
Commit 8f66c43a authored by Eran Messeri's avatar Eran Messeri Committed by Android (Google) Code Review

Merge "Use the MTE flag only for guarding policy identifier" into main

parents 40aa32b3 b8cc7f8d
+29 −2
@@ -20,10 +20,12 @@ import android.annotation.BroadcastBehavior;
import android.annotation.NonNull;
import android.annotation.SdkConstant;
import android.annotation.TestApi;
import android.app.admin.flags.Flags;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;

import java.util.Objects;
@@ -46,6 +48,10 @@ import java.util.Objects;
public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
    private static String TAG = "PolicyUpdateReceiver";

    //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
    //when the appropriate flag is launched.
    private static final String MEMORY_TAGGING_POLICY = "memoryTagging";

    /**
     * Action for a broadcast sent to admins to communicate back the result of setting a policy in
     * {@link DevicePolicyManager}.
@@ -156,15 +162,28 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
    @Override
    public final void onReceive(Context context, Intent intent) {
        Objects.requireNonNull(intent.getAction());
        String policyKey;
        switch (intent.getAction()) {
            case ACTION_DEVICE_POLICY_SET_RESULT:
                Log.i(TAG, "Received ACTION_DEVICE_POLICY_SET_RESULT");
                onPolicySetResult(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
                policyKey = getPolicyKey(intent);
                if (!shouldPropagatePolicy(policyKey)) {
                    Log.d(TAG, TextUtils.formatSimple(
                            "Skipping propagation of policy %s", policyKey));
                    break;
                }
                onPolicySetResult(context, policyKey, getPolicyExtraBundle(intent),
                        getTargetUser(intent), getPolicyChangedReason(intent));
                break;
            case ACTION_DEVICE_POLICY_CHANGED:
                Log.i(TAG, "Received ACTION_DEVICE_POLICY_CHANGED");
                onPolicyChanged(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
                policyKey = getPolicyKey(intent);
                if (!shouldPropagatePolicy(policyKey)) {
                    Log.d(TAG, TextUtils.formatSimple(
                            "Skipping propagation of policy %s", policyKey));
                    break;
                }
                onPolicyChanged(context, policyKey, getPolicyExtraBundle(intent),
                        getTargetUser(intent), getPolicyChangedReason(intent));
                break;
            default:
@@ -217,6 +236,14 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
        return new TargetUser(targetUserId);
    }

    /**
     * @hide
     */
    private boolean shouldPropagatePolicy(String policyKey) {
        return !MEMORY_TAGGING_POLICY.equals(policyKey) || Flags.setMtePolicyCoexistence();
    }


    // TODO(b/260847505): Add javadocs to explain which DPM APIs are supported
    /**
     * Callback triggered after an admin has set a policy using one of the APIs in
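Review bot: The Javadoc added for `shouldPropagatePolicy` consists only of `@hide`, which has no effect on a private method and leaves the reason for the guard undocumented; suggested replacement: `/** Returns false for the memory-tagging policy while {@code Flags.setMtePolicyCoexistence()} is off, so admins never receive callbacks for an identifier that has not launched; every other policy is propagated. */`. The skip-and-log block is duplicated verbatim in both `case` arms of `onReceive`; computing `policyKey` once and evaluating `shouldPropagatePolicy` before the `switch` would remove the duplication, provided `getPolicyKey(intent)` is safe to call for the action handled by `default`. `onReceive` continues past the end of its hunk, and the class continues past the section.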
+5 −3
@@ -16,7 +16,6 @@

package android.security.advancedprotection;

import static android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY;
import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;
import static android.os.UserManager.DISALLOW_CELLULAR_2G;
import static android.os.UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY;
@@ -59,6 +58,10 @@ import java.util.concurrent.Executor;
public final class AdvancedProtectionManager {
    private static final String TAG = "AdvancedProtectionMgr";

    //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
    //when the appropriate flag is launched.
    private static final String MEMORY_TAGGING_POLICY = "memoryTagging";

    /**
     * Advanced Protection's identifier for setting policies or restrictions in
     * {@link DevicePolicyManager}.
@@ -359,8 +362,7 @@ public final class AdvancedProtectionManager {
            featureId = FEATURE_ID_DISALLOW_INSTALL_UNKNOWN_SOURCES;
        } else if (DISALLOW_CELLULAR_2G.equals(identifier)) {
            featureId = FEATURE_ID_DISALLOW_CELLULAR_2G;
        } else if (android.app.admin.flags.Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY
                .equals(identifier)) {
        } else if (MEMORY_TAGGING_POLICY.equals(identifier)) {
            featureId = FEATURE_ID_ENABLE_MTE;
        } else {
            throw new UnsupportedOperationException("Unsupported identifier: " + identifier);
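Review bot: With the static import of `DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY` removed and the private `"memoryTagging"` literal used in the `else if` instead, a mismatch between the two strings no longer fails at compile time but falls through to the `UnsupportedOperationException` below; a unit test asserting `MEMORY_TAGGING_POLICY.equals(DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY)` would catch such drift before it reaches callers. The same literal and TODO are duplicated in PolicyUpdateReceiver earlier in this commit, where drift would instead silently disable its `shouldPropagatePolicy` guard, so both copies need the same protection. The TODO should also name the flag it is waiting on instead of "the appropriate flag" so it can be acted on: `//TODO(b/378931989): use DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY once <flag guarding that identifier> launches; until then this literal must stay byte-identical to it.` The enclosing method starts before the hunk.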
+21 −72
@@ -3582,14 +3582,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @GuardedBy("getLockObject()")
    private boolean maybeMigrateMemoryTaggingLocked(String backupId) {
        if (!Flags.setMtePolicyCoexistence()) {
            Slog.i(LOG_TAG, "Memory Tagging not migrated because coexistence "
                    + "support is disabled.");
            return false;
        }
        if (mOwners.isMemoryTaggingMigrated()) {
            // TODO: Remove log after Flags.setMtePolicyCoexistence full rollout.
            Slog.v(LOG_TAG, "Memory Tagging was previously migrated to policy engine.");
            return false;
        }
@@ -16354,7 +16347,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    private static <V> PolicyDefinition<V> getPolicyDefinitionForIdentifier(
            @NonNull String identifier) {
        Objects.requireNonNull(identifier);
        if (Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY.equals(identifier)) {
        if (MEMORY_TAGGING_POLICY.equals(identifier)) {
            return (PolicyDefinition<V>) PolicyDefinition.MEMORY_TAGGING;
        } else {
            return (PolicyDefinition<V>) getPolicyDefinitionForRestriction(identifier);
@@ -23759,17 +23752,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller));
        }
        if (Flags.setMtePolicyCoexistence()) {
        enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
                UserHandle.USER_ALL);
        } else {
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller)
                    || isProfileOwnerOfOrganizationOwnedDevice(caller));
        }
        synchronized (getLockObject()) {
            if (Flags.setMtePolicyCoexistence()) {
            final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
                    MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
            if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
@@ -23782,24 +23768,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        PolicyDefinition.MEMORY_TAGGING,
                        admin);
            }
            } else {
                ActiveAdmin admin =
                        getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
                if (admin != null) {
                    final String memtagProperty = "arm64.memtag.bootctl";
                    if (flags == DevicePolicyManager.MTE_ENABLED) {
                        mInjector.systemPropertiesSet(memtagProperty, "memtag");
                    } else if (flags == DevicePolicyManager.MTE_DISABLED) {
                        mInjector.systemPropertiesSet(memtagProperty, "memtag-off");
                    } else if (flags == DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
                        if (admin.mtePolicy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
                            mInjector.systemPropertiesSet(memtagProperty, "default");
                        }
                    }
                    admin.mtePolicy = flags;
                    saveSettingsLocked(caller.getUserId());
                }
            }
            DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_MTE_POLICY)
                    .setInt(flags)
@@ -23817,10 +23785,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
                "Only system services can call setMtePolicyBySystem");
        if (!Flags.setMtePolicyCoexistence()) {
            throw new UnsupportedOperationException("System can not set MTE policy only");
        }
        EnforcingAdmin admin = EnforcingAdmin.createSystemEnforcingAdmin(systemEntity);
        if (policy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
            mDevicePolicyEngine.setGlobalPolicy(
@@ -23858,31 +23822,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public int getMtePolicy(String callerPackageName) {
        final CallerIdentity caller = getCallerIdentity(callerPackageName);
        if (Flags.setMtePolicyCoexistence()) {
        enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
                UserHandle.USER_ALL);
        } else {
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller)
                    || isProfileOwnerOfOrganizationOwnedDevice(caller)
                    || isSystemUid(caller));
        }
        synchronized (getLockObject()) {
            if (Flags.setMtePolicyCoexistence()) {
            final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
                    MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
            final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
                    PolicyDefinition.MEMORY_TAGGING, admin);
            return (policyFromAdmin != null ? policyFromAdmin
                    : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
            } else {
                ActiveAdmin admin =
                        getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
                return admin != null
                        ? admin.mtePolicy
                        : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY;
            }
        }
    }
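Review bot: In `setMtePolicy` the permission is now checked twice on every call, `enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(), UserHandle.USER_ALL)` before the lock and `enforcePermissionAndGetEnforcingAdmin(null, MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId())` inside it; both calls were already in the flag-on branch, but with the legacy branch deleted this is the only path, so the redundancy should be settled. If the second call performs the same check, the first can be dropped (the same pair appears in `getMtePolicy`); if the `UserHandle.USER_ALL` scope is deliberately the stricter check, a one-line comment saying so would stop the next reader from removing it. The deleted legacy branch was also the only place in these hunks where `ActiveAdmin.mtePolicy` and the `arm64.memtag.bootctl` property were written, so admins whose policy still lives in `ActiveAdmin.mtePolicy` now depend on `maybeMigrateMemoryTaggingLocked` (made unconditional in the first hunk) having run before this path is reached; a comment at the top of the `synchronized` block, `// Legacy ActiveAdmin.mtePolicy values are carried over by maybeMigrateMemoryTaggingLocked(); reads and writes go through the policy engine only.`, would record that dependency. `setMtePolicy` begins before its hunk and the `DevicePolicyEventLogger` call continues past it.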
+3 −6
@@ -433,10 +433,8 @@ class OwnersData {
                out.attributeBoolean(null, ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED,
                        mResetPasswordWithTokenMigrated);
            }
            if (Flags.setMtePolicyCoexistence()) {
            out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
                    mMemoryTaggingMigrated);
            }
            if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
                out.attributeBoolean(null, ATTR_SET_KEYGUARD_DISABLED_FEATURES_MIGRATED,
                        mSetKeyguardDisabledFeaturesMigrated);
@@ -514,8 +512,7 @@ class OwnersData {
                    mResetPasswordWithTokenMigrated = Flags.resetPasswordWithTokenCoexistence()
                            && parser.getAttributeBoolean(null,
                            ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED, false);
                    mMemoryTaggingMigrated = Flags.setMtePolicyCoexistence()
                            && parser.getAttributeBoolean(null,
                    mMemoryTaggingMigrated = parser.getAttributeBoolean(null,
                            ATTR_MEMORY_TAGGING_MIGRATED, false);
                    mSetKeyguardDisabledFeaturesMigrated =
                            Flags.setKeyguardDisabledFeaturesCoexistence()