Merge "Remove settings to relax device ID access restrictions" into qt-dev

        public static final String LOCATION_GLOBAL_KILL_SWITCH =

                "location_global_kill_switch";

        /**

         * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE

         * permission check for 3P apps.

         *

         * STOPSHIP: Remove this once we ship with the new device identifier check enabled.

         *

         * @hide

         */

        public static final String PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED =

                "privileged_device_identifier_3p_check_relaxed";

        /**

         * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE

         * permission check for preloaded non-privileged apps.

         *

         * STOPSHIP: Remove this once we ship with the new device identifier check enabled.

         *

         * @hide

         */

        public static final String PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED =

                "privileged_device_identifier_non_priv_check_relaxed";

        /**

         * If set to 1, the device identifier check will be relaxed to the previous READ_PHONE_STATE

         * permission check for preloaded privileged apps.

         *

         * STOPSHIP: Remove this once we ship with the new device identifier check enabled.

         *

         * @hide

         */

        public static final String PRIVILEGED_DEVICE_IDENTIFIER_PRIV_CHECK_RELAXED =

                "privileged_device_identifier_priv_check_relaxed";

        /**

         * If set to 1, SettingsProvider's restoreAnyVersion="true" attribute will be ignored

         * and restoring to lower version of platform API will be skipped.

                    Settings.Global.POWER_MANAGER_CONSTANTS,

                    Settings.Global.PREFERRED_NETWORK_MODE,

                    Settings.Global.PRIVATE_DNS_DEFAULT_MODE,

                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED,

                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_PRIV_CHECK_RELAXED,

                    Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED,

                    Settings.Global.PROVISIONING_APN_ALARM_DELAY_IN_MS,

                    Settings.Global.RADIO_BLUETOOTH,

                    Settings.Global.RADIO_CELL,

import android.os.RemoteException;

import android.os.ServiceManager;

import android.os.UserHandle;

import android.provider.DeviceConfig;

import android.provider.Settings;

import android.telephony.Rlog;

import android.telephony.SubscriptionManager;

import android.telephony.TelephonyManager;

     */

    private static boolean reportAccessDeniedToReadIdentifiers(Context context, int subId, int pid,

            int uid, String callingPackage, String message) {

        // Check if the application is not preinstalled; if not then a separate setting is required

        // to relax the check to begin flagging problems with non-preinstalled apps early.

        boolean relax3PDeviceIdentifierCheck = Settings.Global.getInt(context.getContentResolver(),

                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_3P_CHECK_RELAXED, 0) == 1;

        boolean isPreinstalled = false;

        // Also check if the application is a preloaded non-privileged app; if so there is a

        // separate setting to relax the check for these apps to ensure users can relax the check

        // for non-preinstalled or non-priv apps as needed while continuing to test the other.

        boolean relaxNonPrivDeviceIdentifierCheck = Settings.Global.getInt(

                context.getContentResolver(),

                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_NON_PRIV_CHECK_RELAXED, 0) == 1;

        boolean isPrivApp = false;

        // Similar to above support relaxing the check for privileged apps while still enforcing it

        // for non-privileged and non-preinstalled apps.

        boolean relaxPrivDeviceIdentifierCheck = Settings.Global.getInt(

                context.getContentResolver(),

                Settings.Global.PRIVILEGED_DEVICE_IDENTIFIER_PRIV_CHECK_RELAXED, 0) == 1;

        ApplicationInfo callingPackageInfo = null;

        try {

            callingPackageInfo = context.getPackageManager().getApplicationInfoAsUser(

            Log.e(LOG_TAG, "Exception caught obtaining package info for package " + callingPackage,

                    e);

        }

        // The new Q restrictions for device identifier access will be enforced for all apps with

        // settings to individually disable the new restrictions for privileged, preloaded

        // non-privileged, and non-preinstalled apps.

        if (!isIdentifierCheckDisabled() && (

                (isPrivApp && !relaxPrivDeviceIdentifierCheck)

                        || (!isPreinstalled && !relax3PDeviceIdentifierCheck)

                        || (isPreinstalled && !isPrivApp && !relaxNonPrivDeviceIdentifierCheck))) {

        // The current package should only be reported in StatsLog if it has not previously been

        // reported for the currently invoked device identifier method.

        boolean packageReported = sReportedDeviceIDPackages.containsKey(callingPackage);

        }

        throw new SecurityException(message + ": The user " + uid

                + " does not meet the requirements to access device identifiers.");

        } else {

            return checkReadPhoneState(context, subId, pid, uid, callingPackage, message);

        }

    }

    /**

     * Returns true if the new device identifier access restrictions are disabled.

     */

    private static boolean isIdentifierCheckDisabled() {

        return DeviceConfig.getInt(DeviceConfig.NAMESPACE_PRIVACY,

                PROPERTY_DEVICE_IDENTIFIER_ACCESS_RESTRICTIONS_DISABLED, 0) == 1;

    }

    /**