Create DISALLOW_{ADD,REMOVE}_MANAGED_PROFILE user restrictions
Bug: 31952368
Test: runtest -c com.android.server.devicepolicy.DevicePolicyManagerTest frameworks-services
Test: runtest -c com.android.server.pm.UserManagerTest frameworks-services
Test: cts-tradefed run cts --module DevicePolicyManager --test com.android.cts.devicepolicy.UserRestrictionsTest
Change-Id: I240ab99c2409bbabffbc574bef202f2457026905
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index bac7a76..05228ec 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -2269,8 +2269,11 @@
private UserInfo createUserInternal(String name, int flags, int parentId,
String[] disallowedPackages) {
- if (hasUserRestriction(UserManager.DISALLOW_ADD_USER, UserHandle.getCallingUserId())) {
- Log.w(LOG_TAG, "Cannot add user. DISALLOW_ADD_USER is enabled.");
+ String restriction = ((flags & UserInfo.FLAG_MANAGED_PROFILE) != 0)
+ ? UserManager.DISALLOW_ADD_MANAGED_PROFILE
+ : UserManager.DISALLOW_ADD_USER;
+ if (hasUserRestriction(restriction, UserHandle.getCallingUserId())) {
+ Log.w(LOG_TAG, "Cannot add user. " + restriction + " is enabled.");
return null;
}
return createUserInternalUnchecked(name, flags, parentId, disallowedPackages);
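Review bot: The restriction chosen in `createUserInternal` is still looked up for `UserHandle.getCallingUserId()`, while a managed profile is attached to `parentId`. If the caller runs as a different user than `parentId`, a `DISALLOW_ADD_MANAGED_PROFILE` set on the parent would presumably not be consulted; whether that can happen depends on callers outside this hunk. If caller-based evaluation is intended, say so in a comment above the check, e.g. `// Restriction is evaluated for the calling user, not for parentId.` The same calling-user lookup is used in the `removeUser` hunk below. The method's closing brace is outside the hunk.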
@@ -2541,9 +2544,16 @@
public boolean removeUser(int userHandle) {
Slog.i(LOG_TAG, "removeUser u" + userHandle);
checkManageOrCreateUsersPermission("Only the system can remove users");
- if (getUserRestrictions(UserHandle.getCallingUserId()).getBoolean(
- UserManager.DISALLOW_REMOVE_USER, false)) {
- Log.w(LOG_TAG, "Cannot remove user. DISALLOW_REMOVE_USER is enabled.");
+
+ final boolean isManagedProfile;
+ synchronized (mUsersLock) {
+ UserInfo userInfo = getUserInfoLU(userHandle);
+ isManagedProfile = userInfo != null && userInfo.isManagedProfile();
+ }
+ String restriction = isManagedProfile
+ ? UserManager.DISALLOW_REMOVE_MANAGED_PROFILE : UserManager.DISALLOW_REMOVE_USER;
+ if (getUserRestrictions(UserHandle.getCallingUserId()).getBoolean(restriction, false)) {
+ Log.w(LOG_TAG, "Cannot remove user. " + restriction + " is enabled.");
return false;
}
return removeUserUnchecked(userHandle);
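Review bot: When `getUserInfoLU(userHandle)` returns null, `isManagedProfile` silently becomes false, so an unknown `userHandle` is gated by `DISALLOW_REMOVE_USER`. That fallback decides which restriction protects the removal path and is not stated anywhere in the new code. A one-line comment on the assignment would make it explicit, e.g. `// Unknown userHandle: treat as a regular user so DISALLOW_REMOVE_USER still applies.` The end of `removeUser` is outside the hunk, so how `removeUserUnchecked` handles a missing user cannot be confirmed from here.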
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index 7ec3c19..e91cce1 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -75,12 +75,14 @@
UserManager.DISALLOW_USB_FILE_TRANSFER,
UserManager.DISALLOW_CONFIG_CREDENTIALS,
UserManager.DISALLOW_REMOVE_USER,
+ UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
UserManager.DISALLOW_DEBUGGING_FEATURES,
UserManager.DISALLOW_CONFIG_VPN,
UserManager.DISALLOW_CONFIG_TETHERING,
UserManager.DISALLOW_NETWORK_RESET,
UserManager.DISALLOW_FACTORY_RESET,
UserManager.DISALLOW_ADD_USER,
+ UserManager.DISALLOW_ADD_MANAGED_PROFILE,
UserManager.ENSURE_VERIFY_APPS,
UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
@@ -124,6 +126,8 @@
UserManager.DISALLOW_NETWORK_RESET,
UserManager.DISALLOW_FACTORY_RESET,
UserManager.DISALLOW_ADD_USER,
+ UserManager.DISALLOW_ADD_MANAGED_PROFILE,
+ UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
@@ -155,6 +159,13 @@
);
/**
+ * User restrictions that default to {@code true} for device owners.
+ */
+ private static final Set<String> DEFAULT_ENABLED_FOR_DEVICE_OWNERS = Sets.newArraySet(
+ UserManager.DISALLOW_ADD_MANAGED_PROFILE
+ );
+
+ /**
* Throws {@link IllegalArgumentException} if the given restriction name is invalid.
*/
public static boolean isValidRestriction(@NonNull String restriction) {
@@ -249,6 +260,13 @@
}
/**
+ * Returns the user restrictions that default to {@code true} for device owners.
+ */
+ public static @NonNull Set<String> getDefaultEnabledForDeviceOwner() {
+ return DEFAULT_ENABLED_FOR_DEVICE_OWNERS;
+ }
+
+ /**
* Takes restrictions that can be set by device owner, and sort them into what should be applied
* globally and what should be applied only on the current user.
*/
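Review bot: `getDefaultEnabledForDeviceOwner()` returns the static `DEFAULT_ENABLED_FOR_DEVICE_OWNERS` instance itself, which the earlier hunk builds with `Sets.newArraySet(...)`. Assuming that factory returns an ordinary mutable set, any caller of this public method can add or remove entries and change the default restrictions for the whole process. Returning a read-only view avoids that: `return Collections.unmodifiableSet(DEFAULT_ENABLED_FOR_DEVICE_OWNERS);` (or wrap the set once at its declaration). The constant is named `..._DEVICE_OWNERS` and the getter `...DeviceOwner`; picking one form would also help.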