
Commit 13a36688 authored by Kris Alder's avatar Kris Alder

disable 2g networking when advanced protection is enabled

This needs to happen both when the service starts (after reboot) and
when the state changes.

If the APM is disabled (after having been enabled) the switch needs to
fall back to the more-secure mode (2G disallowed) but allow the user to
re-enable it if desired.

Test: manually check switch is greyed out and disabled when aapm is
enabled
Test: manually check switch is available, but off, when aapm is disabled
Bug: 374803296
Flag: android.security.aapm_feature_disable_cellular_2g

Change-Id: Iec108733cf8353ad90329d9999fb4e08916522c3
parent ca649f05
+6 −0
@@ -132,3 +132,9 @@ flag {
    description: "Android Advanced Protection Mode Feature: Memory Tagging Extension"
    bug: "378931989"
}
flag {
    name: "aapm_feature_disable_cellular_2g"
    namespace: "responsible_apis"
    description: "Android Advanced Protection Mode Feature: Disable Cellular 2G"
    bug: "377748286"
}
+4 −0
@@ -46,6 +46,7 @@ import com.android.server.SystemService;
import com.android.server.pm.UserManagerInternal;
import com.android.server.security.advancedprotection.features.AdvancedProtectionHook;
import com.android.server.security.advancedprotection.features.AdvancedProtectionProvider;
import com.android.server.security.advancedprotection.features.DisallowCellular2GAdvancedProtectionHook;
import com.android.server.security.advancedprotection.features.DisallowInstallUnknownSourcesAdvancedProtectionHook;
import com.android.server.security.advancedprotection.features.MemoryTaggingExtensionHook;

@@ -84,6 +85,9 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
        if (android.security.Flags.aapmFeatureMemoryTaggingExtension()) {
            mHooks.add(new MemoryTaggingExtensionHook(mContext, enabled));
        }
        if (android.security.Flags.aapmFeatureDisableCellular2g()) {
            mHooks.add(new DisallowCellular2GAdvancedProtectionHook(mContext, enabled));
        }
    }

    // Only for tests
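--- /dev/null
+++ b/com/android/server/security/advancedprotection/features/DisallowCellular2GAdvancedProtectionHook.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.security.advancedprotection.features;
+
+import static android.security.advancedprotection.AdvancedProtectionManager.ADVANCED_PROTECTION_SYSTEM_ENTITY;
+import static android.security.advancedprotection.AdvancedProtectionManager.FEATURE_ID_DISALLOW_CELLULAR_2G;
+
+import android.annotation.NonNull;
+import android.app.admin.DevicePolicyManager;
+import android.content.Context;
+import android.os.UserManager;
+import android.security.advancedprotection.AdvancedProtectionFeature;
+import android.telephony.TelephonyManager;
+import android.util.Slog;
+
+/** @hide */
+public final class DisallowCellular2GAdvancedProtectionHook extends AdvancedProtectionHook {
+    private static final String TAG = "AdvancedProtectionDisallowCellular2G";
+
+    private final AdvancedProtectionFeature mFeature =
+            new AdvancedProtectionFeature(FEATURE_ID_DISALLOW_CELLULAR_2G);
+    private final DevicePolicyManager mDevicePolicyManager;
+    private final TelephonyManager mTelephonyManager;
+
+    public DisallowCellular2GAdvancedProtectionHook(@NonNull Context context, boolean enabled) {
+        super(context, enabled);
+        mDevicePolicyManager = context.getSystemService(DevicePolicyManager.class);
+        mTelephonyManager = context.getSystemService(TelephonyManager.class);
+
+        setPolicy(enabled);
+    }
+
+    @NonNull
+    @Override
+    public AdvancedProtectionFeature getFeature() {
+        return mFeature;
+    }
+
+    @Override
+    public boolean isAvailable() {
+        return mTelephonyManager.isDataCapable();
+    }
+
+    private void setPolicy(boolean enabled) {
+        Slog.i(TAG, "setPolicy called with " + enabled);
+
+        if (enabled) {
+            Slog.d(TAG, "Setting DISALLOW_CELLULAR_2G_GLOBALLY restriction");
+            mDevicePolicyManager.addUserRestrictionGlobally(
+                    ADVANCED_PROTECTION_SYSTEM_ENTITY, UserManager.DISALLOW_CELLULAR_2G);
+        } else {
+            Slog.d(TAG, "Clearing DISALLOW_CELLULAR_2G_GLOBALLY restriction");
+            mDevicePolicyManager.clearUserRestrictionGlobally(
+                    ADVANCED_PROTECTION_SYSTEM_ENTITY, UserManager.DISALLOW_CELLULAR_2G);
+        }
+    }
+
+    @Override
+    public void onAdvancedProtectionChanged(boolean enabled) {
+        setPolicy(enabled);
+
+        // Leave 2G disabled even if APM is disabled.
+        if (!enabled) {
+            long oldAllowedTypes =
+                    mTelephonyManager.getAllowedNetworkTypesForReason(
+                            TelephonyManager.ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G);
+            long newAllowedTypes = oldAllowedTypes & ~TelephonyManager.NETWORK_CLASS_BITMASK_2G;
+            mTelephonyManager.setAllowedNetworkTypesForReason(
+                    TelephonyManager.ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G, newAllowedTypes);
+        }
+    }
+}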
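Review bot: In onAdvancedProtectionChanged the fallback that strips NETWORK_CLASS_BITMASK_2G from the ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G mask runs only after setPolicy(false) has already cleared DISALLOW_CELLULAR_2G, so between the two calls a previously stored ENABLE_2G preference can re-allow 2G before the new mask is applied; applying the mask first and then lifting the restriction closes that window, e.g. move `setPolicy(enabled);` to after the `if (!enabled) { ... }` block so the call order becomes set-mask-then-clear-restriction. The TelephonyManager from `context.getSystemService(TelephonyManager.class)` appears to be bound to the default subscription, so on a multi-SIM device the fallback presumably only touches one subscription; consider iterating the active subscription IDs with `createForSubscriptionId` — to be confirmed against the telephony side. Unless the service already skips hooks whose `isAvailable()` is false (not visible here), the fallback should also be guarded by it, since `setAllowedNetworkTypesForReason` is otherwise invoked on devices that are not data capable. The fallback intent deserves a class-level comment such as `// Turning APM off lifts the hard DISALLOW_CELLULAR_2G restriction but keeps 2G off via the user-settable ENABLE_2G reason, so the Settings toggle becomes usable yet stays off.`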