From 2ea46fe658c5a977a11372d7180e8ed9abf261e8 Mon Sep 17 00:00:00 2001
From: Nicolas Prevot <nprevot@google.com>
Date: Thu, 5 Jan 2017 10:29:34 +0000
Subject: [PATCH] Make disallow add/remove managed profile restriction not
 global.

Otherwise: if the DO sets remove managed profile user restriction:
the profile owner of a managed profile cannot remove this managed
profile.

BUG:33854430
Test: adb shell am instrument -e class com.android.server.devicepolicy.DevicePolicyManagerTest -w
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I90b2028ea627a2073298bf9ef3c07b4fdf8d13a1
---
 core/java/android/os/UserManager.java                        |  6 +++---
 .../java/com/android/server/pm/UserRestrictionsUtils.java    |  3 +--
 .../android/server/devicepolicy/DevicePolicyManagerTest.java | 12 ++++++------
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index 0a32f0dd3720..802b1804c71d 100644
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -256,7 +256,7 @@ public class UserManager {
      * Specifies if managed profiles of this user can be removed, other than by its profile owner.
      * The default value is <code>false</code>.
      * <p>
-     * This restriction can only be set by device owners.
+     * This restriction has no effect on managed profiles.
      *
      * <p>Key for user restrictions.
      * <p>Type: Boolean
@@ -353,8 +353,8 @@ public class UserManager {
     /**
      * Specifies if a user is disallowed from adding managed profiles.
      * <p>The default value for an unmanaged user is <code>false</code>.
-     * For users with a device owner set, the default is <code>true</code>
-     * <p>This restriction can only be set by device owners.
+     * For users with a device owner set, the default is <code>true</code>.
+     * <p>This restriction has no effect on managed profiles.
      *
      * <p>Key for user restrictions.
      * <p>Type: Boolean
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index e91cce11f7df..f5b866981993 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -126,8 +126,6 @@ public class UserRestrictionsUtils {
             UserManager.DISALLOW_NETWORK_RESET,
             UserManager.DISALLOW_FACTORY_RESET,
             UserManager.DISALLOW_ADD_USER,
-            UserManager.DISALLOW_ADD_MANAGED_PROFILE,
-            UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
             UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
             UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
             UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
@@ -261,6 +259,7 @@ public class UserRestrictionsUtils {
 
     /**
      * Returns the user restrictions that default to {@code true} for device owners.
+     * These user restrictions are local, though. ie only for the device owner's user id.
      */
     public static @NonNull Set<String> getDefaultEnabledForDeviceOwner() {
         return DEFAULT_ENABLED_FOR_DEVICE_OWNERS;
diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
index 469dea5a7259..d39245992d49 100644
--- a/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
+++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerTest.java
@@ -1208,8 +1208,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
         );
         verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
                 eq(UserHandle.USER_SYSTEM),
-                MockUtils.checkUserRestrictions(),
-                MockUtils.checkUserRestrictions(defaultRestrictions)
+                MockUtils.checkUserRestrictions(defaultRestrictions),
+                MockUtils.checkUserRestrictions()
         );
         reset(mContext.userManagerInternal);
 
@@ -1479,8 +1479,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
         );
         verify(mContext.userManagerInternal).setDevicePolicyUserRestrictions(
                 eq(UserHandle.USER_SYSTEM),
-                MockUtils.checkUserRestrictions(),
-                MockUtils.checkUserRestrictions(defaultRestrictions)
+                MockUtils.checkUserRestrictions(defaultRestrictions),
+                MockUtils.checkUserRestrictions()
         );
         reset(mContext.userManagerInternal);
 
@@ -1521,8 +1521,8 @@ public class DevicePolicyManagerTest extends DpmTestBase {
             );
             verify(mContext.userManagerInternal, atLeast(1)).setDevicePolicyUserRestrictions(
                 eq(UserHandle.USER_SYSTEM),
-                MockUtils.checkUserRestrictions(),
-                MockUtils.checkUserRestrictions(newDefaultEnabledRestriction)
+                MockUtils.checkUserRestrictions(newDefaultEnabledRestriction),
+                MockUtils.checkUserRestrictions()
             );
             reset(mContext.userManagerInternal);
 
-- 
2.11.0