
Commit 8fd56c62 authored by Treehugger Robot's avatar Treehugger Robot Committed by Android (Google) Code Review

Merge "Migrate Memory Tagging to DPE" into main

parents 84b7b369 3ea674c0
+1 −0
@@ -8024,6 +8024,7 @@ package android.app.admin {
    field @FlaggedApi("android.view.contentprotection.flags.manage_device_policy_enabled") public static final String CONTENT_PROTECTION_POLICY = "contentProtection";
    field public static final String KEYGUARD_DISABLED_FEATURES_POLICY = "keyguardDisabledFeatures";
    field public static final String LOCK_TASK_POLICY = "lockTask";
    field @FlaggedApi("android.app.admin.flags.set_mte_policy_coexistence") public static final String MEMORY_TAGGING_POLICY = "memoryTagging";
    field public static final String PACKAGES_SUSPENDED_POLICY = "packagesSuspended";
    field public static final String PACKAGE_UNINSTALL_BLOCKED_POLICY = "packageUninstallBlocked";
    field public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity";
+6 −0
@@ -190,6 +190,12 @@ public final class DevicePolicyIdentifiers {
     */
    public static final String PASSWORD_COMPLEXITY_POLICY = "passwordComplexity";

    /**
     * String identifier for {@link DevicePolicyManager#setMtePolicy(int)}.
     */
    @FlaggedApi(android.app.admin.flags.Flags.FLAG_SET_MTE_POLICY_COEXISTENCE)
    public static final String MEMORY_TAGGING_POLICY = "memoryTagging";

    /**
     * @hide
     */
+109 −29
@@ -3551,6 +3551,46 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        return true;
    }
    @GuardedBy("getLockObject()")
    private boolean maybeMigrateMemoryTaggingLocked(String backupId) {
        if (!Flags.setMtePolicyCoexistence()) {
            Slog.i(LOG_TAG, "Memory Tagging not migrated because coexistence "
                    + "support is disabled.");
            return false;
        }
        if (mOwners.isMemoryTaggingMigrated()) {
            // TODO: Remove log after Flags.setMtePolicyCoexistence full rollout.
            Slog.v(LOG_TAG, "Memory Tagging was previously migrated to policy engine.");
            return false;
        }
        Slog.i(LOG_TAG, "Migrating Memory Tagging to policy engine");
        // Create backup if none exists
        mDevicePolicyEngine.createBackup(backupId);
        try {
            iterateThroughDpcAdminsLocked((admin, enforcingAdmin) -> {
                if (admin.mtePolicy != 0) {
                    Slog.i(LOG_TAG, "Setting Memory Tagging policy");
                    mDevicePolicyEngine.setGlobalPolicy(
                            PolicyDefinition.MEMORY_TAGGING,
                            enforcingAdmin,
                            new IntegerPolicyValue(admin.mtePolicy),
                            true /* No need to re-set system properties */);
                }
            });
        } catch (Exception e) {
            Slog.wtf(LOG_TAG,
                    "Failed to migrate Memory Tagging to policy engine", e);
        }
        Slog.i(LOG_TAG, "Marking Memory Tagging migration complete");
        mOwners.markMemoryTaggingMigrated();
        return true;
    }
    /** Register callbacks for statsd pulled atoms. */
    private void registerStatsCallbacks() {
        final StatsManager statsManager = mContext.getSystemService(StatsManager.class);
@@ -23332,13 +23372,32 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller));
        }
        if (Flags.setMtePolicyCoexistence()) {
            enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
                    UserHandle.USER_ALL);
        } else {
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller)
                    || isProfileOwnerOfOrganizationOwnedDevice(caller));
        }
        synchronized (getLockObject()) {
            if (Flags.setMtePolicyCoexistence()) {
                final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
                        MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
                if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
                    mDevicePolicyEngine.setGlobalPolicy(
                            PolicyDefinition.MEMORY_TAGGING,
                            admin,
                            new IntegerPolicyValue(flags));
                } else {
                    mDevicePolicyEngine.removeGlobalPolicy(
                            PolicyDefinition.MEMORY_TAGGING,
                            admin);
                }
            } else {
                ActiveAdmin admin =
                        getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
                if (admin != null) {
                    final String memtagProperty = "arm64.memtag.bootctl";
                    if (flags == DevicePolicyManager.MTE_ENABLED) {
@@ -23352,6 +23411,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    }
                    admin.mtePolicy = flags;
                    saveSettingsLocked(caller.getUserId());
                }
            }
            DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_MTE_POLICY)
                    .setInt(flags)
@@ -23359,17 +23420,29 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                    .write();
        }
    }
    }
    @Override
    public int getMtePolicy(String callerPackageName) {
        final CallerIdentity caller = getCallerIdentity(callerPackageName);
        if (Flags.setMtePolicyCoexistence()) {
            enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
                    UserHandle.USER_ALL);
        } else {
            Preconditions.checkCallAuthorization(
                    isDefaultDeviceOwner(caller)
                    || isProfileOwnerOfOrganizationOwnedDevice(caller)
                    || isSystemUid(caller));
        }
        synchronized (getLockObject()) {
            if (Flags.setMtePolicyCoexistence()) {
                final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
                        MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
                final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
                        PolicyDefinition.MEMORY_TAGGING, admin);
                return (policyFromAdmin != null ? policyFromAdmin
                        : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
            } else {
                ActiveAdmin admin =
                        getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
                return admin != null
@@ -23377,6 +23450,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY;
            }
        }
    }
    @Override
    public void setContentProtectionPolicy(
@@ -23736,6 +23810,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            Slogf.i(LOG_TAG, "Backup made: " + supervisionBackupId);
        }
        String memoryTaggingBackupId = "36.3.memory-tagging";
        boolean memoryTaggingMigrated = maybeMigrateMemoryTaggingLocked(memoryTaggingBackupId);
        if (memoryTaggingMigrated) {
            Slogf.i(LOG_TAG, "Backup made: " + memoryTaggingBackupId);
        }
        // Additional migration steps should repeat the pattern above with a new backupId.
    }
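Review bot: In maybeMigrateMemoryTaggingLocked the catch block only logs through Slog.wtf, and execution then falls through to `mOwners.markMemoryTaggingMigrated()` and `return true`, so a migration that threw partway is recorded as complete and is never retried. With the coexistence flag on, the setMtePolicy and getMtePolicy branches in this same section work only against the policy engine, so an admin's existing `mtePolicy` that failed to migrate would presumably stop being reported through that path, weakening a memory-safety control with no signal beyond the log line. Consider adding `return false;` after the `Slog.wtf(...)` call so the migrated marker stays unset and the next boot retries; the "Create backup if none exists" comment suggests the backup step is safe to repeat. If recording completion on failure is deliberate, for example to match the earlier migrations that are outside this view, a short comment saying so above the catch would help.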
+13 −0
@@ -682,6 +682,19 @@ class Owners {
        }
    }

    void markMemoryTaggingMigrated() {
        synchronized (mData) {
            mData.mMemoryTaggingMigrated = true;
            mData.writeDeviceOwner();
        }
    }

    boolean isMemoryTaggingMigrated() {
        synchronized (mData) {
            return mData.mMemoryTaggingMigrated;
        }
    }

    @GuardedBy("mData")
    void pushToAppOpsLocked() {
        if (!mSystemReady) {
+11 −1
@@ -93,6 +93,9 @@ class OwnersData {
    private static final String ATTR_SUSPENDED_PACKAGES_MIGRATED = "suspendedPackagesMigrated";
    private static final String ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED =
            "resetPasswordWithTokenMigrated";
    private static final String ATTR_MEMORY_TAGGING_MIGRATED =
            "memoryTaggingMigrated";

    private static final String ATTR_MIGRATED_POST_UPGRADE = "migratedPostUpgrade";

    // Internal state for the device owner package.
@@ -125,6 +128,7 @@ class OwnersData {
    boolean mRequiredPasswordComplexityMigrated = false;
    boolean mSuspendedPackagesMigrated = false;
    boolean mResetPasswordWithTokenMigrated = false;
    boolean mMemoryTaggingMigrated = false;

    boolean mPoliciesMigratedPostUpdate = false;

@@ -424,6 +428,10 @@ class OwnersData {
                out.attributeBoolean(null, ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED,
                        mResetPasswordWithTokenMigrated);
            }
            if (Flags.setMtePolicyCoexistence()) {
                out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
                        mMemoryTaggingMigrated);
            }
            out.endTag(null, TAG_POLICY_ENGINE_MIGRATION);

        }
@@ -497,7 +505,9 @@ class OwnersData {
                    mResetPasswordWithTokenMigrated = Flags.resetPasswordWithTokenCoexistence()
                            && parser.getAttributeBoolean(null,
                            ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED, false);

                    mMemoryTaggingMigrated = Flags.setMtePolicyCoexistence()
                            && parser.getAttributeBoolean(null,
                            ATTR_MEMORY_TAGGING_MIGRATED, false);
                    break;
                default:
                    Slog.e(TAG, "Unexpected tag: " + tag);