
Commit bf8dbde6 authored by Azhara Assanova's avatar Azhara Assanova

[AAPM] DisallowInstallUnknownSources: remove set state after disable

After AAPM is disabled, all disallow install unknown sources toggles
should now go back to their original state, hence this change removes
the code that set them to MODE_ERRORED.

Bug: 369361373
Test: manually enabled, disabled, and observed the toggle is enabled
Test: atest DisallowInstallUnknownSourcesTest
Flag: android.security.aapm_feature_disable_install_unknown_sources
Change-Id: Id786f0e5026302cb3ef455b096e6007671db1668
parent 84f5f8ff
+3 −55
@@ -19,24 +19,13 @@ package com.android.server.security.advancedprotection.features;
import static android.security.advancedprotection.AdvancedProtectionManager.ADVANCED_PROTECTION_SYSTEM_ENTITY;
import static android.security.advancedprotection.AdvancedProtectionManager.FEATURE_ID_DISALLOW_INSTALL_UNKNOWN_SOURCES;

import android.Manifest;
import android.annotation.NonNull;
import android.app.ActivityManagerInternal;
import android.app.AppGlobals;
import android.app.AppOpsManager;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.content.pm.IPackageManager;
import android.content.pm.PackageManager;
import android.content.pm.UserInfo;
import android.os.Process;
import android.os.RemoteException;
import android.os.UserManager;
import android.security.advancedprotection.AdvancedProtectionFeature;
import android.util.Slog;

import com.android.server.LocalServices;

/** @hide */
public final class DisallowInstallUnknownSourcesAdvancedProtectionHook
        extends AdvancedProtectionHook {
@@ -45,24 +34,14 @@ public final class DisallowInstallUnknownSourcesAdvancedProtectionHook
    private final AdvancedProtectionFeature mFeature = new AdvancedProtectionFeature(
            FEATURE_ID_DISALLOW_INSTALL_UNKNOWN_SOURCES);

    private final ActivityManagerInternal mActivityManagerInternal;
    private final AppOpsManager mAppOpsManager;
    private final DevicePolicyManager mDevicePolicyManager;
    private final IPackageManager mIPackageManager;
    private final PackageManager mPackageManager;
    private final UserManager mUserManager;

    public DisallowInstallUnknownSourcesAdvancedProtectionHook(@NonNull Context context,
            boolean enabled) {
        super(context, enabled);
        mActivityManagerInternal = LocalServices.getService(ActivityManagerInternal.class);
        mAppOpsManager = context.getSystemService(AppOpsManager.class);
        mDevicePolicyManager = context.getSystemService(DevicePolicyManager.class);
        mIPackageManager = AppGlobals.getPackageManager();
        mUserManager = context.getSystemService(UserManager.class);
        mPackageManager = context.getPackageManager();

        setRestriction(enabled);
        onAdvancedProtectionChanged(enabled);
    }

    @NonNull
@@ -76,7 +55,8 @@ public final class DisallowInstallUnknownSourcesAdvancedProtectionHook
        return true;
    }

    private void setRestriction(boolean enabled) {
    @Override
    public void onAdvancedProtectionChanged(boolean enabled) {
        if (enabled) {
            Slog.d(TAG, "Setting DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY restriction");
            mDevicePolicyManager.addUserRestrictionGlobally(ADVANCED_PROTECTION_SYSTEM_ENTITY,
@@ -87,36 +67,4 @@ public final class DisallowInstallUnknownSourcesAdvancedProtectionHook
                    UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }
    }

    @Override
    public void onAdvancedProtectionChanged(boolean enabled) {
        setRestriction(enabled);
        if (enabled) return;

        // Leave OP_REQUEST_INSTALL_PACKAGES disabled when APM is disabled.
        Slog.d(TAG, "Setting all OP_REQUEST_INSTALL_PACKAGES to MODE_ERRORED");
        for (UserInfo userInfo : mUserManager.getAliveUsers()) {
            try {
                final String[] packagesWithRequestInstallPermission = mIPackageManager
                        .getAppOpPermissionPackages(
                                Manifest.permission.REQUEST_INSTALL_PACKAGES, userInfo.id);
                for (String packageName : packagesWithRequestInstallPermission) {
                    try {
                        int uid = mPackageManager.getPackageUidAsUser(packageName, userInfo.id);
                        boolean isCallerInstrumented = mActivityManagerInternal
                                .getInstrumentationSourceUid(uid) != Process.INVALID_UID;
                        if (!isCallerInstrumented) {
                            mAppOpsManager.setMode(AppOpsManager.OP_REQUEST_INSTALL_PACKAGES, uid,
                                    packageName, AppOpsManager.MODE_ERRORED);
                        }
                    } catch (PackageManager.NameNotFoundException e) {
                        Slog.e(TAG, "Couldn't retrieve uid for a package: " + e);
                    }
                }
            } catch (RemoteException e) {
                Slog.e(TAG, "Couldn't retrieve packages with REQUEST_INSTALL_PACKAGES."
                        + " getAppOpPermissionPackages() threw the following exception: " + e);
            }
        }
    }
}
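Review bot: The surviving `onAdvancedProtectionChanged` has no comment recording that disabling now deliberately leaves per-app `OP_REQUEST_INSTALL_PACKAGES` modes untouched. The removed comment stated the opposite policy ("Leave OP_REQUEST_INSTALL_PACKAGES disabled when APM is disabled"), so the reversal is documented only in the commit message. I would add a Javadoc such as `/** Adds or clears DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY for ADVANCED_PROTECTION_SYSTEM_ENTITY; per-app OP_REQUEST_INSTALL_PACKAGES modes are intentionally never modified here. */`. It is also worth confirming whether any build with the old disable path shipped, because packages it set to `MODE_ERRORED` would presumably stay that way, and nothing visible here restores them. Part of the method body, apparently the disable branch, lies between the hunks and is not visible, so this is based on the visible lines only.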