
Commit fc16110c authored by George Chan's avatar George Chan Committed by Android (Google) Code Review

Merge "Add support for a separate APM subsetting for USB data protection in ADB shell." into main

parents d4aebda3 dec29f62
+9 −1
@@ -13317,10 +13317,18 @@ public final class Settings {
        public static final String CONTEXTUAL_SEARCH_PACKAGE = "contextual_search_package";
        public static final String CONTEXTUAL_SEARCH_PACKAGE = "contextual_search_package";
        /**
        /**
         * Inetger property which determines whether advanced protection is on or not.
         * Integer property which determines whether advanced protection is on or not.
         * @hide
         * @hide
         */
         */
        public static final String ADVANCED_PROTECTION_MODE = "advanced_protection_mode";
        public static final String ADVANCED_PROTECTION_MODE = "advanced_protection_mode";
        /**
         * Integer property which determines whether advanced protection USB data protection
         * feature is on or not.
         *
         * @hide
         */
        public static final String AAPM_USB_DATA_PROTECTION = "aapm_usb_data_protection";
    }
    }
    /**
    /**
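Review bot: The Javadoc added for `AAPM_USB_DATA_PROTECTION` does not say which values are valid or what an unset key means, while the reader in `AdvancedProtectionService` on this page passes `AdvancedProtectionStore.ON` as the default, so an absent key is treated as enabled. I would state that in the comment, for example `1 (or unset) enables USB data protection, 0 disables it`, so that nobody later reads the key with a default of 0 and silently turns the protection off. The enclosing `Secure` class starts outside this hunk.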
+1 −0
@@ -464,6 +464,7 @@ public class SecureSettingsValidators {
        VALIDATORS.put(Secure.MANDATORY_BIOMETRICS_REQUIREMENTS_SATISFIED,
        VALIDATORS.put(Secure.MANDATORY_BIOMETRICS_REQUIREMENTS_SATISFIED,
                new InclusiveIntegerRangeValidator(0, 1));
                new InclusiveIntegerRangeValidator(0, 1));
        VALIDATORS.put(Secure.ADVANCED_PROTECTION_MODE, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.ADVANCED_PROTECTION_MODE, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.AAPM_USB_DATA_PROTECTION, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK, BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.FACE_APP_ENABLED,  BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.FACE_APP_ENABLED,  BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.FACE_KEYGUARD_ENABLED,  BOOLEAN_VALIDATOR);
        VALIDATORS.put(Secure.FACE_KEYGUARD_ENABLED,  BOOLEAN_VALIDATOR);
+1 −0
@@ -642,6 +642,7 @@ public class SettingsBackupTest {


    private static final Set<String> BACKUP_DENY_LIST_SECURE_SETTINGS =
    private static final Set<String> BACKUP_DENY_LIST_SECURE_SETTINGS =
             newHashSet(
             newHashSet(
                 Settings.Secure.AAPM_USB_DATA_PROTECTION,
                 Settings.Secure.ACCESSIBILITY_SOFT_KEYBOARD_MODE,
                 Settings.Secure.ACCESSIBILITY_SOFT_KEYBOARD_MODE,
                 Settings.Secure.ACCESSIBILITY_SPEAK_PASSWORD, // Deprecated since O.
                 Settings.Secure.ACCESSIBILITY_SPEAK_PASSWORD, // Deprecated since O.
                 Settings.Secure.ALLOW_PRIMARY_GAIA_ACCOUNT_REMOVAL_FOR_TESTS,
                 Settings.Secure.ALLOW_PRIMARY_GAIA_ACCOUNT_REMOVAL_FOR_TESTS,
+53 −9
@@ -17,6 +17,7 @@
package com.android.server.security.advancedprotection;
package com.android.server.security.advancedprotection;


import static android.provider.Settings.Secure.ADVANCED_PROTECTION_MODE;
import static android.provider.Settings.Secure.ADVANCED_PROTECTION_MODE;
import static android.provider.Settings.Secure.AAPM_USB_DATA_PROTECTION;
import static com.android.internal.util.ConcurrentUtils.DIRECT_EXECUTOR;
import static com.android.internal.util.ConcurrentUtils.DIRECT_EXECUTOR;


import android.Manifest;
import android.Manifest;
@@ -69,6 +70,7 @@ import java.io.FileDescriptor;
import java.io.PrintWriter;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.ArrayList;
import java.util.List;
import java.util.List;
import java.util.Set;


/** @hide */
/** @hide */
public class AdvancedProtectionService extends IAdvancedProtectionService.Stub  {
public class AdvancedProtectionService extends IAdvancedProtectionService.Stub  {
@@ -129,7 +131,10 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
            Slog.e(TAG, "Failed to initialize DisallowCellular2g", e);
            Slog.e(TAG, "Failed to initialize DisallowCellular2g", e);
          }
          }
        }
        }
        if (android.security.Flags.aapmFeatureUsbDataProtection()) {
        if (android.security.Flags.aapmFeatureUsbDataProtection()
                // Usb data protection is enabled by default
                && mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON)
                == AdvancedProtectionStore.ON) {
          try {
          try {
            mHooks.add(new UsbDataAdvancedProtectionHook(mContext, enabled));
            mHooks.add(new UsbDataAdvancedProtectionHook(mContext, enabled));
          } catch (Exception e) {
          } catch (Exception e) {
@@ -183,7 +188,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub


    // Without permission check
    // Without permission check
    private boolean isAdvancedProtectionEnabledInternal() {
    private boolean isAdvancedProtectionEnabledInternal() {
        return mStore.retrieve();
        return mStore.retrieveAdvancedProtectionModeEnabled();
    }
    }


    @Override
    @Override
@@ -217,7 +222,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
        try {
        try {
            synchronized (mCallbacks) {
            synchronized (mCallbacks) {
                if (enabled != isAdvancedProtectionEnabledInternal()) {
                if (enabled != isAdvancedProtectionEnabledInternal()) {
                    mStore.store(enabled);
                    mStore.storeAdvancedProtectionModeEnabled(enabled);
                    sendModeChanged(enabled);
                    sendModeChanged(enabled);
                    logAdvancedProtectionEnabled(enabled);
                    logAdvancedProtectionEnabled(enabled);
                }
                }
@@ -227,6 +232,34 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
        }
        }
    }
    }


    public void setUsbDataProtectionEnabled(boolean enabled) {
        int value = enabled ? AdvancedProtectionStore.ON
                : AdvancedProtectionStore.OFF;
        setAdvancedProtectionSubSettingInt(AAPM_USB_DATA_PROTECTION, value);
    }

    private void setAdvancedProtectionSubSettingInt(String key, int value) {
        final long identity = Binder.clearCallingIdentity();
        try {
            synchronized (mCallbacks) {
                mStore.storeInt(key, value);
                Slog.i(TAG, "Advanced protection: subsetting" + key + " is " + value);
            }
        } finally {
            Binder.restoreCallingIdentity(identity);
        }
    }

    public boolean isUsbDataProtectionEnabled() {
        final long identity = Binder.clearCallingIdentity();
        try {
            return mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON)
                == AdvancedProtectionStore.ON;
        } finally {
            Binder.restoreCallingIdentity(identity);
        }
    }

    @Override
    @Override
    @EnforcePermission(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE)
    @EnforcePermission(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE)
    public void logDialogShown(@FeatureId int featureId, @SupportDialogType int type,
    public void logDialogShown(@FeatureId int featureId, @SupportDialogType int type,
@@ -419,8 +452,8 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
    @VisibleForTesting
    @VisibleForTesting
    static class AdvancedProtectionStore {
    static class AdvancedProtectionStore {
        private final Context mContext;
        private final Context mContext;
        private static final int APM_ON = 1;
        static final int ON = 1;
        private static final int APM_OFF = 0;
        static final int OFF = 0;
        private final UserManagerInternal mUserManager;
        private final UserManagerInternal mUserManager;


        AdvancedProtectionStore(@NonNull Context context) {
        AdvancedProtectionStore(@NonNull Context context) {
@@ -428,15 +461,26 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
            mUserManager = LocalServices.getService(UserManagerInternal.class);
            mUserManager = LocalServices.getService(UserManagerInternal.class);
        }
        }


        void store(boolean enabled) {
        void storeAdvancedProtectionModeEnabled(boolean enabled) {
            Settings.Secure.putIntForUser(mContext.getContentResolver(),
                    ADVANCED_PROTECTION_MODE, enabled ? ON : OFF,
                    mUserManager.getMainUserId());
        }

        boolean retrieveAdvancedProtectionModeEnabled() {
            return Settings.Secure.getIntForUser(mContext.getContentResolver(),
                    ADVANCED_PROTECTION_MODE, OFF, mUserManager.getMainUserId()) == ON;
        }

        void storeInt(String key, int value) {
            Settings.Secure.putIntForUser(mContext.getContentResolver(),
            Settings.Secure.putIntForUser(mContext.getContentResolver(),
                    ADVANCED_PROTECTION_MODE, enabled ? APM_ON : APM_OFF,
                    key, value,
                    mUserManager.getMainUserId());
                    mUserManager.getMainUserId());
        }
        }


        boolean retrieve() {
        int retrieveInt(String key, int defaultValue) {
            return Settings.Secure.getIntForUser(mContext.getContentResolver(),
            return Settings.Secure.getIntForUser(mContext.getContentResolver(),
                    ADVANCED_PROTECTION_MODE, APM_OFF, mUserManager.getMainUserId()) == APM_ON;
                    key, defaultValue, mUserManager.getMainUserId());
        }
        }
    }
    }
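Review bot: `setUsbDataProtectionEnabled` only writes the setting and logs it, while the `UsbDataAdvancedProtectionHook` is added to `mHooks` once, in the initialization block that now reads `AAPM_USB_DATA_PROTECTION`; nothing in the visible hunks re-evaluates the hook after a write, so a change made at runtime appears to take effect only when that block runs again. If that is intended, a comment on the setter such as `// Takes effect the next time the hooks are initialized` would stop callers from assuming the toggle is live. Both new public methods also clear the calling identity without the `@EnforcePermission` that `logDialogShown` carries, so every caller has to do its own authorization, and a short comment saying who may call them would help. The log line lacks a space after `subsetting`: `"Advanced protection: subsetting " + key + " is " + value`. The initialization method starts outside the hunk.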


+26 −0
@@ -45,6 +45,10 @@ class AdvancedProtectionShellCommand extends ShellCommand {
                    return setProtectionEnabled();
                    return setProtectionEnabled();
                case "is-protection-enabled":
                case "is-protection-enabled":
                    return isProtectionEnabled(pw);
                    return isProtectionEnabled(pw);
                case "set-usb-data-protection-enabled":
                    return setUsbDataProtectedEnabled();
                case "is-usb-data-protection-enabled":
                    return isUsbDataProtectedEnabled(pw);
            }
            }
        } catch (RemoteException e) {
        } catch (RemoteException e) {
            pw.println("Remote exception: " + e);
            pw.println("Remote exception: " + e);
@@ -64,6 +68,10 @@ class AdvancedProtectionShellCommand extends ShellCommand {
        pw.println("      Print this help text.");
        pw.println("      Print this help text.");
        pw.println("  set-protection-enabled [true|false]");
        pw.println("  set-protection-enabled [true|false]");
        pw.println("  is-protection-enabled");
        pw.println("  is-protection-enabled");
        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
            pw.println("  set-usb-data-protection-enabled [true|false]");
            pw.println("  is-usb-data-protection-enabled");
        }
    }
    }


    @SuppressLint("AndroidFrameworkRequiresPermission")
    @SuppressLint("AndroidFrameworkRequiresPermission")
@@ -79,4 +87,22 @@ class AdvancedProtectionShellCommand extends ShellCommand {
        pw.println(protectionMode);
        pw.println(protectionMode);
        return 0;
        return 0;
    }
    }

    @SuppressLint("AndroidFrameworkRequiresPermission")
    private int setUsbDataProtectedEnabled() throws RemoteException {
        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
            String protectionMode = getNextArgRequired();
            mService.setUsbDataProtectionEnabled(Boolean.parseBoolean(protectionMode));
        }
        return 0;
    }

    @SuppressLint("AndroidFrameworkRequiresPermission")
    private int isUsbDataProtectedEnabled(@NonNull PrintWriter pw) throws RemoteException {
        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
            boolean protectionMode = mService.isUsbDataProtectionEnabled();
            pw.println(protectionMode);
        }
        return 0;
    }
}
}
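Review bot: `setUsbDataProtectedEnabled` passes its argument through `Boolean.parseBoolean`, which returns false for anything other than "true", so a mistyped value turns USB data protection off instead of being rejected. I would validate before calling the service, e.g. `if (!"true".equalsIgnoreCase(arg) && !"false".equalsIgnoreCase(arg)) { getErrPrintWriter().println("Expected true or false"); return -1; }`. Both new handlers also return 0 without doing or printing anything when `aapmFeatureUsbDataProtection()` is off; a non-zero status there would let scripts detect that the command was ignored.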