diff options
| -rw-r--r-- | core/java/android/app/supervision/SupervisionManagerInternal.java (renamed from services/supervision/java/com/android/server/supervision/SupervisionManagerInternal.java) | 11 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 92 | ||||
| -rw-r--r-- | services/supervision/java/com/android/server/supervision/SupervisionService.java | 12 | ||||
| -rw-r--r-- | services/supervision/java/com/android/server/supervision/SupervisionUserData.java | 4 | ||||
| -rw-r--r-- | services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceTestable.java | 6 | ||||
| -rw-r--r-- | services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java | 58 | ||||
| -rw-r--r-- | services/tests/servicestests/src/com/android/server/devicepolicy/MockSystemServices.java | 5 | ||||
| -rw-r--r-- | services/tests/servicestests/src/com/android/server/supervision/SupervisionServiceTest.kt | 4 |
8 files changed, 163 insertions, 29 deletions
diff --git a/services/supervision/java/com/android/server/supervision/SupervisionManagerInternal.java b/core/java/android/app/supervision/SupervisionManagerInternal.java index 5df9dd521092..d571e14ff5fa 100644 --- a/services/supervision/java/com/android/server/supervision/SupervisionManagerInternal.java +++ b/core/java/android/app/supervision/SupervisionManagerInternal.java @@ -14,11 +14,11 @@ * limitations under the License. */ -package com.android.server.supervision; +package android.app.supervision; import android.annotation.Nullable; import android.annotation.UserIdInt; -import android.os.Bundle; +import android.os.PersistableBundle; /** * Local system service interface for {@link SupervisionService}. @@ -35,6 +35,11 @@ public abstract class SupervisionManagerInternal { public abstract boolean isSupervisionEnabledForUser(@UserIdInt int userId); /** + * Returns whether the supervision lock screen needs to be shown. + */ + public abstract boolean isSupervisionLockscreenEnabledForUser(@UserIdInt int userId); + + /** * Set whether supervision is enabled for the specified user. * * @param userId The user to set the supervision state for @@ -50,5 +55,5 @@ public abstract class SupervisionManagerInternal { * @param options Optional configuration parameters for the supervision lock screen */ public abstract void setSupervisionLockscreenEnabledForUser( - @UserIdInt int userId, boolean enabled, @Nullable Bundle options); + @UserIdInt int userId, boolean enabled, @Nullable PersistableBundle options); } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 28eec5ca7319..90c3dff86280 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -376,6 +376,7 @@ import android.app.backup.IBackupManager; import android.app.compat.CompatChanges; import android.app.role.OnRoleHoldersChangedListener; import android.app.role.RoleManager; +import android.app.supervision.SupervisionManagerInternal; import android.app.trust.TrustManager; import android.app.usage.UsageStatsManagerInternal; import android.compat.annotation.ChangeId; @@ -926,6 +927,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final UsageStatsManagerInternal mUsageStatsManagerInternal; final TelephonyManager mTelephonyManager; final RoleManager mRoleManager; + final SupervisionManagerInternal mSupervisionManagerInternal; + private final LockPatternUtils mLockPatternUtils; private final LockSettingsInternal mLockSettingsInternal; private final DeviceAdminServiceController mDeviceAdminServiceController; @@ -2082,6 +2085,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { boolean isAdminInstalledCaCertAutoApproved() { return false; } + + @Nullable + SupervisionManagerInternal getSupervisionManager() { + return LocalServices.getService(SupervisionManagerInternal.class); + } } /** @@ -2113,6 +2121,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { mIPermissionManager = Objects.requireNonNull(injector.getIPermissionManager()); mTelephonyManager = Objects.requireNonNull(injector.getTelephonyManager()); mRoleManager = Objects.requireNonNull(injector.getRoleManager()); + if (Flags.secondaryLockscreenApiEnabled()) { + mSupervisionManagerInternal = injector.getSupervisionManager(); + } else { + mSupervisionManagerInternal = null; + } mLocalService = new LocalService(); mLockPatternUtils = injector.newLockPatternUtils(); @@ -2234,7 +2247,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return Collections.unmodifiableSet(packageNames); } - private @Nullable String getDefaultRoleHolderPackageName(int resId) { String packageNameAndSignature = mContext.getString(resId); @@ -14585,34 +14597,76 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } + private boolean hasActiveSupervisionTestAdminLocked(@UserIdInt int userId) { + ensureLocked(); + if (mConstants.USE_TEST_ADMIN_AS_SUPERVISION_COMPONENT) { + final DevicePolicyData policy = getUserData(userId); + for (ActiveAdmin admin : policy.mAdminMap.values()) { + if (admin != null && admin.testOnlyAdmin) { + return true; + } + } + } + return false; + } + @Override public void setSecondaryLockscreenEnabled(ComponentName who, boolean enabled, PersistableBundle options) { - Objects.requireNonNull(who, "ComponentName is null"); - - // Check can set secondary lockscreen enabled - final CallerIdentity caller = getCallerIdentity(who); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwner(caller)); - Preconditions.checkCallAuthorization(!isManagedProfile(caller.getUserId()), - "User %d is not allowed to call setSecondaryLockscreenEnabled", + if (Flags.secondaryLockscreenApiEnabled()) { + final CallerIdentity caller = getCallerIdentity(); + final boolean isRoleHolder = isCallerSystemSupervisionRoleHolder(caller); + synchronized (getLockObject()) { + // TODO(b/378102594): Remove access for test admins. + final boolean isTestAdmin = hasActiveSupervisionTestAdminLocked(caller.getUserId()); + Preconditions.checkCallAuthorization(isRoleHolder || isTestAdmin, + "Caller (%d) is not the SYSTEM_SUPERVISION role holder", caller.getUserId()); + } - synchronized (getLockObject()) { - // Allow testOnly admins to bypass supervision config requirement. - Preconditions.checkCallAuthorization(isAdminTestOnlyLocked(who, caller.getUserId()) - || isSupervisionComponentLocked(caller.getComponentName()), "Admin %s is not " - + "the default supervision component", caller.getComponentName()); - DevicePolicyData policy = getUserData(caller.getUserId()); - policy.mSecondaryLockscreenEnabled = enabled; - saveSettingsLocked(caller.getUserId()); + if (mSupervisionManagerInternal != null) { + mSupervisionManagerInternal.setSupervisionLockscreenEnabledForUser( + caller.getUserId(), enabled, options); + } else { + synchronized (getLockObject()) { + DevicePolicyData policy = getUserData(caller.getUserId()); + policy.mSecondaryLockscreenEnabled = enabled; + saveSettingsLocked(caller.getUserId()); + } + } + } else { + Objects.requireNonNull(who, "ComponentName is null"); + + // Check can set secondary lockscreen enabled + final CallerIdentity caller = getCallerIdentity(who); + Preconditions.checkCallAuthorization( + isDefaultDeviceOwner(caller) || isProfileOwner(caller)); + Preconditions.checkCallAuthorization(!isManagedProfile(caller.getUserId()), + "User %d is not allowed to call setSecondaryLockscreenEnabled", + caller.getUserId()); + + synchronized (getLockObject()) { + // Allow testOnly admins to bypass supervision config requirement. + Preconditions.checkCallAuthorization(isAdminTestOnlyLocked(who, caller.getUserId()) + || isSupervisionComponentLocked(caller.getComponentName()), + "Admin %s is not the default supervision component", + caller.getComponentName()); + DevicePolicyData policy = getUserData(caller.getUserId()); + policy.mSecondaryLockscreenEnabled = enabled; + saveSettingsLocked(caller.getUserId()); + } } } @Override public boolean isSecondaryLockscreenEnabled(@NonNull UserHandle userHandle) { - synchronized (getLockObject()) { - return getUserData(userHandle.getIdentifier()).mSecondaryLockscreenEnabled; + if (Flags.secondaryLockscreenApiEnabled() && mSupervisionManagerInternal != null) { + return mSupervisionManagerInternal.isSupervisionLockscreenEnabledForUser( + userHandle.getIdentifier()); + } else { + synchronized (getLockObject()) { + return getUserData(userHandle.getIdentifier()).mSecondaryLockscreenEnabled; + } } } diff --git a/services/supervision/java/com/android/server/supervision/SupervisionService.java b/services/supervision/java/com/android/server/supervision/SupervisionService.java index 67e254782f6d..53a25dd454ef 100644 --- a/services/supervision/java/com/android/server/supervision/SupervisionService.java +++ b/services/supervision/java/com/android/server/supervision/SupervisionService.java @@ -21,10 +21,11 @@ import android.annotation.Nullable; import android.annotation.UserIdInt; import android.app.admin.DevicePolicyManagerInternal; import android.app.supervision.ISupervisionManager; +import android.app.supervision.SupervisionManagerInternal; import android.content.ComponentName; import android.content.Context; import android.content.pm.UserInfo; -import android.os.Bundle; +import android.os.PersistableBundle; import android.os.RemoteException; import android.os.ResultReceiver; import android.os.ShellCallback; @@ -179,8 +180,15 @@ public class SupervisionService extends ISupervisionManager.Stub { } @Override + public boolean isSupervisionLockscreenEnabledForUser(@UserIdInt int userId) { + synchronized (getLockObject()) { + return getUserDataLocked(userId).supervisionLockScreenEnabled; + } + } + + @Override public void setSupervisionLockscreenEnabledForUser( - @UserIdInt int userId, boolean enabled, @Nullable Bundle options) { + @UserIdInt int userId, boolean enabled, @Nullable PersistableBundle options) { synchronized (getLockObject()) { SupervisionUserData data = getUserDataLocked(userId); data.supervisionLockScreenEnabled = enabled; diff --git a/services/supervision/java/com/android/server/supervision/SupervisionUserData.java b/services/supervision/java/com/android/server/supervision/SupervisionUserData.java index 56162372f740..1dd48f581bf4 100644 --- a/services/supervision/java/com/android/server/supervision/SupervisionUserData.java +++ b/services/supervision/java/com/android/server/supervision/SupervisionUserData.java @@ -19,7 +19,7 @@ package com.android.server.supervision; import android.annotation.NonNull; import android.annotation.Nullable; import android.annotation.UserIdInt; -import android.os.Bundle; +import android.os.PersistableBundle; import android.util.IndentingPrintWriter; /** User specific data, used internally by the {@link SupervisionService}. */ @@ -27,7 +27,7 @@ public class SupervisionUserData { public final @UserIdInt int userId; public boolean supervisionEnabled; public boolean supervisionLockScreenEnabled; - @Nullable public Bundle supervisionLockScreenOptions; + @Nullable public PersistableBundle supervisionLockScreenOptions; public SupervisionUserData(@UserIdInt int userId) { this.userId = userId; diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceTestable.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceTestable.java index 698bda335f83..4c381eb4429e 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceTestable.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceTestable.java @@ -24,6 +24,7 @@ import android.app.PendingIntent; import android.app.admin.DevicePolicyManagerInternal; import android.app.admin.DevicePolicyManagerLiteInternal; import android.app.backup.IBackupManager; +import android.app.supervision.SupervisionManagerInternal; import android.app.usage.UsageStatsManagerInternal; import android.content.Context; import android.content.Intent; @@ -488,6 +489,11 @@ public class DevicePolicyManagerServiceTestable extends DevicePolicyManagerServi public Context createContextAsUser(UserHandle user) { return context; } + + @Override + SupervisionManagerInternal getSupervisionManager() { + return services.supervisionManagerInternal; + } } static class TransferOwnershipMetadataManagerMockInjector extends diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java index 9524fb24556b..cf5dc4bec71c 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java @@ -109,6 +109,7 @@ import android.app.admin.PasswordMetrics; import android.app.admin.PreferentialNetworkServiceConfig; import android.app.admin.SystemUpdatePolicy; import android.app.admin.WifiSsidPolicy; +import android.app.admin.flags.Flags; import android.app.role.RoleManager; import android.content.BroadcastReceiver; import android.content.ComponentName; @@ -134,6 +135,10 @@ import android.os.Process; import android.os.UserHandle; import android.os.UserManager; import android.platform.test.annotations.Presubmit; +import android.platform.test.annotations.RequiresFlagsDisabled; +import android.platform.test.annotations.RequiresFlagsEnabled; +import android.platform.test.flag.junit.CheckFlagsRule; +import android.platform.test.flag.junit.DeviceFlagsValueProvider; import android.provider.DeviceConfig; import android.provider.Settings; import android.security.KeyChain; @@ -165,6 +170,7 @@ import org.hamcrest.Matcher; import org.junit.After; import org.junit.Before; import org.junit.Ignore; +import org.junit.Rule; import org.junit.Test; import org.mockito.Mockito; import org.mockito.internal.util.collections.Sets; @@ -207,6 +213,9 @@ public class DevicePolicyManagerTest extends DpmTestBase { public static final String INVALID_CALLING_IDENTITY_MSG = "Calling identity is not authorized"; public static final String ONGOING_CALL_MSG = "ongoing call on the device"; + @Rule + public final CheckFlagsRule mCheckFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule(); + // TODO replace all instances of this with explicit {@link #mServiceContext}. @Deprecated private DpmMockContext mContext; @@ -4903,6 +4912,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } @Test + @RequiresFlagsDisabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) public void testSecondaryLockscreen_profileOwner() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_UID; @@ -4931,6 +4941,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } @Test + @RequiresFlagsDisabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) public void testSecondaryLockscreen_deviceOwner() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; @@ -4949,6 +4960,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } @Test + @RequiresFlagsDisabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) public void testSecondaryLockscreen_nonOwner() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_UID; @@ -4965,6 +4977,7 @@ public class DevicePolicyManagerTest extends DpmTestBase { } @Test + @RequiresFlagsDisabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) public void testSecondaryLockscreen_nonSupervisionApp() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_UID; @@ -4997,6 +5010,51 @@ public class DevicePolicyManagerTest extends DpmTestBase { } @Test + @RequiresFlagsEnabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) + public void testIsSecondaryLockscreenEnabled() throws Exception { + mContext.binder.callingUid = DpmMockContext.CALLER_UID; + + verifyIsSecondaryLockscreenEnabled(false); + verifyIsSecondaryLockscreenEnabled(true); + } + + private void verifyIsSecondaryLockscreenEnabled(boolean expected) throws Exception { + reset(getServices().supervisionManagerInternal); + + doReturn(expected).when(getServices().supervisionManagerInternal) + .isSupervisionLockscreenEnabledForUser(anyInt()); + + final boolean enabled = dpm.isSecondaryLockscreenEnabled(UserHandle.of(CALLER_USER_HANDLE)); + verify(getServices().supervisionManagerInternal) + .isSupervisionLockscreenEnabledForUser(CALLER_USER_HANDLE); + + assertThat(enabled).isEqualTo(expected); + } + + @Test + @RequiresFlagsEnabled(Flags.FLAG_SECONDARY_LOCKSCREEN_API_ENABLED) + public void testSetSecondaryLockscreenEnabled() throws Exception { + mContext.binder.callingUid = DpmMockContext.CALLER_UID; + + verifySetSecondaryLockscreenEnabled(false); + verifySetSecondaryLockscreenEnabled(true); + } + + private void verifySetSecondaryLockscreenEnabled(boolean enabled) throws Exception { + reset(getServices().supervisionManagerInternal); + + dpm.setSecondaryLockscreenEnabled(admin1, enabled); + verify(getServices().supervisionManagerInternal).setSupervisionLockscreenEnabledForUser( + CALLER_USER_HANDLE, enabled, null); + + reset(getServices().supervisionManagerInternal); + + dpm.setSecondaryLockscreenEnabled(enabled, new PersistableBundle()); + verify(getServices().supervisionManagerInternal).setSupervisionLockscreenEnabledForUser( + eq(CALLER_USER_HANDLE), eq(enabled), any(PersistableBundle.class)); + } + + @Test public void testIsDeviceManaged() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/MockSystemServices.java b/services/tests/servicestests/src/com/android/server/devicepolicy/MockSystemServices.java index 2e200a9268f5..3e4448c1dafa 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/MockSystemServices.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/MockSystemServices.java @@ -35,6 +35,7 @@ import android.app.NotificationManager; import android.app.admin.DevicePolicyManager; import android.app.backup.IBackupManager; import android.app.role.RoleManager; +import android.app.supervision.SupervisionManagerInternal; import android.app.usage.UsageStatsManagerInternal; import android.content.BroadcastReceiver; import android.content.ComponentName; @@ -77,8 +78,8 @@ import com.android.internal.util.test.FakeSettingsProvider; import com.android.internal.widget.LockPatternUtils; import com.android.internal.widget.LockSettingsInternal; import com.android.server.AlarmManagerInternal; -import com.android.server.pdb.PersistentDataBlockManagerInternal; import com.android.server.net.NetworkPolicyManagerInternal; +import com.android.server.pdb.PersistentDataBlockManagerInternal; import com.android.server.pm.PackageManagerLocal; import com.android.server.pm.UserManagerInternal; import com.android.server.pm.pkg.PackageState; @@ -149,6 +150,7 @@ public class MockSystemServices { public final BuildMock buildMock = new BuildMock(); public final File dataDir; public final PolicyPathProvider pathProvider; + public final SupervisionManagerInternal supervisionManagerInternal; private final Map<String, PackageState> mTestPackageStates = new ArrayMap<>(); @@ -203,6 +205,7 @@ public class MockSystemServices { roleManager = realContext.getSystemService(RoleManager.class); roleManagerForMock = mock(RoleManagerForMock.class); subscriptionManager = mock(SubscriptionManager.class); + supervisionManagerInternal = mock(SupervisionManagerInternal.class); // Package manager is huge, so we use a partial mock instead. packageManager = spy(realContext.getPackageManager()); diff --git a/services/tests/servicestests/src/com/android/server/supervision/SupervisionServiceTest.kt b/services/tests/servicestests/src/com/android/server/supervision/SupervisionServiceTest.kt index 79b0623640f6..8290e1cfb9db 100644 --- a/services/tests/servicestests/src/com/android/server/supervision/SupervisionServiceTest.kt +++ b/services/tests/servicestests/src/com/android/server/supervision/SupervisionServiceTest.kt @@ -20,7 +20,7 @@ import android.app.admin.DevicePolicyManagerInternal import android.content.ComponentName import android.content.Context import android.content.pm.UserInfo -import android.os.Bundle +import android.os.PersistableBundle import android.platform.test.annotations.RequiresFlagsEnabled import android.platform.test.flag.junit.DeviceFlagsValueProvider import androidx.test.ext.junit.runners.AndroidJUnit4 @@ -139,7 +139,7 @@ class SupervisionServiceTest { assertThat(userData.supervisionLockScreenEnabled).isFalse() assertThat(userData.supervisionLockScreenOptions).isNull() - service.mInternal.setSupervisionLockscreenEnabledForUser(USER_ID, true, Bundle()) + service.mInternal.setSupervisionLockscreenEnabledForUser(USER_ID, true, PersistableBundle()) userData = service.getUserDataLocked(USER_ID) assertThat(userData.supervisionLockScreenEnabled).isTrue() assertThat(userData.supervisionLockScreenOptions).isNotNull() |