Merge "Introduce feature flags for all APIs that should be flag-protected." into main
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 6314b85..57a7b93 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -6395,7 +6395,7 @@
@Override
public void lockNow(int flags, String callerPackageName, boolean parent) {
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.lockNowCoexistence()) {
caller = getCallerIdentity(callerPackageName);
} else {
caller = getCallerIdentity();
@@ -6407,7 +6407,7 @@
ActiveAdmin admin;
// Make sure the caller has any active admin with the right policy or
// the required permission.
- if (isUnicornFlagEnabled()) {
+ if (Flags.lockNowCoexistence()) {
admin = enforcePermissionsAndGetEnforcingAdmin(
/* admin= */ null,
/* permissions= */ new String[]{MANAGE_DEVICE_POLICY_LOCK, LOCK_DEVICE},
@@ -9179,13 +9179,13 @@
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeEnabledCoexistence()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
}
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeEnabledCoexistence()) {
// The effect of this policy is device-wide.
enforcePermission(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
} else {
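Review bot: `Flags.setAutoTimeEnabledCoexistence()` is read twice in this method, once to choose the `getCallerIdentity` overload and again to choose the permission check, so the authorization path is only coherent if both reads agree. The old hard-coded `isUnicornFlagEnabled()` guaranteed that; whether the generated accessor can change value between calls is not visible here. Reading it once, `final boolean coexistence = Flags.setAutoTimeEnabledCoexistence();`, and branching on `coexistence` in both places would make the single decision explicit. The same double read appears in the other `setAutoTimeEnabledCoexistence` hunk and in the `setAutoTimeZoneEnabledCoexistence`, `lockNowCoexistence`, `setKeyguardDisabledFeaturesCoexistence` and `resetPasswordWithTokenCoexistence` hunks. The enclosing method starts and ends outside the hunk.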
@@ -9213,13 +9213,13 @@
return false;
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeEnabledCoexistence()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
}
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeEnabledCoexistence()) {
enforceCanQuery(SET_TIME, caller.getPackageName(), UserHandle.USER_ALL);
} else {
Objects.requireNonNull(who, "ComponentName is null");
@@ -9242,13 +9242,13 @@
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeZoneEnabledCoexistence()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
}
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeZoneEnabledCoexistence()) {
// The effect of this policy is device-wide.
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
who,
@@ -9288,13 +9288,13 @@
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeZoneEnabledCoexistence()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
}
- if (isUnicornFlagEnabled()) {
+ if (Flags.setAutoTimeZoneEnabledCoexistence()) {
// The effect of this policy is device-wide.
enforceCanQuery(SET_TIME_ZONE, caller.getPackageName(), UserHandle.USER_ALL);
} else {
@@ -9544,7 +9544,7 @@
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
@@ -9554,7 +9554,7 @@
final int userHandle = caller.getUserId();
int affectedUserId = parent ? getProfileParentId(userHandle) : userHandle;
synchronized (getLockObject()) {
- if (isUnicornFlagEnabled()) {
+ if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
// SUPPORT USES_POLICY_DISABLE_KEYGUARD_FEATURES
EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(
who, MANAGE_DEVICE_POLICY_KEYGUARD, caller.getPackageName(),
@@ -9633,7 +9633,7 @@
synchronized (getLockObject()) {
if (who != null) {
- if (isUnicornFlagEnabled()) {
+ if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
EnforcingAdmin admin = getEnforcingAdminForPackage(
who, who.getPackageName(), userHandle);
Integer features = mDevicePolicyEngine.getLocalPolicySetByAdmin(
@@ -9652,7 +9652,7 @@
// the different behaviour between a profile with separate challenge vs a profile with
// unified challenge, which was part of getActiveAdminsForLockscreenPoliciesLocked()
// before the migration.
- if (isUnicornFlagEnabled()) {
+ if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
Integer features = mDevicePolicyEngine.getResolvedPolicy(
PolicyDefinition.KEYGUARD_DISABLED_FEATURES,
affectedUserId);
@@ -11845,7 +11845,7 @@
throw new IllegalArgumentException("Invalid package name: " + validationResult);
}
- if (isUnicornFlagEnabled()) {
+ if (Flags.setApplicationRestrictionsCoexistence()) {
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
who,
MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
@@ -13228,7 +13228,10 @@
String packageName, boolean parent) {
final CallerIdentity caller = getCallerIdentity(who, callerPackage);
- if (isUnicornFlagEnabled()) {
+ // IMPORTANT: The code behind the if branch is OUTDATED and requires additional work before
+ // enabling the feature flag below.
+ // TODO(b/369141952): Update DPM.getApplicationRestrictions coexistence code
+ if (Flags.setApplicationRestrictionsCoexistence()) {
EnforcingAdmin enforcingAdmin = enforceCanQueryAndGetEnforcingAdmin(
who,
MANAGE_DEVICE_POLICY_APP_RESTRICTIONS,
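Review bot: The added comment says the branch below is outdated and must not be enabled yet, but it is gated on `Flags.setApplicationRestrictionsCoexistence()`, the same flag used by the `enforcePermissionAndGetEnforcingAdmin` hunk at -11845. Turning the flag on for that path therefore also turns on this query path, and a comment cannot prevent that. Until b/369141952 is resolved it would be safer to keep this branch on the legacy checks, for example behind a hard-coded-false private helper like the one the status-bar code uses, `isSetStatusBarDisabledCoexistenceEnabled()`. The method body continues outside the hunk.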
@@ -13328,21 +13331,12 @@
final CallerIdentity caller = getCallerIdentity(who, callerPackage);
ActiveAdmin admin;
- if (isUnicornFlagEnabled()) {
- EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
- who,
- MANAGE_DEVICE_POLICY_PACKAGE_STATE,
- caller.getPackageName(),
- caller.getUserId());
- admin = enforcingAdmin.getActiveAdmin();
- } else {
- Preconditions.checkCallAuthorization((caller.hasAdminComponent()
- && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
- || (caller.hasPackage() && isCallerDelegate(caller,
- DELEGATION_PACKAGE_ACCESS)));
- synchronized (getLockObject()) {
- admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId());
- }
+ Preconditions.checkCallAuthorization((caller.hasAdminComponent()
+ && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)))
+ || (caller.hasPackage() && isCallerDelegate(caller,
+ DELEGATION_PACKAGE_ACCESS)));
+ synchronized (getLockObject()) {
+ admin = getProfileOwnerOrDeviceOwnerLocked(caller.getUserId());
}
checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_SET_PACKAGES_SUSPENDED);
@@ -15585,12 +15579,12 @@
public boolean setStatusBarDisabled(ComponentName who, String callerPackageName,
boolean disabled) {
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (isSetStatusBarDisabledCoexistenceEnabled()) {
caller = getCallerIdentity(who, callerPackageName);
} else {
caller = getCallerIdentity(who);
}
- if (isUnicornFlagEnabled()) {
+ if (isSetStatusBarDisabledCoexistenceEnabled()) {
enforcePermission(MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(),
UserHandle.USER_ALL);
} else {
@@ -15601,7 +15595,7 @@
int userId = caller.getUserId();
synchronized (getLockObject()) {
- if (!isUnicornFlagEnabled()) {
+ if (!isSetStatusBarDisabledCoexistenceEnabled()) {
Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
"Admin " + who + " is neither the device owner or affiliated "
+ "user's profile owner.");
@@ -15660,7 +15654,7 @@
@Override
public boolean isStatusBarDisabled(String callerPackage) {
final CallerIdentity caller = getCallerIdentity(callerPackage);
- if (isUnicornFlagEnabled()) {
+ if (isSetStatusBarDisabledCoexistenceEnabled()) {
enforceCanQuery(
MANAGE_DEVICE_POLICY_STATUS_BAR, caller.getPackageName(), caller.getUserId());
} else {
@@ -15670,7 +15664,7 @@
int userId = caller.getUserId();
synchronized (getLockObject()) {
- if (!isUnicornFlagEnabled()) {
+ if (!isSetStatusBarDisabledCoexistenceEnabled()) {
Preconditions.checkCallAuthorization(isUserAffiliatedWithDeviceLocked(userId),
"Admin " + callerPackage
+ " is neither the device owner or affiliated user's profile owner.");
@@ -16862,7 +16856,7 @@
}
}
EnforcingAdmin enforcingAdmin;
- if (isUnicornFlagEnabled()) {
+ if (Flags.setPermissionGrantStateCoexistence()) {
enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
admin,
MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
@@ -17047,7 +17041,7 @@
public int getPermissionGrantState(ComponentName admin, String callerPackage,
String packageName, String permission) throws RemoteException {
final CallerIdentity caller = getCallerIdentity(admin, callerPackage);
- if (isUnicornFlagEnabled()) {
+ if (Flags.setPermissionGrantStateCoexistence()) {
enforceCanQuery(MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, caller.getPackageName(),
caller.getUserId());
} else {
@@ -19331,14 +19325,14 @@
throw new IllegalArgumentException("token must be at least 32-byte long");
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
caller = getCallerIdentity(admin, callerPackageName);
} else {
caller = getCallerIdentity(admin);
}
final int userId = caller.getUserId();
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
admin,
MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19394,7 +19388,7 @@
return false;
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
caller = getCallerIdentity(admin, callerPackageName);
} else {
caller = getCallerIdentity(admin);
@@ -19402,7 +19396,7 @@
final int userId = caller.getUserId();
boolean result = false;
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
admin,
MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19441,14 +19435,14 @@
return false;
}
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
caller = getCallerIdentity(admin, callerPackageName);
} else {
caller = getCallerIdentity(admin);
}
int userId = caller.getUserId();
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
admin,
MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19490,7 +19484,7 @@
Objects.requireNonNull(token);
CallerIdentity caller;
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
caller = getCallerIdentity(admin, callerPackageName);
} else {
caller = getCallerIdentity(admin);
@@ -19500,7 +19494,7 @@
boolean result = false;
final String password = passwordOrNull != null ? passwordOrNull : "";
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
admin,
MANAGE_DEVICE_POLICY_RESET_PASSWORD,
@@ -19531,7 +19525,7 @@
}
if (result) {
- if (isUnicornFlagEnabled()) {
+ if (Flags.resetPasswordWithTokenCoexistence()) {
DevicePolicyEventLogger
.createEvent(DevicePolicyEnums.RESET_PASSWORD_WITH_TOKEN)
.setAdmin(callerPackageName)
@@ -23812,7 +23806,7 @@
DEFAULT_VALUE_PERMISSION_BASED_ACCESS_FLAG);
}
- static boolean isUnicornFlagEnabled() {
+ private static boolean isSetStatusBarDisabledCoexistenceEnabled() {
return false;
}
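Review bot: `isSetStatusBarDisabledCoexistenceEnabled()` still returns a hard-coded `false` while every other call site in this commit moved to a `Flags.*` accessor, and nothing in the hunk says why. As written, the `MANAGE_DEVICE_POLICY_STATUS_BAR` branches in the status-bar hunks can never run, which a reader auditing those permission checks would want to know. A comment on the helper would cover it, e.g. `// Always false: the permission-based status bar path has no feature flag; callers always take the legacy checks. TODO(b/<bug id>): add a flag or delete the dead branches.` Narrowing the helper to `private` is a good change.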
@@ -24255,8 +24249,11 @@
synchronized (getLockObject()) {
Slogf.i(LOG_TAG,
"Started device policies migration to the device policy engine.");
- if (isUnicornFlagEnabled()) {
+ // TODO(b/359188869): Move this to the current migration method.
+ if (Flags.setAutoTimeZoneEnabledCoexistence()) {
migrateAutoTimezonePolicy();
+ }
+ if (Flags.setPermissionGrantStateCoexistence()) {
migratePermissionGrantStatePolicies();
}
migratePermittedInputMethodsPolicyLocked();
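Review bot: `migrateAutoTimezonePolicy()` and `migratePermissionGrantStatePolicies()` are now gated on the flag values at the moment this block runs, so a flag that is off here and enabled later would skip its migration. Whether this block runs once or repeatedly is not visible in the hunk; if it is one-shot, the flag-on API paths would presumably then work from a policy engine that never received the pre-existing admin policy. The TODO(b/359188869) points in this direction, but stating the consequence would help, e.g. `// NOTE: skipped when the flag is off at migration time; enabling the flag later needs its own migration step.` The enclosing method starts and ends outside the hunk.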
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
index 8068d46..4d9abf1 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
@@ -78,7 +78,7 @@
}
static boolean setAutoTimezoneEnabled(@Nullable Boolean enabled, @NonNull Context context) {
- if (!DevicePolicyManagerService.isUnicornFlagEnabled()) {
+ if (!Flags.setAutoTimeZoneEnabledCoexistence()) {
Slogf.w(LOG_TAG, "Trying to enforce setAutoTimezoneEnabled while flag is off.");
return true;
}
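Review bot: With the flag off this callback logs a warning and returns `true` without changing any setting, and `setPermissionGrantState` in the next hunk does the same. What the caller does with the return value is not visible here, but if `true` is taken as "enforced", a policy could be reported as applied when nothing was done. That matters more now that each API has its own flag. At minimum the early return should be documented, e.g. `// Flag off: no setting is changed; the callback still reports true.` The body of `setAutoTimezoneEnabled` continues outside the hunk.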
@@ -95,7 +95,7 @@
static boolean setPermissionGrantState(
@Nullable Integer grantState, @NonNull Context context, int userId,
@NonNull PolicyKey policyKey) {
- if (!DevicePolicyManagerService.isUnicornFlagEnabled()) {
+ if (!Flags.setPermissionGrantStateCoexistence()) {
Slogf.w(LOG_TAG, "Trying to enforce setPermissionGrantState while flag is off.");
return true;
}