
Commit c3aad6e2 authored by Kholoud Mohamed's avatar Kholoud Mohamed Committed by Automerger Merge Worker

Merge "Stop using policy engine for permission grant state" into udc-dev am: 2554570b

parents 7e9dc654 2554570b
+91 −67
@@ -160,6 +160,7 @@ import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_SOMETHING;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED;
import static android.app.admin.DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_NOT_SUSPENDED;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY;
import static android.app.admin.DevicePolicyManager.PERSONAL_APPS_SUSPENDED_EXPLICITLY;
@@ -533,7 +534,6 @@ import java.util.Map;
import java.util.Objects;
import java.util.Objects;
import java.util.Set;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executor;
import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeUnit;
@@ -1186,10 +1186,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        // Resume logging if all remaining users are affiliated.
                        // Resume logging if all remaining users are affiliated.
                        maybeResumeDeviceWideLoggingLocked();
                        maybeResumeDeviceWideLoggingLocked();
                    }
                    }
                }
                if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
                if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
                    mDevicePolicyEngine.handleUserRemoved(userHandle);
                    mDevicePolicyEngine.handleUserRemoved(userHandle);
                }
                }
                }
            } else if (Intent.ACTION_USER_STARTED.equals(action)) {
            } else if (Intent.ACTION_USER_STARTED.equals(action)) {
                sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle);
                sendDeviceOwnerUserCommand(DeviceAdminReceiver.ACTION_USER_STARTED, userHandle);
                synchronized (getLockObject()) {
                synchronized (getLockObject()) {
@@ -4157,8 +4157,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        checkCanExecuteOrThrowUnsafe(DevicePolicyManager.OPERATION_REMOVE_ACTIVE_ADMIN);
        enforceUserUnlocked(userHandle);
        enforceUserUnlocked(userHandle);
        ActiveAdmin admin;
        synchronized (getLockObject()) {
        synchronized (getLockObject()) {
            ActiveAdmin admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
            admin = getActiveAdminUncheckedLocked(adminReceiver, userHandle);
            if (admin == null) {
            if (admin == null) {
                return;
                return;
            }
            }
@@ -4169,16 +4170,15 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        + adminReceiver);
                        + adminReceiver);
                return;
                return;
            }
            }
            mInjector.binderWithCleanCallingIdentity(() ->
            mInjector.binderWithCleanCallingIdentity(() ->
                    removeActiveAdminLocked(adminReceiver, userHandle));
                    removeActiveAdminLocked(adminReceiver, userHandle));
        }
        if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
        if (isPolicyEngineForFinanceFlagEnabled() || isPermissionCheckFlagEnabled()) {
            mDevicePolicyEngine.removePoliciesForAdmin(
            mDevicePolicyEngine.removePoliciesForAdmin(
                    EnforcingAdmin.createEnterpriseEnforcingAdmin(
                    EnforcingAdmin.createEnterpriseEnforcingAdmin(
                            adminReceiver, userHandle, admin));
                            adminReceiver, userHandle, admin));
        }
        }
    }
    }
    }
    private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) {
    private boolean canSetPasswordQualityOnParent(String packageName, final CallerIdentity caller) {
        return !mInjector.isChangeEnabled(
        return !mInjector.isChangeEnabled(
@@ -16661,8 +16661,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            }
        }
        }
        EnforcingAdmin enforcingAdmin;
        if (isPermissionCheckFlagEnabled()) {
        if (isPermissionCheckFlagEnabled()) {
            EnforcingAdmin enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
            enforcingAdmin = enforcePermissionAndGetEnforcingAdmin(
                    admin,
                    admin,
                    MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
                    MANAGE_DEVICE_POLICY_RUNTIME_PERMISSIONS,
                    callerPackage,
                    callerPackage,
@@ -16686,17 +16687,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                callback.sendResult(null);
                callback.sendResult(null);
                return;
                return;
            }
            }
            // TODO(b/266924257): decide how to handle the internal state if the package doesn't
            //  exist, or the permission isn't requested by the app, because we could end up with
            //  inconsistent state between the policy engine and package manager. Also a package
            //  might get removed or has it's permission updated after we've set the policy.
            mDevicePolicyEngine.setLocalPolicy(
                    PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                    enforcingAdmin,
                    new IntegerPolicyValue(grantState),
                    caller.getUserId());
            // TODO: update javadoc to reflect that callback no longer return success/failure
            callback.sendResult(Bundle.EMPTY);
        } else {
        } else {
            Preconditions.checkCallAuthorization((caller.hasAdminComponent()
            Preconditions.checkCallAuthorization((caller.hasAdminComponent()
                    && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
                    && (isProfileOwner(caller) || isDefaultDeviceOwner(caller)
@@ -16720,6 +16710,47 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                        callback.sendResult(null);
                        callback.sendResult(null);
                        return;
                        return;
                    }
                    }
                } catch (SecurityException e) {
                    Slogf.e(LOG_TAG, "Could not set permission grant state", e);
                    callback.sendResult(null);
                } finally {
                    mInjector.binderRestoreCallingIdentity(ident);
                }
            }
        }
        // TODO(b/278710449): enable when we stop policy enforecer callback from blocking the main
        //  thread
        if (false) {
            // TODO(b/266924257): decide how to handle the internal state if the package doesn't
            //  exist, or the permission isn't requested by the app, because we could end up with
            //  inconsistent state between the policy engine and package manager. Also a package
            //  might get removed or has it's permission updated after we've set the policy.
            if (grantState == PERMISSION_GRANT_STATE_DEFAULT) {
                mDevicePolicyEngine.removeLocalPolicy(
                        PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                        enforcingAdmin,
                        caller.getUserId());
            } else {
                mDevicePolicyEngine.setLocalPolicy(
                        PolicyDefinition.PERMISSION_GRANT(packageName, permission),
                        enforcingAdmin,
                        new IntegerPolicyValue(grantState),
                        caller.getUserId());
            }
            int newState = mInjector.binderWithCleanCallingIdentity(() ->
                    getPermissionGrantStateForUser(
                            packageName, permission, caller, caller.getUserId()));
            if (newState == grantState) {
                callback.sendResult(Bundle.EMPTY);
            } else {
                callback.sendResult(null);
            }
        } else {
            synchronized (getLockObject()) {
                long ident = mInjector.binderClearCallingIdentity();
                try {
                    boolean isPostQAdmin = getTargetSdk(caller.getPackageName(), caller.getUserId())
                            >= android.os.Build.VERSION_CODES.Q;
                    if (grantState == PERMISSION_GRANT_STATE_GRANTED
                    if (grantState == PERMISSION_GRANT_STATE_GRANTED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) {
                            || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) {
@@ -16736,17 +16767,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                                                callback.sendResult(null);
                                                callback.sendResult(null);
                                                return;
                                                return;
                                            }
                                            }
                                        DevicePolicyEventLogger
                                                .createEvent(DevicePolicyEnums
                                                        .SET_PERMISSION_GRANT_STATE)
                                                .setAdmin(caller.getPackageName())
                                                .setStrings(permission)
                                                .setInt(grantState)
                                                .setBoolean(
                                                        /* isDelegate */ isCallerDelegate(caller))
                                                .write();
                                            callback.sendResult(Bundle.EMPTY);
                                            callback.sendResult(Bundle.EMPTY);
                                        });
                                        });
                    }
                    }
@@ -16759,6 +16779,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                }
                }
            }
            }
        }
        }
        DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_PERMISSION_GRANT_STATE)
                .setAdmin(caller.getPackageName())
                .setStrings(permission)
                .setInt(grantState)
                .setBoolean(/* isDelegate */ isCallerDelegate(caller))
                .write();
    }
    }
    private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>();
    private static final List<String> SENSOR_PERMISSIONS = new ArrayList<>();
@@ -16822,10 +16848,8 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            if (isFinancedDeviceOwner(caller)) {
            if (isFinancedDeviceOwner(caller)) {
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
                enforcePermissionGrantStateOnFinancedDevice(packageName, permission);
            }
            }
            return mInjector.binderWithCleanCallingIdentity(() -> {
            return mInjector.binderWithCleanCallingIdentity(() -> getPermissionGrantStateForUser(
                return getPermissionGrantStateForUser(
                    packageName, permission, caller, caller.getUserId()));
                        packageName, permission, caller, caller.getUserId());
            });
        }
        }
    }
    }
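Review bot: The `DevicePolicyEventLogger` write for `SET_PERMISSION_GRANT_STATE` now sits at the end of the method, outside both the `try` block and the permission-controller callback, so it appears to run even when the `SecurityException` handler or the callback has already sent `callback.sendResult(null)`. Before this change the event was written only on the success path, just before `callback.sendResult(Bundle.EMPTY)`, so anyone reading these events as a record of admin-applied grants will now also see attempts that failed; only the early `return` paths skip it. If that is intended, say so above the call, e.g. `// Logged for every request that reaches this point, whether or not the grant was applied.`; otherwise keep the write in the success path next to `callback.sendResult(Bundle.EMPTY)`. The method starts outside the visible hunks, so this reading rests on the lines shown here.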
+1 −0
@@ -84,6 +84,7 @@ final class PolicyEnforcerCallbacks {
                    ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT
                    ? DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT
                    : grantState;
                    : grantState;


            // TODO(b/278710449): stop blocking in the main thread
            BlockingCallback callback = new BlockingCallback();
            BlockingCallback callback = new BlockingCallback();
            // TODO: remove canAdminGrantSensorPermissions once we expose a new method in
            // TODO: remove canAdminGrantSensorPermissions once we expose a new method in
            //  permissionController that doesn't need it.
            //  permissionController that doesn't need it.