Implement Device Admin API for MMAC (2a091b42) · Commits · e / os / android_frameworks_base

core/java/android/app/admin/DeviceAdminInfo.java

+15 −1

Original line number	Diff line number	Diff line
		@@ -155,6 +155,16 @@ public final class DeviceAdminInfo implements Parcelable {
		*/
		public static final int USES_POLICY_ENFORCE_SELINUX = 10;

		/**
		* @hide
		* A type of policy that this device admin can use: enforce SE Android MMAC policy.
		*
		* <p>To control this policy, the device admin must have a "enforce-mmac" tag in the
		* "uses-policies" section of its meta-data.
		*/
		public static final int USES_POLICY_ENFORCE_MMAC = 11;


		/** @hide */
		public static class PolicyInfo {
		public final int ident;
		@@ -209,6 +219,9 @@ public final class DeviceAdminInfo implements Parcelable {
		sPoliciesDisplayOrder.add(new PolicyInfo(USES_POLICY_ENFORCE_SELINUX, "enforce-selinux",
		com.android.internal.R.string.policylab_enforceSelinux,
		com.android.internal.R.string.policydesc_enforceSelinux));
		sPoliciesDisplayOrder.add(new PolicyInfo(USES_POLICY_ENFORCE_MMAC, "enforce-mmac",
		com.android.internal.R.string.policylab_enforceMmac,
		com.android.internal.R.string.policydesc_enforceMmac));

		for (int i=0; i<sPoliciesDisplayOrder.size(); i++) {
		PolicyInfo pi = sPoliciesDisplayOrder.get(i);
		@@ -401,7 +414,8 @@ public final class DeviceAdminInfo implements Parcelable {
		* {@link #USES_POLICY_RESET_PASSWORD}, {@link #USES_POLICY_FORCE_LOCK},
		* {@link #USES_POLICY_WIPE_DATA},
		* {@link #USES_POLICY_EXPIRE_PASSWORD}, {@link #USES_ENCRYPTED_STORAGE},
		* {@link #USES_POLICY_DISABLE_CAMERA}, {@link #USES_POLICY_ENFORCE_SELINUX}.
		* {@link #USES_POLICY_DISABLE_CAMERA}, {@link #USES_POLICY_ENFORCE_SELINUX},
		* {@link #USES_POLICY_ENFORCE_MMAC}.
		*/
		public boolean usesPolicy(int policyIdent) {
		return (mUsesPolicies & (1<<policyIdent)) != 0;

core/java/android/app/admin/DevicePolicyManager.java

+152 −3

Original line number	Diff line number	Diff line
		@@ -1640,6 +1640,134 @@ public class DevicePolicyManager {
		return false;
		}

		/**
		* Checks whether an admin app has control over SE Android MMAC policy.
		*
		* <p>The calling device admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} to be able to call
		* this method; if it has not, a security exception will be thrown.
		*
		* @param admin Which {@link DeviceAdminReceiver} this request is associated,
		* must be self
		* @return true if admin app can control MMAC policy, false otherwise
		* @hide
		*/
		public boolean isMMACadmin(ComponentName admin) {
		return isMMACadmin(admin, UserHandle.myUserId());
		}

		/** @hide per-user version */
		public boolean isMMACadmin(ComponentName admin, int userHandle) {
		if (mService != null) {
		try {
		return mService.isMMACadmin(admin, userHandle);
		} catch (RemoteException e) {
		Log.w(TAG, "Failed talking with device policy server", e);
		}
		}
		return false;
		}

		/**
		* Called by an application that is administering the device to start or stop
		* controlling SE Android MMAC policies, enforcement, etc. When an admin
		* app gives up control of MMAC policies, the policy in place prior to the app
		* taking control will be applied.
		*
		* <p>The calling device admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} to be able to call
		* this method; if it has not, a security exception will be thrown.
		*
		* <p>When an application gains control of MMAC settings, it is called an
		* MMAC administrator. Admistration applications will call this with true and
		* ensure this method returned true before attempting to toggle MMAC settings.
		* When apps intend to stop controlling MMAC settings, apps should call this
		* with false.
		*
		* @param admin Which {@link DeviceAdminReceiver} this request is associated,
		* must be self
		* @param control true if the admin wishes to control MMAC, false if the admin
		* wishes to give back control of MMAC
		* @return true if the operation succeeded, false if the operation failed or
		* MMAC was not enabled on the device.
		* @hide
		*/
		public boolean setMMACadmin(ComponentName admin, boolean control) {
		return setMMACadmin(admin, control, UserHandle.myUserId());
		}

		/** @hide per-user version */
		public boolean setMMACadmin(ComponentName admin, boolean control, int userHandle) {
		if (mService != null) {
		try {
		return mService.setMMACadmin(admin, control, userHandle);
		} catch (RemoteException e) {
		Log.w(TAG, "Failed talking with device policy server", e);
		}
		}
		return false;
		}

		/**
		* Called by an application that is a SEAndroid MMAC admin to set MMAC
		* protections into enforcing or permissive mode. The system requires a
		* reboot for the protections to take effect.
		*
		* <p>The calling device admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} to be able to call
		* this method; if it has not, a security exception will be thrown.
		*
		* @param admin Which {@link DeviceAdminReceiver} this request is associated with.
		* @param enforcing true for enforcing mode, false for permissive mode.
		* @return false if Android was unable to set the desired mode
		* @hide
		*/
		public boolean setMMACenforcing(ComponentName admin, boolean enforcing) {
		return setMMACenforcing(admin, enforcing, UserHandle.myUserId());
		}

		/** @hide per-user version */
		public boolean setMMACenforcing(ComponentName admin, boolean enforcing, int userHandle) {
		if (mService != null) {
		try {
		return mService.setMMACenforcing(admin, enforcing, userHandle);
		} catch (RemoteException e) {
		Log.w(TAG, "Failed talking with device policy server", e);
		}
		}
		return false;
		}

		/**
		* Determine whether SE Android MMAC policies are being enforced by the
		* current admin.
		*
		* <p>The calling device admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} to be able to call
		* this method; if it has not, a security exception will be thrown.
		*
		* <p>The returned value is only meaningful if the current admin is a
		* MMAC admin.
		*
		* @param admin Which {@link DeviceAdminReceiver} this request is associated with.
		* @hide
		*/
		public boolean getMMACenforcing(ComponentName admin) {
		return getMMACenforcing(admin, UserHandle.myUserId());
		}

		/** @hide per-user version */
		public boolean getMMACenforcing(ComponentName admin, int userHandle) {
		if (mService != null) {
		try {
		return mService.getMMACenforcing(admin, userHandle);
		} catch (RemoteException e) {
		Log.w(TAG, "Failed talking with device policy server", e);
		}
		}
		return false;
		}

		// Before changing these values, be sure to update
		// DevicePolicyManagerService.java's POLICY_DESCRIPTIONS array.
		/** @hide */
		@@ -1651,7 +1779,9 @@ public class DevicePolicyManager {
		/** @hide */
		public static final int SEPOLICY_FILE_SEAPPCTXS = 3;
		/** @hide */
		public static final int SEPOLICY_FILE_COUNT = SEPOLICY_FILE_SEAPPCTXS+1;
		public static final int MMAC_POLICY_FILE = 4;
		/** @hide */
		public static final int SEPOLICY_FILE_COUNT = MMAC_POLICY_FILE+1;

		/**
		* Sets a new policy file and reloads it at the proper time.
		@@ -1671,9 +1801,20 @@ public class DevicePolicyManager {
		* returned value is only meaingful if the current admin is a SELinux
		* admin.
		*
		* <p>For {@link #MMAC_POLICY_FILE}, the admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} before calling this
		* method. If it has not, a security exception will be thrown.
		*
		* <p>For {@link #MMAC_POLICY_FILE}, the MMAC policy file is reloaded on
		* reboot.
		*
		* <p>For {@link #MMAC_POLICY_FILE}, the returned value is only meaingful
		* if the current admin is a MMAC admin.
		*
		* @param admin which {@link DeviceAdminReceiver} this request is associated with
		* @param policyType one of {@link #SEPOLICY_FILE_SEPOLICY}, {@link #SEPOLICY_FILE_PROPCTXS},
		* {@link #SEPOLICY_FILE_FILECTXS}, or {@link #SEPOLICY_FILE_SEAPPCTXS}
		* {@link #SEPOLICY_FILE_FILECTXS}, {@link #SEPOLICY_FILE_SEAPPCTXS},
		* or {@link #MMAC_POLICY_FILE}.
		* @param policy the new policy file in bytes, or null if you wish to revert to
		* the default policy
		* @return false if Android was unable to set the new policy
		@@ -1709,9 +1850,17 @@ public class DevicePolicyManager {
		* returned value is only meaingful if the current admin is a SELinux
		* admin.
		*
		* <p>For {@link #MMAC_POLICY_FILE}, the admin must have requested
		* {@link DeviceAdminInfo#USES_POLICY_ENFORCE_MMAC} before calling this
		* method. If it has not, a security exception will be thrown.
		*
		* <p>For {@link #MMAC_POLICY_FILE}, the returned value is only meaingful
		* if the current admin is a MMAC admin.
		*
		* @param admin which {@link DeviceAdminReceiver} this request is associated with
		* @param policyType one of {@link #SEPOLICY_FILE_SEPOLICY}, {@link #SEPOLICY_FILE_PROPCTXS},
		* {@link #SEPOLICY_FILE_FILECTXS}, or {@link #SEPOLICY_FILE_SEAPPCTXS}
		* {@link #SEPOLICY_FILE_FILECTXS}, {@link #SEPOLICY_FILE_SEAPPCTXS}, or
		* {@link #MMAC_POLICY_FILE}
		* @return true if the admin set a custom policy file
		* @hide
		*/

core/java/android/app/admin/IDevicePolicyManager.aidl

+6 −0

Original line number	Diff line number	Diff line
		@@ -103,6 +103,12 @@ interface IDevicePolicyManager {
		boolean getSELinuxBooleanValue(in ComponentName who, String name, int userHandle);
		boolean setSELinuxBooleanValue(in ComponentName who, String name, boolean value, int userHandle);

		boolean isMMACadmin(in ComponentName who, int userHandle);
		boolean setMMACadmin(in ComponentName who, boolean control, int userHandle);

		boolean setMMACenforcing(in ComponentName who, boolean enforcing, int userHandle);
		boolean getMMACenforcing(in ComponentName who, int userHandle);

		boolean setCustomPolicyFile(in ComponentName who, int policyType, in byte[] policy, int userHandle);
		boolean isCustomPolicyFile(in ComponentName who, int policyType, int userHandle);

core/res/res/values/strings.xml

+4 −0

Original line number	Diff line number	Diff line
		@@ -1824,6 +1824,10 @@
		<string name="policylab_enforceSelinux">Enforce SELinux</string>
		<!-- Description of policy access to start enforcing SELinux policy [CHAR LIMIT=110]-->
		<string name="policydesc_enforceSelinux">Toggle SELinux policy enforcing or permissive mode.</string>
		<!-- Title of policy access to start enforcing SE Android MMAC policy [CHAR LIMIT=30]-->
		<string name="policylab_enforceMmac">Enforce SE Android MMAC</string>
		<!-- Description of policy access to start enforcing SE Android MMAC policy [CHAR LIMIT=110]-->
		<string name="policydesc_enforceMmac">Toggle SE Android MMAC policy enforcing or permissive mode.</string>

		<!-- The order of these is important, don't reorder without changing Contacts.java --> <skip />
		<!-- Phone number types from android.provider.Contacts. This could be used when adding a new phone number for a contact, for example. -->

core/res/res/values/symbols.xml

+2 −0

Original line number	Diff line number	Diff line
		@@ -865,6 +865,8 @@
		<java-symbol type="string" name="owner_name" />
		<java-symbol type="string" name="policylab_enforceSelinux" />
		<java-symbol type="string" name="policydesc_enforceSelinux" />
		<java-symbol type="string" name="policylab_enforceMmac" />
		<java-symbol type="string" name="policydesc_enforceMmac" />

		<java-symbol type="plurals" name="abbrev_in_num_days" />
		<java-symbol type="plurals" name="abbrev_in_num_hours" />