Merge "Layer user restrictions"

Makoto Onuki
2015-10-27 22:49:04 +00:00
committed by Android (Google) Code Review
20 changed files with 1410 additions and 443 deletions


@@ -16,6 +16,8 @@
package android.app.admin;
import android.os.Bundle;
import java.util.List;
/**
@@ -69,4 +71,13 @@ public abstract class DevicePolicyManagerInternal {
* @return true if the uid is an active admin with the given policy.
*/
public abstract boolean isActiveAdminWithPolicy(int uid, int reqPolicy);
/**
* Takes a {@link Bundle} containing "base" user restrictions stored in
* {@link com.android.server.pm.UserManagerService}, mixes restrictions set by the device owner
* and the profile owner and returns the merged restrictions.
*
* This method always returns a new {@link Bundle}.
*/
public abstract Bundle getComposedUserRestrictions(int userId, Bundle inBundle);
}
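Review bot: The Javadoc on `getComposedUserRestrictions` does not say whether `inBundle` may be null or whether it is left unmodified, and it does not state how a key set by more than one source is resolved. Callers treat the result as the effective restriction set, so I would add something like `@param inBundle base restrictions; not modified by this call` and `@return a new Bundle in which a restriction is set if the base, the device owner or the profile owner sets it`, adjusted to what the implementation really does. Null handling and the merge rule are not visible in this section, so both need confirming against the implementing class.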


@@ -55,14 +55,12 @@ interface IUserManager {
int getUserHandle(int userSerialNumber);
Bundle getUserRestrictions(int userHandle);
boolean hasUserRestriction(in String restrictionKey, int userHandle);
void setUserRestrictions(in Bundle restrictions, int userHandle);
void setUserRestriction(String key, boolean value, int userId);
void setSystemControlledUserRestriction(String key, boolean value, int userId);
void setApplicationRestrictions(in String packageName, in Bundle restrictions,
int userHandle);
Bundle getApplicationRestrictions(in String packageName);
Bundle getApplicationRestrictionsForUser(in String packageName, int userHandle);
void removeRestrictions();
void setDefaultGuestRestrictions(in Bundle restrictions);
Bundle getDefaultGuestRestrictions();
boolean markGuestForDeletion(int userHandle);
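Review bot: `setUserRestriction` and `setSystemControlledUserRestriction`, which appear to be the lines this change adds, have identical signatures and no comment telling them apart, so a reader cannot tell which callers are meant to reach the second one. A short comment above it, for example `// System-only: the service must verify the caller before applying the change.`, would document the intent. The caller check itself has to live in the service implementation, which is not part of this section, so it is worth confirming there. Both methods also name the last parameter `userId` while the rest of the interface uses `userHandle`.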


@@ -21,6 +21,7 @@ import android.annotation.SystemApi;
import android.app.ActivityManager;
import android.app.ActivityManagerNative;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.UserInfo;
import android.content.res.Resources;
@@ -55,7 +56,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_MODIFY_ACCOUNTS = "no_modify_accounts";
@@ -67,7 +69,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_WIFI = "no_config_wifi";
@@ -78,7 +81,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_INSTALL_APPS = "no_install_apps";
@@ -89,7 +93,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_UNINSTALL_APPS = "no_uninstall_apps";
@@ -102,7 +107,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_SHARE_LOCATION = "no_share_location";
@@ -114,7 +120,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_INSTALL_UNKNOWN_SOURCES = "no_install_unknown_sources";
@@ -127,7 +134,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_BLUETOOTH = "no_config_bluetooth";
@@ -139,7 +147,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_USB_FILE_TRANSFER = "no_usb_file_transfer";
@@ -150,7 +159,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_CREDENTIALS = "no_config_credentials";
@@ -163,7 +173,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_REMOVE_USER = "no_remove_user";
@@ -174,7 +185,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_DEBUGGING_FEATURES = "no_debugging_features";
@@ -187,7 +199,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_VPN = "no_config_vpn";
@@ -199,7 +212,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_TETHERING = "no_config_tethering";
@@ -213,7 +227,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_NETWORK_RESET = "no_network_reset";
@@ -227,7 +242,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_FACTORY_RESET = "no_factory_reset";
@@ -241,7 +257,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_ADD_USER = "no_add_user";
@@ -252,7 +269,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String ENSURE_VERIFY_APPS = "ensure_verify_apps";
@@ -266,7 +284,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_CELL_BROADCASTS = "no_config_cell_broadcasts";
@@ -280,7 +299,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CONFIG_MOBILE_NETWORKS = "no_config_mobile_networks";
@@ -300,7 +320,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_APPS_CONTROL = "no_control_apps";
@@ -312,7 +333,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_MOUNT_PHYSICAL_MEDIA = "no_physical_media";
@@ -324,7 +346,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_UNMUTE_MICROPHONE = "no_unmute_microphone";
@@ -336,7 +359,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_ADJUST_VOLUME = "no_adjust_volume";
@@ -350,7 +374,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_OUTGOING_CALLS = "no_outgoing_calls";
@@ -361,7 +386,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_SMS = "no_sms";
@@ -373,7 +399,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_FUN = "no_fun";
@@ -393,7 +420,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CREATE_WINDOWS = "no_create_windows";
@@ -406,7 +434,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_CROSS_PROFILE_COPY_PASTE = "no_cross_profile_copy_paste";
@@ -417,7 +446,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_OUTGOING_BEAM = "no_outgoing_beam";
@@ -426,7 +456,8 @@ public class UserManager {
* Hidden user restriction to disallow access to wallpaper manager APIs. This user restriction
* is always set for managed profiles.
* @hide
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_WALLPAPER = "no_wallpaper";
@@ -438,7 +469,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String DISALLOW_SAFE_BOOT = "no_safe_boot";
@@ -447,7 +479,8 @@ public class UserManager {
* Specifies if a user is not allowed to record audio. This restriction is always enabled for
* background users. The default value is <code>false</code>.
*
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
* @hide
*/
@@ -466,7 +499,8 @@ public class UserManager {
*
* <p/>Key for user restrictions.
* <p/>Type: Boolean
* @see #setUserRestrictions(Bundle)
* @see DevicePolicyManager#addUserRestriction(ComponentName, String)
* @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
* @see #getUserRestrictions()
*/
public static final String ALLOW_PARENT_PROFILE_APP_LINKING
@@ -740,36 +774,20 @@ public class UserManager {
}
/**
* Sets all the user-wide restrictions for this user.
* Requires the MANAGE_USERS permission.
* @param restrictions the Bundle containing all the restrictions.
* @deprecated use {@link android.app.admin.DevicePolicyManager#addUserRestriction(
* android.content.ComponentName, String)} or
* {@link android.app.admin.DevicePolicyManager#clearUserRestriction(
* android.content.ComponentName, String)} instead.
* This will no longer work. Use {@link #setUserRestriction(String, boolean)} instead.
*/
@Deprecated
public void setUserRestrictions(Bundle restrictions) {
setUserRestrictions(restrictions, Process.myUserHandle());
throw new UnsupportedOperationException("This method is no longer supported");
}
/**
* Sets all the user-wide restrictions for the specified user.
* Requires the MANAGE_USERS permission.
* @param restrictions the Bundle containing all the restrictions.
* @param userHandle the UserHandle of the user for whom to set the restrictions.
* @deprecated use {@link android.app.admin.DevicePolicyManager#addUserRestriction(
* android.content.ComponentName, String)} or
* {@link android.app.admin.DevicePolicyManager#clearUserRestriction(
* android.content.ComponentName, String)} instead.
* This will no longer work. Use {@link #setUserRestriction(String, boolean, UserHandle)}
* instead.
*/
@Deprecated
public void setUserRestrictions(Bundle restrictions, UserHandle userHandle) {
try {
mService.setUserRestrictions(restrictions, userHandle.getIdentifier());
} catch (RemoteException re) {
Log.w(TAG, "Could not set user restrictions", re);
}
throw new UnsupportedOperationException("This method is no longer supported");
}
/**
@@ -784,9 +802,7 @@ public class UserManager {
*/
@Deprecated
public void setUserRestriction(String key, boolean value) {
Bundle bundle = getUserRestrictions();
bundle.putBoolean(key, value);
setUserRestrictions(bundle);
setUserRestriction(key, value, Process.myUserHandle());
}
/**
@@ -882,9 +898,8 @@ public class UserManager {
try {
user = mService.createUser(name, flags);
if (user != null && !user.isAdmin()) {
Bundle userRestrictions = mService.getUserRestrictions(user.id);
addDefaultUserRestrictions(userRestrictions);
mService.setUserRestrictions(userRestrictions, user.id);
mService.setUserRestriction(DISALLOW_SMS, true, user.id);
mService.setUserRestriction(DISALLOW_OUTGOING_CALLS, true, user.id);
}
} catch (RemoteException re) {
Log.w(TAG, "Could not create a user", re);
@@ -899,27 +914,22 @@ public class UserManager {
* @hide
*/
public UserInfo createGuest(Context context, String name) {
UserInfo guest = createUser(name, UserInfo.FLAG_GUEST);
if (guest != null) {
Settings.Secure.putStringForUser(context.getContentResolver(),
Settings.Secure.SKIP_FIRST_USE_HINTS, "1", guest.id);
try {
Bundle guestRestrictions = mService.getDefaultGuestRestrictions();
guestRestrictions.putBoolean(DISALLOW_SMS, true);
guestRestrictions.putBoolean(DISALLOW_INSTALL_UNKNOWN_SOURCES, true);
mService.setUserRestrictions(guestRestrictions, guest.id);
} catch (RemoteException re) {
Log.w(TAG, "Could not update guest restrictions");
UserInfo guest = null;
try {
guest = mService.createUser(name, UserInfo.FLAG_GUEST);
if (guest != null) {
Settings.Secure.putStringForUser(context.getContentResolver(),
Settings.Secure.SKIP_FIRST_USE_HINTS, "1", guest.id);
mService.setUserRestriction(DISALLOW_SMS, true, guest.id);
mService.setUserRestriction(DISALLOW_INSTALL_UNKNOWN_SOURCES, true, guest.id);
}
} catch (RemoteException re) {
Log.w(TAG, "Could not create a user", re);
}
return guest;
}
private static void addDefaultUserRestrictions(Bundle restrictions) {
restrictions.putBoolean(DISALLOW_OUTGOING_CALLS, true);
restrictions.putBoolean(DISALLOW_SMS, true);
}
/**
* Creates a user with the specified name and options as a profile of another user.
* Requires {@link android.Manifest.permission#MANAGE_USERS} permission.
@@ -1465,15 +1475,6 @@ public class UserManager {
return false;
}
/** @hide */
public void removeRestrictions() {
try {
mService.removeRestrictions();
} catch (RemoteException re) {
Log.w(TAG, "Could not change restrictions pin");
}
}
/**
* @hide
* Set restrictions that should apply to any future guest user that's created.
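Review bot: In `createGuest` the rewritten body no longer calls `mService.getDefaultGuestRestrictions()`, so unless the service now applies the default guest restrictions itself for `UserInfo.FLAG_GUEST` (not visible on this page), a new guest gets only `DISALLOW_SMS` and `DISALLOW_INSTALL_UNKNOWN_SOURCES` and anything configured through `setDefaultGuestRestrictions` is dropped. That body, and the `createUser` hunk above it, also apply the restrictions in two separate binder calls after the user already exists. In `createGuest` a `RemoteException` from either call is logged as "Could not create a user" and the partly restricted guest is still returned by `return guest;`. I would apply the initial restrictions inside the service as part of creation, or at least wrap the two `setUserRestriction` calls in their own try/catch with a message such as `Log.w(TAG, "Could not set guest restrictions", re);` so the failure is not mistaken for a failed creation.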


@@ -0,0 +1,63 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.os;
/**
* @hide Only for use within the system server.
*/
public abstract class UserManagerInternal {
/**
* Lock that must be held when calling certain methods in this class.
*
* This is used to avoid dead lock between
* {@link com.android.server.pm.UserManagerService} and
* {@link com.android.server.devicepolicy.DevicePolicyManagerService}. This lock should not
* be newly taken while holding the DPMS lock, which would cause a dead lock. Take this
* lock first before taking the DPMS lock to avoid that.
*/
public abstract Object getUserRestrictionsLock();
/**
* Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} to get
* {@link com.android.server.pm.UserManagerService} to update effective user restrictions.
*
* Must be called while taking the {@link #getUserRestrictionsLock()} lock.
*/
public abstract void updateEffectiveUserRestrictionsRL(int userId);
/**
* Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} to get
* {@link com.android.server.pm.UserManagerService} to update effective user restrictions.
*
* Must be called while taking the {@link #getUserRestrictionsLock()} lock.
*/
public abstract void updateEffectiveUserRestrictionsForAllUsersRL();
/**
* Returns the "base" user restrictions.
*
* Used by {@link com.android.server.devicepolicy.DevicePolicyManagerService} for upgrading
* from MNC.
*/
public abstract Bundle getBaseUserRestrictions(int userId);
/**
* Called by {@link com.android.server.devicepolicy.DevicePolicyManagerService} for upgrading
* from MNC.
*/
public abstract void setBaseUserRestrictionsByDpmsForMigration(int userId,
Bundle baseRestrictions);
}
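Review bot: `getBaseUserRestrictions` and `setBaseUserRestrictionsByDpmsForMigration` do not say whether the lock from `getUserRestrictionsLock()` must be held, nor whether the `Bundle` returned or passed in is a copy or the live object, while the two `update…RL` methods state the locking rule explicitly. A shared mutable `Bundle` would let a caller change base restrictions outside the lock, so the Javadoc should state it, for example `Returns a copy; the caller may modify it freely.` or `Must be called while holding the {@link #getUserRestrictionsLock()} lock.`, whichever matches the implementation. The `RL` suffix is never explained either; one line in the class comment such as `Methods ending in "RL" require the user restrictions lock to be held.` would help, and "while taking" reads better as "while holding".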