[RESTRICT AUTOMERGE] Prevent installing apps in policy restricted work profile using ADB

If DISALLOW_DEBUGGING_FEATURES or DISALLOW_INSTALL_APPS restrictions are set on a work profile, prevent side loading of APKs using ADB in the work profile. Bug: 257443065 Test: atest CtsPackageInstallTestCases:UserRestrictionInstallTest (cherry picked from commit febe3918020a94b2af48ade98eb6a49cdd4a3bdf) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b988a09db551d9a8b2aeb0e8eb88e610605709e8) Merged-In: I169a1f72c84528ca606b6a4da165d4fbcd02b08d Change-Id: I169a1f72c84528ca606b6a4da165d4fbcd02b08d
author: Sumedh Sen <sumedhsen@google.com> 2023-03-23 16:29:47 -0700
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-05-18 22:15:22 +0000
commit: 56e9c33cc91f461c79ce8ffe9330f96f21e16216 (patch)
tree: 949e9606ac8e668c51fec63e9eff5ab94cc32d0b
parent: ee3f2dddcc6bad5f66399320964098bbe9889e84 (diff)
download: base-56e9c33cc91f461c79ce8ffe9330f96f21e16216.tar.gz
1 files changed, 19 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
index c32a57c68ede..259701166147 100644
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
@@ -2093,9 +2093,25 @@ final class InstallPackageHelper {
                     // The caller explicitly specified INSTALL_ALL_USERS flag.
                     // Thus, updating the settings to install the app for all users.
                     for (int currentUserId : allUsers) {
-                        ps.setInstalled(true, currentUserId);
-                        ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, userId,
-                                installerPackageName);
+                        // If the app is already installed for the currentUser,
+                        // keep it as installed as we might be updating the app at this place.
+                        // If not currently installed, check if the currentUser is restricted by
+                        // DISALLOW_INSTALL_APPS or DISALLOW_DEBUGGING_FEATURES device policy.
+                        // Install / update the app if the user isn't restricted. Skip otherwise.
+                        final boolean installedForCurrentUser = ArrayUtils.contains(
+                                installedForUsers, currentUserId);
+                        final boolean restrictedByPolicy =
+                                mPm.isUserRestricted(currentUserId,
+                                        UserManager.DISALLOW_INSTALL_APPS)
+                                || mPm.isUserRestricted(currentUserId,
+                                        UserManager.DISALLOW_DEBUGGING_FEATURES);
+                        if (installedForCurrentUser || !restrictedByPolicy) {
+                            ps.setInstalled(true, currentUserId);
+                            ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, currentUserId,
+                                    installerPackageName);
+                        } else {
+                            ps.setInstalled(false, currentUserId);
+                        }
                     }
                 }
author	Sumedh Sen <sumedhsen@google.com>	2023-03-23 16:29:47 -0700
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-05-18 22:15:22 +0000
commit	56e9c33cc91f461c79ce8ffe9330f96f21e16216 (patch)
tree	949e9606ac8e668c51fec63e9eff5ab94cc32d0b
parent	ee3f2dddcc6bad5f66399320964098bbe9889e84 (diff)
download	base-56e9c33cc91f461c79ce8ffe9330f96f21e16216.tar.gz