private static final String ATTR_PERMISSION_POLICY = "permission-policy";
private static final String ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED =
"device-provisioning-config-applied";
+ private static final String ATTR_DEVICE_PAIRED = "device-paired";
private static final String ATTR_DELEGATED_CERT_INSTALLER = "delegated-cert-installer";
private static final String ATTR_APPLICATION_RESTRICTIONS_MANAGER
private static final int CODE_NONSYSTEM_USER_EXISTS = 5;
private static final int CODE_ACCOUNTS_NOT_EMPTY = 6;
private static final int CODE_NOT_SYSTEM_USER = 7;
+ private static final int CODE_HAS_PAIRED = 8;
@Retention(RetentionPolicy.SOURCE)
@IntDef({ CODE_OK, CODE_HAS_DEVICE_OWNER, CODE_USER_HAS_PROFILE_OWNER, CODE_USER_NOT_RUNNING,
*/
boolean mHasFeature;
+ /**
+ * Whether or not this device is a watch.
+ */
+ boolean mIsWatch;
+
private final SecurityLogMonitor mSecurityLogMonitor;
private final AtomicBoolean mRemoteBugreportServiceIsActive = new AtomicBoolean();
int mPasswordOwner = -1;
long mLastMaximumTimeToLock = -1;
boolean mUserSetupComplete = false;
+ boolean mPaired = false;
int mUserProvisioningState;
int mPermissionPolicy;
mHasFeature = mContext.getPackageManager()
.hasSystemFeature(PackageManager.FEATURE_DEVICE_ADMIN);
+ mIsWatch = mContext.getPackageManager()
+ .hasSystemFeature(PackageManager.FEATURE_WATCH);
if (!mHasFeature) {
// Skip the rest of the initialization
return;
}
private void setDeviceOwnerSystemPropertyLocked() {
- // Device owner may still be provisioned, do not set the read-only system property yet.
- if (mInjector.settingsGlobalGetInt(Settings.Global.DEVICE_PROVISIONED, 0) == 0) {
+ final boolean deviceProvisioned =
+ mInjector.settingsGlobalGetInt(Settings.Global.DEVICE_PROVISIONED, 0) != 0;
+ // If the device is not provisioned and there is currently no device owner, do not set the
+ // read-only system property yet, since Device owner may still be provisioned. For Wear
+ // devices, if there is already a device owner then it's OK to set the property to true now,
+ // regardless the provision state.
+ final boolean isWatchWithDeviceOwner = mIsWatch && mOwners.hasDeviceOwner();
+ if (!isWatchWithDeviceOwner && !deviceProvisioned) {
return;
}
// Still at the first stage of CryptKeeper double bounce, mOwners.hasDeviceOwner is
out.attribute(null, ATTR_SETUP_COMPLETE,
Boolean.toString(true));
}
+ if (policy.mPaired) {
+ out.attribute(null, ATTR_DEVICE_PAIRED,
+ Boolean.toString(true));
+ }
if (policy.mDeviceProvisioningConfigApplied) {
out.attribute(null, ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED,
Boolean.toString(true));
if (userSetupComplete != null && Boolean.toString(true).equals(userSetupComplete)) {
policy.mUserSetupComplete = true;
}
+ String paired = parser.getAttributeValue(null, ATTR_DEVICE_PAIRED);
+ if (paired != null && Boolean.toString(true).equals(paired)) {
+ policy.mPaired = true;
+ }
String deviceProvisioningConfigApplied = parser.getAttributeValue(null,
ATTR_DEVICE_PROVISIONING_CONFIG_APPLIED);
if (deviceProvisioningConfigApplied != null
// Register an observer for watching for user setup complete.
new SetupContentObserver(mHandler).register();
// Initialize the user setup state, to handle the upgrade case.
- updateUserSetupComplete();
+ updateUserSetupCompleteAndPaired();
List<String> packageList;
synchronized (this) {
updateDeviceOwnerLocked();
disableDeviceOwnerManagedSingleUserFeaturesIfNeeded();
try {
- // Reactivate backup service.
- mInjector.getIBackupManager().setBackupServiceActive(UserHandle.USER_SYSTEM, true);
+ if (mInjector.getIBackupManager() != null) {
+ // Reactivate backup service.
+ mInjector.getIBackupManager().setBackupServiceActive(UserHandle.USER_SYSTEM, true);
+ }
} catch (RemoteException e) {
throw new IllegalStateException("Failed reactivating backup service.", e);
}
return hasUserSetupCompleted(UserHandle.getCallingUserId());
}
+ // This checks only if the Setup Wizard has run. Since Wear devices pair before
+ // completing Setup Wizard, and pairing involves transferring user data, calling
+ // logic may want to check mIsWatch or mPaired in addition to hasUserSetupCompleted().
private boolean hasUserSetupCompleted(int userHandle) {
if (!mHasFeature) {
return true;
return getUserData(userHandle).mUserSetupComplete;
}
+ private boolean hasPaired(int userHandle) {
+ if (!mHasFeature) {
+ return true;
+ }
+ return getUserData(userHandle).mPaired;
+ }
+
@Override
public int getUserProvisioningState() {
if (!mHasFeature) {
}
int callingUid = mInjector.binderGetCallingUid();
if (callingUid == Process.SHELL_UID || callingUid == Process.ROOT_UID) {
- if (hasUserSetupCompleted(userHandle)
+ if ((mIsWatch || hasUserSetupCompleted(userHandle))
&& hasIncompatibleAccountsLocked(userHandle, owner)) {
throw new IllegalStateException("Not allowed to set the profile owner because "
+ "there are already some accounts on the profile");
return;
}
enforceCanManageProfileAndDeviceOwners();
- if (hasUserSetupCompleted(userHandle) && !isCallerWithSystemUid()) {
+ if ((mIsWatch || hasUserSetupCompleted(userHandle)) && !isCallerWithSystemUid()) {
throw new IllegalStateException("Cannot set the profile owner on a user which is "
+ "already set-up");
}
case CODE_ACCOUNTS_NOT_EMPTY:
throw new IllegalStateException("Not allowed to set the device owner because there "
+ "are already some accounts on the device");
+ case CODE_HAS_PAIRED:
+ throw new IllegalStateException("Not allowed to set the device owner because this "
+ + "device has already paired");
default:
throw new IllegalStateException("Unknown @DeviceOwnerPreConditionCode " + code);
}
}
/**
- * We need to update the internal state of whether a user has completed setup once. After
- * that, we ignore any changes that reset the Settings.Secure.USER_SETUP_COMPLETE changes
- * as we don't trust any apps that might try to reset it.
+ * We need to update the internal state of whether a user has completed setup or a
+ * device has paired once. After that, we ignore any changes that reset the
+ * Settings.Secure.USER_SETUP_COMPLETE or Settings.Secure.DEVICE_PAIRED change
+ * as we don't trust any apps that might try to reset them.
* <p>
* Unfortunately, we don't know which user's setup state was changed, so we write all of
* them.
*/
- void updateUserSetupComplete() {
+ void updateUserSetupCompleteAndPaired() {
List<UserInfo> users = mUserManager.getUsers(true);
final int N = users.size();
for (int i = 0; i < N; i++) {
}
}
}
+ if (mIsWatch && mInjector.settingsSecureGetIntForUser(Settings.Secure.DEVICE_PAIRED, 0,
+ userHandle) != 0) {
+ DevicePolicyData policy = getUserData(userHandle);
+ if (!policy.mPaired) {
+ policy.mPaired = true;
+ synchronized (this) {
+ saveSettingsLocked(userHandle);
+ }
+ }
+ }
}
}
Settings.Secure.USER_SETUP_COMPLETE);
private final Uri mDeviceProvisioned = Settings.Global.getUriFor(
Settings.Global.DEVICE_PROVISIONED);
+ private final Uri mPaired = Settings.Secure.getUriFor(Settings.Secure.DEVICE_PAIRED);
public SetupContentObserver(Handler handler) {
super(handler);
void register() {
mInjector.registerContentObserver(mUserSetupComplete, false, this, UserHandle.USER_ALL);
mInjector.registerContentObserver(mDeviceProvisioned, false, this, UserHandle.USER_ALL);
+ if (mIsWatch) {
+ mInjector.registerContentObserver(mPaired, false, this, UserHandle.USER_ALL);
+ }
}
@Override
public void onChange(boolean selfChange, Uri uri) {
- if (mUserSetupComplete.equals(uri)) {
- updateUserSetupComplete();
+ if (mUserSetupComplete.equals(uri) || (mIsWatch && mPaired.equals(uri))) {
+ updateUserSetupCompleteAndPaired();
} else if (mDeviceProvisioned.equals(uri)) {
synchronized (DevicePolicyManagerService.this) {
// Set PROPERTY_DEVICE_OWNER_PRESENT, for the SUW case where setting the property
if (hasUserSetupCompleted(callingUserId)) {
return false;
}
+ if (mIsWatch && hasPaired(UserHandle.USER_SYSTEM)) {
+ return false;
+ }
return true;
} else if (DevicePolicyManager.ACTION_PROVISION_MANAGED_SHAREABLE_DEVICE.equals(action)) {
if (!mInjector.userManagerIsSplitSystemUser()) {
if (!mUserManager.isUserRunning(new UserHandle(deviceOwnerUserId))) {
return CODE_USER_NOT_RUNNING;
}
+ if (mIsWatch && hasPaired(UserHandle.USER_SYSTEM)) {
+ return CODE_HAS_PAIRED;
+ }
if (isAdb) {
// if shell command runs after user setup completed check device status. Otherwise, OK.
- if (hasUserSetupCompleted(UserHandle.USER_SYSTEM)) {
+ if (mIsWatch || hasUserSetupCompleted(UserHandle.USER_SYSTEM)) {
if (!mInjector.userManagerIsSplitSystemUser()) {
if (mUserManager.getUserCount() > 1) {
return CODE_NONSYSTEM_USER_EXISTS;