
Commit 7fcf82fb authored by Rubin Xu's avatar Rubin Xu Committed by Android (Google) Code Review

Merge "Make zero trust related APIs callable by permission holders" into main

parents 0b95567e 8668395a
+2 −2
@@ -8017,7 +8017,7 @@ package android.app.admin {
    method public CharSequence getDeviceOwnerLockScreenInfo();
    method public CharSequence getDeviceOwnerLockScreenInfo();
    method @Nullable public String getDevicePolicyManagementRoleHolderPackage();
    method @Nullable public String getDevicePolicyManagementRoleHolderPackage();
    method public CharSequence getEndUserSessionMessage(@NonNull android.content.ComponentName);
    method public CharSequence getEndUserSessionMessage(@NonNull android.content.ComponentName);
    method @NonNull public String getEnrollmentSpecificId();
    method @FlaggedApi("android.app.admin.flags.permission_migration_for_zero_trust_api_enabled") @NonNull @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES, conditional=true) public String getEnrollmentSpecificId();
    method @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_FACTORY_RESET, conditional=true) public android.app.admin.FactoryResetProtectionPolicy getFactoryResetProtectionPolicy(@Nullable android.content.ComponentName);
    method @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_FACTORY_RESET, conditional=true) public android.app.admin.FactoryResetProtectionPolicy getFactoryResetProtectionPolicy(@Nullable android.content.ComponentName);
    method @Nullable public String getGlobalPrivateDnsHost(@NonNull android.content.ComponentName);
    method @Nullable public String getGlobalPrivateDnsHost(@NonNull android.content.ComponentName);
    method public int getGlobalPrivateDnsMode(@NonNull android.content.ComponentName);
    method public int getGlobalPrivateDnsMode(@NonNull android.content.ComponentName);
@@ -8056,7 +8056,7 @@ package android.app.admin {
    method @Deprecated public int getPasswordMinimumSymbols(@Nullable android.content.ComponentName);
    method @Deprecated public int getPasswordMinimumSymbols(@Nullable android.content.ComponentName);
    method @Deprecated public int getPasswordMinimumUpperCase(@Nullable android.content.ComponentName);
    method @Deprecated public int getPasswordMinimumUpperCase(@Nullable android.content.ComponentName);
    method @Deprecated public int getPasswordQuality(@Nullable android.content.ComponentName);
    method @Deprecated public int getPasswordQuality(@Nullable android.content.ComponentName);
    method @Nullable public android.app.admin.SystemUpdateInfo getPendingSystemUpdate(@NonNull android.content.ComponentName);
    method @FlaggedApi("android.app.admin.flags.permission_migration_for_zero_trust_api_enabled") @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES, conditional=true) public android.app.admin.SystemUpdateInfo getPendingSystemUpdate(@Nullable android.content.ComponentName);
    method @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, conditional=true) public int getPermissionGrantState(@Nullable android.content.ComponentName, @NonNull String, @NonNull String);
    method @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, conditional=true) public int getPermissionGrantState(@Nullable android.content.ComponentName, @NonNull String, @NonNull String);
    method public int getPermissionPolicy(android.content.ComponentName);
    method public int getPermissionPolicy(android.content.ComponentName);
    method @Nullable public java.util.List<java.lang.String> getPermittedAccessibilityServices(@NonNull android.content.ComponentName);
    method @Nullable public java.util.List<java.lang.String> getPermittedAccessibilityServices(@NonNull android.content.ComponentName);
+21 −7
@@ -37,6 +37,7 @@ import static android.Manifest.permission.MANAGE_DEVICE_POLICY_MTE;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PACKAGE_STATE;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PACKAGE_STATE;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_SCREEN_CAPTURE;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_SCREEN_CAPTURE;
@@ -13416,17 +13417,25 @@ public class DevicePolicyManager {
    }
    }
    /**
    /**
     * Called by device or profile owners to get information about a pending system update.
     * Get information about a pending system update.
     *
     * Can be called by device or profile owners, and starting from Android
     * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, holders of the permission
     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}.
     *
     *
     * @param admin Which profile or device owner this request is associated with.
     * @param admin Which profile or device owner this request is associated with.
     * @return Information about a pending system update or {@code null} if no update pending.
     * @return Information about a pending system update or {@code null} if no update pending.
     * @throws SecurityException if {@code admin} is not a device or profile owner.
     * @throws SecurityException if {@code admin} is not a device, profile owner or holders of
     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}.
     * @see DeviceAdminReceiver#onSystemUpdatePending(Context, Intent, long)
     * @see DeviceAdminReceiver#onSystemUpdatePending(Context, Intent, long)
     */
     */
    public @Nullable SystemUpdateInfo getPendingSystemUpdate(@NonNull ComponentName admin) {
    @RequiresPermission(value = MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES, conditional = true)
    @SuppressLint("RequiresPermission")
    @FlaggedApi(Flags.FLAG_PERMISSION_MIGRATION_FOR_ZERO_TRUST_API_ENABLED)
    public @Nullable SystemUpdateInfo getPendingSystemUpdate(@Nullable ComponentName admin) {
        throwIfParentInstance("getPendingSystemUpdate");
        throwIfParentInstance("getPendingSystemUpdate");
        try {
        try {
            return mService.getPendingSystemUpdate(admin);
            return mService.getPendingSystemUpdate(admin, mContext.getPackageName());
        } catch (RemoteException re) {
        } catch (RemoteException re) {
            throw re.rethrowFromSystemServer();
            throw re.rethrowFromSystemServer();
        }
        }
@@ -16495,8 +16504,9 @@ public class DevicePolicyManager {
     * The identifier would be consistent even if the work profile is removed and enrolled again
     * The identifier would be consistent even if the work profile is removed and enrolled again
     * (to the same organization), or the device is factory reset and re-enrolled.
     * (to the same organization), or the device is factory reset and re-enrolled.
     *
     *
     * Can only be called by the Profile Owner or Device Owner, if the
     * Can only be called by the Profile Owner and Device Owner, and starting from Android
     * {@link #setOrganizationId(String)} was previously called.
     * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, holders of the permission
     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES}.
     * If {@link #setOrganizationId(String)} was not called, then the returned value will be an
     * If {@link #setOrganizationId(String)} was not called, then the returned value will be an
     * empty string.
     * empty string.
     *
     *
@@ -16509,8 +16519,12 @@ public class DevicePolicyManager {
     * and must switch to using this method.
     * and must switch to using this method.
     *
     *
     * @return A stable, enrollment-specific identifier.
     * @return A stable, enrollment-specific identifier.
     * @throws SecurityException if the caller is not a profile owner or device owner.
     * @throws SecurityException if the caller is not a profile owner, device owner or holding the
     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES} permission
     */
     */
    @RequiresPermission(value = MANAGE_DEVICE_POLICY_CERTIFICATES, conditional = true)
    @SuppressLint("RequiresPermission")
    @FlaggedApi(Flags.FLAG_PERMISSION_MIGRATION_FOR_ZERO_TRUST_API_ENABLED)
    @NonNull public String getEnrollmentSpecificId() {
    @NonNull public String getEnrollmentSpecificId() {
        throwIfParentInstance("getEnrollmentSpecificId");
        throwIfParentInstance("getEnrollmentSpecificId");
        if (mService == null) {
        if (mService == null) {
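Review bot: The `@param admin` line in the getPendingSystemUpdate Javadoc (hunk at 13416) still reads "Which profile or device owner this request is associated with" although the parameter is now `@Nullable` and the new text admits callers that are neither; the doc should say when null is acceptable, e.g. `@param admin Which profile or device owner this request is associated with, or {@code null} if the caller is not an admin and holds {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}.` The new `@throws` sentence also reads oddly ("is not a device, profile owner or holders of"); `@throws SecurityException if the caller is neither a device or profile owner nor a holder of ...` is clearer, and the same wording fix applies to the `@throws` on getEnrollmentSpecificId. Note that the wrapper passes a null `admin` straight through to the service, so null support presumably rests on the service-side getCallerIdentity(admin, callerPackage) overload accepting it; that overload is not visible in this diff.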
+1 −1
@@ -392,7 +392,7 @@ interface IDevicePolicyManager {
    boolean getDoNotAskCredentialsOnBoot();
    boolean getDoNotAskCredentialsOnBoot();


    void notifyPendingSystemUpdate(in SystemUpdateInfo info);
    void notifyPendingSystemUpdate(in SystemUpdateInfo info);
    SystemUpdateInfo getPendingSystemUpdate(in ComponentName admin);
    SystemUpdateInfo getPendingSystemUpdate(in ComponentName admin, in String callerPackage);


    void setPermissionPolicy(in ComponentName admin, in String callerPackage, int policy);
    void setPermissionPolicy(in ComponentName admin, in String callerPackage, int policy);
    int  getPermissionPolicy(in ComponentName admin);
    int  getPermissionPolicy(in ComponentName admin);
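Review bot: The new `callerPackage` argument on getPendingSystemUpdate is supplied by the client (the framework wrapper passes mContext.getPackageName()) and is therefore attacker-controlled at the Binder boundary, so the service must bind it to the calling uid before using it for any permission decision, as the setPermissionPolicy declaration two lines below presumably already requires. A one-line comment on the declaration would make that contract explicit for the next caller: `// callerPackage is client-supplied; the service must verify it belongs to Binder.getCallingUid() before use.` Whether getCallerIdentity(admin, callerPackage) on the service side already performs that check cannot be seen from this diff.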
+42 −18
@@ -60,6 +60,7 @@ import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PHYSICAL_MEDIA;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PRINTING;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PRINTING;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILES;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILES;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESTRICT_PRIVATE_DNS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESTRICT_PRIVATE_DNS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;
@@ -85,6 +86,7 @@ import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WINDOWS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIPE_DATA;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIPE_DATA;
import static android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS;
import static android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS;
import static android.Manifest.permission.MASTER_CLEAR;
import static android.Manifest.permission.MASTER_CLEAR;
import static android.Manifest.permission.NOTIFY_PENDING_SYSTEM_UPDATE;
import static android.Manifest.permission.QUERY_ADMIN_POLICY;
import static android.Manifest.permission.QUERY_ADMIN_POLICY;
import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;
import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;
import static android.Manifest.permission.SET_TIME;
import static android.Manifest.permission.SET_TIME;
@@ -236,6 +238,7 @@ import static android.app.admin.flags.Flags.backupServiceSecurityLogEventEnabled
import static android.app.admin.flags.Flags.devicePolicySizeTrackingEnabled;
import static android.app.admin.flags.Flags.devicePolicySizeTrackingEnabled;
import static android.app.admin.flags.Flags.dumpsysPolicyEngineMigrationEnabled;
import static android.app.admin.flags.Flags.dumpsysPolicyEngineMigrationEnabled;
import static android.app.admin.flags.Flags.headlessDeviceOwnerSingleUserEnabled;
import static android.app.admin.flags.Flags.headlessDeviceOwnerSingleUserEnabled;
import static android.app.admin.flags.Flags.permissionMigrationForZeroTrustImplEnabled;
import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;
import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;
import static android.app.admin.flags.Flags.assistContentUserRestrictionEnabled;
import static android.app.admin.flags.Flags.assistContentUserRestrictionEnabled;
import static android.app.admin.flags.Flags.securityLogV2Enabled;
import static android.app.admin.flags.Flags.securityLogV2Enabled;
@@ -16253,7 +16256,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    @Override
    public void notifyPendingSystemUpdate(@Nullable SystemUpdateInfo info) {
    public void notifyPendingSystemUpdate(@Nullable SystemUpdateInfo info) {
        Preconditions.checkCallAuthorization(
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.NOTIFY_PENDING_SYSTEM_UPDATE),
                hasCallingOrSelfPermission(NOTIFY_PENDING_SYSTEM_UPDATE),
                "Only the system update service can broadcast update information");
                "Only the system update service can broadcast update information");
        mInjector.binderWithCleanCallingIdentity(() -> {
        mInjector.binderWithCleanCallingIdentity(() -> {
@@ -16294,26 +16297,41 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            }
            }
            // Send broadcasts to corresponding profile owners if any.
            // Send broadcasts to corresponding profile owners if any.
            for (final int userId : runningUserIds) {
            for (final int userId : runningUserIds) {
                final ComponentName profileOwnerPackage;
                synchronized (getLockObject()) {
                synchronized (getLockObject()) {
                    final ComponentName profileOwnerPackage =
                    profileOwnerPackage = mOwners.getProfileOwnerComponent(userId);
                            mOwners.getProfileOwnerComponent(userId);
                }
                if (profileOwnerPackage != null) {
                if (profileOwnerPackage != null) {
                    intent.setComponent(profileOwnerPackage);
                    intent.setComponent(profileOwnerPackage);
                    mContext.sendBroadcastAsUser(intent, UserHandle.of(userId));
                    mContext.sendBroadcastAsUser(intent, UserHandle.of(userId));
                }
                }
                if (permissionMigrationForZeroTrustImplEnabled()) {
                    final UserHandle user = UserHandle.of(userId);
                    final String roleHolderPackage = getRoleHolderPackageNameOnUser(
                            RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId);
                    if (roleHolderPackage != null) {
                        broadcastExplicitIntentToPackage(intent, roleHolderPackage, user);
                    }
                }
                }
            }
            }
        });
        });
    }
    }
    @Override
    @Override
    public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin) {
    public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin, String callerPackage) {
        if (permissionMigrationForZeroTrustImplEnabled()) {
            CallerIdentity caller = getCallerIdentity(admin, callerPackage);
            enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE,
                    MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(),
                    caller.getUserId());
        } else {
            Objects.requireNonNull(admin, "ComponentName is null");
            Objects.requireNonNull(admin, "ComponentName is null");
            final CallerIdentity caller = getCallerIdentity(admin);
            final CallerIdentity caller = getCallerIdentity(admin);
            Preconditions.checkCallAuthorization(
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller) || isProfileOwner(caller));
                    isDefaultDeviceOwner(caller) || isProfileOwner(caller));
        }
        return mOwners.getSystemUpdateInfo();
        return mOwners.getSystemUpdateInfo();
    }
    }
@@ -20817,14 +20835,18 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        }
        final CallerIdentity caller = getCallerIdentity(callerPackage);
        final CallerIdentity caller = getCallerIdentity(callerPackage);
        if (permissionMigrationForZeroTrustImplEnabled()) {
            enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName());
        } else {
            Preconditions.checkCallAuthorization(
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller) || isProfileOwner(caller)
                    isDefaultDeviceOwner(caller) || isProfileOwner(caller)
                            || isCallerDelegate(caller, DELEGATION_CERT_INSTALL));
                            || isCallerDelegate(caller, DELEGATION_CERT_INSTALL));
        }
        synchronized (getLockObject()) {
        synchronized (getLockObject()) {
            final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked(
            final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked(
                    caller.getUserId());
                    caller.getUserId());
            final String esid = requiredAdmin.mEnrollmentSpecificId;
            final String esid = requiredAdmin != null ? requiredAdmin.mEnrollmentSpecificId : null;
            return esid != null ? esid : "";
            return esid != null ? esid : "";
        }
        }
    }
    }
@@ -22495,7 +22517,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            MANAGE_DEVICE_POLICY_WINDOWS,
            MANAGE_DEVICE_POLICY_WINDOWS,
            MANAGE_DEVICE_POLICY_WIPE_DATA,
            MANAGE_DEVICE_POLICY_WIPE_DATA,
            SET_TIME,
            SET_TIME,
            SET_TIME_ZONE
            SET_TIME_ZONE,
            MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES
    );
    );
    private static final List<String> FINANCED_DEVICE_OWNER_PERMISSIONS = List.of(
    private static final List<String> FINANCED_DEVICE_OWNER_PERMISSIONS = List.of(
            MANAGE_DEVICE_POLICY_ACROSS_USERS,
            MANAGE_DEVICE_POLICY_ACROSS_USERS,
@@ -22559,7 +22582,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    MANAGE_DEVICE_POLICY_SYSTEM_DIALOGS,
                    MANAGE_DEVICE_POLICY_SYSTEM_DIALOGS,
                    MANAGE_DEVICE_POLICY_TIME,
                    MANAGE_DEVICE_POLICY_TIME,
                    MANAGE_DEVICE_POLICY_VPN,
                    MANAGE_DEVICE_POLICY_VPN,
                    MANAGE_DEVICE_POLICY_WIPE_DATA
                    MANAGE_DEVICE_POLICY_WIPE_DATA,
                    MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES
            );
            );
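Review bot: In getEnrollmentSpecificId (hunk at 20817) the flag-enabled branch checks only MANAGE_DEVICE_POLICY_CERTIFICATES via enforcePermission, while the legacy branch it replaces also admitted DELEGATION_CERT_INSTALL delegates; unless enforcePermission maps that delegation scope onto the permission internally (not visible here), turning on permissionMigrationForZeroTrustImplEnabled silently revokes ESID access for existing cert-install delegates. If that is unintended, keep the delegate path next to the permission check, e.g. `if (!isCallerDelegate(caller, DELEGATION_CERT_INSTALL)) { enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName()); }`; if it is intended, the DevicePolicyManager Javadoc should state that delegates are no longer accepted. Separately, getPendingSystemUpdate now keys its enforcePermissions check on caller.getPackageName(), which originates from the client-supplied callerPackage, so its safety depends on getCallerIdentity(admin, callerPackage) binding that name to the calling uid. The enclosing getEnrollmentSpecificId method starts outside the hunk.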
    /**
    /**