diff options
6 files changed, 119 insertions, 0 deletions
diff --git a/api/current.txt b/api/current.txt index a307fa430ac3..7a329e1fa815 100644 --- a/api/current.txt +++ b/api/current.txt @@ -6836,6 +6836,7 @@ package android.app.admin { method public boolean isDeviceOwnerApp(String); method public boolean isEphemeralUser(@NonNull android.content.ComponentName); method public boolean isLockTaskPermitted(String); + method public boolean isLockdownAdminConfiguredNetworks(@NonNull android.content.ComponentName); method public boolean isLogoutEnabled(); method public boolean isManagedProfile(@NonNull android.content.ComponentName); method public boolean isMasterVolumeMuted(@NonNull android.content.ComponentName); @@ -6900,6 +6901,7 @@ package android.app.admin { method public void setLocationEnabled(@NonNull android.content.ComponentName, boolean); method public void setLockTaskFeatures(@NonNull android.content.ComponentName, int); method public void setLockTaskPackages(@NonNull android.content.ComponentName, @NonNull String[]) throws java.lang.SecurityException; + method public void setLockdownAdminConfiguredNetworks(@NonNull android.content.ComponentName, boolean); method public void setLogoutEnabled(@NonNull android.content.ComponentName, boolean); method public void setLongSupportMessage(@NonNull android.content.ComponentName, @Nullable CharSequence); method public void setMasterVolumeMuted(@NonNull android.content.ComponentName, boolean); diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 54a64ef3f392..f8024aab9d41 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -8605,6 +8605,55 @@ public class DevicePolicyManager { } /** + * Called by a device owner or a profile owner of an organization-owned managed profile to + * control whether the user can change networks configured by the admin. + * <p> + * WiFi network configuration lockdown is controlled by a global settings + * {@link android.provider.Settings.Global#WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN} and calling + * this API effectively modifies the global settings. Previously device owners can also + * control this directly via {@link #setGlobalSetting} but they are recommended to switch + * to this API. + * + * @param admin admin Which {@link DeviceAdminReceiver} this request is associated + * with. + * @param lockdown Whether the admin configured networks should be unmodifiable by the + * user. + * @throws SecurityException if caller is not a device owner or a profile owner of an + * organization-owned managed profile. + */ + public void setLockdownAdminConfiguredNetworks(@NonNull ComponentName admin, boolean lockdown) { + throwIfParentInstance("setLockdownAdminConfiguredNetworks"); + if (mService != null) { + try { + mService.setLockdownAdminConfiguredNetworks(admin, lockdown); + } catch (RemoteException e) { + throw e.rethrowFromSystemServer(); + } + } + } + + /** + * Called by a device owner or a profile owner of an organization-owned managed profile to + * determine whether the user is prevented from modifying networks configured by the admin. + * + * @param admin admin Which {@link DeviceAdminReceiver} this request is associated + * with. + * @throws SecurityException if caller is not a device owner or a profile owner of an + * organization-owned managed profile. + */ + public boolean isLockdownAdminConfiguredNetworks(@NonNull ComponentName admin) { + throwIfParentInstance("setLockdownAdminConfiguredNetworks"); + if (mService != null) { + try { + return mService.isLockdownAdminConfiguredNetworks(admin); + } catch (RemoteException e) { + throw e.rethrowFromSystemServer(); + } + } + return false; + } + + /** * Called by a device owner or a profile owner of an organization-owned managed * profile to set the system wall clock time. This only takes effect if called when * {@link android.provider.Settings.Global#AUTO_TIME} is 0, otherwise {@code false} diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl index f649286206bb..a2c0856717f5 100644 --- a/core/java/android/app/admin/IDevicePolicyManager.aidl +++ b/core/java/android/app/admin/IDevicePolicyManager.aidl @@ -263,6 +263,9 @@ interface IDevicePolicyManager { void setSystemSetting(in ComponentName who, in String setting, in String value); void setSecureSetting(in ComponentName who, in String setting, in String value); + void setLockdownAdminConfiguredNetworks(in ComponentName who, boolean lockdown); + boolean isLockdownAdminConfiguredNetworks(in ComponentName who); + void setLocationEnabled(in ComponentName who, boolean locationEnabled); boolean setTime(in ComponentName who, long millis); diff --git a/core/proto/android/stats/devicepolicy/device_policy_enums.proto b/core/proto/android/stats/devicepolicy/device_policy_enums.proto index 0ae11a106a54..0f03e69e6c93 100644 --- a/core/proto/android/stats/devicepolicy/device_policy_enums.proto +++ b/core/proto/android/stats/devicepolicy/device_policy_enums.proto @@ -156,4 +156,5 @@ enum EventId { SET_PACKAGES_PROTECTED = 129; SET_FACTORY_RESET_PROTECTION = 130; SET_COMMON_CRITERIA_MODE = 131; + ALLOW_MODIFICATION_OF_ADMIN_CONFIGURED_NETWORKS = 132; } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 14bd72b0fd21..8f153b9e809e 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -11344,6 +11344,37 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } @Override + public void setLockdownAdminConfiguredNetworks(ComponentName who, boolean lockdown) { + if (!mHasFeature) { + return; + } + Preconditions.checkNotNull(who, "ComponentName is null"); + enforceDeviceOwnerOrProfileOwnerOnOrganizationOwnedDevice(who); + + mInjector.binderWithCleanCallingIdentity(() -> + mInjector.settingsGlobalPutInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, + lockdown ? 1 : 0)); + + DevicePolicyEventLogger + .createEvent(DevicePolicyEnums.ALLOW_MODIFICATION_OF_ADMIN_CONFIGURED_NETWORKS) + .setAdmin(who) + .setBoolean(lockdown) + .write(); + } + + @Override + public boolean isLockdownAdminConfiguredNetworks(ComponentName who) { + if (!mHasFeature) { + return false; + } + Preconditions.checkNotNull(who, "ComponentName is null"); + enforceDeviceOwnerOrProfileOwnerOnOrganizationOwnedDevice(who); + + return mInjector.binderWithCleanCallingIdentity(() -> + mInjector.settingsGlobalGetInt(Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0) > 0); + } + + @Override public void setLocationEnabled(ComponentName who, boolean locationEnabled) { Objects.requireNonNull(who, "ComponentName is null"); enforceDeviceOwner(who); diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java index 632a2c1edfae..43e9570dfe84 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java @@ -3723,6 +3723,39 @@ public class DevicePolicyManagerTest extends DpmTestBase { assertEquals(-1, dpm.getLastSecurityLogRetrievalTime()); } + public void testSetLockdownAdminConfiguredNetworksWithDO() throws Exception { + mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; + setupDeviceOwner(); + dpm.setLockdownAdminConfiguredNetworks(admin1, true); + verify(getServices().settings).settingsGlobalPutInt( + Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 1); + + dpm.setLockdownAdminConfiguredNetworks(admin1, false); + verify(getServices().settings).settingsGlobalPutInt( + Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0); + } + + public void testSetLockdownAdminConfiguredNetworksWithPO() throws Exception { + setupProfileOwner(); + assertExpectException(SecurityException.class, null, + () -> dpm.setLockdownAdminConfiguredNetworks(admin1, false)); + verify(getServices().settings, never()).settingsGlobalPutInt( + Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0); + } + + public void testSetLockdownAdminConfiguredNetworksWithPOOfOrganizationOwnedDevice() + throws Exception { + setupProfileOwner(); + configureProfileOwnerOfOrgOwnedDevice(admin1, DpmMockContext.CALLER_USER_HANDLE); + dpm.setLockdownAdminConfiguredNetworks(admin1, true); + verify(getServices().settings).settingsGlobalPutInt( + Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 1); + + dpm.setLockdownAdminConfiguredNetworks(admin1, false); + verify(getServices().settings).settingsGlobalPutInt( + Settings.Global.WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN, 0); + } + public void testSetSystemSettingFailWithNonWhitelistedSettings() throws Exception { mContext.binder.callingUid = DpmMockContext.CALLER_SYSTEM_USER_UID; setupDeviceOwner(); |