Migrate personal apps suspension to policy engine

Bug: 273494642 Bug: 251401809 Test: atest OrgOwnedProfileOwnerTest Test: btest android.devicepolicy.cts.DeviceManagementCoexistenceTest Change-Id: I75f49a6046f1dd8e329f54abb8d872ab001f9f4a
author: Kholoud Mohamed <kholoudm@google.com> 2023-05-03 15:42:48 +0000
committer: Kholoud Mohamed <kholoudm@google.com> 2023-05-04 07:56:13 +0000
commit: fe8a834a6efcc6378778ed515be24e857dd811c0 (patch)
tree: c08eb96209dcd4afb97f4ae5d9336b041a2dc4ba
parent: 3b2c9426e492a517da8bdbc95781574c38a81b2d (diff)
4 files changed, 67 insertions, 12 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 97987096fa86..debfedcd1806 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3435,7 +3435,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
             // Given that the parent user has just started, profile should be locked.
             updatePersonalAppsSuspension(profileUserHandle, false /* unlocked */);
         } else {
-            suspendPersonalAppsInternal(userHandle, false);
+            suspendPersonalAppsInternal(userHandle, profileUserHandle, false);
         }
     }
 
@@ -7714,7 +7714,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         }
 
         // Unsuspend personal apps if needed.
-        suspendPersonalAppsInternal(parentId, false);
+        suspendPersonalAppsInternal(parentId, getManagedUserId(parentId), false);
 
         // Notify FRP agent, LSS and WindowManager to ensure they don't hold on to stale policies.
         final int frpAgentUid = getFrpManagementAgentUid();
@@ -20845,7 +20845,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         }
 
         final int parentUserId = getProfileParentId(profileUserId);
-        suspendPersonalAppsInternal(parentUserId, shouldSuspend);
+        suspendPersonalAppsInternal(parentUserId, profileUserId, shouldSuspend);
         return shouldSuspend;
     }
 
@@ -20929,23 +20929,40 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         return notificationState;
     }
 
-    private void suspendPersonalAppsInternal(int userId, boolean suspended) {
-        if (getUserData(userId).mAppsSuspended == suspended) {
+    private void suspendPersonalAppsInternal(
+            int parentUserId, int profileUserId, boolean suspended) {
+        if (getUserData(parentUserId).mAppsSuspended == suspended) {
             return;
         }
         Slogf.i(LOG_TAG, "%s personal apps for user %d", suspended ? "Suspending" : "Unsuspending",
-                userId);
+                parentUserId);
 
-        if (suspended) {
-            suspendPersonalAppsInPackageManager(userId);
+        if (isPolicyEngineForFinanceFlagEnabled()) {
+            // TODO(b/280602237): migrate properly
+            ActiveAdmin profileOwner = getProfileOwnerAdminLocked(profileUserId);
+            if (profileOwner != null) {
+                EnforcingAdmin admin = EnforcingAdmin.createEnterpriseEnforcingAdmin(
+                        profileOwner.info.getComponent(),
+                        profileUserId,
+                        profileOwner);
+                mDevicePolicyEngine.setLocalPolicy(
+                        PolicyDefinition.PERSONAL_APPS_SUSPENDED,
+                        admin,
+                        new BooleanPolicyValue(suspended),
+                        parentUserId);
+            }
         } else {
-            mInjector.getPackageManagerInternal().unsuspendForSuspendingPackage(
-                    PLATFORM_PACKAGE_NAME, userId);
+            if (suspended) {
+                suspendPersonalAppsInPackageManager(parentUserId);
+            } else {
+                mInjector.getPackageManagerInternal().unsuspendForSuspendingPackage(
+                        PLATFORM_PACKAGE_NAME, parentUserId);
+            }
         }
 
         synchronized (getLockObject()) {
-            getUserData(userId).mAppsSuspended = suspended;
-            saveSettingsLocked(userId);
+            getUserData(parentUserId).mAppsSuspended = suspended;
+            saveSettingsLocked(parentUserId);
         }
     }
 
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java
index 17c84f9916dd..8030bb7b4fd9 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyDefinition.java
@@ -323,6 +323,14 @@ final class PolicyDefinition<V> {
             PolicyEnforcerCallbacks::setScreenCaptureDisabled,
             new BooleanPolicySerializer());
 
+    static PolicyDefinition<Boolean> PERSONAL_APPS_SUSPENDED = new PolicyDefinition<>(
+            new NoArgsPolicyKey(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY),
+            new MostRecent<>(),
+            POLICY_FLAG_LOCAL_ONLY_POLICY,
+            PolicyEnforcerCallbacks::setPersonalAppsSuspended,
+            new BooleanPolicySerializer());
+
+
     private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>();
     private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>();
 
@@ -352,6 +360,8 @@ final class PolicyDefinition<V> {
                 PERMITTED_INPUT_METHODS);
         POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY,
                 SCREEN_CAPTURE_DISABLED);
+        POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY,
+                PERSONAL_APPS_SUSPENDED);
 
         // User Restriction Policies
         USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MODIFY_ACCOUNTS, /* flags= */ 0);
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
index 816a9848d5b3..454337fcf141 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
@@ -16,6 +16,8 @@
 
 package com.android.server.devicepolicy;
 
+import static com.android.server.pm.PackageManagerService.PLATFORM_PACKAGE_NAME;
+
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.app.AppGlobals;
@@ -46,6 +48,7 @@ import android.util.Slog;
 import android.view.IWindowManager;
 
 import com.android.internal.os.BackgroundThread;
+import com.android.internal.util.ArrayUtils;
 import com.android.server.LocalServices;
 import com.android.server.pm.UserManagerInternal;
 import com.android.server.utils.Slogf;
@@ -275,4 +278,28 @@ final class PolicyEnforcerCallbacks {
             }
         });
     }
+
+    static boolean setPersonalAppsSuspended(
+            @Nullable Boolean suspended, @NonNull Context context, int userId,
+            @NonNull PolicyKey policyKey) {
+        Binder.withCleanCallingIdentity(() -> {
+            if (suspended != null && suspended) {
+                suspendPersonalAppsInPackageManager(context, userId);
+            } else {
+                LocalServices.getService(PackageManagerInternal.class)
+                        .unsuspendForSuspendingPackage(PLATFORM_PACKAGE_NAME, userId);
+            }
+        });
+        return true;
+    }
+
+    private static void suspendPersonalAppsInPackageManager(Context context, int userId) {
+        final String[] appsToSuspend = PersonalAppsSuspensionHelper.forUser(context, userId)
+                .getPersonalAppsForSuspension();
+        final String[] failedApps = LocalServices.getService(PackageManagerInternal.class)
+                .setPackagesSuspendedByAdmin(userId, appsToSuspend, true);
+        if (!ArrayUtils.isEmpty(failedApps)) {
+            Slogf.wtf(LOG_TAG, "Failed to suspend apps: " + String.join(",", failedApps));
+        }
+    }
 }
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 57755a9525fc..2ea56f659297 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -7497,6 +7497,7 @@ public class DevicePolicyManagerTest extends DpmTestBase {
      * Tests the case when the user turns the profile back on when the apps are already suspended.
      */
     @Test
+    @Ignore("b/277916462")
     public void testMaximumProfileTimeOff_turnOnAfterDeadline() throws Exception {
         prepareMocksForSetMaximumProfileTimeOff();
author	Kholoud Mohamed <kholoudm@google.com>	2023-05-03 15:42:48 +0000
committer	Kholoud Mohamed <kholoudm@google.com>	2023-05-04 07:56:13 +0000
commit	fe8a834a6efcc6378778ed515be24e857dd811c0 (patch)
tree	c08eb96209dcd4afb97f4ae5d9336b041a2dc4ba
parent	3b2c9426e492a517da8bdbc95781574c38a81b2d (diff)