59 Commits

Author SHA1 Message Date
Amith Yamasani
599dd7ce9a DevicePolicyManager per user
Bug: 7136483

Store device policy information for each user and apply them when user switches.

Global proxy can only be controlled by owner.
Camera restriction applies to all users, if any one has an admin that disables it.
Storage encryption can only be controlled by owner, although other users can query the state.
Wipe data will only remove the user if non-zero, wipe the device, if zero.

Change-Id: I359be46c1bc3828fd13d4be3228f11495081c8f2
2012-09-18 14:28:33 -07:00
Amith Yamasani
b7a685978f Fix DevicePolicyManager crash when settings password quality (and possibly others).
Bug: 7130570

Clear the calling identity before broadcasting to all users.

Change-Id: Ibe84af1ee00aecfe4b2d5bb7731a952f617b4885
2012-09-10 10:24:36 -07:00
Christopher Tate
62df6eb508 Refer to STAY_ON_WHILE_PLUGGED_IN via the Global namespace
It moved from System to Global, so writes are not automatically redirected
to the new namespace (else apps would start crashing).

Bug 7126575

Change-Id: Ief31fcb5a6107a098da04d30d146e16921dee776
2012-09-07 15:00:54 -07:00
Jim Miller
b8ec470617 Update DevicePolicyManager with ability to disable keyguard widgets
Change-Id: I5876e9e180b2a995aaa355fbbb2b67cebb86104d
2012-09-04 13:52:36 -07:00
Dianne Hackborn
5ac72a2959 Improve multi-user broadcasts.
You can now use ALL and CURRENT when sending broadcasts, to specify
where the broadcast goes.

Sticky broadcasts are now correctly separated per user, and registered
receivers are filtered based on the requested target user.

New Context APIs for more kinds of sending broadcasts as users.

Updating a bunch of system code that sends broadcasts to explicitly
specify which user the broadcast goes to.

Made a single version of the code for interpreting the requested
target user ID that all entries to activity manager (start activity,
send broadcast, start service) use.

Change-Id: Ie29f02dd5242ef8c8fa56c54593a315cd2574e1c
2012-08-30 14:33:22 -07:00
Jeff Brown
9630704ed3 Power manager rewrite.
The major goal of this rewrite is to make it easier to implement
power management policies correctly.  Accordingly, the new
implementation primarily uses state-based rather than event-based
triggers for applying changes to the current power state.

For example, when an application requests that the proximity
sensor be used to manage the screen state (by way of a wake lock),
the power manager makes note of the fact that the set of
wake locks changed.  Then it executes a common update function
that recalculates the entire state, first looking at wake locks,
then considering user activity, and eventually determining whether
the screen should be turned on or off.  At this point it may
make a request to a component called the DisplayPowerController
to asynchronously update the display's power state.  Likewise,
DisplayPowerController makes note of the updated power request
and schedules its own update function to figure out what needs
to be changed.

The big benefit of this approach is that it's easy to mutate
multiple properties of the power state simultaneously then
apply their joint effects together all at once.  Transitions
between states are detected and resolved by the update in
a consistent manner.

The new power manager service is implemented as a set of
loosely coupled components.  For the most part, information
only flows one way through these components (by issuing a
request to that component) although some components support
sending a message back to indicate when the work has been
completed.  For example, the DisplayPowerController posts
a callback runnable asynchronously to tell the PowerManagerService
when the display is ready.  An important feature of this
approach is that each component neatly encapsulates its
state and maintains its own invariants.  Moreover, we do
not need to worry about deadlocks or awkward mutual exclusion
semantics because most of the requests are asynchronous.

The benefits of this design are especially apparent in
the implementation of the screen on / off and brightness
control animations which are able to take advantage of
framework features like properties, ObjectAnimator
and Choreographer.

The screen on / off animation is now the responsibility
of the power manager (instead of surface flinger).  This change
makes it much easier to ensure that the animation is properly
coordinated with other power state changes and eliminates
the cause of race conditions in the older implementation.

The behavior of the userActivity() function has been changed
so that it never wakes the device from sleep.  This change
removes ambiguity around forcing or disabling user activity
for various purposes.  To wake the device, use wakeUp().
To put it to sleep, use goToSleep().  Simple.

The power manager service interface and API has been significantly
simplified and consolidated.  Also fixed some inconsistencies
related to how the minimum and maximum screen brightness setting
was presented in brightness control widgets and enforced behind
the scenes.

At present the following features are implemented:

- Wake locks.
- User activity.
- Wake up / go to sleep.
- Power state broadcasts.
- Battery stats and event log notifications.
- Dreams.
- Proximity screen off.
- Animated screen on / off transitions.
- Auto-dimming.
- Auto-brightness control for the screen backlight with
  different timeouts for ramping up versus ramping down.
- Auto-on when plugged or unplugged.
- Stay on when plugged.
- Device administration maximum user activity timeout.
- Application controlled brightness via window manager.

The following features are not yet implemented:

- Reduced user activity timeout for the key guard.
- Reduced user activity timeout for the phone application.
- Coordinating screen on barriers with the window manager.
- Preventing auto-rotation during power state changes.
- Auto-brightness adjustment setting (feature was disabled
  in previous version of the power manager service pending
  an improved UI design so leaving it out for now).
- Interpolated brightness control (a proposed new scheme
  for more compactly specifying auto-brightness levels
  in config.xml).
- Button / keyboard backlight control.
- Change window manager to associate WorkSource with
  KEEP_SCREEN_ON_FLAG wake lock instead of talking
  directly to the battery stats service.
- Optionally support animating screen brightness when
  turning on/off instead of playing electron beam animation
  (config_animateScreenLights).

Change-Id: I1d7a52e98f0449f76d70bf421f6a7f245957d1d7
2012-08-15 03:06:24 -07:00
Nick Kralevich
3346bc6949 am ab294eeb: Merge "DevicePolicyManagerService: dump less" into jb-dev
* commit 'ab294eeb20d884855b038600f94a6e17b88b5772':
  DevicePolicyManagerService: dump less
2012-06-25 18:46:12 -07:00
Nick Kralevich
be00b41014 DevicePolicyManagerService: dump less
Reduce the amount of unnecessary information emitted from
the DevicePolicyManagerService.

Bug: 6732364
Change-Id: I639f6beab8471bdbe41ce6cd3a5a378acaf678b2
2012-06-25 17:39:12 -07:00
Dianne Hackborn
6086019246 am d8bbf96a: Merge "Fix issue #6664140: Time to lock should work even Stay awake..." into jb-dev
* commit 'd8bbf96a84cba7c31fa1535fe2467520f2aa0198':
  Fix issue #6664140: Time to lock should work even Stay awake...
2012-06-18 10:33:05 -07:00
Dianne Hackborn
2fe8fb276c Fix issue #6664140: Time to lock should work even Stay awake...
...in Developer options is on

Don't respect stay awake while on as long as a time to lock limit
is being enforced.  When we start enforcing one, make sure the
setting is off (since we won't be respecting it anyway).

Bug: 6664140
Change-Id: Id07cb528afa0c64c7766341841c51771f507121d
2012-06-15 17:23:16 -07:00
Jean-Baptiste Queru
c6df8417ea am 541803cc: am fd63c857: Merge "Wipe the user data out in any case."
* commit '541803ccc530b8cc1d8d95aa5a82ebc191fc218c':
  Wipe the user data out in any case.
2012-05-25 08:13:03 -07:00
Jean-Baptiste Queru
fd63c85742 Merge "Wipe the user data out in any case."
2012-05-25 07:31:27 -07:00
Dianne Hackborn
d0d7503fd3 Move handling of package changes to a background thread.
Helps get rid of some jank when installing applications.

Change-Id: I97d0022f82d67796e334d37086e5911dd6ca6b62
2012-04-19 23:12:09 -07:00
Masanori Ogino
f535cb04f0 Wipe the user data out in any case.
When the external storage is not mounted, the android system won't
wipe out the user data (i.e. "/data") if wipeData() is called with
the flag WIPE_EXTERNAL_STORAGE.

We think that the user data should be wiped out in any options and
also wipeData(int) method currently supports also for an external
storage. So we will also change the API reference comment.

If we should care about backward compatibility of this method behavior
with the option WIPE_EXTERNAL_STORAGE, then we would add another
bitmask something like an ALWAYS_RESET.

Change-Id: Id7bf673c722bacc0480d32e46553b9a348513879
2012-02-16 09:42:36 +09:00
Jim Miller
93c518e4f8 Fix 5863053: Add method to lock screen immediately.
This fixes a bug where the device fails to lock when DevicePolicyManagerService
requests the device to be locked and the screen was off because the user hit
the power button.

The change allows DPMS to directly invoke screen lock, bypassing the screen state.

Change-Id: Iecdda6fc61e9c519119de495be23c69c3b983921
2012-01-17 18:11:05 -08:00
Danielle Millett
de7a2f3054 DO NOT MERGE - Cherry picking from master to MR1
Fix 5783857: Device Policy Manager doesn't allow Face Unlock

This makes it so that if face unlock is enabled and then a device policy
manager that requires something more secure than face unlock is installed,
the user will be forced to choose a new acceptable lock type.

This was previously fixed for the case where the device had been reset, or
the shell was restarted after setting face unlock, but not for the case where the
device remained on between setting face unlock and setting up a device policy
manager.

Also changed the function ordering of saveLockPattern() so that the overloaded
wrapper function is next to the main function.

Change-Id: Ibed8c4ab137ebbc07fb143faef6f047bc6dc4474
2012-01-10 11:40:41 -05:00
Ben Komalo
ed48c8b4f5 Fix remote device wipe to not hang.
The DPM seemed to always go through ExternalStorageFormatter to wipe the
device and SD card. For SD cards emulated on a fuse filesystem, this
seems to fail unless the device is wholly encrypted. Bypass
ExternalStorageFormatter in those cases and just wipe as normal.

Bug: 5458396
Change-Id: Iec759ef894c6bd3863cb4e7329f4de4584c60c1a
2011-10-18 10:13:34 -07:00
Jim Miller
0191bba17c Fix 4993068: Don't check password history when dpm sets the password
This fixes a crash caused by permission problems when we try to update
the password history and discover there's no password salt.  The code
attempts to create the salt, which triggers the exception.

This could be fixed by wrapping the call with a clearCallingIdentity()/
restoreCallingIdentity(ident).  However, while looking at it, it occurred to me
that this can cause unexpected failures if the DPM tries to set the
password twice or happens to set it to something in the password history.

Instead, we should *always* allow the DPM to reset the password to whatever it wants,
provided it passes the minimum password criteria.

Change-Id: I1505b24f9c097ee5c2c44e4bf378ba90095b113b
2011-08-21 14:47:59 -07:00
Ben Komalo
2447edd85b New device policy to disable camera.
This introduces a new policy that a DeviceAdmin can use to disable _all_
cameras on the device. A separate CL will be made on the media side to
watch this policy bit and act accordingly.

Bug: 4185303
Change-Id: I700cfc4a8317bb74087ccae39346d74467fc58b2
2011-06-10 09:37:17 -07:00
Dianne Hackborn
61ad43dc1e am 469465c4: am 0821f274: am 2a108403: I am a dummy.
* commit '469465c45e42c66201639feb49db5421f5843bbe':
  I am a dummy.
2011-06-02 10:40:52 -07:00
Andy Stadler
c994d693b6 Use unchecked admin lookup for getStorageEncryption()
Due to a copy/paste typo, getStorageEncryption() was protected by
getActiveAdminForCallerLocked(), which made the API unreadable if the
caller is not an admin.  This doesn't match the rest of the DPM API which
allows the "get" calls to be made anonymously.

This fix supersedes the proposed workaround CL in the DPM ApiDemo sample.

Change-Id: If1a6237634e97ced09a7c6a8876bb6b0f60c9be9
2011-06-01 15:30:54 -07:00
Dianne Hackborn
2a10840380 I am a dummy.
Change-Id: Ie6908a8931954f83ab0e9b905173b576dbf3661d
2011-05-26 11:45:00 -07:00
Dianne Hackborn
d998acb349 Fix issue #4445007: DPM initializes some values to 1, instead of 0
Also fix not writing the settings file when an admin is removed.

And take care of an old to-do about not removing an admin until
after it has received the broadcast about it being disabled.

Change-Id: I4ebe0ea0461222b65425b2c5438b646b572f18c8
2011-05-25 10:51:27 -07:00
Jim Miller
6b85768058 Fix 3197205: Minor edits to device policy admin strings and documentation
Change-Id: I3788772c375b916752cd8a98ff5d3751448e4334
2011-02-16 16:27:41 -08:00
Andy Stadler
0fe45dea92 Read actual device encryption status
Bug: 3346770
Change-Id: Ie70c14b1b4584a5f340a27102145f7860ba9e14b
2011-01-20 16:35:09 -08:00
Andy Stadler
22dbfda976 Add internal plumbing to DPM for encryption
* Add code to persist per-admin setting
* Add hooks for OS-level tie-in (is supported, get / set status)
* Add 3rd API call to get OS status (irrespective of admin settings)
* Remove "REQUESTED" status, no longer relevant with 3rd API
* Fixed bug that impacted global proxy settings
* Update api/11.xml to match current.xml

Bug: 3346770
Change-Id: I56bdf9a7894f6ca4842402c7b82ddb3caf4b37b9
2011-01-17 12:47:31 -08:00
Andy Stadler
7b0f8f08ac API changes to support encryption in DPM
* New uses-policies value
* Definitions for storage domain and encryption status
* API to get and set encryption status
* Intent to launch encryption changes
* Both new calls bottom out in the DPM service and are suitable for
  a device that does not support encryption.

NOTE: Nobody should use ACTION_START_ENCRYPTION yet.  It needs a receiver
  to be built in Settings (different CL).

Change-Id: I2ae193bedbec59f6ba46c0ec7de12ecf321e5803
2011-01-12 21:11:32 -08:00
Andy Stadler
c25f70a440 API CHANGE - Add hasGrantedPolicy() API
* Allows an app to detect that it needs to have additional policies granted
* Add "refreshing" parameter to setActiveAdmin() to handle this case
* Minor cleanups to eliminate warnings (mostly for unused things)

Bug: 3253179
Change-Id: I4bf639bf560557130bf98e8cfb75f996fac416f1
2010-12-09 09:22:06 -08:00
Andy Stadler
043116a572 Update device password expiration/alarm behavior
* Change alarm math to snap to multiples of 24h before expiration
* Stop recurring alarm when no expirations upcoming
* Fix small bug in update logic when device password is updated

Change-Id: I31ce147e4f8c766245fae3e286fc50eaee4cfa22
2010-11-29 17:43:32 -08:00
Andy Stadler
1f35d487ba Fixes to DevicePolicyManager.setPasswordExpirationTimeout
* Fix permissions problem in DevicePolicyManager
* Allow short timeouts (primarily for testing)
* Remove unused debugging code

Bug: 3212583
Change-Id: I3770b1c6f090363e8e8d65db92839cd53de05c45
2010-11-19 16:08:24 -08:00
Robert Greenwalt
434203a277 Notify all VMs when proxy changes.
bug:2700664
Change-Id: I74cc6e0bd6e66847bf18f524ce851e3e9d2c4e87
2010-11-19 10:24:30 -08:00
Jim Miller
a4e28d1819 Add password expiration support to DevicePolicyManager.
Change-Id: Ib2629ec547c123ac489d7f4cbd4e0a1d4aa07620
2010-11-11 19:43:24 -08:00
Dianne Hackborn
ab36acb399 Fixe some stuff.
Addresses these bugs:

3061847 - With no headers, PreferenceActivity crashes
2888426 - minor typo in DevicePolicyManagerService.ActiveAdmin.writeToXml()
3159155 - IllegalStateException:"Can not perform this action after
    onSaveInstanceState" while dismissing a DialogFragment
3155995 - PopupWindow.showAtLocation does not respect LayoutParams

Also tweak the new fragment APIs to use abstract classes instead of
interfaces as base classes.

Change-Id: I9c0b4337fe0e304b737b5f7c2762762372bb3020
2010-11-08 10:46:19 -08:00
Kenny Root
027610a76e resolved conflicts for merge of 964eb438 to master
Change-Id: I0c54d6b88356d8734d7f51234b0114434414502e
2010-10-18 13:03:35 -07:00
Dianne Hackborn
424991704b Implement issue #3094621 and #3094609 - wipe sd card
3094621: add "wipe sd card" option to factory data reset
3094609: collapse unmount/format into one command

Also since we have decided that it is important to consider
the Crespo storage as internal storage, DevicePolicyManager
gets a new API to be able to wipe it.  (No big deal, since
all of the work for this is now done in the implementation
of the new UI.)

Change-Id: I32a77c410f710a87dcdcbf6586c09bd2e48a8807
2010-10-16 16:32:15 -07:00
Dianne Hackborn
dc71b9e4d6 resolved conflicts for merge of 6a3eddb4 to master
Change-Id: I1ca1d100274d4a733ef2bf58b0d5d7217b4f858e
2010-09-30 20:34:34 -07:00
Dianne Hackborn
cef65eeb03 Rub in a little 'ol log-b-gone.
Mmmmmm...  great fresh scent!

Change-Id: I050e70b31b5d4a9c6731f15a4b51a3620a33a78d
2010-09-30 18:27:22 -07:00
Oscar Montemayor
69238c6a37 Device Policy Manager changes to enable Global Proxy.
Change-Id: I8489df7d28e4c5312e10d5cecc8e2a182413a034
2010-08-04 16:01:56 -07:00
Konstantin Lopyrev
c857740f24 Adding support for minimum number of non letter characters.
Change-Id: If54cb7209d65eef826d474d7e0dbbef63d2f2b47
2010-06-08 19:06:11 -07:00
Jim Miller
1a0ce1cc6f am db603bb5: am 3b68548d: am 75b6a6b9: Merge "Fix 2737842: Disable KeguardManager API if device policy is enabled" into froyo
2010-06-08 16:37:12 -07:00
Jim Miller
284b62e1b8 Fix 2737842: Disable KeguardManager API if device policy is enabled
This change adds notification to find out when the device policy
has changed.  When an admin adds or changes a policy, we get notified
and reset the state of keyguard to be enabled.

It also moves disabling keyguard into the TokenWatcher.acquired()
method to avoid disabling keyguard when a policy doesn't permit it.
This avoids reference counting issues in TokenWatcher and hence relieves
the ordering issue.

There is one remaining caveat. An application that uses KeyguardManager
to disable keyguard will need to disable keyguard again after any
policy change.

Tested:

Install and run app that disables keyguard with no admin. Result: keyguard is enabled/disabled as expected.
Enable admin and set quality = "something" after installing & running app. Result: keyguard is enabled.
Change admin password quality to "unspecified" and re-run app (per caveat). Result: keyguard is disabled.
Change admin password quality to "something" again. Result: keyguard is enabled.
Disable admin : Result: keyguard is enabled until app runs again (per caveat).

Added minor cosmetic changes after review.

Change-Id: I302f2b01446bf031f746b0f3e8b5fd7a6cc0e648
2010-06-08 15:47:52 -07:00
Konstantin Lopyrev
a15dcfaf2b Fix 2677197: Adding minimum complex character support.
Change-Id: I520bc5f9aa924bf9b5585b2235a91cc96cb99c25
2010-05-27 15:27:06 -07:00
Konstantin Lopyrev
3255823de0 Fix 2673731: Adding support for password history to Device Admin.
Change-Id: If3240048813e32b2bae79fe5cb8a73aea20ec56c
2010-05-24 17:13:18 -07:00
Dianne Hackborn
85f2c9ce5a Fix issue #2530103: ActivePassword data in Device Policy Manager needs to be persisted
Also fixes how the quality vs. mode is handled to be more consistent, which also
required introducing a new "alphabetic" quality since it is possible for the user
to enter such a password.

The current password quality and length is stored in the DPM, since at boot it
couldn't figure this out from the stored password.

Change-Id: I519d9b76dd0b4431bcf42920c34dda38c9f1136e
2010-03-22 22:20:26 -07:00
Dianne Hackborn
1afd1c90eb Maybe fix issue #2457218: Corrupt batterystats.bin file preventing phone boot - LIBtt68127
No steps to repro, but makes the code more robust by using the standard
JournaledFile class and doing sanity checks on the input it reads.

This required moving the JournaledFile class in to the framework (and
we really should get rid of either it or AtomicFile, but they have
different recovery semantics so that is tough).  Also went through and
cleaned up the file management in various places.

Change-Id: Ieb7268d8435e77dff66b6e67bb63b62e5dea572e
2010-03-19 13:59:07 -07:00
Dianne Hackborn
87bba1ee14 Move DeviceAdmin APIs to android.app.admin.
Also add ability for admins to hide themselves when not in use,
a facility for admins to not allow other admins to reset
their password, and debug dumping.
2010-02-26 23:32:48 -08:00
Dianne Hackborn
2269d1572e Re-arrange android-common so framework no longer links with it.
This is the framework part, moving classes around so the framework
no longer needs to link to android-common.  Makes some APIs public,
others that didn't need to be public are private in the framework,
some small things are copied.
2010-02-25 11:39:33 -08:00
Dianne Hackborn
21f1bd17b2 Fix issue #2438980: Implement package watcher for voice recognizer service setting
I am getting tired of writing package monitor code, realized this is missing in
a number of places, and at this point it has gotten complicated enough that I
don't think anyone actually does it 100% right so:

Introducing PackageMonitor.

Yes there are no Java docs.  I am still playing around with just what this
thing is to figure out what makes sense and how people will use it.  It is
being used to fix this bug for monitoring voice recognizers (integrating the
code from the settings provider for setting an initial value), to replace
the existing code for monitoring input methods (and fix the bug where we
wouldn't remove an input method from the enabled list when it got
uninstalled), to now monitor live wallpaper package changes (now allowing
us to avoid reverting back to the default live wallpaper when the current
one is updated!), and to monitor device admin changes.

Also includes a fix so you can't uninstall an .apk that is currently enabled
as a device admin.

Also includes a fix where the default time zone was not initialized early
enough which should fix issue #2455507 (Observed Google services frame work crash).

In addition, this finally introduces a mechanism to determine if the
"force stop" button should be enabled, with convenience in PackageMonitor
for system services to handle it.  All services have been updated to support
this.  There is also new infrastructure for reporting battery usage as an
application error report.
2010-02-22 11:27:52 -08:00
Dianne Hackborn
ef6b22fc04 Fix issue #2420412: API review: DeviceAdmin API changes
Note in docs that callbacks are on main thread.
Rename to DeviceAdminReceiver?
Document resetPassword is the device's password.

Also hide android.R.attr.neverEncrypt.
2010-02-17 10:29:52 -08:00
Dianne Hackborn
315ada7fbb Get rid of the limit-unlock policy control.
This is merged with force-lock.  These both allow effectively the same thing,
so there is no reason to junk up the user experience with them as separate
entities.
2010-02-11 14:36:30 -08:00