author: Eric Sandness <sandness@google.com> 2018-08-10 13:28:46 +0100
committer: Eric Sandness <sandness@google.com> 2018-09-05 18:47:42 +0100
commit: ca5969d6e0b0dd288bf3316ca4973de5837442fc
tree: 1b581c6c72b90ec88a87a3e7756819e7191dcba0 /core/java
parent: 2b3bcce1d4c0a1c76a8d9e2b942c54f8acb95b11
Block Policies From Device Admin Targeting Q

If a device admin app targets Android Q or above, and it is not a device owner or profile owner, throw a SecurityException if it attempts to control the following policies:
- DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA
- DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
- DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD
- DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD

The set of policies available to a device admin targeting Android P or below is unchanged.

Bug: 111546201
Test: com.android.server.devicepolicy.DevicePolicyManagerTest
Test: com.android.cts.devicepolicy.DeviceAdminHostSideTestApi24
Test: com.android.cts.devicepolicy.DeviceAdminHostSideTestApi29
Test: com.android.cts.devicepolicy.ManagedProfileTest
Change-Id: Idcd0b4b91ad2fa363535c718928d382c7da054d4
Diffstat (limited to 'core/java')
-rw-r--r-- core/java/android/app/admin/DeviceAdminInfo.java 37
1 files changed, 15 insertions, 22 deletions
diff --git a/core/java/android/app/admin/DeviceAdminInfo.java b/core/java/android/app/admin/DeviceAdminInfo.java
index 5fbe5b398488..cae3cf5b44c3 100644
--- a/core/java/android/app/admin/DeviceAdminInfo.java
+++ b/core/java/android/app/admin/DeviceAdminInfo.java
@@ -73,12 +73,10 @@ public final class DeviceAdminInfo implements Parcelable {
* that the user can select, via {@link DevicePolicyManager#setPasswordQuality}
* and {@link DevicePolicyManager#setPasswordMinimumLength}.
*
- * <p>To control this policy, the device admin must have a "limit-password"
- * tag in the "uses-policies" section of its meta-data.
- *
- * <p>This policy is deprecated for use by a device admin. In future releases, it will
- * only be possible for a device owner or profile owner to enforce constraints on user
- * passwords.
+ * <p>To control this policy, the device admin must be a device owner or profile owner,
+ * and must have a "limit-password" tag in the "uses-policies" section of its meta-data.
+ * If used by a device owner, the policy only affects the primary user and its profiles,
+ * but not any secondary users on the device.
*/
public static final int USES_POLICY_LIMIT_PASSWORD = 0;
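Review bot: The new Javadoc for USES_POLICY_LIMIT_PASSWORD states the owner requirement unconditionally ("the device admin must be a device owner or profile owner"), but the commit message says the restriction applies only to admins targeting Android Q or above and that admins targeting P or below are unchanged. A developer maintaining a legacy admin would read this as the policy already being unavailable to them. Suggest qualifying the sentence with the target-SDK condition and stating that a SecurityException is thrown otherwise, so callers know which failure to expect and handle.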
@@ -138,11 +136,10 @@ public final class DeviceAdminInfo implements Parcelable {
* A type of policy that this device admin can use: force the user to
* change their password after an administrator-defined time limit.
*
- * <p>To control this policy, the device admin must have an "expire-password"
- * tag in the "uses-policies" section of its meta-data.
- *
- * <p>This policy is deprecated for use by a device admin. In future releases, it will
- * only be possible for a device owner or profile owner to enforce password expiry.
+ * <p>To control this policy, the device admin must be a device owner or profile owner,
+ * and must have an "expire-password" tag in the "uses-policies" section of its meta-data.
+ * If used by a device owner, the policy only affects the primary user and its profiles,
+ * but not any secondary users on the device.
*/
public static final int USES_POLICY_EXPIRE_PASSWORD = 6;
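Review bot: The scope sentence in the USES_POLICY_EXPIRE_PASSWORD comment covers only the device-owner case ("If used by a device owner, the policy only affects the primary user and its profiles"); nothing says what is affected when a profile owner sets it, even though the paragraph now names profile owner as one of the two permitted callers. Please add the matching sentence for the profile-owner case. Separately, the deleted deprecation paragraph was the only warning addressed to plain device admins, and per the commit message those targeting P or below can still use this policy, so a short note for them would keep the migration signal in the docs.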
@@ -157,23 +154,19 @@ public final class DeviceAdminInfo implements Parcelable {
/**
* A type of policy that this device admin can use: disables use of all device cameras.
*
- * <p>To control this policy, the device admin must have a "disable-camera"
- * tag in the "uses-policies" section of its meta-data.
- *
- * <p>This policy is deprecated for use by a device admin. In future releases, it will
- * only be possible for a device owner or profile owner to disable use of the camera.
+ * <p>To control this policy, the device admin must be a device owner or profile owner,
+ * and must have a "disable-camera" tag in the "uses-policies" section of its meta-data.
+ * If used by a device owner, the policy affects all users on the device.
*/
public static final int USES_POLICY_DISABLE_CAMERA = 8;
/**
* A type of policy that this device admin can use: disables use of keyguard features.
*
- * <p>To control this policy, the device admin must have a "disable-keyguard-features"
- * tag in the "uses-policies" section of its meta-data.
- *
- * <p>This policy is deprecated for use by a device admin. In future releases, it will
- * only be possible for a device owner or profile owner to disable use of keyguard
- * features.
+ * <p>To control this policy, the device admin must be a device owner or profile owner,
+ * and must have a "disable-keyguard-features" tag in the "uses-policies" section of its
+ * meta-data. If used by a device owner, the policy only affects the primary user and
+ * its profiles, but not any secondary users on the device.
*/
public static final int USES_POLICY_DISABLE_KEYGUARD_FEATURES = 9;
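Review bot: The two scope sentences in this hunk diverge without comment: USES_POLICY_DISABLE_CAMERA "affects all users on the device", while USES_POLICY_DISABLE_KEYGUARD_FEATURES affects only "the primary user and its profiles, but not any secondary users". If the difference is intended, say so explicitly in the camera comment, since it is the only one of the four policies in this patch with device-wide reach and the near-identical wording makes it easy to miss. Neither comment carries a {@link} to the DevicePolicyManager method it governs, unlike the USES_POLICY_LIMIT_PASSWORD comment in the first hunk; adding one would let readers find where the SecurityException described in the commit message is documented. The enforcement itself is not visible in this core/java-limited diff, so it cannot be checked here against the wording.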