Merge "Device-wide unknown sources block option for DPC."
diff --git a/api/current.txt b/api/current.txt
index f6dad08..6ce400f 100755
--- a/api/current.txt
+++ b/api/current.txt
@@ -33734,6 +33734,7 @@
field public static final java.lang.String DISALLOW_FUN = "no_fun";
field public static final java.lang.String DISALLOW_INSTALL_APPS = "no_install_apps";
field public static final java.lang.String DISALLOW_INSTALL_UNKNOWN_SOURCES = "no_install_unknown_sources";
+ field public static final java.lang.String DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY = "no_install_unknown_sources_globally";
field public static final java.lang.String DISALLOW_MODIFY_ACCOUNTS = "no_modify_accounts";
field public static final java.lang.String DISALLOW_MOUNT_PHYSICAL_MEDIA = "no_physical_media";
field public static final java.lang.String DISALLOW_NETWORK_RESET = "no_network_reset";
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index fc67c10..1839263 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -7404,6 +7404,10 @@
* If any app targeting {@link android.os.Build.VERSION_CODES#O} or higher calls this method
* with {@link android.provider.Settings.Secure#INSTALL_NON_MARKET_APPS},
* an {@link UnsupportedOperationException} is thrown.
+ *
+ * Starting from Android Q, the device and profile owner can also call
+ * {@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY} to restrict unknown sources for
+ * all users.
* </strong>
*
* @param admin Which {@link DeviceAdminReceiver} this request is associated with.
diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index b0891050..1282170 100644
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -256,6 +256,7 @@
/**
* Specifies if a user is disallowed from enabling the
* "Unknown Sources" setting, that allows installation of apps from unknown sources.
+ * Unknown sources exclude adb and special apps such as trusted app stores.
* The default value is <code>false</code>.
*
* <p>Key for user restrictions.
@@ -267,6 +268,22 @@
public static final String DISALLOW_INSTALL_UNKNOWN_SOURCES = "no_install_unknown_sources";
/**
+ * This restriction is a device-wide version of {@link DISALLOW_INSTALL_UNKNOWN_SOURCES}.
+ *
+ * Specifies if all users on the device are disallowed from enabling the
+ * "Unknown Sources" setting, that allows installation of apps from unknown sources.
+ * The default value is <code>false</code>.
+ *
+ * <p>Key for user restrictions.
+ * <p>Type: Boolean
+ * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
+ * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
+ * @see #getUserRestrictions()
+ */
+ public static final String DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY =
+ "no_install_unknown_sources_globally";
+
+ /**
* Specifies if a user is disallowed from configuring bluetooth.
* This does <em>not</em> restrict the user from turning bluetooth on or off.
* The default value is <code>false</code>.
@@ -1669,8 +1686,9 @@
/**
* @hide
* Returns whether the given user has been disallowed from performing certain actions
- * or setting certain settings through UserManager. This method disregards restrictions
- * set by device policy.
+ * or setting certain settings through UserManager (e.g. this type of restriction would prevent
+ * the guest user from doing certain things, such as making calls). This method disregards
+ * restrictions set by device policy.
* @param restrictionKey the string key representing the restriction
* @param userHandle the UserHandle of the user for whom to retrieve the restrictions.
*/
diff --git a/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java b/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java
index 580308a..8c29a25 100644
--- a/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java
+++ b/packages/PackageInstaller/src/com/android/packageinstaller/PackageInstallerActivity.java
@@ -430,9 +430,14 @@
// Check for unknown sources restriction
final int unknownSourcesRestrictionSource = mUserManager.getUserRestrictionSource(
UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, Process.myUserHandle());
- if ((unknownSourcesRestrictionSource & UserManager.RESTRICTION_SOURCE_SYSTEM) != 0) {
+ final int unknownSourcesGlobalRestrictionSource = mUserManager.getUserRestrictionSource(
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, Process.myUserHandle());
+ final int systemRestriction = UserManager.RESTRICTION_SOURCE_SYSTEM
+ & (unknownSourcesRestrictionSource | unknownSourcesGlobalRestrictionSource);
+ if (systemRestriction != 0) {
showDialogInner(DLG_UNKNOWN_SOURCES_RESTRICTED_FOR_USER);
- } else if (unknownSourcesRestrictionSource != UserManager.RESTRICTION_NOT_SET) {
+ } else if (unknownSourcesRestrictionSource != UserManager.RESTRICTION_NOT_SET
+ || unknownSourcesGlobalRestrictionSource != UserManager.RESTRICTION_NOT_SET) {
startActivity(new Intent(Settings.ACTION_SHOW_ADMIN_SUPPORT_DETAILS));
finish();
} else {
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 3d193db..18ec9c3 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -870,7 +870,11 @@
}
}
if (newRestrictions.getBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)
- != prevRestrictions.getBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)) {
+ != prevRestrictions.getBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES) ||
+ newRestrictions.getBoolean(
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY)
+ != prevRestrictions.getBoolean(
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY)) {
final long identity = Binder.clearCallingIdentity();
try {
synchronized (mLock) {
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 296d7ae..329b1da 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -23099,7 +23099,9 @@
return false;
}
}
- if (sUserManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, userId)) {
+ if (sUserManager.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, userId)
+ || sUserManager.hasUserRestriction(
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, userId)) {
return false;
}
if (mExternalSourcesPolicy != null) {
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index 3f28ee6..1315502 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -16,10 +16,6 @@
package com.android.server.pm;
-import com.google.android.collect.Sets;
-
-import com.android.internal.util.Preconditions;
-
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.ActivityManager;
@@ -42,6 +38,10 @@
import android.util.Slog;
import android.util.SparseArray;
+import com.android.internal.util.Preconditions;
+
+import com.google.android.collect.Sets;
+
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlSerializer;
@@ -77,6 +77,7 @@
UserManager.DISALLOW_UNINSTALL_APPS,
UserManager.DISALLOW_SHARE_LOCATION,
UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY,
UserManager.DISALLOW_CONFIG_BLUETOOTH,
UserManager.DISALLOW_BLUETOOTH,
UserManager.DISALLOW_BLUETOOTH_SHARING,
@@ -211,7 +212,8 @@
*/
private static final Set<String> PROFILE_GLOBAL_RESTRICTIONS = Sets.newArraySet(
UserManager.ENSURE_VERIFY_APPS,
- UserManager.DISALLOW_AIRPLANE_MODE
+ UserManager.DISALLOW_AIRPLANE_MODE,
+ UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
);
/**
@@ -517,13 +519,18 @@
userId);
}
break;
+ case UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY:
+ setInstallMarketAppsRestriction(cr, userId, getNewUserRestrictionSetting(
+ context, userId, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
+ newValue));
+ break;
case UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES:
// Since Android O, the secure setting is not available to be changed by the
// user. Hence, when the restriction is cleared, we need to reset the state of
// the setting to its default value which is now 1.
- android.provider.Settings.Secure.putIntForUser(cr,
- android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS,
- newValue ? 0 : 1, userId);
+ setInstallMarketAppsRestriction(cr, userId, getNewUserRestrictionSetting(
+ context, userId, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY,
+ newValue));
break;
case UserManager.DISALLOW_RUN_IN_BACKGROUND:
if (newValue) {
@@ -813,4 +820,16 @@
}
return false;
}
+
+ private static void setInstallMarketAppsRestriction(ContentResolver cr, int userId,
+ int settingValue) {
+ android.provider.Settings.Secure.putIntForUser(
+ cr, android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS, settingValue, userId);
+ }
+
+ private static int getNewUserRestrictionSetting(Context context, int userId,
+ String userRestriction, boolean newValue) {
+ return (newValue || UserManager.get(context).hasUserRestriction(userRestriction,
+ UserHandle.of(userId))) ? 0 : 1;
+ }
}
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index e76afa3..eeb4ad3 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -10106,13 +10106,15 @@
if (setting.equals(Settings.Secure.INSTALL_NON_MARKET_APPS)) {
if (getTargetSdk(who.getPackageName(), callingUserId) >= Build.VERSION_CODES.O) {
throw new UnsupportedOperationException(Settings.Secure.INSTALL_NON_MARKET_APPS
- + " is deprecated. Please use the user restriction "
- + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES + " instead.");
+ + " is deprecated. Please use one of the user restrictions "
+ + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES + " or "
+ + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY + " instead.");
}
if (!mUserManager.isManagedProfile(callingUserId)) {
Slog.e(LOG_TAG, "Ignoring setSecureSetting request for "
+ setting + ". User restriction "
- + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES
+ + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES + " or "
+ + UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
+ " should be used instead.");
} else {
try {