Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / c6ac29d34fcebf3d392dfb729f0085a87bceb6c9 / . / services / core / java / com / android / server / pm / UserRestrictionsUtils.java
blob: b6a094c8c04e73f8132fb8a1c6eb4dcf430417f9 [file] [log] [blame]
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server.pm;
18
19import com.google.android.collect.Sets;
20
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]21import com.android.internal.util.Preconditions;
22
23import android.annotation.NonNull;
24import android.annotation.Nullable;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]25import android.app.ActivityManager;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]26import android.content.ContentResolver;
27import android.content.Context;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]28import android.os.Binder;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]29import android.os.Bundle;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]30import android.os.RemoteException;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]31import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]32import android.os.UserManager;
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]33import android.os.UserManagerInternal;
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]34import android.telephony.SubscriptionInfo;
35import android.telephony.SubscriptionManager;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]36import android.util.Log;
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]37import android.util.Slog;
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]38import android.util.SparseArray;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]39
40import org.xmlpull.v1.XmlPullParser;
41import org.xmlpull.v1.XmlSerializer;
42
43import java.io.IOException;
44import java.io.PrintWriter;
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]45import java.util.List;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]46import java.util.Set;
47
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]48/**
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]49 * Utility methods for user restrictions.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]50 *
51 * <p>See {@link UserManagerService} for the method suffixes.
52 */
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]53public class UserRestrictionsUtils {
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]54 private static final String TAG = "UserRestrictionsUtils";
55
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]56 private UserRestrictionsUtils() {
57 }
58
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]59 private static Set<String> newSetWithUniqueCheck(String[] strings) {
60 final Set<String> ret = Sets.newArraySet(strings);
61
62 // Make sure there's no overlap.
63 Preconditions.checkState(ret.size() == strings.length);
64 return ret;
65 }
66
67 public static final Set<String> USER_RESTRICTIONS = newSetWithUniqueCheck(new String[] {
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]68 UserManager.DISALLOW_CONFIG_WIFI,
Christine Franks1bade5d2017-10-10 15:41:50 -0700[diff] [blame]69 UserManager.DISALLOW_CONFIG_LOCALE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]70 UserManager.DISALLOW_MODIFY_ACCOUNTS,
71 UserManager.DISALLOW_INSTALL_APPS,
72 UserManager.DISALLOW_UNINSTALL_APPS,
73 UserManager.DISALLOW_SHARE_LOCATION,
74 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
75 UserManager.DISALLOW_CONFIG_BLUETOOTH,
Lenka Trochtova63d5e4a72016-12-02 12:19:39 +0100[diff] [blame]76 UserManager.DISALLOW_BLUETOOTH,
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]77 UserManager.DISALLOW_BLUETOOTH_SHARING,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]78 UserManager.DISALLOW_USB_FILE_TRANSFER,
79 UserManager.DISALLOW_CONFIG_CREDENTIALS,
80 UserManager.DISALLOW_REMOVE_USER,
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]81 UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]82 UserManager.DISALLOW_DEBUGGING_FEATURES,
83 UserManager.DISALLOW_CONFIG_VPN,
yuemingwa9772f362017-10-23 18:34:35 +0100[diff] [blame]84 UserManager.DISALLOW_CONFIG_DATE_TIME,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]85 UserManager.DISALLOW_CONFIG_TETHERING,
86 UserManager.DISALLOW_NETWORK_RESET,
87 UserManager.DISALLOW_FACTORY_RESET,
88 UserManager.DISALLOW_ADD_USER,
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]89 UserManager.DISALLOW_ADD_MANAGED_PROFILE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]90 UserManager.ENSURE_VERIFY_APPS,
91 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
92 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
93 UserManager.DISALLOW_APPS_CONTROL,
94 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
95 UserManager.DISALLOW_UNMUTE_MICROPHONE,
96 UserManager.DISALLOW_ADJUST_VOLUME,
97 UserManager.DISALLOW_OUTGOING_CALLS,
98 UserManager.DISALLOW_SMS,
99 UserManager.DISALLOW_FUN,
100 UserManager.DISALLOW_CREATE_WINDOWS,
Charles He22ff6f9d2017-10-05 21:28:55 +0100[diff] [blame]101 UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]102 UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE,
103 UserManager.DISALLOW_OUTGOING_BEAM,
104 UserManager.DISALLOW_WALLPAPER,
105 UserManager.DISALLOW_SAFE_BOOT,
106 UserManager.ALLOW_PARENT_PROFILE_APP_LINKING,
107 UserManager.DISALLOW_RECORD_AUDIO,
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]108 UserManager.DISALLOW_CAMERA,
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]109 UserManager.DISALLOW_RUN_IN_BACKGROUND,
Oleksandr Peletskyi7f1f1df2016-01-18 15:40:21 +0100[diff] [blame]110 UserManager.DISALLOW_DATA_ROAMING,
Oleksandr Peletskyif2519812016-01-26 20:16:06 +0100[diff] [blame]111 UserManager.DISALLOW_SET_USER_ICON,
Mahaver Chopra3d9805d2016-07-07 16:25:05 +0100[diff] [blame]112 UserManager.DISALLOW_SET_WALLPAPER,
Tony Makc1205112016-07-22 16:02:59 +0100[diff] [blame]113 UserManager.DISALLOW_OEM_UNLOCK,
Esteban Talavera492b4722017-02-13 14:59:45 +0000[diff] [blame]114 UserManager.DISALLOW_UNMUTE_DEVICE,
Felipe Leme24d58932017-03-21 14:13:58 -0700[diff] [blame]115 UserManager.DISALLOW_AUTOFILL,
Pavel Grafovc4f87e92017-10-26 16:34:25 +0100[diff] [blame]116 UserManager.DISALLOW_USER_SWITCH,
117 UserManager.DISALLOW_UNIFIED_PASSWORD,
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]118 UserManager.DISALLOW_CONFIG_LOCATION_MODE,
yuemingwc6ac29d2018-01-10 16:54:08 +0000[diff] [blame^]119 UserManager.DISALLOW_AIRPLANE_MODE,
120 UserManager.DISALLOW_CONFIG_BRIGHTNESS
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]121 });
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]122
123 /**
124 * Set of user restriction which we don't want to persist.
125 */
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]126 private static final Set<String> NON_PERSIST_USER_RESTRICTIONS = Sets.newArraySet(
127 UserManager.DISALLOW_RECORD_AUDIO
128 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]129
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]130 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]131 * User restrictions that cannot be set by profile owners of secondary users. When set by DO
132 * they will be applied to all users.
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]133 */
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]134 private static final Set<String> PRIMARY_USER_ONLY_RESTRICTIONS = Sets.newArraySet(
Lenka Trochtova63d5e4a72016-12-02 12:19:39 +0100[diff] [blame]135 UserManager.DISALLOW_BLUETOOTH,
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]136 UserManager.DISALLOW_USB_FILE_TRANSFER,
137 UserManager.DISALLOW_CONFIG_TETHERING,
138 UserManager.DISALLOW_NETWORK_RESET,
139 UserManager.DISALLOW_FACTORY_RESET,
140 UserManager.DISALLOW_ADD_USER,
141 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
142 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
143 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
144 UserManager.DISALLOW_SMS,
145 UserManager.DISALLOW_FUN,
146 UserManager.DISALLOW_SAFE_BOOT,
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]147 UserManager.DISALLOW_CREATE_WINDOWS,
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]148 UserManager.DISALLOW_DATA_ROAMING,
149 UserManager.DISALLOW_AIRPLANE_MODE
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]150 );
151
152 /**
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]153 * User restrictions that cannot be set by profile owners. Applied to all users.
154 */
155 private static final Set<String> DEVICE_OWNER_ONLY_RESTRICTIONS = Sets.newArraySet(
156 UserManager.DISALLOW_USER_SWITCH
157 );
158
159 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]160 * User restrictions that can't be changed by device owner or profile owner.
161 */
162 private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet(
163 UserManager.DISALLOW_RECORD_AUDIO,
Mahaver Chopra3d9805d2016-07-07 16:25:05 +0100[diff] [blame]164 UserManager.DISALLOW_WALLPAPER,
165 UserManager.DISALLOW_OEM_UNLOCK
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]166 );
167
168 /**
169 * Special user restrictions that can be applied to a user as well as to all users globally,
170 * depending on callers. When device owner sets them, they'll be applied to all users.
171 */
172 private static final Set<String> GLOBAL_RESTRICTIONS = Sets.newArraySet(
173 UserManager.DISALLOW_ADJUST_VOLUME,
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]174 UserManager.DISALLOW_BLUETOOTH_SHARING,
yuemingwa9772f362017-10-23 18:34:35 +0100[diff] [blame]175 UserManager.DISALLOW_CONFIG_DATE_TIME,
Charles He22ff6f9d2017-10-05 21:28:55 +0100[diff] [blame]176 UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]177 UserManager.DISALLOW_RUN_IN_BACKGROUND,
Tony Makc1205112016-07-22 16:02:59 +0100[diff] [blame]178 UserManager.DISALLOW_UNMUTE_MICROPHONE,
Esteban Talavera492b4722017-02-13 14:59:45 +0000[diff] [blame]179 UserManager.DISALLOW_UNMUTE_DEVICE
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]180 );
181
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]182 /**
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]183 * User restrictions that default to {@code true} for device owners.
184 */
185 private static final Set<String> DEFAULT_ENABLED_FOR_DEVICE_OWNERS = Sets.newArraySet(
186 UserManager.DISALLOW_ADD_MANAGED_PROFILE
187 );
188
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]189 /**
190 * User restrictions that default to {@code true} for managed profile owners.
191 *
192 * NB: {@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES} is also set by default but it is
193 * not set to existing profile owners unless they used to have INSTALL_NON_MARKET_APPS disabled
194 * in settings. So it is handled separately.
195 */
196 private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(
197 UserManager.DISALLOW_BLUETOOTH_SHARING
198 );
199
Pavel Grafovc4f87e92017-10-26 16:34:25 +0100[diff] [blame]200 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]201 * Special user restrictions that are always applied to all users no matter who sets them.
202 */
203 private static final Set<String> PROFILE_GLOBAL_RESTRICTIONS = Sets.newArraySet(
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]204 UserManager.ENSURE_VERIFY_APPS,
205 UserManager.DISALLOW_AIRPLANE_MODE
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]206 );
207
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]208 /**
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]209 * Throws {@link IllegalArgumentException} if the given restriction name is invalid.
210 */
211 public static boolean isValidRestriction(@NonNull String restriction) {
212 if (!USER_RESTRICTIONS.contains(restriction)) {
Makoto Onukiad5619d2016-02-10 13:41:15 -0800[diff] [blame]213 Slog.e(TAG, "Unknown restriction: " + restriction);
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]214 return false;
215 }
216 return true;
217 }
218
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]219 public static void writeRestrictions(@NonNull XmlSerializer serializer,
220 @Nullable Bundle restrictions, @NonNull String tag) throws IOException {
221 if (restrictions == null) {
222 return;
223 }
224
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]225 serializer.startTag(null, tag);
Makoto Onukiac65e1e2015-11-20 15:33:17 -0800[diff] [blame]226 for (String key : restrictions.keySet()) {
227 if (NON_PERSIST_USER_RESTRICTIONS.contains(key)) {
228 continue; // Don't persist.
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]229 }
Makoto Onukiac65e1e2015-11-20 15:33:17 -0800[diff] [blame]230 if (USER_RESTRICTIONS.contains(key)) {
231 if (restrictions.getBoolean(key)) {
232 serializer.attribute(null, key, "true");
233 }
234 continue;
235 }
236 Log.w(TAG, "Unknown user restriction detected: " + key);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]237 }
238 serializer.endTag(null, tag);
239 }
240
Esteban Talaverac48b20f2016-08-11 11:23:40 +0100[diff] [blame]241 public static void readRestrictions(XmlPullParser parser, Bundle restrictions) {
Fyodor Kupoloveafee022017-03-15 17:09:04 -0700[diff] [blame]242 restrictions.clear();
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]243 for (String key : USER_RESTRICTIONS) {
244 final String value = parser.getAttributeValue(null, key);
245 if (value != null) {
246 restrictions.putBoolean(key, Boolean.parseBoolean(value));
247 }
248 }
249 }
250
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]251 public static Bundle readRestrictions(XmlPullParser parser) {
252 final Bundle result = new Bundle();
253 readRestrictions(parser, result);
254 return result;
255 }
256
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]257 /**
258 * @return {@code in} itself when it's not null, or an empty bundle (which can writable).
259 */
260 public static Bundle nonNull(@Nullable Bundle in) {
261 return in != null ? in : new Bundle();
262 }
263
264 public static boolean isEmpty(@Nullable Bundle in) {
265 return (in == null) || (in.size() == 0);
266 }
267
268 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]269 * Returns {@code true} if given bundle is not null and contains {@code true} for a given
270 * restriction.
271 */
272 public static boolean contains(@Nullable Bundle in, String restriction) {
273 return in != null && in.getBoolean(restriction);
274 }
275
276 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]277 * Creates a copy of the {@code in} Bundle. If {@code in} is null, it'll return an empty
278 * bundle.
279 *
280 * <p>The resulting {@link Bundle} is always writable. (i.e. it won't return
281 * {@link Bundle#EMPTY})
282 */
283 public static @NonNull Bundle clone(@Nullable Bundle in) {
284 return (in != null) ? new Bundle(in) : new Bundle();
285 }
286
287 public static void merge(@NonNull Bundle dest, @Nullable Bundle in) {
288 Preconditions.checkNotNull(dest);
289 Preconditions.checkArgument(dest != in);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]290 if (in == null) {
291 return;
292 }
293 for (String key : in.keySet()) {
294 if (in.getBoolean(key, false)) {
295 dest.putBoolean(key, true);
296 }
297 }
298 }
299
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]300 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]301 * Merges a sparse array of restrictions bundles into one.
302 */
303 @Nullable
304 public static Bundle mergeAll(SparseArray<Bundle> restrictions) {
305 if (restrictions.size() == 0) {
306 return null;
307 } else {
308 final Bundle result = new Bundle();
309 for (int i = 0; i < restrictions.size(); i++) {
310 merge(result, restrictions.valueAt(i));
311 }
312 return result;
313 }
314 }
315
316 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]317 * @return true if a restriction is settable by device owner.
318 */
319 public static boolean canDeviceOwnerChange(String restriction) {
320 return !IMMUTABLE_BY_OWNERS.contains(restriction);
321 }
322
323 /**
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]324 * @return true if a restriction is settable by profile owner. Note it takes a user ID because
325 * some restrictions can be changed by PO only when it's running on the system user.
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]326 */
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]327 public static boolean canProfileOwnerChange(String restriction, int userId) {
328 return !IMMUTABLE_BY_OWNERS.contains(restriction)
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]329 && !DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]330 && !(userId != UserHandle.USER_SYSTEM
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]331 && PRIMARY_USER_ONLY_RESTRICTIONS.contains(restriction));
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]332 }
333
334 /**
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]335 * Returns the user restrictions that default to {@code true} for device owners.
Nicolas Prevot2ea46fe2017-01-05 10:29:34 +0000[diff] [blame]336 * These user restrictions are local, though. ie only for the device owner's user id.
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]337 */
338 public static @NonNull Set<String> getDefaultEnabledForDeviceOwner() {
339 return DEFAULT_ENABLED_FOR_DEVICE_OWNERS;
340 }
341
342 /**
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]343 * Returns the user restrictions that default to {@code true} for managed profile owners.
344 */
345 public static @NonNull Set<String> getDefaultEnabledForManagedProfiles() {
346 return DEFAULT_ENABLED_FOR_MANAGED_PROFILES;
347 }
348
349 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]350 * Takes restrictions that can be set by device owner, and sort them into what should be applied
351 * globally and what should be applied only on the current user.
352 */
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]353 public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner,
354 int cameraRestrictionScope,
355 @NonNull Bundle global, @NonNull Bundle local) {
356 // Camera restriction (as well as all others) goes to at most one bundle.
357 if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) {
358 global.putBoolean(UserManager.DISALLOW_CAMERA, true);
359 } else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) {
360 local.putBoolean(UserManager.DISALLOW_CAMERA, true);
361 }
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]362 if (in == null || in.size() == 0) {
363 return;
364 }
365 for (String key : in.keySet()) {
366 if (!in.getBoolean(key)) {
367 continue;
368 }
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]369 if (isGlobal(isDeviceOwner, key)) {
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]370 global.putBoolean(key, true);
371 } else {
372 local.putBoolean(key, true);
373 }
374 }
375 }
376
377 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]378 * Whether given user restriction should be enforced globally.
379 */
380 private static boolean isGlobal(boolean isDeviceOwner, String key) {
381 return (isDeviceOwner &&
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]382 (PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)))
383 || PROFILE_GLOBAL_RESTRICTIONS.contains(key)
384 || DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key);
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]385 }
386
387 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]388 * @return true if two Bundles contain the same user restriction.
389 * A null bundle and an empty bundle are considered to be equal.
390 */
391 public static boolean areEqual(@Nullable Bundle a, @Nullable Bundle b) {
392 if (a == b) {
393 return true;
394 }
395 if (isEmpty(a)) {
396 return isEmpty(b);
397 }
398 if (isEmpty(b)) {
399 return false;
400 }
401 for (String key : a.keySet()) {
402 if (a.getBoolean(key) != b.getBoolean(key)) {
403 return false;
404 }
405 }
406 for (String key : b.keySet()) {
407 if (a.getBoolean(key) != b.getBoolean(key)) {
408 return false;
409 }
410 }
411 return true;
412 }
413
414 /**
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]415 * Takes a new use restriction set and the previous set, and apply the restrictions that have
416 * changed.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]417 *
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]418 * <p>Note this method is called by {@link UserManagerService} without holding any locks.
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]419 */
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]420 public static void applyUserRestrictions(Context context, int userId,
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]421 Bundle newRestrictions, Bundle prevRestrictions) {
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]422 for (String key : USER_RESTRICTIONS) {
423 final boolean newValue = newRestrictions.getBoolean(key);
424 final boolean prevValue = prevRestrictions.getBoolean(key);
425
426 if (newValue != prevValue) {
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]427 applyUserRestriction(context, userId, key, newValue);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]428 }
429 }
430 }
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]431
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]432 /**
433 * Apply each user restriction.
434 *
Makoto Onuki28da2e32015-11-20 11:30:44 -0800[diff] [blame]435 * <p>See also {@link
436 * com.android.providers.settings.SettingsProvider#isGlobalOrSecureSettingRestrictedForUser},
437 * which should be in sync with this method.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]438 */
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]439 private static void applyUserRestriction(Context context, int userId, String key,
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]440 boolean newValue) {
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]441 if (UserManagerService.DBG) {
442 Log.d(TAG, "Applying user restriction: userId=" + userId
443 + " key=" + key + " value=" + newValue);
444 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]445 // When certain restrictions are cleared, we don't update the system settings,
446 // because these settings are changeable on the Settings UI and we don't know the original
447 // value -- for example LOCATION_MODE might have been off already when the restriction was
448 // set, and in that case even if the restriction is lifted, changing it to ON would be
449 // wrong. So just don't do anything in such a case. If the user hopes to enable location
450 // later, they can do it on the Settings UI.
Benjamin Franz0ff13fc2016-07-12 13:42:21 +0100[diff] [blame]451 // WARNING: Remember that Settings.Global and Settings.Secure are changeable via adb.
452 // To prevent this from happening for a given user restriction, you have to add a check to
453 // SettingsProvider.isGlobalOrSecureSettingRestrictedForUser.
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]454
455 final ContentResolver cr = context.getContentResolver();
456 final long id = Binder.clearCallingIdentity();
457 try {
458 switch (key) {
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]459 case UserManager.DISALLOW_DATA_ROAMING:
460 if (newValue) {
461 // DISALLOW_DATA_ROAMING user restriction is set.
462
463 // Multi sim device.
Jeff Sharkey717f52f2018-01-04 16:04:11 -0700[diff] [blame]464 SubscriptionManager subscriptionManager = context
465 .getSystemService(SubscriptionManager.class);
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]466 final List<SubscriptionInfo> subscriptionInfoList =
467 subscriptionManager.getActiveSubscriptionInfoList();
468 if (subscriptionInfoList != null) {
469 for (SubscriptionInfo subInfo : subscriptionInfoList) {
470 android.provider.Settings.Global.putStringForUser(cr,
471 android.provider.Settings.Global.DATA_ROAMING
472 + subInfo.getSubscriptionId(), "0", userId);
473 }
474 }
475
476 // Single sim device.
477 android.provider.Settings.Global.putStringForUser(cr,
478 android.provider.Settings.Global.DATA_ROAMING, "0", userId);
479 }
480 break;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]481 case UserManager.DISALLOW_SHARE_LOCATION:
482 if (newValue) {
483 android.provider.Settings.Secure.putIntForUser(cr,
484 android.provider.Settings.Secure.LOCATION_MODE,
485 android.provider.Settings.Secure.LOCATION_MODE_OFF,
486 userId);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]487 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]488 break;
489 case UserManager.DISALLOW_DEBUGGING_FEATURES:
490 if (newValue) {
491 // Only disable adb if changing for system user, since it is global
492 // TODO: should this be admin user?
493 if (userId == UserHandle.USER_SYSTEM) {
494 android.provider.Settings.Global.putStringForUser(cr,
495 android.provider.Settings.Global.ADB_ENABLED, "0",
496 userId);
497 }
498 }
499 break;
500 case UserManager.ENSURE_VERIFY_APPS:
501 if (newValue) {
502 android.provider.Settings.Global.putStringForUser(
503 context.getContentResolver(),
504 android.provider.Settings.Global.PACKAGE_VERIFIER_ENABLE, "1",
505 userId);
506 android.provider.Settings.Global.putStringForUser(
507 context.getContentResolver(),
508 android.provider.Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, "1",
509 userId);
510 }
511 break;
512 case UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES:
Suprabh Shuklae3745ee2017-02-02 20:01:11 -0800[diff] [blame]513 // Since Android O, the secure setting is not available to be changed by the
514 // user. Hence, when the restriction is cleared, we need to reset the state of
515 // the setting to its default value which is now 1.
516 android.provider.Settings.Secure.putIntForUser(cr,
517 android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS,
518 newValue ? 0 : 1, userId);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]519 break;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]520 case UserManager.DISALLOW_RUN_IN_BACKGROUND:
521 if (newValue) {
522 int currentUser = ActivityManager.getCurrentUser();
523 if (currentUser != userId && userId != UserHandle.USER_SYSTEM) {
524 try {
Sudheer Shankadc589ac2016-11-10 15:30:17 -0800[diff] [blame]525 ActivityManager.getService().stopUser(userId, false, null);
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]526 } catch (RemoteException e) {
527 throw e.rethrowAsRuntimeException();
528 }
529 }
530 }
Lenka Trochtova6474f0e2016-03-24 16:43:10 +0100[diff] [blame]531 break;
532 case UserManager.DISALLOW_SAFE_BOOT:
533 // Unlike with the other restrictions, we want to propagate the new value to
534 // the system settings even if it is false. The other restrictions modify
535 // settings which could be manually changed by the user from the Settings app
536 // after the policies enforcing these restrictions have been revoked, so we
537 // leave re-setting of those settings to the user.
538 android.provider.Settings.Global.putInt(
539 context.getContentResolver(),
540 android.provider.Settings.Global.SAFE_BOOT_DISALLOWED,
541 newValue ? 1 : 0);
542 break;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]543 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]544 } finally {
545 Binder.restoreCallingIdentity(id);
546 }
547 }
548
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]549 public static void dumpRestrictions(PrintWriter pw, String prefix, Bundle restrictions) {
550 boolean noneSet = true;
551 if (restrictions != null) {
552 for (String key : restrictions.keySet()) {
553 if (restrictions.getBoolean(key, false)) {
554 pw.println(prefix + key);
555 noneSet = false;
556 }
557 }
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]558 if (noneSet) {
559 pw.println(prefix + "none");
560 }
561 } else {
562 pw.println(prefix + "null");
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]563 }
564 }
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]565
566 /**
567 * Moves a particular restriction from one array of bundles to another, e.g. for all users.
568 */
569 public static void moveRestriction(String restrictionKey, SparseArray<Bundle> srcRestrictions,
570 SparseArray<Bundle> destRestrictions) {
571 for (int i = 0; i < srcRestrictions.size(); i++) {
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]572 final int key = srcRestrictions.keyAt(i);
573 final Bundle from = srcRestrictions.valueAt(i);
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]574 if (contains(from, restrictionKey)) {
575 from.remove(restrictionKey);
576 Bundle to = destRestrictions.get(key);
577 if (to == null) {
578 to = new Bundle();
579 destRestrictions.append(key, to);
580 }
581 to.putBoolean(restrictionKey, true);
582 // Don't keep empty bundles.
583 if (from.isEmpty()) {
584 srcRestrictions.removeAt(i);
585 i--;
586 }
587 }
588 }
589 }
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]590
591 /**
592 * Returns whether restrictions differ between two bundles.
593 * @param oldRestrictions old bundle of restrictions.
594 * @param newRestrictions new bundle of restrictions
595 * @param restrictions restrictions of interest, if empty, all restrictions are checked.
596 */
597 public static boolean restrictionsChanged(Bundle oldRestrictions, Bundle newRestrictions,
598 String... restrictions) {
599 if (restrictions.length == 0) {
600 return areEqual(oldRestrictions, newRestrictions);
601 }
602 for (final String restriction : restrictions) {
603 if (oldRestrictions.getBoolean(restriction, false) !=
604 newRestrictions.getBoolean(restriction, false)) {
605 return true;
606 }
607 }
608 return false;
609 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]610}