
Commit 39911c80 authored by Kholoud Mohamed's avatar Kholoud Mohamed

Stop using policy engine for permission grant state

Bug: 273494642
Test: btest a.d.c.PermissionGrantTest
Change-Id: Ic7f5ef3bcee4c7f138293aed39aeafe097b1c336
parent 4da93f5a
+91 −67
@@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY;
@@ -533,7 +534,6 @@ import java.util.Map;
import java.util.Objects;
import java.util.Objects;
import java.util.Set;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeUnit;
@@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        // Resume logging if all remaining users are affiliated.
                        // Resume logging if all remaining users are affiliated.
                        maybeResumeDeviceWideLoggingLocked();
                        maybeResumeDeviceWideLoggingLocked();
                    }
                    }
                }
                if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
                if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
                    mDevicePolicyEngine.handleUserRemoved(userHandle);
                    mDevicePolicyEngine.handleUserRemoved(userHandle);
                }
                }
                }
            } else if (Intent.ACTION_USER_STARTED.equals(action)) {
            } else if (Intent.ACTION_USER_STARTED.equals(action)) {
                sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle);
                sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle);
                synchronized (getLockObject()) {
                synchronized (getLockObject()) {
@@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        enforceUserUnlocked(userHandle);
        enforceUserUnlocked(userHandle);
        ActiveAdmin admin;
        synchronized (getLockObject()) {
        synchronized (getLockObject()) {
            ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
            admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
            if (admin == null) {
            if (admin == null) {
                return;
                return;
            }
            }
@@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        + adminReceiver);
                        + adminReceiver);
                return;
                return;
            }
            }
            mInjector.binderWithCleanCallingIdentity(() ->
            mInjector.binderWithCleanCallingIdentity(() ->
                    removeActiveAdminLocked(adminReceiver, userHandle));
                    removeActiveAdminLocked(adminReceiver, userHandle));
        }
        if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
        if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
            mDevicePolicyEngine.removePoliciesForAdmin(
            mDevicePolicyEngine.removePoliciesForAdmin(
                    EnforcingAdmin.createEnterpriseEnforcingAdmin(
                    EnforcingAdmin.createEnterpriseEnforcingAdmin(
                            adminReceiver, userHandle, admin));
                            adminReceiver, userHandle, admin));
        }
        }
    }
    }
    }
    private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) {
    private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) {
        return !mInjector.isChangeEnabled(
        return !mInjector.isChangeEnabled(
@@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            }
        }
        }
        EnforcingAdmin enforcingAdmin;
        if (isPermissionCheckFlagEnabled()) {
        if (isPermissionCheckFlagEnabled()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
            enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    admin,
                    MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
                    MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
                    callerPackage,
                    callerPackage,
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                callback.sendResult(null);
                callback.sendResult(null);
                return;
                return;
            }
            }
            // TODO(b/266924257): decide how to handle the internal state if the package doesn't
            //  exist, or the permission isn't requested by the app, because we could end up with
            //  inconsistent state between the policy engine and package manager. Also a package
            //  might get removed or has it's permission updated after we've set the policy.
            mDevicePolicyEngine.setLocalPolicy(
                    PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                    enforcingAdmin,
                    new IntegerPolicyValue(grantState),
                    caller.getUserId());
            // TODO: update javadoc to reflect that callback no longer return success/failure
            callback.sendResult(Bundle.EMPTY);
        } else {
        } else {
            Preconditions.checkCallAuthorization((caller.hasAdminComponent()
            Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                    && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
                    && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        callback.sendResult(null);
                        callback.sendResult(null);
                        return;
                        return;
                    }
                    }
                } catch (SecurityException e) {
                    Slogf.e(LOG_TAG, "Could not set permission grant state", e);
                    callback.sendResult(null);
                } finally {
                    mInjector.binderRestoreCallingIdentity(ident);
                }
            }
        }
        // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main
        //  thread
        if (false) {
            // TODO(b/266924257): decide how to handle the internal state if the package doesn't
            //  exist, or the permission isn't requested by the app, because we could end up with
            //  inconsistent state between the policy engine and package manager. Also a package
            //  might get removed or has it's permission updated after we've set the policy.
            if (grantState == PERMISSION_GRANT_STATE_DEFAULT) {
                mDevicePolicyEngine.removeLocalPolicy(
                        PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                        enforcingAdmin,
                        caller.getUserId());
            } else {
                mDevicePolicyEngine.setLocalPolicy(
                        PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                        enforcingAdmin,
                        new IntegerPolicyValue(grantState),
                        caller.getUserId());
            }
            int newState = mInjector.binderWithCleanCallingIdentity(() ->
                    getPermissionGrantStateForUser(
                            packageName, permission, caller, caller.getUserId()));
            if (newState == grantState) {
                callback.sendResult(Bundle.EMPTY);
            } else {
                callback.sendResult(null);
            }
        } else {
            synchronized (getLockObject()) {
                long ident = mInjector.binderClearCallingIdentity();
                try {
                    boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId())
                            >= android.os.Build.VERSION_CODES.Q;
                    if (grantState == PERMISSION_GRANT_STATE_GRANTED
                    if (grantState == PERMISSION_GRANT_STATE_GRANTED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) {
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) {
@@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                                                callback.sendResult(null);
                                                callback.sendResult(null);
                                                return;
                                                return;
                                            }
                                            }
                                        DevicePolicyEventLogger
                                                .createEvent(DevicePolicyEnums
                                                        .SET_PERMISSION_GRANT_STATE)
                                                .setAdmin(caller.getPackageName())
                                                .setStrings(permission)
                                                .setInt(grantState)
                                                .setBoolean(
                                                        /* isDelegate */ isCallerDelegate(caller))
                                                .write();
                                            callback.sendResult(Bundle.EMPTY);
                                            callback.sendResult(Bundle.EMPTY);
                                        });
                                        });
                    }
                    }
@@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                }
                }
            }
            }
        }
        }
        DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE)
                .setAdmin(caller.getPackageName())
                .setStrings(permission)
                .setInt(grantState)
                .setBoolean(/* isDelegate */ isCallerDelegate(caller))
                .write();
    }
    }
    private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>();
    private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>();
@@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            if (isFinancedDeviceOwner(caller)) {
            if (isFinancedDeviceOwner(caller)) {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            }
            return mInjector.binderWithCleanCallingIdentity(() -> {
            return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser(
                return getPermissionGrantStateForUser(
                    packageName, permission, caller, caller.getUserId()));
                        packageName, permission, caller, caller.getUserId());
            });
        }
        }
    }
    }
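Review bot: The `SET_PERMISSION_GRANT_STATE` event is now written unconditionally at the end of the method instead of inside the success callback, so it appears to be recorded even when the `SecurityException` catch has already sent `callback.sendResult(null)`, or when the asynchronous result later reports failure. Anyone reading this event as a record of admin-driven permission changes would then see attempts rather than applied changes. If that is intended, say so at the call site, e.g. `// Logged per request; the grant may still fail or complete asynchronously.`; otherwise keep the `write()` on the path that sends `Bundle.EMPTY`. Separately, `enforcingAdmin` is assigned only in the `isPermissionCheckFlagEnabled()` branch, so the `if (false)` block will need a value for the legacy branch before it is enabled. The method starts and ends outside the visible hunks, so the early-return paths should be checked against the full file.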
+1 −0
@@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks {
                    ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT
                    ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT
                    : grantState;
                    : grantState;


            // TODO(b/278710449): stop blocking in the main thread
            BlockingCallback callback = new BlockingCallback();
            BlockingCallback callback = new BlockingCallback();
            // TODO: remove canAdminGrantSensorPermissions once we expose a new method in
            // TODO: remove canAdminGrantSensorPermissions once we expose a new method in
            //  permissionController that doesn't need it.
            //  permissionController that doesn't need it.