Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 75342ef5 authored by Hani Kazmi's avatar Hani Kazmi
Browse files

[AAPM] Introduce new Service for Android Advanced Protection Mode 

We add a new service and manager, behind a feature flag. This service
will be used to enroll devices into a security conscious protection
mode, and to allow clients to customise behaviour based on the state of
this mode.

Both the query API and callback are protected by a install permission.
This may be revisited as the feature evolves.

AAPM can be turned on for testing via

adb shell cmd advanced_protection set-protection-enabled true

Bug: 352420507
Test: atest AdvancedProtectionServiceTest AdvancedProtectionManagerTest
Flag: android.security.aapm_api
Change-Id: Ibf8478235b147e9f844d80d083a5e04819e1b052
parent a3bea3e2

core/api/current.txt

+16 −0
Original line number Diff line number Diff line
@@ -239,6 +239,7 @@ package android { 
    field @Deprecated public static final String PROCESS_OUTGOING_CALLS = "android.permission.PROCESS_OUTGOING_CALLS";

    field public static final String PROVIDE_OWN_AUTOFILL_SUGGESTIONS = "android.permission.PROVIDE_OWN_AUTOFILL_SUGGESTIONS";

    field public static final String PROVIDE_REMOTE_CREDENTIALS = "android.permission.PROVIDE_REMOTE_CREDENTIALS";

    field @FlaggedApi("android.security.aapm_api") public static final String QUERY_ADVANCED_PROTECTION_MODE = "android.permission.QUERY_ADVANCED_PROTECTION_MODE";

    field public static final String QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES";

    field public static final String READ_ASSISTANT_APP_SEARCH_DATA = "android.permission.READ_ASSISTANT_APP_SEARCH_DATA";

    field public static final String READ_BASIC_PHONE_STATE = "android.permission.READ_BASIC_PHONE_STATE";
@@ -10798,6 +10799,7 @@ package android.content { 
    field public static final String ACCESSIBILITY_SERVICE = "accessibility";

    field public static final String ACCOUNT_SERVICE = "account";

    field public static final String ACTIVITY_SERVICE = "activity";

    field @FlaggedApi("android.security.aapm_api") public static final String ADVANCED_PROTECTION_SERVICE = "advanced_protection";

    field public static final String ALARM_SERVICE = "alarm";

    field public static final String APPWIDGET_SERVICE = "appwidget";

    field @FlaggedApi("android.app.appfunctions.flags.enable_app_function_manager") public static final String APP_FUNCTION_SERVICE = "app_function";
@@ -39662,6 +39664,20 @@ package android.security { 














}



























package android.security.advancedprotection {

























  @FlaggedApi("android.security.aapm_api") public class AdvancedProtectionManager {













    method @RequiresPermission(android.Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE) public boolean isAdvancedProtectionEnabled();













    method @RequiresPermission(android.Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE) public void registerAdvancedProtectionCallback(@NonNull java.util.concurrent.Executor, @NonNull android.security.advancedprotection.AdvancedProtectionManager.Callback);













    method @RequiresPermission(android.Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE) public void unregisterAdvancedProtectionCallback(@NonNull android.security.advancedprotection.AdvancedProtectionManager.Callback);













  }

























  @FlaggedApi("android.security.aapm_api") public static interface AdvancedProtectionManager.Callback {













    method public void onAdvancedProtectionChanged(boolean);













  }

























}



























package android.security.identity {





























  public class AccessControlProfile {

























core/api/system-current.txt



+9
−0




























Original line number
Diff line number
Diff line








@@ -362,6 +362,7 @@ package android {













    field public static final String SERIAL_PORT = "android.permission.SERIAL_PORT";















    field @FlaggedApi("android.security.fsverity_api") public static final String SETUP_FSVERITY = "android.permission.SETUP_FSVERITY";















    field public static final String SET_ACTIVITY_WATCHER = "android.permission.SET_ACTIVITY_WATCHER";













    field @FlaggedApi("android.security.aapm_api") public static final String SET_ADVANCED_PROTECTION_MODE = "android.permission.SET_ADVANCED_PROTECTION_MODE";















    field public static final String SET_CLIP_SOURCE = "android.permission.SET_CLIP_SOURCE";















    field public static final String SET_DEFAULT_ACCOUNT_FOR_CONTACTS = "android.permission.SET_DEFAULT_ACCOUNT_FOR_CONTACTS";















    field public static final String SET_HARMFUL_APP_WARNINGS = "android.permission.SET_HARMFUL_APP_WARNINGS";










@@ -12310,6 +12311,14 @@ package android.security {



























}



























package android.security.advancedprotection {

























  @FlaggedApi("android.security.aapm_api") public class AdvancedProtectionManager {













    method @RequiresPermission(android.Manifest.permission.SET_ADVANCED_PROTECTION_MODE) public void setAdvancedProtectionEnabled(boolean);













  }

























}



























package android.security.keystore {





























  public class AndroidKeyStoreProvider extends java.security.Provider {

























core/java/android/app/SystemServiceRegistry.java



+17
−0




























Original line number
Diff line number
Diff line








@@ -235,6 +235,8 @@ import android.safetycenter.SafetyCenterFrameworkInitializer;













import android.scheduling.SchedulingFrameworkInitializer;















import android.security.FileIntegrityManager;















import android.security.IFileIntegrityService;













import android.security.advancedprotection.AdvancedProtectionManager;













import android.security.advancedprotection.IAdvancedProtectionService;















import android.security.attestationverification.AttestationVerificationManager;















import android.security.attestationverification.IAttestationVerificationManagerService;















import android.service.oemlock.IOemLockService;










@@ -1771,6 +1773,21 @@ public final class SystemServiceRegistry {













                        return new SupervisionManager(ctx, service);















                    }















                });













        if (android.security.Flags.aapmApi()) {













            registerService(Context.ADVANCED_PROTECTION_SERVICE, AdvancedProtectionManager.class,













                    new CachedServiceFetcher<>() {













                        @Override













                        public AdvancedProtectionManager createService(ContextImpl ctx)













                                throws ServiceNotFoundException {













                            IBinder iBinder = ServiceManager.getServiceOrThrow(













                                    Context.ADVANCED_PROTECTION_SERVICE);













                            IAdvancedProtectionService service =













                                    IAdvancedProtectionService.Stub.asInterface(iBinder);













                            return new AdvancedProtectionManager(service);













                        }













                    });













        }





























        // DO NOT do a flag check like this unless the flag is read-only.















        // (because this code is executed during preload in zygote.)















        // If the flag is mutable, the check should be inside CachedServiceFetcher.

































core/java/android/content/Context.java



+10
−0




























Original line number
Diff line number
Diff line








@@ -4325,6 +4325,7 @@ public abstract class Context {













           //@hide: ECM_ENHANCED_CONFIRMATION_SERVICE,















            CONTACT_KEYS_SERVICE,















            RANGING_SERVICE,













            ADVANCED_PROTECTION_SERVICE,































    })















    @Retention(RetentionPolicy.SOURCE)










@@ -6366,6 +6367,15 @@ public abstract class Context {













     */















    public static final String ATTESTATION_VERIFICATION_SERVICE = "attestation_verification";





























    /**













     * Use with {@link #getSystemService(String)} to retrieve an













     * {@link android.security.advancedprotection.AdvancedProtectionManager}













     * @see #getSystemService(String)













     * @see android.security.advancedprotection.AdvancedProtectionManager













     */













    @FlaggedApi(android.security.Flags.FLAG_AAPM_API)













    public static final String ADVANCED_PROTECTION_SERVICE = "advanced_protection";





























    /**















     * Use with {@link #getSystemService(String)} to retrieve an















     * {@link android.security.FileIntegrityManager}.

































core/java/android/provider/Settings.java



+6
−0




























Original line number
Diff line number
Diff line








@@ -12819,6 +12819,12 @@ public final class Settings {













         */















        @Readable















        public static final String CONTEXTUAL_SEARCH_PACKAGE = "contextual_search_package";

























        /**













         * Inetger property which determines whether advanced protection is on or not.













         * @hide













         */













        public static final String ADVANCED_PROTECTION_MODE = "advanced_protection_mode";















    }





























    /**