Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bb27189f authored by Eran Messeri's avatar Eran Messeri
Browse files

Grant Device IDs access to Profile Owner 

In order to allow inclusion of device identifiers in the key attestation
record generated by the profile owner, the platform needs an explicit
signal that it is OK for the profile owner to access those identifiers.

Add a system-privileged method to the DevicePolicyManager that allows
system applications, as well as Managed Provisioning to indicate that the
profile owner may access those identifiers.

In the DevicePolicyManagerService the following has changed:
* The OwnerInfo now contains a flag indicating whether the profile owner
  was granted access to the device identifiers or not.
* The permission check for use of the Device ID Attestation flags in
  generateKeyPair has been adjusted to allow profile owner (or its
  delegate) to use them, if device identifiers access has been granted.
* A couple of utility methods have been added to ease checking of
  profile owner presence for a user and whether the profile owner can
  access device identifiers.

Additionally, a new adb command has been added to give this grant to an
existing profile owner for testing purposes.

Bug: 111335970
Test: Manual, using TestDPC + ADB command.
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: Additional CTS tests, see cts change in the same topic.

Change-Id: I05f2323d5edacd774cd3ce082ee9c551100f4afd
parent 10113a7c

api/system-current.txt

+2 −0
Original line number Diff line number Diff line
@@ -74,6 +74,7 @@ package android { 
    field public static final java.lang.String GET_PROCESS_STATE_AND_OOM_SCORE = "android.permission.GET_PROCESS_STATE_AND_OOM_SCORE";

    field public static final java.lang.String GET_TOP_ACTIVITY_INFO = "android.permission.GET_TOP_ACTIVITY_INFO";

    field public static final java.lang.String GLOBAL_SEARCH = "android.permission.GLOBAL_SEARCH";

    field public static final java.lang.String GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS = "android.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS";

    field public static final java.lang.String GRANT_RUNTIME_PERMISSIONS = "android.permission.GRANT_RUNTIME_PERMISSIONS";

    field public static final java.lang.String HARDWARE_TEST = "android.permission.HARDWARE_TEST";

    field public static final java.lang.String HDMI_CEC = "android.permission.HDMI_CEC";
@@ -581,6 +582,7 @@ package android.app.admin { 
    method public boolean packageHasActiveAdmins(java.lang.String);

    method public deprecated boolean setActiveProfileOwner(android.content.ComponentName, java.lang.String) throws java.lang.IllegalArgumentException;

    method public void setDeviceProvisioningConfigApplied();

    method public void setProfileOwnerCanAccessDeviceIdsForUser(android.content.ComponentName, android.os.UserHandle);

    field public static final java.lang.String ACCOUNT_FEATURE_DEVICE_OR_PROFILE_OWNER_ALLOWED = "android.account.DEVICE_OR_PROFILE_OWNER_ALLOWED";

    field public static final java.lang.String ACCOUNT_FEATURE_DEVICE_OR_PROFILE_OWNER_DISALLOWED = "android.account.DEVICE_OR_PROFILE_OWNER_DISALLOWED";

    field public static final java.lang.String ACTION_PROVISION_FINALIZATION = "android.app.action.PROVISION_FINALIZATION";

cmds/dpm/src/com/android/commands/dpm/Dpm.java

+16 −1
Original line number Diff line number Diff line
@@ -48,6 +48,8 @@ public final class Dpm extends BaseCommand { 
    private static final String COMMAND_CLEAR_FREEZE_PERIOD_RECORD = "clear-freeze-period-record";

    private static final String COMMAND_FORCE_NETWORK_LOGS = "force-network-logs";

    private static final String COMMAND_FORCE_SECURITY_LOGS = "force-security-logs";

    private static final String COMMAND_GRANT_PO_DEVICE_ID_ACCESS =

            "grant-profile-owner-device-ids-access";



    private IDevicePolicyManager mDevicePolicyManager;

    private int mUserId = UserHandle.USER_SYSTEM;
@@ -89,7 +91,10 @@ public final class Dpm extends BaseCommand { 
                "the DPC and triggers DeviceAdminReceiver.onNetworkLogsAvailable() if needed.\n" +

                "\n" +

                "dpm " + COMMAND_FORCE_SECURITY_LOGS + ": makes all security logs available to " +

                "the DPC and triggers DeviceAdminReceiver.onSecurityLogsAvailable() if needed.");

                "the DPC and triggers DeviceAdminReceiver.onSecurityLogsAvailable() if needed."

                + "\n"

                + "usage: dpm " + COMMAND_GRANT_PO_DEVICE_ID_ACCESS + ": "

                + "[ --user <USER_ID> | current ] <COMPONENT>\n");

    }



    @Override
@@ -124,6 +129,9 @@ public final class Dpm extends BaseCommand { 
            case COMMAND_FORCE_SECURITY_LOGS:

                runForceSecurityLogs();

                break;

            case COMMAND_GRANT_PO_DEVICE_ID_ACCESS:

                runGrantProfileOwnerDeviceIdsAccess();

                break;

            default:

                throw new IllegalArgumentException ("unknown command '" + command + "'");

        }
@@ -242,6 +250,13 @@ public final class Dpm extends BaseCommand { 
        System.out.println("Success");

    }





    private void runGrantProfileOwnerDeviceIdsAccess() throws RemoteException {

        parseArgs(/*canHaveName=*/ false);

        mDevicePolicyManager.grantDeviceIdsAccessToProfileOwner(mComponent, mUserId);

        System.out.println("Success");

    }



    private ComponentName parseComponentName(String component) {

        ComponentName cn = ComponentName.unflattenFromString(component);

        if (cn == null) {

core/java/android/app/admin/DevicePolicyManager.java

+27 −1
Original line number Diff line number Diff line
@@ -9792,7 +9792,6 @@ public class DevicePolicyManager { 
        }

    }





    /**

     * Sets the global Private DNS mode and host to be used.

     * May only be called by the device owner.
@@ -9867,4 +9866,31 @@ public class DevicePolicyManager { 
            throw re.rethrowFromSystemServer();

        }

    }



    /**

     * Grants the profile owner of the given user access to device identifiers (such as

     * serial number, IMEI and MEID).

     *

     * <p>This lets the profile owner request inclusion of device identifiers when calling

     * {@link generateKeyPair}.

     *

     * <p>This grant is necessary to guarantee that profile owners can access device identifiers.

     *

     * <p>Privileged system API - meant to be called by the system, particularly the managed

     * provisioning app, when a work profile is set up.

     *

     * @hide

     */

    @SystemApi

    public void setProfileOwnerCanAccessDeviceIdsForUser(

            @NonNull ComponentName who, @NonNull UserHandle userHandle) {

        if (mService == null) {

            return;

        }

        try {

            mService.grantDeviceIdsAccessToProfileOwner(who, userHandle.getIdentifier());

        } catch (RemoteException re) {

            throw re.rethrowFromSystemServer();

        }

    }

}

core/java/android/app/admin/IDevicePolicyManager.aidl

+2 −0
Original line number Diff line number Diff line
@@ -417,4 +417,6 @@ interface IDevicePolicyManager { 
    void setGlobalPrivateDns(in ComponentName admin, int mode, in String privateDnsHost);

    int getGlobalPrivateDnsMode(in ComponentName admin);

    String getGlobalPrivateDnsHost(in ComponentName admin);



    void grantDeviceIdsAccessToProfileOwner(in ComponentName who, int userId);

}

core/res/AndroidManifest.xml

+7 −1
Original line number Diff line number Diff line
@@ -4226,6 +4226,12 @@ 
    <permission android:name="android.permission.MANAGE_ACCESSIBILITY"

        android:protectionLevel="signature|setup" />



    <!-- @SystemApi Allows an app to grant a profile owner access to device identifiers.

         <p>Not for use by third-party applications.

         @hide -->

    <permission android:name="android.permission.GRANT_PROFILE_OWNER_DEVICE_IDS_ACCESS"

        android:protectionLevel="signature" />



    <application android:process="system"

                 android:persistent="true"

                 android:hasCode="false"