdminPolicySize.get(
- userId).keySet()) {
- serializer.startTag(/* namespace= */ null,
- TAG_ENFORCING_ADMIN_AND_SIZE);
- serializer.startTag(/* namespace= */ null, TAG_ENFORCING_ADMIN);
- admin.saveToXml(serializer);
- serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN);
- serializer.startTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE);
- serializer.attributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE,
- mAdminPolicySize.get(userId).get(admin));
- serializer.endTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE);
- serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN_AND_SIZE);
+ if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ if (mAdminPolicySize != null) {
+ for (int i = 0; i < mAdminPolicySize.size(); i++) {
+ int userId = mAdminPolicySize.keyAt(i);
+ for (EnforcingAdmin admin : mAdminPolicySize.get(
+ userId).keySet()) {
+ serializer.startTag(/* namespace= */ null,
+ TAG_ENFORCING_ADMIN_AND_SIZE);
+ serializer.startTag(/* namespace= */ null, TAG_ENFORCING_ADMIN);
+ admin.saveToXml(serializer);
+ serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN);
+ serializer.startTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE);
+ serializer.attributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE,
+ mAdminPolicySize.get(userId).get(admin));
+ serializer.endTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE);
+ serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN_AND_SIZE);
+ }
}
}
}
@@ -2030,6 +2042,9 @@ final class DevicePolicyEngine {
private void writeMaxPolicySizeInner(TypedXmlSerializer serializer)
throws IOException {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return;
+ }
serializer.startTag(/* namespace= */ null, TAG_MAX_POLICY_SIZE_LIMIT);
serializer.attributeInt(
/* namespace= */ null, ATTR_POLICY_SUM_SIZE, mPolicySizeLimit);
@@ -2177,6 +2192,9 @@ final class DevicePolicyEngine {
private void readMaxPolicySizeInner(TypedXmlPullParser parser)
throws XmlPullParserException, IOException {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return;
+ }
mPolicySizeLimit = parser.getAttributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE);
}
}
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 470025a67dee..886ae7ad7e50 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -1328,7 +1328,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Bundle prevRestrictions) {
resetCrossProfileIntentFiltersIfNeeded(userId, newRestrictions, prevRestrictions);
resetUserVpnIfNeeded(userId, newRestrictions, prevRestrictions);
- removePrivateSpaceIfRestrictionIsSet(userId, newRestrictions, prevRestrictions);
+ if (Flags.deletePrivateSpaceUnderRestriction()) {
+ removePrivateSpaceIfRestrictionIsSet(userId, newRestrictions, prevRestrictions);
+ }
}
private void resetUserVpnIfNeeded(
@@ -3693,6 +3695,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
revertTransferOwnershipIfNecessaryLocked();
+ if (!Flags.policyEngineMigrationV2Enabled()) {
+ updateUsbDataSignal(mContext, isUsbDataSignalingEnabledInternalLocked());
+ }
}
// Check whether work apps were paused via suspension and unsuspend if necessary.
@@ -7151,7 +7156,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// If there is a profile owner, redirect to that; otherwise query the device owner.
ComponentName aliasChooser = getProfileOwnerAsUser(caller.getUserId());
- boolean isDoUser = caller.getUserId() == getDeviceOwnerUserId();
+ boolean isDoUser = Flags.headlessSingleUserFixes()
+ ? caller.getUserId() == getDeviceOwnerUserId()
+ : caller.getUserHandle().isSystem();
if (aliasChooser == null && isDoUser) {
synchronized (getLockObject()) {
final ActiveAdmin deviceOwnerAdmin = getDeviceOwnerAdminLocked();
@@ -8161,7 +8168,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// First check whether the admin is allowed to wipe the device/user/profile.
final String restriction;
boolean shouldFactoryReset = userId == UserHandle.USER_SYSTEM;
- if (getHeadlessDeviceOwnerModeForDeviceOwner()
+ if (Flags.headlessSingleUserFixes() && getHeadlessDeviceOwnerModeForDeviceOwner()
== HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) {
shouldFactoryReset = userId == getMainUserId();
}
@@ -8185,7 +8192,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
adminPackage,
userId)) {
// Legacy mode
- wipeDevice = getHeadlessDeviceOwnerModeForDeviceOwner()
+ wipeDevice = Flags.headlessSingleUserFixes()
+ && getHeadlessDeviceOwnerModeForDeviceOwner()
== HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER ? isMainUser : isSystemUser;
} else {
// Explicit behaviour
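Review bot: The new `wipeDevice` expression mixes `&&`, `==` and `?:` without parentheses, so the reader has to work out that it parses as `(flag && mode == SINGLE_USER) ? isMainUser : isSystemUser`. Since this value appears to decide whether the whole device is wiped, the grouping should be explicit. The same flag-and-mode predicate is also spelled out in the preceding hunk for `shouldFactoryReset`. If both are in the same method, a single local such as `final boolean singleUserHeadless = Flags.headlessSingleUserFixes() && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER;` used in both places would keep the two decisions in step. Both hunks cut through the enclosing method.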
@@ -9369,7 +9377,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
void sendDeviceOwnerOrProfileOwnerCommand(String action, Bundle extras, int userId) {
if (userId == UserHandle.USER_ALL) {
- if (getHeadlessDeviceOwnerModeForDeviceOwner()
+ if (Flags.headlessDeviceOwnerDelegateSecurityLoggingBugFix()
+ && getHeadlessDeviceOwnerModeForDeviceOwner()
== HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) {
userId = mOwners.getDeviceOwnerUserId();
} else {
@@ -11855,7 +11864,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
setBackwardsCompatibleAppRestrictions(
caller, packageName, restrictions, caller.getUserHandle());
- } else {
+ } else if (Flags.dmrhSetAppRestrictions()) {
final boolean isRoleHolder;
if (who != null) {
// DO or PO
@@ -11902,6 +11911,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
caller.getUserHandle());
});
}
+ } else {
+ Preconditions.checkCallAuthorization((caller.hasAdminComponent()
+ && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
+ || (caller.hasPackage() && isCallerDelegate(caller,
+ DELEGATION_APP_RESTRICTIONS)));
+ mInjector.binderWithCleanCallingIdentity(() -> {
+ mUserManager.setApplicationRestrictions(packageName, restrictions,
+ caller.getUserHandle());
+ });
}
DevicePolicyEventLogger
@@ -12434,6 +12452,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
if (packageList != null) {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ for (String pkg : packageList) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(pkg);
+ }
+ }
+
List<InputMethodInfo> enabledImes = mInjector.binderWithCleanCallingIdentity(() ->
InputMethodManagerInternal.get().getEnabledInputMethodListAsUser(userId));
if (enabledImes != null) {
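Review bot: The per-string bound `PolicySizeVerifier.enforceMaxPackageNameLength(pkg)` now runs only when the size-tracking flag is off, so with the flag on nothing in this hunk limits the length of an admin-supplied package name. That is safe only if the value set here later passes through the DevicePolicyEngine size limit, which the hunk does not show. The same pattern appears in the `accountType` hunk (`enforceMaxStringLength`) and in `setLockTaskPackages` below. A comment at each guard naming where the flag-on bound is enforced would make that checkable, for example `// Flag on: bounded by the per-admin policy size limit in DevicePolicyEngine.`, provided that is indeed the case. The enclosing method starts and ends outside the hunk.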
@@ -13232,7 +13256,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return Bundle.EMPTY;
}
return policies.get(enforcingAdmin).getValue();
- } else {
+ } else if (Flags.dmrhSetAppRestrictions()) {
final boolean isRoleHolder;
if (who != null) {
// Caller is DO or PO. They cannot call this on parent
@@ -13275,6 +13299,19 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return bundle != null ? bundle : Bundle.EMPTY;
});
}
+
+ } else {
+ Preconditions.checkCallAuthorization((caller.hasAdminComponent()
+ && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
+ || (caller.hasPackage() && isCallerDelegate(caller,
+ DELEGATION_APP_RESTRICTIONS)));
+ return mInjector.binderWithCleanCallingIdentity(() -> {
+ Bundle bundle = mUserManager.getApplicationRestrictions(packageName,
+ caller.getUserHandle());
+ // if no restrictions were saved, mUserManager.getApplicationRestrictions
+ // returns null, but DPM method should return an empty Bundle as per JavaDoc
+ return bundle != null ? bundle : Bundle.EMPTY;
+ });
}
}
@@ -14283,6 +14320,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return;
}
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ PolicySizeVerifier.enforceMaxStringLength(accountType, "account type");
+ }
+
CallerIdentity caller = getCallerIdentity(who, callerPackageName);
synchronized (getLockObject()) {
int affectedUser = getAffectedUser(parent);
@@ -14893,6 +14934,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
public void setLockTaskPackages(ComponentName who, String callerPackageName, String[] packages)
throws SecurityException {
Objects.requireNonNull(packages, "packages is null");
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ for (String pkg : packages) {
+ PolicySizeVerifier.enforceMaxPackageNameLength(pkg);
+ }
+ }
CallerIdentity caller = getCallerIdentity(who, callerPackageName);
checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_LOCK_TASK_PACKAGES);
@@ -15173,7 +15219,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
final CallerIdentity caller = getCallerIdentity(who);
Preconditions.checkCallAuthorization(
isProfileOwner(caller) || isDefaultDeviceOwner(caller));
- if (parent) {
+ if (Flags.allowScreenBrightnessControlOnCope() && parent) {
Preconditions.checkCallAuthorization(isProfileOwnerOfOrganizationOwnedDevice(caller));
}
checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_SETTING);
@@ -15184,7 +15230,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
"Permission denial: device owners cannot update %1$s", setting));
}
int affectedUser;
- if (parent) {
+ if (Flags.allowScreenBrightnessControlOnCope() && parent) {
affectedUser = getProfileParentId(caller.getUserId());
} else {
affectedUser = caller.getUserId();
@@ -16776,11 +16822,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
mContext.sendBroadcastAsUser(intent, UserHandle.of(userId));
}
- final UserHandle user = UserHandle.of(userId);
- final String roleHolderPackage = getRoleHolderPackageNameOnUser(
- RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId);
- if (roleHolderPackage != null) {
- broadcastExplicitIntentToPackage(intent, roleHolderPackage, user);
+ if (Flags.permissionMigrationForZeroTrustImplEnabled()) {
+ final UserHandle user = UserHandle.of(userId);
+ final String roleHolderPackage = getRoleHolderPackageNameOnUser(
+ RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId);
+ if (roleHolderPackage != null) {
+ broadcastExplicitIntentToPackage(intent, roleHolderPackage, user);
+ }
}
}
});
@@ -16788,10 +16836,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin, String callerPackage) {
- CallerIdentity caller = getCallerIdentity(admin, callerPackage);
- enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE,
- MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(),
- caller.getUserId());
+ if (Flags.permissionMigrationForZeroTrustImplEnabled()) {
+ CallerIdentity caller = getCallerIdentity(admin, callerPackage);
+ enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE,
+ MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(),
+ caller.getUserId());
+ } else {
+ Objects.requireNonNull(admin, "ComponentName is null");
+
+ final CallerIdentity caller = getCallerIdentity(admin);
+ Preconditions.checkCallAuthorization(
+ isDefaultDeviceOwner(caller) || isProfileOwner(caller));
+ }
return mOwners.getSystemUpdateInfo();
}
@@ -17335,10 +17391,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Nullable ComponentName componentName, @UserIdInt int callingUserId) {
synchronized (getLockObject()) {
int deviceOwnerUserId = -1;
- deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode()
- && getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId)
- == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED
- ? UserHandle.USER_SYSTEM : callingUserId;
+ if (Flags.headlessDeviceOwnerProvisioningFixEnabled()) {
+ deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode()
+ && getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId)
+ == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED
+ ? UserHandle.USER_SYSTEM : callingUserId;
+ } else {
+ deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode()
+ && getHeadlessDeviceOwnerModeForDeviceOwner()
+ == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED
+ ? UserHandle.USER_SYSTEM : callingUserId;
+ }
Slogf.i(LOG_TAG, "Calling user %d, device owner will be set on user %d",
callingUserId, deviceOwnerUserId);
// hasIncompatibleAccountsOrNonAdb doesn't matter since the caller is not adb.
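Review bot: The two branches assigning `deviceOwnerUserId` differ only in which helper supplies the headless mode, yet the whole ternary is duplicated, and the `= -1` initialiser is never read. Selecting the mode first keeps the user-selection logic in one place: `int mode = Flags.headlessDeviceOwnerProvisioningFixEnabled() ? getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId) : getHeadlessDeviceOwnerModeForDeviceOwner();`, followed by the single existing ternary on `mode`. The later hunk that computes `isSingleUserMode` has the same shape and could use the same local. The method begins before and ends after this hunk.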
@@ -18637,7 +18700,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// Backup service has to be enabled on the main user in order for it to be enabled on
// secondary users.
- if (isDeviceOwner(caller) && getHeadlessDeviceOwnerModeForDeviceOwner()
+ if (Flags.headlessSingleUserFixes() && isDeviceOwner(caller)
+ && getHeadlessDeviceOwnerModeForDeviceOwner()
== HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) {
toggleBackupServiceActive(UserHandle.USER_SYSTEM, enabled);
}
@@ -21378,7 +21442,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
final CallerIdentity caller = getCallerIdentity(callerPackage);
- enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName());
+ if (Flags.permissionMigrationForZeroTrustImplEnabled()) {
+ enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName());
+ } else {
+ Preconditions.checkCallAuthorization(
+ isDefaultDeviceOwner(caller) || isProfileOwner(caller)
+ || isCallerDelegate(caller, DELEGATION_CERT_INSTALL));
+ }
synchronized (getLockObject()) {
final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked(
caller.getUserId());
@@ -21977,9 +22047,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
final long identity = Binder.clearCallingIdentity();
try {
boolean isSingleUserMode;
- int headlessDeviceOwnerMode = getHeadlessDeviceOwnerModeForDeviceAdmin(
- deviceAdmin, caller.getUserId());
- isSingleUserMode = headlessDeviceOwnerMode == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER;
+ if (Flags.headlessDeviceOwnerProvisioningFixEnabled()) {
+ int headlessDeviceOwnerMode = getHeadlessDeviceOwnerModeForDeviceAdmin(
+ deviceAdmin, caller.getUserId());
+ isSingleUserMode =
+ headlessDeviceOwnerMode == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER;
+ } else {
+ isSingleUserMode =
+ getHeadlessDeviceOwnerModeForDeviceOwner()
+ == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER;
+ }
if (Flags.headlessSingleMinTargetSdk()
&& mInjector.userManagerIsHeadlessSystemUserMode()
@@ -22378,17 +22455,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Objects.requireNonNull(packageName, "Admin package name must be provided");
final CallerIdentity caller = getCallerIdentity(packageName);
- synchronized (getLockObject()) {
- EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
- /* admin= */ null, MANAGE_DEVICE_POLICY_USB_DATA_SIGNALLING,
- caller.getPackageName(),
- caller.getUserId());
+ if (!Flags.policyEngineMigrationV2Enabled()) {
+ Preconditions.checkCallAuthorization(
+ isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller),
+ "USB data signaling can only be controlled by a device owner or "
+ + "a profile owner on an organization-owned device.");
Preconditions.checkState(canUsbDataSignalingBeDisabled(),
"USB data signaling cannot be disabled.");
- mDevicePolicyEngine.setGlobalPolicy(
- PolicyDefinition.USB_DATA_SIGNALING,
- enforcingAdmin,
- new BooleanPolicyValue(enabled));
+ }
+
+ synchronized (getLockObject()) {
+ if (Flags.policyEngineMigrationV2Enabled()) {
+ EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
+ /* admin= */ null, MANAGE_DEVICE_POLICY_USB_DATA_SIGNALLING,
+ caller.getPackageName(),
+ caller.getUserId());
+ Preconditions.checkState(canUsbDataSignalingBeDisabled(),
+ "USB data signaling cannot be disabled.");
+ mDevicePolicyEngine.setGlobalPolicy(
+ PolicyDefinition.USB_DATA_SIGNALING,
+ enforcingAdmin,
+ new BooleanPolicyValue(enabled));
+ } else {
+ ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId());
+ if (admin.mUsbDataSignalingEnabled != enabled) {
+ admin.mUsbDataSignalingEnabled = enabled;
+ saveSettingsLocked(caller.getUserId());
+ updateUsbDataSignal(mContext, isUsbDataSignalingEnabledInternalLocked());
+ }
+ }
}
DevicePolicyEventLogger
.createEvent(DevicePolicyEnums.SET_USB_DATA_SIGNALING)
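Review bot: `Flags.policyEngineMigrationV2Enabled()` is evaluated twice in this method, once to decide whether the legacy `checkCallAuthorization` runs and again inside the lock to decide whether `enforcePermissionAndGetEnforcingAdmin` runs. Authorization is only guaranteed if both reads agree; should the value ever differ between them, the legacy write to `admin.mUsbDataSignalingEnabled` would run with neither check. Reading it once, `final boolean useEngine = Flags.policyEngineMigrationV2Enabled();`, and branching on the local in both places removes that dependency. The method starts before the hunk and continues after it.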
@@ -22410,10 +22505,24 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public boolean isUsbDataSignalingEnabled(String packageName) {
final CallerIdentity caller = getCallerIdentity(packageName);
- Boolean enabled = mDevicePolicyEngine.getResolvedPolicy(
- PolicyDefinition.USB_DATA_SIGNALING,
- caller.getUserId());
- return enabled == null || enabled;
+ if (Flags.policyEngineMigrationV2Enabled()) {
+ Boolean enabled = mDevicePolicyEngine.getResolvedPolicy(
+ PolicyDefinition.USB_DATA_SIGNALING,
+ caller.getUserId());
+ return enabled == null || enabled;
+ } else {
+ synchronized (getLockObject()) {
+ // If the caller is an admin, return the policy set by itself. Otherwise
+ // return the device-wide policy.
+ if (isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(
+ caller)) {
+ return getProfileOwnerOrDeviceOwnerLocked(
+ caller.getUserId()).mUsbDataSignalingEnabled;
+ } else {
+ return isUsbDataSignalingEnabledInternalLocked();
+ }
+ }
+ }
}
private boolean isUsbDataSignalingEnabledInternalLocked() {
@@ -24766,6 +24875,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public void setMaxPolicyStorageLimit(String callerPackageName, int storageLimit) {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return;
+ }
CallerIdentity caller = getCallerIdentity(callerPackageName);
enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, caller.getPackageName(),
caller.getUserId());
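Review bot: The flag-off early return in `setMaxPolicyStorageLimit` sits before `getCallerIdentity` and `enforcePermission`, so with the flag off a caller without `MANAGE_PROFILE_AND_DEVICE_OWNERS` gets a silent no-op instead of the permission failure it would otherwise see. `getMaxPolicyStorageLimit`, `forceSetMaxPolicyStorageLimit` and `getPolicySizeForAdmin` in the following hunks do the same, returning `-1` or nothing before their permission check. Moving the flag check below `enforcePermission` keeps the permission contract independent of the flag. If the early return must stay first, a comment such as `// Flag off: feature disabled, intentionally no permission check.` would record that it is deliberate. Each method body continues past its hunk.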
@@ -24779,6 +24891,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public int getMaxPolicyStorageLimit(String callerPackageName) {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return -1;
+ }
CallerIdentity caller = getCallerIdentity(callerPackageName);
enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, caller.getPackageName(),
caller.getUserId());
@@ -24788,6 +24903,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public void forceSetMaxPolicyStorageLimit(String callerPackageName, int storageLimit) {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return;
+ }
CallerIdentity caller = getCallerIdentity(callerPackageName);
enforcePermission(MANAGE_DEVICE_POLICY_STORAGE_LIMIT, caller.getPackageName(),
caller.getUserId());
@@ -24798,6 +24916,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public int getPolicySizeForAdmin(
String callerPackageName, android.app.admin.EnforcingAdmin admin) {
+ if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) {
+ return -1;
+ }
CallerIdentity caller = getCallerIdentity(callerPackageName);
enforcePermission(MANAGE_DEVICE_POLICY_STORAGE_LIMIT, caller.getPackageName(),
caller.getUserId());