Home | History | Annotate | Download | only in server
      1 /*
      2  * Copyright (C) 2010 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package com.android.server;
     18 
     19 import static android.Manifest.permission.MANAGE_CA_CERTIFICATES;
     20 
     21 import com.android.internal.R;
     22 import com.android.internal.os.storage.ExternalStorageFormatter;
     23 import com.android.internal.util.FastXmlSerializer;
     24 import com.android.internal.util.JournaledFile;
     25 import com.android.internal.util.XmlUtils;
     26 import com.android.internal.widget.LockPatternUtils;
     27 import com.android.org.conscrypt.TrustedCertificateStore;
     28 
     29 import org.xmlpull.v1.XmlPullParser;
     30 import org.xmlpull.v1.XmlPullParserException;
     31 import org.xmlpull.v1.XmlSerializer;
     32 
     33 import android.app.Activity;
     34 import android.app.ActivityManagerNative;
     35 import android.app.AlarmManager;
     36 import android.app.AppGlobals;
     37 import android.app.INotificationManager;
     38 import android.app.Notification;
     39 import android.app.NotificationManager;
     40 import android.app.PendingIntent;
     41 import android.app.admin.DeviceAdminInfo;
     42 import android.app.admin.DeviceAdminReceiver;
     43 import android.app.admin.DevicePolicyManager;
     44 import android.app.admin.IDevicePolicyManager;
     45 import android.content.BroadcastReceiver;
     46 import android.content.ComponentName;
     47 import android.content.ContentResolver;
     48 import android.content.Context;
     49 import android.content.Intent;
     50 import android.content.IntentFilter;
     51 import android.content.pm.ApplicationInfo;
     52 import android.content.pm.IPackageManager;
     53 import android.content.pm.PackageInfo;
     54 import android.content.pm.PackageManager;
     55 import android.content.pm.Signature;
     56 import android.content.pm.PackageManager.NameNotFoundException;
     57 import android.content.pm.ResolveInfo;
     58 import android.content.pm.UserInfo;
     59 import android.net.Uri;
     60 import android.os.AsyncTask;
     61 import android.os.Binder;
     62 import android.os.Bundle;
     63 import android.os.Environment;
     64 import android.os.Handler;
     65 import android.os.IBinder;
     66 import android.os.IPowerManager;
     67 import android.os.PowerManager;
     68 import android.os.Process;
     69 import android.os.RecoverySystem;
     70 import android.os.RemoteCallback;
     71 import android.os.RemoteException;
     72 import android.os.ServiceManager;
     73 import android.os.SystemClock;
     74 import android.os.SystemProperties;
     75 import android.os.UserHandle;
     76 import android.os.UserManager;
     77 import android.provider.Settings;
     78 import android.security.Credentials;
     79 import android.security.IKeyChainService;
     80 import android.security.KeyChain;
     81 import android.security.KeyChain.KeyChainConnection;
     82 import android.util.AtomicFile;
     83 import android.util.Log;
     84 import android.util.PrintWriterPrinter;
     85 import android.util.Printer;
     86 import android.util.Slog;
     87 import android.util.SparseArray;
     88 import android.util.Xml;
     89 import android.view.IWindowManager;
     90 import android.view.WindowManagerPolicy;
     91 
     92 import java.io.ByteArrayInputStream;
     93 import java.io.File;
     94 import java.io.FileDescriptor;
     95 import java.io.FileInputStream;
     96 import java.io.FileNotFoundException;
     97 import java.io.FileOutputStream;
     98 import java.io.IOException;
     99 import java.io.PrintWriter;
    100 import java.security.KeyStore.TrustedCertificateEntry;
    101 import java.security.cert.CertificateException;
    102 import java.security.cert.CertificateFactory;
    103 import java.security.cert.X509Certificate;
    104 import java.text.DateFormat;
    105 import java.util.ArrayList;
    106 import java.util.Arrays;
    107 import java.util.Collection;
    108 import java.util.Collections;
    109 import java.util.Date;
    110 import java.util.HashMap;
    111 import java.util.List;
    112 import java.util.Set;
    113 
    114 /**
    115  * Implementation of the device policy APIs.
    116  */
    117 public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    118 
    119     private static final String TAG = "DevicePolicyManagerService";
    120 
    121     private static final String DEVICE_POLICIES_XML = "device_policies.xml";
    122 
    123     private static final int REQUEST_EXPIRE_PASSWORD = 5571;
    124 
    125     private static final long MS_PER_DAY = 86400 * 1000;
    126 
    127     private static final long EXPIRATION_GRACE_PERIOD_MS = 5 * MS_PER_DAY; // 5 days, in ms
    128 
    129     protected static final String ACTION_EXPIRED_PASSWORD_NOTIFICATION
    130             = "com.android.server.ACTION_EXPIRED_PASSWORD_NOTIFICATION";
    131 
    132     private static final int MONITORING_CERT_NOTIFICATION_ID = R.string.ssl_ca_cert_warning;
    133 
    134     private static final boolean DBG = false;
    135 
    136     final Context mContext;
    137     final PowerManager.WakeLock mWakeLock;
    138 
    139     IPowerManager mIPowerManager;
    140     IWindowManager mIWindowManager;
    141     NotificationManager mNotificationManager;
    142 
    143     private DeviceOwner mDeviceOwner;
    144 
    145     /**
    146      * Whether or not device admin feature is supported. If it isn't return defaults for all
    147      * public methods.
    148      */
    149     private boolean mHasFeature;
    150 
    151     public static class DevicePolicyData {
    152         int mActivePasswordQuality = DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
    153         int mActivePasswordLength = 0;
    154         int mActivePasswordUpperCase = 0;
    155         int mActivePasswordLowerCase = 0;
    156         int mActivePasswordLetters = 0;
    157         int mActivePasswordNumeric = 0;
    158         int mActivePasswordSymbols = 0;
    159         int mActivePasswordNonLetter = 0;
    160         int mFailedPasswordAttempts = 0;
    161 
    162         int mUserHandle;;
    163         int mPasswordOwner = -1;
    164         long mLastMaximumTimeToLock = -1;
    165 
    166         final HashMap<ComponentName, ActiveAdmin> mAdminMap
    167                 = new HashMap<ComponentName, ActiveAdmin>();
    168         final ArrayList<ActiveAdmin> mAdminList
    169                 = new ArrayList<ActiveAdmin>();
    170 
    171         public DevicePolicyData(int userHandle) {
    172             mUserHandle = userHandle;
    173         }
    174     }
    175 
    176     final SparseArray<DevicePolicyData> mUserData = new SparseArray<DevicePolicyData>();
    177 
    178     Handler mHandler = new Handler();
    179 
    180     BroadcastReceiver mReceiver = new BroadcastReceiver() {
    181         @Override
    182         public void onReceive(Context context, Intent intent) {
    183             final String action = intent.getAction();
    184             final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE,
    185                     getSendingUserId());
    186             if (Intent.ACTION_BOOT_COMPLETED.equals(action)
    187                     || ACTION_EXPIRED_PASSWORD_NOTIFICATION.equals(action)) {
    188                 if (DBG) Slog.v(TAG, "Sending password expiration notifications for action "
    189                         + action + " for user " + userHandle);
    190                 mHandler.post(new Runnable() {
    191                     public void run() {
    192                         handlePasswordExpirationNotification(getUserData(userHandle));
    193                     }
    194                 });
    195             }
    196             if (Intent.ACTION_BOOT_COMPLETED.equals(action)
    197                     || KeyChain.ACTION_STORAGE_CHANGED.equals(action)) {
    198                 manageMonitoringCertificateNotification(intent);
    199             }
    200             if (Intent.ACTION_USER_REMOVED.equals(action)) {
    201                 removeUserData(userHandle);
    202             } else if (Intent.ACTION_USER_STARTED.equals(action)
    203                     || Intent.ACTION_PACKAGE_CHANGED.equals(action)
    204                     || Intent.ACTION_PACKAGE_REMOVED.equals(action)
    205                     || Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE.equals(action)) {
    206 
    207                 if (Intent.ACTION_USER_STARTED.equals(action)) {
    208                     // Reset the policy data
    209                     synchronized (DevicePolicyManagerService.this) {
    210                         mUserData.remove(userHandle);
    211                     }
    212                 }
    213 
    214                 handlePackagesChanged(userHandle);
    215             }
    216         }
    217     };
    218 
    219     static class ActiveAdmin {
    220         final DeviceAdminInfo info;
    221 
    222         int passwordQuality = DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
    223 
    224         static final int DEF_MINIMUM_PASSWORD_LENGTH = 0;
    225         int minimumPasswordLength = DEF_MINIMUM_PASSWORD_LENGTH;
    226 
    227         static final int DEF_PASSWORD_HISTORY_LENGTH = 0;
    228         int passwordHistoryLength = DEF_PASSWORD_HISTORY_LENGTH;
    229 
    230         static final int DEF_MINIMUM_PASSWORD_UPPER_CASE = 0;
    231         int minimumPasswordUpperCase = DEF_MINIMUM_PASSWORD_UPPER_CASE;
    232 
    233         static final int DEF_MINIMUM_PASSWORD_LOWER_CASE = 0;
    234         int minimumPasswordLowerCase = DEF_MINIMUM_PASSWORD_LOWER_CASE;
    235 
    236         static final int DEF_MINIMUM_PASSWORD_LETTERS = 1;
    237         int minimumPasswordLetters = DEF_MINIMUM_PASSWORD_LETTERS;
    238 
    239         static final int DEF_MINIMUM_PASSWORD_NUMERIC = 1;
    240         int minimumPasswordNumeric = DEF_MINIMUM_PASSWORD_NUMERIC;
    241 
    242         static final int DEF_MINIMUM_PASSWORD_SYMBOLS = 1;
    243         int minimumPasswordSymbols = DEF_MINIMUM_PASSWORD_SYMBOLS;
    244 
    245         static final int DEF_MINIMUM_PASSWORD_NON_LETTER = 0;
    246         int minimumPasswordNonLetter = DEF_MINIMUM_PASSWORD_NON_LETTER;
    247 
    248         static final long DEF_MAXIMUM_TIME_TO_UNLOCK = 0;
    249         long maximumTimeToUnlock = DEF_MAXIMUM_TIME_TO_UNLOCK;
    250 
    251         static final int DEF_MAXIMUM_FAILED_PASSWORDS_FOR_WIPE = 0;
    252         int maximumFailedPasswordsForWipe = DEF_MAXIMUM_FAILED_PASSWORDS_FOR_WIPE;
    253 
    254         static final long DEF_PASSWORD_EXPIRATION_TIMEOUT = 0;
    255         long passwordExpirationTimeout = DEF_PASSWORD_EXPIRATION_TIMEOUT;
    256 
    257         static final long DEF_PASSWORD_EXPIRATION_DATE = 0;
    258         long passwordExpirationDate = DEF_PASSWORD_EXPIRATION_DATE;
    259 
    260         static final int DEF_KEYGUARD_FEATURES_DISABLED = 0; // none
    261         int disabledKeyguardFeatures = DEF_KEYGUARD_FEATURES_DISABLED;
    262 
    263         boolean encryptionRequested = false;
    264         boolean disableCamera = false;
    265 
    266         // TODO: review implementation decisions with frameworks team
    267         boolean specifiesGlobalProxy = false;
    268         String globalProxySpec = null;
    269         String globalProxyExclusionList = null;
    270 
    271         ActiveAdmin(DeviceAdminInfo _info) {
    272             info = _info;
    273         }
    274 
    275         int getUid() { return info.getActivityInfo().applicationInfo.uid; }
    276 
    277         public UserHandle getUserHandle() {
    278             return new UserHandle(UserHandle.getUserId(info.getActivityInfo().applicationInfo.uid));
    279         }
    280 
    281         void writeToXml(XmlSerializer out)
    282                 throws IllegalArgumentException, IllegalStateException, IOException {
    283             out.startTag(null, "policies");
    284             info.writePoliciesToXml(out);
    285             out.endTag(null, "policies");
    286             if (passwordQuality != DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
    287                 out.startTag(null, "password-quality");
    288                 out.attribute(null, "value", Integer.toString(passwordQuality));
    289                 out.endTag(null, "password-quality");
    290                 if (minimumPasswordLength != DEF_MINIMUM_PASSWORD_LENGTH) {
    291                     out.startTag(null, "min-password-length");
    292                     out.attribute(null, "value", Integer.toString(minimumPasswordLength));
    293                     out.endTag(null, "min-password-length");
    294                 }
    295                 if(passwordHistoryLength != DEF_PASSWORD_HISTORY_LENGTH) {
    296                     out.startTag(null, "password-history-length");
    297                     out.attribute(null, "value", Integer.toString(passwordHistoryLength));
    298                     out.endTag(null, "password-history-length");
    299                 }
    300                 if (minimumPasswordUpperCase != DEF_MINIMUM_PASSWORD_UPPER_CASE) {
    301                     out.startTag(null, "min-password-uppercase");
    302                     out.attribute(null, "value", Integer.toString(minimumPasswordUpperCase));
    303                     out.endTag(null, "min-password-uppercase");
    304                 }
    305                 if (minimumPasswordLowerCase != DEF_MINIMUM_PASSWORD_LOWER_CASE) {
    306                     out.startTag(null, "min-password-lowercase");
    307                     out.attribute(null, "value", Integer.toString(minimumPasswordLowerCase));
    308                     out.endTag(null, "min-password-lowercase");
    309                 }
    310                 if (minimumPasswordLetters != DEF_MINIMUM_PASSWORD_LETTERS) {
    311                     out.startTag(null, "min-password-letters");
    312                     out.attribute(null, "value", Integer.toString(minimumPasswordLetters));
    313                     out.endTag(null, "min-password-letters");
    314                 }
    315                 if (minimumPasswordNumeric != DEF_MINIMUM_PASSWORD_NUMERIC) {
    316                     out.startTag(null, "min-password-numeric");
    317                     out.attribute(null, "value", Integer.toString(minimumPasswordNumeric));
    318                     out.endTag(null, "min-password-numeric");
    319                 }
    320                 if (minimumPasswordSymbols != DEF_MINIMUM_PASSWORD_SYMBOLS) {
    321                     out.startTag(null, "min-password-symbols");
    322                     out.attribute(null, "value", Integer.toString(minimumPasswordSymbols));
    323                     out.endTag(null, "min-password-symbols");
    324                 }
    325                 if (minimumPasswordNonLetter > DEF_MINIMUM_PASSWORD_NON_LETTER) {
    326                     out.startTag(null, "min-password-nonletter");
    327                     out.attribute(null, "value", Integer.toString(minimumPasswordNonLetter));
    328                     out.endTag(null, "min-password-nonletter");
    329                 }
    330             }
    331             if (maximumTimeToUnlock != DEF_MAXIMUM_TIME_TO_UNLOCK) {
    332                 out.startTag(null, "max-time-to-unlock");
    333                 out.attribute(null, "value", Long.toString(maximumTimeToUnlock));
    334                 out.endTag(null, "max-time-to-unlock");
    335             }
    336             if (maximumFailedPasswordsForWipe != DEF_MAXIMUM_FAILED_PASSWORDS_FOR_WIPE) {
    337                 out.startTag(null, "max-failed-password-wipe");
    338                 out.attribute(null, "value", Integer.toString(maximumFailedPasswordsForWipe));
    339                 out.endTag(null, "max-failed-password-wipe");
    340             }
    341             if (specifiesGlobalProxy) {
    342                 out.startTag(null, "specifies-global-proxy");
    343                 out.attribute(null, "value", Boolean.toString(specifiesGlobalProxy));
    344                 out.endTag(null, "specifies_global_proxy");
    345                 if (globalProxySpec != null) {
    346                     out.startTag(null, "global-proxy-spec");
    347                     out.attribute(null, "value", globalProxySpec);
    348                     out.endTag(null, "global-proxy-spec");
    349                 }
    350                 if (globalProxyExclusionList != null) {
    351                     out.startTag(null, "global-proxy-exclusion-list");
    352                     out.attribute(null, "value", globalProxyExclusionList);
    353                     out.endTag(null, "global-proxy-exclusion-list");
    354                 }
    355             }
    356             if (passwordExpirationTimeout != DEF_PASSWORD_EXPIRATION_TIMEOUT) {
    357                 out.startTag(null, "password-expiration-timeout");
    358                 out.attribute(null, "value", Long.toString(passwordExpirationTimeout));
    359                 out.endTag(null, "password-expiration-timeout");
    360             }
    361             if (passwordExpirationDate != DEF_PASSWORD_EXPIRATION_DATE) {
    362                 out.startTag(null, "password-expiration-date");
    363                 out.attribute(null, "value", Long.toString(passwordExpirationDate));
    364                 out.endTag(null, "password-expiration-date");
    365             }
    366             if (encryptionRequested) {
    367                 out.startTag(null, "encryption-requested");
    368                 out.attribute(null, "value", Boolean.toString(encryptionRequested));
    369                 out.endTag(null, "encryption-requested");
    370             }
    371             if (disableCamera) {
    372                 out.startTag(null, "disable-camera");
    373                 out.attribute(null, "value", Boolean.toString(disableCamera));
    374                 out.endTag(null, "disable-camera");
    375             }
    376             if (disabledKeyguardFeatures != DEF_KEYGUARD_FEATURES_DISABLED) {
    377                 out.startTag(null, "disable-keyguard-features");
    378                 out.attribute(null, "value", Integer.toString(disabledKeyguardFeatures));
    379                 out.endTag(null, "disable-keyguard-features");
    380             }
    381         }
    382 
    383         void readFromXml(XmlPullParser parser)
    384                 throws XmlPullParserException, IOException {
    385             int outerDepth = parser.getDepth();
    386             int type;
    387             while ((type=parser.next()) != XmlPullParser.END_DOCUMENT
    388                    && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) {
    389                 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) {
    390                     continue;
    391                 }
    392                 String tag = parser.getName();
    393                 if ("policies".equals(tag)) {
    394                     info.readPoliciesFromXml(parser);
    395                 } else if ("password-quality".equals(tag)) {
    396                     passwordQuality = Integer.parseInt(
    397                             parser.getAttributeValue(null, "value"));
    398                 } else if ("min-password-length".equals(tag)) {
    399                     minimumPasswordLength = Integer.parseInt(
    400                             parser.getAttributeValue(null, "value"));
    401                 } else if ("password-history-length".equals(tag)) {
    402                     passwordHistoryLength = Integer.parseInt(
    403                             parser.getAttributeValue(null, "value"));
    404                 } else if ("min-password-uppercase".equals(tag)) {
    405                     minimumPasswordUpperCase = Integer.parseInt(
    406                             parser.getAttributeValue(null, "value"));
    407                 } else if ("min-password-lowercase".equals(tag)) {
    408                     minimumPasswordLowerCase = Integer.parseInt(
    409                             parser.getAttributeValue(null, "value"));
    410                 } else if ("min-password-letters".equals(tag)) {
    411                     minimumPasswordLetters = Integer.parseInt(
    412                             parser.getAttributeValue(null, "value"));
    413                 } else if ("min-password-numeric".equals(tag)) {
    414                     minimumPasswordNumeric = Integer.parseInt(
    415                             parser.getAttributeValue(null, "value"));
    416                 } else if ("min-password-symbols".equals(tag)) {
    417                     minimumPasswordSymbols = Integer.parseInt(
    418                             parser.getAttributeValue(null, "value"));
    419                 } else if ("min-password-nonletter".equals(tag)) {
    420                     minimumPasswordNonLetter = Integer.parseInt(
    421                             parser.getAttributeValue(null, "value"));
    422                 } else if ("max-time-to-unlock".equals(tag)) {
    423                     maximumTimeToUnlock = Long.parseLong(
    424                             parser.getAttributeValue(null, "value"));
    425                 } else if ("max-failed-password-wipe".equals(tag)) {
    426                     maximumFailedPasswordsForWipe = Integer.parseInt(
    427                             parser.getAttributeValue(null, "value"));
    428                 } else if ("specifies-global-proxy".equals(tag)) {
    429                     specifiesGlobalProxy = Boolean.parseBoolean(
    430                             parser.getAttributeValue(null, "value"));
    431                 } else if ("global-proxy-spec".equals(tag)) {
    432                     globalProxySpec =
    433                         parser.getAttributeValue(null, "value");
    434                 } else if ("global-proxy-exclusion-list".equals(tag)) {
    435                     globalProxyExclusionList =
    436                         parser.getAttributeValue(null, "value");
    437                 } else if ("password-expiration-timeout".equals(tag)) {
    438                     passwordExpirationTimeout = Long.parseLong(
    439                             parser.getAttributeValue(null, "value"));
    440                 } else if ("password-expiration-date".equals(tag)) {
    441                     passwordExpirationDate = Long.parseLong(
    442                             parser.getAttributeValue(null, "value"));
    443                 } else if ("encryption-requested".equals(tag)) {
    444                     encryptionRequested = Boolean.parseBoolean(
    445                             parser.getAttributeValue(null, "value"));
    446                 } else if ("disable-camera".equals(tag)) {
    447                     disableCamera = Boolean.parseBoolean(
    448                             parser.getAttributeValue(null, "value"));
    449                 } else if ("disable-keyguard-features".equals(tag)) {
    450                     disabledKeyguardFeatures = Integer.parseInt(
    451                             parser.getAttributeValue(null, "value"));
    452                 } else {
    453                     Slog.w(TAG, "Unknown admin tag: " + tag);
    454                 }
    455                 XmlUtils.skipCurrentTag(parser);
    456             }
    457         }
    458 
    459         void dump(String prefix, PrintWriter pw) {
    460             pw.print(prefix); pw.print("uid="); pw.println(getUid());
    461             pw.print(prefix); pw.println("policies:");
    462             ArrayList<DeviceAdminInfo.PolicyInfo> pols = info.getUsedPolicies();
    463             if (pols != null) {
    464                 for (int i=0; i<pols.size(); i++) {
    465                     pw.print(prefix); pw.print("  "); pw.println(pols.get(i).tag);
    466                 }
    467             }
    468             pw.print(prefix); pw.print("passwordQuality=0x");
    469                     pw.println(Integer.toHexString(passwordQuality));
    470             pw.print(prefix); pw.print("minimumPasswordLength=");
    471                     pw.println(minimumPasswordLength);
    472             pw.print(prefix); pw.print("passwordHistoryLength=");
    473                     pw.println(passwordHistoryLength);
    474             pw.print(prefix); pw.print("minimumPasswordUpperCase=");
    475                     pw.println(minimumPasswordUpperCase);
    476             pw.print(prefix); pw.print("minimumPasswordLowerCase=");
    477                     pw.println(minimumPasswordLowerCase);
    478             pw.print(prefix); pw.print("minimumPasswordLetters=");
    479                     pw.println(minimumPasswordLetters);
    480             pw.print(prefix); pw.print("minimumPasswordNumeric=");
    481                     pw.println(minimumPasswordNumeric);
    482             pw.print(prefix); pw.print("minimumPasswordSymbols=");
    483                     pw.println(minimumPasswordSymbols);
    484             pw.print(prefix); pw.print("minimumPasswordNonLetter=");
    485                     pw.println(minimumPasswordNonLetter);
    486             pw.print(prefix); pw.print("maximumTimeToUnlock=");
    487                     pw.println(maximumTimeToUnlock);
    488             pw.print(prefix); pw.print("maximumFailedPasswordsForWipe=");
    489                     pw.println(maximumFailedPasswordsForWipe);
    490             pw.print(prefix); pw.print("specifiesGlobalProxy=");
    491                     pw.println(specifiesGlobalProxy);
    492             pw.print(prefix); pw.print("passwordExpirationTimeout=");
    493                     pw.println(passwordExpirationTimeout);
    494             pw.print(prefix); pw.print("passwordExpirationDate=");
    495                     pw.println(passwordExpirationDate);
    496             if (globalProxySpec != null) {
    497                 pw.print(prefix); pw.print("globalProxySpec=");
    498                         pw.println(globalProxySpec);
    499             }
    500             if (globalProxyExclusionList != null) {
    501                 pw.print(prefix); pw.print("globalProxyEclusionList=");
    502                         pw.println(globalProxyExclusionList);
    503             }
    504             pw.print(prefix); pw.print("encryptionRequested=");
    505                     pw.println(encryptionRequested);
    506             pw.print(prefix); pw.print("disableCamera=");
    507                     pw.println(disableCamera);
    508             pw.print(prefix); pw.print("disabledKeyguardFeatures=");
    509                     pw.println(disabledKeyguardFeatures);
    510         }
    511     }
    512 
    513     private void handlePackagesChanged(int userHandle) {
    514         boolean removed = false;
    515         if (DBG) Slog.d(TAG, "Handling package changes for user " + userHandle);
    516         DevicePolicyData policy = getUserData(userHandle);
    517         IPackageManager pm = AppGlobals.getPackageManager();
    518         for (int i = policy.mAdminList.size() - 1; i >= 0; i--) {
    519             ActiveAdmin aa = policy.mAdminList.get(i);
    520             try {
    521                 if (pm.getPackageInfo(aa.info.getPackageName(), 0, userHandle) == null
    522                         || pm.getReceiverInfo(aa.info.getComponent(), 0, userHandle) == null) {
    523                     removed = true;
    524                     policy.mAdminList.remove(i);
    525                 }
    526             } catch (RemoteException re) {
    527                 // Shouldn't happen
    528             }
    529         }
    530         if (removed) {
    531             validatePasswordOwnerLocked(policy);
    532             syncDeviceCapabilitiesLocked(policy);
    533             saveSettingsLocked(policy.mUserHandle);
    534         }
    535     }
    536 
    537     /**
    538      * Instantiates the service.
    539      */
    540     public DevicePolicyManagerService(Context context) {
    541         mContext = context;
    542         mHasFeature = context.getPackageManager().hasSystemFeature(
    543                 PackageManager.FEATURE_DEVICE_ADMIN);
    544         mWakeLock = ((PowerManager)context.getSystemService(Context.POWER_SERVICE))
    545                 .newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, "DPM");
    546         if (!mHasFeature) {
    547             // Skip the rest of the initialization
    548             return;
    549         }
    550         IntentFilter filter = new IntentFilter();
    551         filter.addAction(Intent.ACTION_BOOT_COMPLETED);
    552         filter.addAction(ACTION_EXPIRED_PASSWORD_NOTIFICATION);
    553         filter.addAction(Intent.ACTION_USER_REMOVED);
    554         filter.addAction(Intent.ACTION_USER_STARTED);
    555         filter.addAction(KeyChain.ACTION_STORAGE_CHANGED);
    556         context.registerReceiverAsUser(mReceiver, UserHandle.ALL, filter, null, mHandler);
    557         filter = new IntentFilter();
    558         filter.addAction(Intent.ACTION_PACKAGE_CHANGED);
    559         filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
    560         filter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE);
    561         filter.addAction(Intent.ACTION_PACKAGE_ADDED);
    562         filter.addDataScheme("package");
    563         context.registerReceiverAsUser(mReceiver, UserHandle.ALL, filter, null, mHandler);
    564     }
    565 
    566     /**
    567      * Creates and loads the policy data from xml.
    568      * @param userHandle the user for whom to load the policy data
    569      * @return
    570      */
    571     DevicePolicyData getUserData(int userHandle) {
    572         synchronized (this) {
    573             DevicePolicyData policy = mUserData.get(userHandle);
    574             if (policy == null) {
    575                 policy = new DevicePolicyData(userHandle);
    576                 mUserData.append(userHandle, policy);
    577                 loadSettingsLocked(policy, userHandle);
    578             }
    579             return policy;
    580         }
    581     }
    582 
    583     void removeUserData(int userHandle) {
    584         synchronized (this) {
    585             if (userHandle == UserHandle.USER_OWNER) {
    586                 Slog.w(TAG, "Tried to remove device policy file for user 0! Ignoring.");
    587                 return;
    588             }
    589             DevicePolicyData policy = mUserData.get(userHandle);
    590             if (policy != null) {
    591                 mUserData.remove(userHandle);
    592             }
    593             File policyFile = new File(Environment.getUserSystemDirectory(userHandle),
    594                     DEVICE_POLICIES_XML);
    595             policyFile.delete();
    596             Slog.i(TAG, "Removed device policy file " + policyFile.getAbsolutePath());
    597         }
    598     }
    599 
    600     void loadDeviceOwner() {
    601         synchronized (this) {
    602             if (DeviceOwner.isRegistered()) {
    603                 mDeviceOwner = new DeviceOwner();
    604             }
    605         }
    606     }
    607 
    608     /**
    609      * Set an alarm for an upcoming event - expiration warning, expiration, or post-expiration
    610      * reminders.  Clears alarm if no expirations are configured.
    611      */
    612     protected void setExpirationAlarmCheckLocked(Context context, DevicePolicyData policy) {
    613         final long expiration = getPasswordExpirationLocked(null, policy.mUserHandle);
    614         final long now = System.currentTimeMillis();
    615         final long timeToExpire = expiration - now;
    616         final long alarmTime;
    617         if (expiration == 0) {
    618             // No expirations are currently configured:  Cancel alarm.
    619             alarmTime = 0;
    620         } else if (timeToExpire <= 0) {
    621             // The password has already expired:  Repeat every 24 hours.
    622             alarmTime = now + MS_PER_DAY;
    623         } else {
    624             // Selecting the next alarm time:  Roll forward to the next 24 hour multiple before
    625             // the expiration time.
    626             long alarmInterval = timeToExpire % MS_PER_DAY;
    627             if (alarmInterval == 0) {
    628                 alarmInterval = MS_PER_DAY;
    629             }
    630             alarmTime = now + alarmInterval;
    631         }
    632 
    633         long token = Binder.clearCallingIdentity();
    634         try {
    635             AlarmManager am = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
    636             PendingIntent pi = PendingIntent.getBroadcastAsUser(context, REQUEST_EXPIRE_PASSWORD,
    637                     new Intent(ACTION_EXPIRED_PASSWORD_NOTIFICATION),
    638                     PendingIntent.FLAG_ONE_SHOT | PendingIntent.FLAG_UPDATE_CURRENT,
    639                     new UserHandle(policy.mUserHandle));
    640             am.cancel(pi);
    641             if (alarmTime != 0) {
    642                 am.set(AlarmManager.RTC, alarmTime, pi);
    643             }
    644         } finally {
    645             Binder.restoreCallingIdentity(token);
    646         }
    647     }
    648 
    649     private IPowerManager getIPowerManager() {
    650         if (mIPowerManager == null) {
    651             IBinder b = ServiceManager.getService(Context.POWER_SERVICE);
    652             mIPowerManager = IPowerManager.Stub.asInterface(b);
    653         }
    654         return mIPowerManager;
    655     }
    656 
    657     private IWindowManager getWindowManager() {
    658         if (mIWindowManager == null) {
    659             IBinder b = ServiceManager.getService(Context.WINDOW_SERVICE);
    660             mIWindowManager = IWindowManager.Stub.asInterface(b);
    661         }
    662         return mIWindowManager;
    663     }
    664 
    665     private NotificationManager getNotificationManager() {
    666         if (mNotificationManager == null) {
    667             mNotificationManager =
    668                     (NotificationManager) mContext.getSystemService(Context.NOTIFICATION_SERVICE);
    669         }
    670         return mNotificationManager;
    671     }
    672 
    673     ActiveAdmin getActiveAdminUncheckedLocked(ComponentName who, int userHandle) {
    674         ActiveAdmin admin = getUserData(userHandle).mAdminMap.get(who);
    675         if (admin != null
    676                 && who.getPackageName().equals(admin.info.getActivityInfo().packageName)
    677                 && who.getClassName().equals(admin.info.getActivityInfo().name)) {
    678             return admin;
    679         }
    680         return null;
    681     }
    682 
    683     ActiveAdmin getActiveAdminForCallerLocked(ComponentName who, int reqPolicy)
    684             throws SecurityException {
    685         final int callingUid = Binder.getCallingUid();
    686         final int userHandle = UserHandle.getUserId(callingUid);
    687         final DevicePolicyData policy = getUserData(userHandle);
    688         if (who != null) {
    689             ActiveAdmin admin = policy.mAdminMap.get(who);
    690             if (admin == null) {
    691                 throw new SecurityException("No active admin " + who);
    692             }
    693             if (admin.getUid() != callingUid) {
    694                 throw new SecurityException("Admin " + who + " is not owned by uid "
    695                         + Binder.getCallingUid());
    696             }
    697             if (!admin.info.usesPolicy(reqPolicy)) {
    698                 throw new SecurityException("Admin " + admin.info.getComponent()
    699                         + " did not specify uses-policy for: "
    700                         + admin.info.getTagForPolicy(reqPolicy));
    701             }
    702             return admin;
    703         } else {
    704             final int N = policy.mAdminList.size();
    705             for (int i=0; i<N; i++) {
    706                 ActiveAdmin admin = policy.mAdminList.get(i);
    707                 if (admin.getUid() == callingUid && admin.info.usesPolicy(reqPolicy)) {
    708                     return admin;
    709                 }
    710             }
    711             throw new SecurityException("No active admin owned by uid "
    712                     + Binder.getCallingUid() + " for policy #" + reqPolicy);
    713         }
    714     }
    715 
    716     void sendAdminCommandLocked(ActiveAdmin admin, String action) {
    717         sendAdminCommandLocked(admin, action, null);
    718     }
    719 
    720     void sendAdminCommandLocked(ActiveAdmin admin, String action, BroadcastReceiver result) {
    721         Intent intent = new Intent(action);
    722         intent.setComponent(admin.info.getComponent());
    723         if (action.equals(DeviceAdminReceiver.ACTION_PASSWORD_EXPIRING)) {
    724             intent.putExtra("expiration", admin.passwordExpirationDate);
    725         }
    726         if (result != null) {
    727             mContext.sendOrderedBroadcastAsUser(intent, admin.getUserHandle(),
    728                     null, result, mHandler, Activity.RESULT_OK, null, null);
    729         } else {
    730             mContext.sendBroadcastAsUser(intent, UserHandle.OWNER);
    731         }
    732     }
    733 
    734     void sendAdminCommandLocked(String action, int reqPolicy, int userHandle) {
    735         final DevicePolicyData policy = getUserData(userHandle);
    736         final int count = policy.mAdminList.size();
    737         if (count > 0) {
    738             for (int i = 0; i < count; i++) {
    739                 ActiveAdmin admin = policy.mAdminList.get(i);
    740                 if (admin.info.usesPolicy(reqPolicy)) {
    741                     sendAdminCommandLocked(admin, action);
    742                 }
    743             }
    744         }
    745     }
    746 
    747     void removeActiveAdminLocked(final ComponentName adminReceiver, int userHandle) {
    748         final ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
    749         if (admin != null) {
    750             sendAdminCommandLocked(admin,
    751                     DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLED,
    752                     new BroadcastReceiver() {
    753                         @Override
    754                         public void onReceive(Context context, Intent intent) {
    755                             synchronized (DevicePolicyManagerService.this) {
    756                                 int userHandle = admin.getUserHandle().getIdentifier();
    757                                 DevicePolicyData policy = getUserData(userHandle);
    758                                 boolean doProxyCleanup = admin.info.usesPolicy(
    759                                         DeviceAdminInfo.USES_POLICY_SETS_GLOBAL_PROXY);
    760                                 policy.mAdminList.remove(admin);
    761                                 policy.mAdminMap.remove(adminReceiver);
    762                                 validatePasswordOwnerLocked(policy);
    763                                 syncDeviceCapabilitiesLocked(policy);
    764                                 if (doProxyCleanup) {
    765                                     resetGlobalProxyLocked(getUserData(userHandle));
    766                                 }
    767                                 saveSettingsLocked(userHandle);
    768                                 updateMaximumTimeToLockLocked(policy);
    769                             }
    770                         }
    771             });
    772         }
    773     }
    774 
    775     public DeviceAdminInfo findAdmin(ComponentName adminName, int userHandle) {
    776         if (!mHasFeature) {
    777             return null;
    778         }
    779         enforceCrossUserPermission(userHandle);
    780         Intent resolveIntent = new Intent();
    781         resolveIntent.setComponent(adminName);
    782         List<ResolveInfo> infos = mContext.getPackageManager().queryBroadcastReceivers(
    783                 resolveIntent,
    784                 PackageManager.GET_META_DATA | PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS,
    785                 userHandle);
    786         if (infos == null || infos.size() <= 0) {
    787             throw new IllegalArgumentException("Unknown admin: " + adminName);
    788         }
    789 
    790         try {
    791             return new DeviceAdminInfo(mContext, infos.get(0));
    792         } catch (XmlPullParserException e) {
    793             Slog.w(TAG, "Bad device admin requested for user=" + userHandle + ": " + adminName, e);
    794             return null;
    795         } catch (IOException e) {
    796             Slog.w(TAG, "Bad device admin requested for user=" + userHandle + ": " + adminName, e);
    797             return null;
    798         }
    799     }
    800 
    801     private static JournaledFile makeJournaledFile(int userHandle) {
    802         final String base = userHandle == 0
    803                 ? "/data/system/" + DEVICE_POLICIES_XML
    804                 : new File(Environment.getUserSystemDirectory(userHandle), DEVICE_POLICIES_XML)
    805                         .getAbsolutePath();
    806         return new JournaledFile(new File(base), new File(base + ".tmp"));
    807     }
    808 
    809     private void saveSettingsLocked(int userHandle) {
    810         DevicePolicyData policy = getUserData(userHandle);
    811         JournaledFile journal = makeJournaledFile(userHandle);
    812         FileOutputStream stream = null;
    813         try {
    814             stream = new FileOutputStream(journal.chooseForWrite(), false);
    815             XmlSerializer out = new FastXmlSerializer();
    816             out.setOutput(stream, "utf-8");
    817             out.startDocument(null, true);
    818 
    819             out.startTag(null, "policies");
    820 
    821             final int N = policy.mAdminList.size();
    822             for (int i=0; i<N; i++) {
    823                 ActiveAdmin ap = policy.mAdminList.get(i);
    824                 if (ap != null) {
    825                     out.startTag(null, "admin");
    826                     out.attribute(null, "name", ap.info.getComponent().flattenToString());
    827                     ap.writeToXml(out);
    828                     out.endTag(null, "admin");
    829                 }
    830             }
    831 
    832             if (policy.mPasswordOwner >= 0) {
    833                 out.startTag(null, "password-owner");
    834                 out.attribute(null, "value", Integer.toString(policy.mPasswordOwner));
    835                 out.endTag(null, "password-owner");
    836             }
    837 
    838             if (policy.mFailedPasswordAttempts != 0) {
    839                 out.startTag(null, "failed-password-attempts");
    840                 out.attribute(null, "value", Integer.toString(policy.mFailedPasswordAttempts));
    841                 out.endTag(null, "failed-password-attempts");
    842             }
    843 
    844             if (policy.mActivePasswordQuality != 0 || policy.mActivePasswordLength != 0
    845                     || policy.mActivePasswordUpperCase != 0 || policy.mActivePasswordLowerCase != 0
    846                     || policy.mActivePasswordLetters != 0 || policy.mActivePasswordNumeric != 0
    847                     || policy.mActivePasswordSymbols != 0 || policy.mActivePasswordNonLetter != 0) {
    848                 out.startTag(null, "active-password");
    849                 out.attribute(null, "quality", Integer.toString(policy.mActivePasswordQuality));
    850                 out.attribute(null, "length", Integer.toString(policy.mActivePasswordLength));
    851                 out.attribute(null, "uppercase", Integer.toString(policy.mActivePasswordUpperCase));
    852                 out.attribute(null, "lowercase", Integer.toString(policy.mActivePasswordLowerCase));
    853                 out.attribute(null, "letters", Integer.toString(policy.mActivePasswordLetters));
    854                 out.attribute(null, "numeric", Integer
    855                         .toString(policy.mActivePasswordNumeric));
    856                 out.attribute(null, "symbols", Integer.toString(policy.mActivePasswordSymbols));
    857                 out.attribute(null, "nonletter", Integer.toString(policy.mActivePasswordNonLetter));
    858                 out.endTag(null, "active-password");
    859             }
    860 
    861             out.endTag(null, "policies");
    862 
    863             out.endDocument();
    864             stream.close();
    865             journal.commit();
    866             sendChangedNotification(userHandle);
    867         } catch (IOException e) {
    868             try {
    869                 if (stream != null) {
    870                     stream.close();
    871                 }
    872             } catch (IOException ex) {
    873                 // Ignore
    874             }
    875             journal.rollback();
    876         }
    877     }
    878 
    879     private void sendChangedNotification(int userHandle) {
    880         Intent intent = new Intent(DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED);
    881         intent.setFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
    882         long ident = Binder.clearCallingIdentity();
    883         try {
    884             mContext.sendBroadcastAsUser(intent, new UserHandle(userHandle));
    885         } finally {
    886             Binder.restoreCallingIdentity(ident);
    887         }
    888     }
    889 
    890     private void loadSettingsLocked(DevicePolicyData policy, int userHandle) {
    891         JournaledFile journal = makeJournaledFile(userHandle);
    892         FileInputStream stream = null;
    893         File file = journal.chooseForRead();
    894         try {
    895             stream = new FileInputStream(file);
    896             XmlPullParser parser = Xml.newPullParser();
    897             parser.setInput(stream, null);
    898 
    899             int type;
    900             while ((type=parser.next()) != XmlPullParser.END_DOCUMENT
    901                     && type != XmlPullParser.START_TAG) {
    902             }
    903             String tag = parser.getName();
    904             if (!"policies".equals(tag)) {
    905                 throw new XmlPullParserException(
    906                         "Settings do not start with policies tag: found " + tag);
    907             }
    908             type = parser.next();
    909             int outerDepth = parser.getDepth();
    910             while ((type=parser.next()) != XmlPullParser.END_DOCUMENT
    911                    && (type != XmlPullParser.END_TAG || parser.getDepth() > outerDepth)) {
    912                 if (type == XmlPullParser.END_TAG || type == XmlPullParser.TEXT) {
    913                     continue;
    914                 }
    915                 tag = parser.getName();
    916                 if ("admin".equals(tag)) {
    917                     String name = parser.getAttributeValue(null, "name");
    918                     try {
    919                         DeviceAdminInfo dai = findAdmin(
    920                                 ComponentName.unflattenFromString(name), userHandle);
    921                         if (DBG && (UserHandle.getUserId(dai.getActivityInfo().applicationInfo.uid)
    922                                 != userHandle)) {
    923                             Slog.w(TAG, "findAdmin returned an incorrect uid "
    924                                     + dai.getActivityInfo().applicationInfo.uid + " for user "
    925                                     + userHandle);
    926                         }
    927                         if (dai != null) {
    928                             ActiveAdmin ap = new ActiveAdmin(dai);
    929                             ap.readFromXml(parser);
    930                             policy.mAdminMap.put(ap.info.getComponent(), ap);
    931                             policy.mAdminList.add(ap);
    932                         }
    933                     } catch (RuntimeException e) {
    934                         Slog.w(TAG, "Failed loading admin " + name, e);
    935                     }
    936                 } else if ("failed-password-attempts".equals(tag)) {
    937                     policy.mFailedPasswordAttempts = Integer.parseInt(
    938                             parser.getAttributeValue(null, "value"));
    939                     XmlUtils.skipCurrentTag(parser);
    940                 } else if ("password-owner".equals(tag)) {
    941                     policy.mPasswordOwner = Integer.parseInt(
    942                             parser.getAttributeValue(null, "value"));
    943                     XmlUtils.skipCurrentTag(parser);
    944                 } else if ("active-password".equals(tag)) {
    945                     policy.mActivePasswordQuality = Integer.parseInt(
    946                             parser.getAttributeValue(null, "quality"));
    947                     policy.mActivePasswordLength = Integer.parseInt(
    948                             parser.getAttributeValue(null, "length"));
    949                     policy.mActivePasswordUpperCase = Integer.parseInt(
    950                             parser.getAttributeValue(null, "uppercase"));
    951                     policy.mActivePasswordLowerCase = Integer.parseInt(
    952                             parser.getAttributeValue(null, "lowercase"));
    953                     policy.mActivePasswordLetters = Integer.parseInt(
    954                             parser.getAttributeValue(null, "letters"));
    955                     policy.mActivePasswordNumeric = Integer.parseInt(
    956                             parser.getAttributeValue(null, "numeric"));
    957                     policy.mActivePasswordSymbols = Integer.parseInt(
    958                             parser.getAttributeValue(null, "symbols"));
    959                     policy.mActivePasswordNonLetter = Integer.parseInt(
    960                             parser.getAttributeValue(null, "nonletter"));
    961                     XmlUtils.skipCurrentTag(parser);
    962                 } else {
    963                     Slog.w(TAG, "Unknown tag: " + tag);
    964                     XmlUtils.skipCurrentTag(parser);
    965                 }
    966             }
    967         } catch (NullPointerException e) {
    968             Slog.w(TAG, "failed parsing " + file + " " + e);
    969         } catch (NumberFormatException e) {
    970             Slog.w(TAG, "failed parsing " + file + " " + e);
    971         } catch (XmlPullParserException e) {
    972             Slog.w(TAG, "failed parsing " + file + " " + e);
    973         } catch (FileNotFoundException e) {
    974             // Don't be noisy, this is normal if we haven't defined any policies.
    975         } catch (IOException e) {
    976             Slog.w(TAG, "failed parsing " + file + " " + e);
    977         } catch (IndexOutOfBoundsException e) {
    978             Slog.w(TAG, "failed parsing " + file + " " + e);
    979         }
    980         try {
    981             if (stream != null) {
    982                 stream.close();
    983             }
    984         } catch (IOException e) {
    985             // Ignore
    986         }
    987 
    988         // Validate that what we stored for the password quality matches
    989         // sufficiently what is currently set.  Note that this is only
    990         // a sanity check in case the two get out of sync; this should
    991         // never normally happen.
    992         LockPatternUtils utils = new LockPatternUtils(mContext);
    993         if (utils.getActivePasswordQuality() < policy.mActivePasswordQuality) {
    994             Slog.w(TAG, "Active password quality 0x"
    995                     + Integer.toHexString(policy.mActivePasswordQuality)
    996                     + " does not match actual quality 0x"
    997                     + Integer.toHexString(utils.getActivePasswordQuality()));
    998             policy.mActivePasswordQuality = DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
    999             policy.mActivePasswordLength = 0;
   1000             policy.mActivePasswordUpperCase = 0;
   1001             policy.mActivePasswordLowerCase = 0;
   1002             policy.mActivePasswordLetters = 0;
   1003             policy.mActivePasswordNumeric = 0;
   1004             policy.mActivePasswordSymbols = 0;
   1005             policy.mActivePasswordNonLetter = 0;
   1006         }
   1007 
   1008         validatePasswordOwnerLocked(policy);
   1009         syncDeviceCapabilitiesLocked(policy);
   1010         updateMaximumTimeToLockLocked(policy);
   1011     }
   1012 
   1013     static void validateQualityConstant(int quality) {
   1014         switch (quality) {
   1015             case DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED:
   1016             case DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK:
   1017             case DevicePolicyManager.PASSWORD_QUALITY_SOMETHING:
   1018             case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC:
   1019             case DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC:
   1020             case DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC:
   1021             case DevicePolicyManager.PASSWORD_QUALITY_COMPLEX:
   1022                 return;
   1023         }
   1024         throw new IllegalArgumentException("Invalid quality constant: 0x"
   1025                 + Integer.toHexString(quality));
   1026     }
   1027 
   1028     void validatePasswordOwnerLocked(DevicePolicyData policy) {
   1029         if (policy.mPasswordOwner >= 0) {
   1030             boolean haveOwner = false;
   1031             for (int i = policy.mAdminList.size() - 1; i >= 0; i--) {
   1032                 if (policy.mAdminList.get(i).getUid() == policy.mPasswordOwner) {
   1033                     haveOwner = true;
   1034                     break;
   1035                 }
   1036             }
   1037             if (!haveOwner) {
   1038                 Slog.w(TAG, "Previous password owner " + policy.mPasswordOwner
   1039                         + " no longer active; disabling");
   1040                 policy.mPasswordOwner = -1;
   1041             }
   1042         }
   1043     }
   1044 
   1045     /**
   1046      * Pushes down policy information to the system for any policies related to general device
   1047      * capabilities that need to be enforced by lower level services (e.g. Camera services).
   1048      */
   1049     void syncDeviceCapabilitiesLocked(DevicePolicyData policy) {
   1050         // Ensure the status of the camera is synced down to the system. Interested native services
   1051         // should monitor this value and act accordingly.
   1052         boolean systemState = SystemProperties.getBoolean(SYSTEM_PROP_DISABLE_CAMERA, false);
   1053         boolean cameraDisabled = getCameraDisabled(null, policy.mUserHandle);
   1054         if (cameraDisabled != systemState) {
   1055             long token = Binder.clearCallingIdentity();
   1056             try {
   1057                 String value = cameraDisabled ? "1" : "0";
   1058                 if (DBG) Slog.v(TAG, "Change in camera state ["
   1059                         + SYSTEM_PROP_DISABLE_CAMERA + "] = " + value);
   1060                 SystemProperties.set(SYSTEM_PROP_DISABLE_CAMERA, value);
   1061             } finally {
   1062                 Binder.restoreCallingIdentity(token);
   1063             }
   1064         }
   1065     }
   1066 
   1067     public void systemReady() {
   1068         if (!mHasFeature) {
   1069             return;
   1070         }
   1071         synchronized (this) {
   1072             loadSettingsLocked(getUserData(UserHandle.USER_OWNER), UserHandle.USER_OWNER);
   1073             loadDeviceOwner();
   1074         }
   1075     }
   1076 
   1077     private void handlePasswordExpirationNotification(DevicePolicyData policy) {
   1078         synchronized (this) {
   1079             final long now = System.currentTimeMillis();
   1080             final int N = policy.mAdminList.size();
   1081             if (N <= 0) {
   1082                 return;
   1083             }
   1084             for (int i=0; i < N; i++) {
   1085                 ActiveAdmin admin = policy.mAdminList.get(i);
   1086                 if (admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD)
   1087                         && admin.passwordExpirationTimeout > 0L
   1088                         && admin.passwordExpirationDate > 0L
   1089                         && now >= admin.passwordExpirationDate - EXPIRATION_GRACE_PERIOD_MS) {
   1090                     sendAdminCommandLocked(admin, DeviceAdminReceiver.ACTION_PASSWORD_EXPIRING);
   1091                 }
   1092             }
   1093             setExpirationAlarmCheckLocked(mContext, policy);
   1094         }
   1095     }
   1096 
   1097     private void manageMonitoringCertificateNotification(Intent intent) {
   1098         final NotificationManager notificationManager = getNotificationManager();
   1099 
   1100         final boolean hasCert = DevicePolicyManager.hasAnyCaCertsInstalled();
   1101         if (! hasCert) {
   1102             if (intent.getAction().equals(KeyChain.ACTION_STORAGE_CHANGED)) {
   1103                 UserManager um = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
   1104                 for (UserInfo user : um.getUsers()) {
   1105                     notificationManager.cancelAsUser(
   1106                             null, MONITORING_CERT_NOTIFICATION_ID, user.getUserHandle());
   1107                 }
   1108             }
   1109             return;
   1110         }
   1111         final boolean isManaged = getDeviceOwner() != null;
   1112         int smallIconId;
   1113         String contentText;
   1114         if (isManaged) {
   1115             contentText = mContext.getString(R.string.ssl_ca_cert_noti_managed,
   1116                     getDeviceOwnerName());
   1117             smallIconId = R.drawable.stat_sys_certificate_info;
   1118         } else {
   1119             contentText = mContext.getString(R.string.ssl_ca_cert_noti_by_unknown);
   1120             smallIconId = android.R.drawable.stat_sys_warning;
   1121         }
   1122 
   1123         Intent dialogIntent = new Intent(Settings.ACTION_MONITORING_CERT_INFO);
   1124         dialogIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
   1125         dialogIntent.setPackage("com.android.settings");
   1126         // Notification will be sent individually to all users. The activity should start as
   1127         // whichever user is current when it starts.
   1128         PendingIntent notifyIntent = PendingIntent.getActivityAsUser(mContext, 0, dialogIntent,
   1129                 PendingIntent.FLAG_UPDATE_CURRENT, null, UserHandle.CURRENT);
   1130 
   1131         Notification noti = new Notification.Builder(mContext)
   1132             .setSmallIcon(smallIconId)
   1133             .setContentTitle(mContext.getString(R.string.ssl_ca_cert_warning))
   1134             .setContentText(contentText)
   1135             .setContentIntent(notifyIntent)
   1136             .setPriority(Notification.PRIORITY_HIGH)
   1137             .setShowWhen(false)
   1138             .build();
   1139 
   1140         // If this is a boot intent, this will fire for each user. But if this is a storage changed
   1141         // intent, it will fire once, so we need to notify all users.
   1142         if (intent.getAction().equals(KeyChain.ACTION_STORAGE_CHANGED)) {
   1143             UserManager um = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
   1144             for (UserInfo user : um.getUsers()) {
   1145                 notificationManager.notifyAsUser(
   1146                         null, MONITORING_CERT_NOTIFICATION_ID, noti, user.getUserHandle());
   1147             }
   1148         } else {
   1149             notificationManager.notifyAsUser(
   1150                     null, MONITORING_CERT_NOTIFICATION_ID, noti, UserHandle.CURRENT);
   1151         }
   1152     }
   1153 
   1154     /**
   1155      * @param adminReceiver The admin to add
   1156      * @param refreshing true = update an active admin, no error
   1157      */
   1158     public void setActiveAdmin(ComponentName adminReceiver, boolean refreshing, int userHandle) {
   1159         if (!mHasFeature) {
   1160             return;
   1161         }
   1162         mContext.enforceCallingOrSelfPermission(
   1163                 android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);
   1164         enforceCrossUserPermission(userHandle);
   1165 
   1166         DevicePolicyData policy = getUserData(userHandle);
   1167         DeviceAdminInfo info = findAdmin(adminReceiver, userHandle);
   1168         if (info == null) {
   1169             throw new IllegalArgumentException("Bad admin: " + adminReceiver);
   1170         }
   1171         synchronized (this) {
   1172             long ident = Binder.clearCallingIdentity();
   1173             try {
   1174                 if (!refreshing && getActiveAdminUncheckedLocked(adminReceiver, userHandle) != null) {
   1175                     throw new IllegalArgumentException("Admin is already added");
   1176                 }
   1177                 ActiveAdmin newAdmin = new ActiveAdmin(info);
   1178                 policy.mAdminMap.put(adminReceiver, newAdmin);
   1179                 int replaceIndex = -1;
   1180                 if (refreshing) {
   1181                     final int N = policy.mAdminList.size();
   1182                     for (int i=0; i < N; i++) {
   1183                         ActiveAdmin oldAdmin = policy.mAdminList.get(i);
   1184                         if (oldAdmin.info.getComponent().equals(adminReceiver)) {
   1185                             replaceIndex = i;
   1186                             break;
   1187                         }
   1188                     }
   1189                 }
   1190                 if (replaceIndex == -1) {
   1191                     policy.mAdminList.add(newAdmin);
   1192                     enableIfNecessary(info.getPackageName(), userHandle);
   1193                 } else {
   1194                     policy.mAdminList.set(replaceIndex, newAdmin);
   1195                 }
   1196                 saveSettingsLocked(userHandle);
   1197                 sendAdminCommandLocked(newAdmin, DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED);
   1198             } finally {
   1199                 Binder.restoreCallingIdentity(ident);
   1200             }
   1201         }
   1202     }
   1203 
   1204     public boolean isAdminActive(ComponentName adminReceiver, int userHandle) {
   1205         if (!mHasFeature) {
   1206             return false;
   1207         }
   1208         enforceCrossUserPermission(userHandle);
   1209         synchronized (this) {
   1210             return getActiveAdminUncheckedLocked(adminReceiver, userHandle) != null;
   1211         }
   1212     }
   1213 
   1214     public boolean hasGrantedPolicy(ComponentName adminReceiver, int policyId, int userHandle) {
   1215         if (!mHasFeature) {
   1216             return false;
   1217         }
   1218         enforceCrossUserPermission(userHandle);
   1219         synchronized (this) {
   1220             ActiveAdmin administrator = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
   1221             if (administrator == null) {
   1222                 throw new SecurityException("No active admin " + adminReceiver);
   1223             }
   1224             return administrator.info.usesPolicy(policyId);
   1225         }
   1226     }
   1227 
   1228     @SuppressWarnings("unchecked")
   1229     public List<ComponentName> getActiveAdmins(int userHandle) {
   1230         if (!mHasFeature) {
   1231             return Collections.EMPTY_LIST;
   1232         }
   1233 
   1234         enforceCrossUserPermission(userHandle);
   1235         synchronized (this) {
   1236             DevicePolicyData policy = getUserData(userHandle);
   1237             final int N = policy.mAdminList.size();
   1238             if (N <= 0) {
   1239                 return null;
   1240             }
   1241             ArrayList<ComponentName> res = new ArrayList<ComponentName>(N);
   1242             for (int i=0; i<N; i++) {
   1243                 res.add(policy.mAdminList.get(i).info.getComponent());
   1244             }
   1245             return res;
   1246         }
   1247     }
   1248 
   1249     public boolean packageHasActiveAdmins(String packageName, int userHandle) {
   1250         if (!mHasFeature) {
   1251             return false;
   1252         }
   1253         enforceCrossUserPermission(userHandle);
   1254         synchronized (this) {
   1255             DevicePolicyData policy = getUserData(userHandle);
   1256             final int N = policy.mAdminList.size();
   1257             for (int i=0; i<N; i++) {
   1258                 if (policy.mAdminList.get(i).info.getPackageName().equals(packageName)) {
   1259                     return true;
   1260                 }
   1261             }
   1262             return false;
   1263         }
   1264     }
   1265 
   1266     public void removeActiveAdmin(ComponentName adminReceiver, int userHandle) {
   1267         if (!mHasFeature) {
   1268             return;
   1269         }
   1270         enforceCrossUserPermission(userHandle);
   1271         synchronized (this) {
   1272             ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
   1273             if (admin == null) {
   1274                 return;
   1275             }
   1276             if (admin.getUid() != Binder.getCallingUid()) {
   1277                 // If trying to remove device owner, refuse when the caller is not the owner.
   1278                 if (mDeviceOwner != null
   1279                         && adminReceiver.getPackageName().equals(mDeviceOwner.getPackageName())) {
   1280                     return;
   1281                 }
   1282                 mContext.enforceCallingOrSelfPermission(
   1283                         android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);
   1284             }
   1285             long ident = Binder.clearCallingIdentity();
   1286             try {
   1287                 removeActiveAdminLocked(adminReceiver, userHandle);
   1288             } finally {
   1289                 Binder.restoreCallingIdentity(ident);
   1290             }
   1291         }
   1292     }
   1293 
   1294     public void setPasswordQuality(ComponentName who, int quality, int userHandle) {
   1295         if (!mHasFeature) {
   1296             return;
   1297         }
   1298         validateQualityConstant(quality);
   1299         enforceCrossUserPermission(userHandle);
   1300 
   1301         synchronized (this) {
   1302             if (who == null) {
   1303                 throw new NullPointerException("ComponentName is null");
   1304             }
   1305             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1306                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1307             if (ap.passwordQuality != quality) {
   1308                 ap.passwordQuality = quality;
   1309                 saveSettingsLocked(userHandle);
   1310             }
   1311         }
   1312     }
   1313 
   1314     public int getPasswordQuality(ComponentName who, int userHandle) {
   1315         if (!mHasFeature) {
   1316             return DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
   1317         }
   1318         enforceCrossUserPermission(userHandle);
   1319         synchronized (this) {
   1320             int mode = DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
   1321             DevicePolicyData policy = getUserData(userHandle);
   1322 
   1323             if (who != null) {
   1324                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1325                 return admin != null ? admin.passwordQuality : mode;
   1326             }
   1327 
   1328             final int N = policy.mAdminList.size();
   1329             for  (int i=0; i<N; i++) {
   1330                 ActiveAdmin admin = policy.mAdminList.get(i);
   1331                 if (mode < admin.passwordQuality) {
   1332                     mode = admin.passwordQuality;
   1333                 }
   1334             }
   1335             return mode;
   1336         }
   1337     }
   1338 
   1339     public void setPasswordMinimumLength(ComponentName who, int length, int userHandle) {
   1340         if (!mHasFeature) {
   1341             return;
   1342         }
   1343         enforceCrossUserPermission(userHandle);
   1344         synchronized (this) {
   1345             if (who == null) {
   1346                 throw new NullPointerException("ComponentName is null");
   1347             }
   1348             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1349                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1350             if (ap.minimumPasswordLength != length) {
   1351                 ap.minimumPasswordLength = length;
   1352                 saveSettingsLocked(userHandle);
   1353             }
   1354         }
   1355     }
   1356 
   1357     public int getPasswordMinimumLength(ComponentName who, int userHandle) {
   1358         if (!mHasFeature) {
   1359             return 0;
   1360         }
   1361         enforceCrossUserPermission(userHandle);
   1362         synchronized (this) {
   1363             DevicePolicyData policy = getUserData(userHandle);
   1364             int length = 0;
   1365 
   1366             if (who != null) {
   1367                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1368                 return admin != null ? admin.minimumPasswordLength : length;
   1369             }
   1370 
   1371             final int N = policy.mAdminList.size();
   1372             for  (int i=0; i<N; i++) {
   1373                 ActiveAdmin admin = policy.mAdminList.get(i);
   1374                 if (length < admin.minimumPasswordLength) {
   1375                     length = admin.minimumPasswordLength;
   1376                 }
   1377             }
   1378             return length;
   1379         }
   1380     }
   1381 
   1382     public void setPasswordHistoryLength(ComponentName who, int length, int userHandle) {
   1383         if (!mHasFeature) {
   1384             return;
   1385         }
   1386         enforceCrossUserPermission(userHandle);
   1387         synchronized (this) {
   1388             if (who == null) {
   1389                 throw new NullPointerException("ComponentName is null");
   1390             }
   1391             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1392                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1393             if (ap.passwordHistoryLength != length) {
   1394                 ap.passwordHistoryLength = length;
   1395                 saveSettingsLocked(userHandle);
   1396             }
   1397         }
   1398     }
   1399 
   1400     public int getPasswordHistoryLength(ComponentName who, int userHandle) {
   1401         if (!mHasFeature) {
   1402             return 0;
   1403         }
   1404         enforceCrossUserPermission(userHandle);
   1405         synchronized (this) {
   1406             DevicePolicyData policy = getUserData(userHandle);
   1407             int length = 0;
   1408 
   1409             if (who != null) {
   1410                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1411                 return admin != null ? admin.passwordHistoryLength : length;
   1412             }
   1413 
   1414             final int N = policy.mAdminList.size();
   1415             for (int i = 0; i < N; i++) {
   1416                 ActiveAdmin admin = policy.mAdminList.get(i);
   1417                 if (length < admin.passwordHistoryLength) {
   1418                     length = admin.passwordHistoryLength;
   1419                 }
   1420             }
   1421             return length;
   1422         }
   1423     }
   1424 
   1425     public void setPasswordExpirationTimeout(ComponentName who, long timeout, int userHandle) {
   1426         if (!mHasFeature) {
   1427             return;
   1428         }
   1429         enforceCrossUserPermission(userHandle);
   1430         synchronized (this) {
   1431             if (who == null) {
   1432                 throw new NullPointerException("ComponentName is null");
   1433             }
   1434             if (timeout < 0) {
   1435                 throw new IllegalArgumentException("Timeout must be >= 0 ms");
   1436             }
   1437             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1438                     DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD);
   1439             // Calling this API automatically bumps the expiration date
   1440             final long expiration = timeout > 0L ? (timeout + System.currentTimeMillis()) : 0L;
   1441             ap.passwordExpirationDate = expiration;
   1442             ap.passwordExpirationTimeout = timeout;
   1443             if (timeout > 0L) {
   1444                 Slog.w(TAG, "setPasswordExpiration(): password will expire on "
   1445                         + DateFormat.getDateTimeInstance(DateFormat.DEFAULT, DateFormat.DEFAULT)
   1446                         .format(new Date(expiration)));
   1447             }
   1448             saveSettingsLocked(userHandle);
   1449             // in case this is the first one
   1450             setExpirationAlarmCheckLocked(mContext, getUserData(userHandle));
   1451         }
   1452     }
   1453 
   1454     /**
   1455      * Return a single admin's expiration cycle time, or the min of all cycle times.
   1456      * Returns 0 if not configured.
   1457      */
   1458     public long getPasswordExpirationTimeout(ComponentName who, int userHandle) {
   1459         if (!mHasFeature) {
   1460             return 0L;
   1461         }
   1462         enforceCrossUserPermission(userHandle);
   1463         synchronized (this) {
   1464             if (who != null) {
   1465                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1466                 return admin != null ? admin.passwordExpirationTimeout : 0L;
   1467             }
   1468 
   1469             long timeout = 0L;
   1470             DevicePolicyData policy = getUserData(userHandle);
   1471             final int N = policy.mAdminList.size();
   1472             for (int i = 0; i < N; i++) {
   1473                 ActiveAdmin admin = policy.mAdminList.get(i);
   1474                 if (timeout == 0L || (admin.passwordExpirationTimeout != 0L
   1475                         && timeout > admin.passwordExpirationTimeout)) {
   1476                     timeout = admin.passwordExpirationTimeout;
   1477                 }
   1478             }
   1479             return timeout;
   1480         }
   1481     }
   1482 
   1483     /**
   1484      * Return a single admin's expiration date/time, or the min (soonest) for all admins.
   1485      * Returns 0 if not configured.
   1486      */
   1487     private long getPasswordExpirationLocked(ComponentName who, int userHandle) {
   1488         if (who != null) {
   1489             ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1490             return admin != null ? admin.passwordExpirationDate : 0L;
   1491         }
   1492 
   1493         long timeout = 0L;
   1494         DevicePolicyData policy = getUserData(userHandle);
   1495         final int N = policy.mAdminList.size();
   1496         for (int i = 0; i < N; i++) {
   1497             ActiveAdmin admin = policy.mAdminList.get(i);
   1498             if (timeout == 0L || (admin.passwordExpirationDate != 0
   1499                     && timeout > admin.passwordExpirationDate)) {
   1500                 timeout = admin.passwordExpirationDate;
   1501             }
   1502         }
   1503         return timeout;
   1504     }
   1505 
   1506     public long getPasswordExpiration(ComponentName who, int userHandle) {
   1507         if (!mHasFeature) {
   1508             return 0L;
   1509         }
   1510         enforceCrossUserPermission(userHandle);
   1511         synchronized (this) {
   1512             return getPasswordExpirationLocked(who, userHandle);
   1513         }
   1514     }
   1515 
   1516     public void setPasswordMinimumUpperCase(ComponentName who, int length, int userHandle) {
   1517         if (!mHasFeature) {
   1518             return;
   1519         }
   1520         enforceCrossUserPermission(userHandle);
   1521         synchronized (this) {
   1522             if (who == null) {
   1523                 throw new NullPointerException("ComponentName is null");
   1524             }
   1525             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1526                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1527             if (ap.minimumPasswordUpperCase != length) {
   1528                 ap.minimumPasswordUpperCase = length;
   1529                 saveSettingsLocked(userHandle);
   1530             }
   1531         }
   1532     }
   1533 
   1534     public int getPasswordMinimumUpperCase(ComponentName who, int userHandle) {
   1535         if (!mHasFeature) {
   1536             return 0;
   1537         }
   1538         enforceCrossUserPermission(userHandle);
   1539         synchronized (this) {
   1540             int length = 0;
   1541 
   1542             if (who != null) {
   1543                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1544                 return admin != null ? admin.minimumPasswordUpperCase : length;
   1545             }
   1546 
   1547             DevicePolicyData policy = getUserData(userHandle);
   1548             final int N = policy.mAdminList.size();
   1549             for (int i=0; i<N; i++) {
   1550                 ActiveAdmin admin = policy.mAdminList.get(i);
   1551                 if (length < admin.minimumPasswordUpperCase) {
   1552                     length = admin.minimumPasswordUpperCase;
   1553                 }
   1554             }
   1555             return length;
   1556         }
   1557     }
   1558 
   1559     public void setPasswordMinimumLowerCase(ComponentName who, int length, int userHandle) {
   1560         enforceCrossUserPermission(userHandle);
   1561         synchronized (this) {
   1562             if (who == null) {
   1563                 throw new NullPointerException("ComponentName is null");
   1564             }
   1565             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1566                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1567             if (ap.minimumPasswordLowerCase != length) {
   1568                 ap.minimumPasswordLowerCase = length;
   1569                 saveSettingsLocked(userHandle);
   1570             }
   1571         }
   1572     }
   1573 
   1574     public int getPasswordMinimumLowerCase(ComponentName who, int userHandle) {
   1575         if (!mHasFeature) {
   1576             return 0;
   1577         }
   1578         enforceCrossUserPermission(userHandle);
   1579         synchronized (this) {
   1580             int length = 0;
   1581 
   1582             if (who != null) {
   1583                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1584                 return admin != null ? admin.minimumPasswordLowerCase : length;
   1585             }
   1586 
   1587             DevicePolicyData policy = getUserData(userHandle);
   1588             final int N = policy.mAdminList.size();
   1589             for (int i=0; i<N; i++) {
   1590                 ActiveAdmin admin = policy.mAdminList.get(i);
   1591                 if (length < admin.minimumPasswordLowerCase) {
   1592                     length = admin.minimumPasswordLowerCase;
   1593                 }
   1594             }
   1595             return length;
   1596         }
   1597     }
   1598 
   1599     public void setPasswordMinimumLetters(ComponentName who, int length, int userHandle) {
   1600         if (!mHasFeature) {
   1601             return;
   1602         }
   1603         enforceCrossUserPermission(userHandle);
   1604         synchronized (this) {
   1605             if (who == null) {
   1606                 throw new NullPointerException("ComponentName is null");
   1607             }
   1608             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1609                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1610             if (ap.minimumPasswordLetters != length) {
   1611                 ap.minimumPasswordLetters = length;
   1612                 saveSettingsLocked(userHandle);
   1613             }
   1614         }
   1615     }
   1616 
   1617     public int getPasswordMinimumLetters(ComponentName who, int userHandle) {
   1618         if (!mHasFeature) {
   1619             return 0;
   1620         }
   1621         enforceCrossUserPermission(userHandle);
   1622         synchronized (this) {
   1623             int length = 0;
   1624 
   1625             if (who != null) {
   1626                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1627                 return admin != null ? admin.minimumPasswordLetters : length;
   1628             }
   1629 
   1630             DevicePolicyData policy = getUserData(userHandle);
   1631             final int N = policy.mAdminList.size();
   1632             for (int i=0; i<N; i++) {
   1633                 ActiveAdmin admin = policy.mAdminList.get(i);
   1634                 if (length < admin.minimumPasswordLetters) {
   1635                     length = admin.minimumPasswordLetters;
   1636                 }
   1637             }
   1638             return length;
   1639         }
   1640     }
   1641 
   1642     public void setPasswordMinimumNumeric(ComponentName who, int length, int userHandle) {
   1643         if (!mHasFeature) {
   1644             return;
   1645         }
   1646         enforceCrossUserPermission(userHandle);
   1647         synchronized (this) {
   1648             if (who == null) {
   1649                 throw new NullPointerException("ComponentName is null");
   1650             }
   1651             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1652                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1653             if (ap.minimumPasswordNumeric != length) {
   1654                 ap.minimumPasswordNumeric = length;
   1655                 saveSettingsLocked(userHandle);
   1656             }
   1657         }
   1658     }
   1659 
   1660     public int getPasswordMinimumNumeric(ComponentName who, int userHandle) {
   1661         if (!mHasFeature) {
   1662             return 0;
   1663         }
   1664         enforceCrossUserPermission(userHandle);
   1665         synchronized (this) {
   1666             int length = 0;
   1667 
   1668             if (who != null) {
   1669                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1670                 return admin != null ? admin.minimumPasswordNumeric : length;
   1671             }
   1672 
   1673             DevicePolicyData policy = getUserData(userHandle);
   1674             final int N = policy.mAdminList.size();
   1675             for (int i = 0; i < N; i++) {
   1676                 ActiveAdmin admin = policy.mAdminList.get(i);
   1677                 if (length < admin.minimumPasswordNumeric) {
   1678                     length = admin.minimumPasswordNumeric;
   1679                 }
   1680             }
   1681             return length;
   1682         }
   1683     }
   1684 
   1685     public void setPasswordMinimumSymbols(ComponentName who, int length, int userHandle) {
   1686         if (!mHasFeature) {
   1687             return;
   1688         }
   1689         enforceCrossUserPermission(userHandle);
   1690         synchronized (this) {
   1691             if (who == null) {
   1692                 throw new NullPointerException("ComponentName is null");
   1693             }
   1694             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1695                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1696             if (ap.minimumPasswordSymbols != length) {
   1697                 ap.minimumPasswordSymbols = length;
   1698                 saveSettingsLocked(userHandle);
   1699             }
   1700         }
   1701     }
   1702 
   1703     public int getPasswordMinimumSymbols(ComponentName who, int userHandle) {
   1704         if (!mHasFeature) {
   1705             return 0;
   1706         }
   1707         enforceCrossUserPermission(userHandle);
   1708         synchronized (this) {
   1709             int length = 0;
   1710 
   1711             if (who != null) {
   1712                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1713                 return admin != null ? admin.minimumPasswordSymbols : length;
   1714             }
   1715 
   1716             DevicePolicyData policy = getUserData(userHandle);
   1717             final int N = policy.mAdminList.size();
   1718             for  (int i=0; i<N; i++) {
   1719                 ActiveAdmin admin = policy.mAdminList.get(i);
   1720                 if (length < admin.minimumPasswordSymbols) {
   1721                     length = admin.minimumPasswordSymbols;
   1722                 }
   1723             }
   1724             return length;
   1725         }
   1726     }
   1727 
   1728     public void setPasswordMinimumNonLetter(ComponentName who, int length, int userHandle) {
   1729         if (!mHasFeature) {
   1730             return;
   1731         }
   1732         enforceCrossUserPermission(userHandle);
   1733         synchronized (this) {
   1734             if (who == null) {
   1735                 throw new NullPointerException("ComponentName is null");
   1736             }
   1737             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1738                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1739             if (ap.minimumPasswordNonLetter != length) {
   1740                 ap.minimumPasswordNonLetter = length;
   1741                 saveSettingsLocked(userHandle);
   1742             }
   1743         }
   1744     }
   1745 
   1746     public int getPasswordMinimumNonLetter(ComponentName who, int userHandle) {
   1747         if (!mHasFeature) {
   1748             return 0;
   1749         }
   1750         enforceCrossUserPermission(userHandle);
   1751         synchronized (this) {
   1752             int length = 0;
   1753 
   1754             if (who != null) {
   1755                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1756                 return admin != null ? admin.minimumPasswordNonLetter : length;
   1757             }
   1758 
   1759             DevicePolicyData policy = getUserData(userHandle);
   1760             final int N = policy.mAdminList.size();
   1761             for (int i=0; i<N; i++) {
   1762                 ActiveAdmin admin = policy.mAdminList.get(i);
   1763                 if (length < admin.minimumPasswordNonLetter) {
   1764                     length = admin.minimumPasswordNonLetter;
   1765                 }
   1766             }
   1767             return length;
   1768         }
   1769     }
   1770 
   1771     public boolean isActivePasswordSufficient(int userHandle) {
   1772         if (!mHasFeature) {
   1773             return true;
   1774         }
   1775         enforceCrossUserPermission(userHandle);
   1776         synchronized (this) {
   1777             DevicePolicyData policy = getUserData(userHandle);
   1778             // This API can only be called by an active device admin,
   1779             // so try to retrieve it to check that the caller is one.
   1780             getActiveAdminForCallerLocked(null,
   1781                     DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD);
   1782             if (policy.mActivePasswordQuality < getPasswordQuality(null, userHandle)
   1783                     || policy.mActivePasswordLength < getPasswordMinimumLength(null, userHandle)) {
   1784                 return false;
   1785             }
   1786             if (policy.mActivePasswordQuality != DevicePolicyManager.PASSWORD_QUALITY_COMPLEX) {
   1787                 return true;
   1788             }
   1789             return policy.mActivePasswordUpperCase >= getPasswordMinimumUpperCase(null, userHandle)
   1790                     && policy.mActivePasswordLowerCase >= getPasswordMinimumLowerCase(null, userHandle)
   1791                     && policy.mActivePasswordLetters >= getPasswordMinimumLetters(null, userHandle)
   1792                     && policy.mActivePasswordNumeric >= getPasswordMinimumNumeric(null, userHandle)
   1793                     && policy.mActivePasswordSymbols >= getPasswordMinimumSymbols(null, userHandle)
   1794                     && policy.mActivePasswordNonLetter >= getPasswordMinimumNonLetter(null, userHandle);
   1795         }
   1796     }
   1797 
   1798     public int getCurrentFailedPasswordAttempts(int userHandle) {
   1799         enforceCrossUserPermission(userHandle);
   1800         synchronized (this) {
   1801             // This API can only be called by an active device admin,
   1802             // so try to retrieve it to check that the caller is one.
   1803             getActiveAdminForCallerLocked(null,
   1804                     DeviceAdminInfo.USES_POLICY_WATCH_LOGIN);
   1805             return getUserData(userHandle).mFailedPasswordAttempts;
   1806         }
   1807     }
   1808 
   1809     public void setMaximumFailedPasswordsForWipe(ComponentName who, int num, int userHandle) {
   1810         if (!mHasFeature) {
   1811             return;
   1812         }
   1813         enforceCrossUserPermission(userHandle);
   1814         synchronized (this) {
   1815             // This API can only be called by an active device admin,
   1816             // so try to retrieve it to check that the caller is one.
   1817             getActiveAdminForCallerLocked(who,
   1818                     DeviceAdminInfo.USES_POLICY_WIPE_DATA);
   1819             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1820                     DeviceAdminInfo.USES_POLICY_WATCH_LOGIN);
   1821             if (ap.maximumFailedPasswordsForWipe != num) {
   1822                 ap.maximumFailedPasswordsForWipe = num;
   1823                 saveSettingsLocked(userHandle);
   1824             }
   1825         }
   1826     }
   1827 
   1828     public int getMaximumFailedPasswordsForWipe(ComponentName who, int userHandle) {
   1829         if (!mHasFeature) {
   1830             return 0;
   1831         }
   1832         enforceCrossUserPermission(userHandle);
   1833         synchronized (this) {
   1834             DevicePolicyData policy = getUserData(userHandle);
   1835             int count = 0;
   1836 
   1837             if (who != null) {
   1838                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   1839                 return admin != null ? admin.maximumFailedPasswordsForWipe : count;
   1840             }
   1841 
   1842             final int N = policy.mAdminList.size();
   1843             for  (int i=0; i<N; i++) {
   1844                 ActiveAdmin admin = policy.mAdminList.get(i);
   1845                 if (count == 0) {
   1846                     count = admin.maximumFailedPasswordsForWipe;
   1847                 } else if (admin.maximumFailedPasswordsForWipe != 0
   1848                         && count > admin.maximumFailedPasswordsForWipe) {
   1849                     count = admin.maximumFailedPasswordsForWipe;
   1850                 }
   1851             }
   1852             return count;
   1853         }
   1854     }
   1855 
   1856     public boolean resetPassword(String password, int flags, int userHandle) {
   1857         if (!mHasFeature) {
   1858             return false;
   1859         }
   1860         enforceCrossUserPermission(userHandle);
   1861         int quality;
   1862         synchronized (this) {
   1863             // This API can only be called by an active device admin,
   1864             // so try to retrieve it to check that the caller is one.
   1865             getActiveAdminForCallerLocked(null,
   1866                     DeviceAdminInfo.USES_POLICY_RESET_PASSWORD);
   1867             quality = getPasswordQuality(null, userHandle);
   1868             if (quality != DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
   1869                 int realQuality = LockPatternUtils.computePasswordQuality(password);
   1870                 if (realQuality < quality
   1871                         && quality != DevicePolicyManager.PASSWORD_QUALITY_COMPLEX) {
   1872                     Slog.w(TAG, "resetPassword: password quality 0x"
   1873                             + Integer.toHexString(realQuality)
   1874                             + " does not meet required quality 0x"
   1875                             + Integer.toHexString(quality));
   1876                     return false;
   1877                 }
   1878                 quality = Math.max(realQuality, quality);
   1879             }
   1880             int length = getPasswordMinimumLength(null, userHandle);
   1881             if (password.length() < length) {
   1882                 Slog.w(TAG, "resetPassword: password length " + password.length()
   1883                         + " does not meet required length " + length);
   1884                 return false;
   1885             }
   1886             if (quality == DevicePolicyManager.PASSWORD_QUALITY_COMPLEX) {
   1887                 int letters = 0;
   1888                 int uppercase = 0;
   1889                 int lowercase = 0;
   1890                 int numbers = 0;
   1891                 int symbols = 0;
   1892                 int nonletter = 0;
   1893                 for (int i = 0; i < password.length(); i++) {
   1894                     char c = password.charAt(i);
   1895                     if (c >= 'A' && c <= 'Z') {
   1896                         letters++;
   1897                         uppercase++;
   1898                     } else if (c >= 'a' && c <= 'z') {
   1899                         letters++;
   1900                         lowercase++;
   1901                     } else if (c >= '0' && c <= '9') {
   1902                         numbers++;
   1903                         nonletter++;
   1904                     } else {
   1905                         symbols++;
   1906                         nonletter++;
   1907                     }
   1908                 }
   1909                 int neededLetters = getPasswordMinimumLetters(null, userHandle);
   1910                 if(letters < neededLetters) {
   1911                     Slog.w(TAG, "resetPassword: number of letters " + letters
   1912                             + " does not meet required number of letters " + neededLetters);
   1913                     return false;
   1914                 }
   1915                 int neededNumbers = getPasswordMinimumNumeric(null, userHandle);
   1916                 if (numbers < neededNumbers) {
   1917                     Slog.w(TAG, "resetPassword: number of numerical digits " + numbers
   1918                             + " does not meet required number of numerical digits "
   1919                             + neededNumbers);
   1920                     return false;
   1921                 }
   1922                 int neededLowerCase = getPasswordMinimumLowerCase(null, userHandle);
   1923                 if (lowercase < neededLowerCase) {
   1924                     Slog.w(TAG, "resetPassword: number of lowercase letters " + lowercase
   1925                             + " does not meet required number of lowercase letters "
   1926                             + neededLowerCase);
   1927                     return false;
   1928                 }
   1929                 int neededUpperCase = getPasswordMinimumUpperCase(null, userHandle);
   1930                 if (uppercase < neededUpperCase) {
   1931                     Slog.w(TAG, "resetPassword: number of uppercase letters " + uppercase
   1932                             + " does not meet required number of uppercase letters "
   1933                             + neededUpperCase);
   1934                     return false;
   1935                 }
   1936                 int neededSymbols = getPasswordMinimumSymbols(null, userHandle);
   1937                 if (symbols < neededSymbols) {
   1938                     Slog.w(TAG, "resetPassword: number of special symbols " + symbols
   1939                             + " does not meet required number of special symbols " + neededSymbols);
   1940                     return false;
   1941                 }
   1942                 int neededNonLetter = getPasswordMinimumNonLetter(null, userHandle);
   1943                 if (nonletter < neededNonLetter) {
   1944                     Slog.w(TAG, "resetPassword: number of non-letter characters " + nonletter
   1945                             + " does not meet required number of non-letter characters "
   1946                             + neededNonLetter);
   1947                     return false;
   1948                 }
   1949             }
   1950         }
   1951 
   1952         int callingUid = Binder.getCallingUid();
   1953         DevicePolicyData policy = getUserData(userHandle);
   1954         if (policy.mPasswordOwner >= 0 && policy.mPasswordOwner != callingUid) {
   1955             Slog.w(TAG, "resetPassword: already set by another uid and not entered by user");
   1956             return false;
   1957         }
   1958 
   1959         // Don't do this with the lock held, because it is going to call
   1960         // back in to the service.
   1961         long ident = Binder.clearCallingIdentity();
   1962         try {
   1963             LockPatternUtils utils = new LockPatternUtils(mContext);
   1964             utils.saveLockPassword(password, quality, false, userHandle);
   1965             synchronized (this) {
   1966                 int newOwner = (flags&DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY)
   1967                         != 0 ? callingUid : -1;
   1968                 if (policy.mPasswordOwner != newOwner) {
   1969                     policy.mPasswordOwner = newOwner;
   1970                     saveSettingsLocked(userHandle);
   1971                 }
   1972             }
   1973         } finally {
   1974             Binder.restoreCallingIdentity(ident);
   1975         }
   1976 
   1977         return true;
   1978     }
   1979 
   1980     public void setMaximumTimeToLock(ComponentName who, long timeMs, int userHandle) {
   1981         if (!mHasFeature) {
   1982             return;
   1983         }
   1984         enforceCrossUserPermission(userHandle);
   1985         synchronized (this) {
   1986             if (who == null) {
   1987                 throw new NullPointerException("ComponentName is null");
   1988             }
   1989             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   1990                     DeviceAdminInfo.USES_POLICY_FORCE_LOCK);
   1991             if (ap.maximumTimeToUnlock != timeMs) {
   1992                 ap.maximumTimeToUnlock = timeMs;
   1993                 saveSettingsLocked(userHandle);
   1994                 updateMaximumTimeToLockLocked(getUserData(userHandle));
   1995             }
   1996         }
   1997     }
   1998 
   1999     void updateMaximumTimeToLockLocked(DevicePolicyData policy) {
   2000         long timeMs = getMaximumTimeToLock(null, policy.mUserHandle);
   2001         if (policy.mLastMaximumTimeToLock == timeMs) {
   2002             return;
   2003         }
   2004 
   2005         long ident = Binder.clearCallingIdentity();
   2006         try {
   2007             if (timeMs <= 0) {
   2008                 timeMs = Integer.MAX_VALUE;
   2009             } else {
   2010                 // Make sure KEEP_SCREEN_ON is disabled, since that
   2011                 // would allow bypassing of the maximum time to lock.
   2012                 Settings.Global.putInt(mContext.getContentResolver(),
   2013                         Settings.Global.STAY_ON_WHILE_PLUGGED_IN, 0);
   2014             }
   2015 
   2016             policy.mLastMaximumTimeToLock = timeMs;
   2017 
   2018             try {
   2019                 getIPowerManager().setMaximumScreenOffTimeoutFromDeviceAdmin((int)timeMs);
   2020             } catch (RemoteException e) {
   2021                 Slog.w(TAG, "Failure talking with power manager", e);
   2022             }
   2023         } finally {
   2024             Binder.restoreCallingIdentity(ident);
   2025         }
   2026     }
   2027 
   2028     public long getMaximumTimeToLock(ComponentName who, int userHandle) {
   2029         if (!mHasFeature) {
   2030             return 0;
   2031         }
   2032         enforceCrossUserPermission(userHandle);
   2033         synchronized (this) {
   2034             long time = 0;
   2035 
   2036             if (who != null) {
   2037                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   2038                 return admin != null ? admin.maximumTimeToUnlock : time;
   2039             }
   2040 
   2041             DevicePolicyData policy = getUserData(userHandle);
   2042             final int N = policy.mAdminList.size();
   2043             for  (int i=0; i<N; i++) {
   2044                 ActiveAdmin admin = policy.mAdminList.get(i);
   2045                 if (time == 0) {
   2046                     time = admin.maximumTimeToUnlock;
   2047                 } else if (admin.maximumTimeToUnlock != 0
   2048                         && time > admin.maximumTimeToUnlock) {
   2049                     time = admin.maximumTimeToUnlock;
   2050                 }
   2051             }
   2052             return time;
   2053         }
   2054     }
   2055 
   2056     public void lockNow() {
   2057         if (!mHasFeature) {
   2058             return;
   2059         }
   2060         synchronized (this) {
   2061             // This API can only be called by an active device admin,
   2062             // so try to retrieve it to check that the caller is one.
   2063             getActiveAdminForCallerLocked(null,
   2064                     DeviceAdminInfo.USES_POLICY_FORCE_LOCK);
   2065             lockNowUnchecked();
   2066         }
   2067     }
   2068 
   2069     private void lockNowUnchecked() {
   2070         long ident = Binder.clearCallingIdentity();
   2071         try {
   2072             // Power off the display
   2073             getIPowerManager().goToSleep(SystemClock.uptimeMillis(),
   2074                     PowerManager.GO_TO_SLEEP_REASON_DEVICE_ADMIN);
   2075             // Ensure the device is locked
   2076             getWindowManager().lockNow(null);
   2077         } catch (RemoteException e) {
   2078         } finally {
   2079             Binder.restoreCallingIdentity(ident);
   2080         }
   2081     }
   2082 
   2083     private boolean isExtStorageEncrypted() {
   2084         String state = SystemProperties.get("vold.decrypt");
   2085         return !"".equals(state);
   2086     }
   2087 
   2088     public boolean installCaCert(byte[] certBuffer) throws RemoteException {
   2089         mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
   2090         KeyChainConnection keyChainConnection = null;
   2091         byte[] pemCert;
   2092         try {
   2093             X509Certificate cert = parseCert(certBuffer);
   2094             pemCert =  Credentials.convertToPem(cert);
   2095         } catch (CertificateException ce) {
   2096             Log.e(TAG, "Problem converting cert", ce);
   2097             return false;
   2098         } catch (IOException ioe) {
   2099             Log.e(TAG, "Problem reading cert", ioe);
   2100             return false;
   2101         }
   2102         try {
   2103             keyChainConnection = KeyChain.bind(mContext);
   2104             try {
   2105                 keyChainConnection.getService().installCaCertificate(pemCert);
   2106                 return true;
   2107             } finally {
   2108                 if (keyChainConnection != null) {
   2109                     keyChainConnection.close();
   2110                     keyChainConnection = null;
   2111                 }
   2112             }
   2113         } catch (InterruptedException e1) {
   2114             Log.w(TAG, "installCaCertsToKeyChain(): ", e1);
   2115             Thread.currentThread().interrupt();
   2116         }
   2117         return false;
   2118     }
   2119 
   2120     private static X509Certificate parseCert(byte[] certBuffer)
   2121             throws CertificateException, IOException {
   2122         CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
   2123         return (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(
   2124                 certBuffer));
   2125     }
   2126 
   2127     public void uninstallCaCert(final byte[] certBuffer) {
   2128         mContext.enforceCallingOrSelfPermission(MANAGE_CA_CERTIFICATES, null);
   2129         TrustedCertificateStore certStore = new TrustedCertificateStore();
   2130         String alias = null;
   2131         try {
   2132             X509Certificate cert = parseCert(certBuffer);
   2133             alias = certStore.getCertificateAlias(cert);
   2134         } catch (CertificateException ce) {
   2135             Log.e(TAG, "Problem creating X509Certificate", ce);
   2136             return;
   2137         } catch (IOException ioe) {
   2138             Log.e(TAG, "Problem reading certificate", ioe);
   2139             return;
   2140         }
   2141         try {
   2142             KeyChainConnection keyChainConnection = KeyChain.bind(mContext);
   2143             IKeyChainService service = keyChainConnection.getService();
   2144             try {
   2145                 service.deleteCaCertificate(alias);
   2146             } catch (RemoteException e) {
   2147                 Log.e(TAG, "from CaCertUninstaller: ", e);
   2148             } finally {
   2149                 keyChainConnection.close();
   2150                 keyChainConnection = null;
   2151             }
   2152         } catch (InterruptedException ie) {
   2153             Log.w(TAG, "CaCertUninstaller: ", ie);
   2154             Thread.currentThread().interrupt();
   2155         }
   2156     }
   2157 
   2158     void wipeDataLocked(int flags) {
   2159         // If the SD card is encrypted and non-removable, we have to force a wipe.
   2160         boolean forceExtWipe = !Environment.isExternalStorageRemovable() && isExtStorageEncrypted();
   2161         boolean wipeExtRequested = (flags&DevicePolicyManager.WIPE_EXTERNAL_STORAGE) != 0;
   2162 
   2163         // Note: we can only do the wipe via ExternalStorageFormatter if the volume is not emulated.
   2164         if ((forceExtWipe || wipeExtRequested) && !Environment.isExternalStorageEmulated()) {
   2165             Intent intent = new Intent(ExternalStorageFormatter.FORMAT_AND_FACTORY_RESET);
   2166             intent.putExtra(ExternalStorageFormatter.EXTRA_ALWAYS_RESET, true);
   2167             intent.setComponent(ExternalStorageFormatter.COMPONENT_NAME);
   2168             mWakeLock.acquire(10000);
   2169             mContext.startService(intent);
   2170         } else {
   2171             try {
   2172                 RecoverySystem.rebootWipeUserData(mContext);
   2173             } catch (IOException e) {
   2174                 Slog.w(TAG, "Failed requesting data wipe", e);
   2175             }
   2176         }
   2177     }
   2178 
   2179     public void wipeData(int flags, final int userHandle) {
   2180         if (!mHasFeature) {
   2181             return;
   2182         }
   2183         enforceCrossUserPermission(userHandle);
   2184         synchronized (this) {
   2185             // This API can only be called by an active device admin,
   2186             // so try to retrieve it to check that the caller is one.
   2187             getActiveAdminForCallerLocked(null,
   2188                     DeviceAdminInfo.USES_POLICY_WIPE_DATA);
   2189             long ident = Binder.clearCallingIdentity();
   2190             try {
   2191                 wipeDeviceOrUserLocked(flags, userHandle);
   2192             } finally {
   2193                 Binder.restoreCallingIdentity(ident);
   2194             }
   2195         }
   2196     }
   2197 
   2198     private void wipeDeviceOrUserLocked(int flags, final int userHandle) {
   2199         if (userHandle == UserHandle.USER_OWNER) {
   2200             wipeDataLocked(flags);
   2201         } else {
   2202             lockNowUnchecked();
   2203             mHandler.post(new Runnable() {
   2204                 public void run() {
   2205                     try {
   2206                         ActivityManagerNative.getDefault().switchUser(UserHandle.USER_OWNER);
   2207                         ((UserManager) mContext.getSystemService(Context.USER_SERVICE))
   2208                                 .removeUser(userHandle);
   2209                     } catch (RemoteException re) {
   2210                         // Shouldn't happen
   2211                     }
   2212                 }
   2213             });
   2214         }
   2215     }
   2216 
   2217     public void getRemoveWarning(ComponentName comp, final RemoteCallback result, int userHandle) {
   2218         if (!mHasFeature) {
   2219             return;
   2220         }
   2221         enforceCrossUserPermission(userHandle);
   2222         mContext.enforceCallingOrSelfPermission(
   2223                 android.Manifest.permission.BIND_DEVICE_ADMIN, null);
   2224 
   2225         synchronized (this) {
   2226             ActiveAdmin admin = getActiveAdminUncheckedLocked(comp, userHandle);
   2227             if (admin == null) {
   2228                 try {
   2229                     result.sendResult(null);
   2230                 } catch (RemoteException e) {
   2231                 }
   2232                 return;
   2233             }
   2234             Intent intent = new Intent(DeviceAdminReceiver.ACTION_DEVICE_ADMIN_DISABLE_REQUESTED);
   2235             intent.setComponent(admin.info.getComponent());
   2236             mContext.sendOrderedBroadcastAsUser(intent, new UserHandle(userHandle),
   2237                     null, new BroadcastReceiver() {
   2238                 @Override
   2239                 public void onReceive(Context context, Intent intent) {
   2240                     try {
   2241                         result.sendResult(getResultExtras(false));
   2242                     } catch (RemoteException e) {
   2243                     }
   2244                 }
   2245             }, null, Activity.RESULT_OK, null, null);
   2246         }
   2247     }
   2248 
   2249     public void setActivePasswordState(int quality, int length, int letters, int uppercase,
   2250             int lowercase, int numbers, int symbols, int nonletter, int userHandle) {
   2251         if (!mHasFeature) {
   2252             return;
   2253         }
   2254         enforceCrossUserPermission(userHandle);
   2255         mContext.enforceCallingOrSelfPermission(
   2256                 android.Manifest.permission.BIND_DEVICE_ADMIN, null);
   2257         DevicePolicyData p = getUserData(userHandle);
   2258 
   2259         validateQualityConstant(quality);
   2260 
   2261         synchronized (this) {
   2262             if (p.mActivePasswordQuality != quality || p.mActivePasswordLength != length
   2263                     || p.mFailedPasswordAttempts != 0 || p.mActivePasswordLetters != letters
   2264                     || p.mActivePasswordUpperCase != uppercase
   2265                     || p.mActivePasswordLowerCase != lowercase || p.mActivePasswordNumeric != numbers
   2266                     || p.mActivePasswordSymbols != symbols || p.mActivePasswordNonLetter != nonletter) {
   2267                 long ident = Binder.clearCallingIdentity();
   2268                 try {
   2269                     p.mActivePasswordQuality = quality;
   2270                     p.mActivePasswordLength = length;
   2271                     p.mActivePasswordLetters = letters;
   2272                     p.mActivePasswordLowerCase = lowercase;
   2273                     p.mActivePasswordUpperCase = uppercase;
   2274                     p.mActivePasswordNumeric = numbers;
   2275                     p.mActivePasswordSymbols = symbols;
   2276                     p.mActivePasswordNonLetter = nonletter;
   2277                     p.mFailedPasswordAttempts = 0;
   2278                     saveSettingsLocked(userHandle);
   2279                     updatePasswordExpirationsLocked(userHandle);
   2280                     setExpirationAlarmCheckLocked(mContext, p);
   2281                     sendAdminCommandLocked(DeviceAdminReceiver.ACTION_PASSWORD_CHANGED,
   2282                             DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD, userHandle);
   2283                 } finally {
   2284                     Binder.restoreCallingIdentity(ident);
   2285                 }
   2286             }
   2287         }
   2288     }
   2289 
   2290     /**
   2291      * Called any time the device password is updated.  Resets all password expiration clocks.
   2292      */
   2293     private void updatePasswordExpirationsLocked(int userHandle) {
   2294         DevicePolicyData policy = getUserData(userHandle);
   2295         final int N = policy.mAdminList.size();
   2296         if (N > 0) {
   2297             for (int i=0; i<N; i++) {
   2298                 ActiveAdmin admin = policy.mAdminList.get(i);
   2299                 if (admin.info.usesPolicy(DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD)) {
   2300                     long timeout = admin.passwordExpirationTimeout;
   2301                     long expiration = timeout > 0L ? (timeout + System.currentTimeMillis()) : 0L;
   2302                     admin.passwordExpirationDate = expiration;
   2303                 }
   2304             }
   2305             saveSettingsLocked(userHandle);
   2306         }
   2307     }
   2308 
   2309     public void reportFailedPasswordAttempt(int userHandle) {
   2310         enforceCrossUserPermission(userHandle);
   2311         mContext.enforceCallingOrSelfPermission(
   2312                 android.Manifest.permission.BIND_DEVICE_ADMIN, null);
   2313 
   2314         synchronized (this) {
   2315             DevicePolicyData policy = getUserData(userHandle);
   2316             long ident = Binder.clearCallingIdentity();
   2317             try {
   2318                 policy.mFailedPasswordAttempts++;
   2319                 saveSettingsLocked(userHandle);
   2320                 if (mHasFeature) {
   2321                     int max = getMaximumFailedPasswordsForWipe(null, userHandle);
   2322                     if (max > 0 && policy.mFailedPasswordAttempts >= max) {
   2323                         wipeDeviceOrUserLocked(0, userHandle);
   2324                     }
   2325                     sendAdminCommandLocked(DeviceAdminReceiver.ACTION_PASSWORD_FAILED,
   2326                             DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, userHandle);
   2327                 }
   2328             } finally {
   2329                 Binder.restoreCallingIdentity(ident);
   2330             }
   2331         }
   2332     }
   2333 
   2334     public void reportSuccessfulPasswordAttempt(int userHandle) {
   2335         enforceCrossUserPermission(userHandle);
   2336         mContext.enforceCallingOrSelfPermission(
   2337                 android.Manifest.permission.BIND_DEVICE_ADMIN, null);
   2338 
   2339         synchronized (this) {
   2340             DevicePolicyData policy = getUserData(userHandle);
   2341             if (policy.mFailedPasswordAttempts != 0 || policy.mPasswordOwner >= 0) {
   2342                 long ident = Binder.clearCallingIdentity();
   2343                 try {
   2344                     policy.mFailedPasswordAttempts = 0;
   2345                     policy.mPasswordOwner = -1;
   2346                     saveSettingsLocked(userHandle);
   2347                     if (mHasFeature) {
   2348                         sendAdminCommandLocked(DeviceAdminReceiver.ACTION_PASSWORD_SUCCEEDED,
   2349                                 DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, userHandle);
   2350                     }
   2351                 } finally {
   2352                     Binder.restoreCallingIdentity(ident);
   2353                 }
   2354             }
   2355         }
   2356     }
   2357 
   2358     public ComponentName setGlobalProxy(ComponentName who, String proxySpec,
   2359             String exclusionList, int userHandle) {
   2360         if (!mHasFeature) {
   2361             return null;
   2362         }
   2363         enforceCrossUserPermission(userHandle);
   2364         synchronized(this) {
   2365             if (who == null) {
   2366                 throw new NullPointerException("ComponentName is null");
   2367             }
   2368 
   2369             // Only check if owner has set global proxy. We don't allow other users to set it.
   2370             DevicePolicyData policy = getUserData(UserHandle.USER_OWNER);
   2371             ActiveAdmin admin = getActiveAdminForCallerLocked(who,
   2372                     DeviceAdminInfo.USES_POLICY_SETS_GLOBAL_PROXY);
   2373 
   2374             // Scan through active admins and find if anyone has already
   2375             // set the global proxy.
   2376             Set<ComponentName> compSet = policy.mAdminMap.keySet();
   2377             for  (ComponentName component : compSet) {
   2378                 ActiveAdmin ap = policy.mAdminMap.get(component);
   2379                 if ((ap.specifiesGlobalProxy) && (!component.equals(who))) {
   2380                     // Another admin already sets the global proxy
   2381                     // Return it to the caller.
   2382                     return component;
   2383                 }
   2384             }
   2385 
   2386             // If the user is not the owner, don't set the global proxy. Fail silently.
   2387             if (UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
   2388                 Slog.w(TAG, "Only the owner is allowed to set the global proxy. User "
   2389                         + userHandle + " is not permitted.");
   2390                 return null;
   2391             }
   2392             if (proxySpec == null) {
   2393                 admin.specifiesGlobalProxy = false;
   2394                 admin.globalProxySpec = null;
   2395                 admin.globalProxyExclusionList = null;
   2396             } else {
   2397 
   2398                 admin.specifiesGlobalProxy = true;
   2399                 admin.globalProxySpec = proxySpec;
   2400                 admin.globalProxyExclusionList = exclusionList;
   2401             }
   2402 
   2403             // Reset the global proxy accordingly
   2404             // Do this using system permissions, as apps cannot write to secure settings
   2405             long origId = Binder.clearCallingIdentity();
   2406             resetGlobalProxyLocked(policy);
   2407             Binder.restoreCallingIdentity(origId);
   2408             return null;
   2409         }
   2410     }
   2411 
   2412     public ComponentName getGlobalProxyAdmin(int userHandle) {
   2413         if (!mHasFeature) {
   2414             return null;
   2415         }
   2416         enforceCrossUserPermission(userHandle);
   2417         synchronized(this) {
   2418             DevicePolicyData policy = getUserData(UserHandle.USER_OWNER);
   2419             // Scan through active admins and find if anyone has already
   2420             // set the global proxy.
   2421             final int N = policy.mAdminList.size();
   2422             for (int i = 0; i < N; i++) {
   2423                 ActiveAdmin ap = policy.mAdminList.get(i);
   2424                 if (ap.specifiesGlobalProxy) {
   2425                     // Device admin sets the global proxy
   2426                     // Return it to the caller.
   2427                     return ap.info.getComponent();
   2428                 }
   2429             }
   2430         }
   2431         // No device admin sets the global proxy.
   2432         return null;
   2433     }
   2434 
   2435     private void resetGlobalProxyLocked(DevicePolicyData policy) {
   2436         final int N = policy.mAdminList.size();
   2437         for (int i = 0; i < N; i++) {
   2438             ActiveAdmin ap = policy.mAdminList.get(i);
   2439             if (ap.specifiesGlobalProxy) {
   2440                 saveGlobalProxyLocked(ap.globalProxySpec, ap.globalProxyExclusionList);
   2441                 return;
   2442             }
   2443         }
   2444         // No device admins defining global proxies - reset global proxy settings to none
   2445         saveGlobalProxyLocked(null, null);
   2446     }
   2447 
   2448     private void saveGlobalProxyLocked(String proxySpec, String exclusionList) {
   2449         if (exclusionList == null) {
   2450             exclusionList = "";
   2451         }
   2452         if (proxySpec == null) {
   2453             proxySpec = "";
   2454         }
   2455         // Remove white spaces
   2456         proxySpec = proxySpec.trim();
   2457         String data[] = proxySpec.split(":");
   2458         int proxyPort = 8080;
   2459         if (data.length > 1) {
   2460             try {
   2461                 proxyPort = Integer.parseInt(data[1]);
   2462             } catch (NumberFormatException e) {}
   2463         }
   2464         exclusionList = exclusionList.trim();
   2465         ContentResolver res = mContext.getContentResolver();
   2466         Settings.Global.putString(res, Settings.Global.GLOBAL_HTTP_PROXY_HOST, data[0]);
   2467         Settings.Global.putInt(res, Settings.Global.GLOBAL_HTTP_PROXY_PORT, proxyPort);
   2468         Settings.Global.putString(res, Settings.Global.GLOBAL_HTTP_PROXY_EXCLUSION_LIST,
   2469                 exclusionList);
   2470     }
   2471 
   2472     /**
   2473      * Set the storage encryption request for a single admin.  Returns the new total request
   2474      * status (for all admins).
   2475      */
   2476     public int setStorageEncryption(ComponentName who, boolean encrypt, int userHandle) {
   2477         if (!mHasFeature) {
   2478             return DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
   2479         }
   2480         enforceCrossUserPermission(userHandle);
   2481         synchronized (this) {
   2482             // Check for permissions
   2483             if (who == null) {
   2484                 throw new NullPointerException("ComponentName is null");
   2485             }
   2486             // Only owner can set storage encryption
   2487             if (userHandle != UserHandle.USER_OWNER
   2488                     || UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
   2489                 Slog.w(TAG, "Only owner is allowed to set storage encryption. User "
   2490                         + UserHandle.getCallingUserId() + " is not permitted.");
   2491                 return 0;
   2492             }
   2493 
   2494             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   2495                     DeviceAdminInfo.USES_ENCRYPTED_STORAGE);
   2496 
   2497             // Quick exit:  If the filesystem does not support encryption, we can exit early.
   2498             if (!isEncryptionSupported()) {
   2499                 return DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
   2500             }
   2501 
   2502             // (1) Record the value for the admin so it's sticky
   2503             if (ap.encryptionRequested != encrypt) {
   2504                 ap.encryptionRequested = encrypt;
   2505                 saveSettingsLocked(userHandle);
   2506             }
   2507 
   2508             DevicePolicyData policy = getUserData(UserHandle.USER_OWNER);
   2509             // (2) Compute "max" for all admins
   2510             boolean newRequested = false;
   2511             final int N = policy.mAdminList.size();
   2512             for (int i = 0; i < N; i++) {
   2513                 newRequested |= policy.mAdminList.get(i).encryptionRequested;
   2514             }
   2515 
   2516             // Notify OS of new request
   2517             setEncryptionRequested(newRequested);
   2518 
   2519             // Return the new global request status
   2520             return newRequested
   2521                     ? DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
   2522                     : DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE;
   2523         }
   2524     }
   2525 
   2526     /**
   2527      * Get the current storage encryption request status for a given admin, or aggregate of all
   2528      * active admins.
   2529      */
   2530     public boolean getStorageEncryption(ComponentName who, int userHandle) {
   2531         if (!mHasFeature) {
   2532             return false;
   2533         }
   2534         enforceCrossUserPermission(userHandle);
   2535         synchronized (this) {
   2536             // Check for permissions if a particular caller is specified
   2537             if (who != null) {
   2538                 // When checking for a single caller, status is based on caller's request
   2539                 ActiveAdmin ap = getActiveAdminUncheckedLocked(who, userHandle);
   2540                 return ap != null ? ap.encryptionRequested : false;
   2541             }
   2542 
   2543             // If no particular caller is specified, return the aggregate set of requests.
   2544             // This is short circuited by returning true on the first hit.
   2545             DevicePolicyData policy = getUserData(userHandle);
   2546             final int N = policy.mAdminList.size();
   2547             for (int i = 0; i < N; i++) {
   2548                 if (policy.mAdminList.get(i).encryptionRequested) {
   2549                     return true;
   2550                 }
   2551             }
   2552             return false;
   2553         }
   2554     }
   2555 
   2556     /**
   2557      * Get the current encryption status of the device.
   2558      */
   2559     public int getStorageEncryptionStatus(int userHandle) {
   2560         if (!mHasFeature) {
   2561             // Ok to return current status.
   2562         }
   2563         enforceCrossUserPermission(userHandle);
   2564         return getEncryptionStatus();
   2565     }
   2566 
   2567     /**
   2568      * Hook to low-levels:  This should report if the filesystem supports encrypted storage.
   2569      */
   2570     private boolean isEncryptionSupported() {
   2571         // Note, this can be implemented as
   2572         //   return getEncryptionStatus() != DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
   2573         // But is provided as a separate internal method if there's a faster way to do a
   2574         // simple check for supported-or-not.
   2575         return getEncryptionStatus() != DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
   2576     }
   2577 
   2578     /**
   2579      * Hook to low-levels:  Reporting the current status of encryption.
   2580      * @return A value such as {@link DevicePolicyManager#ENCRYPTION_STATUS_UNSUPPORTED} or
   2581      * {@link DevicePolicyManager#ENCRYPTION_STATUS_INACTIVE} or
   2582      * {@link DevicePolicyManager#ENCRYPTION_STATUS_ACTIVE}.
   2583      */
   2584     private int getEncryptionStatus() {
   2585         String status = SystemProperties.get("ro.crypto.state", "unsupported");
   2586         if ("encrypted".equalsIgnoreCase(status)) {
   2587             return DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
   2588         } else if ("unencrypted".equalsIgnoreCase(status)) {
   2589             return DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE;
   2590         } else {
   2591             return DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
   2592         }
   2593     }
   2594 
   2595     /**
   2596      * Hook to low-levels:  If needed, record the new admin setting for encryption.
   2597      */
   2598     private void setEncryptionRequested(boolean encrypt) {
   2599     }
   2600 
   2601     /**
   2602      * The system property used to share the state of the camera. The native camera service
   2603      * is expected to read this property and act accordingly.
   2604      */
   2605     public static final String SYSTEM_PROP_DISABLE_CAMERA = "sys.secpolicy.camera.disabled";
   2606 
   2607     /**
   2608      * Disables all device cameras according to the specified admin.
   2609      */
   2610     public void setCameraDisabled(ComponentName who, boolean disabled, int userHandle) {
   2611         if (!mHasFeature) {
   2612             return;
   2613         }
   2614         enforceCrossUserPermission(userHandle);
   2615         synchronized (this) {
   2616             if (who == null) {
   2617                 throw new NullPointerException("ComponentName is null");
   2618             }
   2619             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   2620                     DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA);
   2621             if (ap.disableCamera != disabled) {
   2622                 ap.disableCamera = disabled;
   2623                 saveSettingsLocked(userHandle);
   2624             }
   2625             syncDeviceCapabilitiesLocked(getUserData(userHandle));
   2626         }
   2627     }
   2628 
   2629     /**
   2630      * Gets whether or not all device cameras are disabled for a given admin, or disabled for any
   2631      * active admins.
   2632      */
   2633     public boolean getCameraDisabled(ComponentName who, int userHandle) {
   2634         if (!mHasFeature) {
   2635             return false;
   2636         }
   2637         synchronized (this) {
   2638             if (who != null) {
   2639                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   2640                 return (admin != null) ? admin.disableCamera : false;
   2641             }
   2642 
   2643             DevicePolicyData policy = getUserData(userHandle);
   2644             // Determine whether or not the device camera is disabled for any active admins.
   2645             final int N = policy.mAdminList.size();
   2646             for (int i = 0; i < N; i++) {
   2647                 ActiveAdmin admin = policy.mAdminList.get(i);
   2648                 if (admin.disableCamera) {
   2649                     return true;
   2650                 }
   2651             }
   2652             return false;
   2653         }
   2654     }
   2655 
   2656     /**
   2657      * Selectively disable keyguard features.
   2658      */
   2659     public void setKeyguardDisabledFeatures(ComponentName who, int which, int userHandle) {
   2660         if (!mHasFeature) {
   2661             return;
   2662         }
   2663         enforceCrossUserPermission(userHandle);
   2664         synchronized (this) {
   2665             if (who == null) {
   2666                 throw new NullPointerException("ComponentName is null");
   2667             }
   2668             ActiveAdmin ap = getActiveAdminForCallerLocked(who,
   2669                     DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES);
   2670             if (ap.disabledKeyguardFeatures != which) {
   2671                 ap.disabledKeyguardFeatures = which;
   2672                 saveSettingsLocked(userHandle);
   2673             }
   2674             syncDeviceCapabilitiesLocked(getUserData(userHandle));
   2675         }
   2676     }
   2677 
   2678     /**
   2679      * Gets the disabled state for features in keyguard for the given admin,
   2680      * or the aggregate of all active admins if who is null.
   2681      */
   2682     public int getKeyguardDisabledFeatures(ComponentName who, int userHandle) {
   2683         if (!mHasFeature) {
   2684             return 0;
   2685         }
   2686         enforceCrossUserPermission(userHandle);
   2687         synchronized (this) {
   2688             if (who != null) {
   2689                 ActiveAdmin admin = getActiveAdminUncheckedLocked(who, userHandle);
   2690                 return (admin != null) ? admin.disabledKeyguardFeatures : 0;
   2691             }
   2692 
   2693             // Determine which keyguard features are disabled for any active admins.
   2694             DevicePolicyData policy = getUserData(userHandle);
   2695             final int N = policy.mAdminList.size();
   2696             int which = 0;
   2697             for (int i = 0; i < N; i++) {
   2698                 ActiveAdmin admin = policy.mAdminList.get(i);
   2699                 which |= admin.disabledKeyguardFeatures;
   2700             }
   2701             return which;
   2702         }
   2703     }
   2704 
   2705     @Override
   2706     public boolean setDeviceOwner(String packageName, String ownerName) {
   2707         if (!mHasFeature) {
   2708             return false;
   2709         }
   2710         if (packageName == null
   2711                 || !DeviceOwner.isInstalled(packageName, mContext.getPackageManager())) {
   2712             throw new IllegalArgumentException("Invalid package name " + packageName
   2713                     + " for device owner");
   2714         }
   2715         synchronized (this) {
   2716             if (mDeviceOwner == null && !isDeviceProvisioned()) {
   2717                 mDeviceOwner = new DeviceOwner(packageName, ownerName);
   2718                 mDeviceOwner.writeOwnerFile();
   2719                 return true;
   2720             } else {
   2721                 throw new IllegalStateException("Trying to set device owner to " + packageName
   2722                         + ", owner=" + mDeviceOwner.getPackageName()
   2723                         + ", device_provisioned=" + isDeviceProvisioned());
   2724             }
   2725         }
   2726     }
   2727 
   2728     @Override
   2729     public boolean isDeviceOwner(String packageName) {
   2730         if (!mHasFeature) {
   2731             return false;
   2732         }
   2733         synchronized (this) {
   2734             return mDeviceOwner != null
   2735                     && mDeviceOwner.getPackageName().equals(packageName);
   2736         }
   2737     }
   2738 
   2739     @Override
   2740     public String getDeviceOwner() {
   2741         if (!mHasFeature) {
   2742             return null;
   2743         }
   2744         synchronized (this) {
   2745             if (mDeviceOwner != null) {
   2746                 return mDeviceOwner.getPackageName();
   2747             }
   2748         }
   2749         return null;
   2750     }
   2751 
   2752     @Override
   2753     public String getDeviceOwnerName() {
   2754         if (!mHasFeature) {
   2755             return null;
   2756         }
   2757         mContext.enforceCallingOrSelfPermission(android.Manifest.permission.MANAGE_USERS, null);
   2758         synchronized (this) {
   2759             if (mDeviceOwner != null) {
   2760                 return mDeviceOwner.getName();
   2761             }
   2762         }
   2763         return null;
   2764     }
   2765 
   2766     private boolean isDeviceProvisioned() {
   2767         return Settings.Global.getInt(mContext.getContentResolver(),
   2768                 Settings.Global.DEVICE_PROVISIONED, 0) > 0;
   2769     }
   2770 
   2771     private void enforceCrossUserPermission(int userHandle) {
   2772         if (userHandle < 0) {
   2773             throw new IllegalArgumentException("Invalid userId " + userHandle);
   2774         }
   2775         final int callingUid = Binder.getCallingUid();
   2776         if (userHandle == UserHandle.getUserId(callingUid)) return;
   2777         if (callingUid != Process.SYSTEM_UID && callingUid != 0) {
   2778             mContext.enforceCallingOrSelfPermission(
   2779                     android.Manifest.permission.INTERACT_ACROSS_USERS_FULL, "Must be system or have"
   2780                     + " INTERACT_ACROSS_USERS_FULL permission");
   2781         }
   2782     }
   2783 
   2784     private void enableIfNecessary(String packageName, int userId) {
   2785         try {
   2786             IPackageManager ipm = AppGlobals.getPackageManager();
   2787             ApplicationInfo ai = ipm.getApplicationInfo(packageName,
   2788                     PackageManager.GET_DISABLED_UNTIL_USED_COMPONENTS,
   2789                     userId);
   2790             if (ai.enabledSetting
   2791                     == PackageManager.COMPONENT_ENABLED_STATE_DISABLED_UNTIL_USED) {
   2792                 ipm.setApplicationEnabledSetting(packageName,
   2793                         PackageManager.COMPONENT_ENABLED_STATE_DEFAULT,
   2794                         PackageManager.DONT_KILL_APP, userId, "DevicePolicyManager");
   2795             }
   2796         } catch (RemoteException e) {
   2797         }
   2798     }
   2799 
   2800     @Override
   2801     protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
   2802         if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.DUMP)
   2803                 != PackageManager.PERMISSION_GRANTED) {
   2804 
   2805             pw.println("Permission Denial: can't dump DevicePolicyManagerService from from pid="
   2806                     + Binder.getCallingPid()
   2807                     + ", uid=" + Binder.getCallingUid());
   2808             return;
   2809         }
   2810 
   2811         final Printer p = new PrintWriterPrinter(pw);
   2812 
   2813         synchronized (this) {
   2814             p.println("Current Device Policy Manager state:");
   2815 
   2816             int userCount = mUserData.size();
   2817             for (int u = 0; u < userCount; u++) {
   2818                 DevicePolicyData policy = getUserData(mUserData.keyAt(u));
   2819                 p.println("  Enabled Device Admins (User " + policy.mUserHandle + "):");
   2820                 final int N = policy.mAdminList.size();
   2821                 for (int i=0; i<N; i++) {
   2822                     ActiveAdmin ap = policy.mAdminList.get(i);
   2823                     if (ap != null) {
   2824                         pw.print("  "); pw.print(ap.info.getComponent().flattenToShortString());
   2825                                 pw.println(":");
   2826                         ap.dump("    ", pw);
   2827                     }
   2828                 }
   2829 
   2830                 pw.println(" ");
   2831                 pw.print("  mPasswordOwner="); pw.println(policy.mPasswordOwner);
   2832             }
   2833         }
   2834     }
   2835 
   2836     static class DeviceOwner {
   2837         private static final String DEVICE_OWNER_XML = "device_owner.xml";
   2838         private static final String TAG_DEVICE_OWNER = "device-owner";
   2839         private static final String ATTR_NAME = "name";
   2840         private static final String ATTR_PACKAGE = "package";
   2841         private String mPackageName;
   2842         private String mOwnerName;
   2843 
   2844         DeviceOwner() {
   2845             readOwnerFile();
   2846         }
   2847 
   2848         DeviceOwner(String packageName, String ownerName) {
   2849             this.mPackageName = packageName;
   2850             this.mOwnerName = ownerName;
   2851         }
   2852 
   2853         static boolean isRegistered() {
   2854             return new File(Environment.getSystemSecureDirectory(),
   2855                     DEVICE_OWNER_XML).exists();
   2856         }
   2857 
   2858         String getPackageName() {
   2859             return mPackageName;
   2860         }
   2861 
   2862         String getName() {
   2863             return mOwnerName;
   2864         }
   2865 
   2866         static boolean isInstalled(String packageName, PackageManager pm) {
   2867             try {
   2868                 PackageInfo pi;
   2869                 if ((pi = pm.getPackageInfo(packageName, 0)) != null) {
   2870                     if ((pi.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
   2871                         return true;
   2872                     }
   2873                 }
   2874             } catch (NameNotFoundException nnfe) {
   2875                 Slog.w(TAG, "Device Owner package " + packageName + " not installed.");
   2876             }
   2877             return false;
   2878         }
   2879 
   2880         void readOwnerFile() {
   2881             AtomicFile file = new AtomicFile(new File(Environment.getSystemSecureDirectory(),
   2882                     DEVICE_OWNER_XML));
   2883             try {
   2884                 FileInputStream input = file.openRead();
   2885                 XmlPullParser parser = Xml.newPullParser();
   2886                 parser.setInput(input, null);
   2887                 int type;
   2888                 while ((type=parser.next()) != XmlPullParser.END_DOCUMENT
   2889                         && type != XmlPullParser.START_TAG) {
   2890                 }
   2891                 String tag = parser.getName();
   2892                 if (!TAG_DEVICE_OWNER.equals(tag)) {
   2893                     throw new XmlPullParserException(
   2894                             "Device Owner file does not start with device-owner tag: found " + tag);
   2895                 }
   2896                 mPackageName = parser.getAttributeValue(null, ATTR_PACKAGE);
   2897                 mOwnerName = parser.getAttributeValue(null, ATTR_NAME);
   2898                 input.close();
   2899             } catch (XmlPullParserException xppe) {
   2900                 Slog.e(TAG, "Error parsing device-owner file\n" + xppe);
   2901             } catch (IOException ioe) {
   2902                 Slog.e(TAG, "IO Exception when reading device-owner file\n" + ioe);
   2903             }
   2904         }
   2905 
   2906         void writeOwnerFile() {
   2907             synchronized (this) {
   2908                 writeOwnerFileLocked();
   2909             }
   2910         }
   2911 
   2912         private void writeOwnerFileLocked() {
   2913             AtomicFile file = new AtomicFile(new File(Environment.getSystemSecureDirectory(),
   2914                     DEVICE_OWNER_XML));
   2915             try {
   2916                 FileOutputStream output = file.startWrite();
   2917                 XmlSerializer out = new FastXmlSerializer();
   2918                 out.setOutput(output, "utf-8");
   2919                 out.startDocument(null, true);
   2920                 out.startTag(null, TAG_DEVICE_OWNER);
   2921                 out.attribute(null, ATTR_PACKAGE, mPackageName);
   2922                 if (mOwnerName != null) {
   2923                     out.attribute(null, ATTR_NAME, mOwnerName);
   2924                 }
   2925                 out.endTag(null, TAG_DEVICE_OWNER);
   2926                 out.endDocument();
   2927                 out.flush();
   2928                 file.finishWrite(output);
   2929             } catch (IOException ioe) {
   2930                 Slog.e(TAG, "IO Exception when writing device-owner file\n" + ioe);
   2931             }
   2932         }
   2933     }
   2934 }
   2935