Load owner info during DevicePolicyManagerSerivce construction

While most of the admin policy (DevicePolicyData) is loaded lazily
wheneve they are read, the list of Device and Profile owners are
currently loaded during PHASE_LOCK_SETTINGS_READY, which means
policy getters relying on the list of owners, for example
isCommonCriteriaModeEnabled, does not work until this boot phase.
It turns out that some other system services (WifiService) will
attempt to read the policy before this boot phase and hence fails.

Fix this by loading the owner info as part of DevicePolicyManagerSerivce
construction, so the info is always available.

Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: Set TestDPC as DO, enable Common Criteria mode, add WiFi,
      Check /data/misc/apexdata/com.android.wifi/WifiConfigStore.xml
      for the lack of plaintext WiFi PSK.
Test: atest
com.android.cts.devicepolicy.OrgOwnedProfileOwnerTest#testSecurityLogging
Bug: 157476512

Change-Id: If403cf98574612cb44f7c8a697095276c65087fe

1 files changed, 17 insertions, 2 deletions

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index f1064d153814..df55b3bbd1a4 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -2616,6 +2616,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         mSetupContentObserver = new SetupContentObserver(mHandler);
 
         mUserManagerInternal.addUserRestrictionsListener(new RestrictionsListener(mContext));
+
+        loadOwners();
     }
 
     /**
@@ -2676,12 +2678,23 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
         }
     }
 
+    /**
+     * Load information about device and profile owners of the device, populating mOwners and
+     * pushing owner info to other system services. This is called at a fairly early stage of
+     * system server initialiation (via DevicePolicyManagerService's ctor), so care should to
+     * be taken to not interact with system services that are initialiated after DPMS.
+     * onLockSettingsReady() is a safer place to do initialization work not critical during
+     * the first boot stage.
+     * Note this only loads the list of owners, and not their actual policy (DevicePolicyData).
+     * The policy is normally loaded lazily when it's first accessed. In several occasions
+     * the list of owners is necessary for providing callers with aggregated policies across
+     * multiple owners, hence the owner list is loaded as part of DPMS's construction here.
+     */
     void loadOwners() {
         synchronized (getLockObject()) {
             mOwners.load();
             setDeviceOwnershipSystemPropertyLocked();
             findOwnerComponentIfNecessaryLocked();
-            migrateUserRestrictionsIfNecessaryLocked();
 
             // TODO PO may not have a class name either due to b/17652534.  Address that too.
             updateDeviceOwnerLocked();
@@ -4104,8 +4117,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
     }
 
     private void onLockSettingsReady() {
+        synchronized (getLockObject()) {
+            migrateUserRestrictionsIfNecessaryLocked();
+        }
         getUserData(UserHandle.USER_SYSTEM);
-        loadOwners();
         cleanUpOldUsers();
         maybeSetDefaultProfileOwnerUserRestrictions();
         handleStartUser(UserHandle.USER_SYSTEM);