Changed parameters in setDevicePolicyUserRestriction
In the new COPE mode, some user restrictions should be applied globally
when called by the Work Profile PO. This CL introduces a new @IntDef int
parameter, called admin, which can be either DEVICE_OWNER, PROFILE_OWNER or
PROFILE_OWNER_ORG_OWNED_DEVICE.
If admin is PROFILE_OWNER_ORG_OWNER_DEVICE then specific user restrictions
will be added to the global bundle instead of the local bundle.
This CL also removes the parameter cameraRestrictionScope and isDeviceOwner.
Bug: 138709470
Test: UserRestrictionsUtilsTest
DevicePolicyManagerTest
UserRestrictionsTest
Change-Id: Iaa0abbac47708d2d54bcf6c3df582414dff5a6c3
diff --git a/services/core/java/android/os/UserManagerInternal.java b/services/core/java/android/os/UserManagerInternal.java
index 9a7cb3f..a2e9341 100644
--- a/services/core/java/android/os/UserManagerInternal.java
+++ b/services/core/java/android/os/UserManagerInternal.java
@@ -15,6 +15,7 @@
*/
package android.os;
+import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.UserIdInt;
@@ -22,13 +23,24 @@
import android.content.pm.UserInfo;
import android.graphics.Bitmap;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
/**
* @hide Only for use within the system server.
*/
public abstract class UserManagerInternal {
- public static final int CAMERA_NOT_DISABLED = 0;
- public static final int CAMERA_DISABLED_LOCALLY = 1;
- public static final int CAMERA_DISABLED_GLOBALLY = 2;
+
+ public static final int OWNER_TYPE_DEVICE_OWNER = 0;
+ public static final int OWNER_TYPE_PROFILE_OWNER = 1;
+ public static final int OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
+ public static final int OWNER_TYPE_NO_OWNER = 3;
+
+ @Retention(RetentionPolicy.SOURCE)
+ @IntDef(value = {OWNER_TYPE_DEVICE_OWNER, OWNER_TYPE_PROFILE_OWNER,
+ OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE, OWNER_TYPE_NO_OWNER})
+ public @interface OwnerType {
+ }
public interface UserRestrictionsListener {
/**
@@ -47,13 +59,19 @@
*
* @param userId target user id for the local restrictions.
* @param restrictions a bundle of user restrictions.
- * @param isDeviceOwner whether {@code userId} corresponds to device owner user id.
- * @param cameraRestrictionScope is camera disabled and if so what is the scope of restriction.
- * Should be one of {@link #CAMERA_NOT_DISABLED}, {@link #CAMERA_DISABLED_LOCALLY} or
- * {@link #CAMERA_DISABLED_GLOBALLY}
+ * @param restrictionOwnerType determines which admin {@code userId} corresponds to.
+ * The admin can be either
+ * {@link UserManagerInternal#OWNER_TYPE_DEVICE_OWNER},
+ * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER},
+ * {@link UserManagerInternal#OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE}
+ * or {@link UserManagerInternal#OWNER_TYPE_NO_OWNER}.
+ * If the admin is a DEVICE_OWNER or a PROFILE_OWNER_ORG_OWNED_DEVICE then
+ * a restriction may be applied globally depending on which restriction it is,
+ * otherwise it will be applied just on the current user.
+ * @see OwnerType
*/
public abstract void setDevicePolicyUserRestrictions(int userId, @Nullable Bundle restrictions,
- boolean isDeviceOwner, int cameraRestrictionScope);
+ @OwnerType int restrictionOwnerType);
/**
* Returns the "base" user restrictions.
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 8144338..faff394 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -1634,13 +1634,14 @@
* See {@link UserManagerInternal#setDevicePolicyUserRestrictions}
*/
private void setDevicePolicyUserRestrictionsInner(@UserIdInt int userId,
- @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) {
+ @Nullable Bundle restrictions,
+ @UserManagerInternal.OwnerType int restrictionOwnerType) {
final Bundle global = new Bundle();
final Bundle local = new Bundle();
// Sort restrictions into local and global ensuring they don't overlap.
- UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, isDeviceOwner,
- cameraRestrictionScope, global, local);
+ UserRestrictionsUtils.sortToGlobalAndLocal(restrictions, restrictionOwnerType, global,
+ local);
boolean globalChanged, localChanged;
synchronized (mRestrictionsLock) {
@@ -1650,7 +1651,7 @@
localChanged = updateRestrictionsIfNeededLR(
userId, local, mDevicePolicyLocalUserRestrictions);
- if (isDeviceOwner) {
+ if (restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) {
// Remember the global restriction owner userId to be able to make a distinction
// in getUserRestrictionSource on who set local policies.
mDeviceOwnerUserId = userId;
@@ -4484,9 +4485,9 @@
private class LocalService extends UserManagerInternal {
@Override
public void setDevicePolicyUserRestrictions(@UserIdInt int userId,
- @Nullable Bundle restrictions, boolean isDeviceOwner, int cameraRestrictionScope) {
- UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId, restrictions,
- isDeviceOwner, cameraRestrictionScope);
+ @Nullable Bundle restrictions, @OwnerType int restrictionOwnerType) {
+ UserManagerService.this.setDevicePolicyUserRestrictionsInner(userId,
+ restrictions, restrictionOwnerType);
}
@Override
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index 3be51c5..f071c65 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -194,7 +194,18 @@
UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
UserManager.DISALLOW_RUN_IN_BACKGROUND,
UserManager.DISALLOW_UNMUTE_MICROPHONE,
- UserManager.DISALLOW_UNMUTE_DEVICE
+ UserManager.DISALLOW_UNMUTE_DEVICE,
+ UserManager.DISALLOW_CAMERA
+ );
+
+ /**
+ * Special user restrictions that are applied globally when set by the profile owner of a
+ * managed profile that was created during the device provisioning flow.
+ */
+ private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS =
+ Sets.newArraySet(
+ UserManager.DISALLOW_CONFIG_DATE_TIME,
+ UserManager.DISALLOW_CAMERA
);
/**
@@ -419,15 +430,9 @@
* Takes restrictions that can be set by device owner, and sort them into what should be applied
* globally and what should be applied only on the current user.
*/
- public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner,
- int cameraRestrictionScope,
- @NonNull Bundle global, @NonNull Bundle local) {
- // Camera restriction (as well as all others) goes to at most one bundle.
- if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) {
- global.putBoolean(UserManager.DISALLOW_CAMERA, true);
- } else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) {
- local.putBoolean(UserManager.DISALLOW_CAMERA, true);
- }
+ public static void sortToGlobalAndLocal(@Nullable Bundle in,
+ @UserManagerInternal.OwnerType int restrictionOwnerType, @NonNull Bundle global,
+ @NonNull Bundle local) {
if (in == null || in.size() == 0) {
return;
}
@@ -435,7 +440,7 @@
if (!in.getBoolean(key)) {
continue;
}
- if (isGlobal(isDeviceOwner, key)) {
+ if (isGlobal(restrictionOwnerType, key)) {
global.putBoolean(key, true);
} else {
local.putBoolean(key, true);
@@ -446,9 +451,13 @@
/**
* Whether given user restriction should be enforced globally.
*/
- private static boolean isGlobal(boolean isDeviceOwner, String key) {
- return (isDeviceOwner &&
- (PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)))
+ private static boolean isGlobal(@UserManagerInternal.OwnerType int restrictionOwnerType,
+ String key) {
+ return ((restrictionOwnerType == UserManagerInternal.OWNER_TYPE_DEVICE_OWNER) && (
+ PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)))
+ || ((restrictionOwnerType
+ == UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE)
+ && PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS.contains(key))
|| PROFILE_GLOBAL_RESTRICTIONS.contains(key)
|| DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key);
}