UserRestrictionsUtils.java revision f2519814cc7136773a115b770d20cf4c92945952
1/* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package com.android.server.pm; 18 19import com.google.android.collect.Sets; 20 21import com.android.internal.util.Preconditions; 22 23import android.annotation.NonNull; 24import android.annotation.Nullable; 25import android.app.ActivityManager; 26import android.app.ActivityManagerNative; 27import android.content.ContentResolver; 28import android.content.Context; 29import android.net.Uri; 30import android.os.Binder; 31import android.os.Bundle; 32import android.os.RemoteException; 33import android.os.SystemProperties; 34import android.os.UserHandle; 35import android.os.UserManager; 36import android.telephony.SubscriptionInfo; 37import android.telephony.SubscriptionManager; 38import android.util.Log; 39 40import org.xmlpull.v1.XmlPullParser; 41import org.xmlpull.v1.XmlSerializer; 42 43import java.io.IOException; 44import java.io.PrintWriter; 45import java.util.List; 46import java.util.Set; 47 48/** 49 * Utility methods for user restrictions. 50 * 51 * <p>See {@link UserManagerService} for the method suffixes. 52 */ 53public class UserRestrictionsUtils { 54 private static final String TAG = "UserRestrictionsUtils"; 55 56 private UserRestrictionsUtils() { 57 } 58 59 public static final Set<String> USER_RESTRICTIONS = Sets.newArraySet( 60 UserManager.DISALLOW_CONFIG_WIFI, 61 UserManager.DISALLOW_MODIFY_ACCOUNTS, 62 UserManager.DISALLOW_INSTALL_APPS, 63 UserManager.DISALLOW_UNINSTALL_APPS, 64 UserManager.DISALLOW_SHARE_LOCATION, 65 UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, 66 UserManager.DISALLOW_CONFIG_BLUETOOTH, 67 UserManager.DISALLOW_USB_FILE_TRANSFER, 68 UserManager.DISALLOW_CONFIG_CREDENTIALS, 69 UserManager.DISALLOW_REMOVE_USER, 70 UserManager.DISALLOW_DEBUGGING_FEATURES, 71 UserManager.DISALLOW_CONFIG_VPN, 72 UserManager.DISALLOW_CONFIG_TETHERING, 73 UserManager.DISALLOW_NETWORK_RESET, 74 UserManager.DISALLOW_FACTORY_RESET, 75 UserManager.DISALLOW_ADD_USER, 76 UserManager.ENSURE_VERIFY_APPS, 77 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, 78 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, 79 UserManager.DISALLOW_APPS_CONTROL, 80 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, 81 UserManager.DISALLOW_UNMUTE_MICROPHONE, 82 UserManager.DISALLOW_ADJUST_VOLUME, 83 UserManager.DISALLOW_OUTGOING_CALLS, 84 UserManager.DISALLOW_SMS, 85 UserManager.DISALLOW_FUN, 86 UserManager.DISALLOW_CREATE_WINDOWS, 87 UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, 88 UserManager.DISALLOW_OUTGOING_BEAM, 89 UserManager.DISALLOW_WALLPAPER, 90 UserManager.DISALLOW_SAFE_BOOT, 91 UserManager.ALLOW_PARENT_PROFILE_APP_LINKING, 92 UserManager.DISALLOW_RECORD_AUDIO, 93 UserManager.DISALLOW_CAMERA, 94 UserManager.DISALLOW_RUN_IN_BACKGROUND, 95 UserManager.DISALLOW_DATA_ROAMING, 96 UserManager.DISALLOW_SET_USER_ICON, 97 UserManager.DISALLOW_SET_WALLPAPER 98 ); 99 100 /** 101 * Set of user restriction which we don't want to persist. 102 */ 103 private static final Set<String> NON_PERSIST_USER_RESTRICTIONS = Sets.newArraySet( 104 UserManager.DISALLOW_RECORD_AUDIO 105 ); 106 107 /** 108 * User restrictions that can not be set by profile owners. 109 */ 110 private static final Set<String> DEVICE_OWNER_ONLY_RESTRICTIONS = Sets.newArraySet( 111 UserManager.DISALLOW_USB_FILE_TRANSFER, 112 UserManager.DISALLOW_CONFIG_TETHERING, 113 UserManager.DISALLOW_NETWORK_RESET, 114 UserManager.DISALLOW_FACTORY_RESET, 115 UserManager.DISALLOW_ADD_USER, 116 UserManager.DISALLOW_CONFIG_CELL_BROADCASTS, 117 UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS, 118 UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, 119 UserManager.DISALLOW_SMS, 120 UserManager.DISALLOW_FUN, 121 UserManager.DISALLOW_SAFE_BOOT, 122 UserManager.DISALLOW_CREATE_WINDOWS, 123 UserManager.DISALLOW_DATA_ROAMING 124 ); 125 126 /** 127 * User restrictions that can't be changed by device owner or profile owner. 128 */ 129 private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet( 130 UserManager.DISALLOW_RECORD_AUDIO, 131 UserManager.DISALLOW_WALLPAPER 132 ); 133 134 /** 135 * Special user restrictions that can be applied to a user as well as to all users globally, 136 * depending on callers. When device owner sets them, they'll be applied to all users. 137 */ 138 private static final Set<String> GLOBAL_RESTRICTIONS = Sets.newArraySet( 139 UserManager.DISALLOW_ADJUST_VOLUME, 140 UserManager.DISALLOW_RUN_IN_BACKGROUND, 141 UserManager.DISALLOW_UNMUTE_MICROPHONE 142 ); 143 144 public static void writeRestrictions(@NonNull XmlSerializer serializer, 145 @Nullable Bundle restrictions, @NonNull String tag) throws IOException { 146 if (restrictions == null) { 147 return; 148 } 149 150 serializer.startTag(null, tag); 151 for (String key : restrictions.keySet()) { 152 if (NON_PERSIST_USER_RESTRICTIONS.contains(key)) { 153 continue; // Don't persist. 154 } 155 if (USER_RESTRICTIONS.contains(key)) { 156 if (restrictions.getBoolean(key)) { 157 serializer.attribute(null, key, "true"); 158 } 159 continue; 160 } 161 Log.w(TAG, "Unknown user restriction detected: " + key); 162 } 163 serializer.endTag(null, tag); 164 } 165 166 public static void readRestrictions(XmlPullParser parser, Bundle restrictions) 167 throws IOException { 168 for (String key : USER_RESTRICTIONS) { 169 final String value = parser.getAttributeValue(null, key); 170 if (value != null) { 171 restrictions.putBoolean(key, Boolean.parseBoolean(value)); 172 } 173 } 174 } 175 176 /** 177 * @return {@code in} itself when it's not null, or an empty bundle (which can writable). 178 */ 179 public static Bundle nonNull(@Nullable Bundle in) { 180 return in != null ? in : new Bundle(); 181 } 182 183 public static boolean isEmpty(@Nullable Bundle in) { 184 return (in == null) || (in.size() == 0); 185 } 186 187 /** 188 * Creates a copy of the {@code in} Bundle. If {@code in} is null, it'll return an empty 189 * bundle. 190 * 191 * <p>The resulting {@link Bundle} is always writable. (i.e. it won't return 192 * {@link Bundle#EMPTY}) 193 */ 194 public static @NonNull Bundle clone(@Nullable Bundle in) { 195 return (in != null) ? new Bundle(in) : new Bundle(); 196 } 197 198 public static void merge(@NonNull Bundle dest, @Nullable Bundle in) { 199 Preconditions.checkNotNull(dest); 200 Preconditions.checkArgument(dest != in); 201 if (in == null) { 202 return; 203 } 204 for (String key : in.keySet()) { 205 if (in.getBoolean(key, false)) { 206 dest.putBoolean(key, true); 207 } 208 } 209 } 210 211 /** 212 * @return true if a restriction is settable by device owner. 213 */ 214 public static boolean canDeviceOwnerChange(String restriction) { 215 return !IMMUTABLE_BY_OWNERS.contains(restriction); 216 } 217 218 /** 219 * @return true if a restriction is settable by profile owner. Note it takes a user ID because 220 * some restrictions can be changed by PO only when it's running on the system user. 221 */ 222 public static boolean canProfileOwnerChange(String restriction, int userId) { 223 return !IMMUTABLE_BY_OWNERS.contains(restriction) 224 && !(userId != UserHandle.USER_SYSTEM 225 && DEVICE_OWNER_ONLY_RESTRICTIONS.contains(restriction)); 226 } 227 228 /** 229 * Takes restrictions that can be set by device owner, and sort them into what should be applied 230 * globally and what should be applied only on the current user. 231 */ 232 public static void sortToGlobalAndLocal(@Nullable Bundle in, @NonNull Bundle global, 233 @NonNull Bundle local) { 234 if (in == null || in.size() == 0) { 235 return; 236 } 237 for (String key : in.keySet()) { 238 if (!in.getBoolean(key)) { 239 continue; 240 } 241 if (DEVICE_OWNER_ONLY_RESTRICTIONS.contains(key) || GLOBAL_RESTRICTIONS.contains(key)) { 242 global.putBoolean(key, true); 243 } else { 244 local.putBoolean(key, true); 245 } 246 } 247 } 248 249 /** 250 * @return true if two Bundles contain the same user restriction. 251 * A null bundle and an empty bundle are considered to be equal. 252 */ 253 public static boolean areEqual(@Nullable Bundle a, @Nullable Bundle b) { 254 if (a == b) { 255 return true; 256 } 257 if (isEmpty(a)) { 258 return isEmpty(b); 259 } 260 if (isEmpty(b)) { 261 return false; 262 } 263 for (String key : a.keySet()) { 264 if (a.getBoolean(key) != b.getBoolean(key)) { 265 return false; 266 } 267 } 268 for (String key : b.keySet()) { 269 if (a.getBoolean(key) != b.getBoolean(key)) { 270 return false; 271 } 272 } 273 return true; 274 } 275 276 /** 277 * Takes a new use restriction set and the previous set, and apply the restrictions that have 278 * changed. 279 * 280 * <p>Note this method is called by {@link UserManagerService} without holding any locks. 281 */ 282 public static void applyUserRestrictions(Context context, int userId, 283 Bundle newRestrictions, Bundle prevRestrictions) { 284 for (String key : USER_RESTRICTIONS) { 285 final boolean newValue = newRestrictions.getBoolean(key); 286 final boolean prevValue = prevRestrictions.getBoolean(key); 287 288 if (newValue != prevValue) { 289 applyUserRestriction(context, userId, key, newValue); 290 } 291 } 292 } 293 294 /** 295 * Apply each user restriction. 296 * 297 * <p>See also {@link 298 * com.android.providers.settings.SettingsProvider#isGlobalOrSecureSettingRestrictedForUser}, 299 * which should be in sync with this method. 300 */ 301 private static void applyUserRestriction(Context context, int userId, String key, 302 boolean newValue) { 303 if (UserManagerService.DBG) { 304 Log.d(TAG, "Applying user restriction: userId=" + userId 305 + " key=" + key + " value=" + newValue); 306 } 307 // When certain restrictions are cleared, we don't update the system settings, 308 // because these settings are changeable on the Settings UI and we don't know the original 309 // value -- for example LOCATION_MODE might have been off already when the restriction was 310 // set, and in that case even if the restriction is lifted, changing it to ON would be 311 // wrong. So just don't do anything in such a case. If the user hopes to enable location 312 // later, they can do it on the Settings UI. 313 314 final ContentResolver cr = context.getContentResolver(); 315 final long id = Binder.clearCallingIdentity(); 316 try { 317 switch (key) { 318 case UserManager.DISALLOW_CONFIG_WIFI: 319 if (newValue) { 320 android.provider.Settings.Secure.putIntForUser(cr, 321 android.provider.Settings.Global 322 .WIFI_NETWORKS_AVAILABLE_NOTIFICATION_ON, 0, userId); 323 } 324 break; 325 case UserManager.DISALLOW_DATA_ROAMING: 326 if (newValue) { 327 // DISALLOW_DATA_ROAMING user restriction is set. 328 329 // Multi sim device. 330 SubscriptionManager subscriptionManager = new SubscriptionManager(context); 331 final List<SubscriptionInfo> subscriptionInfoList = 332 subscriptionManager.getActiveSubscriptionInfoList(); 333 if (subscriptionInfoList != null) { 334 for (SubscriptionInfo subInfo : subscriptionInfoList) { 335 android.provider.Settings.Global.putStringForUser(cr, 336 android.provider.Settings.Global.DATA_ROAMING 337 + subInfo.getSubscriptionId(), "0", userId); 338 } 339 } 340 341 // Single sim device. 342 android.provider.Settings.Global.putStringForUser(cr, 343 android.provider.Settings.Global.DATA_ROAMING, "0", userId); 344 } 345 break; 346 case UserManager.DISALLOW_SHARE_LOCATION: 347 if (newValue) { 348 android.provider.Settings.Secure.putIntForUser(cr, 349 android.provider.Settings.Secure.LOCATION_MODE, 350 android.provider.Settings.Secure.LOCATION_MODE_OFF, 351 userId); 352 } 353 // Send out notifications as some clients may want to reread the 354 // value which actually changed due to a restriction having been 355 // applied. 356 final String property = 357 android.provider.Settings.Secure.SYS_PROP_SETTING_VERSION; 358 long version = SystemProperties.getLong(property, 0) + 1; 359 SystemProperties.set(property, Long.toString(version)); 360 361 final String name = android.provider.Settings.Secure.LOCATION_PROVIDERS_ALLOWED; 362 final Uri url = Uri.withAppendedPath( 363 android.provider.Settings.Secure.CONTENT_URI, name); 364 context.getContentResolver().notifyChange(url, null, true, userId); 365 366 break; 367 case UserManager.DISALLOW_DEBUGGING_FEATURES: 368 if (newValue) { 369 // Only disable adb if changing for system user, since it is global 370 // TODO: should this be admin user? 371 if (userId == UserHandle.USER_SYSTEM) { 372 android.provider.Settings.Global.putStringForUser(cr, 373 android.provider.Settings.Global.ADB_ENABLED, "0", 374 userId); 375 } 376 } 377 break; 378 case UserManager.ENSURE_VERIFY_APPS: 379 if (newValue) { 380 android.provider.Settings.Global.putStringForUser( 381 context.getContentResolver(), 382 android.provider.Settings.Global.PACKAGE_VERIFIER_ENABLE, "1", 383 userId); 384 android.provider.Settings.Global.putStringForUser( 385 context.getContentResolver(), 386 android.provider.Settings.Global.PACKAGE_VERIFIER_INCLUDE_ADB, "1", 387 userId); 388 } 389 break; 390 case UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES: 391 if (newValue) { 392 android.provider.Settings.Secure.putIntForUser(cr, 393 android.provider.Settings.Secure.INSTALL_NON_MARKET_APPS, 0, 394 userId); 395 } 396 break; 397 case UserManager.DISALLOW_RUN_IN_BACKGROUND: 398 if (newValue) { 399 int currentUser = ActivityManager.getCurrentUser(); 400 if (currentUser != userId && userId != UserHandle.USER_SYSTEM) { 401 try { 402 ActivityManagerNative.getDefault().stopUser(userId, false, null); 403 } catch (RemoteException e) { 404 throw e.rethrowAsRuntimeException(); 405 } 406 } 407 } 408 } 409 } finally { 410 Binder.restoreCallingIdentity(id); 411 } 412 } 413 414 public static void dumpRestrictions(PrintWriter pw, String prefix, Bundle restrictions) { 415 boolean noneSet = true; 416 if (restrictions != null) { 417 for (String key : restrictions.keySet()) { 418 if (restrictions.getBoolean(key, false)) { 419 pw.println(prefix + key); 420 noneSet = false; 421 } 422 } 423 if (noneSet) { 424 pw.println(prefix + "none"); 425 } 426 } else { 427 pw.println(prefix + "null"); 428 } 429 } 430} 431