Merge "[AAPM] Memory Tagging Extension hook" into main

        }

    }

    /**

     * Similar to the public variant of {@link #setMtePolicy} but for use by the system.

     *

     * <p>Called by a system service only, meaning that the caller's UID must be equal to

     * {@link Process#SYSTEM_UID}.

     *

     * @throws SecurityException if caller is not permitted to set Mte policy

     * @throws UnsupportedOperationException if the device does not support MTE

     * @param systemEntity  The service entity that adds the restriction. A user restriction set by

     *                       a service entity can only be cleared by the same entity. This can be

     *                       just the calling package name, or any string of the caller's choice

     *                       can be used.

     * @param policy the MTE policy to be set

     * @hide

     */

    public void setMtePolicy(@NonNull String systemEntity, @MtePolicy int policy) {

        throwIfParentInstance("setMtePolicyForUser");

        if (mService != null) {

            try {

                mService.setMtePolicyBySystem(systemEntity, policy);

            } catch (RemoteException e) {

                throw e.rethrowFromSystemServer();

            }

        }

    }

    /**

     * Called by a device owner, profile owner of an organization-owned device to

     * get the Memory Tagging Extension (MTE) policy

    int[] getApplicationExemptions(String packageName);

    void setMtePolicy(int flag, String callerPackageName);

    void setMtePolicyBySystem(in String systemEntity, int policy);

    int getMtePolicy(String callerPackageName);

    void setManagedSubscriptionsPolicy(in ManagedSubscriptionsPolicy policy);

    description: "Android Advanced Protection Mode Feature: Disable Install Unknown Sources"

    bug: "369361373"

}

flag {

    name: "aapm_feature_memory_tagging_extension"

    namespace: "responsible_apis"

    description: "Android Advanced Protection Mode Feature: Memory Tagging Extension"

    bug: "378931989"

}

import com.android.server.security.advancedprotection.features.AdvancedProtectionHook;

import com.android.server.security.advancedprotection.features.AdvancedProtectionProvider;

import com.android.server.security.advancedprotection.features.DisallowInstallUnknownSourcesAdvancedProtectionHook;

import com.android.server.security.advancedprotection.features.MemoryTaggingExtensionHook;

import java.io.FileDescriptor;

import java.util.ArrayList;

        if (android.security.Flags.aapmFeatureDisableInstallUnknownSources()) {

            mHooks.add(new DisallowInstallUnknownSourcesAdvancedProtectionHook(mContext, enabled));

        }

        if (android.security.Flags.aapmFeatureMemoryTaggingExtension()) {

            mHooks.add(new MemoryTaggingExtensionHook(mContext, enabled));

        }

    }

    // Only for tests

/*

 * Copyright (C) 2024 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package com.android.server.security.advancedprotection.features;

import static android.security.advancedprotection.AdvancedProtectionManager.ADVANCED_PROTECTION_SYSTEM_ENTITY;

import static android.security.advancedprotection.AdvancedProtectionManager.FEATURE_ID_ENABLE_MTE;

import android.annotation.NonNull;

import android.app.admin.DevicePolicyManager;

import android.content.Context;

import android.os.SystemProperties;

import android.security.advancedprotection.AdvancedProtectionFeature;

import android.util.Slog;

/** @hide */

public final class MemoryTaggingExtensionHook

        extends AdvancedProtectionHook {

    private static final String TAG = "AdvancedProtectionMTE";

    private static final String MTE_DPM_SYSTEM_PROPERTY =

            "ro.arm64.memtag.bootctl_device_policy_manager";

    private static final String MTE_SETTINGS_SYSTEM_PROPERTY =

            "ro.arm64.memtag.bootctl_settings_toggle";

    private final AdvancedProtectionFeature mFeature = new AdvancedProtectionFeature(

            FEATURE_ID_ENABLE_MTE);

    private final DevicePolicyManager mDevicePolicyManager;

    public MemoryTaggingExtensionHook(@NonNull Context context,

            boolean enabled) {

        super(context, enabled);

        mDevicePolicyManager = context.getSystemService(DevicePolicyManager.class);

        onAdvancedProtectionChanged(enabled);

    }

    @NonNull

    @Override

    public AdvancedProtectionFeature getFeature() {

        return mFeature;

    }

    @Override

    public boolean isAvailable() {

        return SystemProperties.getBoolean(MTE_DPM_SYSTEM_PROPERTY,

                SystemProperties.getBoolean(MTE_SETTINGS_SYSTEM_PROPERTY, false));

    }

    @Override

    public void onAdvancedProtectionChanged(boolean enabled) {

        if (!isAvailable()) {

            Slog.i(TAG, "MTE unavailable on device, skipping.");

            return;

        }

        final int mtePolicy;

        if (enabled) {

            mtePolicy = DevicePolicyManager.MTE_ENABLED;

        } else {

            mtePolicy = DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY;

        }

        Slog.d(TAG, "Setting MTE state to " + mtePolicy);

        try {

            mDevicePolicyManager.setMtePolicy(ADVANCED_PROTECTION_SYSTEM_ENTITY, mtePolicy);

        } catch (UnsupportedOperationException e) {

            Slog.i(TAG, "Setting MTE policy unsupported", e);

        }

    }

}