Merge "Prevent auto-granting of location permission via DPM"

     * {@link android.os.Build.VERSION_CODES#M} the app-op matching the permission is set to

     * {@link android.app.AppOpsManager#MODE_IGNORED}, but the permission stays granted.

     *

     * NOTE: Starting from Android R, location-related permissions cannot be granted by the

     * admin: Calling this method with {@link #PERMISSION_GRANT_STATE_GRANTED} for any of the

     * following permissions will return false:

     *

     * <ul>

     * <li>{@code ACCESS_FINE_LOCATION}</li>

     * <li>{@code ACCESS_BACKGROUND_LOCATION}</li>

     * <li>{@code ACCESS_COARSE_LOCATION}</li>

     * </ul>

     *

     * @param admin Which profile or device owner this request is associated with.

     * @param packageName The application to grant or revoke a permission to.

     * @param permission The permission to grant or revoke.

    // A collection of user restrictions that are deprecated and should simply be ignored.

    private static final Set<String> DEPRECATED_USER_RESTRICTIONS;

    private static final String AB_DEVICE_KEY = "ro.build.ab_update";

    // Permissions related to location which must not be granted automatically

    private static  final Set<String> LOCATION_PERMISSIONS;

    static {

        SECURE_SETTINGS_WHITELIST = new ArraySet<>();

        DEPRECATED_USER_RESTRICTIONS = Sets.newHashSet(

                UserManager.DISALLOW_ADD_MANAGED_PROFILE,

                UserManager.DISALLOW_REMOVE_MANAGED_PROFILE);

        LOCATION_PERMISSIONS = Sets.newHashSet(

                permission.ACCESS_FINE_LOCATION,

                permission.ACCESS_BACKGROUND_LOCATION,

                permission.ACCESS_COARSE_LOCATION);

    }

    /**

                            true);

                }

                // Prevent granting location-related permissions without user consent.

                if (LOCATION_PERMISSIONS.contains(permission)

                        && grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED

                        && !isUnattendedManagedKioskUnchecked()) {

                    callback.sendResult(null);

                    return;

                }

                if (grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED

                        || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED

                        || grantState == DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT) {

        }

    }

    @Override

    public boolean isUnattendedManagedKiosk() {

        if (!mHasFeature) {

            return false;

        }

        enforceManageUsers();

        long id = mInjector.binderClearCallingIdentity();

    private boolean isUnattendedManagedKioskUnchecked() {

        try {

            return isManagedKioskInternal()

                    && getPowerManagerInternal().wasDeviceIdleFor(UNATTENDED_MANAGED_KIOSK_MS);

        } catch (RemoteException e) {

            throw new IllegalStateException(e);

        } finally {

            mInjector.binderRestoreCallingIdentity(id);

        }

    }

    @Override

    public boolean isUnattendedManagedKiosk() {

        if (!mHasFeature) {

            return false;

        }

        enforceManageUsers();

        return mInjector.binderWithCleanCallingIdentity(() -> isUnattendedManagedKioskUnchecked());

    }

    /**

     * Returns whether the device is currently being used as a publicly-accessible dedicated device.

     * Assumes that feature checks and permission checks have already been performed, and that the