diff options
| author | Sinduran Sivarajan <sinduran@google.com> | 2025-02-03 08:47:40 -0800 |
|---|---|---|
| committer | Julian Veit <Claymore1298@gmail.com> | 2025-04-18 14:14:09 +0200 |
| commit | 7764127511974b62a33ed3fc8ecd47a9402d9b98 (patch) | |
| tree | 1eb976a9b102ee961c13f0428cdb60428936facc | |
| parent | ad9dde8be74e91ab2d05a257fc8e68c5ff0b7d8b (diff) | |
Disable "Developer options" by default for managed profiles.u14.0
Bug: 382064697
Test: go/work-profile-creation-developer-access
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:73b54cdf4b70831c4f952d7556274609cb46214e)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a44611648b44ceee8e2337dfba92398475c72602)
Merged-In: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
Change-Id: Ibe6b721f2552d9e72aba0582a2eed4ba87178c7c
| -rw-r--r-- | services/core/java/com/android/server/pm/UserRestrictionsUtils.java | 3 | ||||
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 38 |
2 files changed, 27 insertions, 14 deletions
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java index c2f74a8895cb..9f870fdaee44 100644 --- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java +++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java @@ -301,7 +301,8 @@ public class UserRestrictionsUtils { * in settings. So it is handled separately. */ private static final Set<String> DEFAULT_ENABLED_FOR_MANAGED_PROFILES = Sets.newArraySet( - UserManager.DISALLOW_BLUETOOTH_SHARING + UserManager.DISALLOW_BLUETOOTH_SHARING, + UserManager.DISALLOW_DEBUGGING_FEATURES ); /** diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index ac656224b8c1..00ad402bf7dd 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -2672,16 +2672,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } - /** - * Apply default restrictions that haven't been applied to a given admin yet. - */ + /** Apply default restrictions that haven't been applied to a given admin yet. */ private void maybeSetDefaultRestrictionsForAdminLocked(int userId, ActiveAdmin admin) { - Set<String> defaultRestrictions = - UserRestrictionsUtils.getDefaultEnabledForManagedProfiles(); - if (defaultRestrictions.equals(admin.defaultEnabledRestrictionsAlreadySet)) { + Set<String> newDefaultRestrictions = new HashSet( + UserRestrictionsUtils.getDefaultEnabledForManagedProfiles()); + newDefaultRestrictions.removeAll(admin.defaultEnabledRestrictionsAlreadySet); + if (newDefaultRestrictions.isEmpty()) { return; // The same set of default restrictions has been already applied. } - for (String restriction : defaultRestrictions) { + + for (String restriction : newDefaultRestrictions) { mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.getPolicyDefinitionForUserRestriction(restriction), EnforcingAdmin.createEnterpriseEnforcingAdmin( @@ -2690,9 +2690,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { new BooleanPolicyValue(true), userId); } - admin.defaultEnabledRestrictionsAlreadySet.addAll(defaultRestrictions); + admin.defaultEnabledRestrictionsAlreadySet.addAll(newDefaultRestrictions); Slogf.i(LOG_TAG, "Enabled the following restrictions by default: " - + defaultRestrictions); + + newDefaultRestrictions); } private void setDeviceOwnershipSystemPropertyLocked() { @@ -10027,7 +10027,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return false; } - if (isAdb(caller)) { + boolean isAdb = isAdb(caller); + if (isAdb) { // Log profile owner provisioning was started using adb. MetricsLogger.action(mContext, PROVISIONING_ENTRY_POINT_ADB, LOG_TAG_PROFILE_OWNER); DevicePolicyEventLogger @@ -10049,6 +10050,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { maybeSetDefaultRestrictionsForAdminLocked(userHandle, admin); ensureUnknownSourcesRestrictionForProfileOwnerLocked(userHandle, admin, true /* newOwner */); + if (isAdb) { + // DISALLOW_DEBUGGING_FEATURES is being added to newly-created + // work profile by default due to b/382064697 . This would have + // impacted certain CTS test flows when they interact with the + // work profile via ADB (for example installing an app into the + // work profile). Remove DISALLOW_DEBUGGING_FEATURES here to + // reduce the potential impact. + setLocalUserRestrictionInternal( + EnforcingAdmin.createEnterpriseEnforcingAdmin(who, userHandle), + UserManager.DISALLOW_DEBUGGING_FEATURES, false, userHandle); + } } sendOwnerChangedBroadcast(DevicePolicyManager.ACTION_PROFILE_OWNER_CHANGED, userHandle); @@ -10960,7 +10972,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (mOwners.hasDeviceOwner()) { return false; } - + final ComponentName profileOwner = getProfileOwnerAsUser(userId); if (profileOwner == null) { return false; @@ -10969,7 +10981,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isManagedProfile(userId)) { return false; } - + return true; } private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) { @@ -24045,7 +24057,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } }); } - + private void migrateUserControlDisabledPackagesLocked() { Binder.withCleanCallingIdentity(() -> { List<UserInfo> users = mUserManager.getUsers(); |