3 files changed, 132 insertions, 220 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 2aac94c6f5da..714dc50fb316 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -1942,16 +1942,6 @@ public class DevicePolicyManager { public static final int CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER = 14; /** - * Result code for {@link #checkProvisioningPreCondition}. - * - * <p>Returned for {@link #ACTION_PROVISION_MANAGED_PROFILE} when adding a managed profile is - * disallowed by {@link UserManager#DISALLOW_ADD_MANAGED_PROFILE}. - * - * @hide - */ - public static final int CODE_ADD_MANAGED_PROFILE_DISALLOWED = 15; - - /** * Result codes for {@link #checkProvisioningPreCondition} indicating all the provisioning pre * conditions. * @@ -1963,7 +1953,7 @@ public class DevicePolicyManager { CODE_USER_SETUP_COMPLETED, CODE_NOT_SYSTEM_USER, CODE_HAS_PAIRED, CODE_MANAGED_USERS_NOT_SUPPORTED, CODE_SYSTEM_USER, CODE_CANNOT_ADD_MANAGED_PROFILE, CODE_NOT_SYSTEM_USER_SPLIT, CODE_DEVICE_ADMIN_NOT_SUPPORTED, - CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER, CODE_ADD_MANAGED_PROFILE_DISALLOWED + CODE_SPLIT_SYSTEM_USER_DEVICE_SYSTEM_USER }) public @interface ProvisioningPreCondition {} diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 2a08f5c2de12..bc4604ef5ad0 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java 
@@ -23,7 +23,6 @@ import static android.app.ActivityManager.LOCK_TASK_MODE_NONE; import static android.app.admin.DeviceAdminReceiver.EXTRA_TRANSFER_OWNERSHIP_ADMIN_EXTRAS_BUNDLE; import static android.app.admin.DevicePolicyManager.ACTION_PROVISION_MANAGED_USER; import static android.app.admin.DevicePolicyManager.CODE_ACCOUNTS_NOT_EMPTY; -import static android.app.admin.DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED; import static android.app.admin.DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE; import static android.app.admin.DevicePolicyManager.CODE_DEVICE_ADMIN_NOT_SUPPORTED; import static android.app.admin.DevicePolicyManager.CODE_HAS_DEVICE_OWNER; @@ -4099,6 +4098,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_USER, userHandle)) { mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, userHandle); } + // When a device owner is set, the system automatically restricts adding a managed profile. + // Remove this restriction when the device owner is cleared. + if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, userHandle)) { + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, false, + userHandle); + } } /** 
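Review bot: The added block in the @@ -4099 hunk clears DISALLOW_ADD_MANAGED_PROFILE whenever it is present, without checking that it was the restriction applied automatically when the device owner was set. If the restriction was already in place for another reason before provisioning (not visible from this hunk), clearing the device owner would silently re-enable managed-profile creation. Stating the assumption next to the code would make the fail-open case explicit, for example `// Assumes this restriction is only ever set by the device-owner setup path; revisit if another component sets it.` The enclosing method starts outside the hunk.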
@@ -7976,10 +7981,19 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { updateDeviceOwnerLocked(); setDeviceOwnerSystemPropertyLocked(); - // TODO Send to system too? - mInjector.binderWithCleanCallingIdentity( - () -> sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, - userId)); + mInjector.binderWithCleanCallingIdentity(() -> { + // Restrict adding a managed profile when a device owner is set on the device. + // That is to prevent the co-existence of a managed profile and a device owner + // on the same device. + // Instead, the device may be provisioned with an organization-owned managed + // profile, such that the admin on that managed profile has extended management + // capabilities that can affect the entire device (but not access private data + // on the primary profile). + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, true, + UserHandle.of(userId)); + // TODO Send to system too? + sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED, userId); + }); mDeviceAdminServiceController.startServiceForOwner( admin.getPackageName(), userId, "set-device-owner"); 
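Review bot: The restriction is applied only at the moment a device owner is set, so a device that already has a device owner when this change lands would, as far as this commit shows, never receive DISALLOW_ADD_MANAGED_PROFILE. The new guards in the @@ -8234 hunk (profile owner) and the @@ -12293 hunk (provisioning pre-condition) both key on the restriction rather than on the device-owner state, so they would pass in that situation; the `Slog.wtf` in the latter suggests the gap is known. Consider also applying the restriction when existing owner state is loaded, or having the guards consult the device-owner state directly. The enclosing method starts and ends outside the hunk.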
@@ -8234,6 +8248,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { throw new IllegalArgumentException("Not active admin: " + who); } + UserInfo parentUser = mUserManager.getProfileParent(userHandle); + // When trying to set a profile owner on a new user, it may be that this user is + // a profile - but it may not be a managed profile if there's a restriction on the + // parent to add managed profiles (e.g. if the device has a device owner). + if (parentUser != null && mUserManager.hasUserRestriction( + UserManager.DISALLOW_ADD_MANAGED_PROFILE, + UserHandle.of(parentUser.id))) { + Slog.i(LOG_TAG, "Cannot set profile owner because of restriction."); + return false; + } + if (isAdb()) { // Log profile owner provisioning was started using adb. MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER); 
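Review bot: The refusal is logged without saying which user was rejected or which parent carries the restriction, which makes a failed provisioning attempt hard to trace afterwards; something like `Slog.i(LOG_TAG, "Cannot set profile owner on user " + userHandle + ": parent user " + parentUser.id + " has DISALLOW_ADD_MANAGED_PROFILE.");` would do. The new check also returns `false` where the validation just above it throws, so a caller that ignores the return value will not notice the rejection; the method's documentation should mention this outcome. The method body starts and ends outside the hunk.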
@@ -12293,25 +12318,41 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final long ident = mInjector.binderClearCallingIdentity(); try { final UserHandle callingUserHandle = UserHandle.of(callingUserId); - final ComponentName ownerAdmin = getOwnerComponent(packageName, callingUserId); - if (mUserManager.hasUserRestriction(UserManager.DISALLOW_ADD_MANAGED_PROFILE, - callingUserHandle)) { - // An admin can initiate provisioning if it has set the restriction. - if (ownerAdmin == null || isAdminAffectedByRestriction(ownerAdmin, - UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserId)) { - return CODE_ADD_MANAGED_PROFILE_DISALLOWED; - } - } - boolean canRemoveProfile = true; - if (mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, - callingUserHandle)) { - // We can remove a profile if the admin itself has set the restriction. - if (ownerAdmin == null || isAdminAffectedByRestriction(ownerAdmin, - UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, - callingUserId)) { - canRemoveProfile = false; - } + final boolean hasDeviceOwner; + synchronized (getLockObject()) { + hasDeviceOwner = getDeviceOwnerAdminLocked() != null; + } + + final boolean addingProfileRestricted = mUserManager.hasUserRestriction( + UserManager.DISALLOW_ADD_MANAGED_PROFILE, callingUserHandle); + + UserInfo parentUser = mUserManager.getProfileParent(callingUserId); + final boolean addingProfileRestrictedOnParent = (parentUser != null) + && mUserManager.hasUserRestriction( + UserManager.DISALLOW_ADD_MANAGED_PROFILE, + UserHandle.of(parentUser.id)); + + Slog.i(LOG_TAG, String.format( + "When checking for managed profile provisioning: Has device owner? %b, adding" + + " profile restricted? %b, adding profile restricted on parent? %b", + hasDeviceOwner, addingProfileRestricted, addingProfileRestrictedOnParent)); + + // If there's a device owner, the restriction on adding a managed profile must be set + // somewhere. 
+ if (hasDeviceOwner && !addingProfileRestricted && !addingProfileRestrictedOnParent) { + Slog.wtf(LOG_TAG, "Has a device owner but no restriction on adding a profile."); + } + + // Do not allow adding a managed profile if there's a restriction, either on the current + // user or its parent user. + if (addingProfileRestricted || addingProfileRestrictedOnParent) { + return CODE_CANNOT_ADD_MANAGED_PROFILE; } + // If there's a restriction on removing the managed profile then we have to take it + // into account when checking whether more profiles can be added. + boolean canRemoveProfile = + !mUserManager.hasUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, + callingUserHandle); if (!mUserManager.canAddMoreManagedProfiles(callingUserId, canRemoveProfile)) { return CODE_CANNOT_ADD_MANAGED_PROFILE; } diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java index 175c7565a005..354367465606 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java @@ -32,6 +32,7 @@ import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChang import static com.android.server.testutils.TestUtils.assertExpectException; import static org.mockito.Matchers.any; +import static org.mockito.Matchers.anyBoolean; import static org.mockito.Matchers.anyInt; import static org.mockito.Matchers.anyLong; import static org.mockito.Matchers.anyObject; 
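Review bot: The invariant check in the @@ -12293 hunk only logs: when a device owner exists but neither the calling user nor its parent carries DISALLOW_ADD_MANAGED_PROFILE, `Slog.wtf` fires and the method then continues to the `canAddMoreManagedProfiles` check, so provisioning can still be reported as possible. If a device owner and a managed profile must never coexist, failing closed is safer, e.g. `if (hasDeviceOwner || addingProfileRestricted || addingProfileRestrictedOnParent) { return CODE_CANNOT_ADD_MANAGED_PROFILE; }`. Note that `hasDeviceOwner` is device-wide while the restriction is looked up per user, so whether the stricter form is correct for secondary users needs confirming. The method starts and ends outside the hunk.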
@@ -272,6 +273,29 @@ public class DevicePolicyManagerTest extends DpmTestBase { }).when(getServices().userManager).getApplicationRestrictions( anyString(), any(UserHandle.class)); + // Emulate UserManager.setUserRestriction/getUserRestrictions + final Map<UserHandle, Bundle> userRestrictions = new HashMap<>(); + + doAnswer((Answer<Void>) invocation -> { + String key = (String) invocation.getArguments()[0]; + boolean value = (Boolean) invocation.getArguments()[1]; + UserHandle user = (UserHandle) invocation.getArguments()[2]; + Bundle userBundle = userRestrictions.getOrDefault(user, new Bundle()); + userBundle.putBoolean(key, value); + + userRestrictions.put(user, userBundle); + return null; + }).when(getServices().userManager).setUserRestriction( + anyString(), anyBoolean(), any(UserHandle.class)); + + doAnswer((Answer<Boolean>) invocation -> { + String key = (String) invocation.getArguments()[0]; + UserHandle user = (UserHandle) invocation.getArguments()[1]; + Bundle userBundle = userRestrictions.getOrDefault(user, new Bundle()); + return userBundle.getBoolean(key); + }).when(getServices().userManager).hasUserRestriction( + anyString(), any(UserHandle.class)); + // Add the first secondary user. getServices().addUser(DpmMockContext.CALLER_USER_HANDLE, 0, UserManager.USER_TYPE_FULL_SECONDARY); @@ -819,10 +843,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, DpmMockContext.SYSTEM_UID); - // Setup device owner. mContext.binder.callingUid = DpmMockContext.SYSTEM_UID; mContext.packageName = admin1.getPackageName(); - setupDeviceOwner(); // Add a managed profile belonging to the system user. addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); 
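Review bot: The comment on the new stubs in the @@ -272 hunk says they emulate `setUserRestriction/getUserRestrictions`, but the second stub is for `hasUserRestriction(String, UserHandle)`; `getUserRestrictions` is not stubbed here. Suggest `// Emulate UserManager.setUserRestriction/hasUserRestriction with an in-memory map keyed by user.` In the setter stub, `userRestrictions.computeIfAbsent(user, u -> new Bundle()).putBoolean(key, value);` would replace the `getOrDefault` plus explicit `put`.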
@@ -830,18 +852,13 @@ public class DevicePolicyManagerTest extends DpmTestBase { // Change the parent user's password. dpm.reportPasswordChanged(UserHandle.USER_SYSTEM); - // Both the device owner and the managed profile owner should receive this broadcast. + // The managed profile owner should receive this broadcast. final Intent intent = new Intent(DeviceAdminReceiver.ACTION_PASSWORD_CHANGED); intent.setComponent(admin1); intent.putExtra(Intent.EXTRA_USER, UserHandle.of(UserHandle.USER_SYSTEM)); verify(mContext.spiedContext, times(1)).sendBroadcastAsUser( MockUtils.checkIntent(intent), - MockUtils.checkUserHandle(UserHandle.USER_SYSTEM), - eq(null), - any(Bundle.class)); - verify(mContext.spiedContext, times(1)).sendBroadcastAsUser( - MockUtils.checkIntent(intent), MockUtils.checkUserHandle(MANAGED_PROFILE_USER_ID), eq(null), any(Bundle.class)); @@ -861,12 +878,11 @@ public class DevicePolicyManagerTest extends DpmTestBase { final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, DpmMockContext.SYSTEM_UID); - // Setup device owner. + // Configure system as having separate profile challenge. mContext.binder.callingUid = DpmMockContext.SYSTEM_UID; mContext.packageName = admin1.getPackageName(); doReturn(true).when(getServices().lockPatternUtils) .isSeparateProfileChallengeEnabled(MANAGED_PROFILE_USER_ID); - setupDeviceOwner(); // Add a managed profile belonging to the system user. addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); 
@@ -951,6 +967,10 @@ public class DevicePolicyManagerTest extends DpmTestBase { verify(getServices().iactivityManager, times(1)).updateDeviceOwner( eq(admin1.getPackageName())); + verify(getServices().userManager, times(1)).setUserRestriction( + eq(UserManager.DISALLOW_ADD_MANAGED_PROFILE), + eq(true), eq(UserHandle.SYSTEM)); + verify(mContext.spiedContext, times(1)).sendBroadcastAsUser( MockUtils.checkIntentAction(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED), MockUtils.checkUserHandle(UserHandle.USER_SYSTEM)); @@ -2002,12 +2022,11 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertNoDeviceOwnerRestrictions(); - // Initialize DPMS again and check that the user restriction wasn't enabled again. reset(getServices().userManagerInternal); - initializeDpms(); - assertTrue(dpm.isDeviceOwnerApp(admin1.getPackageName())); - assertNotNull(dpms.getDeviceOwnerAdminLocked()); + // Ensure the DISALLOW_REMOVE_MANAGED_PROFILES restriction doesn't show up as a + // restriction to the device owner. + dpm.addUserRestriction(admin1, UserManager.DISALLOW_REMOVE_MANAGED_PROFILE); assertNoDeviceOwnerRestrictions(); } @@ -2981,7 +3000,6 @@ public class DevicePolicyManagerTest extends DpmTestBase { setup_nonSplitUser_withDo_primaryUser(); final int MANAGED_PROFILE_USER_ID = 18; final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, 1308); - addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, false /* we can't remove a managed profile */)).thenReturn(false); when(getServices().userManager.canAddMoreManagedProfiles(UserHandle.USER_SYSTEM, 
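Review bot: The @@ -2002 hunk drops the visible check that re-initialising the service leaves the device-owner restrictions unchanged (`initializeDpms()` followed by `assertNoDeviceOwnerRestrictions()`), in the same commit where the service starts setting a restriction automatically. A test that re-initialises with a device owner present and asserts the state of DISALLOW_ADD_MANAGED_PROFILE would cover the restart path. The new comment also names `DISALLOW_REMOVE_MANAGED_PROFILES`, while the constant used on the following line is `DISALLOW_REMOVE_MANAGED_PROFILE`. The test method starts outside the hunk.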
@@ -3026,41 +3044,16 @@ public class DevicePolicyManagerTest extends DpmTestBase { DevicePolicyManager.CODE_HAS_DEVICE_OWNER); assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_DEVICE, false); - // COMP mode is allowed. + // COMP mode NOT is allowed. assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); + assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false); - // And other DPCs can also provision a managed profile (DO + BYOD case). + // And other DPCs can NOT provision a managed profile. assertCheckProvisioningPreCondition( DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, DpmMockContext.ANOTHER_PACKAGE_NAME, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true, - DpmMockContext.ANOTHER_PACKAGE_NAME, DpmMockContext.ANOTHER_UID); - } - - public void testProvisioning_nonSplitUser_withDo_primaryUser_restrictedByDo() throws Exception { - setup_nonSplitUser_withDo_primaryUser(); - mContext.packageName = admin1.getPackageName(); - mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS); - // The DO should be allowed to initiate provisioning if it set the restriction itself, but - // other packages should be forbidden. 
- when(getServices().userManager.hasUserRestriction( - eq(UserManager.DISALLOW_ADD_MANAGED_PROFILE), - eq(UserHandle.getUserHandleForUid(mContext.binder.callingUid)))) - .thenReturn(true); - when(getServices().userManager.getUserRestrictionSource( - eq(UserManager.DISALLOW_ADD_MANAGED_PROFILE), - eq(UserHandle.getUserHandleForUid(mContext.binder.callingUid)))) - .thenReturn(UserManager.RESTRICTION_SOURCE_DEVICE_OWNER); - assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true); - assertCheckProvisioningPreCondition( - DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DpmMockContext.ANOTHER_PACKAGE_NAME, - DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false, DpmMockContext.ANOTHER_PACKAGE_NAME, DpmMockContext.ANOTHER_UID); } 
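Review bot: The updated comment reads `// COMP mode NOT is allowed.`; it should be `// COMP mode is NOT allowed.`, which is the wording the @@ -3349 hunk uses for the same case. No change to the assertions is needed.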
@@ -3081,31 +3074,46 @@ public class DevicePolicyManagerTest extends DpmTestBase { eq(UserHandle.getUserHandleForUid(mContext.binder.callingUid)))) .thenReturn(UserManager.RESTRICTION_SOURCE_SYSTEM); assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false); assertCheckProvisioningPreCondition( DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, DpmMockContext.ANOTHER_PACKAGE_NAME, - DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false, DpmMockContext.ANOTHER_PACKAGE_NAME, DpmMockContext.ANOTHER_UID); } - public void testCheckProvisioningPreCondition_nonSplitUser_comp() throws Exception { + public void testCheckCannotSetProfileOwnerWithDeviceOwner() throws Exception { + setup_nonSplitUser_withDo_primaryUser(); + final int managedProfileUserId = 18; + final int managedProfileAdminUid = UserHandle.getUid(managedProfileUserId, 1308); + + final int userId = UserHandle.getUserId(managedProfileAdminUid); + getServices().addUser(userId, 0, UserManager.USER_TYPE_PROFILE_MANAGED, + UserHandle.USER_SYSTEM); + mContext.callerPermissions.addAll(OWNER_SETUP_PERMISSIONS); + setUpPackageManagerForFakeAdmin(admin1, managedProfileAdminUid, admin1); + dpm.setActiveAdmin(admin1, false, userId); + assertFalse(dpm.setProfileOwner(admin1, null, userId)); + mContext.callerPermissions.removeAll(OWNER_SETUP_PERMISSIONS); + } + + public void testCheckProvisioningPreCondition_nonSplitUser_attemptingComp() throws Exception { setup_nonSplitUser_withDo_primaryUser_ManagedProfile(); mContext.packageName = admin1.getPackageName(); mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS); // We can 
delete the managed profile to create a new one, so provisioning is allowed. assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); + assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false); assertCheckProvisioningPreCondition( DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, DpmMockContext.ANOTHER_PACKAGE_NAME, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true, + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); + assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false, DpmMockContext.ANOTHER_PACKAGE_NAME, DpmMockContext.ANOTHER_UID); } @@ -3133,8 +3141,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { // But the device owner can still do it because it has set the restriction itself. assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_OK); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); + assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false); } private void setup_splitUser_firstBoot_systemUser() throws Exception { 
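Review bot: Two comments kept as context now contradict the assertions below them. In the @@ -3081 hunk, `// We can delete the managed profile to create a new one, so provisioning is allowed.` precedes an expected `CODE_CANNOT_ADD_MANAGED_PROFILE`, and in the @@ -3133 hunk `// But the device owner can still do it because it has set the restriction itself.` precedes `assertProvisioningAllowed(..., false)`. Suggest `// With a device owner present, a managed profile cannot be provisioned, even by the owner's own package.` for the first and an equivalent rewording for the second. The new testCheckCannotSetProfileOwnerWithDeviceOwner asserts only the `false` return value; also asserting that no profile owner was recorded for the user would pin the side effect.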
@@ -3329,6 +3337,8 @@ public class DevicePolicyManagerTest extends DpmTestBase { when(getServices().ipackageManager.hasSystemFeature(PackageManager.FEATURE_MANAGED_USERS, 0)) .thenReturn(true); when(getServices().userManagerForMock.isSplitSystemUser()).thenReturn(true); + when(getServices().userManager.getProfileParent(DpmMockContext.CALLER_USER_HANDLE)) + .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0)); when(getServices().userManager.canAddMoreManagedProfiles(DpmMockContext.CALLER_USER_HANDLE, true)).thenReturn(true); setUserSetupCompleteForUser(false, DpmMockContext.CALLER_USER_HANDLE); @@ -3341,7 +3351,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { setup_provisionManagedProfileWithDeviceOwner_primaryUser(); setUpPackageManagerForAdmin(admin1, mContext.binder.callingUid); mContext.packageName = admin1.getPackageName(); - assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, true); + assertProvisioningAllowed(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, false); } public void testCheckProvisioningPreCondition_provisionManagedProfileWithDeviceOwner_primaryUser() @@ -3349,9 +3359,9 @@ public class DevicePolicyManagerTest extends DpmTestBase { setup_provisionManagedProfileWithDeviceOwner_primaryUser(); mContext.callerPermissions.add(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS); - // COMP mode is allowed. + // COMP mode is NOT allowed. assertCheckProvisioningPreCondition(DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE, - DevicePolicyManager.CODE_OK); + DevicePolicyManager.CODE_CANNOT_ADD_MANAGED_PROFILE); } private void setup_provisionManagedProfileCantRemoveUser_primaryUser() throws Exception { 
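Review bot: The added `getProfileParent(DpmMockContext.CALLER_USER_HANDLE)` stub in the @@ -3329 hunk gives the calling user a parent, and the flipped expectations in the next two hunks appear to depend on that parent-restriction path. Elsewhere in this test file the same user is added with `UserManager.USER_TYPE_FULL_SECONDARY`, so a calling user with no parent on a device whose owner sits on another user is not exercised by the visible tests. Adding that case, or a comment such as `// Model the caller as a profile of the system user so the parent's restriction applies.`, would make the intent clear. The setup method starts outside the hunk.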
@@ -3868,11 +3878,6 @@ public class DevicePolicyManagerTest extends DpmTestBase { List<UserHandle> targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); MoreAsserts.assertEmpty(targetUsers); - // Setup a managed profile managed by the same admin. - final int MANAGED_PROFILE_USER_ID = 15; - final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, 20456); - addManagedProfile(admin1, MANAGED_PROFILE_ADMIN_UID, admin1); - // Add a secondary user, it should never talk with. final int ANOTHER_USER_ID = 36; getServices().addUser(ANOTHER_USER_ID, 0, UserManager.USER_TYPE_FULL_SECONDARY); 
@@ -3882,30 +3887,11 @@ public class DevicePolicyManagerTest extends DpmTestBase { targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); MoreAsserts.assertEmpty(targetUsers); - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); - MoreAsserts.assertEmpty(targetUsers); - // Setting affiliation ids final Set<String> userAffiliationIds = Collections.singleton("some.affiliation-id"); mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; dpm.setAffiliationIds(admin1, userAffiliationIds); - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - dpm.setAffiliationIds(admin1, userAffiliationIds); - - // Calling from device owner admin, the result list should just contain the managed - // profile user id. - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); - MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.of(MANAGED_PROFILE_USER_ID)); - - // Calling from managed profile admin, the result list should just contain the system - // user id. - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); - MoreAsserts.assertContentsInAnyOrder(targetUsers, UserHandle.SYSTEM); - // Changing affiliation ids in one dpm.setAffiliationIds(admin1, Collections.singleton("some-different-affiliation-id")); 
@@ -3919,38 +3905,6 @@ public class DevicePolicyManagerTest extends DpmTestBase { MoreAsserts.assertEmpty(targetUsers); } - public void testGetBindDeviceAdminTargetUsers_differentPackage() throws Exception { - // Setup a device owner. - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - setupDeviceOwner(); - - // Set up a managed profile managed by different package. - final int MANAGED_PROFILE_USER_ID = 15; - final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, 20456); - final ComponentName adminDifferentPackage = - new ComponentName("another.package", "whatever.class"); - addManagedProfile(adminDifferentPackage, MANAGED_PROFILE_ADMIN_UID, admin2); - - // Setting affiliation ids - final Set<String> userAffiliationIds = Collections.singleton("some-affiliation-id"); - dpm.setAffiliationIds(admin1, userAffiliationIds); - - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - dpm.setAffiliationIds(adminDifferentPackage, userAffiliationIds); - - // Calling from device owner admin, we should get zero bind device admin target users as - // their packages are different. - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - List<UserHandle> targetUsers = dpm.getBindDeviceAdminTargetUsers(admin1); - MoreAsserts.assertEmpty(targetUsers); - - // Calling from managed profile admin, we should still get zero target users for the same - // reason. - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - targetUsers = dpm.getBindDeviceAdminTargetUsers(adminDifferentPackage); - MoreAsserts.assertEmpty(targetUsers); - } - private void verifyLockTaskState(int userId) throws Exception { verifyLockTaskState(userId, new String[0], DevicePolicyManager.LOCK_TASK_FEATURE_GLOBAL_ACTIONS); 
@@ -3987,79 +3941,6 @@ public class DevicePolicyManagerTest extends DpmTestBase { () -> dpm.setLockTaskFeatures(who, flags)); } - public void testLockTaskPolicyAllowedForAffiliatedUsers() throws Exception { - // Setup a device owner. - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - setupDeviceOwner(); - // Lock task policy is updated when loading user data. - verifyLockTaskState(UserHandle.USER_SYSTEM); - - // Set up a managed profile managed by different package (package name shouldn't matter) - final int MANAGED_PROFILE_USER_ID = 15; - final int MANAGED_PROFILE_ADMIN_UID = UserHandle.getUid(MANAGED_PROFILE_USER_ID, 20456); - final ComponentName adminDifferentPackage = - new ComponentName("another.package", "whatever.class"); - addManagedProfile(adminDifferentPackage, MANAGED_PROFILE_ADMIN_UID, admin2); - verifyLockTaskState(MANAGED_PROFILE_USER_ID); - - // Setup a PO on the secondary user - mContext.binder.callingUid = DpmMockContext.CALLER_UID; - setAsProfileOwner(admin3); - verifyLockTaskState(DpmMockContext.CALLER_USER_HANDLE); - - // The DO can still set lock task packages - final String[] doPackages = {"doPackage1", "doPackage2"}; - final int flags = DevicePolicyManager.LOCK_TASK_FEATURE_NOTIFICATIONS - | DevicePolicyManager.LOCK_TASK_FEATURE_HOME - | DevicePolicyManager.LOCK_TASK_FEATURE_OVERVIEW; - verifyCanSetLockTask(DpmMockContext.CALLER_SYSTEM_USER_UID, UserHandle.USER_SYSTEM, admin1, doPackages, flags); - - final String[] secondaryPoPackages = {"secondaryPoPackage1", "secondaryPoPackage2"}; - final int secondaryPoFlags = DevicePolicyManager.LOCK_TASK_FEATURE_NOTIFICATIONS - | DevicePolicyManager.LOCK_TASK_FEATURE_HOME - | DevicePolicyManager.LOCK_TASK_FEATURE_OVERVIEW; - verifyCanNotSetLockTask(DpmMockContext.CALLER_UID, admin3, secondaryPoPackages, secondaryPoFlags); - - // Managed profile is unaffiliated - shouldn't be able to setLockTaskPackages. 
- mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - final String[] poPackages = {"poPackage1", "poPackage2"}; - final int poFlags = DevicePolicyManager.LOCK_TASK_FEATURE_NOTIFICATIONS - | DevicePolicyManager.LOCK_TASK_FEATURE_HOME - | DevicePolicyManager.LOCK_TASK_FEATURE_OVERVIEW; - verifyCanNotSetLockTask(MANAGED_PROFILE_ADMIN_UID, adminDifferentPackage, poPackages, poFlags); - - // Setting same affiliation ids - final Set<String> userAffiliationIds = Collections.singleton("some-affiliation-id"); - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - dpm.setAffiliationIds(admin1, userAffiliationIds); - - mContext.binder.callingUid = MANAGED_PROFILE_ADMIN_UID; - dpm.setAffiliationIds(adminDifferentPackage, userAffiliationIds); - - // Now the managed profile can set lock task packages. - dpm.setLockTaskPackages(adminDifferentPackage, poPackages); - MoreAsserts.assertEquals(poPackages, dpm.getLockTaskPackages(adminDifferentPackage)); - assertTrue(dpm.isLockTaskPermitted("poPackage1")); - assertFalse(dpm.isLockTaskPermitted("doPackage2")); - // And it can set lock task features. - dpm.setLockTaskFeatures(adminDifferentPackage, poFlags); - verifyLockTaskState(MANAGED_PROFILE_USER_ID, poPackages, poFlags); - - // Unaffiliate the profile, lock task mode no longer available on the profile. - dpm.setAffiliationIds(adminDifferentPackage, Collections.emptySet()); - assertFalse(dpm.isLockTaskPermitted("poPackage1")); - // Lock task packages cleared when loading user data and when the user becomes unaffiliated. 
- verify(getServices().iactivityManager, times(2)).updateLockTaskPackages( - MANAGED_PROFILE_USER_ID, new String[0]); - verify(getServices().iactivityTaskManager, times(2)).updateLockTaskFeatures( - MANAGED_PROFILE_USER_ID, DevicePolicyManager.LOCK_TASK_FEATURE_NONE); - - // Verify that lock task packages were not cleared for the DO - mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; - assertTrue(dpm.isLockTaskPermitted("doPackage1")); - - } - public void testLockTaskPolicyForProfileOwner() throws Exception { // Setup a PO mContext.binder.callingUid = DpmMockContext.CALLER_UID; |