From a9c51e7fb84c441ffcbaf5f34089b3119d28662a Mon Sep 17 00:00:00 2001 From: Alex Johnston Date: Mon, 19 Apr 2021 14:07:42 +0100 Subject: Remove requireAutoTime on upgrade * In Android 11, setRequireAutoTime was deprecated. The user restriction DISALLOW_CONFIG_DATE_TIME should be used instead to enforce time policies. * When removing the DO, requireAutoTime needs to be set to false * When transferring policies from the DO to the COPE PO, the user restriction should be used instead of requireAutoTime. This is because requireAutoTime can never be turned false for the COPE PO Manual testing steps - Scenario 1 * Flash device with Android Q build and set up device in DO mode * Apply some policies using TestDPC, including requireAutoTime * Flash device with Android R build and do not wipe * Replicate issue by checking date time cannot be removed * Flash device with Android S build and do not wipe * Verify date time restriction can be removed Manual testing steps - Scenario 2 * Flash device with Android Q build and set up device in DO mode * Apply some policies using TestDPC, including requireAutoTime * Flash device with Android S build and do not wipe * Verify DO restriction has been set on parent admin * Verify date time restriction can be removed Bug: 165026695 Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest Manual testing Change-Id: I76344fe2df7475b6411362b4aff806a5cbf053a7 --- .../devicepolicy/DevicePolicyManagerService.java | 46 +++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index bc130e2c1e5b..5d85b8168da3 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -2086,12 +2086,19 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { // The following policies weren't available to PO, but will be available after migration. parentAdmin.disableCamera = doAdmin.disableCamera; - parentAdmin.requireAutoTime = doAdmin.requireAutoTime; parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture; parentAdmin.accountTypesWithManagementDisabled.addAll( doAdmin.accountTypesWithManagementDisabled); moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin); + + // From Android 11, {@link setAutoTimeRequired} is no longer used. The user restriction + // {@link UserManager#DISALLOW_CONFIG_DATE_TIME} should be used to enforce auto time + // settings instead. + if (doAdmin.requireAutoTime) { + parentAdmin.ensureUserRestrictions().putBoolean( + UserManager.DISALLOW_CONFIG_DATE_TIME, true); + } } private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) { @@ -2361,6 +2368,41 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { saveSettingsLocked(user.getIdentifier()); } + /** + * Fix left-over restrictions and auto-time policy during COMP -> COPE migration. + * + * When a COMP device with requireAutoTime policy set was migrated to an + * organization-owned profile, a DISALLOW_CONFIG_DATE_TIME restriction is set + * on user 0 from the DO user, which becomes unremovable by the organization-owned + * profile owner. Fix this by force removing that restriction. Also revert the + * parentAdmin.requireAutoTime bit (since the COPE PO cannot unset this bit) + * and replace it with DISALLOW_CONFIG_DATE_TIME on the correct + * admin, in line with the deprecation recommendation of setAutoTimeRequired(). + */ + private void fixupAutoTimeRestrictionDuringOrganizationOwnedDeviceMigration() { + for (UserInfo ui : mUserManager.getUsers()) { + final int userId = ui.id; + if (isProfileOwnerOfOrganizationOwnedDevice(userId)) { + final ActiveAdmin parent = getProfileOwnerAdminLocked(userId).parentAdmin; + if (parent != null && parent.requireAutoTime) { + // Remove deprecated requireAutoTime + parent.requireAutoTime = false; + saveSettingsLocked(userId); + + // Remove user restrictions set by the device owner before the upgrade to + // Android 11. + mUserManagerInternal.setDevicePolicyUserRestrictions(UserHandle.USER_SYSTEM, + new Bundle(), new RestrictionsSet(), /* isDeviceOwner */ false); + + // Apply user restriction to parent active admin instead + parent.ensureUserRestrictions().putBoolean( + UserManager.DISALLOW_CONFIG_DATE_TIME, true); + pushUserRestrictions(userId); + } + } + } + } + private ComponentName findAdminComponentWithPackageLocked(String packageName, int userId) { final DevicePolicyData policy = getUserData(userId); final int n = policy.mAdminList.size(); @@ -3020,6 +3062,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { private void onLockSettingsReady() { synchronized (getLockObject()) { migrateUserRestrictionsIfNecessaryLocked(); + fixupAutoTimeRestrictionDuringOrganizationOwnedDeviceMigration(); performPolicyVersionUpgrade(); } getUserData(UserHandle.USER_SYSTEM); @@ -8574,6 +8617,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { admin.defaultEnabledRestrictionsAlreadySet.clear(); admin.forceEphemeralUsers = false; admin.isNetworkLoggingEnabled = false; + admin.requireAutoTime = false; mUserManagerInternal.setForceEphemeralUsers(admin.forceEphemeralUsers); } final DevicePolicyData policyData = getUserData(userId); -- cgit v1.2.3-59-g8ed1b