Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +91 −67 Original line number Original line Diff line number Diff line Loading @@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; Loading Loading @@ -533,7 +534,6 @@ import java.util.Map; import java.util.Objects; import java.util.Objects; import java.util.Set; import java.util.Set; import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutionException; import java.util.concurrent.Executor; import java.util.concurrent.Executor; import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit; Loading Loading 
@@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // Resume logging if all remaining users are affiliated. // Resume logging if all remaining users are affiliated. maybeResumeDeviceWideLoggingLocked(); maybeResumeDeviceWideLoggingLocked(); } } } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.handleUserRemoved(userHandle); mDevicePolicyEngine.handleUserRemoved(userHandle); } } } } else if (Intent.ACTION_USER_STARTED.equals(action)) { } else if (Intent.ACTION_USER_STARTED.equals(action)) { sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); synchronized (getLockObject()) { synchronized (getLockObject()) { Loading Loading @@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); enforceUserUnlocked(userHandle); enforceUserUnlocked(userHandle); ActiveAdmin admin; synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); if (admin == null) { if (admin == null) { return; return; } } Loading 
@@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + adminReceiver); + adminReceiver); return; return; } } mInjector.binderWithCleanCallingIdentity(() -> mInjector.binderWithCleanCallingIdentity(() -> removeActiveAdminLocked(adminReceiver, userHandle)); removeActiveAdminLocked(adminReceiver, userHandle)); } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.removePoliciesForAdmin( mDevicePolicyEngine.removePoliciesForAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( adminReceiver, userHandle, admin)); adminReceiver, userHandle, admin)); } } } } } private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { return !mInjector.isChangeEnabled( return !mInjector.isChangeEnabled( Loading Loading @@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } } } EnforcingAdmin enforcingAdmin; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( admin, admin, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, callerPackage, callerPackage, Loading 
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); // TODO: update javadoc to reflect that callback no longer return success/failure callback.sendResult(Bundle.EMPTY); } else { } else { Preconditions.checkCallAuthorization((caller.hasAdminComponent() Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) Loading 
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } } catch (SecurityException e) { Slogf.e(LOG_TAG, "Could not set permission grant state", e); callback.sendResult(null); } finally { mInjector.binderRestoreCallingIdentity(ident); } } } // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main // thread if (false) { // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. if (grantState == PERMISSION_GRANT_STATE_DEFAULT) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, caller.getUserId()); } else { mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); } int newState = mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); if (newState == grantState) { callback.sendResult(Bundle.EMPTY); } else { callback.sendResult(null); } } else { synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try { boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId()) >= android.os.Build.VERSION_CODES.Q; if (grantState == PERMISSION_GRANT_STATE_GRANTED if (grantState == PERMISSION_GRANT_STATE_GRANTED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { || grantState == 
DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { Loading @@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } DevicePolicyEventLogger .createEvent(DevicePolicyEnums .SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean( /* isDelegate */ isCallerDelegate(caller)) .write(); callback.sendResult(Bundle.EMPTY); callback.sendResult(Bundle.EMPTY); }); }); } } Loading @@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } } } } } DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean(/* isDelegate */ isCallerDelegate(caller)) .write(); } } private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); Loading Loading @@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isFinancedDeviceOwner(caller)) { if (isFinancedDeviceOwner(caller)) { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } return mInjector.binderWithCleanCallingIdentity(() -> { return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( return getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); packageName, permission, caller, caller.getUserId()); }); } } } } services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java +1 −0 Original line number Original line Diff line number Diff line Loading 
@@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks { ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT : grantState; : grantState; // TODO(b/278710449): stop blocking in the main thread BlockingCallback callback = new BlockingCallback(); BlockingCallback callback = new BlockingCallback(); // TODO: remove canAdminGrantSensorPermissions once we expose a new method in // TODO: remove canAdminGrantSensorPermissions once we expose a new method in // permissionController that doesn't need it. // permissionController that doesn't need it. Loading Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +91 −67 Original line number Original line Diff line number Diff line Loading @@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY; Loading Loading @@ -533,7 +534,6 @@ import java.util.Map; import java.util.Objects; import java.util.Objects; import java.util.Set; import java.util.Set; import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutionException; import java.util.concurrent.ExecutionException; import java.util.concurrent.Executor; import java.util.concurrent.Executor; import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit; Loading Loading 
@@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // Resume logging if all remaining users are affiliated. // Resume logging if all remaining users are affiliated. maybeResumeDeviceWideLoggingLocked(); maybeResumeDeviceWideLoggingLocked(); } } } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.handleUserRemoved(userHandle); mDevicePolicyEngine.handleUserRemoved(userHandle); } } } } else if (Intent.ACTION_USER_STARTED.equals(action)) { } else if (Intent.ACTION_USER_STARTED.equals(action)) { sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle); synchronized (getLockObject()) { synchronized (getLockObject()) { Loading Loading @@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN); enforceUserUnlocked(userHandle); enforceUserUnlocked(userHandle); ActiveAdmin admin; synchronized (getLockObject()) { synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle); if (admin == null) { if (admin == null) { return; return; } } Loading 
@@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { + adminReceiver); + adminReceiver); return; return; } } mInjector.binderWithCleanCallingIdentity(() -> mInjector.binderWithCleanCallingIdentity(() -> removeActiveAdminLocked(adminReceiver, userHandle)); removeActiveAdminLocked(adminReceiver, userHandle)); } if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) { mDevicePolicyEngine.removePoliciesForAdmin( mDevicePolicyEngine.removePoliciesForAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( EnforcingAdmin.createEnterpriseEnforcingAdmin( adminReceiver, userHandle, admin)); adminReceiver, userHandle, admin)); } } } } } private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) { return !mInjector.isChangeEnabled( return !mInjector.isChangeEnabled( Loading Loading @@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } } } EnforcingAdmin enforcingAdmin; if (isPermissionCheckFlagEnabled()) { if (isPermissionCheckFlagEnabled()) { EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( enforcingAdmin = enforcePermissionAndGetEnforcingAdmin( admin, admin, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, callerPackage, callerPackage, Loading 
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); // TODO: update javadoc to reflect that callback no longer return success/failure callback.sendResult(Bundle.EMPTY); } else { } else { Preconditions.checkCallAuthorization((caller.hasAdminComponent() Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) && (isProfileOwner(caller) || isDefaultDeviceOwner(caller) Loading 
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } } catch (SecurityException e) { Slogf.e(LOG_TAG, "Could not set permission grant state", e); callback.sendResult(null); } finally { mInjector.binderRestoreCallingIdentity(ident); } } } // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main // thread if (false) { // TODO(b/266924257): decide how to handle the internal state if the package doesn't // exist, or the permission isn't requested by the app, because we could end up with // inconsistent state between the policy engine and package manager. Also a package // might get removed or has it's permission updated after we've set the policy. if (grantState == PERMISSION_GRANT_STATE_DEFAULT) { mDevicePolicyEngine.removeLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, caller.getUserId()); } else { mDevicePolicyEngine.setLocalPolicy( PolicyDefinition.PERMISSION_GRANT(packageName, permission), enforcingAdmin, new IntegerPolicyValue(grantState), caller.getUserId()); } int newState = mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); if (newState == grantState) { callback.sendResult(Bundle.EMPTY); } else { callback.sendResult(null); } } else { synchronized (getLockObject()) { long ident = mInjector.binderClearCallingIdentity(); try { boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId()) >= android.os.Build.VERSION_CODES.Q; if (grantState == PERMISSION_GRANT_STATE_GRANTED if (grantState == PERMISSION_GRANT_STATE_GRANTED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { || grantState == 
DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) { Loading @@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { callback.sendResult(null); callback.sendResult(null); return; return; } } DevicePolicyEventLogger .createEvent(DevicePolicyEnums .SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean( /* isDelegate */ isCallerDelegate(caller)) .write(); callback.sendResult(Bundle.EMPTY); callback.sendResult(Bundle.EMPTY); }); }); } } Loading @@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { } } } } } } DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE) .setAdmin(caller.getPackageName()) .setStrings(permission) .setInt(grantState) .setBoolean(/* isDelegate */ isCallerDelegate(caller)) .write(); } } private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>(); Loading Loading @@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { if (isFinancedDeviceOwner(caller)) { if (isFinancedDeviceOwner(caller)) { enforcePermissionGrantStateOnFinancedDevice(packageName, permission); enforcePermissionGrantStateOnFinancedDevice(packageName, permission); } } return mInjector.binderWithCleanCallingIdentity(() -> { return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser( return getPermissionGrantStateForUser( packageName, permission, caller, caller.getUserId())); packageName, permission, caller, caller.getUserId()); }); } } } }
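Review bot: The `DevicePolicyEventLogger` `SET_PERMISSION_GRANT_STATE` event now sits after the closing braces at the end of the method, so it appears to be written even when the result lambda reports failure with `callback.sendResult(null)` or the `SecurityException` handler runs; before this change it was emitted only in the success branch next to `callback.sendResult(Bundle.EMPTY);`. Admin-attributed telemetry that records grant-state changes which never took effect makes a later audit of permission grants unreliable. Either keep the `.write()` in the success paths (the lambda's success branch, and the `newState == grantState` branch once the `if (false)` block is enabled), or, if requests rather than applied changes are meant to be counted, state that with a comment such as `// Logged per request, not per successful change`. Separately, `enforcingAdmin` is assigned only in the `isPermissionCheckFlagEnabled()` branch but read inside `if (false)`, so replacing the constant with a real flag check will require it to be definitely assigned on every path. The method body starts and ends outside the visible hunks.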
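--- a/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/PolicyEnforcerCallbacks.java
@@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks {
 ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT
 : grantState;
+// TODO(b/278710449): stop blocking in the main thread
 BlockingCallback callback = new BlockingCallback();
 // TODO: remove canAdminGrantSensorPermissions once we expose a new method in
 // permissionController that doesn't need it.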