diff options
author | Sumedh Sen <sumedhsen@google.com> | 2023-03-23 16:29:47 -0700 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-05-18 22:15:22 +0000 |
commit | 56e9c33cc91f461c79ce8ffe9330f96f21e16216 (patch) | |
tree | 949e9606ac8e668c51fec63e9eff5ab94cc32d0b | |
parent | ee3f2dddcc6bad5f66399320964098bbe9889e84 (diff) | |
download | base-56e9c33cc91f461c79ce8ffe9330f96f21e16216.tar.gz |
[RESTRICT AUTOMERGE] Prevent installing apps in policy restricted work profile using ADB
If DISALLOW_DEBUGGING_FEATURES or DISALLOW_INSTALL_APPS restrictions are
set on a work profile, prevent side loading of APKs using ADB in the
work profile.
Bug: 257443065
Test: atest CtsPackageInstallTestCases:UserRestrictionInstallTest
(cherry picked from commit febe3918020a94b2af48ade98eb6a49cdd4a3bdf)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b988a09db551d9a8b2aeb0e8eb88e610605709e8)
Merged-In: I169a1f72c84528ca606b6a4da165d4fbcd02b08d
Change-Id: I169a1f72c84528ca606b6a4da165d4fbcd02b08d
-rw-r--r-- | services/core/java/com/android/server/pm/InstallPackageHelper.java | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java index c32a57c68ede..259701166147 100644 --- a/services/core/java/com/android/server/pm/InstallPackageHelper.java +++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java @@ -2093,9 +2093,25 @@ final class InstallPackageHelper { // The caller explicitly specified INSTALL_ALL_USERS flag. // Thus, updating the settings to install the app for all users. for (int currentUserId : allUsers) { - ps.setInstalled(true, currentUserId); - ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, userId, - installerPackageName); + // If the app is already installed for the currentUser, + // keep it as installed as we might be updating the app at this place. + // If not currently installed, check if the currentUser is restricted by + // DISALLOW_INSTALL_APPS or DISALLOW_DEBUGGING_FEATURES device policy. + // Install / update the app if the user isn't restricted. Skip otherwise. + final boolean installedForCurrentUser = ArrayUtils.contains( + installedForUsers, currentUserId); + final boolean restrictedByPolicy = + mPm.isUserRestricted(currentUserId, + UserManager.DISALLOW_INSTALL_APPS) + || mPm.isUserRestricted(currentUserId, + UserManager.DISALLOW_DEBUGGING_FEATURES); + if (installedForCurrentUser || !restrictedByPolicy) { + ps.setInstalled(true, currentUserId); + ps.setEnabled(COMPONENT_ENABLED_STATE_DEFAULT, currentUserId, + installerPackageName); + } else { + ps.setInstalled(false, currentUserId); + } } } |