Expose system update related API to corp-owned managed profile

Allows profile owner of corporate-owned managed profile to call the following APIs: * setSystemUpdatePolicy * installSystemUpdate The following APIs can already be called by regular profile owners so no changes are needed: * getSystemUpdatePolicy * getPendingSystemUpdate Test: atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testSystemUpdatePolicy Test: atest com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testInstallUpdate Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testSystemUpdatePolicy Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testInstallUpdate Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testInstallUpdateLogged Bug: 147414327 Change-Id: I7224eb208f665ca7cb301daa7d17cce5126f7858

Expose system update related API to corp-owned managed profile
ca00dd49 · Rubin Xu · f85aaad6 · ca00dd49 · ca00dd49
Commit ca00dd49 authored 5 years ago by Rubin Xu
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -8935,7 +8935,8 @@ public class DevicePolicyManager {
    }
  
    /**
-     * Called by device owners to set a local system update policy. When a new policy is set,
+     * Called by device owners or profile owners of an organization-owned managed profile to to set
+     * a local system update policy. When a new policy is set,
     * {@link #ACTION_SYSTEM_UPDATE_POLICY_CHANGED} is broadcasted.
     * <p>
     * If the supplied system update policy has freeze periods set but the freeze periods do not
@@ -8953,7 +8954,8 @@ public class DevicePolicyManager {
     *            components in the device owner package can set system update policies and the most
     *            recent policy takes effect.
     * @param policy the new policy, or {@code null} to clear the current policy.
-     * @throws SecurityException if {@code admin} is not a device owner.
+     * @throws SecurityException if {@code admin} is not a device owner or a profile owner of an
+     *      organization-owned managed profile.
     * @throws IllegalArgumentException if the policy type or maintenance window is not valid.
     * @throws SystemUpdatePolicy.ValidationFailedException if the policy's freeze period does not
     *             meet the requirement.
@@ -11028,7 +11030,8 @@ public class DevicePolicyManager {
    }
  
    /**
-     * Called by device owner to install a system update from the given file. The device will be
+     * Called by device owner or profile owner of an organization-owned managed profile to install
+     * a system update from the given file. The device will be
     * rebooted in order to finish installing the update. Note that if the device is rebooted, this
     * doesn't necessarily mean that the update has been applied successfully. The caller should
     * additionally check the system version with {@link android.os.Build#FINGERPRINT} or {@link

--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -12040,7 +12040,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                    LocalDate.now());
        }
        synchronized (getLockObject()) {
-            getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
+            getActiveAdminForCallerLocked(who,
+                    DeviceAdminInfo.USES_POLICY_ORGANIZATION_OWNED_PROFILE_OWNER);
            if (policy == null) {
                mOwners.clearSystemUpdatePolicy();
            } else {
@@ -12049,9 +12050,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
            }
            mOwners.writeDeviceOwner();
        }
-        mContext.sendBroadcastAsUser(
+        mInjector.binderWithCleanCallingIdentity(() -> mContext.sendBroadcastAsUser(
                new Intent(DevicePolicyManager.ACTION_SYSTEM_UPDATE_POLICY_CHANGED),
-                UserHandle.SYSTEM);
+                UserHandle.SYSTEM));
        DevicePolicyEventLogger
                .createEvent(DevicePolicyEnums.SET_SYSTEM_UPDATE_POLICY)
                .setAdmin(who)
@@ -14705,7 +14706,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                .setAdmin(admin)
                .setBoolean(isDeviceAB())
                .write();
-        enforceDeviceOwner(admin);
+        enforceDeviceOwnerOrProfileOwnerOnOrganizationOwnedDevice(admin);
        mInjector.binderWithCleanCallingIdentity(() -> {
            UpdateInstaller updateInstaller;
            if (isDeviceAB()) {