| author | 2023-05-09 16:30:18 +0000 | |
|---|---|---|
| committer | 2023-05-09 20:12:50 +0000 | |
| commit | a42e8e4bc7a956398232f116205f93b39b0ad78f (patch) | |
| tree | 172083eaf3f68f32ef7449f4d88cf8985dd4b8cf | |
| parent | d38421d06eeee42d7aab01c207a71f1eafd33722 (diff) | |
Migrate existing policies to the policy engine
Migrated policies that are stored in DPMS only
Fixes: 258811766
Bug: 273494642
Test: btest a.d.c.UserControlDisabledPackagesTest#setUserControlDisabledPackages_policyMigration_works*
Test: btest a.d.c.PermitInputMethodsTest#setPermittedInputMethods_policyMigration_works*
Test: btest a.d.c.AccountManagementTest#setAccountManagementDisabled_policyMigration_works*
Test: btest a.d.c.ScreenCaptureDisabledTest#setScreenCaptureDisabled_policyMigration_works*
Change-Id: I320ba9a56e66ce2bf1833ff6e33b1c3d9e36013e
Merged-In: I320ba9a56e66ce2bf1833ff6e33b1c3d9e36013e
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 193 | 
1 files changed, 169 insertions, 24 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 02c6d6849cca..85be10d424ba 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -12294,13 +12294,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {                  EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(                          who, MANAGE_DEVICE_POLICY_INPUT_METHODS,                          caller.getPackageName(), userId); -                mDevicePolicyEngine.setLocalPolicy( -                        PolicyDefinition.PERMITTED_INPUT_METHODS, -                        admin, -                        packageList == null -                                ? null -                                : new StringSetPolicyValue(new HashSet<>(packageList)), -                        userId); +                if (packageList == null) { +                    mDevicePolicyEngine.removeLocalPolicy( +                            PolicyDefinition.PERMITTED_INPUT_METHODS, +                            admin, +                            userId); +                } else { +                    mDevicePolicyEngine.setLocalPolicy( +                            PolicyDefinition.PERMITTED_INPUT_METHODS, +                            admin, +                            new StringSetPolicyValue(new HashSet<>(packageList)), +                            userId); +                }              } else {                  ActiveAdmin admin = getParentOfAdminIfRequired(                          getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()), 
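Review bot: The new `packageList == null` branch has no comment explaining why null goes to `removeLocalPolicy` while an empty list still reaches `setLocalPolicy` with an empty `StringSetPolicyValue`. That distinction decides whether a restriction stays in force, so it should be stated above the `if`: `// null clears this admin's restriction; an empty list is still a policy value and is stored.` The enclosing method starts and ends outside this hunk, so it is worth confirming that the legacy `else` branch treats null the same way.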
@@ -12337,14 +12342,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {          }          CallerIdentity caller; -        if (isPermissionCheckFlagEnabled()) { +        if (isPolicyEngineForFinanceFlagEnabled()) {              caller = getCallerIdentity(who, callerPackageName);          } else {              caller = getCallerIdentity(who);              Objects.requireNonNull(who, "ComponentName is null");          } -        if (!isPermissionCheckFlagEnabled()) { +        if (!isPolicyEngineForFinanceFlagEnabled()) {              if (calledOnParentInstance) {                  Preconditions.checkCallAuthorization(                          isProfileOwnerOfOrganizationOwnedDevice(caller)); @@ -14268,7 +14273,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {                      resultSet.add(accountType);                  }              } -          } else {              caller = getCallerIdentity();              Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userId)); 
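Review bot: The first hunk on this line switches only the two flag reads it shows to `isPolicyEngineForFinanceFlagEnabled()`, and the method continues outside the hunk. If a later branch there still reads `isPermissionCheckFlagEnabled()`, a caller could be resolved and authorized on one path while the policy is written on the other, so every flag read in the method should use the same flag. With only the permission-check flag on, the method now falls back to `getCallerIdentity(who)` and the `Preconditions.checkCallAuthorization` checks. If that is intended, a comment at the first check would record it, e.g. `// Gated on the finance flag only; the permission-check flag alone keeps the legacy authorization path.`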
@@ -24065,13 +24069,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {      private boolean hasNonTestOnlyActiveAdmins() {          return mInjector.binderWithCleanCallingIdentity(() -> {              for (UserInfo userInfo : mUserManager.getUsers()) { -                List<ComponentName> activeAdmins = getActiveAdmins(userInfo.id); -                if (activeAdmins == null) { -                    continue; -                } -                for (ComponentName admin : activeAdmins) { -                    if (!isAdminTestOnlyLocked(admin, userInfo.id)) { -                        return true; +                synchronized (getLockObject()) { +                    List<ComponentName> activeAdmins = getActiveAdmins(userInfo.id); +                    if (activeAdmins == null) { +                        continue; +                    } +                    for (ComponentName admin : activeAdmins) { +                        if (!isAdminTestOnlyLocked(admin, userInfo.id)) { +                            return true; +                        }                      }                  }              } @@ -24081,7 +24087,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {      private boolean shouldMigrateToDevicePolicyEngine() {          return mInjector.binderWithCleanCallingIdentity(() -> -                isPermissionCheckFlagEnabled() && !mOwners.isMigratedToPolicyEngine()); +                (isPermissionCheckFlagEnabled() || isPolicyEngineForFinanceFlagEnabled()) +                        && !mOwners.isMigratedToPolicyEngine());      }      /** 
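Review bot: In `hasNonTestOnlyActiveAdmins`, `synchronized (getLockObject())` is entered and released once per user, and `mUserManager.getUsers()` is read before any lock is held, so the result is not computed against one consistent view of the admin state. If that is intended, a comment should say so, e.g. `// Lock per user: isAdminTestOnlyLocked() needs the lock; a cross-user snapshot is not required here.` Otherwise the lock could be taken once around the whole loop, as `migratePoliciesToDevicePolicyEngine` does in this commit.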
@@ -24090,13 +24097,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {      private boolean migratePoliciesToDevicePolicyEngine() {          return mInjector.binderWithCleanCallingIdentity(() -> {              try { -                Slogf.i(LOG_TAG, "Started device policies migration to the device policy engine."); -                migrateAutoTimezonePolicy(); -                migratePermissionGrantStatePolicies(); -                // TODO(b/258811766): add migration logic for all policies +                synchronized (getLockObject()) { +                    Slogf.i(LOG_TAG, +                            "Started device policies migration to the device policy engine."); +                    if (isUnicornFlagEnabled()) { +                        migrateAutoTimezonePolicy(); +                        migratePermissionGrantStatePolicies(); +                    } +                    migrateScreenCapturePolicyLocked(); +                    migratePermittedInputMethodsPolicyLocked(); +                    migrateAccountManagementDisabledPolicyLocked(); +                    migrateUserControlDisabledPackagesLocked(); -                mOwners.markMigrationToPolicyEngine(); -                return true; +                    mOwners.markMigrationToPolicyEngine(); +                    return true; +                }              } catch (Exception e) {                  mDevicePolicyEngine.clearAllPolicies();                  Slogf.e(LOG_TAG, e, "Error occurred during device policy migration, will " 
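Review bot: `mOwners.markMigrationToPolicyEngine()` still runs unconditionally, although `migrateAutoTimezonePolicy()` and `migratePermissionGrantStatePolicies()` are now skipped when `isUnicornFlagEnabled()` is false. `shouldMigrateToDevicePolicyEngine()` (previous hunk) now also triggers on the finance flag alone and returns false once the marker is set. A device migrated with only the finance flag on would therefore appear never to migrate those two policies if the other flag is enabled later, which could leave them unenforced by the engine. The marker should be recorded per policy group, or set only when every group has run. At minimum the limitation should be documented at the call: `// NOTE: marks migration complete even if the isUnicornFlagEnabled() group was skipped; it is not retried later.` The method's `catch` block continues outside the hunk.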
@@ -24160,6 +24175,136 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {          }      } +    private void migrateScreenCapturePolicyLocked() { +        Binder.withCleanCallingIdentity(() -> { +            if (mPolicyCache.getScreenCaptureDisallowedUser() == UserHandle.USER_NULL) { +                return; +            } +            ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked(); +            if (admin != null +                    && ((isDeviceOwner(admin) && admin.disableScreenCapture) +                    || (admin.getParentActiveAdmin() != null +                    && admin.getParentActiveAdmin().disableScreenCapture))) { +                EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( +                        admin.info.getComponent(), +                        admin.getUserHandle().getIdentifier(), +                        admin); +                mDevicePolicyEngine.setGlobalPolicy( +                        PolicyDefinition.SCREEN_CAPTURE_DISABLED, +                        enforcingAdmin, +                        new BooleanPolicyValue(true)); +            } + +            List<UserInfo> users = mUserManager.getUsers(); +            for (UserInfo userInfo : users) { +                ActiveAdmin profileOwner = getProfileOwnerLocked(userInfo.id); +                if (profileOwner != null && profileOwner.disableScreenCapture) { +                    EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( +                            profileOwner.info.getComponent(), +                            profileOwner.getUserHandle().getIdentifier(), +                            profileOwner); +                    mDevicePolicyEngine.setLocalPolicy( +                            PolicyDefinition.SCREEN_CAPTURE_DISABLED, +                            enforcingAdmin, +                            new BooleanPolicyValue(true), +                            
profileOwner.getUserHandle().getIdentifier()); +                } +            } +        }); +    } + +    private void migratePermittedInputMethodsPolicyLocked() { +        Binder.withCleanCallingIdentity(() -> { +            List<UserInfo> users = mUserManager.getUsers(); +            for (UserInfo userInfo : users) { +                ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(userInfo.id); +                if (admin != null) { +                    EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( +                            admin.info.getComponent(), +                            admin.getUserHandle().getIdentifier(), +                            admin); +                    if (admin.permittedInputMethods != null) { +                        mDevicePolicyEngine.setLocalPolicy( +                                PolicyDefinition.PERMITTED_INPUT_METHODS, +                                enforcingAdmin, +                                new StringSetPolicyValue( +                                        new HashSet<>(admin.permittedInputMethods)), +                                admin.getUserHandle().getIdentifier()); +                    } +                    if (admin.getParentActiveAdmin() != null +                            && admin.getParentActiveAdmin().permittedInputMethods != null) { +                        mDevicePolicyEngine.setLocalPolicy( +                                PolicyDefinition.PERMITTED_INPUT_METHODS, +                                enforcingAdmin, +                                new StringSetPolicyValue( +                                        new HashSet<>(admin.getParentActiveAdmin() +                                                .permittedInputMethods)), +                                getProfileParentId(admin.getUserHandle().getIdentifier())); +                    } +                } +            } +        }); +    } + +    private void migrateAccountManagementDisabledPolicyLocked() { +   
     Binder.withCleanCallingIdentity(() -> { +            List<UserInfo> users = mUserManager.getUsers(); +            for (UserInfo userInfo : users) { +                ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(userInfo.id); +                if (admin != null) { +                    EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( +                            admin.info.getComponent(), +                            admin.getUserHandle().getIdentifier(), +                            admin); +                    for (String accountType : admin.accountTypesWithManagementDisabled) { +                        mDevicePolicyEngine.setLocalPolicy( +                                PolicyDefinition.ACCOUNT_MANAGEMENT_DISABLED(accountType), +                                enforcingAdmin, +                                new BooleanPolicyValue(true), +                                admin.getUserHandle().getIdentifier()); +                    } +                    if (admin.getParentActiveAdmin() != null) { +                        for (String accountType : admin.getParentActiveAdmin() +                                .accountTypesWithManagementDisabled) { +                            mDevicePolicyEngine.setLocalPolicy( +                                    PolicyDefinition.ACCOUNT_MANAGEMENT_DISABLED(accountType), +                                    enforcingAdmin, +                                    new BooleanPolicyValue(true), +                                    getProfileParentId(admin.getUserHandle().getIdentifier())); +                        } +                    } +                } +            } +        }); +    } +     +    private void migrateUserControlDisabledPackagesLocked() { +        Binder.withCleanCallingIdentity(() -> { +            List<UserInfo> users = mUserManager.getUsers(); +            for (UserInfo userInfo : users) { +                ActiveAdmin admin = 
getProfileOwnerOrDeviceOwnerLocked(userInfo.id); +                if (admin != null && admin.protectedPackages != null) { +                    EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( +                            admin.info.getComponent(), +                            admin.getUserHandle().getIdentifier(), +                            admin); +                    if (isDeviceOwner(admin)) { +                        mDevicePolicyEngine.setGlobalPolicy( +                                PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES, +                                enforcingAdmin, +                                new StringSetPolicyValue(new HashSet<>(admin.protectedPackages))); +                    } else { +                        mDevicePolicyEngine.setLocalPolicy( +                                PolicyDefinition.USER_CONTROLLED_DISABLED_PACKAGES, +                                enforcingAdmin, +                                new StringSetPolicyValue(new HashSet<>(admin.protectedPackages)), +                                admin.getUserHandle().getIdentifier()); +                    } +                } +            } +        }); +    } +      private List<PackageInfo> getInstalledPackagesOnUser(int userId) {          return mInjector.binderWithCleanCallingIdentity(() ->                  mContext.getPackageManager().getInstalledPackagesAsUser(  |
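Review bot: The four new `migrate*Locked` methods wrap their bodies in the static `Binder.withCleanCallingIdentity(...)`, while the rest of the file visible here goes through `mInjector.binderWithCleanCallingIdentity(...)`. Their only visible caller, `migratePoliciesToDevicePolicyEngine`, already runs inside that injector wrapper, so the inner call looks redundant and bypasses the injector. I would drop the inner wrapper or write `mInjector.binderWithCleanCallingIdentity(() -> {` for consistency. Each method should also get a one-line comment stating that the caller must hold `getLockObject()`, since only the `Locked` suffix says so. Separately, `accountTypesWithManagementDisabled` is iterated without the null check that `permittedInputMethods` and `protectedPackages` get. If it can be null, the resulting exception would reach the caller's `catch` and clear all migrated policies, so it is worth confirming that it is always initialised.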