1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.devicepolicy; 18 19 import static com.android.server.devicepolicy.DevicePolicyEngine.DEVICE_LOCK_CONTROLLER_ROLE; 20 import static com.android.server.devicepolicy.DevicePolicyEngine.SYSTEM_SUPERVISION_ROLE; 21 22 import android.annotation.NonNull; 23 import android.annotation.Nullable; 24 import android.app.admin.AccountTypePolicyKey; 25 import android.app.admin.BooleanPolicyValue; 26 import android.app.admin.DevicePolicyIdentifiers; 27 import android.app.admin.DevicePolicyManager; 28 import android.app.admin.IntegerPolicyValue; 29 import android.app.admin.IntentFilterPolicyKey; 30 import android.app.admin.LockTaskPolicy; 31 import android.app.admin.NoArgsPolicyKey; 32 import android.app.admin.PackagePermissionPolicyKey; 33 import android.app.admin.PackagePolicyKey; 34 import android.app.admin.PolicyKey; 35 import android.app.admin.PolicyValue; 36 import android.app.admin.UserRestrictionPolicyKey; 37 import android.app.admin.flags.Flags; 38 import android.content.ComponentName; 39 import android.content.Context; 40 import android.content.IntentFilter; 41 import android.os.Bundle; 42 import android.os.UserManager; 43 44 import com.android.internal.util.function.QuadFunction; 45 import com.android.modules.utils.TypedXmlPullParser; 46 import com.android.modules.utils.TypedXmlSerializer; 47 import com.android.server.utils.Slogf; 48 49 import org.xmlpull.v1.XmlPullParserException; 50 51 import java.io.IOException; 52 import java.util.HashMap; 53 import java.util.LinkedHashMap; 54 import java.util.List; 55 import java.util.Map; 56 import java.util.Objects; 57 import java.util.Set; 58 import java.util.concurrent.CompletableFuture; 59 60 final class PolicyDefinition<V> { 61 62 static final String TAG = "PolicyDefinition"; 63 64 private static final int POLICY_FLAG_NONE = 0; 65 66 // Only use this flag if a policy can not be applied locally. 67 private static final int POLICY_FLAG_GLOBAL_ONLY_POLICY = 1; 68 69 // Only use this flag if a policy can not be applied globally. 70 private static final int POLICY_FLAG_LOCAL_ONLY_POLICY = 1 << 1; 71 72 // Only use this flag if a policy is inheritable by child profile from parent. 73 private static final int POLICY_FLAG_INHERITABLE = 1 << 2; 74 75 // Use this flag if admin policies should be treated independently of each other and should not 76 // have any resolution logic applied, this should only be used for very limited policies were 77 // this would make sense and the enforcing logic should handle it appropriately, e.g. 78 // application restrictions set by different admins for a single package should not be merged, 79 // but saved and queried independent of each other. 80 // Currently, support is added for local only policies, if you need to add a non coexistable 81 // global policy please add support. 82 private static final int POLICY_FLAG_NON_COEXISTABLE_POLICY = 1 << 3; 83 84 // Add this flag to any policy that is a user restriction, the reason for this is that there 85 // are some special APIs to handle user restriction policies and this is the way we can identify 86 // them. 87 private static final int POLICY_FLAG_USER_RESTRICTION_POLICY = 1 << 4; 88 89 // Only invoke the policy enforcer callback when the policy value changes, and do not invoke the 90 // callback in other cases such as device reboots. 91 private static final int POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED = 1 << 5; 92 93 private static final MostRestrictive<Boolean> FALSE_MORE_RESTRICTIVE = new MostRestrictive<>( 94 List.of(new BooleanPolicyValue(false), new BooleanPolicyValue(true))); 95 96 private static final MostRestrictive<Boolean> TRUE_MORE_RESTRICTIVE = new MostRestrictive<>( 97 List.of(new BooleanPolicyValue(true), new BooleanPolicyValue(false))); 98 99 static PolicyDefinition<Integer> AUTO_TIME_ZONE = new PolicyDefinition<>( 100 new NoArgsPolicyKey(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY), 101 // Auto time zone is enabled by default. Enabled state has higher priority given it 102 // means the time will be more precise and other applications can rely on that for 103 // their purposes. 104 new TopPriority<>(List.of( 105 EnforcingAdmin.getRoleAuthorityOf(SYSTEM_SUPERVISION_ROLE), 106 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 107 EnforcingAdmin.DPC_AUTHORITY)), 108 POLICY_FLAG_GLOBAL_ONLY_POLICY, 109 PolicyEnforcerCallbacks::setAutoTimeZonePolicy, 110 new IntegerPolicySerializer()); 111 112 static final PolicyDefinition<Integer> GENERIC_PERMISSION_GRANT = 113 new PolicyDefinition<>( 114 new PackagePermissionPolicyKey(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY), 115 // TODO: is this really the best mechanism, what makes denied more 116 // restrictive than 117 // granted? 118 new MostRestrictive<>( 119 List.of( 120 new IntegerPolicyValue( 121 DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED), 122 new IntegerPolicyValue( 123 DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED), 124 new IntegerPolicyValue( 125 DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT))), 126 POLICY_FLAG_LOCAL_ONLY_POLICY, 127 PolicyEnforcerCallbacks::setPermissionGrantState, 128 new IntegerPolicySerializer()); 129 PERMISSION_GRANT( @onNull String packageName, @NonNull String permissionName)130 static PolicyDefinition<Integer> PERMISSION_GRANT( 131 @NonNull String packageName, @NonNull String permissionName) { 132 Objects.requireNonNull(packageName, "packageName must not be null"); 133 Objects.requireNonNull(permissionName, "permissionName must not be null"); 134 return GENERIC_PERMISSION_GRANT.createPolicyDefinition( 135 new PackagePermissionPolicyKey( 136 DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, 137 packageName, 138 permissionName)); 139 } 140 141 static PolicyDefinition<Boolean> SECURITY_LOGGING = new PolicyDefinition<>( 142 new NoArgsPolicyKey(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY), 143 TRUE_MORE_RESTRICTIVE, 144 POLICY_FLAG_GLOBAL_ONLY_POLICY, 145 PolicyEnforcerCallbacks::enforceSecurityLogging, 146 new BooleanPolicySerializer()); 147 148 static PolicyDefinition<Boolean> AUDIT_LOGGING = new PolicyDefinition<>( 149 new NoArgsPolicyKey(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY), 150 TRUE_MORE_RESTRICTIVE, 151 POLICY_FLAG_GLOBAL_ONLY_POLICY, 152 PolicyEnforcerCallbacks::enforceAuditLogging, 153 new BooleanPolicySerializer()); 154 155 static PolicyDefinition<LockTaskPolicy> LOCK_TASK = new PolicyDefinition<>( 156 new NoArgsPolicyKey(DevicePolicyIdentifiers.LOCK_TASK_POLICY), 157 new TopPriority<>(List.of( 158 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 159 EnforcingAdmin.DPC_AUTHORITY)), 160 POLICY_FLAG_LOCAL_ONLY_POLICY, 161 (LockTaskPolicy value, Context context, Integer userId, PolicyKey policyKey) -> 162 PolicyEnforcerCallbacks.setLockTask(value, context, userId), 163 new LockTaskPolicySerializer()); 164 165 static PolicyDefinition<Set<String>> USER_CONTROLLED_DISABLED_PACKAGES = 166 new PolicyDefinition<>( 167 new NoArgsPolicyKey( 168 DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY), 169 new PackageSetUnion(), 170 PolicyEnforcerCallbacks::setUserControlDisabledPackages, 171 new PackageSetPolicySerializer()); 172 173 static PolicyDefinition<ComponentName> GENERIC_PERSISTENT_PREFERRED_ACTIVITY = 174 new PolicyDefinition<>( 175 new IntentFilterPolicyKey( 176 DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY), 177 new TopPriority<>(List.of( 178 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 179 EnforcingAdmin.DPC_AUTHORITY)), 180 POLICY_FLAG_LOCAL_ONLY_POLICY, 181 PolicyEnforcerCallbacks::addPersistentPreferredActivity, 182 new ComponentNamePolicySerializer()); 183 PERSISTENT_PREFERRED_ACTIVITY( @onNull IntentFilter intentFilter)184 static PolicyDefinition<ComponentName> PERSISTENT_PREFERRED_ACTIVITY( 185 @NonNull IntentFilter intentFilter) { 186 Objects.requireNonNull(intentFilter, "intentFilter must not be null"); 187 return GENERIC_PERSISTENT_PREFERRED_ACTIVITY.createPolicyDefinition( 188 new IntentFilterPolicyKey( 189 DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, 190 intentFilter)); 191 } 192 193 static PolicyDefinition<Boolean> GENERIC_PACKAGE_UNINSTALL_BLOCKED = 194 new PolicyDefinition<>( 195 new PackagePolicyKey( 196 DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY), 197 TRUE_MORE_RESTRICTIVE, 198 POLICY_FLAG_LOCAL_ONLY_POLICY, 199 PolicyEnforcerCallbacks::setUninstallBlocked, 200 new BooleanPolicySerializer()); 201 PACKAGE_UNINSTALL_BLOCKED(@onNull String packageName)202 static PolicyDefinition<Boolean> PACKAGE_UNINSTALL_BLOCKED(@NonNull String packageName) { 203 Objects.requireNonNull(packageName, "packageName must not be null"); 204 return GENERIC_PACKAGE_UNINSTALL_BLOCKED.createPolicyDefinition( 205 new PackagePolicyKey( 206 DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, packageName)); 207 } 208 209 static PolicyDefinition<Bundle> GENERIC_APPLICATION_RESTRICTIONS = 210 new PolicyDefinition<>( 211 new PackagePolicyKey( 212 DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY), 213 // Don't need to take in a resolution mechanism since its never used, but might 214 // need some refactoring to not always assume a non-null mechanism. 215 new MostRecent<>(), 216 // Only invoke the enforcement callback during policy change and not other state 217 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE 218 | POLICY_FLAG_NON_COEXISTABLE_POLICY 219 | POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED, 220 PolicyEnforcerCallbacks::setApplicationRestrictions, 221 new BundlePolicySerializer()); 222 APPLICATION_RESTRICTIONS(@onNull String packageName)223 static PolicyDefinition<Bundle> APPLICATION_RESTRICTIONS(@NonNull String packageName) { 224 Objects.requireNonNull(packageName, "packageName must not be null"); 225 return GENERIC_APPLICATION_RESTRICTIONS.createPolicyDefinition( 226 new PackagePolicyKey( 227 DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, packageName)); 228 } 229 230 static PolicyDefinition<Long> RESET_PASSWORD_TOKEN = new PolicyDefinition<>( 231 new NoArgsPolicyKey(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY), 232 // Don't need to take in a resolution mechanism since its never used, but might 233 // need some refactoring to not always assume a non-null mechanism. 234 new MostRecent<>(), 235 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_NON_COEXISTABLE_POLICY, 236 // DevicePolicyManagerService handles the enforcement, this just takes care of storage 237 PolicyEnforcerCallbacks::noOp, 238 new LongPolicySerializer()); 239 240 static PolicyDefinition<Integer> KEYGUARD_DISABLED_FEATURES = new PolicyDefinition<>( 241 new NoArgsPolicyKey(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY), 242 new FlagUnion(), 243 POLICY_FLAG_LOCAL_ONLY_POLICY, 244 // Nothing is enforced for keyguard features, we just need to store it 245 PolicyEnforcerCallbacks::noOp, 246 new IntegerPolicySerializer()); 247 248 static PolicyDefinition<Boolean> GENERIC_APPLICATION_HIDDEN = 249 new PolicyDefinition<>( 250 new PackagePolicyKey( 251 DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY), 252 // TODO(b/276713779): Don't need to take in a resolution mechanism since its 253 // never used, but might need some refactoring to not always assume a non-null 254 // mechanism. 255 TRUE_MORE_RESTRICTIVE, 256 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 257 PolicyEnforcerCallbacks::setApplicationHidden, 258 new BooleanPolicySerializer()); 259 APPLICATION_HIDDEN(@onNull String packageName)260 static PolicyDefinition<Boolean> APPLICATION_HIDDEN(@NonNull String packageName) { 261 Objects.requireNonNull(packageName, "packageName must not be null"); 262 return GENERIC_APPLICATION_HIDDEN.createPolicyDefinition( 263 new PackagePolicyKey( 264 DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, packageName)); 265 } 266 267 static PolicyDefinition<Boolean> GENERIC_ACCOUNT_MANAGEMENT_DISABLED = 268 new PolicyDefinition<>( 269 new AccountTypePolicyKey( 270 DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY), 271 TRUE_MORE_RESTRICTIVE, 272 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 273 // Nothing is enforced, we just need to store it 274 PolicyEnforcerCallbacks::noOp, 275 new BooleanPolicySerializer()); 276 ACCOUNT_MANAGEMENT_DISABLED(@onNull String accountType)277 static PolicyDefinition<Boolean> ACCOUNT_MANAGEMENT_DISABLED(@NonNull String accountType) { 278 Objects.requireNonNull(accountType, "accountType must not be null"); 279 return GENERIC_ACCOUNT_MANAGEMENT_DISABLED.createPolicyDefinition( 280 new AccountTypePolicyKey( 281 DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, accountType)); 282 } 283 284 static PolicyDefinition<Set<String>> PERMITTED_INPUT_METHODS = new PolicyDefinition<>( 285 new NoArgsPolicyKey(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY), 286 (Flags.usePolicyIntersectionForPermittedInputMethods() 287 ? new StringSetIntersection() 288 : new MostRecent<>()), 289 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 290 PolicyEnforcerCallbacks::noOp, 291 new PackageSetPolicySerializer()); 292 293 294 static PolicyDefinition<Boolean> SCREEN_CAPTURE_DISABLED = new PolicyDefinition<>( 295 new NoArgsPolicyKey(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY), 296 TRUE_MORE_RESTRICTIVE, 297 POLICY_FLAG_INHERITABLE, 298 PolicyEnforcerCallbacks::setScreenCaptureDisabled, 299 new BooleanPolicySerializer()); 300 301 static PolicyDefinition<Boolean> PERSONAL_APPS_SUSPENDED = new PolicyDefinition<>( 302 new NoArgsPolicyKey(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY), 303 new MostRecent<>(), 304 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 305 PolicyEnforcerCallbacks::setPersonalAppsSuspended, 306 new BooleanPolicySerializer()); 307 308 static PolicyDefinition<Boolean> USB_DATA_SIGNALING = new PolicyDefinition<>( 309 new NoArgsPolicyKey(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY), 310 // usb data signaling is enabled by default, hence disabling it is more restrictive. 311 FALSE_MORE_RESTRICTIVE, 312 POLICY_FLAG_GLOBAL_ONLY_POLICY, 313 (Boolean value, Context context, Integer userId, PolicyKey policyKey) -> 314 PolicyEnforcerCallbacks.setUsbDataSignalingEnabled(value, context), 315 new BooleanPolicySerializer()); 316 317 static PolicyDefinition<Integer> CONTENT_PROTECTION = new PolicyDefinition<>( 318 new NoArgsPolicyKey(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY), 319 new MostRecent<>(), 320 POLICY_FLAG_LOCAL_ONLY_POLICY, 321 PolicyEnforcerCallbacks::setContentProtectionPolicy, 322 new IntegerPolicySerializer()); 323 324 static PolicyDefinition<Integer> APP_FUNCTIONS = new PolicyDefinition<>( 325 new NoArgsPolicyKey(DevicePolicyIdentifiers.APP_FUNCTIONS_POLICY), 326 new MostRestrictive<>( 327 List.of( 328 new IntegerPolicyValue( 329 DevicePolicyManager.APP_FUNCTIONS_DISABLED), 330 new IntegerPolicyValue( 331 DevicePolicyManager.APP_FUNCTIONS_DISABLED_CROSS_PROFILE), 332 new IntegerPolicyValue( 333 DevicePolicyManager.APP_FUNCTIONS_NOT_CONTROLLED_BY_POLICY))), 334 POLICY_FLAG_LOCAL_ONLY_POLICY, 335 PolicyEnforcerCallbacks::noOp, 336 new IntegerPolicySerializer()); 337 338 static PolicyDefinition<Integer> PASSWORD_COMPLEXITY = new PolicyDefinition<>( 339 new NoArgsPolicyKey(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY), 340 new MostRestrictive<>( 341 List.of( 342 new IntegerPolicyValue( 343 DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH), 344 new IntegerPolicyValue( 345 DevicePolicyManager.PASSWORD_COMPLEXITY_MEDIUM), 346 new IntegerPolicyValue( 347 DevicePolicyManager.PASSWORD_COMPLEXITY_LOW), 348 new IntegerPolicyValue( 349 DevicePolicyManager.PASSWORD_COMPLEXITY_NONE))), 350 POLICY_FLAG_LOCAL_ONLY_POLICY, 351 PolicyEnforcerCallbacks::noOp, 352 new IntegerPolicySerializer()); 353 354 static PolicyDefinition<Set<String>> PACKAGES_SUSPENDED = 355 new PolicyDefinition<>( 356 new NoArgsPolicyKey( 357 DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY), 358 new PackageSetUnion(), 359 PolicyEnforcerCallbacks::noOp, 360 new PackageSetPolicySerializer()); 361 362 static PolicyDefinition<Integer> MEMORY_TAGGING = new PolicyDefinition<>( 363 new NoArgsPolicyKey( 364 DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY), 365 new TopPriority<>(List.of(EnforcingAdmin.DPC_AUTHORITY)), 366 PolicyEnforcerCallbacks::setMtePolicy, 367 new IntegerPolicySerializer()); 368 369 static PolicyDefinition<Integer> AUTO_TIME = new PolicyDefinition<>( 370 new NoArgsPolicyKey(DevicePolicyIdentifiers.AUTO_TIME_POLICY), 371 new TopPriority<>(List.of( 372 EnforcingAdmin.getRoleAuthorityOf(SYSTEM_SUPERVISION_ROLE), 373 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 374 EnforcingAdmin.DPC_AUTHORITY)), 375 POLICY_FLAG_GLOBAL_ONLY_POLICY, 376 PolicyEnforcerCallbacks::setAutoTimePolicy, 377 new IntegerPolicySerializer()); 378 379 private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); 380 private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); 381 382 // TODO(b/277218360): Revisit policies that should be marked as global-only. 383 static { POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY, AUTO_TIME_ZONE)384 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY, AUTO_TIME_ZONE); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, GENERIC_PERMISSION_GRANT)385 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, 386 GENERIC_PERMISSION_GRANT); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY, SECURITY_LOGGING)387 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY, 388 SECURITY_LOGGING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY, AUDIT_LOGGING)389 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY, 390 AUDIT_LOGGING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.LOCK_TASK_POLICY, LOCK_TASK)391 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.LOCK_TASK_POLICY, LOCK_TASK); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY, USER_CONTROLLED_DISABLED_PACKAGES)392 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY, 393 USER_CONTROLLED_DISABLED_PACKAGES); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, GENERIC_PERSISTENT_PREFERRED_ACTIVITY)394 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, 395 GENERIC_PERSISTENT_PREFERRED_ACTIVITY); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, GENERIC_PACKAGE_UNINSTALL_BLOCKED)396 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, 397 GENERIC_PACKAGE_UNINSTALL_BLOCKED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, GENERIC_APPLICATION_RESTRICTIONS)398 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, 399 GENERIC_APPLICATION_RESTRICTIONS); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY, RESET_PASSWORD_TOKEN)400 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY, 401 RESET_PASSWORD_TOKEN); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY, KEYGUARD_DISABLED_FEATURES)402 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY, 403 KEYGUARD_DISABLED_FEATURES); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, GENERIC_APPLICATION_HIDDEN)404 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, 405 GENERIC_APPLICATION_HIDDEN); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, GENERIC_ACCOUNT_MANAGEMENT_DISABLED)406 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, 407 GENERIC_ACCOUNT_MANAGEMENT_DISABLED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY, PERMITTED_INPUT_METHODS)408 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY, 409 PERMITTED_INPUT_METHODS); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY, SCREEN_CAPTURE_DISABLED)410 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY, 411 SCREEN_CAPTURE_DISABLED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY, PERSONAL_APPS_SUSPENDED)412 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY, 413 PERSONAL_APPS_SUSPENDED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY, USB_DATA_SIGNALING)414 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY, 415 USB_DATA_SIGNALING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY, CONTENT_PROTECTION)416 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY, 417 CONTENT_PROTECTION); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APP_FUNCTIONS_POLICY, APP_FUNCTIONS)418 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APP_FUNCTIONS_POLICY, 419 APP_FUNCTIONS); 420 // Intentionally not flagged since if the flag is flipped off on a device already 421 // having PASSWORD_COMPLEXITY policy in the on-device XML, it will cause the 422 // deserialization logic to break due to seeing an unknown tag. POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY, PASSWORD_COMPLEXITY)423 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY, 424 PASSWORD_COMPLEXITY); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY, PACKAGES_SUSPENDED)425 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY, 426 PACKAGES_SUSPENDED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY, MEMORY_TAGGING)427 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY, 428 MEMORY_TAGGING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIME_POLICY, AUTO_TIME)429 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIME_POLICY, AUTO_TIME); 430 431 // User Restriction Policies USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MODIFY_ACCOUNTS, 0)432 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MODIFY_ACCOUNTS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_WIFI, 0)433 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_WIFI, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CHANGE_WIFI_STATE, POLICY_FLAG_GLOBAL_ONLY_POLICY)434 USER_RESTRICTION_FLAGS.put( 435 UserManager.DISALLOW_CHANGE_WIFI_STATE, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_WIFI_TETHERING, POLICY_FLAG_GLOBAL_ONLY_POLICY)436 USER_RESTRICTION_FLAGS.put( 437 UserManager.DISALLOW_WIFI_TETHERING, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_GRANT_ADMIN, 0)438 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_GRANT_ADMIN, /* flags= */ 0); 439 // TODO: set as global only once we get rid of the mapping USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI, 0)440 USER_RESTRICTION_FLAGS.put( 441 UserManager.DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_WIFI_DIRECT, POLICY_FLAG_GLOBAL_ONLY_POLICY)442 USER_RESTRICTION_FLAGS.put( 443 UserManager.DISALLOW_WIFI_DIRECT, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_ADD_WIFI_CONFIG, POLICY_FLAG_GLOBAL_ONLY_POLICY)444 USER_RESTRICTION_FLAGS.put( 445 UserManager.DISALLOW_ADD_WIFI_CONFIG, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCALE, 0)446 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCALE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_APPS, 0)447 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNINSTALL_APPS, 0)448 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNINSTALL_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_LOCATION, 0)449 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_LOCATION, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_AIRPLANE_MODE, POLICY_FLAG_GLOBAL_ONLY_POLICY)450 USER_RESTRICTION_FLAGS.put( 451 UserManager.DISALLOW_AIRPLANE_MODE, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BRIGHTNESS, 0)452 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BRIGHTNESS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AMBIENT_DISPLAY, 0)453 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AMBIENT_DISPLAY, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_SCREEN_TIMEOUT, 0)454 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_SCREEN_TIMEOUT, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, 0)455 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, POLICY_FLAG_GLOBAL_ONLY_POLICY)456 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, 457 POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BLUETOOTH, 0)458 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BLUETOOTH, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH, 0)459 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH_SHARING, 0)460 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH_SHARING, /* flags= */ 0); 461 // This effectively always applies globally, but it can be set on the profile 462 // parent, check the javadocs on the restriction for more info. USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_USB_FILE_TRANSFER, 0)463 USER_RESTRICTION_FLAGS.put( 464 UserManager.DISALLOW_USB_FILE_TRANSFER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CREDENTIALS, 0)465 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CREDENTIALS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_USER, 0)466 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_USER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, 0)467 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DEBUGGING_FEATURES, 0)468 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DEBUGGING_FEATURES, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_VPN, 0)469 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_VPN, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCATION, 0)470 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCATION, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DATE_TIME, 0)471 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DATE_TIME, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CONFIG_TETHERING, 0)472 USER_RESTRICTION_FLAGS.put( 473 UserManager.DISALLOW_CONFIG_TETHERING, /* flags= */ 0); 474 // This effectively always applies globally, but it can be set on the profile 475 // parent, check the javadocs on the restriction for more info. USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_NETWORK_RESET, 0)476 USER_RESTRICTION_FLAGS.put( 477 UserManager.DISALLOW_NETWORK_RESET, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FACTORY_RESET, 0)478 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FACTORY_RESET, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_USER, 0)479 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_USER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_MANAGED_PROFILE, 0)480 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_CLONE_PROFILE, 0)481 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_CLONE_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, 0)482 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.ENSURE_VERIFY_APPS, POLICY_FLAG_GLOBAL_ONLY_POLICY)483 USER_RESTRICTION_FLAGS.put(UserManager.ENSURE_VERIFY_APPS, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, 0)484 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, 0)485 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_APPS_CONTROL, 0)486 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_APPS_CONTROL, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, 0)487 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_MICROPHONE, 0)488 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_MICROPHONE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADJUST_VOLUME, 0)489 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADJUST_VOLUME, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_CALLS, 0)490 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_CALLS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SMS, 0)491 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SMS, /* flags= */ 0); 492 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FUN, 0)493 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FUN, /* flags= */ 0); 494 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CREATE_WINDOWS, 0)495 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CREATE_WINDOWS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, 0)496 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, 0)497 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, /* flags= */ 0); 498 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_BEAM, 0)499 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_BEAM, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_WALLPAPER, 0)500 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_WALLPAPER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_WALLPAPER, 0)501 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_WALLPAPER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SAFE_BOOT, 0)502 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SAFE_BOOT, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RECORD_AUDIO, 0)503 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RECORD_AUDIO, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RUN_IN_BACKGROUND, 0)504 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RUN_IN_BACKGROUND, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA, 0)505 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_DEVICE, 0)506 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_DEVICE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DATA_ROAMING, 0)507 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DATA_ROAMING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_USER_ICON, 0)508 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_USER_ICON, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OEM_UNLOCK, 0)509 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OEM_UNLOCK, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNIFIED_PASSWORD, 0)510 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNIFIED_PASSWORD, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, 0)511 USER_RESTRICTION_FLAGS.put(UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AUTOFILL, 0)512 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AUTOFILL, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_CAPTURE, 0)513 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_CAPTURE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_SUGGESTIONS, 0)514 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_SUGGESTIONS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_USER_SWITCH, POLICY_FLAG_GLOBAL_ONLY_POLICY)515 USER_RESTRICTION_FLAGS.put( 516 UserManager.DISALLOW_USER_SWITCH, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, 0)517 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_PRINTING, 0)518 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_PRINTING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CONFIG_PRIVATE_DNS, POLICY_FLAG_GLOBAL_ONLY_POLICY)519 USER_RESTRICTION_FLAGS.put( 520 UserManager.DISALLOW_CONFIG_PRIVATE_DNS, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MICROPHONE_TOGGLE, 0)521 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MICROPHONE_TOGGLE, /* flags= */ 0); 522 // TODO: According the UserRestrictionsUtils, this is global only, need to confirm. USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA_TOGGLE, 0)523 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA_TOGGLE, /* flags= */ 0); 524 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BIOMETRIC, 0)525 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BIOMETRIC, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DEFAULT_APPS, 0)526 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DEFAULT_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CELLULAR_2G, POLICY_FLAG_GLOBAL_ONLY_POLICY)527 USER_RESTRICTION_FLAGS.put( 528 UserManager.DISALLOW_CELLULAR_2G, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_ULTRA_WIDEBAND_RADIO, POLICY_FLAG_GLOBAL_ONLY_POLICY)529 USER_RESTRICTION_FLAGS.put( 530 UserManager.DISALLOW_ULTRA_WIDEBAND_RADIO, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO, POLICY_FLAG_GLOBAL_ONLY_POLICY)531 USER_RESTRICTION_FLAGS.put( 532 UserManager.DISALLOW_NEAR_FIELD_COMMUNICATION_RADIO, 533 POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_SIM_GLOBALLY, POLICY_FLAG_GLOBAL_ONLY_POLICY)534 USER_RESTRICTION_FLAGS.put( 535 UserManager.DISALLOW_SIM_GLOBALLY, 536 POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, 0)537 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, /* flags= */ 0); 538 if (com.android.net.thread.platform.flags.Flags.threadUserRestrictionEnabled()) { USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_THREAD_NETWORK, POLICY_FLAG_GLOBAL_ONLY_POLICY)539 USER_RESTRICTION_FLAGS.put( 540 UserManager.DISALLOW_THREAD_NETWORK, POLICY_FLAG_GLOBAL_ONLY_POLICY); 541 } 542 for (String key : USER_RESTRICTION_FLAGS.keySet()) { createAndAddUserRestrictionPolicyDefinition(key, USER_RESTRICTION_FLAGS.get(key))543 createAndAddUserRestrictionPolicyDefinition(key, USER_RESTRICTION_FLAGS.get(key)); 544 } 545 } 546 547 private final PolicyKey mPolicyKey; 548 private final ResolutionMechanism<V> mResolutionMechanism; 549 private final int mPolicyFlags; 550 // A function that accepts policy to apply, context, userId, callback arguments, and returns 551 // true if the policy has been enforced successfully. 552 private final QuadFunction<V, Context, Integer, PolicyKey, CompletableFuture<Boolean>> 553 mPolicyEnforcerCallback; 554 private final PolicySerializer<V> mPolicySerializer; 555 createPolicyDefinition(PolicyKey key)556 private PolicyDefinition<V> createPolicyDefinition(PolicyKey key) { 557 return new PolicyDefinition<>(key, mResolutionMechanism, mPolicyFlags, 558 mPolicyEnforcerCallback, mPolicySerializer); 559 } 560 getPolicyDefinitionForUserRestriction( @serManager.UserRestrictionKey String restriction)561 static PolicyDefinition<Boolean> getPolicyDefinitionForUserRestriction( 562 @UserManager.UserRestrictionKey String restriction) { 563 String key = DevicePolicyIdentifiers.getIdentifierForUserRestriction(restriction); 564 565 if (!POLICY_DEFINITIONS.containsKey(key)) { 566 throw new IllegalArgumentException("Unsupported user restriction " + restriction); 567 } 568 // All user restrictions are of type boolean 569 return (PolicyDefinition<Boolean>) POLICY_DEFINITIONS.get(key); 570 } 571 572 @NonNull getPolicyKey()573 PolicyKey getPolicyKey() { 574 return mPolicyKey; 575 } 576 577 @NonNull getResolutionMechanism()578 ResolutionMechanism<V> getResolutionMechanism() { 579 return mResolutionMechanism; 580 } 581 /** 582 * Returns {@code true} if the policy is a global policy by nature and can't be applied locally. 583 */ isGlobalOnlyPolicy()584 boolean isGlobalOnlyPolicy() { 585 return (mPolicyFlags & POLICY_FLAG_GLOBAL_ONLY_POLICY) != 0; 586 } 587 588 /** 589 * Returns {@code true} if the policy is a local policy by nature and can't be applied globally. 590 */ isLocalOnlyPolicy()591 boolean isLocalOnlyPolicy() { 592 return (mPolicyFlags & POLICY_FLAG_LOCAL_ONLY_POLICY) != 0; 593 } 594 595 /** 596 * Returns {@code true} if the policy is inheritable by child profiles. 597 */ isInheritable()598 boolean isInheritable() { 599 return (mPolicyFlags & POLICY_FLAG_INHERITABLE) != 0; 600 } 601 602 /** 603 * Returns {@code true} if the policy engine should not try to resolve policies set by different 604 * admins and should just store it and pass it on to the enforcing logic. 605 */ isNonCoexistablePolicy()606 boolean isNonCoexistablePolicy() { 607 return (mPolicyFlags & POLICY_FLAG_NON_COEXISTABLE_POLICY) != 0; 608 } 609 isUserRestrictionPolicy()610 boolean isUserRestrictionPolicy() { 611 return (mPolicyFlags & POLICY_FLAG_USER_RESTRICTION_POLICY) != 0; 612 } 613 shouldSkipEnforcementIfNotChanged()614 boolean shouldSkipEnforcementIfNotChanged() { 615 return (mPolicyFlags & POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED) != 0; 616 } 617 618 @Nullable resolvePolicy(LinkedHashMap<EnforcingAdmin, PolicyValue<V>> adminsPolicy)619 PolicyValue<V> resolvePolicy(LinkedHashMap<EnforcingAdmin, PolicyValue<V>> adminsPolicy) { 620 return mResolutionMechanism.resolve(adminsPolicy); 621 } 622 enforcePolicy(@ullable V value, Context context, int userId)623 CompletableFuture<Boolean> enforcePolicy(@Nullable V value, Context context, int userId) { 624 return mPolicyEnforcerCallback.apply(value, context, userId, mPolicyKey); 625 } 626 createAndAddUserRestrictionPolicyDefinition( String restriction, int flags)627 private static void createAndAddUserRestrictionPolicyDefinition( 628 String restriction, int flags) { 629 String identifier = DevicePolicyIdentifiers.getIdentifierForUserRestriction(restriction); 630 UserRestrictionPolicyKey key = new UserRestrictionPolicyKey(identifier, restriction); 631 flags |= (POLICY_FLAG_USER_RESTRICTION_POLICY | POLICY_FLAG_INHERITABLE); 632 PolicyDefinition<Boolean> definition = new PolicyDefinition<>( 633 key, 634 TRUE_MORE_RESTRICTIVE, 635 flags, 636 PolicyEnforcerCallbacks::setUserRestriction, 637 new BooleanPolicySerializer()); 638 POLICY_DEFINITIONS.put(key.getIdentifier(), definition); 639 } 640 641 /** 642 * Callers must ensure that {@code policyType} have implemented an appropriate 643 * {@link Object#equals} implementation. 644 */ PolicyDefinition( @onNull PolicyKey key, ResolutionMechanism<V> resolutionMechanism, QuadFunction<V, Context, Integer, PolicyKey, CompletableFuture<Boolean>> policyEnforcerCallback, PolicySerializer<V> policySerializer)645 private PolicyDefinition( 646 @NonNull PolicyKey key, 647 ResolutionMechanism<V> resolutionMechanism, 648 QuadFunction<V, Context, Integer, PolicyKey, CompletableFuture<Boolean>> 649 policyEnforcerCallback, 650 PolicySerializer<V> policySerializer) { 651 this(key, resolutionMechanism, POLICY_FLAG_NONE, policyEnforcerCallback, policySerializer); 652 } 653 654 /** 655 * Callers must ensure that custom {@code policyKeys} and {@code V} have an appropriate 656 * {@link Object#equals} and {@link Object#hashCode()} implementation. 657 */ PolicyDefinition( @onNull PolicyKey policyKey, ResolutionMechanism<V> resolutionMechanism, int policyFlags, QuadFunction<V, Context, Integer, PolicyKey, CompletableFuture<Boolean>> policyEnforcerCallback, PolicySerializer<V> policySerializer)658 private PolicyDefinition( 659 @NonNull PolicyKey policyKey, 660 ResolutionMechanism<V> resolutionMechanism, 661 int policyFlags, 662 QuadFunction<V, Context, Integer, PolicyKey, CompletableFuture<Boolean>> 663 policyEnforcerCallback, 664 PolicySerializer<V> policySerializer) { 665 Objects.requireNonNull(policyKey); 666 mPolicyKey = policyKey; 667 mResolutionMechanism = resolutionMechanism; 668 mPolicyFlags = policyFlags; 669 mPolicyEnforcerCallback = policyEnforcerCallback; 670 mPolicySerializer = policySerializer; 671 672 if (isNonCoexistablePolicy() && !isLocalOnlyPolicy()) { 673 throw new UnsupportedOperationException("Non-coexistable global policies not supported," 674 + "please add support."); 675 } 676 } 677 678 @Nullable readFromXml(TypedXmlPullParser parser)679 static <V> PolicyDefinition<V> readFromXml(TypedXmlPullParser parser) 680 throws XmlPullParserException, IOException { 681 // TODO: can we avoid casting? 682 PolicyKey policyKey = readPolicyKeyFromXml(parser); 683 if (policyKey == null) { 684 Slogf.wtf(TAG, "Error parsing PolicyDefinition, PolicyKey is null."); 685 return null; 686 } 687 PolicyDefinition<V> genericPolicyDefinition = 688 (PolicyDefinition<V>) POLICY_DEFINITIONS.get(policyKey.getIdentifier()); 689 if (genericPolicyDefinition == null) { 690 Slogf.wtf(TAG, "Unknown generic policy key: " + policyKey); 691 return null; 692 } 693 return genericPolicyDefinition.createPolicyDefinition(policyKey); 694 } 695 696 @Nullable readPolicyKeyFromXml(TypedXmlPullParser parser)697 static PolicyKey readPolicyKeyFromXml(TypedXmlPullParser parser) 698 throws XmlPullParserException, IOException { 699 PolicyKey policyKey = PolicyKey.readGenericPolicyKeyFromXml(parser); 700 if (policyKey == null) { 701 Slogf.wtf(TAG, "Error parsing PolicyKey, GenericPolicyKey is null"); 702 return null; 703 } 704 PolicyDefinition<?> genericPolicyDefinition = 705 POLICY_DEFINITIONS.get(policyKey.getIdentifier()); 706 if (genericPolicyDefinition == null) { 707 Slogf.wtf(TAG, "Error parsing PolicyKey, Unknown generic policy key: " + policyKey); 708 return null; 709 } 710 return genericPolicyDefinition.mPolicyKey.readFromXml(parser); 711 } 712 savePolicyValueToXml(TypedXmlSerializer serializer, V value)713 void savePolicyValueToXml(TypedXmlSerializer serializer, V value) 714 throws IOException { 715 mPolicySerializer.saveToXml(serializer, value); 716 } 717 718 @Nullable readPolicyValueFromXml(TypedXmlPullParser parser)719 PolicyValue<V> readPolicyValueFromXml(TypedXmlPullParser parser) { 720 return mPolicySerializer.readFromXml(parser); 721 } 722 723 @Override toString()724 public String toString() { 725 return "PolicyDefinition{ mPolicyKey= " + mPolicyKey + ", mResolutionMechanism= " 726 + mResolutionMechanism + ", mPolicyFlags= " + mPolicyFlags + " }"; 727 } 728 } 729