Add a resource config to define a default supervision component.

Bug: 124066840 Test: manual (overlay resource with component name and confirm only that component can be set as profile owner after setup is complete) Change-Id: If67ca69f03fda35ee8a2d5a43e96a9f1e64d8886
author: Michael Wachenschwanz <mwachens@google.com> 2019-04-25 15:49:55 -0700
committer: Michael Wachenschwanz <mwachens@google.com> 2019-05-01 20:46:44 -0700
commit: 3e1e24afdef4188c8362b03622a0f0f32e520a48 (patch)
tree: d7fa36e2e3261b57ebd2e2d177ebf5511b10b0e6
parent: 81894407855a3a4769b966f857ea867092c358ac (diff)
3 files changed, 31 insertions, 3 deletions
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
index ccf8509c2f8f..bca0e937cb70 100644
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -4087,4 +4087,8 @@
     <integer-array name="config_face_acquire_vendor_biometricprompt_ignorelist" translatable="false" >
     </integer-array>
 
+    <!-- The component name for the default profile supervisor, which can be set as a profile owner
+    even after user setup is complete. The defined component should be used for supervision purposes
+    only. The component must be part of a system app. -->
+    <string name="config_defaultSupervisionProfileOwnerComponent" translatable="false"></string>
 </resources>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index 35113edbfcce..32bd58e20efa 100644
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -3781,4 +3781,6 @@
   <java-symbol type="dimen" name="chooser_direct_share_label_placeholder_max_width" />
   <java-symbol type="layout" name="chooser_az_label_row" />
   <java-symbol type="string" name="chooser_all_apps_button_label" />
+
+  <java-symbol type="string" name="config_defaultSupervisionProfileOwnerComponent" />
 </resources>
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index c5a206882695..22231c0ab09b 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -8034,6 +8034,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
             throw new IllegalArgumentException("Component " + who
                     + " not installed for userId:" + userHandle);
         }
+
         final boolean hasIncompatibleAccountsOrNonAdb =
                 hasIncompatibleAccountsOrNonAdbNoLock(userHandle, who);
         synchronized (getLockObject()) {
@@ -8539,9 +8540,30 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
             return;
         }
         enforceCanManageProfileAndDeviceOwners();
-        if ((mIsWatch || hasUserSetupCompleted(userHandle)) && !isCallerWithSystemUid()) {
-            throw new IllegalStateException("Cannot set the profile owner on a user which is "
-                    + "already set-up");
+
+        if ((mIsWatch || hasUserSetupCompleted(userHandle))) {
+            if (!isCallerWithSystemUid()) {
+                throw new IllegalStateException("Cannot set the profile owner on a user which is "
+                        + "already set-up");
+            }
+
+            if (!mIsWatch) {
+                // Only the default supervision profile owner can be set as profile owner after SUW
+                final String supervisor = mContext.getResources().getString(
+                        com.android.internal.R.string
+                                .config_defaultSupervisionProfileOwnerComponent);
+                if (supervisor == null) {
+                    throw new IllegalStateException("Unable to set profile owner post-setup, no"
+                            + "default supervisor profile owner defined");
+                }
+
+                final ComponentName supervisorComponent = ComponentName.unflattenFromString(
+                        supervisor);
+                if (!owner.equals(supervisorComponent)) {
+                    throw new IllegalStateException("Unable to set non-default profile owner"
+                            + " post-setup " + owner);
+                }
+            }
         }
     }
author	Michael Wachenschwanz <mwachens@google.com>	2019-04-25 15:49:55 -0700
committer	Michael Wachenschwanz <mwachens@google.com>	2019-05-01 20:46:44 -0700
commit	3e1e24afdef4188c8362b03622a0f0f32e520a48 (patch)
tree	d7fa36e2e3261b57ebd2e2d177ebf5511b10b0e6
parent	81894407855a3a4769b966f857ea867092c358ac (diff)