Prevent installing apps in policy restricted work profile using ADB

If DISALLOW_DEBUGGING_FEATURES or DISALLOW_INSTALL_APPS restrictions are set on a work profile, prevent side loading of APKs using ADB in the work profile. Bug: 257443065 Test: atest CtsPackageInstallTestCases:UserRestrictionInstallTest Merged-In: I169a1f72c84528ca606b6a4da165d4fbcd02b08d Change-Id: I169a1f72c84528ca606b6a4da165d4fbcd02b08d (cherry picked from commit febe3918020a94b2af48ade98eb6a49cdd4a3bdf)
author: Sumedh Sen <sumedhsen@google.com> 2023-03-23 16:29:47 -0700
committer: Sumedh Sen <sumedhsen@google.com> 2023-04-13 20:34:32 +0000
commit: 4b755a5a0b428d5d06aac9481d517a91db84fa0d (patch)
tree: ef8f0080d9619f30412eb81f614f1d64caab6d52
parent: f304ffc940529866ac613b9e131a594a10154e28 (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index 5f424edb15c4..131eeca1b3a9 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -2265,10 +2265,26 @@ final class InstallPackageHelper {
                     // The caller explicitly specified INSTALL_ALL_USERS flag.
                     // Thus, updating the settings to install the app for all users.
                     for (int currentUserId : allUsers) {
-                        ps.setInstalled(true, currentUserId);
-                        if (!installRequest.isApplicationEnabledSettingPersistent()) {
-                            ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, currentUserId,
-                                    installerPackageName);
+                        // If the app is already installed for the currentUser,
+                        // keep it as installed as we might be updating the app at this place.
+                        // If not currently installed, check if the currentUser is restricted by
+                        // DISALLOW_INSTALL_APPS or DISALLOW_DEBUGGING_FEATURES device policy.
+                        // Install / update the app if the user isn't restricted. Skip otherwise.
+                        final boolean installedForCurrentUser = ArrayUtils.contains(
+                                installedForUsers, currentUserId);
+                        final boolean restrictedByPolicy =
+                                mPm.isUserRestricted(currentUserId,
+                                        UserManager.DISALLOW_INSTALL_APPS)
+                                || mPm.isUserRestricted(currentUserId,
+                                        UserManager.DISALLOW_DEBUGGING_FEATURES);
+                        if (installedForCurrentUser || !restrictedByPolicy) {
+                            ps.setInstalled(true, currentUserId);
+                            if (!installRequest.isApplicationEnabledSettingPersistent()) {
+                                ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, currentUserId,
+                                        installerPackageName);
+                            }
+                        } else {
+                            ps.setInstalled(false, currentUserId);
                         }
                     }
                 }
author	Sumedh Sen <sumedhsen@google.com>	2023-03-23 16:29:47 -0700
committer	Sumedh Sen <sumedhsen@google.com>	2023-04-13 20:34:32 +0000
commit	4b755a5a0b428d5d06aac9481d517a91db84fa0d (patch)
tree	ef8f0080d9619f30412eb81f614f1d64caab6d52
parent	f304ffc940529866ac613b9e131a594a10154e28 (diff)