
Commit 18d21312 authored by Eran Messeri's avatar Eran Messeri

Rename PO Device IDs access -> Org Owned device

Repurpose the "Profile Owner was granted access to device identifiers"
to "Profile Owner of an Organization-owned device".

The old method now throws an exception, as it should not be called by
anything other than ManagedProvisioning (which is changed in this topic).

The new method now provides the functionality the old method provided,
and there's a new permission associated with it.

No functionality has been added or removed in this CL beyond that.

Bug: 138709470
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: atest com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testDeviceIdAttestationForProfileOwner
Change-Id: I9914e8220213898d0c6b3499af8897e3a6f23819
parent 804d53c6
+2 −2
@@ -75,7 +75,7 @@ package android {
    field public static final String GET_PROCESS_STATE_AND_OOM_SCORE = "android.permission.GET_PROCESS_STATE_AND_OOM_SCORE";
    field public static final String GET_RUNTIME_PERMISSIONS = "android.permission.GET_RUNTIME_PERMISSIONS";
    field public static final String GET_TOP_ACTIVITY_INFO = "android.permission.GET_TOP_ACTIVITY_INFO";
    field public static final String GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS = "android.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS";
    field @Deprecated public static final String GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS = "android.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS";
    field public static final String GRANT_RUNTIME_PERMISSIONS = "android.permission.GRANT_RUNTIME_PERMISSIONS";
    field public static final String GRANT_RUNTIME_PERMISSIONS_TO_TELEPHONY_DEFAULTS = "android.permission.GRANT_RUNTIME_PERMISSIONS_TO_TELEPHONY_DEFAULTS";
    field public static final String HANDLE_CAR_MODE_CHANGES = "android.permission.HANDLE_CAR_MODE_CHANGES";
@@ -745,7 +745,7 @@ package android.app.admin {
    method @RequiresPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL) public boolean packageHasActiveAdmins(String);
    method @Deprecated @RequiresPermission("android.permission.MANAGE_DEVICE_ADMINS") public boolean setActiveProfileOwner(@NonNull android.content.ComponentName, String) throws java.lang.IllegalArgumentException;
    method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public void setDeviceProvisioningConfigApplied();
    method @RequiresPermission(value=android.Manifest.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS, conditional=true) public void setProfileOwnerCanAccessDeviceIds(@NonNull android.content.ComponentName);
    method @Deprecated @RequiresPermission(value=android.Manifest.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS, conditional=true) public void setProfileOwnerCanAccessDeviceIds(@NonNull android.content.ComponentName);
    field public static final String ACCOUNT_FEATURE_DEVICE_OR_PROFILE_OWNER_ALLOWED = "android.account.DEVICE_OR_PROFILE_OWNER_ALLOWED";
    field public static final String ACCOUNT_FEATURE_DEVICE_OR_PROFILE_OWNER_DISALLOWED = "android.account.DEVICE_OR_PROFILE_OWNER_DISALLOWED";
    field public static final String ACTION_PROVISION_FINALIZATION = "android.app.action.PROVISION_FINALIZATION";
+7 −7
@@ -48,8 +48,8 @@ public final class Dpm extends BaseCommand {
    private static final String COMMAND_CLEAR_FREEZE_PERIOD_RECORD = "clear-freeze-period-record";
    private static final String COMMAND_FORCE_NETWORK_LOGS = "force-network-logs";
    private static final String COMMAND_FORCE_SECURITY_LOGS = "force-security-logs";
    private static final String COMMAND_GRANT_PO_DEVICE_ID_ACCESS =
            "grant-profile-owner-device-ids-access";
    private static final String COMMAND_MARK_PO_ON_ORG_OWNED_DEVICE =
            "mark-profile-owner-on-organization-owned-device";

    private IDevicePolicyManager mDevicePolicyManager;
    private int mUserId = UserHandle.USER_SYSTEM;
@@ -93,7 +93,7 @@ public final class Dpm extends BaseCommand {
                "dpm " + COMMAND_FORCE_SECURITY_LOGS + ": makes all security logs available to " +
                "the DPC and triggers DeviceAdminReceiver.onSecurityLogsAvailable() if needed."
                + "\n"
                + "usage: dpm " + COMMAND_GRANT_PO_DEVICE_ID_ACCESS + ": "
                + "usage: dpm " + COMMAND_MARK_PO_ON_ORG_OWNED_DEVICE + ": "
                + "[ --user <USER_ID> | current ] <COMPONENT>\n");
    }

@@ -129,8 +129,8 @@ public final class Dpm extends BaseCommand {
            case COMMAND_FORCE_SECURITY_LOGS:
                runForceSecurityLogs();
                break;
            case COMMAND_GRANT_PO_DEVICE_ID_ACCESS:
                runGrantProfileOwnerDeviceIdsAccess();
            case COMMAND_MARK_PO_ON_ORG_OWNED_DEVICE:
                runMarkProfileOwnerOnOrganizationOwnedDevice();
                break;
            default:
                throw new IllegalArgumentException ("unknown command '" + command + "'");
@@ -251,9 +251,9 @@ public final class Dpm extends BaseCommand {
    }


    private void runGrantProfileOwnerDeviceIdsAccess() throws RemoteException {
    private void runMarkProfileOwnerOnOrganizationOwnedDevice() throws RemoteException {
        parseArgs(/*canHaveName=*/ false);
        mDevicePolicyManager.grantDeviceIdsAccessToProfileOwner(mComponent, mUserId);
        mDevicePolicyManager.markProfileOwnerOnOrganizationOwnedDevice(mComponent, mUserId);
        System.out.println("Success");
    }
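Review bot: The usage entry for `COMMAND_MARK_PO_ON_ORG_OWNED_DEVICE` gives only the argument syntax and, unlike the `COMMAND_FORCE_SECURITY_LOGS` entry just above it, never says what the command does; since the renamed command now does more than grant device-identifier access, the help text should state the effect. It also opens with `"usage: dpm "` where the neighbouring entry opens with `"dpm "`. Something like `+ "dpm " + COMMAND_MARK_PO_ON_ORG_OWNED_DEVICE + ": marks the profile owner as managing an organization-owned device, which grants it access to device identifiers. "` ahead of the existing usage line would cover both. The old command string `grant-profile-owner-device-ids-access` is dropped without an alias, so any script or test still invoking it will presumably land in the `unknown command` branch. The usage method and the command switch both start outside the hunks shown.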

+20 −10
@@ -10832,28 +10832,38 @@ public class DevicePolicyManager {
    }

    /**
     * Grants the profile owner of the given user access to device identifiers (such as
     * serial number, IMEI and MEID).
     * Deprecated. Use {@code markProfileOwnerOnOrganizationOwnedDevice} instead.
     * Throws UnsupportedOperationException when called.
     *
     * <p>This lets the profile owner request inclusion of device identifiers when calling
     * {@link generateKeyPair}.
     *
     * <p>This grant is necessary to guarantee that profile owners can access device identifiers.
     *
     * <p>Privileged system API - meant to be called by the system, particularly the managed
     * provisioning app, when a work profile is set up.
     * @deprecated Use {@link #markProfileOwnerOnOrganizationOwnedDevice} instead.
     *
     * @hide
     */
    @Deprecated
    @SystemApi
    @RequiresPermission(value = android.Manifest.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS,
            conditional = true)
    public void setProfileOwnerCanAccessDeviceIds(@NonNull ComponentName who) {
        throw new UnsupportedOperationException(
                "This method is deprecated. use markProfileOwnerOnOrganizationOwnedDevice instead"
                        + ".");
    }

    /**
     * Marks the profile owner of the given user as managing an organization-owned device.
     * That will give it access to device identifiers (such as serial number, IMEI and MEID)
     * as well as other privileges.
     *
     * @hide
     */
    @RequiresPermission(value = android.Manifest.permission.MARK_DEVICE_ORGANIZATION_OWNED,
            conditional = true)
    public void markProfileOwnerOnOrganizationOwnedDevice(@NonNull ComponentName who) {
        if (mService == null) {
            return;
        }
        try {
            mService.grantDeviceIdsAccessToProfileOwner(who, myUserId());
            mService.markProfileOwnerOnOrganizationOwnedDevice(who, myUserId());
        } catch (RemoteException re) {
            throw re.rethrowFromSystemServer();
        }
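Review bot: The Javadoc on `markProfileOwnerOnOrganizationOwnedDevice` says the mark grants device identifiers "as well as other privileges" without naming them, and does not explain when `MARK_DEVICE_ORGANIZATION_OWNED` is required given `conditional = true`; for a call that raises a profile owner's privileges the contract should be explicit. I would add a `@param who` line, a sentence stating which callers need the permission, and either list the additional privileges or link to where they are defined. The method also returns silently when `mService == null`, so a provisioning caller cannot tell that the profile owner was not marked; the Javadoc should say so, e.g. `<p>Does nothing if the device policy service is unavailable.`. On the deprecated method, the opening Javadoc line `Deprecated. Use {@code markProfileOwnerOnOrganizationOwnedDevice} instead.` duplicates the `@deprecated` tag below it and can be dropped. The new method's body closes outside this hunk.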
+1 −1
@@ -426,7 +426,7 @@ interface IDevicePolicyManager {
    int getGlobalPrivateDnsMode(in ComponentName admin);
    String getGlobalPrivateDnsHost(in ComponentName admin);

    void grantDeviceIdsAccessToProfileOwner(in ComponentName who, int userId);
    void markProfileOwnerOnOrganizationOwnedDevice(in ComponentName who, int userId);

    void installUpdateFromFile(in ComponentName admin, in ParcelFileDescriptor updateFileDescriptor, in StartInstallingUpdateCallback listener);

+7 −0
@@ -4595,10 +4595,17 @@

    <!-- @SystemApi Allows an app to grant a profile owner access to device identifiers.
         <p>Not for use by third-party applications.
         @deprecated
         @hide -->
    <permission android:name="android.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS"
        android:protectionLevel="signature" />

    <!-- Allows an app to mark a profile owner as managing an organization-owned device.
         <p>Not for use by third-party applications.
         @hide -->
    <permission android:name="android.permission.MARK_DEVICE_ORGANIZATION_OWNED"
                android:protectionLevel="signature" />

    <!-- Allows financial apps to read filtered sms messages.
         Protection level: signature|appop  -->
    <permission android:name="android.permission.SMS_FINANCIAL_TRANSACTIONS"
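Review bot: The `@deprecated` tag added to the `GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS` comment names no replacement, and the comment on `MARK_DEVICE_ORGANIZATION_OWNED` does not say that marking a profile owner this way grants it access to device identifiers. I would write `@deprecated Use MARK_DEVICE_ORGANIZATION_OWNED instead.` and extend the new comment with `Marking grants the profile owner access to device identifiers and other privileges.` so that anyone auditing holders of signature permissions can see what this one gates. The old permission stays declared and the service-side check is not part of the visible diff, so it is worth confirming there that holding only the deprecated permission no longer authorises the new, broader call.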