Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / cc391c2c13b30c494908309659509f8426af48ea / . / services / core / java / com / android / server / pm / UserRestrictionsUtils.java
blob: 6964e9db464f382e29aab00716362cb4926096ee [file] [log] [blame]
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server.pm;
18
19import com.google.android.collect.Sets;
20
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]21import com.android.internal.util.Preconditions;
22
23import android.annotation.NonNull;
24import android.annotation.Nullable;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]25import android.app.ActivityManager;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]26import android.content.ContentResolver;
27import android.content.Context;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]28import android.os.Binder;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]29import android.os.Bundle;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]30import android.os.RemoteException;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]31import android.os.UserHandle;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]32import android.os.UserManager;
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]33import android.os.UserManagerInternal;
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]34import android.telephony.SubscriptionInfo;
35import android.telephony.SubscriptionManager;
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]36import android.util.Log;
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]37import android.util.Slog;
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]38import android.util.SparseArray;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]39
40import org.xmlpull.v1.XmlPullParser;
41import org.xmlpull.v1.XmlSerializer;
42
43import java.io.IOException;
44import java.io.PrintWriter;
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]45import java.util.List;
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]46import java.util.Set;
47
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]48/**
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]49 * Utility methods for user restrictions.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]50 *
51 * <p>See {@link UserManagerService} for the method suffixes.
52 */
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]53public class UserRestrictionsUtils {
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]54 private static final String TAG = "UserRestrictionsUtils";
55
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]56 private UserRestrictionsUtils() {
57 }
58
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]59 private static Set<String> newSetWithUniqueCheck(String[] strings) {
60 final Set<String> ret = Sets.newArraySet(strings);
61
62 // Make sure there's no overlap.
63 Preconditions.checkState(ret.size() == strings.length);
64 return ret;
65 }
66
67 public static final Set<String> USER_RESTRICTIONS = newSetWithUniqueCheck(new String[] {
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]68 UserManager.DISALLOW_CONFIG_WIFI,
Christine Franks1bade5d2017-10-10 15:41:50 -0700[diff] [blame]69 UserManager.DISALLOW_CONFIG_LOCALE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]70 UserManager.DISALLOW_MODIFY_ACCOUNTS,
71 UserManager.DISALLOW_INSTALL_APPS,
72 UserManager.DISALLOW_UNINSTALL_APPS,
73 UserManager.DISALLOW_SHARE_LOCATION,
74 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
75 UserManager.DISALLOW_CONFIG_BLUETOOTH,
Lenka Trochtova63d5e4a72016-12-02 12:19:39 +0100[diff] [blame]76 UserManager.DISALLOW_BLUETOOTH,
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]77 UserManager.DISALLOW_BLUETOOTH_SHARING,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]78 UserManager.DISALLOW_USB_FILE_TRANSFER,
79 UserManager.DISALLOW_CONFIG_CREDENTIALS,
80 UserManager.DISALLOW_REMOVE_USER,
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]81 UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]82 UserManager.DISALLOW_DEBUGGING_FEATURES,
83 UserManager.DISALLOW_CONFIG_VPN,
yuemingwa9772f362017-10-23 18:34:35 +0100[diff] [blame]84 UserManager.DISALLOW_CONFIG_DATE_TIME,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]85 UserManager.DISALLOW_CONFIG_TETHERING,
86 UserManager.DISALLOW_NETWORK_RESET,
87 UserManager.DISALLOW_FACTORY_RESET,
88 UserManager.DISALLOW_ADD_USER,
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]89 UserManager.DISALLOW_ADD_MANAGED_PROFILE,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]90 UserManager.ENSURE_VERIFY_APPS,
91 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
92 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
93 UserManager.DISALLOW_APPS_CONTROL,
94 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
95 UserManager.DISALLOW_UNMUTE_MICROPHONE,
96 UserManager.DISALLOW_ADJUST_VOLUME,
97 UserManager.DISALLOW_OUTGOING_CALLS,
98 UserManager.DISALLOW_SMS,
99 UserManager.DISALLOW_FUN,
100 UserManager.DISALLOW_CREATE_WINDOWS,
Charles He22ff6f9d2017-10-05 21:28:55 +0100[diff] [blame]101 UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]102 UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE,
103 UserManager.DISALLOW_OUTGOING_BEAM,
104 UserManager.DISALLOW_WALLPAPER,
105 UserManager.DISALLOW_SAFE_BOOT,
106 UserManager.ALLOW_PARENT_PROFILE_APP_LINKING,
107 UserManager.DISALLOW_RECORD_AUDIO,
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]108 UserManager.DISALLOW_CAMERA,
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]109 UserManager.DISALLOW_RUN_IN_BACKGROUND,
Oleksandr Peletskyi7f1f1df2016-01-18 15:40:21 +0100[diff] [blame]110 UserManager.DISALLOW_DATA_ROAMING,
Oleksandr Peletskyif2519812016-01-26 20:16:06 +0100[diff] [blame]111 UserManager.DISALLOW_SET_USER_ICON,
Mahaver Chopra3d9805d2016-07-07 16:25:05 +0100[diff] [blame]112 UserManager.DISALLOW_SET_WALLPAPER,
Tony Makc1205112016-07-22 16:02:59 +0100[diff] [blame]113 UserManager.DISALLOW_OEM_UNLOCK,
Esteban Talavera492b4722017-02-13 14:59:45 +0000[diff] [blame]114 UserManager.DISALLOW_UNMUTE_DEVICE,
Felipe Leme24d58932017-03-21 14:13:58 -0700[diff] [blame]115 UserManager.DISALLOW_AUTOFILL,
Pavel Grafovc4f87e92017-10-26 16:34:25 +0100[diff] [blame]116 UserManager.DISALLOW_USER_SWITCH,
117 UserManager.DISALLOW_UNIFIED_PASSWORD,
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]118 UserManager.DISALLOW_CONFIG_LOCATION_MODE,
yuemingwc6ac29d2018-01-10 16:54:08 +0000[diff] [blame]119 UserManager.DISALLOW_AIRPLANE_MODE,
Rubin Xucc391c22018-01-02 20:37:35 +0000[diff] [blame^]120 UserManager.DISALLOW_CONFIG_BRIGHTNESS,
121 UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE,
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]122 });
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]123
124 /**
125 * Set of user restriction which we don't want to persist.
126 */
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]127 private static final Set<String> NON_PERSIST_USER_RESTRICTIONS = Sets.newArraySet(
128 UserManager.DISALLOW_RECORD_AUDIO
129 );
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]130
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]131 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]132 * User restrictions that cannot be set by profile owners of secondary users. When set by DO
133 * they will be applied to all users.
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]134 */
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]135 private static final Set<String> PRIMARY_USER_ONLY_RESTRICTIONS = Sets.newArraySet(
Lenka Trochtova63d5e4a72016-12-02 12:19:39 +0100[diff] [blame]136 UserManager.DISALLOW_BLUETOOTH,
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]137 UserManager.DISALLOW_USB_FILE_TRANSFER,
138 UserManager.DISALLOW_CONFIG_TETHERING,
139 UserManager.DISALLOW_NETWORK_RESET,
140 UserManager.DISALLOW_FACTORY_RESET,
141 UserManager.DISALLOW_ADD_USER,
142 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
143 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
144 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
145 UserManager.DISALLOW_SMS,
146 UserManager.DISALLOW_FUN,
147 UserManager.DISALLOW_SAFE_BOOT,
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]148 UserManager.DISALLOW_CREATE_WINDOWS,
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]149 UserManager.DISALLOW_DATA_ROAMING,
150 UserManager.DISALLOW_AIRPLANE_MODE
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]151 );
152
153 /**
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]154 * User restrictions that cannot be set by profile owners. Applied to all users.
155 */
156 private static final Set<String> DEVICE_OWNER_ONLY_RESTRICTIONS = Sets.newArraySet(
157 UserManager.DISALLOW_USER_SWITCH
158 );
159
160 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]161 * User restrictions that can't be changed by device owner or profile owner.
162 */
163 private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet(
164 UserManager.DISALLOW_RECORD_AUDIO,
Mahaver Chopra3d9805d2016-07-07 16:25:05 +0100[diff] [blame]165 UserManager.DISALLOW_WALLPAPER,
166 UserManager.DISALLOW_OEM_UNLOCK
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]167 );
168
169 /**
170 * Special user restrictions that can be applied to a user as well as to all users globally,
171 * depending on callers. When device owner sets them, they'll be applied to all users.
172 */
173 private static final Set<String> GLOBAL_RESTRICTIONS = Sets.newArraySet(
174 UserManager.DISALLOW_ADJUST_VOLUME,
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]175 UserManager.DISALLOW_BLUETOOTH_SHARING,
yuemingwa9772f362017-10-23 18:34:35 +0100[diff] [blame]176 UserManager.DISALLOW_CONFIG_DATE_TIME,
Charles He22ff6f9d2017-10-05 21:28:55 +0100[diff] [blame]177 UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS,
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]178 UserManager.DISALLOW_RUN_IN_BACKGROUND,
Tony Makc1205112016-07-22 16:02:59 +0100[diff] [blame]179 UserManager.DISALLOW_UNMUTE_MICROPHONE,
Esteban Talavera492b4722017-02-13 14:59:45 +0000[diff] [blame]180 UserManager.DISALLOW_UNMUTE_DEVICE
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]181 );
182
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]183 /**
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]184 * User restrictions that default to {@code true} for device owners.
185 */
186 private static final Set<String> DEFAULT_ENABLED_FOR_DEVICE_OWNERS = Sets.newArraySet(
187 UserManager.DISALLOW_ADD_MANAGED_PROFILE
188 );
189
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]190 /**
191 * User restrictions that default to {@code true} for managed profile owners.
192 *
193 * NB: {@link UserManager#DISALLOW_INSTALL_UNKNOWN_SOURCES} is also set by default but it is
194 * not set to existing profile owners unless they used to have INSTALL_NON_MARKET_APPS disabled
195 * in settings. So it is handled separately.
196 */
197 private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet(
198 UserManager.DISALLOW_BLUETOOTH_SHARING
199 );
200
Pavel Grafovc4f87e92017-10-26 16:34:25 +0100[diff] [blame]201 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]202 * Special user restrictions that are always applied to all users no matter who sets them.
203 */
204 private static final Set<String> PROFILE_GLOBAL_RESTRICTIONS = Sets.newArraySet(
yuemingw5fe75dc2017-11-29 15:52:56 +0000[diff] [blame]205 UserManager.ENSURE_VERIFY_APPS,
206 UserManager.DISALLOW_AIRPLANE_MODE
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]207 );
208
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]209 /**
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]210 * Throws {@link IllegalArgumentException} if the given restriction name is invalid.
211 */
212 public static boolean isValidRestriction(@NonNull String restriction) {
213 if (!USER_RESTRICTIONS.contains(restriction)) {
Makoto Onukiad5619d2016-02-10 13:41:15 -0800[diff] [blame]214 Slog.e(TAG, "Unknown restriction: " + restriction);
Makoto Onuki1f1ceef2016-01-28 11:32:32 -0800[diff] [blame]215 return false;
216 }
217 return true;
218 }
219
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]220 public static void writeRestrictions(@NonNull XmlSerializer serializer,
221 @Nullable Bundle restrictions, @NonNull String tag) throws IOException {
222 if (restrictions == null) {
223 return;
224 }
225
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]226 serializer.startTag(null, tag);
Makoto Onukiac65e1e2015-11-20 15:33:17 -0800[diff] [blame]227 for (String key : restrictions.keySet()) {
228 if (NON_PERSIST_USER_RESTRICTIONS.contains(key)) {
229 continue; // Don't persist.
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]230 }
Makoto Onukiac65e1e2015-11-20 15:33:17 -0800[diff] [blame]231 if (USER_RESTRICTIONS.contains(key)) {
232 if (restrictions.getBoolean(key)) {
233 serializer.attribute(null, key, "true");
234 }
235 continue;
236 }
237 Log.w(TAG, "Unknown user restriction detected: " + key);
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]238 }
239 serializer.endTag(null, tag);
240 }
241
Esteban Talaverac48b20f2016-08-11 11:23:40 +0100[diff] [blame]242 public static void readRestrictions(XmlPullParser parser, Bundle restrictions) {
Fyodor Kupoloveafee022017-03-15 17:09:04 -0700[diff] [blame]243 restrictions.clear();
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]244 for (String key : USER_RESTRICTIONS) {
245 final String value = parser.getAttributeValue(null, key);
246 if (value != null) {
247 restrictions.putBoolean(key, Boolean.parseBoolean(value));
248 }
249 }
250 }
251
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]252 public static Bundle readRestrictions(XmlPullParser parser) {
253 final Bundle result = new Bundle();
254 readRestrictions(parser, result);
255 return result;
256 }
257
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]258 /**
259 * @return {@code in} itself when it's not null, or an empty bundle (which can writable).
260 */
261 public static Bundle nonNull(@Nullable Bundle in) {
262 return in != null ? in : new Bundle();
263 }
264
265 public static boolean isEmpty(@Nullable Bundle in) {
266 return (in == null) || (in.size() == 0);
267 }
268
269 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]270 * Returns {@code true} if given bundle is not null and contains {@code true} for a given
271 * restriction.
272 */
273 public static boolean contains(@Nullable Bundle in, String restriction) {
274 return in != null && in.getBoolean(restriction);
275 }
276
277 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]278 * Creates a copy of the {@code in} Bundle. If {@code in} is null, it'll return an empty
279 * bundle.
280 *
281 * <p>The resulting {@link Bundle} is always writable. (i.e. it won't return
282 * {@link Bundle#EMPTY})
283 */
284 public static @NonNull Bundle clone(@Nullable Bundle in) {
285 return (in != null) ? new Bundle(in) : new Bundle();
286 }
287
288 public static void merge(@NonNull Bundle dest, @Nullable Bundle in) {
289 Preconditions.checkNotNull(dest);
290 Preconditions.checkArgument(dest != in);
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]291 if (in == null) {
292 return;
293 }
294 for (String key : in.keySet()) {
295 if (in.getBoolean(key, false)) {
296 dest.putBoolean(key, true);
297 }
298 }
299 }
300
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]301 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]302 * Merges a sparse array of restrictions bundles into one.
303 */
304 @Nullable
305 public static Bundle mergeAll(SparseArray<Bundle> restrictions) {
306 if (restrictions.size() == 0) {
307 return null;
308 } else {
309 final Bundle result = new Bundle();
310 for (int i = 0; i < restrictions.size(); i++) {
311 merge(result, restrictions.valueAt(i));
312 }
313 return result;
314 }
315 }
316
317 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]318 * @return true if a restriction is settable by device owner.
319 */
320 public static boolean canDeviceOwnerChange(String restriction) {
321 return !IMMUTABLE_BY_OWNERS.contains(restriction);
322 }
323
324 /**
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]325 * @return true if a restriction is settable by profile owner. Note it takes a user ID because
326 * some restrictions can be changed by PO only when it's running on the system user.
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]327 */
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]328 public static boolean canProfileOwnerChange(String restriction, int userId) {
329 return !IMMUTABLE_BY_OWNERS.contains(restriction)
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]330 && !DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)
Makoto Onuki5485ed42015-12-09 11:38:23 -0800[diff] [blame]331 && !(userId != UserHandle.USER_SYSTEM
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]332 && PRIMARY_USER_ONLY_RESTRICTIONS.contains(restriction));
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]333 }
334
335 /**
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]336 * Returns the user restrictions that default to {@code true} for device owners.
Nicolas Prevot2ea46fe2017-01-05 10:29:34 +0000[diff] [blame]337 * These user restrictions are local, though. ie only for the device owner's user id.
Esteban Talavera6c9116a2016-11-24 16:12:44 +0000[diff] [blame]338 */
339 public static @NonNull Set<String> getDefaultEnabledForDeviceOwner() {
340 return DEFAULT_ENABLED_FOR_DEVICE_OWNERS;
341 }
342
343 /**
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]344 * Returns the user restrictions that default to {@code true} for managed profile owners.
345 */
346 public static @NonNull Set<String> getDefaultEnabledForManagedProfiles() {
347 return DEFAULT_ENABLED_FOR_MANAGED_PROFILES;
348 }
349
350 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]351 * Takes restrictions that can be set by device owner, and sort them into what should be applied
352 * globally and what should be applied only on the current user.
353 */
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]354 public static void sortToGlobalAndLocal(@Nullable Bundle in, boolean isDeviceOwner,
355 int cameraRestrictionScope,
356 @NonNull Bundle global, @NonNull Bundle local) {
357 // Camera restriction (as well as all others) goes to at most one bundle.
358 if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_GLOBALLY) {
359 global.putBoolean(UserManager.DISALLOW_CAMERA, true);
360 } else if (cameraRestrictionScope == UserManagerInternal.CAMERA_DISABLED_LOCALLY) {
361 local.putBoolean(UserManager.DISALLOW_CAMERA, true);
362 }
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]363 if (in == null || in.size() == 0) {
364 return;
365 }
366 for (String key : in.keySet()) {
367 if (!in.getBoolean(key)) {
368 continue;
369 }
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]370 if (isGlobal(isDeviceOwner, key)) {
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]371 global.putBoolean(key, true);
372 } else {
373 local.putBoolean(key, true);
374 }
375 }
376 }
377
378 /**
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]379 * Whether given user restriction should be enforced globally.
380 */
381 private static boolean isGlobal(boolean isDeviceOwner, String key) {
382 return (isDeviceOwner &&
Benjamin Franzff66fa92017-08-10 10:39:44 +0100[diff] [blame]383 (PRIMARY_USER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)))
384 || PROFILE_GLOBAL_RESTRICTIONS.contains(key)
385 || DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key);
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]386 }
387
388 /**
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]389 * @return true if two Bundles contain the same user restriction.
390 * A null bundle and an empty bundle are considered to be equal.
391 */
392 public static boolean areEqual(@Nullable Bundle a, @Nullable Bundle b) {
393 if (a == b) {
394 return true;
395 }
396 if (isEmpty(a)) {
397 return isEmpty(b);
398 }
399 if (isEmpty(b)) {
400 return false;
401 }
402 for (String key : a.keySet()) {
403 if (a.getBoolean(key) != b.getBoolean(key)) {
404 return false;
405 }
406 }
407 for (String key : b.keySet()) {
408 if (a.getBoolean(key) != b.getBoolean(key)) {
409 return false;
410 }
411 }
412 return true;
413 }
414
415 /**
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]416 * Takes a new use restriction set and the previous set, and apply the restrictions that have
417 * changed.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]418 *
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]419 * <p>Note this method is called by {@link UserManagerService} without holding any locks.
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]420 */
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]421 public static void applyUserRestrictions(Context context, int userId,
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]422 Bundle newRestrictions, Bundle prevRestrictions) {
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]423 for (String key : USER_RESTRICTIONS) {
424 final boolean newValue = newRestrictions.getBoolean(key);
425 final boolean prevValue = prevRestrictions.getBoolean(key);
426
427 if (newValue != prevValue) {
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]428 applyUserRestriction(context, userId, key, newValue);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]429 }
430 }
431 }
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]432
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]433 /**
434 * Apply each user restriction.
435 *
Makoto Onuki28da2e32015-11-20 11:30:44 -0800[diff] [blame]436 * <p>See also {@link
437 * com.android.providers.settings.SettingsProvider#isGlobalOrSecureSettingRestrictedForUser},
438 * which should be in sync with this method.
Makoto Onukid45a4a22015-11-02 17:17:38 -0800[diff] [blame]439 */
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]440 private static void applyUserRestriction(Context context, int userId, String key,
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]441 boolean newValue) {
Makoto Onuki1a2cd742015-11-16 13:51:27 -0800[diff] [blame]442 if (UserManagerService.DBG) {
443 Log.d(TAG, "Applying user restriction: userId=" + userId
444 + " key=" + key + " value=" + newValue);
445 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]446 // When certain restrictions are cleared, we don't update the system settings,
447 // because these settings are changeable on the Settings UI and we don't know the original
448 // value -- for example LOCATION_MODE might have been off already when the restriction was
449 // set, and in that case even if the restriction is lifted, changing it to ON would be
450 // wrong. So just don't do anything in such a case. If the user hopes to enable location
451 // later, they can do it on the Settings UI.
Benjamin Franz0ff13fc2016-07-12 13:42:21 +0100[diff] [blame]452 // WARNING: Remember that Settings.Global and Settings.Secure are changeable via adb.
453 // To prevent this from happening for a given user restriction, you have to add a check to
454 // SettingsProvider.isGlobalOrSecureSettingRestrictedForUser.
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]455
456 final ContentResolver cr = context.getContentResolver();
457 final long id = Binder.clearCallingIdentity();
458 try {
459 switch (key) {
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]460 case UserManager.DISALLOW_DATA_ROAMING:
461 if (newValue) {
462 // DISALLOW_DATA_ROAMING user restriction is set.
463
464 // Multi sim device.
Jeff Sharkey717f52f2018-01-04 16:04:11 -0700[diff] [blame]465 SubscriptionManager subscriptionManager = context
466 .getSystemService(SubscriptionManager.class);
Mahaver Chopradea471e2015-12-17 11:02:37 +0000[diff] [blame]467 final List<SubscriptionInfo> subscriptionInfoList =
468 subscriptionManager.getActiveSubscriptionInfoList();
469 if (subscriptionInfoList != null) {
470 for (SubscriptionInfo subInfo : subscriptionInfoList) {
471 android.provider.Settings.Global.putStringForUser(cr,
472 android.provider.Settings.Global.DATA_ROAMING
473 + subInfo.getSubscriptionId(), "0", userId);
474 }
475 }
476
477 // Single sim device.
478 android.provider.Settings.Global.putStringForUser(cr,
479 android.provider.Settings.Global.DATA_ROAMING, "0", userId);
480 }
481 break;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]482 case UserManager.DISALLOW_SHARE_LOCATION:
483 if (newValue) {
484 android.provider.Settings.Secure.putIntForUser(cr,
485 android.provider.Settings.Secure.LOCATION_MODE,
486 android.provider.Settings.Secure.LOCATION_MODE_OFF,
487 userId);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]488 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]489 break;
490 case UserManager.DISALLOW_DEBUGGING_FEATURES:
491 if (newValue) {
492 // Only disable adb if changing for system user, since it is global
493 // TODO: should this be admin user?
494 if (userId == UserHandle.USER_SYSTEM) {
495 android.provider.Settings.Global.putStringForUser(cr,
496 android.provider.Settings.Global.ADB_ENABLED, "0",
497 userId);
498 }
499 }
500 break;
501 case UserManager.ENSURE_VERIFY_APPS:
502 if (newValue) {
503 android.provider.Settings.Global.putStringForUser(
504 context.getContentResolver(),
505 android.provider.Settings.Global.PACKAGE_VERIFIER_ENABLE, "1",
506 userId);
507 android.provider.Settings.Global.putStringForUser(
508 context.getContentResolver(),
509 android.provider.Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, "1",
510 userId);
511 }
512 break;
513 case UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES:
Suprabh Shuklae3745ee2017-02-02 20:01:11 -0800[diff] [blame]514 // Since Android O, the secure setting is not available to be changed by the
515 // user. Hence, when the restriction is cleared, we need to reset the state of
516 // the setting to its default value which is now 1.
517 android.provider.Settings.Secure.putIntForUser(cr,
518 android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS,
519 newValue ? 0 : 1, userId);
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]520 break;
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]521 case UserManager.DISALLOW_RUN_IN_BACKGROUND:
522 if (newValue) {
523 int currentUser = ActivityManager.getCurrentUser();
524 if (currentUser != userId && userId != UserHandle.USER_SYSTEM) {
525 try {
Sudheer Shankadc589ac2016-11-10 15:30:17 -0800[diff] [blame]526 ActivityManager.getService().stopUser(userId, false, null);
Fyodor Kupolov9cbfc9e2015-10-07 15:52:33 -0700[diff] [blame]527 } catch (RemoteException e) {
528 throw e.rethrowAsRuntimeException();
529 }
530 }
531 }
Lenka Trochtova6474f0e2016-03-24 16:43:10 +0100[diff] [blame]532 break;
533 case UserManager.DISALLOW_SAFE_BOOT:
534 // Unlike with the other restrictions, we want to propagate the new value to
535 // the system settings even if it is false. The other restrictions modify
536 // settings which could be manually changed by the user from the Settings app
537 // after the policies enforcing these restrictions have been revoked, so we
538 // leave re-setting of those settings to the user.
539 android.provider.Settings.Global.putInt(
540 context.getContentResolver(),
541 android.provider.Settings.Global.SAFE_BOOT_DISALLOWED,
542 newValue ? 1 : 0);
543 break;
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]544 }
Makoto Onuki4f160732015-10-27 17:15:38 -0700[diff] [blame]545 } finally {
546 Binder.restoreCallingIdentity(id);
547 }
548 }
549
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]550 public static void dumpRestrictions(PrintWriter pw, String prefix, Bundle restrictions) {
551 boolean noneSet = true;
552 if (restrictions != null) {
553 for (String key : restrictions.keySet()) {
554 if (restrictions.getBoolean(key, false)) {
555 pw.println(prefix + key);
556 noneSet = false;
557 }
558 }
Makoto Onuki068c54a2015-10-13 14:34:03 -0700[diff] [blame]559 if (noneSet) {
560 pw.println(prefix + "none");
561 }
562 } else {
563 pw.println(prefix + "null");
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]564 }
565 }
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]566
567 /**
568 * Moves a particular restriction from one array of bundles to another, e.g. for all users.
569 */
570 public static void moveRestriction(String restrictionKey, SparseArray<Bundle> srcRestrictions,
571 SparseArray<Bundle> destRestrictions) {
572 for (int i = 0; i < srcRestrictions.size(); i++) {
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]573 final int key = srcRestrictions.keyAt(i);
574 final Bundle from = srcRestrictions.valueAt(i);
Pavel Grafov6a40f092016-10-25 15:46:51 +0100[diff] [blame]575 if (contains(from, restrictionKey)) {
576 from.remove(restrictionKey);
577 Bundle to = destRestrictions.get(key);
578 if (to == null) {
579 to = new Bundle();
580 destRestrictions.append(key, to);
581 }
582 to.putBoolean(restrictionKey, true);
583 // Don't keep empty bundles.
584 if (from.isEmpty()) {
585 srcRestrictions.removeAt(i);
586 i--;
587 }
588 }
589 }
590 }
Pavel Grafov7f4ad752017-03-28 13:44:04 +0100[diff] [blame]591
592 /**
593 * Returns whether restrictions differ between two bundles.
594 * @param oldRestrictions old bundle of restrictions.
595 * @param newRestrictions new bundle of restrictions
596 * @param restrictions restrictions of interest, if empty, all restrictions are checked.
597 */
598 public static boolean restrictionsChanged(Bundle oldRestrictions, Bundle newRestrictions,
599 String... restrictions) {
600 if (restrictions.length == 0) {
601 return areEqual(oldRestrictions, newRestrictions);
602 }
603 for (final String restriction : restrictions) {
604 if (oldRestrictions.getBoolean(restriction, false) !=
605 newRestrictions.getBoolean(restriction, false)) {
606 return true;
607 }
608 }
609 return false;
610 }
Makoto Onukia4f11972015-10-01 13:19:58 -0700[diff] [blame]611}