Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +91 −67 Original line number Diff line number Diff line Loading @@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; Loading Loading @@ -533,7 +534,6 @@ import java.util.Map; import java.util.Objects; import java.util.Set; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutionException; import java.util.concurrent.Executor; import java.util.concurrent.TimeUnit; Loading Loading @@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // Resume logging if all remaining users are affiliated. maybeResumeDeviceWideLoggingLocked(); } } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.handleUserRemoved(userHandle); } } } else if (Intent.ACTION_USER_STARTED.equals(action)) { sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); synchronized (getLockObject()) { Loading Loading 
@@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); enforceUserUnlocked(userHandle); ActiveAdmin admin; synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); if (admin == null) { return; } Loading @@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + adminReceiver); return; } mInjector.binderWithCleanCallingIdentity(() -> removeActiveAdminLocked(adminReceiver, userHandle)); } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.removePoliciesForAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( adminReceiver, userHandle, admin)); } } } private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { return !mInjector.isChangeEnabled( Loading Loading @@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } EnforcingAdmin enforcingAdmin; if (isPermissionCheckFlagEnabled()) { EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( admin, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, callerPackage, Loading 
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); // TODO: update javadoc to reflect that callback no longer return success/failure callback.sendResult(Bundle.EMPTY); } else { Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) Loading 
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } } catch (SecurityException e) { Slogf.e(LOG_TAG, "Could not set permission grant state", e); callback.sendResult(null); } finally { mInjector.binderRestoreCallingIdentity(ident); } } } // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main // thread if (false) { // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. if (grantState == PERMISSION_GRANT_STATE_DEFAULT) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, caller.getUserId()); } else { mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); } int newState = mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); if (newState == grantState) { callback.sendResult(Bundle.EMPTY); } else { callback.sendResult(null); } } else { synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try { boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId()) >= android.os.Build.VERSION_CODES.Q; if (grantState == PERMISSION_GRANT_STATE_GRANTED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { Loading 
@@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } DevicePolicyEventLogger .createEvent(DevicePolicyEnums .SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean( /* isDelegate */ isCallerDelegate(caller)) .write(); callback.sendResult(Bundle.EMPTY); }); } Loading @@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } } DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean(/* isDelegate */ isCallerDelegate(caller)) .write(); } private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); Loading Loading @@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isFinancedDeviceOwner(caller)) { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } return mInjector.binderWithCleanCallingIdentity(() -> { return getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId()); }); return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); } } services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java +1 −0 Original line number Diff line number Diff line Loading @@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks { ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT : grantState; // TODO(b/278710449): stop blocking in the main thread BlockingCallback callback = new BlockingCallback(); // TODO: remove canAdminGrantSensorPermissions once we expose a new method in // permissionController that doesn't need it. Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +91 −67 Original line number Diff line number Diff line Loading @@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; Loading Loading @@ -533,7 +534,6 @@ import java.util.Map; import java.util.Objects; import java.util.Set; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutionException; import java.util.concurrent.Executor; import java.util.concurrent.TimeUnit; Loading Loading @@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // Resume logging if all remaining users are affiliated. maybeResumeDeviceWideLoggingLocked(); } } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.handleUserRemoved(userHandle); } } } else if (Intent.ACTION_USER_STARTED.equals(action)) { sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); synchronized (getLockObject()) { Loading Loading 
@@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); enforceUserUnlocked(userHandle); ActiveAdmin admin; synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); if (admin == null) { return; } Loading @@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + adminReceiver); return; } mInjector.binderWithCleanCallingIdentity(() -> removeActiveAdminLocked(adminReceiver, userHandle)); } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.removePoliciesForAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( adminReceiver, userHandle, admin)); } } } private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { return !mInjector.isChangeEnabled( Loading Loading @@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } EnforcingAdmin enforcingAdmin; if (isPermissionCheckFlagEnabled()) { EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( admin, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, callerPackage, Loading 
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); // TODO: update javadoc to reflect that callback no longer return success/failure callback.sendResult(Bundle.EMPTY); } else { Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) Loading 
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } } catch (SecurityException e) { Slogf.e(LOG_TAG, "Could not set permission grant state", e); callback.sendResult(null); } finally { mInjector.binderRestoreCallingIdentity(ident); } } } // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main // thread if (false) { // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. if (grantState == PERMISSION_GRANT_STATE_DEFAULT) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, caller.getUserId()); } else { mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); } int newState = mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); if (newState == grantState) { callback.sendResult(Bundle.EMPTY); } else { callback.sendResult(null); } } else { synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try { boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId()) >= android.os.Build.VERSION_CODES.Q; if (grantState == PERMISSION_GRANT_STATE_GRANTED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { Loading 
@@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); return; } DevicePolicyEventLogger .createEvent(DevicePolicyEnums .SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean( /* isDelegate */ isCallerDelegate(caller)) .write(); callback.sendResult(Bundle.EMPTY); }); } Loading @@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } } DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean(/* isDelegate */ isCallerDelegate(caller)) .write(); } private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); Loading Loading @@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isFinancedDeviceOwner(caller)) { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } return mInjector.binderWithCleanCallingIdentity(() -> { return getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId()); }); return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); } }
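Review bot: In DevicePolicyManagerService.java, the hunks at -16736 and -16759 move the `SET_PERMISSION_GRANT_STATE` event out of the callback's success branch to the end of the method, so it now appears to be written for every call that gets past the early `return`s, including calls where the `catch (SecurityException e)` block or the permission-controller callback has already sent `callback.sendResult(null)`. Anyone who reads these events as a record of which admin changed which runtime permission would then count failed attempts as changes. Either keep the `.write()` next to `callback.sendResult(Bundle.EMPTY)`, or state the new meaning at the call site, e.g. `// Logged once per authorized request, whether or not the grant state actually changed.` Separately, `if (false)` is a compile-time constant, so the compiler will not complain if `enforcingAdmin` is left unassigned on the non-flag branch; check that before the TODO(b/278710449) guard is replaced by a real condition. The page shows these hunks without +/- markers and the method body extends beyond them, so this reading is inferred from the hunk headers and line counts.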
services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java +1 −0 Original line number Diff line number Diff line Loading @@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks { ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT : grantState; // TODO(b/278710449): stop blocking in the main thread BlockingCallback callback = new BlockingCallback(); // TODO: remove canAdminGrantSensorPermissions once we expose a new method in // permissionController that doesn't need it. Loading