Merge "Make zero trust related APIs callable by permission holders" into main

    method public CharSequence getDeviceOwnerLockScreenInfo();

    method public CharSequence getDeviceOwnerLockScreenInfo();

    method @Nullable public String getDevicePolicyManagementRoleHolderPackage();

    method @Nullable public String getDevicePolicyManagementRoleHolderPackage();

    method public CharSequence getEndUserSessionMessage(@NonNull android.content.ComponentName);

    method public CharSequence getEndUserSessionMessage(@NonNull android.content.ComponentName);

    method @NonNull public String getEnrollmentSpecificId();

    method @FlaggedApi("android.app.admin.flags.permission_migration_for_zero_trust_api_enabled") @NonNull @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_CERTIFICATES, conditional=true) public String getEnrollmentSpecificId();

    method @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_FACTORY_RESET, conditional=true) public android.app.admin.FactoryResetProtectionPolicy getFactoryResetProtectionPolicy(@Nullable android.content.ComponentName);

    method @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_FACTORY_RESET, conditional=true) public android.app.admin.FactoryResetProtectionPolicy getFactoryResetProtectionPolicy(@Nullable android.content.ComponentName);

    method @Nullable public String getGlobalPrivateDnsHost(@NonNull android.content.ComponentName);

    method @Nullable public String getGlobalPrivateDnsHost(@NonNull android.content.ComponentName);

    method public int getGlobalPrivateDnsMode(@NonNull android.content.ComponentName);

    method public int getGlobalPrivateDnsMode(@NonNull android.content.ComponentName);

    method @Deprecated public int getPasswordMinimumSymbols(@Nullable android.content.ComponentName);

    method @Deprecated public int getPasswordMinimumSymbols(@Nullable android.content.ComponentName);

    method @Deprecated public int getPasswordMinimumUpperCase(@Nullable android.content.ComponentName);

    method @Deprecated public int getPasswordMinimumUpperCase(@Nullable android.content.ComponentName);

    method @Deprecated public int getPasswordQuality(@Nullable android.content.ComponentName);

    method @Deprecated public int getPasswordQuality(@Nullable android.content.ComponentName);

    method @Nullable public android.app.admin.SystemUpdateInfo getPendingSystemUpdate(@NonNull android.content.ComponentName);

    method @FlaggedApi("android.app.admin.flags.permission_migration_for_zero_trust_api_enabled") @Nullable @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES, conditional=true) public android.app.admin.SystemUpdateInfo getPendingSystemUpdate(@Nullable android.content.ComponentName);

    method @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, conditional=true) public int getPermissionGrantState(@Nullable android.content.ComponentName, @NonNull String, @NonNull String);

    method @RequiresPermission(value=android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS, conditional=true) public int getPermissionGrantState(@Nullable android.content.ComponentName, @NonNull String, @NonNull String);

    method public int getPermissionPolicy(android.content.ComponentName);

    method public int getPermissionPolicy(android.content.ComponentName);

    method @Nullable public java.util.List<java.lang.String> getPermittedAccessibilityServices(@NonNull android.content.ComponentName);

    method @Nullable public java.util.List<java.lang.String> getPermittedAccessibilityServices(@NonNull android.content.ComponentName);

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_ORGANIZATION_IDENTITY;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PACKAGE_STATE;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PACKAGE_STATE;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_SCREEN_CAPTURE;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_SCREEN_CAPTURE;

    }

    }

    /**

    /**

     * Called by device or profile owners to get information about a pending system update.

     * Get information about a pending system update.

     *

     * Can be called by device or profile owners, and starting from Android

     * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, holders of the permission

     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}.

     *

     *

     * @param admin Which profile or device owner this request is associated with.

     * @param admin Which profile or device owner this request is associated with.

     * @return Information about a pending system update or {@code null} if no update pending.

     * @return Information about a pending system update or {@code null} if no update pending.

     * @throws SecurityException if {@code admin} is not a device or profile owner.

     * @throws SecurityException if {@code admin} is not a device, profile owner or holders of

     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}.

     * @see DeviceAdminReceiver#onSystemUpdatePending(Context, Intent, long)

     * @see DeviceAdminReceiver#onSystemUpdatePending(Context, Intent, long)

     */

     */

    public @Nullable SystemUpdateInfo getPendingSystemUpdate(@NonNull ComponentName admin) {

    @RequiresPermission(value = MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES, conditional = true)

    @SuppressLint("RequiresPermission")

    @FlaggedApi(Flags.FLAG_PERMISSION_MIGRATION_FOR_ZERO_TRUST_API_ENABLED)

    public @Nullable SystemUpdateInfo getPendingSystemUpdate(@Nullable ComponentName admin) {

        throwIfParentInstance("getPendingSystemUpdate");

        throwIfParentInstance("getPendingSystemUpdate");

        try {

        try {

            return mService.getPendingSystemUpdate(admin);

            return mService.getPendingSystemUpdate(admin, mContext.getPackageName());

        } catch (RemoteException re) {

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

            throw re.rethrowFromSystemServer();

        }

        }

     * The identifier would be consistent even if the work profile is removed and enrolled again

     * The identifier would be consistent even if the work profile is removed and enrolled again

     * (to the same organization), or the device is factory reset and re-enrolled.

     * (to the same organization), or the device is factory reset and re-enrolled.

     *

     *

     * Can only be called by the Profile Owner or Device Owner, if the

     * Can only be called by the Profile Owner and Device Owner, and starting from Android

     * {@link #setOrganizationId(String)} was previously called.

     * {@link android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM}, holders of the permission

     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES}.

     * If {@link #setOrganizationId(String)} was not called, then the returned value will be an

     * If {@link #setOrganizationId(String)} was not called, then the returned value will be an

     * empty string.

     * empty string.

     *

     *

     * and must switch to using this method.

     * and must switch to using this method.

     *

     *

     * @return A stable, enrollment-specific identifier.

     * @return A stable, enrollment-specific identifier.

     * @throws SecurityException if the caller is not a profile owner or device owner.

     * @throws SecurityException if the caller is not a profile owner, device owner or holding the

     * {@link android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES} permission

     */

     */

    @RequiresPermission(value = MANAGE_DEVICE_POLICY_CERTIFICATES, conditional = true)

    @SuppressLint("RequiresPermission")

    @FlaggedApi(Flags.FLAG_PERMISSION_MIGRATION_FOR_ZERO_TRUST_API_ENABLED)

    @NonNull public String getEnrollmentSpecificId() {

    @NonNull public String getEnrollmentSpecificId() {

        throwIfParentInstance("getEnrollmentSpecificId");

        throwIfParentInstance("getEnrollmentSpecificId");

        if (mService == null) {

        if (mService == null) {

    boolean getDoNotAskCredentialsOnBoot();

    boolean getDoNotAskCredentialsOnBoot();

    void notifyPendingSystemUpdate(in SystemUpdateInfo info);

    void notifyPendingSystemUpdate(in SystemUpdateInfo info);

    SystemUpdateInfo getPendingSystemUpdate(in ComponentName admin);

    SystemUpdateInfo getPendingSystemUpdate(in ComponentName admin, in String callerPackage);

    void setPermissionPolicy(in ComponentName admin, in String callerPackage, int policy);

    void setPermissionPolicy(in ComponentName admin, in String callerPackage, int policy);

    int  getPermissionPolicy(in ComponentName admin);

    int  getPermissionPolicy(in ComponentName admin);

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PRINTING;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PRINTING;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILES;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILES;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_PROFILE_INTERACTION;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESET_PASSWORD;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESTRICT_PRIVATE_DNS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RESTRICT_PRIVATE_DNS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIPE_DATA;

import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIPE_DATA;

import static android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS;

import static android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS;

import static android.Manifest.permission.MASTER_CLEAR;

import static android.Manifest.permission.MASTER_CLEAR;

import static android.Manifest.permission.NOTIFY_PENDING_SYSTEM_UPDATE;

import static android.Manifest.permission.QUERY_ADMIN_POLICY;

import static android.Manifest.permission.QUERY_ADMIN_POLICY;

import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;

import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;

import static android.Manifest.permission.SET_TIME;

import static android.Manifest.permission.SET_TIME;

import static android.app.admin.flags.Flags.devicePolicySizeTrackingEnabled;

import static android.app.admin.flags.Flags.devicePolicySizeTrackingEnabled;

import static android.app.admin.flags.Flags.dumpsysPolicyEngineMigrationEnabled;

import static android.app.admin.flags.Flags.dumpsysPolicyEngineMigrationEnabled;

import static android.app.admin.flags.Flags.headlessDeviceOwnerSingleUserEnabled;

import static android.app.admin.flags.Flags.headlessDeviceOwnerSingleUserEnabled;

import static android.app.admin.flags.Flags.permissionMigrationForZeroTrustImplEnabled;

import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;

import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;

import static android.app.admin.flags.Flags.assistContentUserRestrictionEnabled;

import static android.app.admin.flags.Flags.assistContentUserRestrictionEnabled;

import static android.app.admin.flags.Flags.securityLogV2Enabled;

import static android.app.admin.flags.Flags.securityLogV2Enabled;

    @Override

    @Override

    public void notifyPendingSystemUpdate(@Nullable SystemUpdateInfo info) {

    public void notifyPendingSystemUpdate(@Nullable SystemUpdateInfo info) {

        Preconditions.checkCallAuthorization(

        Preconditions.checkCallAuthorization(

                hasCallingOrSelfPermission(permission.NOTIFY_PENDING_SYSTEM_UPDATE),

                hasCallingOrSelfPermission(NOTIFY_PENDING_SYSTEM_UPDATE),

                "Only the system update service can broadcast update information");

                "Only the system update service can broadcast update information");

        mInjector.binderWithCleanCallingIdentity(() -> {

        mInjector.binderWithCleanCallingIdentity(() -> {

            }

            }

            // Send broadcasts to corresponding profile owners if any.

            // Send broadcasts to corresponding profile owners if any.

            for (final int userId : runningUserIds) {

            for (final int userId : runningUserIds) {

                final ComponentName profileOwnerPackage;

                synchronized (getLockObject()) {

                synchronized (getLockObject()) {

                    final ComponentName profileOwnerPackage =

                    profileOwnerPackage = mOwners.getProfileOwnerComponent(userId);

                            mOwners.getProfileOwnerComponent(userId);

                }

                if (profileOwnerPackage != null) {

                if (profileOwnerPackage != null) {

                    intent.setComponent(profileOwnerPackage);

                    intent.setComponent(profileOwnerPackage);

                    mContext.sendBroadcastAsUser(intent, UserHandle.of(userId));

                    mContext.sendBroadcastAsUser(intent, UserHandle.of(userId));

                }

                }

                if (permissionMigrationForZeroTrustImplEnabled()) {

                    final UserHandle user = UserHandle.of(userId);

                    final String roleHolderPackage = getRoleHolderPackageNameOnUser(

                            RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, userId);

                    if (roleHolderPackage != null) {

                        broadcastExplicitIntentToPackage(intent, roleHolderPackage, user);

                    }

                }

                }

            }

            }

        });

        });

    }

    }

    @Override

    @Override

    public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin) {

    public SystemUpdateInfo getPendingSystemUpdate(ComponentName admin, String callerPackage) {

        if (permissionMigrationForZeroTrustImplEnabled()) {

            CallerIdentity caller = getCallerIdentity(admin, callerPackage);

            enforcePermissions(new String[] {NOTIFY_PENDING_SYSTEM_UPDATE,

                    MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES}, caller.getPackageName(),

                    caller.getUserId());

        } else {

            Objects.requireNonNull(admin, "ComponentName is null");

            Objects.requireNonNull(admin, "ComponentName is null");

            final CallerIdentity caller = getCallerIdentity(admin);

            final CallerIdentity caller = getCallerIdentity(admin);

            Preconditions.checkCallAuthorization(

            Preconditions.checkCallAuthorization(

                    isDefaultDeviceOwner(caller) || isProfileOwner(caller));

                    isDefaultDeviceOwner(caller) || isProfileOwner(caller));

        }

        return mOwners.getSystemUpdateInfo();

        return mOwners.getSystemUpdateInfo();

    }

    }

        }

        }

        final CallerIdentity caller = getCallerIdentity(callerPackage);

        final CallerIdentity caller = getCallerIdentity(callerPackage);

        if (permissionMigrationForZeroTrustImplEnabled()) {

            enforcePermission(MANAGE_DEVICE_POLICY_CERTIFICATES, caller.getPackageName());

        } else {

            Preconditions.checkCallAuthorization(

            Preconditions.checkCallAuthorization(

                    isDefaultDeviceOwner(caller) || isProfileOwner(caller)

                    isDefaultDeviceOwner(caller) || isProfileOwner(caller)

                            || isCallerDelegate(caller, DELEGATION_CERT_INSTALL));

                            || isCallerDelegate(caller, DELEGATION_CERT_INSTALL));

        }

        synchronized (getLockObject()) {

        synchronized (getLockObject()) {

            final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked(

            final ActiveAdmin requiredAdmin = getDeviceOrProfileOwnerAdminLocked(

                    caller.getUserId());

                    caller.getUserId());

            final String esid = requiredAdmin.mEnrollmentSpecificId;

            final String esid = requiredAdmin != null ? requiredAdmin.mEnrollmentSpecificId : null;

            return esid != null ? esid : "";

            return esid != null ? esid : "";

        }

        }

    }

    }

            MANAGE_DEVICE_POLICY_WINDOWS,

            MANAGE_DEVICE_POLICY_WINDOWS,

            MANAGE_DEVICE_POLICY_WIPE_DATA,

            MANAGE_DEVICE_POLICY_WIPE_DATA,

            SET_TIME,

            SET_TIME,

            SET_TIME_ZONE

            SET_TIME_ZONE,

            MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES

    );

    );

    private static final List<String> FINANCED_DEVICE_OWNER_PERMISSIONS = List.of(

    private static final List<String> FINANCED_DEVICE_OWNER_PERMISSIONS = List.of(

            MANAGE_DEVICE_POLICY_ACROSS_USERS,

            MANAGE_DEVICE_POLICY_ACROSS_USERS,

                    MANAGE_DEVICE_POLICY_SYSTEM_DIALOGS,

                    MANAGE_DEVICE_POLICY_SYSTEM_DIALOGS,

                    MANAGE_DEVICE_POLICY_TIME,

                    MANAGE_DEVICE_POLICY_TIME,

                    MANAGE_DEVICE_POLICY_VPN,

                    MANAGE_DEVICE_POLICY_VPN,

                    MANAGE_DEVICE_POLICY_WIPE_DATA

                    MANAGE_DEVICE_POLICY_WIPE_DATA,

                    MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES

            );

            );

    /**

    /**