Merge "Migrate sec log to policy engine" into main

    field public static final String PERMISSION_GRANT_POLICY = "permissionGrant";

    field public static final String PERSISTENT_PREFERRED_ACTIVITY_POLICY = "persistentPreferredActivity";

    field public static final String RESET_PASSWORD_TOKEN_POLICY = "resetPasswordToken";

    field @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") public static final String SECURITY_LOGGING_POLICY = "securityLogging";

    field public static final String STATUS_BAR_DISABLED_POLICY = "statusBarDisabled";

    field @FlaggedApi("android.app.admin.flags.policy_engine_migration_v2_enabled") public static final String USB_DATA_SIGNALING_POLICY = "usbDataSignaling";

    field public static final String USER_CONTROL_DISABLED_PACKAGES_POLICY = "userControlDisabledPackages";

package android.app.admin;

import static android.app.admin.flags.Flags.FLAG_SECURITY_LOG_V2_ENABLED;

import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.annotation.TestApi;

     */

    public static final String PERMISSION_GRANT_POLICY = "permissionGrant";

    /**

     * String identifier for {@link DevicePolicyManager#setSecurityLoggingEnabled}.

     */

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    public static final String SECURITY_LOGGING_POLICY = "securityLogging";

    /**

     * String identifier for {@link DevicePolicyManager#setLockTaskPackages}.

     */

     * privacy-sensitive events happening outside the managed profile would have been redacted

     * already.

     *

     * Starting from {@link Build.VERSION_CODES#VANILLA_ICE_CREAM}, after the security logging

     * policy has been set, {@link PolicyUpdateReceiver#onPolicySetResult(Context, String,

     * Bundle, TargetUser, PolicyUpdateResult)} will notify the admin on whether the policy was

     * successfully set or not. This callback will contain:

     * <ul>

     * <li> The policy identifier {@link DevicePolicyIdentifiers#SECURITY_LOGGING_POLICY}

     * <li> The {@link TargetUser} that this policy relates to

     * <li> The {@link PolicyUpdateResult}, which will be

     * {@link PolicyUpdateResult#RESULT_POLICY_SET} if the policy was successfully set or the

     * reason the policy failed to be set

     * e.g. {@link PolicyUpdateResult#RESULT_FAILURE_CONFLICTING_ADMIN_POLICY})

     * </ul>

     * If there has been a change to the policy,

     * {@link PolicyUpdateReceiver#onPolicyChanged(Context, String, Bundle, TargetUser,

     * PolicyUpdateResult)} will notify the admin of this change. This callback will contain the

     * same parameters as PolicyUpdateReceiver#onPolicySetResult and the {@link PolicyUpdateResult}

     * will contain the reason why the policy changed.

     *

     * @param admin Which device admin this request is associated with, or {@code null}

     *              if called by a delegated app.

     * @param enabled whether security logging should be enabled or not.

     */

    public abstract List<EnforcingUser> getUserRestrictionSources(String restriction,

                @UserIdInt int userId);

    /**

     * Enforces resolved security logging policy, should only be invoked from device policy engine.

     */

    public abstract void enforceSecurityLoggingPolicy(boolean enabled);

}

import static android.app.admin.flags.Flags.headlessDeviceOwnerSingleUserEnabled;

import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;

import static android.app.admin.flags.Flags.assistContentUserRestrictionEnabled;

import static android.app.admin.flags.Flags.securityLogV2Enabled;

import static android.content.Intent.ACTION_MANAGED_PROFILE_AVAILABLE;

import static android.content.Intent.ACTION_MANAGED_PROFILE_UNAVAILABLE;

import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;

                    applyProfileRestrictionsIfDeviceOwnerLocked();

                    // TODO: Is this the right place to trigger the migration?

                    if (shouldMigrateToDevicePolicyEngine()) {

                        migratePoliciesToDevicePolicyEngine();

                    if (shouldMigrateV1ToDevicePolicyEngine()) {

                        migrateV1PoliciesToDevicePolicyEngine();

                    }

                    migratePoliciesToPolicyEngineLocked();

                }

                maybeStartSecurityLogMonitorOnActivityManagerReady();

                break;

        }

    }

    @GuardedBy("getLockObject()")

    private void maybeMigrateSecurityLoggingPolicyLocked() {

        if (!securityLogV2Enabled() || mOwners.isSecurityLoggingMigrated()) {

            return;

        }

        try {

            migrateSecurityLoggingPolicyInternalLocked();

        } catch (Exception e) {

            Slog.e(LOG_TAG, "Failed to properly migrate security logging to policy engine", e);

        }

        Slog.i(LOG_TAG, "Marking security logging policy migration complete");

        mOwners.markSecurityLoggingMigrated();

    }

    @GuardedBy("getLockObject()")

    private void migrateSecurityLoggingPolicyInternalLocked() {

        Slog.i(LOG_TAG, "Migrating security logging policy to policy engine");

        if (!mInjector.securityLogGetLoggingEnabledProperty()) {

            Slog.i(LOG_TAG, "Security logs not enabled, exiting");

            return;

        }

        // Security logging can be enabled either by DO or by COPE PO.

        final ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();

        if (admin == null) {

            Slog.wtf(LOG_TAG, "Security logging is enabled, but no appropriate admin found");

            return;

        }

        EnforcingAdmin enforcingAdmin =

                EnforcingAdmin.createEnterpriseEnforcingAdmin(

                        admin.info.getComponent(),

                        admin.getUserHandle().getIdentifier(),

                        admin);

        mDevicePolicyEngine.setGlobalPolicy(

                PolicyDefinition.SECURITY_LOGGING,

                enforcingAdmin,

                new BooleanPolicyValue(true));

    }

    private void applyManagedSubscriptionsPolicyIfRequired() {

        int copeProfileUserId = getOrganizationOwnedProfileUserId();

        // This policy is relevant only for COPE devices.

            return enforcingUsers;

        }

        @Override

        public void enforceSecurityLoggingPolicy(boolean enabled) {

            enforceLoggingPolicy(enabled);

        }

        private List<EnforcingUser> getEnforcingUsers(Set<EnforcingAdmin> admins) {

            List<EnforcingUser> enforcingUsers = new ArrayList();

            ComponentName deviceOwner = mOwners.getDeviceOwnerComponent();

        }

    }

    private void enforceLoggingPolicy(boolean securityLoggingEnabled) {

        Slogf.i(LOG_TAG, "Enforcing security logging, securityLoggingEnabled: %b",

                securityLoggingEnabled);

        SecurityLog.setLoggingEnabledProperty(securityLoggingEnabled);

        if (securityLoggingEnabled) {

            mSecurityLogMonitor.start(getSecurityLoggingEnabledUser());

            synchronized (getLockObject()) {

                maybePauseDeviceWideLoggingLocked();

            }

        } else {

            mSecurityLogMonitor.stop();

        }

    }

    private Intent createShowAdminSupportIntent(int userId) {

        // This method is called with AMS lock held, so don't take DPMS lock

        final Intent intent = new Intent(Settings.ACTION_SHOW_ADMIN_SUPPORT_DETAILS);

    }

    @Override

    public void setSecurityLoggingEnabled(ComponentName admin, String packageName,

    public void setSecurityLoggingEnabled(ComponentName who, String packageName,

            boolean enabled) {

        if (!mHasFeature) {

            return;

        }

        final CallerIdentity caller = getCallerIdentity(admin, packageName);

        final CallerIdentity caller = getCallerIdentity(who, packageName);

        synchronized (getLockObject()) {

            if (isPermissionCheckFlagEnabled()) {

                enforcePermission(MANAGE_DEVICE_POLICY_SECURITY_LOGGING, caller.getPackageName(),

                        UserHandle.USER_ALL);

        if (securityLogV2Enabled()) {

            EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(

                    who,

                    MANAGE_DEVICE_POLICY_SECURITY_LOGGING,

                    caller.getPackageName(),

                    caller.getUserId());

            if (enabled) {

                mDevicePolicyEngine.setGlobalPolicy(

                        PolicyDefinition.SECURITY_LOGGING,

                        admin,

                        new BooleanPolicyValue(true));

            } else {

                if (admin != null) {

                mDevicePolicyEngine.removeGlobalPolicy(

                        PolicyDefinition.SECURITY_LOGGING,

                        admin);

            }

        } else {

            synchronized (getLockObject()) {

                if (who != null) {

                    Preconditions.checkCallAuthorization(

                            isProfileOwnerOfOrganizationOwnedDevice(caller)

                                    || isDefaultDeviceOwner(caller));

                    Preconditions.checkCallAuthorization(

                            isCallerDelegate(caller, DELEGATION_SECURITY_LOGGING));

                }

            }

                if (enabled == mInjector.securityLogGetLoggingEnabledProperty()) {

                    return;

                    mSecurityLogMonitor.stop();

                }

            }

        }

        DevicePolicyEventLogger

                .createEvent(DevicePolicyEnums.SET_SECURITY_LOGGING_ENABLED)

                .setAdmin(caller.getPackageName())

            return false;

        }

        synchronized (getLockObject()) {

            if (!isSystemUid(getCallerIdentity())) {

        final CallerIdentity caller = getCallerIdentity(admin, packageName);

                if (isPermissionCheckFlagEnabled()) {

                    enforcePermission(MANAGE_DEVICE_POLICY_SECURITY_LOGGING,

                            caller.getPackageName(), UserHandle.USER_ALL);

        if (isSystemUid(caller)) {

            // Settings uses this for privacy transparency.

            // TODO: create a separate @hidden API for settings.

            return mInjector.securityLogGetLoggingEnabledProperty();

        }

        if (securityLogV2Enabled()) {

            final EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(

                    admin,

                    MANAGE_DEVICE_POLICY_SECURITY_LOGGING,

                    caller.getPackageName(),

                    caller.getUserId());

            final Boolean policy = mDevicePolicyEngine.getGlobalPolicySetByAdmin(

                    PolicyDefinition.SECURITY_LOGGING, enforcingAdmin);

            return Boolean.TRUE.equals(policy);

        } else {

            synchronized (getLockObject()) {

                if (admin != null) {

                    Preconditions.checkCallAuthorization(

                            isProfileOwnerOfOrganizationOwnedDevice(caller)

                    Preconditions.checkCallAuthorization(

                            isCallerDelegate(caller, DELEGATION_SECURITY_LOGGING));

                }

                }

            }

                return mInjector.securityLogGetLoggingEnabledProperty();

            }

        }

    }

    private void recordSecurityLogRetrievalTime() {

        synchronized (getLockObject()) {

        }

        final CallerIdentity caller = getCallerIdentity(admin, packageName);

        if (isPermissionCheckFlagEnabled()) {

        if (securityLogV2Enabled()) {

            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(

                    admin,

                    MANAGE_DEVICE_POLICY_SECURITY_LOGGING,

                    caller.getPackageName(),

                    caller.getUserId());

            synchronized (getLockObject()) {

                Preconditions.checkCallAuthorization(isOrganizationOwnedDeviceWithManagedProfile()

                        || areAllUsersAffiliatedWithDeviceLocked());

            }

            enforcePermission(MANAGE_DEVICE_POLICY_SECURITY_LOGGING, caller.getPackageName(),

                    UserHandle.USER_ALL);

            Boolean policy = mDevicePolicyEngine.getGlobalPolicySetByAdmin(

                    PolicyDefinition.SECURITY_LOGGING, enforcingAdmin);

            if (!Boolean.TRUE.equals(policy)) {

                Slogf.e(LOG_TAG, "%s hasn't enabled security logging but tries to retrieve logs",

                        caller.getPackageName());

                return null;

            }

        } else {

            if (admin != null) {

                Preconditions.checkCallAuthorization(

            }

            Preconditions.checkCallAuthorization(isOrganizationOwnedDeviceWithManagedProfile()

                    || areAllUsersAffiliatedWithDeviceLocked());

        }

            if (!mInjector.securityLogGetLoggingEnabledProperty()) {

                return null;

            }

        }

        recordSecurityLogRetrievalTime();

                .createEvent(DevicePolicyEnums.RETRIEVE_SECURITY_LOGS)

                .setAdmin(caller.getPackageName())

                .write();

        return logs != null ? new ParceledListSlice<SecurityEvent>(logs) : null;

        return logs != null ? new ParceledListSlice<>(logs) : null;

    }

    @Override

                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));

        return mInjector.binderWithCleanCallingIdentity(() -> {

            boolean canForceMigration = forceMigration && !hasNonTestOnlyActiveAdmins();

            if (!canForceMigration && !shouldMigrateToDevicePolicyEngine()) {

            if (!canForceMigration && !shouldMigrateV1ToDevicePolicyEngine()) {

                return false;

            }

            return migratePoliciesToDevicePolicyEngine();

            return migrateV1PoliciesToDevicePolicyEngine();

        });

    }

        });

    }

    private boolean shouldMigrateToDevicePolicyEngine() {

    private boolean shouldMigrateV1ToDevicePolicyEngine() {

        return mInjector.binderWithCleanCallingIdentity(() -> !mOwners.isMigratedToPolicyEngine());

    }

    /**

     * Migrates the initial set of policies to use policy engine.

     * @return {@code true} if policies were migrated successfully, {@code false} otherwise.

     */

    private boolean migratePoliciesToDevicePolicyEngine() {

    private boolean migrateV1PoliciesToDevicePolicyEngine() {

        return mInjector.binderWithCleanCallingIdentity(() -> {

            try {

                synchronized (getLockObject()) {

        });

    }

    /**

     * Migrates the rest of policies to use policy engine.

     */

    @GuardedBy("getLockObject()")

    private void migratePoliciesToPolicyEngineLocked() {

        maybeMigrateSecurityLoggingPolicyLocked();

    }

    private void migrateAutoTimezonePolicy() {

        Slogf.i(LOG_TAG, "Skipping Migration of AUTO_TIMEZONE policy to device policy engine,"

                + "as no way to identify if the value was set by the admin or the user.");