Loading core/java/android/app/admin/DevicePolicyManager.java +30 −18 Original line number Diff line number Diff line Loading @@ -3918,34 +3918,46 @@ public class DevicePolicyManager { public static @interface MtePolicy {} /** * Set MTE policy for device. MTE_ENABLED does not necessarily enable MTE if set on a device * that does not support MTE. * * The default policy is MTE_NOT_CONTROLLED_BY_POLICY. * * Memory Tagging Extension (MTE) is a CPU extension that allows to protect against certain * Called by a device owner or profile owner of an organization-owned device to set the Memory * Tagging Extension (MTE) policy. MTE is a CPU extension that allows to protect against certain * classes of security problems at a small runtime performance cost overhead. * * @param policy the policy to be set * <p>The MTE policy can only be set to {@link #MTE_DISABLED} if called by a device owner. * Otherwise a {@link SecurityException} will be thrown. * * @throws SecurityException if caller is not device owner or profile owner of org-owned device * or if called on a parent instance * @param policy the MTE policy to be set */ public void setMtePolicy(@MtePolicy int policy) { // TODO(b/244290023): implement // This is SecurityException to temporarily make ParentProfileTest happy. // This is not used. throw new SecurityException("not implemented"); throwIfParentInstance("setMtePolicy"); if (mService != null) { try { mService.setMtePolicy(policy); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } } /** * Get currently set MTE policy. This is not necessarily the same as the state of MTE on the * device, as the device might not support MTE. * Called by a device owner, a profile owner of an organization-owned device or the system to * get the Memory Tagging Extension (MTE) policy * * @return the currently set policy * @throws SecurityException if caller is not device owner or profile owner of org-owned device * or system uid, or if called on a parent instance * @return the currently set MTE policy */ public @MtePolicy int getMtePolicy() { // TODO(b/244290023): implement // This is SecurityException to temporarily make ParentProfileTest happy. // This is not used. throw new SecurityException("not implemented"); throwIfParentInstance("setMtePolicy"); if (mService != null) { try { return mService.getMtePolicy(); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } return MTE_NOT_CONTROLLED_BY_POLICY; } // TODO: Expose this as SystemAPI once we add the query API Loading core/java/android/app/admin/IDevicePolicyManager.aidl +3 −0 Original line number Diff line number Diff line Loading @@ -571,4 +571,7 @@ interface IDevicePolicyManager { void setApplicationExemptions(String packageName, in int[]exemptions); int[] getApplicationExemptions(String packageName); void setMtePolicy(int flag); int getMtePolicy(); } packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java +21 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package com.android.settingslib; import static android.app.admin.DevicePolicyManager.KEYGUARD_DISABLE_FEATURES_NONE; import static android.app.admin.DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; import static android.app.admin.DevicePolicyManager.PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; import android.annotation.NonNull; Loading Loading @@ -732,6 +733,26 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils { textView.setText(sb); } /** * Checks whether MTE (Advanced memory protection) controls are disabled by the enterprise * policy. */ @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE) public static EnforcedAdmin checkIfMteIsDisabled(Context context) { final DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class); if (dpm.getMtePolicy() == MTE_NOT_CONTROLLED_BY_POLICY) { return null; } EnforcedAdmin admin = RestrictedLockUtils.getProfileOrDeviceOwner( context, UserHandle.of(UserHandle.USER_SYSTEM)); if (admin != null) { return admin; } int profileId = getManagedProfileId(context, UserHandle.USER_SYSTEM); return RestrictedLockUtils.getProfileOrDeviceOwner(context, UserHandle.of(profileId)); } /** * Show restricted setting dialog. */ Loading services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java +11 −0 Original line number Diff line number Diff line Loading @@ -163,6 +163,7 @@ class ActiveAdmin { "preferential_network_service_config"; private static final String TAG_PROTECTED_PACKAGES = "protected_packages"; private static final String TAG_SUSPENDED_PACKAGES = "suspended-packages"; private static final String TAG_MTE_POLICY = "mte-policy"; private static final String ATTR_VALUE = "value"; private static final String ATTR_LAST_NETWORK_LOGGING_NOTIFICATION = "last-notification"; private static final String ATTR_NUM_NETWORK_LOGGING_NOTIFICATIONS = "num-notifications"; Loading Loading @@ -222,6 +223,8 @@ class ActiveAdmin { int numNetworkLoggingNotifications = 0; long lastNetworkLoggingNotificationTimeMs = 0; // Time in milliseconds since epoch @DevicePolicyManager.MtePolicy int mtePolicy = DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; ActiveAdmin parentAdmin; final boolean isParent; Loading Loading @@ -620,6 +623,9 @@ class ActiveAdmin { } out.endTag(null, TAG_PREFERENTIAL_NETWORK_SERVICE_CONFIGS); } if (mtePolicy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) { writeAttributeValueToXml(out, TAG_MTE_POLICY, mtePolicy); } } private List<String> ssidsToStrings(Set<WifiSsid> ssids) { Loading Loading @@ -906,6 +912,8 @@ class ActiveAdmin { if (!configs.isEmpty()) { mPreferentialNetworkServiceConfigs = configs; } } else if (TAG_MTE_POLICY.equals(tag)) { mtePolicy = parser.getAttributeInt(null, ATTR_VALUE); } else { Slogf.w(LOG_TAG, "Unknown admin tag: %s", tag); XmlUtils.skipCurrentTag(parser); Loading Loading @@ -1338,5 +1346,8 @@ class ActiveAdmin { } pw.decreaseIndent(); } pw.print("mtePolicy="); pw.println(mtePolicy); } } services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +53 −1 Original line number Diff line number Diff line Loading @@ -5387,7 +5387,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } if (!mInjector.storageManagerIsFileBasedEncryptionEnabled()) { throw new UnsupportedOperationException( "FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY only applies to FBE devices"); "FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY only applies to FBE" + " devices"); } mUserManager.evictCredentialEncryptionKey(callingUserId); } Loading Loading @@ -19240,4 +19241,55 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { KEEP_PROFILES_RUNNING_FLAG, DEFAULT_KEEP_PROFILES_RUNNING_FLAG); } @Override public void setMtePolicy(int flags) { final Set<Integer> allowedModes = Set.of( DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY, DevicePolicyManager.MTE_DISABLED, DevicePolicyManager.MTE_ENABLED); Preconditions.checkArgument( allowedModes.contains(flags), "Provided mode is not one of the allowed values."); final CallerIdentity caller = getCallerIdentity(); if (flags == DevicePolicyManager.MTE_DISABLED) { Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)); } else { Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)); } synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); if (admin != null) { final String memtagProperty = "arm64.memtag.bootctl"; if (flags == DevicePolicyManager.MTE_ENABLED) { mInjector.systemPropertiesSet(memtagProperty, "memtag"); } else if (flags == DevicePolicyManager.MTE_DISABLED) { mInjector.systemPropertiesSet(memtagProperty, "memtag-off"); } admin.mtePolicy = flags; saveSettingsLocked(caller.getUserId()); } } } @Override public int getMtePolicy() { final CallerIdentity caller = getCallerIdentity(); Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller) || isSystemUid(caller)); synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); return admin != null ? admin.mtePolicy : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; } } } Loading
core/java/android/app/admin/DevicePolicyManager.java +30 −18 Original line number Diff line number Diff line Loading @@ -3918,34 +3918,46 @@ public class DevicePolicyManager { public static @interface MtePolicy {} /** * Set MTE policy for device. MTE_ENABLED does not necessarily enable MTE if set on a device * that does not support MTE. * * The default policy is MTE_NOT_CONTROLLED_BY_POLICY. * * Memory Tagging Extension (MTE) is a CPU extension that allows to protect against certain * Called by a device owner or profile owner of an organization-owned device to set the Memory * Tagging Extension (MTE) policy. MTE is a CPU extension that allows to protect against certain * classes of security problems at a small runtime performance cost overhead. * * @param policy the policy to be set * <p>The MTE policy can only be set to {@link #MTE_DISABLED} if called by a device owner. * Otherwise a {@link SecurityException} will be thrown. * * @throws SecurityException if caller is not device owner or profile owner of org-owned device * or if called on a parent instance * @param policy the MTE policy to be set */ public void setMtePolicy(@MtePolicy int policy) { // TODO(b/244290023): implement // This is SecurityException to temporarily make ParentProfileTest happy. // This is not used. throw new SecurityException("not implemented"); throwIfParentInstance("setMtePolicy"); if (mService != null) { try { mService.setMtePolicy(policy); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } } /** * Get currently set MTE policy. This is not necessarily the same as the state of MTE on the * device, as the device might not support MTE. * Called by a device owner, a profile owner of an organization-owned device or the system to * get the Memory Tagging Extension (MTE) policy * * @return the currently set policy * @throws SecurityException if caller is not device owner or profile owner of org-owned device * or system uid, or if called on a parent instance * @return the currently set MTE policy */ public @MtePolicy int getMtePolicy() { // TODO(b/244290023): implement // This is SecurityException to temporarily make ParentProfileTest happy. // This is not used. throw new SecurityException("not implemented"); throwIfParentInstance("setMtePolicy"); if (mService != null) { try { return mService.getMtePolicy(); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } return MTE_NOT_CONTROLLED_BY_POLICY; } // TODO: Expose this as SystemAPI once we add the query API Loading
core/java/android/app/admin/IDevicePolicyManager.aidl +3 −0 Original line number Diff line number Diff line Loading @@ -571,4 +571,7 @@ interface IDevicePolicyManager { void setApplicationExemptions(String packageName, in int[]exemptions); int[] getApplicationExemptions(String packageName); void setMtePolicy(int flag); int getMtePolicy(); }
packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java +21 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package com.android.settingslib; import static android.app.admin.DevicePolicyManager.KEYGUARD_DISABLE_FEATURES_NONE; import static android.app.admin.DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; import static android.app.admin.DevicePolicyManager.PROFILE_KEYGUARD_FEATURES_AFFECT_OWNER; import android.annotation.NonNull; Loading Loading @@ -732,6 +733,26 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils { textView.setText(sb); } /** * Checks whether MTE (Advanced memory protection) controls are disabled by the enterprise * policy. */ @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE) public static EnforcedAdmin checkIfMteIsDisabled(Context context) { final DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class); if (dpm.getMtePolicy() == MTE_NOT_CONTROLLED_BY_POLICY) { return null; } EnforcedAdmin admin = RestrictedLockUtils.getProfileOrDeviceOwner( context, UserHandle.of(UserHandle.USER_SYSTEM)); if (admin != null) { return admin; } int profileId = getManagedProfileId(context, UserHandle.USER_SYSTEM); return RestrictedLockUtils.getProfileOrDeviceOwner(context, UserHandle.of(profileId)); } /** * Show restricted setting dialog. */ Loading
services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java +11 −0 Original line number Diff line number Diff line Loading @@ -163,6 +163,7 @@ class ActiveAdmin { "preferential_network_service_config"; private static final String TAG_PROTECTED_PACKAGES = "protected_packages"; private static final String TAG_SUSPENDED_PACKAGES = "suspended-packages"; private static final String TAG_MTE_POLICY = "mte-policy"; private static final String ATTR_VALUE = "value"; private static final String ATTR_LAST_NETWORK_LOGGING_NOTIFICATION = "last-notification"; private static final String ATTR_NUM_NETWORK_LOGGING_NOTIFICATIONS = "num-notifications"; Loading Loading @@ -222,6 +223,8 @@ class ActiveAdmin { int numNetworkLoggingNotifications = 0; long lastNetworkLoggingNotificationTimeMs = 0; // Time in milliseconds since epoch @DevicePolicyManager.MtePolicy int mtePolicy = DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; ActiveAdmin parentAdmin; final boolean isParent; Loading Loading @@ -620,6 +623,9 @@ class ActiveAdmin { } out.endTag(null, TAG_PREFERENTIAL_NETWORK_SERVICE_CONFIGS); } if (mtePolicy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) { writeAttributeValueToXml(out, TAG_MTE_POLICY, mtePolicy); } } private List<String> ssidsToStrings(Set<WifiSsid> ssids) { Loading Loading @@ -906,6 +912,8 @@ class ActiveAdmin { if (!configs.isEmpty()) { mPreferentialNetworkServiceConfigs = configs; } } else if (TAG_MTE_POLICY.equals(tag)) { mtePolicy = parser.getAttributeInt(null, ATTR_VALUE); } else { Slogf.w(LOG_TAG, "Unknown admin tag: %s", tag); XmlUtils.skipCurrentTag(parser); Loading Loading @@ -1338,5 +1346,8 @@ class ActiveAdmin { } pw.decreaseIndent(); } pw.print("mtePolicy="); pw.println(mtePolicy); } }
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +53 −1 Original line number Diff line number Diff line Loading @@ -5387,7 +5387,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } if (!mInjector.storageManagerIsFileBasedEncryptionEnabled()) { throw new UnsupportedOperationException( "FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY only applies to FBE devices"); "FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY only applies to FBE" + " devices"); } mUserManager.evictCredentialEncryptionKey(callingUserId); } Loading Loading @@ -19240,4 +19241,55 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { KEEP_PROFILES_RUNNING_FLAG, DEFAULT_KEEP_PROFILES_RUNNING_FLAG); } @Override public void setMtePolicy(int flags) { final Set<Integer> allowedModes = Set.of( DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY, DevicePolicyManager.MTE_DISABLED, DevicePolicyManager.MTE_ENABLED); Preconditions.checkArgument( allowedModes.contains(flags), "Provided mode is not one of the allowed values."); final CallerIdentity caller = getCallerIdentity(); if (flags == DevicePolicyManager.MTE_DISABLED) { Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller)); } else { Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller)); } synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); if (admin != null) { final String memtagProperty = "arm64.memtag.bootctl"; if (flags == DevicePolicyManager.MTE_ENABLED) { mInjector.systemPropertiesSet(memtagProperty, "memtag"); } else if (flags == DevicePolicyManager.MTE_DISABLED) { mInjector.systemPropertiesSet(memtagProperty, "memtag-off"); } admin.mtePolicy = flags; saveSettingsLocked(caller.getUserId()); } } } @Override public int getMtePolicy() { final CallerIdentity caller = getCallerIdentity(); Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller) || isSystemUid(caller)); synchronized (getLockObject()) { ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); return admin != null ? admin.mtePolicy : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY; } } }
