From 56e9c33cc91f461c79ce8ffe9330f96f21e16216 Mon Sep 17 00:00:00 2001 From: Sumedh Sen Date: Thu, 23 Mar 2023 16:29:47 -0700 Subject: [RESTRICT AUTOMERGE] Prevent installing apps in policy restricted work profile using ADB If DISALLOW_DEBUGGING_FEATURES or DISALLOW_INSTALL_APPS restrictions are set on a work profile, prevent side loading of APKs using ADB in the work profile. Bug: 257443065 Test: atest CtsPackageInstallTestCases:UserRestrictionInstallTest (cherry picked from commit febe3918020a94b2af48ade98eb6a49cdd4a3bdf) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b988a09db551d9a8b2aeb0e8eb88e610605709e8) Merged-In: I169a1f72c84528ca606b6a4da165d4fbcd02b08d Change-Id: I169a1f72c84528ca606b6a4da165d4fbcd02b08d
---
 .../android/server/pm/InstallPackageHelper.java | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index c32a57c68ede..259701166147 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -2093,9 +2093,25 @@ final class InstallPackageHelper {
 // The caller explicitly specified INSTALL_ALL_USERS flag.
 // Thus, updating the settings to install the app for all users.
 for (int currentUserId : allUsers) {
- ps.setInstalled(true, currentUserId);
- ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, userId,
- installerPackageName);
+ // If the app is already installed for the currentUser,
+ // keep it as installed as we might be updating the app at this place.
+ // If not currently installed, check if the currentUser is restricted by
+ // DISALLOW_INSTALL_APPS or DISALLOW_DEBUGGING_FEATURES device policy.
+ // Install / update the app if the user isn't restricted. Skip otherwise.
+ final boolean installedForCurrentUser = ArrayUtils.contains(
+ installedForUsers, currentUserId);
+ final boolean restrictedByPolicy =
+ mPm.isUserRestricted(currentUserId,
+ UserManager.DISALLOW_INSTALL_APPS)
+ || mPm.isUserRestricted(currentUserId,
+ UserManager.DISALLOW_DEBUGGING_FEATURES);
+ if (installedForCurrentUser || !restrictedByPolicy) {
+ ps.setInstalled(true, currentUserId);
+ ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, currentUserId,
+ installerPackageName);
+ } else {
+ ps.setInstalled(false, currentUserId);
+ }
 }
 }
 
-- cgit v1.2.3-59-g8ed1b
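Review bot: The else branch that calls `ps.setInstalled(false, currentUserId)` skips a policy-restricted user without leaving any trace, so a blocked sideload attempt is invisible in logs and the caller is not told the install was only partial. I would log the skip there, e.g. `Slog.w(TAG, "Skipping install for user " + currentUserId + ": restricted by device policy");` (assuming the file's usual Slog/TAG logging is in scope, which the hunk does not show). Separately, nothing in the visible lines ties the check to an ADB-originated install, although the commit message scopes the change to ADB; if other INSTALL_ALL_USERS callers reach this loop, DISALLOW_DEBUGGING_FEATURES would filter them too, so a comment stating that this is intended would help. The enclosing method starts and ends outside the hunk.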