1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.devicepolicy; 18 19 import static com.android.server.devicepolicy.DevicePolicyEngine.DEVICE_LOCK_CONTROLLER_ROLE; 20 21 import android.annotation.NonNull; 22 import android.annotation.Nullable; 23 import android.app.admin.AccountTypePolicyKey; 24 import android.app.admin.BooleanPolicyValue; 25 import android.app.admin.DevicePolicyIdentifiers; 26 import android.app.admin.DevicePolicyManager; 27 import android.app.admin.IntegerPolicyValue; 28 import android.app.admin.IntentFilterPolicyKey; 29 import android.app.admin.LockTaskPolicy; 30 import android.app.admin.NoArgsPolicyKey; 31 import android.app.admin.PackagePermissionPolicyKey; 32 import android.app.admin.PackagePolicyKey; 33 import android.app.admin.PolicyKey; 34 import android.app.admin.PolicyValue; 35 import android.app.admin.UserRestrictionPolicyKey; 36 import android.content.ComponentName; 37 import android.content.Context; 38 import android.content.IntentFilter; 39 import android.os.Bundle; 40 import android.os.UserManager; 41 42 import com.android.internal.util.function.QuadFunction; 43 import com.android.modules.utils.TypedXmlPullParser; 44 import com.android.modules.utils.TypedXmlSerializer; 45 import com.android.server.utils.Slogf; 46 47 import org.xmlpull.v1.XmlPullParserException; 48 49 import java.io.IOException; 50 import java.util.HashMap; 51 import java.util.LinkedHashMap; 52 import java.util.List; 53 import java.util.Map; 54 import java.util.Objects; 55 import java.util.Set; 56 57 final class PolicyDefinition<V> { 58 59 static final String TAG = "PolicyDefinition"; 60 61 private static final int POLICY_FLAG_NONE = 0; 62 63 // Only use this flag if a policy can not be applied locally. 64 private static final int POLICY_FLAG_GLOBAL_ONLY_POLICY = 1; 65 66 // Only use this flag if a policy can not be applied globally. 67 private static final int POLICY_FLAG_LOCAL_ONLY_POLICY = 1 << 1; 68 69 // Only use this flag if a policy is inheritable by child profile from parent. 70 private static final int POLICY_FLAG_INHERITABLE = 1 << 2; 71 72 // Use this flag if admin policies should be treated independently of each other and should not 73 // have any resolution logic applied, this should only be used for very limited policies were 74 // this would make sense and the enforcing logic should handle it appropriately, e.g. 75 // application restrictions set by different admins for a single package should not be merged, 76 // but saved and queried independent of each other. 77 // Currently, support is added for local only policies, if you need to add a non coexistable 78 // global policy please add support. 79 private static final int POLICY_FLAG_NON_COEXISTABLE_POLICY = 1 << 3; 80 81 // Add this flag to any policy that is a user restriction, the reason for this is that there 82 // are some special APIs to handle user restriction policies and this is the way we can identify 83 // them. 84 private static final int POLICY_FLAG_USER_RESTRICTION_POLICY = 1 << 4; 85 86 // Only invoke the policy enforcer callback when the policy value changes, and do not invoke the 87 // callback in other cases such as device reboots. 88 private static final int POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED = 1 << 5; 89 90 private static final MostRestrictive<Boolean> FALSE_MORE_RESTRICTIVE = new MostRestrictive<>( 91 List.of(new BooleanPolicyValue(false), new BooleanPolicyValue(true))); 92 93 private static final MostRestrictive<Boolean> TRUE_MORE_RESTRICTIVE = new MostRestrictive<>( 94 List.of(new BooleanPolicyValue(true), new BooleanPolicyValue(false))); 95 96 static PolicyDefinition<Boolean> AUTO_TIMEZONE = new PolicyDefinition<>( 97 new NoArgsPolicyKey(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY), 98 // auto timezone is disabled by default, hence enabling it is more restrictive. 99 TRUE_MORE_RESTRICTIVE, 100 POLICY_FLAG_GLOBAL_ONLY_POLICY, 101 (Boolean value, Context context, Integer userId, PolicyKey policyKey) -> 102 PolicyEnforcerCallbacks.setAutoTimezoneEnabled(value, context), 103 new BooleanPolicySerializer()); 104 105 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 106 // actual policy with the correct arguments (packageName and permission name) 107 // when reading the policies from xml. 108 static final PolicyDefinition<Integer> GENERIC_PERMISSION_GRANT = 109 new PolicyDefinition<>( 110 new PackagePermissionPolicyKey(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY), 111 // TODO: is this really the best mechanism, what makes denied more 112 // restrictive than 113 // granted? 114 new MostRestrictive<>( 115 List.of( 116 new IntegerPolicyValue( 117 DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED), 118 new IntegerPolicyValue( 119 DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED), 120 new IntegerPolicyValue( 121 DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT))), 122 POLICY_FLAG_LOCAL_ONLY_POLICY, 123 PolicyEnforcerCallbacks::setPermissionGrantState, 124 new IntegerPolicySerializer()); 125 126 /** 127 * Passing in {@code null} for {@code packageName} or {@code permissionName} will return a 128 * {@link #GENERIC_PERMISSION_GRANT}. 129 */ PERMISSION_GRANT( @onNull String packageName, @NonNull String permissionName)130 static PolicyDefinition<Integer> PERMISSION_GRANT( 131 @NonNull String packageName, @NonNull String permissionName) { 132 if (packageName == null || permissionName == null) { 133 return GENERIC_PERMISSION_GRANT; 134 } 135 return GENERIC_PERMISSION_GRANT.createPolicyDefinition( 136 new PackagePermissionPolicyKey( 137 DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, 138 packageName, 139 permissionName)); 140 } 141 142 static PolicyDefinition<Boolean> SECURITY_LOGGING = new PolicyDefinition<>( 143 new NoArgsPolicyKey(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY), 144 TRUE_MORE_RESTRICTIVE, 145 POLICY_FLAG_GLOBAL_ONLY_POLICY, 146 PolicyEnforcerCallbacks::enforceSecurityLogging, 147 new BooleanPolicySerializer()); 148 149 static PolicyDefinition<Boolean> AUDIT_LOGGING = new PolicyDefinition<>( 150 new NoArgsPolicyKey(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY), 151 TRUE_MORE_RESTRICTIVE, 152 POLICY_FLAG_GLOBAL_ONLY_POLICY, 153 PolicyEnforcerCallbacks::enforceAuditLogging, 154 new BooleanPolicySerializer()); 155 156 static PolicyDefinition<LockTaskPolicy> LOCK_TASK = new PolicyDefinition<>( 157 new NoArgsPolicyKey(DevicePolicyIdentifiers.LOCK_TASK_POLICY), 158 new TopPriority<>(List.of( 159 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 160 EnforcingAdmin.DPC_AUTHORITY)), 161 POLICY_FLAG_LOCAL_ONLY_POLICY, 162 (LockTaskPolicy value, Context context, Integer userId, PolicyKey policyKey) -> 163 PolicyEnforcerCallbacks.setLockTask(value, context, userId), 164 new LockTaskPolicySerializer()); 165 166 static PolicyDefinition<Set<String>> USER_CONTROLLED_DISABLED_PACKAGES = 167 new PolicyDefinition<>( 168 new NoArgsPolicyKey( 169 DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY), 170 new PackageSetUnion(), 171 PolicyEnforcerCallbacks::setUserControlDisabledPackages, 172 new PackageSetPolicySerializer()); 173 174 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 175 // actual policy with the correct arguments (i.e. packageName) when reading the policies from 176 // xml. 177 static PolicyDefinition<ComponentName> GENERIC_PERSISTENT_PREFERRED_ACTIVITY = 178 new PolicyDefinition<>( 179 new IntentFilterPolicyKey( 180 DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY), 181 new TopPriority<>(List.of( 182 EnforcingAdmin.getRoleAuthorityOf(DEVICE_LOCK_CONTROLLER_ROLE), 183 EnforcingAdmin.DPC_AUTHORITY)), 184 POLICY_FLAG_LOCAL_ONLY_POLICY, 185 PolicyEnforcerCallbacks::addPersistentPreferredActivity, 186 new ComponentNamePolicySerializer()); 187 188 /** 189 * Passing in {@code null} for {@code intentFilter} will return 190 * {@link #GENERIC_PERSISTENT_PREFERRED_ACTIVITY}. 191 */ PERSISTENT_PREFERRED_ACTIVITY( IntentFilter intentFilter)192 static PolicyDefinition<ComponentName> PERSISTENT_PREFERRED_ACTIVITY( 193 IntentFilter intentFilter) { 194 if (intentFilter == null) { 195 return GENERIC_PERSISTENT_PREFERRED_ACTIVITY; 196 } 197 return GENERIC_PERSISTENT_PREFERRED_ACTIVITY.createPolicyDefinition( 198 new IntentFilterPolicyKey( 199 DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, 200 intentFilter)); 201 } 202 203 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 204 // actual policy with the correct arguments (i.e. packageName) when reading the policies from 205 // xml. 206 static PolicyDefinition<Boolean> GENERIC_PACKAGE_UNINSTALL_BLOCKED = 207 new PolicyDefinition<>( 208 new PackagePolicyKey( 209 DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY), 210 TRUE_MORE_RESTRICTIVE, 211 POLICY_FLAG_LOCAL_ONLY_POLICY, 212 PolicyEnforcerCallbacks::setUninstallBlocked, 213 new BooleanPolicySerializer()); 214 215 /** 216 * Passing in {@code null} for {@code packageName} will return 217 * {@link #GENERIC_PACKAGE_UNINSTALL_BLOCKED}. 218 */ PACKAGE_UNINSTALL_BLOCKED( String packageName)219 static PolicyDefinition<Boolean> PACKAGE_UNINSTALL_BLOCKED( 220 String packageName) { 221 if (packageName == null) { 222 return GENERIC_PACKAGE_UNINSTALL_BLOCKED; 223 } 224 return GENERIC_PACKAGE_UNINSTALL_BLOCKED.createPolicyDefinition( 225 new PackagePolicyKey( 226 DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, packageName)); 227 } 228 229 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 230 // actual policy with the correct arguments (i.e. packageName) when reading the policies from 231 // xml. 232 static PolicyDefinition<Bundle> GENERIC_APPLICATION_RESTRICTIONS = 233 new PolicyDefinition<>( 234 new PackagePolicyKey( 235 DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY), 236 // Don't need to take in a resolution mechanism since its never used, but might 237 // need some refactoring to not always assume a non-null mechanism. 238 new MostRecent<>(), 239 // Only invoke the enforcement callback during policy change and not other state 240 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE 241 | POLICY_FLAG_NON_COEXISTABLE_POLICY 242 | POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED, 243 PolicyEnforcerCallbacks::setApplicationRestrictions, 244 new BundlePolicySerializer()); 245 246 /** 247 * Passing in {@code null} for {@code packageName} will return 248 * {@link #GENERIC_APPLICATION_RESTRICTIONS}. 249 */ APPLICATION_RESTRICTIONS(String packageName)250 static PolicyDefinition<Bundle> APPLICATION_RESTRICTIONS(String packageName) { 251 if (packageName == null) { 252 return GENERIC_APPLICATION_RESTRICTIONS; 253 } 254 return GENERIC_APPLICATION_RESTRICTIONS.createPolicyDefinition( 255 new PackagePolicyKey( 256 DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, packageName)); 257 } 258 259 static PolicyDefinition<Long> RESET_PASSWORD_TOKEN = new PolicyDefinition<>( 260 new NoArgsPolicyKey(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY), 261 // Don't need to take in a resolution mechanism since its never used, but might 262 // need some refactoring to not always assume a non-null mechanism. 263 new MostRecent<>(), 264 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_NON_COEXISTABLE_POLICY, 265 // DevicePolicyManagerService handles the enforcement, this just takes care of storage 266 PolicyEnforcerCallbacks::noOp, 267 new LongPolicySerializer()); 268 269 static PolicyDefinition<Integer> KEYGUARD_DISABLED_FEATURES = new PolicyDefinition<>( 270 new NoArgsPolicyKey(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY), 271 new FlagUnion(), 272 POLICY_FLAG_LOCAL_ONLY_POLICY, 273 // Nothing is enforced for keyguard features, we just need to store it 274 PolicyEnforcerCallbacks::noOp, 275 new IntegerPolicySerializer()); 276 277 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 278 // actual policy with the correct arguments (i.e. packageName) when reading the policies from 279 // xml. 280 static PolicyDefinition<Boolean> GENERIC_APPLICATION_HIDDEN = 281 new PolicyDefinition<>( 282 new PackagePolicyKey( 283 DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY), 284 // TODO(b/276713779): Don't need to take in a resolution mechanism since its 285 // never used, but might need some refactoring to not always assume a non-null 286 // mechanism. 287 TRUE_MORE_RESTRICTIVE, 288 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 289 PolicyEnforcerCallbacks::setApplicationHidden, 290 new BooleanPolicySerializer()); 291 292 /** 293 * Passing in {@code null} for {@code packageName} will return 294 * {@link #GENERIC_APPLICATION_HIDDEN}. 295 */ APPLICATION_HIDDEN(String packageName)296 static PolicyDefinition<Boolean> APPLICATION_HIDDEN(String packageName) { 297 if (packageName == null) { 298 return GENERIC_APPLICATION_HIDDEN; 299 } 300 return GENERIC_APPLICATION_HIDDEN.createPolicyDefinition( 301 new PackagePolicyKey( 302 DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, packageName)); 303 } 304 305 // This is saved in the static map sPolicyDefinitions so that we're able to reconstruct the 306 // actual policy with the correct arguments (i.e. packageName) when reading the policies from 307 // xml. 308 static PolicyDefinition<Boolean> GENERIC_ACCOUNT_MANAGEMENT_DISABLED = 309 new PolicyDefinition<>( 310 new AccountTypePolicyKey( 311 DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY), 312 TRUE_MORE_RESTRICTIVE, 313 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 314 // Nothing is enforced, we just need to store it 315 PolicyEnforcerCallbacks::noOp, 316 new BooleanPolicySerializer()); 317 318 /** 319 * Passing in {@code null} for {@code accountType} will return 320 * {@link #GENERIC_ACCOUNT_MANAGEMENT_DISABLED}. 321 */ ACCOUNT_MANAGEMENT_DISABLED(String accountType)322 static PolicyDefinition<Boolean> ACCOUNT_MANAGEMENT_DISABLED(String accountType) { 323 if (accountType == null) { 324 return GENERIC_ACCOUNT_MANAGEMENT_DISABLED; 325 } 326 return GENERIC_ACCOUNT_MANAGEMENT_DISABLED.createPolicyDefinition( 327 new AccountTypePolicyKey( 328 DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, accountType)); 329 } 330 331 static PolicyDefinition<Set<String>> PERMITTED_INPUT_METHODS = new PolicyDefinition<>( 332 new NoArgsPolicyKey(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY), 333 new MostRecent<>(), 334 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 335 PolicyEnforcerCallbacks::noOp, 336 new PackageSetPolicySerializer()); 337 338 339 static PolicyDefinition<Boolean> SCREEN_CAPTURE_DISABLED = new PolicyDefinition<>( 340 new NoArgsPolicyKey(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY), 341 TRUE_MORE_RESTRICTIVE, 342 POLICY_FLAG_INHERITABLE, 343 PolicyEnforcerCallbacks::setScreenCaptureDisabled, 344 new BooleanPolicySerializer()); 345 346 static PolicyDefinition<Boolean> PERSONAL_APPS_SUSPENDED = new PolicyDefinition<>( 347 new NoArgsPolicyKey(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY), 348 new MostRecent<>(), 349 POLICY_FLAG_LOCAL_ONLY_POLICY | POLICY_FLAG_INHERITABLE, 350 PolicyEnforcerCallbacks::setPersonalAppsSuspended, 351 new BooleanPolicySerializer()); 352 353 static PolicyDefinition<Boolean> USB_DATA_SIGNALING = new PolicyDefinition<>( 354 new NoArgsPolicyKey(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY), 355 // usb data signaling is enabled by default, hence disabling it is more restrictive. 356 FALSE_MORE_RESTRICTIVE, 357 POLICY_FLAG_GLOBAL_ONLY_POLICY, 358 (Boolean value, Context context, Integer userId, PolicyKey policyKey) -> 359 PolicyEnforcerCallbacks.setUsbDataSignalingEnabled(value, context), 360 new BooleanPolicySerializer()); 361 362 static PolicyDefinition<Integer> CONTENT_PROTECTION = new PolicyDefinition<>( 363 new NoArgsPolicyKey(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY), 364 new MostRecent<>(), 365 POLICY_FLAG_LOCAL_ONLY_POLICY, 366 PolicyEnforcerCallbacks::setContentProtectionPolicy, 367 new IntegerPolicySerializer()); 368 369 static PolicyDefinition<Integer> PASSWORD_COMPLEXITY = new PolicyDefinition<>( 370 new NoArgsPolicyKey(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY), 371 new MostRestrictive<>( 372 List.of( 373 new IntegerPolicyValue( 374 DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH), 375 new IntegerPolicyValue( 376 DevicePolicyManager.PASSWORD_COMPLEXITY_MEDIUM), 377 new IntegerPolicyValue( 378 DevicePolicyManager.PASSWORD_COMPLEXITY_LOW), 379 new IntegerPolicyValue( 380 DevicePolicyManager.PASSWORD_COMPLEXITY_NONE))), 381 POLICY_FLAG_LOCAL_ONLY_POLICY, 382 PolicyEnforcerCallbacks::noOp, 383 new IntegerPolicySerializer()); 384 385 static PolicyDefinition<Set<String>> PACKAGES_SUSPENDED = 386 new PolicyDefinition<>( 387 new NoArgsPolicyKey( 388 DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY), 389 new PackageSetUnion(), 390 PolicyEnforcerCallbacks::noOp, 391 new PackageSetPolicySerializer()); 392 393 private static final Map<String, PolicyDefinition<?>> POLICY_DEFINITIONS = new HashMap<>(); 394 private static Map<String, Integer> USER_RESTRICTION_FLAGS = new HashMap<>(); 395 396 // TODO(b/277218360): Revisit policies that should be marked as global-only. 397 static { POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY, AUTO_TIMEZONE)398 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUTO_TIMEZONE_POLICY, AUTO_TIMEZONE); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, GENERIC_PERMISSION_GRANT)399 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMISSION_GRANT_POLICY, 400 GENERIC_PERMISSION_GRANT); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY, SECURITY_LOGGING)401 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY, 402 SECURITY_LOGGING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY, AUDIT_LOGGING)403 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.AUDIT_LOGGING_POLICY, 404 AUDIT_LOGGING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.LOCK_TASK_POLICY, LOCK_TASK)405 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.LOCK_TASK_POLICY, LOCK_TASK); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY, USER_CONTROLLED_DISABLED_PACKAGES)406 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY, 407 USER_CONTROLLED_DISABLED_PACKAGES); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, GENERIC_PERSISTENT_PREFERRED_ACTIVITY)408 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY, 409 GENERIC_PERSISTENT_PREFERRED_ACTIVITY); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, GENERIC_PACKAGE_UNINSTALL_BLOCKED)410 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY, 411 GENERIC_PACKAGE_UNINSTALL_BLOCKED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, GENERIC_APPLICATION_RESTRICTIONS)412 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_RESTRICTIONS_POLICY, 413 GENERIC_APPLICATION_RESTRICTIONS); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY, RESET_PASSWORD_TOKEN)414 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.RESET_PASSWORD_TOKEN_POLICY, 415 RESET_PASSWORD_TOKEN); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY, KEYGUARD_DISABLED_FEATURES)416 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.KEYGUARD_DISABLED_FEATURES_POLICY, 417 KEYGUARD_DISABLED_FEATURES); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, GENERIC_APPLICATION_HIDDEN)418 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY, 419 GENERIC_APPLICATION_HIDDEN); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, GENERIC_ACCOUNT_MANAGEMENT_DISABLED)420 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY, 421 GENERIC_ACCOUNT_MANAGEMENT_DISABLED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY, PERMITTED_INPUT_METHODS)422 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERMITTED_INPUT_METHODS_POLICY, 423 PERMITTED_INPUT_METHODS); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY, SCREEN_CAPTURE_DISABLED)424 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.SCREEN_CAPTURE_DISABLED_POLICY, 425 SCREEN_CAPTURE_DISABLED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY, PERSONAL_APPS_SUSPENDED)426 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PERSONAL_APPS_SUSPENDED_POLICY, 427 PERSONAL_APPS_SUSPENDED); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY, USB_DATA_SIGNALING)428 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.USB_DATA_SIGNALING_POLICY, 429 USB_DATA_SIGNALING); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY, CONTENT_PROTECTION)430 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY, 431 CONTENT_PROTECTION); 432 // Intentionally not flagged since if the flag is flipped off on a device already 433 // having PASSWORD_COMPLEXITY policy in the on-device XML, it will cause the 434 // deserialization logic to break due to seeing an unknown tag. POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY, PASSWORD_COMPLEXITY)435 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY, 436 PASSWORD_COMPLEXITY); POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY, PACKAGES_SUSPENDED)437 POLICY_DEFINITIONS.put(DevicePolicyIdentifiers.PACKAGES_SUSPENDED_POLICY, 438 PACKAGES_SUSPENDED); 439 440 // User Restriction Policies USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MODIFY_ACCOUNTS, 0)441 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MODIFY_ACCOUNTS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_WIFI, 0)442 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_WIFI, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CHANGE_WIFI_STATE, POLICY_FLAG_GLOBAL_ONLY_POLICY)443 USER_RESTRICTION_FLAGS.put( 444 UserManager.DISALLOW_CHANGE_WIFI_STATE, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_WIFI_TETHERING, POLICY_FLAG_GLOBAL_ONLY_POLICY)445 USER_RESTRICTION_FLAGS.put( 446 UserManager.DISALLOW_WIFI_TETHERING, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_GRANT_ADMIN, 0)447 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_GRANT_ADMIN, /* flags= */ 0); 448 // TODO: set as global only once we get rid of the mapping USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI, 0)449 USER_RESTRICTION_FLAGS.put( 450 UserManager.DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_WIFI_DIRECT, POLICY_FLAG_GLOBAL_ONLY_POLICY)451 USER_RESTRICTION_FLAGS.put( 452 UserManager.DISALLOW_WIFI_DIRECT, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_ADD_WIFI_CONFIG, POLICY_FLAG_GLOBAL_ONLY_POLICY)453 USER_RESTRICTION_FLAGS.put( 454 UserManager.DISALLOW_ADD_WIFI_CONFIG, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCALE, 0)455 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCALE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_APPS, 0)456 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNINSTALL_APPS, 0)457 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNINSTALL_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_LOCATION, 0)458 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_LOCATION, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_AIRPLANE_MODE, POLICY_FLAG_GLOBAL_ONLY_POLICY)459 USER_RESTRICTION_FLAGS.put( 460 UserManager.DISALLOW_AIRPLANE_MODE, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BRIGHTNESS, 0)461 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BRIGHTNESS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AMBIENT_DISPLAY, 0)462 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AMBIENT_DISPLAY, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_SCREEN_TIMEOUT, 0)463 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_SCREEN_TIMEOUT, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, 0)464 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, POLICY_FLAG_GLOBAL_ONLY_POLICY)465 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY, 466 POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BLUETOOTH, 0)467 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_BLUETOOTH, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH, 0)468 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH_SHARING, 0)469 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BLUETOOTH_SHARING, /* flags= */ 0); 470 // This effectively always applies globally, but it can be set on the profile 471 // parent, check the javadocs on the restriction for more info. USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_USB_FILE_TRANSFER, 0)472 USER_RESTRICTION_FLAGS.put( 473 UserManager.DISALLOW_USB_FILE_TRANSFER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CREDENTIALS, 0)474 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CREDENTIALS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_USER, 0)475 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_USER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, 0)476 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DEBUGGING_FEATURES, 0)477 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DEBUGGING_FEATURES, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_VPN, 0)478 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_VPN, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCATION, 0)479 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_LOCATION, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DATE_TIME, 0)480 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DATE_TIME, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CONFIG_TETHERING, 0)481 USER_RESTRICTION_FLAGS.put( 482 UserManager.DISALLOW_CONFIG_TETHERING, /* flags= */ 0); 483 // This effectively always applies globally, but it can be set on the profile 484 // parent, check the javadocs on the restriction for more info. USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_NETWORK_RESET, 0)485 USER_RESTRICTION_FLAGS.put( 486 UserManager.DISALLOW_NETWORK_RESET, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FACTORY_RESET, 0)487 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FACTORY_RESET, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_USER, 0)488 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_USER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_MANAGED_PROFILE, 0)489 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_CLONE_PROFILE, 0)490 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_CLONE_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, 0)491 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADD_PRIVATE_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.ENSURE_VERIFY_APPS, POLICY_FLAG_GLOBAL_ONLY_POLICY)492 USER_RESTRICTION_FLAGS.put(UserManager.ENSURE_VERIFY_APPS, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, 0)493 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, 0)494 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_APPS_CONTROL, 0)495 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_APPS_CONTROL, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, 0)496 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_MICROPHONE, 0)497 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_MICROPHONE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADJUST_VOLUME, 0)498 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ADJUST_VOLUME, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_CALLS, 0)499 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_CALLS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SMS, 0)500 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SMS, /* flags= */ 0); 501 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FUN, 0)502 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_FUN, /* flags= */ 0); 503 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CREATE_WINDOWS, 0)504 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CREATE_WINDOWS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, 0)505 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, 0)506 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, /* flags= */ 0); 507 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_BEAM, 0)508 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OUTGOING_BEAM, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_WALLPAPER, 0)509 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_WALLPAPER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_WALLPAPER, 0)510 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_WALLPAPER, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SAFE_BOOT, 0)511 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SAFE_BOOT, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RECORD_AUDIO, 0)512 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RECORD_AUDIO, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RUN_IN_BACKGROUND, 0)513 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_RUN_IN_BACKGROUND, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA, 0)514 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_DEVICE, 0)515 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNMUTE_DEVICE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DATA_ROAMING, 0)516 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_DATA_ROAMING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_USER_ICON, 0)517 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SET_USER_ICON, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OEM_UNLOCK, 0)518 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_OEM_UNLOCK, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNIFIED_PASSWORD, 0)519 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_UNIFIED_PASSWORD, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, 0)520 USER_RESTRICTION_FLAGS.put(UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AUTOFILL, 0)521 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_AUTOFILL, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_CAPTURE, 0)522 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_CAPTURE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_SUGGESTIONS, 0)523 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONTENT_SUGGESTIONS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_USER_SWITCH, POLICY_FLAG_GLOBAL_ONLY_POLICY)524 USER_RESTRICTION_FLAGS.put( 525 UserManager.DISALLOW_USER_SWITCH, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, 0)526 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_PRINTING, 0)527 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_PRINTING, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CONFIG_PRIVATE_DNS, POLICY_FLAG_GLOBAL_ONLY_POLICY)528 USER_RESTRICTION_FLAGS.put( 529 UserManager.DISALLOW_CONFIG_PRIVATE_DNS, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MICROPHONE_TOGGLE, 0)530 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_MICROPHONE_TOGGLE, /* flags= */ 0); 531 // TODO: According the UserRestrictionsUtils, this is global only, need to confirm. USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA_TOGGLE, 0)532 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CAMERA_TOGGLE, /* flags= */ 0); 533 // TODO: check if its global only USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BIOMETRIC, 0)534 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_BIOMETRIC, /* flags= */ 0); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DEFAULT_APPS, 0)535 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_CONFIG_DEFAULT_APPS, /* flags= */ 0); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_CELLULAR_2G, POLICY_FLAG_GLOBAL_ONLY_POLICY)536 USER_RESTRICTION_FLAGS.put( 537 UserManager.DISALLOW_CELLULAR_2G, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_ULTRA_WIDEBAND_RADIO, POLICY_FLAG_GLOBAL_ONLY_POLICY)538 USER_RESTRICTION_FLAGS.put( 539 UserManager.DISALLOW_ULTRA_WIDEBAND_RADIO, POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_SIM_GLOBALLY, POLICY_FLAG_GLOBAL_ONLY_POLICY)540 USER_RESTRICTION_FLAGS.put( 541 UserManager.DISALLOW_SIM_GLOBALLY, 542 POLICY_FLAG_GLOBAL_ONLY_POLICY); USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, 0)543 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, /* flags= */ 0); 544 if (com.android.net.thread.platform.flags.Flags.threadUserRestrictionEnabled()) { USER_RESTRICTION_FLAGS.put( UserManager.DISALLOW_THREAD_NETWORK, POLICY_FLAG_GLOBAL_ONLY_POLICY)545 USER_RESTRICTION_FLAGS.put( 546 UserManager.DISALLOW_THREAD_NETWORK, POLICY_FLAG_GLOBAL_ONLY_POLICY); 547 } USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, 0)548 USER_RESTRICTION_FLAGS.put(UserManager.DISALLOW_ASSIST_CONTENT, /* flags= */ 0); 549 for (String key : USER_RESTRICTION_FLAGS.keySet()) { createAndAddUserRestrictionPolicyDefinition(key, USER_RESTRICTION_FLAGS.get(key))550 createAndAddUserRestrictionPolicyDefinition(key, USER_RESTRICTION_FLAGS.get(key)); 551 } 552 } 553 554 private final PolicyKey mPolicyKey; 555 private final ResolutionMechanism<V> mResolutionMechanism; 556 private final int mPolicyFlags; 557 // A function that accepts policy to apply, context, userId, callback arguments, and returns 558 // true if the policy has been enforced successfully. 559 private final QuadFunction<V, Context, Integer, PolicyKey, Boolean> mPolicyEnforcerCallback; 560 private final PolicySerializer<V> mPolicySerializer; 561 createPolicyDefinition(PolicyKey key)562 private PolicyDefinition<V> createPolicyDefinition(PolicyKey key) { 563 return new PolicyDefinition<>(key, mResolutionMechanism, mPolicyFlags, 564 mPolicyEnforcerCallback, mPolicySerializer); 565 } 566 getPolicyDefinitionForUserRestriction( @serManager.UserRestrictionKey String restriction)567 static PolicyDefinition<Boolean> getPolicyDefinitionForUserRestriction( 568 @UserManager.UserRestrictionKey String restriction) { 569 String key = DevicePolicyIdentifiers.getIdentifierForUserRestriction(restriction); 570 571 if (!POLICY_DEFINITIONS.containsKey(key)) { 572 throw new IllegalArgumentException("Unsupported user restriction " + restriction); 573 } 574 // All user restrictions are of type boolean 575 return (PolicyDefinition<Boolean>) POLICY_DEFINITIONS.get(key); 576 } 577 578 @NonNull getPolicyKey()579 PolicyKey getPolicyKey() { 580 return mPolicyKey; 581 } 582 583 @NonNull getResolutionMechanism()584 ResolutionMechanism<V> getResolutionMechanism() { 585 return mResolutionMechanism; 586 } 587 /** 588 * Returns {@code true} if the policy is a global policy by nature and can't be applied locally. 589 */ isGlobalOnlyPolicy()590 boolean isGlobalOnlyPolicy() { 591 return (mPolicyFlags & POLICY_FLAG_GLOBAL_ONLY_POLICY) != 0; 592 } 593 594 /** 595 * Returns {@code true} if the policy is a local policy by nature and can't be applied globally. 596 */ isLocalOnlyPolicy()597 boolean isLocalOnlyPolicy() { 598 return (mPolicyFlags & POLICY_FLAG_LOCAL_ONLY_POLICY) != 0; 599 } 600 601 /** 602 * Returns {@code true} if the policy is inheritable by child profiles. 603 */ isInheritable()604 boolean isInheritable() { 605 return (mPolicyFlags & POLICY_FLAG_INHERITABLE) != 0; 606 } 607 608 /** 609 * Returns {@code true} if the policy engine should not try to resolve policies set by different 610 * admins and should just store it and pass it on to the enforcing logic. 611 */ isNonCoexistablePolicy()612 boolean isNonCoexistablePolicy() { 613 return (mPolicyFlags & POLICY_FLAG_NON_COEXISTABLE_POLICY) != 0; 614 } 615 isUserRestrictionPolicy()616 boolean isUserRestrictionPolicy() { 617 return (mPolicyFlags & POLICY_FLAG_USER_RESTRICTION_POLICY) != 0; 618 } 619 shouldSkipEnforcementIfNotChanged()620 boolean shouldSkipEnforcementIfNotChanged() { 621 return (mPolicyFlags & POLICY_FLAG_SKIP_ENFORCEMENT_IF_UNCHANGED) != 0; 622 } 623 624 @Nullable resolvePolicy(LinkedHashMap<EnforcingAdmin, PolicyValue<V>> adminsPolicy)625 PolicyValue<V> resolvePolicy(LinkedHashMap<EnforcingAdmin, PolicyValue<V>> adminsPolicy) { 626 return mResolutionMechanism.resolve(adminsPolicy); 627 } 628 enforcePolicy(@ullable V value, Context context, int userId)629 boolean enforcePolicy(@Nullable V value, Context context, int userId) { 630 return mPolicyEnforcerCallback.apply(value, context, userId, mPolicyKey); 631 } 632 createAndAddUserRestrictionPolicyDefinition( String restriction, int flags)633 private static void createAndAddUserRestrictionPolicyDefinition( 634 String restriction, int flags) { 635 String identifier = DevicePolicyIdentifiers.getIdentifierForUserRestriction(restriction); 636 UserRestrictionPolicyKey key = new UserRestrictionPolicyKey(identifier, restriction); 637 flags |= (POLICY_FLAG_USER_RESTRICTION_POLICY | POLICY_FLAG_INHERITABLE); 638 PolicyDefinition<Boolean> definition = new PolicyDefinition<>( 639 key, 640 TRUE_MORE_RESTRICTIVE, 641 flags, 642 PolicyEnforcerCallbacks::setUserRestriction, 643 new BooleanPolicySerializer()); 644 POLICY_DEFINITIONS.put(key.getIdentifier(), definition); 645 } 646 647 648 /** 649 * Callers must ensure that {@code policyType} have implemented an appropriate 650 * {@link Object#equals} implementation. 651 */ PolicyDefinition( @onNull PolicyKey key, ResolutionMechanism<V> resolutionMechanism, QuadFunction<V, Context, Integer, PolicyKey, Boolean> policyEnforcerCallback, PolicySerializer<V> policySerializer)652 private PolicyDefinition( 653 @NonNull PolicyKey key, 654 ResolutionMechanism<V> resolutionMechanism, 655 QuadFunction<V, Context, Integer, PolicyKey, Boolean> policyEnforcerCallback, 656 PolicySerializer<V> policySerializer) { 657 this(key, resolutionMechanism, POLICY_FLAG_NONE, policyEnforcerCallback, policySerializer); 658 } 659 660 /** 661 * Callers must ensure that custom {@code policyKeys} and {@code V} have an appropriate 662 * {@link Object#equals} and {@link Object#hashCode()} implementation. 663 */ PolicyDefinition( @onNull PolicyKey policyKey, ResolutionMechanism<V> resolutionMechanism, int policyFlags, QuadFunction<V, Context, Integer, PolicyKey, Boolean> policyEnforcerCallback, PolicySerializer<V> policySerializer)664 private PolicyDefinition( 665 @NonNull PolicyKey policyKey, 666 ResolutionMechanism<V> resolutionMechanism, 667 int policyFlags, 668 QuadFunction<V, Context, Integer, PolicyKey, Boolean> policyEnforcerCallback, 669 PolicySerializer<V> policySerializer) { 670 Objects.requireNonNull(policyKey); 671 mPolicyKey = policyKey; 672 mResolutionMechanism = resolutionMechanism; 673 mPolicyFlags = policyFlags; 674 mPolicyEnforcerCallback = policyEnforcerCallback; 675 mPolicySerializer = policySerializer; 676 677 if (isNonCoexistablePolicy() && !isLocalOnlyPolicy()) { 678 throw new UnsupportedOperationException("Non-coexistable global policies not supported," 679 + "please add support."); 680 } 681 // TODO: maybe use this instead of manually adding to the map 682 // sPolicyDefinitions.put(policyDefinitionKey, this); 683 } 684 saveToXml(TypedXmlSerializer serializer)685 void saveToXml(TypedXmlSerializer serializer) throws IOException { 686 mPolicyKey.saveToXml(serializer); 687 } 688 689 @Nullable readFromXml(TypedXmlPullParser parser)690 static <V> PolicyDefinition<V> readFromXml(TypedXmlPullParser parser) 691 throws XmlPullParserException, IOException { 692 // TODO: can we avoid casting? 693 PolicyKey policyKey = readPolicyKeyFromXml(parser); 694 if (policyKey == null) { 695 Slogf.wtf(TAG, "Error parsing PolicyDefinition, PolicyKey is null."); 696 return null; 697 } 698 PolicyDefinition<V> genericPolicyDefinition = 699 (PolicyDefinition<V>) POLICY_DEFINITIONS.get(policyKey.getIdentifier()); 700 if (genericPolicyDefinition == null) { 701 Slogf.wtf(TAG, "Unknown generic policy key: " + policyKey); 702 return null; 703 } 704 return genericPolicyDefinition.createPolicyDefinition(policyKey); 705 } 706 707 @Nullable readPolicyKeyFromXml(TypedXmlPullParser parser)708 static <V> PolicyKey readPolicyKeyFromXml(TypedXmlPullParser parser) 709 throws XmlPullParserException, IOException { 710 // TODO: can we avoid casting? 711 PolicyKey policyKey = PolicyKey.readGenericPolicyKeyFromXml(parser); 712 if (policyKey == null) { 713 Slogf.wtf(TAG, "Error parsing PolicyKey, GenericPolicyKey is null"); 714 return null; 715 } 716 PolicyDefinition<PolicyValue<V>> genericPolicyDefinition = 717 (PolicyDefinition<PolicyValue<V>>) POLICY_DEFINITIONS.get( 718 policyKey.getIdentifier()); 719 if (genericPolicyDefinition == null) { 720 Slogf.wtf(TAG, "Error parsing PolicyKey, Unknown generic policy key: " + policyKey); 721 return null; 722 } 723 return genericPolicyDefinition.mPolicyKey.readFromXml(parser); 724 } 725 savePolicyValueToXml(TypedXmlSerializer serializer, V value)726 void savePolicyValueToXml(TypedXmlSerializer serializer, V value) 727 throws IOException { 728 mPolicySerializer.saveToXml(serializer, value); 729 } 730 731 @Nullable readPolicyValueFromXml(TypedXmlPullParser parser)732 PolicyValue<V> readPolicyValueFromXml(TypedXmlPullParser parser) { 733 return mPolicySerializer.readFromXml(parser); 734 } 735 736 @Override toString()737 public String toString() { 738 return "PolicyDefinition{ mPolicyKey= " + mPolicyKey + ", mResolutionMechanism= " 739 + mResolutionMechanism + ", mPolicyFlags= " + mPolicyFlags + " }"; 740 } 741 } 742