22 files changed, 397 insertions, 101 deletions
diff --git a/core/api/current.txt b/core/api/current.txt index ddfd364cc55d..4e6dacff290e 100644 --- a/core/api/current.txt +++ b/core/api/current.txt @@ -7964,13 +7964,13 @@ package android.app.admin { field public static final String LOCK_TASK_POLICY = "lockTask"; field public static final String PACKAGES_SUSPENDED_POLICY = "packagesSuspended"; field public static final String PACKAGE_UNINSTALL_BLOCKED_POLICY = "packageUninstallBlocked"; - field public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity"; + field @FlaggedApi("android.app.admin.flags.policy_engine_migration_v2_enabled") public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity"; field public static final String PERMISSION_GRANT_POLICY = "permissionGrant"; field public static final String PERSISTENT_PREFERRED_ACTIVITY_POLICY = "persistentPreferredActivity"; field public static final String RESET_PASSWORD_TOKEN_POLICY = "resetPasswordToken"; field public static final String SECURITY_LOGGING_POLICY = "securityLogging"; field public static final String STATUS_BAR_DISABLED_POLICY = "statusBarDisabled"; - field public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling"; + field @FlaggedApi("android.app.admin.flags.policy_engine_migration_v2_enabled") public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling"; field public static final String USER_CONTROL_DISABLED_PACKAGES_POLICY = "userControlDisabledPackages"; } diff --git a/core/api/test-current.txt b/core/api/test-current.txt index a1aa679f01a9..009d08245da2 100644 --- a/core/api/test-current.txt +++ b/core/api/test-current.txt 
@@ -597,19 +597,19 @@ package android.app.admin { method @RequiresPermission(android.Manifest.permission.FORCE_DEVICE_POLICY_MANAGER_LOGS) public long forceNetworkLogs(); method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public void forceRemoveActiveAdmin(@NonNull android.content.ComponentName, int); method @RequiresPermission(android.Manifest.permission.FORCE_DEVICE_POLICY_MANAGER_LOGS) public long forceSecurityLogs(); - method @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public void forceSetMaxPolicyStorageLimit(int); + method @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public void forceSetMaxPolicyStorageLimit(int); method public void forceUpdateUserSetupComplete(int); method @NonNull public java.util.Set<java.lang.String> getDefaultCrossProfilePackages(); method @Deprecated public int getDeviceOwnerType(@NonNull android.content.ComponentName); method @Nullable public String getDevicePolicyManagementRoleHolderUpdaterPackage(); method @NonNull public java.util.Set<java.lang.String> getDisallowedSystemApps(@NonNull android.content.ComponentName, int, @NonNull String); - method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public int getHeadlessDeviceOwnerMode(); + method @FlaggedApi("android.app.admin.flags.headless_device_owner_provisioning_fix_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public int getHeadlessDeviceOwnerMode(); method public long getLastBugReportRequestTime(); method public long getLastNetworkLogRetrievalTime(); method public long getLastSecurityLogRetrievalTime(); method public java.util.List<java.lang.String> getOwnerInstalledCaCerts(@NonNull android.os.UserHandle); method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_ADMINS) public 
java.util.Set<java.lang.String> getPolicyExemptApps(); - method @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public int getPolicySizeForAdmin(@NonNull android.app.admin.EnforcingAdmin); + method @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") @RequiresPermission("android.permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT") public int getPolicySizeForAdmin(@NonNull android.app.admin.EnforcingAdmin); method public boolean isCurrentInputMethodSetByOwner(); method public boolean isFactoryResetProtectionPolicySupported(); method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.INTERACT_ACROSS_USERS}) public boolean isNewUserDisclaimerAcknowledged(); @@ -680,7 +680,7 @@ package android.app.admin { } public final class EnforcingAdmin implements android.os.Parcelable { - ctor public EnforcingAdmin(@NonNull String, @NonNull android.app.admin.Authority, @NonNull android.os.UserHandle, @Nullable android.content.ComponentName); + ctor @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_internal_bug_fix_enabled") public EnforcingAdmin(@NonNull String, @NonNull android.app.admin.Authority, @NonNull android.os.UserHandle, @Nullable android.content.ComponentName); } public final class FlagUnion extends android.app.admin.ResolutionMechanism<java.lang.Integer> { diff --git a/core/java/android/app/admin/AccountTypePolicyKey.java b/core/java/android/app/admin/AccountTypePolicyKey.java index 515c1c66b2a3..02e492bb06aa 100644 --- a/core/java/android/app/admin/AccountTypePolicyKey.java +++ b/core/java/android/app/admin/AccountTypePolicyKey.java @@ -24,6 +24,7 @@ import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.SystemApi; import android.annotation.TestApi; +import android.app.admin.flags.Flags; import android.os.Bundle; import android.os.Parcel; 
@@ -53,7 +54,9 @@ public final class AccountTypePolicyKey extends PolicyKey { @TestApi public AccountTypePolicyKey(@NonNull String key, @NonNull String accountType) { super(key); - PolicySizeVerifier.enforceMaxStringLength(accountType, "accountType"); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxStringLength(accountType, "accountType"); + } mAccountType = Objects.requireNonNull((accountType)); } diff --git a/core/java/android/app/admin/BundlePolicyValue.java b/core/java/android/app/admin/BundlePolicyValue.java index 00e67e64502a..c993671f4fc1 100644 --- a/core/java/android/app/admin/BundlePolicyValue.java +++ b/core/java/android/app/admin/BundlePolicyValue.java @@ -18,6 +18,7 @@ package android.app.admin; import android.annotation.NonNull; import android.annotation.Nullable; +import android.app.admin.flags.Flags; import android.os.Bundle; import android.os.Parcel; @@ -30,7 +31,9 @@ public final class BundlePolicyValue extends PolicyValue<Bundle> { public BundlePolicyValue(Bundle value) { super(value); - PolicySizeVerifier.enforceMaxBundleFieldsLength(value); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxBundleFieldsLength(value); + } } private BundlePolicyValue(Parcel source) { diff --git a/core/java/android/app/admin/ComponentNamePolicyValue.java b/core/java/android/app/admin/ComponentNamePolicyValue.java index f092b7bb5538..a7a2f7d27e0d 100644 --- a/core/java/android/app/admin/ComponentNamePolicyValue.java +++ b/core/java/android/app/admin/ComponentNamePolicyValue.java @@ -18,6 +18,7 @@ package android.app.admin; import android.annotation.NonNull; import android.annotation.Nullable; +import android.app.admin.flags.Flags; import android.content.ComponentName; import android.os.Parcel; 
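Review bot: With `devicePolicySizeTrackingInternalBugFixEnabled()` off, the `AccountTypePolicyKey` constructor accepts an `accountType` of any length, because the only bound on the string now sits inside the flag check; nothing in the hunk shows whether another layer still limits it. The same gating is applied in BundlePolicyValue, ComponentNamePolicyValue, LockTaskPolicy, PackagePermissionPolicyKey, PackagePolicyKey, PackageSetPolicyValue, StringPolicyValue and UserRestrictionPolicyKey, so this note covers all of them. A short comment above the check would record the intent, e.g. `// Length limits belong to policy size tracking; values are unbounded while the flag is off.` Separately, the length check runs before `Objects.requireNonNull((accountType))`, so a null argument reaches `enforceMaxStringLength` first when the flag is on; moving the null check up would presumably make the failure mode the same in both flag states.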
@@ -30,7 +31,9 @@ public final class ComponentNamePolicyValue extends PolicyValue<ComponentName> { public ComponentNamePolicyValue(@NonNull ComponentName value) { super(value); - PolicySizeVerifier.enforceMaxComponentNameLength(value); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxComponentNameLength(value); + } } private ComponentNamePolicyValue(Parcel source) { diff --git a/core/java/android/app/admin/DevicePolicyIdentifiers.java b/core/java/android/app/admin/DevicePolicyIdentifiers.java index c0e435c04d3c..156512a90295 100644 --- a/core/java/android/app/admin/DevicePolicyIdentifiers.java +++ b/core/java/android/app/admin/DevicePolicyIdentifiers.java @@ -16,6 +16,8 @@ package android.app.admin; +import static android.app.admin.flags.Flags.FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED; + import android.annotation.FlaggedApi; import android.annotation.NonNull; import android.annotation.SystemApi; @@ -183,11 +185,13 @@ public final class DevicePolicyIdentifiers { /** * String identifier for {@link DevicePolicyManager#setUsbDataSignalingEnabled}. */ + @FlaggedApi(FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED) public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling"; /** * String identifier for {@link DevicePolicyManager#setRequiredPasswordComplexity}. */ + @FlaggedApi(FLAG_POLICY_ENGINE_MIGRATION_V2_ENABLED) public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity"; /** diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 0f54cb7bc35e..d31d8f27844a 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java 
@@ -54,8 +54,10 @@ import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY; import static android.Manifest.permission.SET_TIME; import static android.Manifest.permission.SET_TIME_ZONE; import static android.app.admin.DeviceAdminInfo.HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED; +import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED; import static android.app.admin.flags.Flags.FLAG_DEVICE_THEFT_API_ENABLED; import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_ENABLED; +import static android.app.admin.flags.Flags.FLAG_HEADLESS_DEVICE_OWNER_PROVISIONING_FIX_ENABLED; import static android.app.admin.flags.Flags.onboardingBugreportV2Enabled; import static android.app.admin.flags.Flags.onboardingConsentlessBugreports; import static android.app.admin.flags.Flags.FLAG_IS_MTE_POLICY_ENFORCED; @@ -10476,6 +10478,10 @@ public class DevicePolicyManager { @WorkerThread public void setApplicationRestrictions(@Nullable ComponentName admin, String packageName, Bundle settings) { + if (!Flags.dmrhSetAppRestrictions()) { + throwIfParentInstance("setApplicationRestrictions"); + } + if (mService != null) { try { mService.setApplicationRestrictions(admin, mContext.getPackageName(), packageName, @@ -11880,6 +11886,9 @@ public class DevicePolicyManager { @WorkerThread public @NonNull Bundle getApplicationRestrictions( @Nullable ComponentName admin, String packageName) { + if (!Flags.dmrhSetAppRestrictions()) { + throwIfParentInstance("getApplicationRestrictions"); + } if (mService != null) { try { 
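Review bot: When `dmrhSetAppRestrictions()` is on, `setApplicationRestrictions` and `getApplicationRestrictions` no longer reject a parent-profile instance, yet the visible part of the binder call, `mService.setApplicationRestrictions(admin, mContext.getPackageName(), packageName,`, shows no parent-instance argument. If the remainder of the call (outside the hunk) does not forward that state, a caller holding the object returned by `getParentProfileInstance` would have its restrictions applied to its own user rather than the parent, with no error. The manager class is not an enforcement point in either flag state, so the service side has to validate on its own whether the caller may act on the parent. A comment on each guard stating which side enforces the parent case would help, e.g. `// Parent instances are accepted only with dmrh_set_app_restrictions; the service validates the caller.`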
@@ -14224,11 +14233,21 @@ public class DevicePolicyManager { */ public @NonNull DevicePolicyManager getParentProfileInstance(@NonNull ComponentName admin) { throwIfParentInstance("getParentProfileInstance"); - UserManager um = mContext.getSystemService(UserManager.class); - if (!um.isManagedProfile()) { - throw new SecurityException("The current user does not have a parent profile."); + try { + if (Flags.dmrhSetAppRestrictions()) { + UserManager um = mContext.getSystemService(UserManager.class); + if (!um.isManagedProfile()) { + throw new SecurityException("The current user does not have a parent profile."); + } + } else { + if (!mService.isManagedProfile(admin)) { + throw new SecurityException("The current user does not have a parent profile."); + } + } + return new DevicePolicyManager(mContext, mService, true); + } catch (RemoteException e) { + throw e.rethrowFromSystemServer(); } - return new DevicePolicyManager(mContext, mService, true); } /** @@ -17790,6 +17809,7 @@ public class DevicePolicyManager { */ @TestApi @RequiresPermission(permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT) + @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED) public void forceSetMaxPolicyStorageLimit(int storageLimit) { if (mService != null) { try { @@ -17807,6 +17827,7 @@ public class DevicePolicyManager { */ @TestApi @RequiresPermission(permission.MANAGE_DEVICE_POLICY_STORAGE_LIMIT) + @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED) public int getPolicySizeForAdmin(@NonNull EnforcingAdmin admin) { if (mService != null) { try { 
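Review bot: The flag-off branch of `getParentProfileInstance` calls `mService.isManagedProfile(admin)` without the `if (mService != null)` guard that the other methods in this file use, so a missing service would surface as a NullPointerException rather than a defined result. Both branches also throw the identical SecurityException; computing the result once and throwing in one place keeps the message from diverging, e.g. `boolean managed = Flags.dmrhSetAppRestrictions() ? um.isManagedProfile() : mService.isManagedProfile(admin);` followed by a single `if (!managed) { throw new SecurityException(...); }`. In the flag-on branch the `admin` argument is not consulted at all, which is worth stating in the method's Javadoc (outside this hunk).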
@@ -17825,9 +17846,13 @@ public class DevicePolicyManager { * @hide */ @TestApi + @FlaggedApi(FLAG_HEADLESS_DEVICE_OWNER_PROVISIONING_FIX_ENABLED) @RequiresPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) @DeviceAdminInfo.HeadlessDeviceOwnerMode public int getHeadlessDeviceOwnerMode() { + if (!Flags.headlessDeviceOwnerProvisioningFixEnabled()) { + return HEADLESS_DEVICE_OWNER_MODE_UNSUPPORTED; + } if (mService != null) { try { return mService.getHeadlessDeviceOwnerMode(mContext.getPackageName()); diff --git a/core/java/android/app/admin/EnforcingAdmin.java b/core/java/android/app/admin/EnforcingAdmin.java index 5f9bb9c22893..f70a53f61671 100644 --- a/core/java/android/app/admin/EnforcingAdmin.java +++ b/core/java/android/app/admin/EnforcingAdmin.java @@ -16,6 +16,9 @@ package android.app.admin; +import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED; + +import android.annotation.FlaggedApi; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.SystemApi; @@ -61,6 +64,7 @@ public final class EnforcingAdmin implements Parcelable { * * @hide */ + @FlaggedApi(FLAG_DEVICE_POLICY_SIZE_TRACKING_INTERNAL_BUG_FIX_ENABLED) @TestApi public EnforcingAdmin( @NonNull String packageName, @NonNull Authority authority, diff --git a/core/java/android/app/admin/LockTaskPolicy.java b/core/java/android/app/admin/LockTaskPolicy.java index ab32d46a05ad..68b4ad84d81a 100644 --- a/core/java/android/app/admin/LockTaskPolicy.java +++ b/core/java/android/app/admin/LockTaskPolicy.java @@ -19,6 +19,7 @@ package android.app.admin; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.SystemApi; +import android.app.admin.flags.Flags; import android.os.Parcel; import android.os.Parcelable; 
@@ -134,8 +135,10 @@ public final class LockTaskPolicy extends PolicyValue<LockTaskPolicy> { } private void setPackagesInternal(Set<String> packages) { - for (String p : packages) { - PolicySizeVerifier.enforceMaxPackageNameLength(p); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + for (String p : packages) { + PolicySizeVerifier.enforceMaxPackageNameLength(p); + } } mPackages = new HashSet<>(packages); } diff --git a/core/java/android/app/admin/PackagePermissionPolicyKey.java b/core/java/android/app/admin/PackagePermissionPolicyKey.java index 226c576d9bc3..1a04f6c908bc 100644 --- a/core/java/android/app/admin/PackagePermissionPolicyKey.java +++ b/core/java/android/app/admin/PackagePermissionPolicyKey.java @@ -25,6 +25,7 @@ import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.SystemApi; import android.annotation.TestApi; +import android.app.admin.flags.Flags; import android.os.Bundle; import android.os.Parcel; import android.os.Parcelable; @@ -58,8 +59,10 @@ public final class PackagePermissionPolicyKey extends PolicyKey { public PackagePermissionPolicyKey(@NonNull String identifier, @NonNull String packageName, @NonNull String permissionName) { super(identifier); - PolicySizeVerifier.enforceMaxPackageNameLength(packageName); - PolicySizeVerifier.enforceMaxStringLength(permissionName, "permissionName"); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxPackageNameLength(packageName); + PolicySizeVerifier.enforceMaxStringLength(permissionName, "permissionName"); + } mPackageName = Objects.requireNonNull((packageName)); mPermissionName = Objects.requireNonNull((permissionName)); } diff --git a/core/java/android/app/admin/PackagePolicyKey.java b/core/java/android/app/admin/PackagePolicyKey.java index 8fa21dbb0a2e..9e31a23aec91 100644 --- a/core/java/android/app/admin/PackagePolicyKey.java +++ b/core/java/android/app/admin/PackagePolicyKey.java 
@@ -24,6 +24,7 @@ import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.SystemApi; import android.annotation.TestApi; +import android.app.admin.flags.Flags; import android.os.Bundle; import android.os.Parcel; import android.os.Parcelable; @@ -54,7 +55,9 @@ public final class PackagePolicyKey extends PolicyKey { @TestApi public PackagePolicyKey(@NonNull String key, @NonNull String packageName) { super(key); - PolicySizeVerifier.enforceMaxPackageNameLength(packageName); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxPackageNameLength(packageName); + } mPackageName = Objects.requireNonNull((packageName)); } diff --git a/core/java/android/app/admin/PackageSetPolicyValue.java b/core/java/android/app/admin/PackageSetPolicyValue.java index 24c50b0994d7..8b253a23a299 100644 --- a/core/java/android/app/admin/PackageSetPolicyValue.java +++ b/core/java/android/app/admin/PackageSetPolicyValue.java @@ -18,6 +18,7 @@ package android.app.admin; import android.annotation.NonNull; import android.annotation.Nullable; +import android.app.admin.flags.Flags; import android.os.Parcel; import java.util.HashSet; @@ -31,8 +32,10 @@ public final class PackageSetPolicyValue extends PolicyValue<Set<String>> { public PackageSetPolicyValue(@NonNull Set<String> value) { super(value); - for (String packageName : value) { - PolicySizeVerifier.enforceMaxPackageNameLength(packageName); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + for (String packageName : value) { + PolicySizeVerifier.enforceMaxPackageNameLength(packageName); + } } } diff --git a/core/java/android/app/admin/StringPolicyValue.java b/core/java/android/app/admin/StringPolicyValue.java index bb07c23163ea..6efe9ad0dbed 100644 --- a/core/java/android/app/admin/StringPolicyValue.java +++ b/core/java/android/app/admin/StringPolicyValue.java 
@@ -18,6 +18,7 @@ package android.app.admin; import android.annotation.NonNull; import android.annotation.Nullable; +import android.app.admin.flags.Flags; import android.os.Parcel; import java.util.Objects; @@ -29,7 +30,9 @@ public final class StringPolicyValue extends PolicyValue<String> { public StringPolicyValue(@NonNull String value) { super(value); - PolicySizeVerifier.enforceMaxStringLength(value, "policyValue"); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxStringLength(value, "policyValue"); + } } private StringPolicyValue(Parcel source) { diff --git a/core/java/android/app/admin/UserRestrictionPolicyKey.java b/core/java/android/app/admin/UserRestrictionPolicyKey.java index 16cfba4414d5..9054287cb7a0 100644 --- a/core/java/android/app/admin/UserRestrictionPolicyKey.java +++ b/core/java/android/app/admin/UserRestrictionPolicyKey.java @@ -21,6 +21,7 @@ import static android.app.admin.PolicyUpdateReceiver.EXTRA_POLICY_KEY; import android.annotation.NonNull; import android.annotation.SystemApi; import android.annotation.TestApi; +import android.app.admin.flags.Flags; import android.os.Bundle; import android.os.Parcel; @@ -44,7 +45,9 @@ public final class UserRestrictionPolicyKey extends PolicyKey { @TestApi public UserRestrictionPolicyKey(@NonNull String identifier, @NonNull String restriction) { super(identifier); - PolicySizeVerifier.enforceMaxStringLength(restriction, "restriction"); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxStringLength(restriction, "restriction"); + } mRestriction = Objects.requireNonNull(restriction); } diff --git a/core/java/android/app/admin/flags/flags.aconfig b/core/java/android/app/admin/flags/flags.aconfig index e940a7bb96ad..edbbd5b22ddd 100644 --- a/core/java/android/app/admin/flags/flags.aconfig +++ b/core/java/android/app/admin/flags/flags.aconfig 
@@ -4,7 +4,6 @@ package: "android.app.admin.flags" container: "system" -# Fully rolled out and must not be used. flag { name: "policy_engine_migration_v2_enabled" is_exported: true @@ -29,6 +28,16 @@ flag { } flag { + name: "device_policy_size_tracking_internal_bug_fix_enabled" + namespace: "enterprise" + description: "Bug fix for tracking the total policy size and have a max threshold" + bug: "281543351" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { name: "onboarding_bugreport_v2_enabled" is_exported: true namespace: "enterprise" @@ -68,6 +77,13 @@ flag { } flag { + name: "permission_migration_for_zero_trust_impl_enabled" + namespace: "enterprise" + description: "(Implementation) Migrate existing APIs to permission based, and enable DMRH to call them to collect Zero Trust signals." + bug: "289520697" +} + +flag { name: "device_theft_api_enabled" is_exported: true namespace: "enterprise" @@ -210,6 +226,33 @@ flag { } flag { + name: "headless_device_owner_provisioning_fix_enabled" + namespace: "enterprise" + description: "Fix provisioning for single-user headless DO" + bug: "289515470" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { + name: "dmrh_set_app_restrictions" + namespace: "enterprise" + description: "Allow DMRH to set application restrictions (both on the profile and the parent)" + bug: "328758346" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { + name: "allow_screen_brightness_control_on_cope" + namespace: "enterprise" + description: "Allow COPE admin to control screen brightness and timeout." + bug: "323894620" +} + +flag { name: "always_persist_do" namespace: "enterprise" description: "Always write device_owners2.xml so that migration flags aren't lost" 
@@ -227,6 +270,16 @@ flag { } flag { + name: "headless_device_owner_delegate_security_logging_bug_fix" + namespace: "enterprise" + description: "Fix delegate security logging for single user headless DO." + bug: "289515470" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { name: "headless_single_user_bad_device_admin_state_fix" namespace: "enterprise" description: "Fix the bad state in DPMS caused by an earlier bug related to the headless single user change" @@ -247,6 +300,16 @@ flag { } flag { + name: "delete_private_space_under_restriction" + namespace: "enterprise" + description: "Delete private space if user restriction is set" + bug: "328758346" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { name: "unmanaged_mode_migration" namespace: "enterprise" description: "Migrate APIs for unmanaged mode" @@ -257,6 +320,16 @@ flag { } flag { + name: "headless_single_user_fixes" + namespace: "enterprise" + description: "Various fixes for headless single user mode" + bug: "289515470" + metadata { + purpose: PURPOSE_BUGFIX + } +} + +flag { name: "backup_connected_apps_settings" namespace: "enterprise" description: "backup and restore connected work and personal apps user settings across devices" diff --git a/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt b/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt index 15c5e2485a45..fabc357c2a68 100644 --- a/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt +++ b/packages/SystemUI/multivalentTests/src/com/android/keyguard/KeyguardSecurityContainerControllerTest.kt 
@@ -18,8 +18,10 @@ package com.android.keyguard import android.app.admin.DevicePolicyManager +import android.app.admin.flags.Flags as DevicePolicyFlags import android.content.res.Configuration import android.media.AudioManager +import android.platform.test.annotations.EnableFlags import android.telephony.TelephonyManager import android.testing.TestableLooper.RunWithLooper import android.testing.TestableResources @@ -938,6 +940,7 @@ class KeyguardSecurityContainerControllerTest : SysuiTestCase() { } @Test + @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES) fun showAlmostAtWipeDialog_calledOnMainUser_setsCorrectUserType() { val mainUserId = 10 @@ -954,6 +957,7 @@ class KeyguardSecurityContainerControllerTest : SysuiTestCase() { } @Test + @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES) fun showAlmostAtWipeDialog_calledOnNonMainUser_setsCorrectUserType() { val secondaryUserId = 10 val mainUserId = 0 diff --git a/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt b/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt index 080b48af2af1..0c5e726e17aa 100644 --- a/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt +++ b/packages/SystemUI/multivalentTests/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractorTest.kt @@ -17,6 +17,8 @@ package com.android.systemui.authentication.domain.interactor import android.app.admin.DevicePolicyManager +import android.app.admin.flags.Flags as DevicePolicyFlags +import android.platform.test.annotations.EnableFlags import androidx.test.ext.junit.runners.AndroidJUnit4 import androidx.test.filters.SmallTest import com.android.internal.widget.LockPatternUtils 
@@ -412,6 +414,7 @@ class AuthenticationInteractorTest : SysuiTestCase() { } @Test + @EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES) fun upcomingWipe() = testScope.runTest { val upcomingWipe by collectLastValue(underTest.upcomingWipe) diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java index 2d28a189f84d..61f9800c351b 100644 --- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java +++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainerController.java @@ -35,6 +35,7 @@ import static com.android.systemui.flags.Flags.LOCKSCREEN_ENABLE_LANDSCAPE; import android.app.ActivityManager; import android.app.admin.DevicePolicyManager; +import android.app.admin.flags.Flags; import android.content.Intent; import android.content.res.ColorStateList; import android.content.res.Configuration; @@ -1139,7 +1140,12 @@ public class KeyguardSecurityContainerController extends ViewController<Keyguard int remainingBeforeWipe, int failedAttempts) { int userType = USER_TYPE_PRIMARY; if (expiringUserId == userId) { - int primaryUser = mainUserId != null ? mainUserId : UserHandle.USER_SYSTEM; + int primaryUser = UserHandle.USER_SYSTEM; + if (Flags.headlessSingleUserFixes()) { + if (mainUserId != null) { + primaryUser = mainUserId; + } + } // TODO: http://b/23522538 if (expiringUserId != primaryUser) { userType = USER_TYPE_SECONDARY_USER; diff --git a/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt b/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt index 3080e1978b2a..fcba425f0956 100644 --- a/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt 
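Review bot: The nested `if (Flags.headlessSingleUserFixes()) { if (mainUserId != null) {` in the `@@ -1139` hunk of KeyguardSecurityContainerController reads more directly as one condition, `if (Flags.headlessSingleUserFixes() && mainUserId != null) { primaryUser = mainUserId; }`. The accompanying test hunks only add `@EnableFlags(DevicePolicyFlags.FLAG_HEADLESS_SINGLE_USER_FIXES)`, so the flag-off fallback to `UserHandle.USER_SYSTEM` is not exercised; a `@DisableFlags` variant of `showAlmostAtWipeDialog_calledOnMainUser_setsCorrectUserType` would pin which user type the wipe warning reports in that state. The enclosing method starts and ends outside the hunk.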
+++ b/packages/SystemUI/src/com/android/systemui/authentication/domain/interactor/AuthenticationInteractor.kt @@ -16,6 +16,7 @@ package com.android.systemui.authentication.domain.interactor +import android.app.admin.flags.Flags import android.os.UserHandle import com.android.internal.widget.LockPatternUtils import com.android.internal.widget.LockPatternView @@ -288,7 +289,12 @@ constructor( private suspend fun getWipeTarget(): WipeTarget { // Check which profile has the strictest policy for failed authentication attempts. val userToBeWiped = repository.getProfileWithMinFailedUnlockAttemptsForWipe() - val primaryUser = selectedUserInteractor.getMainUserId() ?: UserHandle.USER_SYSTEM + val primaryUser = + if (Flags.headlessSingleUserFixes()) { + selectedUserInteractor.getMainUserId() ?: UserHandle.USER_SYSTEM + } else { + UserHandle.USER_SYSTEM + } return when (userToBeWiped) { selectedUserInteractor.getSelectedUserId() -> if (userToBeWiped == primaryUser) { diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java index b982098fefa4..5eec0124a9e3 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java @@ -1325,6 +1325,11 @@ class ActiveAdmin { pw.print("encryptionRequested="); pw.println(encryptionRequested); + if (!Flags.policyEngineMigrationV2Enabled()) { + pw.print("mUsbDataSignaling="); + pw.println(mUsbDataSignalingEnabled); + } + pw.print("disableCallerId="); pw.println(disableCallerId); diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java index 4beb6a8a3480..a08af72586ee 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java 
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java @@ -230,9 +230,11 @@ final class DevicePolicyEngine { synchronized (mLock) { PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId); - if (!handleAdminPolicySizeLimit(localPolicyState, enforcingAdmin, value, - policyDefinition, userId)) { - return; + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + if (!handleAdminPolicySizeLimit(localPolicyState, enforcingAdmin, value, + policyDefinition, userId)) { + return; + } } if (policyDefinition.isNonCoexistablePolicy()) { @@ -352,7 +354,9 @@ final class DevicePolicyEngine { } PolicyState<V> localPolicyState = getLocalPolicyStateLocked(policyDefinition, userId); - decreasePolicySizeForAdmin(localPolicyState, enforcingAdmin); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + decreasePolicySizeForAdmin(localPolicyState, enforcingAdmin); + } if (policyDefinition.isNonCoexistablePolicy()) { setNonCoexistableLocalPolicyLocked(policyDefinition, localPolicyState, @@ -496,9 +500,11 @@ final class DevicePolicyEngine { synchronized (mLock) { PolicyState<V> globalPolicyState = getGlobalPolicyStateLocked(policyDefinition); - if (!handleAdminPolicySizeLimit(globalPolicyState, enforcingAdmin, value, - policyDefinition, UserHandle.USER_ALL)) { - return; + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + if (!handleAdminPolicySizeLimit(globalPolicyState, enforcingAdmin, value, + policyDefinition, UserHandle.USER_ALL)) { + return; + } } // TODO(b/270999567): Move error handling for DISALLOW_CELLULAR_2G into the code // that honors the restriction once there's an API available 
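Review bot: Gating both the increase (`handleAdminPolicySizeLimit`) and the decrease (`decreasePolicySizeForAdmin`) on the live flag value means `mAdminPolicySize` can drift from the stored policies if the flag changes between a set and the matching remove. A policy set while the flag is off is not counted, removing it after the flag is turned on still runs the decrease, and `writeEnforcingAdminSizeInner` (later hunk) persists nothing while the flag is off, so the per-admin totals presumably restart from an empty map once it is re-enabled even though the policies remain. Either case would leave the size limit under-enforced for that admin. Consider recomputing the totals from the loaded policy state when the flag is on at load time, or at least document the assumption beside the first check, e.g. `// Size totals are only valid if the flag has been on since the policies were set.` The same gating appears in the local and global set/remove hunks (`@@ -230`, `@@ -352`, `@@ -496`, `@@ -565`).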
@@ -565,7 +571,9 @@ final class DevicePolicyEngine { synchronized (mLock) { PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition); - decreasePolicySizeForAdmin(policyState, enforcingAdmin); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + decreasePolicySizeForAdmin(policyState, enforcingAdmin); + } boolean policyChanged = policyState.removePolicy(enforcingAdmin); @@ -1731,23 +1739,25 @@ final class DevicePolicyEngine { pw.println(); } pw.decreaseIndent(); - pw.println(); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + pw.println(); - pw.println("Default admin policy size limit: " + DEFAULT_POLICY_SIZE_LIMIT); - pw.println("Current admin policy size limit: " + mPolicySizeLimit); - pw.println("Admin Policies size: "); - for (int i = 0; i < mAdminPolicySize.size(); i++) { - int userId = mAdminPolicySize.keyAt(i); - pw.printf("User %d:\n", userId); - pw.increaseIndent(); - for (EnforcingAdmin admin : mAdminPolicySize.get(userId).keySet()) { - pw.printf("Admin : " + admin + " : " + mAdminPolicySize.get(userId).get( - admin)); - pw.println(); + pw.println("Default admin policy size limit: " + DEFAULT_POLICY_SIZE_LIMIT); + pw.println("Current admin policy size limit: " + mPolicySizeLimit); + pw.println("Admin Policies size: "); + for (int i = 0; i < mAdminPolicySize.size(); i++) { + int userId = mAdminPolicySize.keyAt(i); + pw.printf("User %d:\n", userId); + pw.increaseIndent(); + for (EnforcingAdmin admin : mAdminPolicySize.get(userId).keySet()) { + pw.printf("Admin : " + admin + " : " + mAdminPolicySize.get(userId).get( + admin)); + pw.println(); + } + pw.decreaseIndent(); } pw.decreaseIndent(); } - pw.decreaseIndent(); } } 
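Review bot: In the dump hunk (`@@ -1731`), `pw.printf("Admin : " + admin + " : " + ...)` passes a concatenated string as the format string, so any `%` in the string form of `EnforcingAdmin` would be parsed as a format specifier and could throw while the dump is being written. Since the line is being re-indented anyway, print it as data: `pw.println("Admin : " + admin + " : " + mAdminPolicySize.get(userId).get(admin));`, which also makes the bare `pw.println();` that follows unnecessary. The dump method starts outside the hunk.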
@@ -2008,21 +2018,23 @@ final class DevicePolicyEngine { private void writeEnforcingAdminSizeInner(TypedXmlSerializer serializer) throws IOException { - if (mAdminPolicySize != null) { - for (int i = 0; i < mAdminPolicySize.size(); i++) { - int userId = mAdminPolicySize.keyAt(i); - for (EnforcingAdmin admin : mAdminPolicySize.get( - userId).keySet()) { - serializer.startTag(/* namespace= */ null, - TAG_ENFORCING_ADMIN_AND_SIZE); - serializer.startTag(/* namespace= */ null, TAG_ENFORCING_ADMIN); - admin.saveToXml(serializer); - serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN); - serializer.startTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE); - serializer.attributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE, - mAdminPolicySize.get(userId).get(admin)); - serializer.endTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE); - serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN_AND_SIZE); + if (Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + if (mAdminPolicySize != null) { + for (int i = 0; i < mAdminPolicySize.size(); i++) { + int userId = mAdminPolicySize.keyAt(i); + for (EnforcingAdmin admin : mAdminPolicySize.get( + userId).keySet()) { + serializer.startTag(/* namespace= */ null, + TAG_ENFORCING_ADMIN_AND_SIZE); + serializer.startTag(/* namespace= */ null, TAG_ENFORCING_ADMIN); + admin.saveToXml(serializer); + serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN); + serializer.startTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE); + serializer.attributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE, + mAdminPolicySize.get(userId).get(admin)); + serializer.endTag(/* namespace= */ null, TAG_POLICY_SUM_SIZE); + serializer.endTag(/* namespace= */ null, TAG_ENFORCING_ADMIN_AND_SIZE); + } } } } 
@@ -2030,6 +2042,9 @@ final class DevicePolicyEngine { private void writeMaxPolicySizeInner(TypedXmlSerializer serializer) throws IOException { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return; + } serializer.startTag(/* namespace= */ null, TAG_MAX_POLICY_SIZE_LIMIT); serializer.attributeInt( /* namespace= */ null, ATTR_POLICY_SUM_SIZE, mPolicySizeLimit); @@ -2177,6 +2192,9 @@ final class DevicePolicyEngine { private void readMaxPolicySizeInner(TypedXmlPullParser parser) throws XmlPullParserException, IOException { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return; + } mPolicySizeLimit = parser.getAttributeInt(/* namespace= */ null, ATTR_POLICY_SUM_SIZE); } } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 470025a67dee..886ae7ad7e50 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -1328,7 +1328,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Bundle prevRestrictions) { resetCrossProfileIntentFiltersIfNeeded(userId, newRestrictions, prevRestrictions); resetUserVpnIfNeeded(userId, newRestrictions, prevRestrictions); - removePrivateSpaceIfRestrictionIsSet(userId, newRestrictions, prevRestrictions); + if (Flags.deletePrivateSpaceUnderRestriction()) { + removePrivateSpaceIfRestrictionIsSet(userId, newRestrictions, prevRestrictions); + } } private void resetUserVpnIfNeeded( 
@@ -3693,6 +3695,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } revertTransferOwnershipIfNecessaryLocked(); + if (!Flags.policyEngineMigrationV2Enabled()) { + updateUsbDataSignal(mContext, isUsbDataSignalingEnabledInternalLocked()); + } } // Check whether work apps were paused via suspension and unsuspend if necessary. @@ -7151,7 +7156,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // If there is a profile owner, redirect to that; otherwise query the device owner. ComponentName aliasChooser = getProfileOwnerAsUser(caller.getUserId()); - boolean isDoUser = caller.getUserId() == getDeviceOwnerUserId(); + boolean isDoUser = Flags.headlessSingleUserFixes() + ? caller.getUserId() == getDeviceOwnerUserId() + : caller.getUserHandle().isSystem(); if (aliasChooser == null && isDoUser) { synchronized (getLockObject()) { final ActiveAdmin deviceOwnerAdmin = getDeviceOwnerAdminLocked(); @@ -8161,7 +8168,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // First check whether the admin is allowed to wipe the device/user/profile. final String restriction; boolean shouldFactoryReset = userId == UserHandle.USER_SYSTEM; - if (getHeadlessDeviceOwnerModeForDeviceOwner() + if (Flags.headlessSingleUserFixes() && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) { shouldFactoryReset = userId == getMainUserId(); } @@ -8185,7 +8192,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { adminPackage, userId)) { // Legacy mode - wipeDevice = getHeadlessDeviceOwnerModeForDeviceOwner() + wipeDevice = Flags.headlessSingleUserFixes() + && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER ? isMainUser : isSystemUser; } else { // Explicit behaviour 
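Review bot: The `wipeDevice` assignment in the hunk at -8185 now mixes `&&`, `==` and `?:` without parentheses, so the reader has to work out that the flag and the mode test together form the condition and that `isMainUser`/`isSystemUser` are the two results. Judging by its name this value decides whether the whole device is wiped, so I would make the grouping explicit: `wipeDevice = (Flags.headlessSingleUserFixes() && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) ? isMainUser : isSystemUser;`. The `shouldFactoryReset` guard in the hunk at -8161 has the same `&&`/`==` mix and would benefit from a one-line comment such as `// Flag off: only the system user triggers a factory reset.`. Both methods start outside the hunks.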
@@ -9369,7 +9377,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { void sendDeviceOwnerOrProfileOwnerCommand(String action, Bundle extras, int userId) { if (userId == UserHandle.USER_ALL) { - if (getHeadlessDeviceOwnerModeForDeviceOwner() + if (Flags.headlessDeviceOwnerDelegateSecurityLoggingBugFix() + && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) { userId = mOwners.getDeviceOwnerUserId(); } else { @@ -11855,7 +11864,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } setBackwardsCompatibleAppRestrictions( caller, packageName, restrictions, caller.getUserHandle()); - } else { + } else if (Flags.dmrhSetAppRestrictions()) { final boolean isRoleHolder; if (who != null) { // DO or PO @@ -11902,6 +11911,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { caller.getUserHandle()); }); } + } else { + Preconditions.checkCallAuthorization((caller.hasAdminComponent() + && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) + || (caller.hasPackage() && isCallerDelegate(caller, + DELEGATION_APP_RESTRICTIONS))); + mInjector.binderWithCleanCallingIdentity(() -> { + mUserManager.setApplicationRestrictions(packageName, restrictions, + caller.getUserHandle()); + }); } DevicePolicyEventLogger @@ -12434,6 +12452,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } if (packageList != null) { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + for (String pkg : packageList) { + PolicySizeVerifier.enforceMaxPackageNameLength(pkg); + } + } + List<InputMethodInfo> enabledImes = mInjector.binderWithCleanCallingIdentity(() -> InputMethodManagerInternal.get().getEnabledInputMethodListAsUser(userId)); if (enabledImes != null) { 
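Review bot: The authorization expression in the new `else` branch of the hunk at -11902 is repeated character for character in the flag-off branch of the getter hunk at -13275, so any later change to who may manage app restrictions has to be made in two places. A private boolean helper (for example `isAppRestrictionsManager(caller)`, name is only a suggestion) passed to `Preconditions.checkCallAuthorization` from both branches keeps them in step. A comment such as `// Legacy path (dmrhSetAppRestrictions off): DO/PO or app-restrictions delegate only.` would make the branch's purpose clear. The enclosing method starts outside the hunk.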
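Review bot: In the hunk at -12434, `PolicySizeVerifier.enforceMaxPackageNameLength(pkg)` runs only when `devicePolicySizeTrackingInternalBugFixEnabled()` is off, so with the flag on the names in `packageList` are bounded only if this setter's value actually reaches `handleAdminPolicySizeLimit` in `DevicePolicyEngine`; the storage path is outside the hunk. If any part of the value is still kept outside the engine, the per-string check should stay unconditional, since it is the only visible bound on what an admin can persist here. The same question applies to the `accountType` check at -14283 and the `setLockTaskPackages` loop at -14893. In the latter, `Objects.requireNonNull(packages, ...)` does not cover null elements, so it is worth confirming how `enforceMaxPackageNameLength` treats a null entry.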
@@ -13232,7 +13256,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return Bundle.EMPTY; } return policies.get(enforcingAdmin).getValue(); - } else { + } else if (Flags.dmrhSetAppRestrictions()) { final boolean isRoleHolder; if (who != null) { // Caller is DO or PO. They cannot call this on parent @@ -13275,6 +13299,19 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return bundle != null ? bundle : Bundle.EMPTY; }); } + + } else { + Preconditions.checkCallAuthorization((caller.hasAdminComponent() + && (isProfileOwner(caller) || isDefaultDeviceOwner(caller))) + || (caller.hasPackage() && isCallerDelegate(caller, + DELEGATION_APP_RESTRICTIONS))); + return mInjector.binderWithCleanCallingIdentity(() -> { + Bundle bundle = mUserManager.getApplicationRestrictions(packageName, + caller.getUserHandle()); + // if no restrictions were saved, mUserManager.getApplicationRestrictions + // returns null, but DPM method should return an empty Bundle as per JavaDoc + return bundle != null ? bundle : Bundle.EMPTY; + }); } } @@ -14283,6 +14320,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return; } + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + PolicySizeVerifier.enforceMaxStringLength(accountType, "account type"); + } + CallerIdentity caller = getCallerIdentity(who, callerPackageName); synchronized (getLockObject()) { int affectedUser = getAffectedUser(parent); 
@@ -14893,6 +14934,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { public void setLockTaskPackages(ComponentName who, String callerPackageName, String[] packages) throws SecurityException { Objects.requireNonNull(packages, "packages is null"); + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + for (String pkg : packages) { + PolicySizeVerifier.enforceMaxPackageNameLength(pkg); + } + } CallerIdentity caller = getCallerIdentity(who, callerPackageName); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_LOCK_TASK_PACKAGES); @@ -15173,7 +15219,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization( isProfileOwner(caller) || isDefaultDeviceOwner(caller)); - if (parent) { + if (Flags.allowScreenBrightnessControlOnCope() && parent) { Preconditions.checkCallAuthorization(isProfileOwnerOfOrganizationOwnedDevice(caller)); } checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_SYSTEM_SETTING); @@ -15184,7 +15230,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { "Permission denial: device owners cannot update %1$s", setting)); } int affectedUser; - if (parent) { + if (Flags.allowScreenBrightnessControlOnCope() && parent) { affectedUser = getProfileParentId(caller.getUserId()); } else { affectedUser = caller.getUserId(); 
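Review bot: In the two hunks at -15173 and -15184, a call with `parent == true` while `allowScreenBrightnessControlOnCope()` is off is neither rejected nor redirected: both new conditions `Flags.allowScreenBrightnessControlOnCope() && parent` are false, so the organization-owned check is skipped and `affectedUser` falls back to `caller.getUserId()`. The caller asked for the parent and, as far as these hunks show, the setting is applied to its own user instead with no error. I would fail fast in that state, e.g. `Preconditions.checkArgument(!parent || Flags.allowScreenBrightnessControlOnCope(), "parent is not supported");` ahead of the authorization checks, or add a comment explaining why ignoring `parent` is intended. The method starts and ends outside these hunks.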
@@ -16776,11 +16822,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { mContext.sendBroadcastAsUser(intent, UserHandle.of(userId)); } - final UserHandle user = UserHandle.of(userId); - final String roleHolderPackage = getRoleHolderPackageNameOnUser( - RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId); - if (roleHolderPackage != null) { - broadcastExplicitIntentToPackage(intent, roleHolderPackage, user); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + final UserHandle user = UserHandle.of(userId); + final String roleHolderPackage = getRoleHolderPackageNameOnUser( + RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId); + if (roleHolderPackage != null) { + broadcastExplicitIntentToPackage(intent, roleHolderPackage, user); + } } } }); @@ -16788,10 +16836,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin, String callerPackage) { - CallerIdentity caller = getCallerIdentity(admin, callerPackage); - enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE, - MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(), - caller.getUserId()); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + CallerIdentity caller = getCallerIdentity(admin, callerPackage); + enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE, + MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(), + caller.getUserId()); + } else { + Objects.requireNonNull(admin, "ComponentName is null"); + + final CallerIdentity caller = getCallerIdentity(admin); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller)); + } return mOwners.getSystemUpdateInfo(); } 
@@ -17335,10 +17391,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Nullable ComponentName componentName, @UserIdInt int callingUserId) { synchronized (getLockObject()) { int deviceOwnerUserId = -1; - deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode() - && getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId) - == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED - ? UserHandle.USER_SYSTEM : callingUserId; + if (Flags.headlessDeviceOwnerProvisioningFixEnabled()) { + deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode() + && getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId) + == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED + ? UserHandle.USER_SYSTEM : callingUserId; + } else { + deviceOwnerUserId = mInjector.userManagerIsHeadlessSystemUserMode() + && getHeadlessDeviceOwnerModeForDeviceOwner() + == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED + ? UserHandle.USER_SYSTEM : callingUserId; + } Slogf.i(LOG_TAG, "Calling user %d, device owner will be set on user %d", callingUserId, deviceOwnerUserId); // hasIncompatibleAccountsOrNonAdb doesn't matter since the caller is not adb. @@ -18637,7 +18700,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // Backup service has to be enabled on the main user in order for it to be enabled on // secondary users. - if (isDeviceOwner(caller) && getHeadlessDeviceOwnerModeForDeviceOwner() + if (Flags.headlessSingleUserFixes() && isDeviceOwner(caller) + && getHeadlessDeviceOwnerModeForDeviceOwner() == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER) { toggleBackupServiceActive(UserHandle.USER_SYSTEM, enabled); } 
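Review bot: The two branches added in the hunk at -17335 differ only in which getter supplies the headless mode, and the `-1` initialiser of `deviceOwnerUserId` is overwritten on every path. Selecting the mode first makes the difference visible and leaves one copy of the user choice: `int mode = Flags.headlessDeviceOwnerProvisioningFixEnabled() ? getHeadlessDeviceOwnerModeForDeviceAdmin(componentName, callingUserId) : getHeadlessDeviceOwnerModeForDeviceOwner();` followed by `int deviceOwnerUserId = (mInjector.userManagerIsHeadlessSystemUserMode() && mode == HEADLESS_DEVICE_OWNER_MODE_AFFILIATED) ? UserHandle.USER_SYSTEM : callingUserId;`. This form calls the mode getter even when the device is not in headless system user mode, so keep the current shape if that getter is costly or has side effects. The `isSingleUserMode` hunk at -21977 repeats the pattern.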
@@ -21378,7 +21442,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final CallerIdentity caller = getCallerIdentity(callerPackage); - enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName()); + if (Flags.permissionMigrationForZeroTrustImplEnabled()) { + enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName()); + } else { + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller) + || isCallerDelegate(caller, DELEGATION_CERT_INSTALL)); + } synchronized (getLockObject()) { final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked( caller.getUserId()); @@ -21977,9 +22047,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final long identity = Binder.clearCallingIdentity(); try { boolean isSingleUserMode; - int headlessDeviceOwnerMode = getHeadlessDeviceOwnerModeForDeviceAdmin( - deviceAdmin, caller.getUserId()); - isSingleUserMode = headlessDeviceOwnerMode == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER; + if (Flags.headlessDeviceOwnerProvisioningFixEnabled()) { + int headlessDeviceOwnerMode = getHeadlessDeviceOwnerModeForDeviceAdmin( + deviceAdmin, caller.getUserId()); + isSingleUserMode = + headlessDeviceOwnerMode == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER; + } else { + isSingleUserMode = + getHeadlessDeviceOwnerModeForDeviceOwner() + == HEADLESS_DEVICE_OWNER_MODE_SINGLE_USER; + } if (Flags.headlessSingleMinTargetSdk() && mInjector.userManagerIsHeadlessSystemUserMode() 
@@ -22378,17 +22455,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Objects.requireNonNull(packageName, "Admin package name must be provided"); final CallerIdentity caller = getCallerIdentity(packageName); - synchronized (getLockObject()) { - EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( - /* admin= */ null, MANAGE_DEVICE_POLICY_USB_DATA_SIGNALLING, - caller.getPackageName(), - caller.getUserId()); + if (!Flags.policyEngineMigrationV2Enabled()) { + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), + "USB data signaling can only be controlled by a device owner or " + + "a profile owner on an organization-owned device."); Preconditions.checkState(canUsbDataSignalingBeDisabled(), "USB data signaling cannot be disabled."); - mDevicePolicyEngine.setGlobalPolicy( - PolicyDefinition.USB_DATA_SIGNALING, - enforcingAdmin, - new BooleanPolicyValue(enabled)); + } + + synchronized (getLockObject()) { + if (Flags.policyEngineMigrationV2Enabled()) { + EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( + /* admin= */ null, MANAGE_DEVICE_POLICY_USB_DATA_SIGNALLING, + caller.getPackageName(), + caller.getUserId()); + Preconditions.checkState(canUsbDataSignalingBeDisabled(), + "USB data signaling cannot be disabled."); + mDevicePolicyEngine.setGlobalPolicy( + PolicyDefinition.USB_DATA_SIGNALING, + enforcingAdmin, + new BooleanPolicyValue(enabled)); + } else { + ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId()); + if (admin.mUsbDataSignalingEnabled != enabled) { + admin.mUsbDataSignalingEnabled = enabled; + saveSettingsLocked(caller.getUserId()); + updateUsbDataSignal(mContext, isUsbDataSignalingEnabledInternalLocked()); + } + } } DevicePolicyEventLogger .createEvent(DevicePolicyEnums.SET_USB_DATA_SIGNALING) 
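Review bot: In the flag-off branch inside `synchronized (getLockObject())`, the result of `getProfileOwnerOrDeviceOwnerLocked(caller.getUserId())` is dereferenced without a null check, while the `checkCallAuthorization` that establishes the caller as an owner runs before the lock is taken. If that lookup can return null (its contract is not visible here), an owner removed between the check and the lock becomes a NullPointerException. Guarding with `if (admin != null && admin.mUsbDataSignalingEnabled != enabled) {`, or moving the authorization check under the lock, closes that window. The flag is also read twice in this method; a single `final boolean useEngine = Flags.policyEngineMigrationV2Enabled();` keeps both decisions on the same value. The method's tail is outside the hunk.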
@@ -22410,10 +22505,24 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public boolean isUsbDataSignalingEnabled(String packageName) { final CallerIdentity caller = getCallerIdentity(packageName); - Boolean enabled = mDevicePolicyEngine.getResolvedPolicy( - PolicyDefinition.USB_DATA_SIGNALING, - caller.getUserId()); - return enabled == null || enabled; + if (Flags.policyEngineMigrationV2Enabled()) { + Boolean enabled = mDevicePolicyEngine.getResolvedPolicy( + PolicyDefinition.USB_DATA_SIGNALING, + caller.getUserId()); + return enabled == null || enabled; + } else { + synchronized (getLockObject()) { + // If the caller is an admin, return the policy set by itself. Otherwise + // return the device-wide policy. + if (isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice( + caller)) { + return getProfileOwnerOrDeviceOwnerLocked( + caller.getUserId()).mUsbDataSignalingEnabled; + } else { + return isUsbDataSignalingEnabledInternalLocked(); + } + } + } } private boolean isUsbDataSignalingEnabledInternalLocked() { @@ -24766,6 +24875,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void setMaxPolicyStorageLimit(String callerPackageName, int storageLimit) { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return; + } CallerIdentity caller = getCallerIdentity(callerPackageName); enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, caller.getPackageName(), caller.getUserId()); @@ -24779,6 +24891,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public int getMaxPolicyStorageLimit(String callerPackageName) { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return -1; + } CallerIdentity caller = getCallerIdentity(callerPackageName); enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, caller.getPackageName(), caller.getUserId()); 
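Review bot: The flag guard added to `setMaxPolicyStorageLimit` in the hunk at -24766 returns before `getCallerIdentity` and `enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, ...)`, so with the flag off a caller without the permission gets a silent no-op instead of a SecurityException. Moving `if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { return; }` below the `enforcePermission` call keeps the access check independent of flag state. The same ordering appears in `getMaxPolicyStorageLimit` (-24779), `forceSetMaxPolicyStorageLimit` (-24788) and `getPolicySizeForAdmin` (-24798). The two getters return a bare `-1` in that state, which deserves a named constant or a comment such as `// -1: size tracking disabled`.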
@@ -24788,6 +24903,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public void forceSetMaxPolicyStorageLimit(String callerPackageName, int storageLimit) { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return; + } CallerIdentity caller = getCallerIdentity(callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_STORAGE_LIMIT, caller.getPackageName(), caller.getUserId()); @@ -24798,6 +24916,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { @Override public int getPolicySizeForAdmin( String callerPackageName, android.app.admin.EnforcingAdmin admin) { + if (!Flags.devicePolicySizeTrackingInternalBugFixEnabled()) { + return -1; + } CallerIdentity caller = getCallerIdentity(callerPackageName); enforcePermission(MANAGE_DEVICE_POLICY_STORAGE_LIMIT, caller.getPackageName(), caller.getUserId()); |