From a5478e42a8f65779bd4862a0caf42d08b092a20a Mon Sep 17 00:00:00 2001 From: Wen Zhang Date: Fri, 2 Feb 2024 12:01:12 +0000 Subject: [Bugfix]migrate user restrictions to DevicePolicyEngine Migrate user restrictions to DevicePolicyEngine, otherwise user restrictions will not be able to be queried when upgrading from Android 13 OTA to Android 14. Bug: 323452689 Bug: 318497672 Test: case 1:Android 13 upgrade to Android 14 1.install TestDPC on Android 13 2.set TestDPC as Device Owner 3.set disallow factory reset 4.update Android 14 via OTA 5.The reset to factory settings in the settings app is still unavailable. case 2:Android 14(bad version) upgrade to Android 14(new version) 1.install TestDPC on Android 13 2.set TestDPC as Device Owner 3.set disallow factory reset 4.update Android 14(bad version) via OTA 5.The reset to factory settings in the settings app is still available. 6.update Android 14(new version) via OTA 7.The reset to factory settings in the settings app is unavailable. (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:470c1eabca9f341e163a38a2327615e8fa3126ae) Merged-In: I7c63d52300a1c5aa0678f29c2e4b15195411517c Change-Id: I7c63d52300a1c5aa0678f29c2e4b15195411517c 24D1-dev is based on 24Q2-release. Therefore, we merged this CL to 24D1-dev. --- .../devicepolicy/DevicePolicyManagerService.java | 102 ++++++++++++++++----- 1 file changed, 80 insertions(+), 22 deletions(-) diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 5cc6d4081ee1..cd2fb160406f 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java 
@@ -3397,7 +3397,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } maybeMigratePoliciesPostUpgradeToDevicePolicyEngineLocked(); migratePoliciesToPolicyEngineLocked(); - } maybeStartSecurityLogMonitorOnActivityManagerReady(); break; 
@@ -13179,27 +13178,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { CallerIdentity caller, EnforcingAdmin admin, String key, boolean enabled, boolean parent) { synchronized (getLockObject()) { + + int ownerType; if (isDeviceOwner(caller)) { - if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_DEVICE_OWNER, key)) { - setGlobalUserRestrictionInternal(admin, key, enabled); - } else { - setLocalUserRestrictionInternal(admin, key, enabled, caller.getUserId()); - } + ownerType = OWNER_TYPE_DEVICE_OWNER; + } else if (isProfileOwnerOfOrganizationOwnedDevice(caller)) { + ownerType = OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; } else if (isProfileOwner(caller)) { - if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_PROFILE_OWNER, key) - || (parent && isProfileOwnerOfOrganizationOwnedDevice(caller) - && UserRestrictionsUtils.isGlobal( - OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, key))) { - setGlobalUserRestrictionInternal(admin, key, enabled); - } else { - int affectedUserId = parent - ? 
getProfileParentId(caller.getUserId()) : caller.getUserId(); - setLocalUserRestrictionInternal(admin, key, enabled, affectedUserId); - } + ownerType = OWNER_TYPE_PROFILE_OWNER; } else { throw new IllegalStateException("Non-DO/Non-PO cannot set restriction " + key + " while targetSdkVersion is less than UPSIDE_DOWN_CAKE"); } + setBackwardCompatibleUserRestrictionLocked(ownerType, admin, caller.getUserId(), key, + enabled, parent); + } + } + + private void setBackwardCompatibleUserRestrictionLocked( + int ownerType, EnforcingAdmin admin, int userId, String key, boolean enabled, + boolean parent) { + if (ownerType == OWNER_TYPE_DEVICE_OWNER) { + if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_DEVICE_OWNER, key)) { + setGlobalUserRestrictionInternal(admin, key, enabled); + } else { + setLocalUserRestrictionInternal(admin, key, enabled, userId); + } + } else if (ownerType == OWNER_TYPE_PROFILE_OWNER + || ownerType == OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE) { + if (UserRestrictionsUtils.isGlobal(OWNER_TYPE_PROFILE_OWNER, key) + || (parent && ownerType == OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE + && UserRestrictionsUtils.isGlobal( + OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, key))) { + setGlobalUserRestrictionInternal(admin, key, enabled); + } else { + int affectedUserId = parent + ? getProfileParentId(userId) : userId; + setLocalUserRestrictionInternal(admin, key, enabled, affectedUserId); + } + } else { + throw new IllegalStateException("Non-DO/Non-PO cannot set restriction " + key + + " while targetSdkVersion is less than UPSIDE_DOWN_CAKE"); } } 
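Review bot: The new helper `setBackwardCompatibleUserRestrictionLocked` has no Javadoc: its `Locked` suffix does not say which lock it expects, and nothing states that it performs no caller authorization of its own. It is now also reached from the upgrade migration with an `EnforcingAdmin` rebuilt from stored state, so a comment such as `/** Applies a legacy user restriction via the policy engine. Caller must hold getLockObject() and must already have verified that admin is the DO/PO for userId. */` would make the contract explicit. The helper's final `else` reuses the "while targetSdkVersion is less than UPSIDE_DOWN_CAKE" message, which is misleading when it fires on the migration path. Something like `throw new IllegalStateException("Unexpected ownerType " + ownerType + " for restriction " + key);` names the actual fault.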
@@ -23734,13 +23753,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { Preconditions.checkCallAuthorization( hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS)); return mInjector.binderWithCleanCallingIdentity(() -> { - boolean canForceMigration = forceMigration && !hasNonTestOnlyActiveAdmins(); - if (!canForceMigration && !shouldMigrateV1ToDevicePolicyEngine()) { - return false; + synchronized (getLockObject()) { + boolean canForceMigration = forceMigration && !hasNonTestOnlyActiveAdmins(); + if (!canForceMigration && !shouldMigrateV1ToDevicePolicyEngine()) { + return false; + } + boolean migrated = migrateV1PoliciesToDevicePolicyEngine(); + migrated &= migratePoliciesPostUpgradeToDevicePolicyEngineLocked(); + return migrated; } - boolean migrated = migrateV1PoliciesToDevicePolicyEngine(); - migrated &= migratePoliciesPostUpgradeToDevicePolicyEngineLocked(); - return migrated; }); } @@ -23784,6 +23805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { try { migrateScreenCapturePolicyLocked(); migrateLockTaskPolicyLocked(); + migrateUserRestrictionsLocked(); return true; } catch (Exception e) { Slogf.e(LOG_TAG, e, "Error occurred during post upgrade migration to the device " 
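Review bot: The `synchronized (getLockObject())` block added around the migration has no comment explaining why the lock is taken here. It now also covers `shouldMigrateV1ToDevicePolicyEngine()` and `migrateV1PoliciesToDevicePolicyEngine()`, neither of which carries the `Locked` suffix. A one-line comment such as `// Hold the DPMS lock across the whole check-then-migrate sequence; the *Locked steps read and rewrite admin policy state.` would record that the `hasNonTestOnlyActiveAdmins()` check and the migration are meant to be atomic. Because the lock is now held for the entire migration, it is worth confirming that no migration step calls into another service that could take its own lock and call back; that cannot be judged from this hunk. The enclosing method starts outside the hunk.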
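Review bot: A failure while migrating user restrictions lands in the existing `catch (Exception e)` of this method and is only logged. The upgrade may then complete with restrictions such as the factory-reset block from the commit message still not enforced. `migrateUserRestrictionsLocked()`, added in the last hunk, throws `IllegalStateException("Invalid DO/PO state")` from inside its per-user loop, so one inconsistent user stops migration for every user after it. Consider catching and logging per user inside that loop so the remaining users are still migrated, and confirm that a failed run is not recorded as done so it is retried on the next boot. What this method returns and records on failure is outside the hunk.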
@@ -24053,6 +24075,42 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { }); } + private void migrateUserRestrictionsLocked() { + Binder.withCleanCallingIdentity(() -> { + List users = mUserManager.getUsers(); + for (UserInfo userInfo : users) { + ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(userInfo.id); + if (admin == null) continue; + ComponentName adminComponent = admin.info.getComponent(); + int userId = userInfo.id; + EnforcingAdmin enforcingAdmin = EnforcingAdmin.createEnterpriseEnforcingAdmin( + adminComponent, + userId, + admin); + int ownerType; + if (isDeviceOwner(admin)) { + ownerType = OWNER_TYPE_DEVICE_OWNER; + } else if (isProfileOwnerOfOrganizationOwnedDevice(adminComponent, userId)) { + ownerType = OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE; + } else if (isProfileOwner(adminComponent, userId)) { + ownerType = OWNER_TYPE_PROFILE_OWNER; + } else { + throw new IllegalStateException("Invalid DO/PO state"); + } + + for (final String restriction : admin.ensureUserRestrictions().keySet()) { + setBackwardCompatibleUserRestrictionLocked(ownerType, enforcingAdmin, userId, + restriction, /* enabled */ true, /* parent */ false); + } + for (final String restriction : admin.getParentActiveAdmin() + .ensureUserRestrictions().keySet()) { + setBackwardCompatibleUserRestrictionLocked(ownerType, enforcingAdmin, userId, + restriction, /* enabled */ true, /* parent */ true); + } + } + }); + } + private List getInstalledPackagesOnUser(int userId) { return mInjector.binderWithCleanCallingIdentity(() -> mContext.getPackageManager().getInstalledPackagesAsUser( -- cgit v1.2.3-59-g8ed1b
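Review bot: Both loops pass `/* enabled */ true` for every key in `ensureUserRestrictions().keySet()` without reading the stored value, so a key that is present but stored as false would be migrated as an active restriction. If the container is a `Bundle` that can hold false entries (not visible here), read the value instead, e.g. `boolean enabled = admin.ensureUserRestrictions().getBoolean(restriction);`, and pass `enabled`. The second loop calls `admin.getParentActiveAdmin()` for every owner, including device owners; confirm it cannot return null and that calling it has no unwanted side effect for admins that never had a parent instance. The method uses `Binder.withCleanCallingIdentity` where the surrounding code uses `mInjector.binderWithCleanCallingIdentity`. A short Javadoc stating that `getLockObject()` must be held would match the `Locked` suffix.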