1 /* 2 * Copyright (C) 2020 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.devicepolicy; 18 19 import android.annotation.NonNull; 20 import android.annotation.Nullable; 21 import android.annotation.UserIdInt; 22 import android.app.admin.DeviceAdminInfo; 23 import android.app.admin.DevicePolicyManager; 24 import android.content.ComponentName; 25 import android.os.FileUtils; 26 import android.os.PersistableBundle; 27 import android.os.UserHandle; 28 import android.util.ArrayMap; 29 import android.util.ArraySet; 30 import android.util.DebugUtils; 31 import android.util.IndentingPrintWriter; 32 import android.util.Xml; 33 34 import com.android.internal.util.JournaledFile; 35 import com.android.internal.util.XmlUtils; 36 import com.android.modules.utils.TypedXmlPullParser; 37 import com.android.modules.utils.TypedXmlSerializer; 38 import com.android.server.utils.Slogf; 39 40 import org.xmlpull.v1.XmlPullParser; 41 import org.xmlpull.v1.XmlPullParserException; 42 43 import java.io.File; 44 import java.io.FileInputStream; 45 import java.io.FileNotFoundException; 46 import java.io.FileOutputStream; 47 import java.io.IOException; 48 import java.util.ArrayList; 49 import java.util.List; 50 import java.util.Set; 51 import java.util.function.Function; 52 53 class DevicePolicyData { 54 private static final String TAG_ACCEPTED_CA_CERTIFICATES = "accepted-ca-certificate"; 55 private static final String TAG_LOCK_TASK_COMPONENTS = "lock-task-component"; 56 private static final String TAG_LOCK_TASK_FEATURES = "lock-task-features"; 57 private static final String TAG_STATUS_BAR = "statusbar"; 58 private static final String TAG_APPS_SUSPENDED = "apps-suspended"; 59 private static final String TAG_SECONDARY_LOCK_SCREEN = "secondary-lock-screen"; 60 private static final String TAG_DO_NOT_ASK_CREDENTIALS_ON_BOOT = 61 "do-not-ask-credentials-on-boot"; 62 private static final String TAG_AFFILIATION_ID = "affiliation-id"; 63 private static final String TAG_LAST_SECURITY_LOG_RETRIEVAL = "last-security-log-retrieval"; 64 private static final String TAG_LAST_BUG_REPORT_REQUEST = "last-bug-report-request"; 65 private static final String TAG_LAST_NETWORK_LOG_RETRIEVAL = "last-network-log-retrieval"; 66 private static final String TAG_ADMIN_BROADCAST_PENDING = "admin-broadcast-pending"; 67 private static final String TAG_CURRENT_INPUT_METHOD_SET = "current-ime-set"; 68 private static final String TAG_OWNER_INSTALLED_CA_CERT = "owner-installed-ca-cert"; 69 private static final String TAG_INITIALIZATION_BUNDLE = "initialization-bundle"; 70 private static final String TAG_PASSWORD_TOKEN_HANDLE = "password-token"; 71 private static final String TAG_PROTECTED_PACKAGES = "protected-packages"; 72 private static final String TAG_BYPASS_ROLE_QUALIFICATIONS = "bypass-role-qualifications"; 73 private static final String TAG_KEEP_PROFILES_RUNNING = "keep-profiles-running"; 74 private static final String ATTR_VALUE = "value"; 75 private static final String ATTR_ALIAS = "alias"; 76 private static final String ATTR_ID = "id"; 77 private static final String ATTR_PERMISSION_PROVIDER = "permission-provider"; 78 private static final String ATTR_NAME = "name"; 79 private static final String ATTR_DISABLED = "disabled"; 80 private static final String ATTR_SETUP_COMPLETE = "setup-complete"; 81 private static final String ATTR_PROVISIONING_STATE = "provisioning-state"; 82 private static final String ATTR_PERMISSION_POLICY = "permission-policy"; 83 private static final String ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED = 84 "device-provisioning-config-applied"; 85 private static final String ATTR_DEVICE_PAIRED = "device-paired"; 86 private static final String ATTR_NEW_USER_DISCLAIMER = "new-user-disclaimer"; 87 88 // Values of ATTR_NEW_USER_DISCLAIMER 89 static final String NEW_USER_DISCLAIMER_ACKNOWLEDGED = "acked"; 90 static final String NEW_USER_DISCLAIMER_NOT_NEEDED = "not_needed"; 91 static final String NEW_USER_DISCLAIMER_NEEDED = "needed"; 92 93 private static final String ATTR_FACTORY_RESET_FLAGS = "factory-reset-flags"; 94 private static final String ATTR_FACTORY_RESET_REASON = "factory-reset-reason"; 95 96 // NOTE: must be public because of DebugUtils.flagsToString() 97 public static final int FACTORY_RESET_FLAG_ON_BOOT = 1; 98 public static final int FACTORY_RESET_FLAG_WIPE_EXTERNAL_STORAGE = 2; 99 public static final int FACTORY_RESET_FLAG_WIPE_EUICC = 4; 100 public static final int FACTORY_RESET_FLAG_WIPE_FACTORY_RESET_PROTECTION = 8; 101 102 private static final String TAG = DevicePolicyManagerService.LOG_TAG; 103 private static final boolean VERBOSE_LOG = false; // DO NOT SUBMIT WITH TRUE 104 105 int mFailedPasswordAttempts = 0; 106 boolean mPasswordValidAtLastCheckpoint = true; 107 108 final @UserIdInt int mUserId; 109 int mPasswordOwner = -1; 110 long mLastMaximumTimeToLock = -1; 111 boolean mUserSetupComplete = false; 112 boolean mBypassDevicePolicyManagementRoleQualifications = false; 113 String mCurrentRoleHolder; 114 boolean mPaired = false; 115 int mUserProvisioningState; 116 int mPermissionPolicy; 117 118 int mFactoryResetFlags; 119 String mFactoryResetReason; 120 121 boolean mDeviceProvisioningConfigApplied = false; 122 123 final ArrayMap<ComponentName, ActiveAdmin> mAdminMap = new ArrayMap<>(); 124 final ArrayList<ActiveAdmin> mAdminList = new ArrayList<>(); 125 final ArrayList<ComponentName> mRemovingAdmins = new ArrayList<>(); 126 127 // TODO(b/35385311): Keep track of metadata in TrustedCertificateStore instead. 128 final ArraySet<String> mAcceptedCaCertificates = new ArraySet<>(); 129 130 // This is the list of component allowed to start lock task mode. 131 List<String> mLockTaskPackages = new ArrayList<>(); 132 133 /** @deprecated moved to DevicePolicyEngine. */ 134 @Deprecated 135 @Nullable 136 List<String> mUserControlDisabledPackages; 137 138 // Bitfield of feature flags to be enabled during LockTask mode. 139 // We default on the power button menu, in order to be consistent with pre-P behaviour. 140 int mLockTaskFeatures = DevicePolicyManager.LOCK_TASK_FEATURE_GLOBAL_ACTIONS; 141 142 boolean mStatusBarDisabled = false; 143 144 ComponentName mRestrictionsProvider; 145 146 // Map of delegate package to delegation scopes 147 final ArrayMap<String, List<String>> mDelegationMap = new ArrayMap<>(); 148 149 boolean mDoNotAskCredentialsOnBoot = false; 150 151 Set<String> mAffiliationIds = new ArraySet<>(); 152 153 long mLastSecurityLogRetrievalTime = -1; 154 155 long mLastBugReportRequestTime = -1; 156 157 long mLastNetworkLogsRetrievalTime = -1; 158 159 boolean mCurrentInputMethodSet = false; 160 161 boolean mSecondaryLockscreenEnabled = false; 162 163 // TODO(b/35385311): Keep track of metadata in TrustedCertificateStore instead. 164 Set<String> mOwnerInstalledCaCerts = new ArraySet<>(); 165 166 // Used for initialization of users created by createAndManageUser. 167 boolean mAdminBroadcastPending = false; 168 PersistableBundle mInitBundle = null; 169 170 long mPasswordTokenHandle = 0; 171 172 // Whether user's apps are suspended. This flag should only be written AFTER all the needed 173 // apps were suspended or unsuspended. 174 boolean mAppsSuspended = false; 175 176 // Whether it's necessary to show a disclaimer (that the device is managed) after the user 177 // starts. 178 String mNewUserDisclaimer = NEW_USER_DISCLAIMER_NOT_NEEDED; 179 180 /** 181 * Effective state of the feature flag. It is updated to the current configuration value 182 * during boot and doesn't change value after than unless overridden by test code. 183 */ 184 boolean mEffectiveKeepProfilesRunning = false; 185 DevicePolicyData(@serIdInt int userId)186 DevicePolicyData(@UserIdInt int userId) { 187 mUserId = userId; 188 } 189 190 /** 191 * Serializes DevicePolicyData object as XML. 192 */ store(DevicePolicyData policyData, JournaledFile file)193 static boolean store(DevicePolicyData policyData, JournaledFile file) { 194 FileOutputStream stream = null; 195 File chooseForWrite = null; 196 try { 197 chooseForWrite = file.chooseForWrite(); 198 if (VERBOSE_LOG) { 199 Slogf.v(TAG, "Storing data for user %d on %s ", policyData.mUserId, chooseForWrite); 200 } 201 stream = new FileOutputStream(chooseForWrite, false); 202 TypedXmlSerializer out = Xml.resolveSerializer(stream); 203 out.startDocument(null, true); 204 205 out.startTag(null, "policies"); 206 if (policyData.mRestrictionsProvider != null) { 207 out.attribute(null, ATTR_PERMISSION_PROVIDER, 208 policyData.mRestrictionsProvider.flattenToString()); 209 } 210 if (policyData.mUserSetupComplete) { 211 if (VERBOSE_LOG) Slogf.v(TAG, "setting %s to true", ATTR_SETUP_COMPLETE); 212 out.attributeBoolean(null, ATTR_SETUP_COMPLETE, true); 213 } 214 if (policyData.mPaired) { 215 out.attributeBoolean(null, ATTR_DEVICE_PAIRED, true); 216 } 217 if (policyData.mDeviceProvisioningConfigApplied) { 218 out.attributeBoolean(null, ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED, true); 219 } 220 if (policyData.mUserProvisioningState != DevicePolicyManager.STATE_USER_UNMANAGED) { 221 out.attributeInt(null, ATTR_PROVISIONING_STATE, policyData.mUserProvisioningState); 222 } 223 if (policyData.mPermissionPolicy != DevicePolicyManager.PERMISSION_POLICY_PROMPT) { 224 out.attributeInt(null, ATTR_PERMISSION_POLICY, policyData.mPermissionPolicy); 225 } 226 if (NEW_USER_DISCLAIMER_NEEDED.equals(policyData.mNewUserDisclaimer)) { 227 out.attribute(null, ATTR_NEW_USER_DISCLAIMER, policyData.mNewUserDisclaimer); 228 } 229 230 if (policyData.mFactoryResetFlags != 0) { 231 if (VERBOSE_LOG) { 232 Slogf.v(TAG, "Storing factory reset flags for user %d: %s", policyData.mUserId, 233 factoryResetFlagsToString(policyData.mFactoryResetFlags)); 234 } 235 out.attributeInt(null, ATTR_FACTORY_RESET_FLAGS, policyData.mFactoryResetFlags); 236 } 237 if (policyData.mFactoryResetReason != null) { 238 out.attribute(null, ATTR_FACTORY_RESET_REASON, policyData.mFactoryResetReason); 239 } 240 241 // Serialize delegations. 242 for (int i = 0; i < policyData.mDelegationMap.size(); ++i) { 243 final String delegatePackage = policyData.mDelegationMap.keyAt(i); 244 final List<String> scopes = policyData.mDelegationMap.valueAt(i); 245 246 // Every "delegation" tag serializes the information of one delegate-scope pair. 247 for (String scope : scopes) { 248 out.startTag(null, "delegation"); 249 out.attribute(null, "delegatePackage", delegatePackage); 250 out.attribute(null, "scope", scope); 251 out.endTag(null, "delegation"); 252 } 253 } 254 255 final int n = policyData.mAdminList.size(); 256 for (int i = 0; i < n; i++) { 257 ActiveAdmin ap = policyData.mAdminList.get(i); 258 if (ap != null) { 259 out.startTag(null, "admin"); 260 out.attribute(null, "name", ap.info.getComponent().flattenToString()); 261 ap.writeToXml(out); 262 out.endTag(null, "admin"); 263 } 264 } 265 266 if (policyData.mPasswordOwner >= 0) { 267 out.startTag(null, "password-owner"); 268 out.attributeInt(null, "value", policyData.mPasswordOwner); 269 out.endTag(null, "password-owner"); 270 } 271 272 if (policyData.mFailedPasswordAttempts != 0) { 273 out.startTag(null, "failed-password-attempts"); 274 out.attributeInt(null, "value", policyData.mFailedPasswordAttempts); 275 out.endTag(null, "failed-password-attempts"); 276 } 277 278 for (int i = 0; i < policyData.mAcceptedCaCertificates.size(); i++) { 279 out.startTag(null, TAG_ACCEPTED_CA_CERTIFICATES); 280 out.attribute(null, ATTR_NAME, policyData.mAcceptedCaCertificates.valueAt(i)); 281 out.endTag(null, TAG_ACCEPTED_CA_CERTIFICATES); 282 } 283 284 for (int i = 0; i < policyData.mLockTaskPackages.size(); i++) { 285 String component = policyData.mLockTaskPackages.get(i); 286 out.startTag(null, TAG_LOCK_TASK_COMPONENTS); 287 out.attribute(null, "name", component); 288 out.endTag(null, TAG_LOCK_TASK_COMPONENTS); 289 } 290 291 if (policyData.mLockTaskFeatures != DevicePolicyManager.LOCK_TASK_FEATURE_NONE) { 292 out.startTag(null, TAG_LOCK_TASK_FEATURES); 293 out.attributeInt(null, ATTR_VALUE, policyData.mLockTaskFeatures); 294 out.endTag(null, TAG_LOCK_TASK_FEATURES); 295 } 296 297 if (policyData.mSecondaryLockscreenEnabled) { 298 out.startTag(null, TAG_SECONDARY_LOCK_SCREEN); 299 out.attributeBoolean(null, ATTR_VALUE, true); 300 out.endTag(null, TAG_SECONDARY_LOCK_SCREEN); 301 } 302 303 if (policyData.mStatusBarDisabled) { 304 out.startTag(null, TAG_STATUS_BAR); 305 out.attributeBoolean(null, ATTR_DISABLED, policyData.mStatusBarDisabled); 306 out.endTag(null, TAG_STATUS_BAR); 307 } 308 309 if (policyData.mDoNotAskCredentialsOnBoot) { 310 out.startTag(null, TAG_DO_NOT_ASK_CREDENTIALS_ON_BOOT); 311 out.endTag(null, TAG_DO_NOT_ASK_CREDENTIALS_ON_BOOT); 312 } 313 314 for (String id : policyData.mAffiliationIds) { 315 out.startTag(null, TAG_AFFILIATION_ID); 316 out.attribute(null, ATTR_ID, id); 317 out.endTag(null, TAG_AFFILIATION_ID); 318 } 319 320 if (policyData.mLastSecurityLogRetrievalTime >= 0) { 321 out.startTag(null, TAG_LAST_SECURITY_LOG_RETRIEVAL); 322 out.attributeLong(null, ATTR_VALUE, policyData.mLastSecurityLogRetrievalTime); 323 out.endTag(null, TAG_LAST_SECURITY_LOG_RETRIEVAL); 324 } 325 326 if (policyData.mLastBugReportRequestTime >= 0) { 327 out.startTag(null, TAG_LAST_BUG_REPORT_REQUEST); 328 out.attributeLong(null, ATTR_VALUE, policyData.mLastBugReportRequestTime); 329 out.endTag(null, TAG_LAST_BUG_REPORT_REQUEST); 330 } 331 332 if (policyData.mLastNetworkLogsRetrievalTime >= 0) { 333 out.startTag(null, TAG_LAST_NETWORK_LOG_RETRIEVAL); 334 out.attributeLong(null, ATTR_VALUE, policyData.mLastNetworkLogsRetrievalTime); 335 out.endTag(null, TAG_LAST_NETWORK_LOG_RETRIEVAL); 336 } 337 338 if (policyData.mAdminBroadcastPending) { 339 out.startTag(null, TAG_ADMIN_BROADCAST_PENDING); 340 out.attributeBoolean(null, ATTR_VALUE, policyData.mAdminBroadcastPending); 341 out.endTag(null, TAG_ADMIN_BROADCAST_PENDING); 342 } 343 344 if (policyData.mInitBundle != null) { 345 out.startTag(null, TAG_INITIALIZATION_BUNDLE); 346 policyData.mInitBundle.saveToXml(out); 347 out.endTag(null, TAG_INITIALIZATION_BUNDLE); 348 } 349 350 if (policyData.mPasswordTokenHandle != 0) { 351 out.startTag(null, TAG_PASSWORD_TOKEN_HANDLE); 352 out.attributeLong(null, ATTR_VALUE, policyData.mPasswordTokenHandle); 353 out.endTag(null, TAG_PASSWORD_TOKEN_HANDLE); 354 } 355 356 if (policyData.mCurrentInputMethodSet) { 357 out.startTag(null, TAG_CURRENT_INPUT_METHOD_SET); 358 out.endTag(null, TAG_CURRENT_INPUT_METHOD_SET); 359 } 360 361 for (final String cert : policyData.mOwnerInstalledCaCerts) { 362 out.startTag(null, TAG_OWNER_INSTALLED_CA_CERT); 363 out.attribute(null, ATTR_ALIAS, cert); 364 out.endTag(null, TAG_OWNER_INSTALLED_CA_CERT); 365 } 366 367 if (policyData.mAppsSuspended) { 368 out.startTag(null, TAG_APPS_SUSPENDED); 369 out.attributeBoolean(null, ATTR_VALUE, policyData.mAppsSuspended); 370 out.endTag(null, TAG_APPS_SUSPENDED); 371 } 372 373 if (policyData.mBypassDevicePolicyManagementRoleQualifications) { 374 out.startTag(null, TAG_BYPASS_ROLE_QUALIFICATIONS); 375 out.attribute(null, ATTR_VALUE, policyData.mCurrentRoleHolder); 376 out.endTag(null, TAG_BYPASS_ROLE_QUALIFICATIONS); 377 } 378 379 if (policyData.mEffectiveKeepProfilesRunning) { 380 out.startTag(null, TAG_KEEP_PROFILES_RUNNING); 381 out.attributeBoolean(null, ATTR_VALUE, policyData.mEffectiveKeepProfilesRunning); 382 out.endTag(null, TAG_KEEP_PROFILES_RUNNING); 383 } 384 385 out.endTag(null, "policies"); 386 387 out.endDocument(); 388 stream.flush(); 389 FileUtils.sync(stream); 390 stream.close(); 391 file.commit(); 392 return true; 393 } catch (XmlPullParserException | IOException e) { 394 Slogf.w(TAG, e, "failed writing file %s", chooseForWrite); 395 try { 396 if (stream != null) { 397 stream.close(); 398 } 399 } catch (IOException ex) { 400 // Ignore 401 } 402 file.rollback(); 403 return false; 404 } 405 } 406 407 /** 408 * @param adminInfoSupplier function that queries DeviceAdminInfo from PackageManager 409 * @param ownerComponent device or profile owner component if any. 410 */ load(DevicePolicyData policy, JournaledFile journaledFile, Function<ComponentName, DeviceAdminInfo> adminInfoSupplier, ComponentName ownerComponent)411 static void load(DevicePolicyData policy, JournaledFile journaledFile, 412 Function<ComponentName, DeviceAdminInfo> adminInfoSupplier, 413 ComponentName ownerComponent) { 414 FileInputStream stream = null; 415 File file = journaledFile.chooseForRead(); 416 if (VERBOSE_LOG) Slogf.v(TAG, "Loading data for user %d from %s", policy.mUserId, file); 417 boolean needsRewrite = false; 418 try { 419 stream = new FileInputStream(file); 420 TypedXmlPullParser parser = Xml.resolvePullParser(stream); 421 422 int type; 423 while ((type = parser.next()) != XmlPullParser.END_DOCUMENT 424 && type != XmlPullParser.START_TAG) { 425 } 426 String tag = parser.getName(); 427 if (!"policies".equals(tag)) { 428 throw new XmlPullParserException( 429 "Settings do not start with policies tag: found " + tag); 430 } 431 432 // Extract the permission provider component name if available 433 String permissionProvider = parser.getAttributeValue(null, ATTR_PERMISSION_PROVIDER); 434 if (permissionProvider != null) { 435 policy.mRestrictionsProvider = 436 ComponentName.unflattenFromString(permissionProvider); 437 } 438 String userSetupComplete = parser.getAttributeValue(null, ATTR_SETUP_COMPLETE); 439 if (Boolean.toString(true).equals(userSetupComplete)) { 440 if (VERBOSE_LOG) Slogf.v(TAG, "setting mUserSetupComplete to true"); 441 policy.mUserSetupComplete = true; 442 } 443 String paired = parser.getAttributeValue(null, ATTR_DEVICE_PAIRED); 444 if (Boolean.toString(true).equals(paired)) { 445 policy.mPaired = true; 446 } 447 String deviceProvisioningConfigApplied = parser.getAttributeValue(null, 448 ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED); 449 if (Boolean.toString(true).equals(deviceProvisioningConfigApplied)) { 450 policy.mDeviceProvisioningConfigApplied = true; 451 } 452 int provisioningState = parser.getAttributeInt(null, ATTR_PROVISIONING_STATE, -1); 453 if (provisioningState != -1) { 454 policy.mUserProvisioningState = provisioningState; 455 } 456 int permissionPolicy = parser.getAttributeInt(null, ATTR_PERMISSION_POLICY, -1); 457 if (permissionPolicy != -1) { 458 policy.mPermissionPolicy = permissionPolicy; 459 } 460 policy.mNewUserDisclaimer = parser.getAttributeValue(null, ATTR_NEW_USER_DISCLAIMER); 461 462 policy.mFactoryResetFlags = parser.getAttributeInt(null, ATTR_FACTORY_RESET_FLAGS, 0); 463 if (VERBOSE_LOG) { 464 Slogf.v(TAG, "Restored factory reset flags for user %d: %s", policy.mUserId, 465 factoryResetFlagsToString(policy.mFactoryResetFlags)); 466 } 467 policy.mFactoryResetReason = parser.getAttributeValue(null, ATTR_FACTORY_RESET_REASON); 468 469 int outerDepth = parser.getDepth(); 470 policy.mLockTaskPackages.clear(); 471 policy.mAdminList.clear(); 472 policy.mAdminMap.clear(); 473 policy.mAffiliationIds.clear(); 474 policy.mOwnerInstalledCaCerts.clear(); 475 policy.mUserControlDisabledPackages = null; 476 while ((type = parser.next()) != XmlPullParser.END_DOCUMENT 477 && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) { 478 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) { 479 continue; 480 } 481 tag = parser.getName(); 482 if ("admin".equals(tag)) { 483 String name = parser.getAttributeValue(null, "name"); 484 try { 485 DeviceAdminInfo dai = adminInfoSupplier.apply( 486 ComponentName.unflattenFromString(name)); 487 488 if (dai != null) { 489 // b/123415062: If DA, overwrite with the stored policies that were 490 // agreed by the user to prevent apps from sneaking additional policies 491 // into updates. 492 boolean overwritePolicies = !dai.getComponent().equals(ownerComponent); 493 ActiveAdmin ap = new ActiveAdmin(dai, /* parent */ false); 494 ap.readFromXml(parser, overwritePolicies); 495 policy.mAdminMap.put(ap.info.getComponent(), ap); 496 } 497 } catch (RuntimeException e) { 498 Slogf.w(TAG, e, "Failed loading admin %s", name); 499 } 500 } else if ("delegation".equals(tag)) { 501 // Parse delegation info. 502 final String delegatePackage = parser.getAttributeValue(null, 503 "delegatePackage"); 504 final String scope = parser.getAttributeValue(null, "scope"); 505 506 // Get a reference to the scopes list for the delegatePackage. 507 List<String> scopes = policy.mDelegationMap.get(delegatePackage); 508 // Or make a new list if none was found. 509 if (scopes == null) { 510 scopes = new ArrayList<>(); 511 policy.mDelegationMap.put(delegatePackage, scopes); 512 } 513 // Add the new scope to the list of delegatePackage if it's not already there. 514 if (!scopes.contains(scope)) { 515 scopes.add(scope); 516 } 517 } else if ("failed-password-attempts".equals(tag)) { 518 policy.mFailedPasswordAttempts = parser.getAttributeInt(null, "value"); 519 } else if ("password-owner".equals(tag)) { 520 policy.mPasswordOwner = parser.getAttributeInt(null, "value"); 521 } else if (TAG_ACCEPTED_CA_CERTIFICATES.equals(tag)) { 522 policy.mAcceptedCaCertificates.add(parser.getAttributeValue(null, ATTR_NAME)); 523 } else if (TAG_LOCK_TASK_COMPONENTS.equals(tag)) { 524 policy.mLockTaskPackages.add(parser.getAttributeValue(null, "name")); 525 } else if (TAG_LOCK_TASK_FEATURES.equals(tag)) { 526 policy.mLockTaskFeatures = parser.getAttributeInt(null, ATTR_VALUE); 527 } else if (TAG_SECONDARY_LOCK_SCREEN.equals(tag)) { 528 policy.mSecondaryLockscreenEnabled = 529 parser.getAttributeBoolean(null, ATTR_VALUE, false); 530 } else if (TAG_STATUS_BAR.equals(tag)) { 531 policy.mStatusBarDisabled = 532 parser.getAttributeBoolean(null, ATTR_DISABLED, false); 533 } else if (TAG_DO_NOT_ASK_CREDENTIALS_ON_BOOT.equals(tag)) { 534 policy.mDoNotAskCredentialsOnBoot = true; 535 } else if (TAG_AFFILIATION_ID.equals(tag)) { 536 policy.mAffiliationIds.add(parser.getAttributeValue(null, ATTR_ID)); 537 } else if (TAG_LAST_SECURITY_LOG_RETRIEVAL.equals(tag)) { 538 policy.mLastSecurityLogRetrievalTime = 539 parser.getAttributeLong(null, ATTR_VALUE); 540 } else if (TAG_LAST_BUG_REPORT_REQUEST.equals(tag)) { 541 policy.mLastBugReportRequestTime = 542 parser.getAttributeLong(null, ATTR_VALUE); 543 } else if (TAG_LAST_NETWORK_LOG_RETRIEVAL.equals(tag)) { 544 policy.mLastNetworkLogsRetrievalTime = 545 parser.getAttributeLong(null, ATTR_VALUE); 546 } else if (TAG_ADMIN_BROADCAST_PENDING.equals(tag)) { 547 String pending = parser.getAttributeValue(null, ATTR_VALUE); 548 policy.mAdminBroadcastPending = Boolean.toString(true).equals(pending); 549 } else if (TAG_INITIALIZATION_BUNDLE.equals(tag)) { 550 policy.mInitBundle = PersistableBundle.restoreFromXml(parser); 551 } else if (TAG_PASSWORD_TOKEN_HANDLE.equals(tag)) { 552 policy.mPasswordTokenHandle = parser.getAttributeLong(null, ATTR_VALUE); 553 } else if (TAG_CURRENT_INPUT_METHOD_SET.equals(tag)) { 554 policy.mCurrentInputMethodSet = true; 555 } else if (TAG_OWNER_INSTALLED_CA_CERT.equals(tag)) { 556 policy.mOwnerInstalledCaCerts.add(parser.getAttributeValue(null, ATTR_ALIAS)); 557 } else if (TAG_APPS_SUSPENDED.equals(tag)) { 558 policy.mAppsSuspended = 559 parser.getAttributeBoolean(null, ATTR_VALUE, false); 560 } else if (TAG_BYPASS_ROLE_QUALIFICATIONS.equals(tag)) { 561 policy.mBypassDevicePolicyManagementRoleQualifications = true; 562 policy.mCurrentRoleHolder = parser.getAttributeValue(null, ATTR_VALUE); 563 } else if (TAG_KEEP_PROFILES_RUNNING.equals(tag)) { 564 policy.mEffectiveKeepProfilesRunning = parser.getAttributeBoolean( 565 null, ATTR_VALUE, false); 566 // Deprecated tags below 567 } else if (TAG_PROTECTED_PACKAGES.equals(tag)) { 568 if (policy.mUserControlDisabledPackages == null) { 569 policy.mUserControlDisabledPackages = new ArrayList<>(); 570 } 571 policy.mUserControlDisabledPackages.add( 572 parser.getAttributeValue(null, ATTR_NAME)); 573 } else { 574 Slogf.w(TAG, "Unknown tag: %s", tag); 575 XmlUtils.skipCurrentTag(parser); 576 } 577 } 578 } catch (FileNotFoundException e) { 579 // Don't be noisy, this is normal if we haven't defined any policies. 580 } catch (NullPointerException | NumberFormatException | XmlPullParserException | IOException 581 | IndexOutOfBoundsException e) { 582 Slogf.w(TAG, e, "failed parsing %s", file); 583 } 584 try { 585 if (stream != null) { 586 stream.close(); 587 } 588 } catch (IOException e) { 589 // Ignore 590 } 591 592 // Generate a list of admins from the admin map 593 policy.mAdminList.addAll(policy.mAdminMap.values()); 594 } 595 validatePasswordOwner()596 void validatePasswordOwner() { 597 if (mPasswordOwner >= 0) { 598 boolean haveOwner = false; 599 for (int i = mAdminList.size() - 1; i >= 0; i--) { 600 if (mAdminList.get(i).getUid() == mPasswordOwner) { 601 haveOwner = true; 602 break; 603 } 604 } 605 if (!haveOwner) { 606 Slogf.w(TAG, "Previous password owner %s no longer active; disabling", 607 mPasswordOwner); 608 mPasswordOwner = -1; 609 } 610 } 611 } 612 setDelayedFactoryReset(@onNull String reason, boolean wipeExtRequested, boolean wipeEuicc, boolean wipeResetProtectionData)613 void setDelayedFactoryReset(@NonNull String reason, boolean wipeExtRequested, boolean wipeEuicc, 614 boolean wipeResetProtectionData) { 615 mFactoryResetReason = reason; 616 617 mFactoryResetFlags = FACTORY_RESET_FLAG_ON_BOOT; 618 if (wipeExtRequested) { 619 mFactoryResetFlags |= FACTORY_RESET_FLAG_WIPE_EXTERNAL_STORAGE; 620 } 621 if (wipeEuicc) { 622 mFactoryResetFlags |= FACTORY_RESET_FLAG_WIPE_EUICC; 623 } 624 if (wipeResetProtectionData) { 625 mFactoryResetFlags |= FACTORY_RESET_FLAG_WIPE_FACTORY_RESET_PROTECTION; 626 } 627 } 628 isNewUserDisclaimerAcknowledged()629 boolean isNewUserDisclaimerAcknowledged() { 630 if (mNewUserDisclaimer == null) { 631 if (mUserId == UserHandle.USER_SYSTEM) { 632 return true; 633 } 634 Slogf.w(TAG, "isNewUserDisclaimerAcknowledged(%d): mNewUserDisclaimer is null", 635 mUserId); 636 return false; 637 } 638 switch (mNewUserDisclaimer) { 639 case NEW_USER_DISCLAIMER_ACKNOWLEDGED: 640 case NEW_USER_DISCLAIMER_NOT_NEEDED: 641 return true; 642 case NEW_USER_DISCLAIMER_NEEDED: 643 return false; 644 default: 645 Slogf.w(TAG, "isNewUserDisclaimerAcknowledged(%d): invalid value %d", mUserId, 646 mNewUserDisclaimer); 647 return false; 648 } 649 } 650 dump(IndentingPrintWriter pw)651 void dump(IndentingPrintWriter pw) { 652 pw.println(); 653 pw.println("Enabled Device Admins (User " + mUserId + ", provisioningState: " 654 + mUserProvisioningState + "):"); 655 final int n = mAdminList.size(); 656 for (int i = 0; i < n; i++) { 657 ActiveAdmin ap = mAdminList.get(i); 658 if (ap != null) { 659 pw.increaseIndent(); 660 pw.print(ap.info.getComponent().flattenToShortString()); 661 pw.println(":"); 662 pw.increaseIndent(); 663 ap.dump(pw); 664 pw.decreaseIndent(); 665 pw.decreaseIndent(); 666 } 667 } 668 if (!mRemovingAdmins.isEmpty()) { 669 pw.increaseIndent(); 670 pw.println("Removing Device Admins (User " + mUserId + "): " + mRemovingAdmins); 671 pw.decreaseIndent(); 672 } 673 pw.println(); 674 pw.increaseIndent(); 675 pw.print("mPasswordOwner="); pw.println(mPasswordOwner); 676 pw.print("mPasswordTokenHandle="); pw.println(Long.toHexString(mPasswordTokenHandle)); 677 pw.print("mAppsSuspended="); pw.println(mAppsSuspended); 678 pw.print("mUserSetupComplete="); pw.println(mUserSetupComplete); 679 pw.print("mAffiliationIds="); pw.println(mAffiliationIds); 680 pw.print("mNewUserDisclaimer="); pw.println(mNewUserDisclaimer); 681 if (mFactoryResetFlags != 0) { 682 pw.print("mFactoryResetFlags="); pw.print(mFactoryResetFlags); 683 pw.print(" ("); 684 pw.print(factoryResetFlagsToString(mFactoryResetFlags)); 685 pw.println(')'); 686 } 687 if (mFactoryResetReason != null) { 688 pw.print("mFactoryResetReason="); pw.println(mFactoryResetReason); 689 } 690 if (mDelegationMap.size() != 0) { 691 pw.println("mDelegationMap="); 692 pw.increaseIndent(); 693 for (int i = 0; i < mDelegationMap.size(); i++) { 694 List<String> delegationScopes = mDelegationMap.valueAt(i); 695 pw.println(mDelegationMap.keyAt(i) + "[size=" + delegationScopes.size() 696 + "]"); 697 pw.increaseIndent(); 698 for (int j = 0; j < delegationScopes.size(); j++) { 699 pw.println(j + ": " + delegationScopes.get(j)); 700 } 701 pw.decreaseIndent(); 702 } 703 pw.decreaseIndent(); 704 } 705 pw.decreaseIndent(); 706 } 707 factoryResetFlagsToString(int flags)708 static String factoryResetFlagsToString(int flags) { 709 return DebugUtils.flagsToString(DevicePolicyData.class, "FACTORY_RESET_FLAG_", flags); 710 } 711 } 712