From 0b7dd1e6c8422da0a21c1631244bec7a2af5085a Mon Sep 17 00:00:00 2001 From: Kenny Guy Date: Thu, 12 Mar 2015 17:14:38 +0000 Subject: Allowing profile to set a subset of keyguard restrictions. Allow admins in managed profiles disable trust related keyguard features (trust agents and finger prints) for the parent user. Allow admins in managed profiles to control whether notifications from the profile are redacted on the keyguard. Bug: 18581512 Change-Id: Ic2323671f63781630206cc2efcc8e27ee58c38e6 --- .../devicepolicy/DevicePolicyManagerService.java | 70 +++++++++++++++++----- 1 file changed, 56 insertions(+), 14 deletions(-) (limited to 'services/devicepolicy/java') diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 67c198f..43e6f76 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -245,6 +245,17 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { GLOBAL_SETTINGS_WHITELIST.add(Settings.Global.STAY_ON_WHILE_PLUGGED_IN); } + // Keyguard features that when set of a profile will affect the profiles + // parent user. + private static final int PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER = + DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS + | DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT; + + // Keyguard features that are allowed to be set on a managed profile + private static final int PROFILE_KEYGUARD_FEATURES = + PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER + | DevicePolicyManager.KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS; + final Context mContext; final UserManager mUserManager; final PowerManager.WakeLock mWakeLock; @@ -3956,7 +3967,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } Preconditions.checkNotNull(who, "ComponentName is null"); final int userHandle = UserHandle.getCallingUserId(); - enforceNotManagedProfile(userHandle, "disable keyguard features"); + if (isManagedProfile(userHandle)) { + which = which & PROFILE_KEYGUARD_FEATURES; + } synchronized (this) { ActiveAdmin ap = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES); @@ -3977,21 +3990,50 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { return 0; } enforceCrossUserPermission(userHandle); - synchronized (this) { - if (who != null) { - ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle); - return (admin != null) ? admin.disabledKeyguardFeatures : 0; - } + long ident = Binder.clearCallingIdentity(); + try { + synchronized (this) { + if (who != null) { + ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle); + return (admin != null) ? admin.disabledKeyguardFeatures : 0; + } - // Determine which keyguard features are disabled for any active admins. - DevicePolicyData policy = getUserData(userHandle); - final int N = policy.mAdminList.size(); - int which = 0; - for (int i = 0; i < N; i++) { - ActiveAdmin admin = policy.mAdminList.get(i); - which |= admin.disabledKeyguardFeatures; + UserInfo user = mUserManager.getUserInfo(userHandle); + final List profiles; + if (user.isManagedProfile()) { + // If we are being asked about a managed profile just return + // keyguard features disabled by admins in the profile. + profiles = new ArrayList(1); + profiles.add(user); + } else { + // Otherwise return those set by admins in the user + // and its profiles. + profiles = mUserManager.getProfiles(userHandle); + } + + // Determine which keyguard features are disabled by any active admin. + int which = 0; + for (UserInfo userInfo : profiles) { + DevicePolicyData policy = getUserData(userInfo.id); + final int N = policy.mAdminList.size(); + for (int i = 0; i < N; i++) { + ActiveAdmin admin = policy.mAdminList.get(i); + if (userInfo.id == userHandle || !userInfo.isManagedProfile()) { + // If we are being asked explictly about this user + // return all disabled features even if its a managed profile. + which |= admin.disabledKeyguardFeatures; + } else { + // Otherwise a managed profile is only allowed to disable + // some features on the parent user. + which |= (admin.disabledKeyguardFeatures + & PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER); + } + } + } + return which; } - return which; + } finally { + Binder.restoreCallingIdentity(ident); } } -- cgit v1.1