diff options
5 files changed, 82 insertions, 18 deletions
diff --git a/core/java/android/os/IUserManager.aidl b/core/java/android/os/IUserManager.aidl index 3324f6fe4589..427add19f14f 100644 --- a/core/java/android/os/IUserManager.aidl +++ b/core/java/android/os/IUserManager.aidl @@ -83,4 +83,6 @@ interface IUserManager { boolean someUserHasSeedAccount(in String accountName, in String accountType); boolean isManagedProfile(int userId); boolean isDemoUser(int userId); + UserInfo createProfileForUserEvenWhenDisallowed(in String name, int flags, int userHandle, + in String[] disallowedPackages); } diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java index c7e5e6308a8a..c656b066a51d 100644 --- a/core/java/android/os/UserManager.java +++ b/core/java/android/os/UserManager.java @@ -1374,6 +1374,24 @@ public class UserManager { } /** + * Similar to {@link #createProfileForUser(String, int, int, String[])} + * except bypassing the checking of {@link UserManager#DISALLOW_ADD_USER}. + * Requires {@link android.Manifest.permission#MANAGE_USERS} permission. + * + * @see #createProfileForUser(String, int, int, String[]) + * @hide + */ + public UserInfo createProfileForUserEvenWhenDisallowed(String name, int flags, + @UserIdInt int userHandle, String[] disallowedPackages) { + try { + return mService.createProfileForUserEvenWhenDisallowed(name, flags, userHandle, + disallowedPackages); + } catch (RemoteException re) { + throw re.rethrowFromSystemServer(); + } + } + + /** * Creates a restricted profile with the specified name. This method also sets necessary * restrictions and adds shared accounts. * diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java index 9146bec2af49..c0de214c5833 100644 --- a/services/core/java/com/android/server/pm/UserManagerService.java +++ b/services/core/java/com/android/server/pm/UserManagerService.java @@ -97,6 +97,7 @@ import com.android.server.LocalServices; import com.android.server.SystemService; import com.android.server.am.UserState; import com.android.server.storage.DeviceStorageMonitorInternal; + import libcore.io.IoUtils; import libcore.util.Objects; @@ -2189,6 +2190,13 @@ public class UserManagerService extends IUserManager.Stub { } @Override + public UserInfo createProfileForUserEvenWhenDisallowed(String name, int flags, int userId, + String[] disallowedPackages) { + checkManageOrCreateUsersPermission(flags); + return createUserInternalUnchecked(name, flags, userId, disallowedPackages); + } + + @Override public UserInfo createUser(String name, int flags) { checkManageOrCreateUsersPermission(flags); return createUserInternal(name, flags, UserHandle.USER_NULL); @@ -2204,17 +2212,17 @@ public class UserManagerService extends IUserManager.Stub { Log.w(LOG_TAG, "Cannot add user. DISALLOW_ADD_USER is enabled."); return null; } + return createUserInternalUnchecked(name, flags, parentId, disallowedPackages); + } + + private UserInfo createUserInternalUnchecked(String name, int flags, int parentId, + String[] disallowedPackages) { DeviceStorageMonitorInternal dsm = LocalServices .getService(DeviceStorageMonitorInternal.class); if (dsm.isMemoryLow()) { Log.w(LOG_TAG, "Cannot add user. Not enough space on disk."); return null; } - return createUserInternalUnchecked(name, flags, parentId, disallowedPackages); - } - - private UserInfo createUserInternalUnchecked(String name, int flags, int parentId, - String[] disallowedPackages) { if (ActivityManager.isLowRamDeviceStatic()) { return null; } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index e7772f339f7a..c30d30f1a8a0 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -8621,19 +8621,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } synchronized (this) { if (mOwners.hasDeviceOwner()) { - if (!mInjector.userManagerIsSplitSystemUser()) { - // Only split-system-user systems support managed-profiles in combination with - // device-owner. - return false; - } - if (mOwners.getDeviceOwnerUserId() != UserHandle.USER_SYSTEM) { - // Only system device-owner supports managed-profiles. Non-system device-owner - // doesn't. - return false; - } - if (callingUserId == UserHandle.USER_SYSTEM) { - // Managed-profiles cannot be setup on the system user, only regular users. - return false; + // STOPSHIP Only allow creating a managed profile if allowed by the device + // owner. http://b/31952368 + if (mInjector.userManagerIsSplitSystemUser()) { + if (callingUserId == UserHandle.USER_SYSTEM) { + // Managed-profiles cannot be setup on the system user. + return false; + } } } } diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java index 0fb2c9fb28dc..1f0422b4ed50 100644 --- a/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java +++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerTest.java @@ -237,6 +237,38 @@ public class UserManagerTest extends AndroidTestCase { } } + // Make sure createProfile would fail if we have DISALLOW_ADD_USER. + @MediumTest + public void testCreateProfileForUser_disallowAddUser() throws Exception { + final int primaryUserId = mUserManager.getPrimaryUser().id; + final UserHandle primaryUserHandle = new UserHandle(primaryUserId); + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, true, primaryUserHandle); + try { + UserInfo userInfo = createProfileForUser("Managed", + UserInfo.FLAG_MANAGED_PROFILE, primaryUserId); + assertNull(userInfo); + } finally { + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, + primaryUserHandle); + } + } + + // Make sure createProfileEvenWhenDisallowedForUser bypass DISALLOW_ADD_USER. + @MediumTest + public void testCreateProfileForUserEvenWhenDisallowed() throws Exception { + final int primaryUserId = mUserManager.getPrimaryUser().id; + final UserHandle primaryUserHandle = new UserHandle(primaryUserId); + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, true, primaryUserHandle); + try { + UserInfo userInfo = createProfileEvenWhenDisallowedForUser("Managed", + UserInfo.FLAG_MANAGED_PROFILE, primaryUserId); + assertNotNull(userInfo); + } finally { + mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER, false, + primaryUserHandle); + } + } + @MediumTest public void testAddRestrictedProfile() throws Exception { UserInfo userInfo = createRestrictedProfile("Profile"); @@ -474,6 +506,16 @@ public class UserManagerTest extends AndroidTestCase { return profile; } + private UserInfo createProfileEvenWhenDisallowedForUser(String name, int flags, + int userHandle) { + UserInfo profile = mUserManager.createProfileForUserEvenWhenDisallowed( + name, flags, userHandle, null); + if (profile != null) { + usersToRemove.add(profile.id); + } + return profile; + } + private UserInfo createRestrictedProfile(String name) { UserInfo profile = mUserManager.createRestrictedProfile(name); if (profile != null) { |