Merge changes Ifbaf0f19,Ia7eb2e35,I6e2a7a3f (3250c655) · Commits · e / os / android_frameworks_base

core/java/android/app/admin/DevicePolicyManager.java

+28 −0

Original line number	Diff line number	Diff line
		@@ -3937,6 +3937,34 @@ public class DevicePolicyManager {
		throw new SecurityException("not implemented");
		}

		// TODO: Expose this as SystemAPI once we add the query API
		/**
		* @hide
		*/
		public static final String AUTO_TIMEZONE_POLICY = "autoTimezone";

		/**
		* @hide
		*/
		public static final String PERMISSION_GRANT_POLICY_KEY = "permissionGrant";

		// TODO: Expose this as SystemAPI once we add the query API
		/**
		* @hide
		*/
		public static String PERMISSION_GRANT_POLICY(
		@NonNull String packageName, @NonNull String permission) {
		Objects.requireNonNull(packageName);
		Objects.requireNonNull(permission);
		return PERMISSION_GRANT_POLICY_KEY + "_" + packageName + "_" + permission;
		}

		// TODO: Expose this as SystemAPI once we add the query API
		/**
		* @hide
		*/
		public static final String LOCK_TASK_POLICY = "lockTask";

		/**
		* This object is a single place to tack on invalidation and disable calls. All
		* binder caches in this class derive from this Config, so all can be invalidated or

services/devicepolicy/Android.bp

+1 −0

Original line number	Diff line number	Diff line
		@@ -22,5 +22,6 @@ java_library_static {
		libs: [
		"services.core",
		"app-compat-annotations",
		"service-permission.stubs.system_server",
		],
		}

services/devicepolicy/java/com/android/server/devicepolicy/BooleanPolicySerializer.java

0 → 100644

+39 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2022 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package com.android.server.devicepolicy;

		import com.android.modules.utils.TypedXmlPullParser;
		import com.android.modules.utils.TypedXmlSerializer;

		import org.xmlpull.v1.XmlPullParserException;

		import java.io.IOException;

		final class BooleanPolicySerializer extends PolicySerializer<Boolean> {

		@Override
		void saveToXml(TypedXmlSerializer serializer, String attributeName, Boolean value)
		throws IOException {
		serializer.attributeBoolean(/* namespace= */ null, attributeName, value);
		}

		@Override
		Boolean readFromXml(TypedXmlPullParser parser, String attributeName)
		throws XmlPullParserException {
		return parser.getAttributeBoolean(/* namespace= */ null, attributeName);
		}
		}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyEngine.java

0 → 100644

+461 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright (C) 2022 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		package com.android.server.devicepolicy;

		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.content.Context;
		import android.os.Environment;
		import android.os.UserHandle;
		import android.util.AtomicFile;
		import android.util.Log;
		import android.util.SparseArray;
		import android.util.Xml;

		import com.android.internal.util.XmlUtils;
		import com.android.modules.utils.TypedXmlPullParser;
		import com.android.modules.utils.TypedXmlSerializer;

		import libcore.io.IoUtils;

		import org.xmlpull.v1.XmlPullParserException;

		import java.io.File;
		import java.io.FileOutputStream;
		import java.io.IOException;
		import java.io.InputStream;
		import java.util.HashMap;
		import java.util.Map;
		import java.util.Objects;

		/**
		* Class responsible for setting, resolving, and enforcing policies set by multiple management
		* admins on the device.
		*/
		final class DevicePolicyEngine {
		static final String TAG = "DevicePolicyEngine";

		private final Context mContext;
		// TODO(b/256849338): add more granular locks
		private final Object mLock = new Object();

		/**
		* Map of <userId, Map<policyKey, policyState>>
		*/
		private final SparseArray<Map<String, PolicyState<?>>> mUserPolicies;

		/**
		* Map of <policyKey, policyState>
		*/
		private final Map<String, PolicyState<?>> mGlobalPolicies;

		DevicePolicyEngine(@NonNull Context context) {
		mContext = Objects.requireNonNull(context);
		mUserPolicies = new SparseArray<>();
		mGlobalPolicies = new HashMap<>();
		}

		// TODO: add more documentation on broadcasts/callbacks to use to get current enforced values
		/**
		* Set the policy for the provided {@code policyDefinition}
		* (see {@link PolicyDefinition}) and {@code enforcingAdmin} to the provided {@code value}.
		* Returns {@code true} if the enforced policy has been changed.
		*
		*/
		<V> boolean setLocalPolicy(
		@NonNull PolicyDefinition<V> policyDefinition,
		@NonNull EnforcingAdmin enforcingAdmin,
		@NonNull V value,
		int userId) {

		Objects.requireNonNull(policyDefinition);
		Objects.requireNonNull(enforcingAdmin);
		Objects.requireNonNull(value);

		synchronized (mLock) {
		PolicyState<V> policyState = getLocalPolicyStateLocked(policyDefinition, userId);

		boolean policyChanged = policyState.setPolicy(enforcingAdmin, value);

		if (policyChanged) {
		enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(), userId);
		}
		return policyChanged;
		}
		}

		// TODO: add more documentation on broadcasts/callbacks to use to get current enforced values
		/**
		* Set the policy for the provided {@code policyDefinition}
		* (see {@link PolicyDefinition}) and {@code enforcingAdmin} to the provided {@code value}.
		* Returns {@code true} if the enforced policy has been changed.
		*
		*/
		<V> boolean setGlobalPolicy(
		@NonNull PolicyDefinition<V> policyDefinition,
		@NonNull EnforcingAdmin enforcingAdmin,
		@NonNull V value) {

		Objects.requireNonNull(policyDefinition);
		Objects.requireNonNull(enforcingAdmin);
		Objects.requireNonNull(value);

		synchronized (mLock) {
		PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition);

		boolean policyChanged = policyState.setPolicy(enforcingAdmin, value);

		if (policyChanged) {
		enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(),
		UserHandle.USER_ALL);
		}
		return policyChanged;
		}
		}


		// TODO: add more documentation on broadcasts/callbacks to use to get current enforced values
		/**
		* Removes any previously set policy for the provided {@code policyDefinition}
		* (see {@link PolicyDefinition}) and {@code enforcingAdmin}.
		* Returns {@code true} if the enforced policy has been changed.
		*
		*/
		<V> boolean removeLocalPolicy(
		@NonNull PolicyDefinition<V> policyDefinition,
		@NonNull EnforcingAdmin enforcingAdmin,
		int userId) {

		Objects.requireNonNull(policyDefinition);
		Objects.requireNonNull(enforcingAdmin);

		synchronized (mLock) {
		PolicyState<V> policyState = getLocalPolicyStateLocked(policyDefinition, userId);
		boolean policyChanged = policyState.removePolicy(enforcingAdmin);

		if (policyChanged) {
		enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(), userId);
		}
		write();
		return policyChanged;
		}
		}

		// TODO: add more documentation on broadcasts/callbacks to use to get current enforced values
		/**
		* Removes any previously set policy for the provided {@code policyDefinition}
		* (see {@link PolicyDefinition}) and {@code enforcingAdmin}.
		* Returns {@code true} if the enforced policy has been changed.
		*
		*/
		<V> boolean removeGlobalPolicy(
		@NonNull PolicyDefinition<V> policyDefinition,
		@NonNull EnforcingAdmin enforcingAdmin) {

		Objects.requireNonNull(policyDefinition);
		Objects.requireNonNull(enforcingAdmin);

		synchronized (mLock) {
		PolicyState<V> policyState = getGlobalPolicyStateLocked(policyDefinition);
		boolean policyChanged = policyState.removePolicy(enforcingAdmin);

		if (policyChanged) {
		enforcePolicy(policyDefinition, policyState.getCurrentResolvedPolicy(),
		UserHandle.USER_ALL);
		}
		write();
		return policyChanged;
		}
		}

		/**
		* Retrieves policies set by all admins for the provided {@code policyDefinition}.
		*
		*/
		<V> PolicyState<V> getLocalPolicy(@NonNull PolicyDefinition<V> policyDefinition, int userId) {
		Objects.requireNonNull(policyDefinition);

		synchronized (mLock) {
		return getLocalPolicyStateLocked(policyDefinition, userId);
		}
		}

		/**
		* Retrieves policies set by all admins for the provided {@code policyDefinition}.
		*
		*/
		<V> PolicyState<V> getGlobalPolicy(@NonNull PolicyDefinition<V> policyDefinition) {
		Objects.requireNonNull(policyDefinition);

		synchronized (mLock) {
		return getGlobalPolicyStateLocked(policyDefinition);
		}
		}

		@NonNull
		private <V> PolicyState<V> getLocalPolicyStateLocked(
		PolicyDefinition<V> policyDefinition, int userId) {

		if (policyDefinition.isGlobalOnlyPolicy()) {
		throw new IllegalArgumentException("Can't set global policy "
		+ policyDefinition.getPolicyKey() + " locally.");
		}

		if (!mUserPolicies.contains(userId)) {
		mUserPolicies.put(userId, new HashMap<>());
		}
		if (!mUserPolicies.get(userId).containsKey(policyDefinition.getPolicyKey())) {
		mUserPolicies.get(userId).put(
		policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));
		}
		return getPolicyState(mUserPolicies.get(userId), policyDefinition);
		}

		@NonNull
		private <V> PolicyState<V> getGlobalPolicyStateLocked(PolicyDefinition<V> policyDefinition) {

		if (policyDefinition.isLocalOnlyPolicy()) {
		throw new IllegalArgumentException("Can't set local policy "
		+ policyDefinition.getPolicyKey() + " globally.");
		}

		if (!mGlobalPolicies.containsKey(policyDefinition.getPolicyKey())) {
		mGlobalPolicies.put(
		policyDefinition.getPolicyKey(), new PolicyState<>(policyDefinition));
		}
		return getPolicyState(mGlobalPolicies, policyDefinition);
		}

		private static <V> PolicyState<V> getPolicyState(
		Map<String, PolicyState<?>> policies, PolicyDefinition<V> policyDefinition) {
		try {
		// This will not throw an exception because policyDefinition is of type V, so unless
		// we've created two policies with the same key but different types - we can only have
		// stored a PolicyState of the right type.
		PolicyState<V> policyState = (PolicyState<V>) policies.get(
		policyDefinition.getPolicyKey());
		return policyState;
		} catch (ClassCastException exception) {
		// TODO: handle exception properly
		throw new IllegalArgumentException();
		}
		}

		private <V> void enforcePolicy(
		PolicyDefinition<V> policyDefinition, @Nullable V policyValue, int userId) {
		// TODO: null policyValue means remove any enforced policies, ensure callbacks handle this
		// properly
		policyDefinition.enforcePolicy(policyValue, mContext, userId);
		// TODO: send broadcast or call callback to notify admins of policy change
		// TODO: notify calling admin of result (e.g. success, runtime failure, policy set by
		// a different admin)
		}

		private void write() {
		Log.d(TAG, "Writing device policies to file.");
		new DevicePoliciesReaderWriter().writeToFileLocked();
		}

		// TODO(b/256852787): trigger resolving logic after loading policies as roles are recalculated
		// and could result in a different enforced policy
		void load() {
		Log.d(TAG, "Reading device policies from file.");
		synchronized (mLock) {
		clear();
		new DevicePoliciesReaderWriter().readFromFileLocked();
		}
		}

		private void clear() {
		synchronized (mLock) {
		mGlobalPolicies.clear();
		mUserPolicies.clear();
		}
		}

		private class DevicePoliciesReaderWriter {
		private static final String DEVICE_POLICIES_XML = "device_policies.xml";
		private static final String TAG_USER_POLICY_ENTRY = "user-policy-entry";
		private static final String TAG_DEVICE_POLICY_ENTRY = "device-policy-entry";
		private static final String TAG_ADMINS_POLICY_ENTRY = "admins-policy-entry";
		private static final String ATTR_USER_ID = "user-id";
		private static final String ATTR_POLICY_ID = "policy-id";

		private final File mFile;

		private DevicePoliciesReaderWriter() {
		mFile = new File(Environment.getDataSystemDirectory(), DEVICE_POLICIES_XML);
		}

		void writeToFileLocked() {
		Log.d(TAG, "Writing to " + mFile);

		AtomicFile f = new AtomicFile(mFile);
		FileOutputStream outputStream = null;
		try {
		outputStream = f.startWrite();
		TypedXmlSerializer out = Xml.resolveSerializer(outputStream);

		out.startDocument(null, true);

		// Actual content
		writeInner(out);

		out.endDocument();
		out.flush();

		// Commit the content.
		f.finishWrite(outputStream);
		outputStream = null;

		} catch (IOException e) {
		Log.e(TAG, "Exception when writing", e);
		if (outputStream != null) {
		f.failWrite(outputStream);
		}
		}
		}

		// TODO(b/256846294): Add versioning to read/write
		void writeInner(TypedXmlSerializer serializer) throws IOException {
		writeUserPoliciesInner(serializer);
		writeDevicePoliciesInner(serializer);
		}

		private void writeUserPoliciesInner(TypedXmlSerializer serializer) throws IOException {
		if (mUserPolicies != null) {
		for (int i = 0; i < mUserPolicies.size(); i++) {
		int userId = mUserPolicies.keyAt(i);
		for (Map.Entry<String, PolicyState<?>> policy : mUserPolicies.get(
		userId).entrySet()) {
		serializer.startTag(/* namespace= */ null, TAG_USER_POLICY_ENTRY);

		serializer.attributeInt(/* namespace= */ null, ATTR_USER_ID, userId);
		serializer.attribute(
		/* namespace= */ null, ATTR_POLICY_ID, policy.getKey());

		serializer.startTag(/* namespace= */ null, TAG_ADMINS_POLICY_ENTRY);
		policy.getValue().saveToXml(serializer);
		serializer.endTag(/* namespace= */ null, TAG_ADMINS_POLICY_ENTRY);

		serializer.endTag(/* namespace= */ null, TAG_USER_POLICY_ENTRY);
		}
		}
		}
		}

		private void writeDevicePoliciesInner(TypedXmlSerializer serializer) throws IOException {
		if (mGlobalPolicies != null) {
		for (Map.Entry<String, PolicyState<?>> policy : mGlobalPolicies.entrySet()) {
		serializer.startTag(/* namespace= */ null, TAG_DEVICE_POLICY_ENTRY);

		serializer.attribute(/* namespace= */ null, ATTR_POLICY_ID, policy.getKey());

		serializer.startTag(/* namespace= */ null, TAG_ADMINS_POLICY_ENTRY);
		policy.getValue().saveToXml(serializer);
		serializer.endTag(/* namespace= */ null, TAG_ADMINS_POLICY_ENTRY);

		serializer.endTag(/* namespace= */ null, TAG_DEVICE_POLICY_ENTRY);
		}
		}
		}

		void readFromFileLocked() {
		if (!mFile.exists()) {
		Log.d(TAG, "" + mFile + " doesn't exist");
		return;
		}

		Log.d(TAG, "Reading from " + mFile);
		AtomicFile f = new AtomicFile(mFile);
		InputStream input = null;
		try {
		input = f.openRead();
		TypedXmlPullParser parser = Xml.resolvePullParser(input);

		readInner(parser);

		} catch (XmlPullParserException \| IOException \| ClassNotFoundException e) {
		Log.e(TAG, "Error parsing resources file", e);
		} finally {
		IoUtils.closeQuietly(input);
		}
		}

		private void readInner(TypedXmlPullParser parser)
		throws IOException, XmlPullParserException, ClassNotFoundException {
		int outerDepth = parser.getDepth();
		while (XmlUtils.nextElementWithin(parser, outerDepth)) {
		String tag = parser.getName();
		switch (tag) {
		case TAG_USER_POLICY_ENTRY:
		readUserPoliciesInner(parser);
		break;
		case TAG_DEVICE_POLICY_ENTRY:
		readDevicePoliciesInner(parser);
		break;
		default:
		Log.e(TAG, "Unknown tag " + tag);
		}
		}
		}

		private void readUserPoliciesInner(TypedXmlPullParser parser)
		throws XmlPullParserException, IOException {
		int userId = parser.getAttributeInt(/* namespace= */ null, ATTR_USER_ID);
		String policyKey = parser.getAttributeValue(
		/* namespace= */ null, ATTR_POLICY_ID);
		if (!mUserPolicies.contains(userId)) {
		mUserPolicies.put(userId, new HashMap<>());
		}
		PolicyState<?> adminsPolicy = parseAdminsPolicy(parser);
		if (adminsPolicy != null) {
		mUserPolicies.get(userId).put(policyKey, adminsPolicy);
		} else {
		Log.e(TAG, "Error parsing file, " + policyKey + "doesn't have an "
		+ "AdminsPolicy.");
		}
		}

		private void readDevicePoliciesInner(TypedXmlPullParser parser)
		throws IOException, XmlPullParserException {
		String policyKey = parser.getAttributeValue(/* namespace= */ null, ATTR_POLICY_ID);
		PolicyState<?> adminsPolicy = parseAdminsPolicy(parser);
		if (adminsPolicy != null) {
		mGlobalPolicies.put(policyKey, adminsPolicy);
		} else {
		Log.e(TAG, "Error parsing file, " + policyKey + "doesn't have an "
		+ "AdminsPolicy.");
		}
		}

		@Nullable
		private PolicyState<?> parseAdminsPolicy(TypedXmlPullParser parser)
		throws XmlPullParserException, IOException {
		int outerDepth = parser.getDepth();
		while (XmlUtils.nextElementWithin(parser, outerDepth)) {
		String tag = parser.getName();
		if (tag.equals(TAG_ADMINS_POLICY_ENTRY)) {
		return PolicyState.readFromXml(parser);
		}
		Log.e(TAG, "Unknown tag " + tag);
		}
		Log.e(TAG, "Error parsing file, AdminsPolicy not found");
		return null;
		}
		}
		}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+53 −52

File changed.

Preview size limit exceeded, changes collapsed.