author Eran Messeri <eranm@google.com> 2025-02-27 05:47:05 -0800
committer Android (Google) Code Review <android-gerrit@google.com> 2025-02-27 05:47:05 -0800
commit8f66c43a57f119af09d8c9615f14369cad563e54 (patch)
treed4ffb43e3897980f0bdc67b71d18ecff601f73b2
parent40aa32b37c5db1e6f9e4f7277b7c39a02ede32a9 (diff)
parentb8cc7f8dce330bf30bbf418065e045ed9bfda234 (diff)
Merge "Use the MTE flag only for guarding policy identifier" into main
-rw-r--r--core/java/android/app/admin/PolicyUpdateReceiver.java31
-rw-r--r--core/java/android/security/advancedprotection/AdvancedProtectionManager.java8
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java93
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java9
4 files changed, 58 insertions, 83 deletions
diff --git a/core/java/android/app/admin/PolicyUpdateReceiver.java b/core/java/android/app/admin/PolicyUpdateReceiver.java
index be13988d7c76..630ab0ece07d 100644
--- a/core/java/android/app/admin/PolicyUpdateReceiver.java
+++ b/core/java/android/app/admin/PolicyUpdateReceiver.java
@@ -20,10 +20,12 @@ import android.annotation.BroadcastBehavior;
import android.annotation.NonNull;
import android.annotation.SdkConstant;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
+import android.text.TextUtils;
import android.util.Log;
import java.util.Objects;
@@ -46,6 +48,10 @@ import java.util.Objects;
public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
private static String TAG = "PolicyUpdateReceiver";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* Action for a broadcast sent to admins to communicate back the result of setting a policy in
* {@link DevicePolicyManager}.
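Review bot: The literal `"memoryTagging"` added here is repeated in AdvancedProtectionManager (second file of this commit), and nothing in the visible code ties either copy to `DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY`, which the removed import in that file shows is the canonical name. If the copies ever drift, the `equals` check in `shouldPropagatePolicy` stops matching and the flag-guarded identifier would reach admin callbacks without any error. I would state the invariant next to the TODO, for example `// Must equal DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY; the filter in shouldPropagatePolicy depends on it.`, and write `// TODO` with a space as elsewhere in the file.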
@@ -156,15 +162,28 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
@Override
public final void onReceive(Context context, Intent intent) {
Objects.requireNonNull(intent.getAction());
+ String policyKey;
switch (intent.getAction()) {
case ACTION_DEVICE_POLICY_SET_RESULT:
Log.i(TAG, "Received ACTION_DEVICE_POLICY_SET_RESULT");
- onPolicySetResult(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
+ policyKey = getPolicyKey(intent);
+ if (!shouldPropagatePolicy(policyKey)) {
+ Log.d(TAG, TextUtils.formatSimple(
+ "Skipping propagation of policy %s", policyKey));
+ break;
+ }
+ onPolicySetResult(context, policyKey, getPolicyExtraBundle(intent),
getTargetUser(intent), getPolicyChangedReason(intent));
break;
case ACTION_DEVICE_POLICY_CHANGED:
Log.i(TAG, "Received ACTION_DEVICE_POLICY_CHANGED");
- onPolicyChanged(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
+ policyKey = getPolicyKey(intent);
+ if (!shouldPropagatePolicy(policyKey)) {
+ Log.d(TAG, TextUtils.formatSimple(
+ "Skipping propagation of policy %s", policyKey));
+ break;
+ }
+ onPolicyChanged(context, policyKey, getPolicyExtraBundle(intent),
getTargetUser(intent), getPolicyChangedReason(intent));
break;
default:
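Review bot: The key lookup, the `shouldPropagatePolicy` check and the `Log.d` line are copied verbatim into both the `ACTION_DEVICE_POLICY_SET_RESULT` and `ACTION_DEVICE_POLICY_CHANGED` cases, so a later change to the filter has to be made twice. A small private helper that does the check and the logging and returns a boolean would keep each case to `if (skipPolicy(policyKey)) break;` (helper name is only a suggestion). Note also that a dropped set-result broadcast leaves the admin with no callback at all and is recorded only at debug level; a short comment saying this is intentional while the flag is off would help whoever triages a missing callback. The switch statement continues past the end of this hunk.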
@@ -217,6 +236,14 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
return new TargetUser(targetUserId);
}
+ /**
+ * @hide
+ */
+ private boolean shouldPropagatePolicy(String policyKey) {
+ return !MEMORY_TAGGING_POLICY.equals(policyKey) || Flags.setMtePolicyCoexistence();
+ }
+
+
// TODO(b/260847505): Add javadocs to explain which DPM APIs are supported
/**
* Callback triggered after an admin has set a policy using one of the APIs in
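Review bot: The Javadoc on `shouldPropagatePolicy` contains only `@hide`, which has no effect on a private method, and it does not say why the memory-tagging key is filtered. I would replace it with a description such as `/** Returns false for the memory tagging policy while Flags.setMtePolicyCoexistence() is off, so that its identifier is not delivered to admin callbacks before the flag launches. */`, which is my reading of the TODO on the constant and should be confirmed. The method reads no instance state, so it could be `private static`, and the hunk adds two consecutive blank lines after it where one is enough.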
diff --git a/core/java/android/security/advancedprotection/AdvancedProtectionManager.java b/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
index ea01fc98eda0..770e234381c4 100644
--- a/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
+++ b/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
@@ -16,7 +16,6 @@
package android.security.advancedprotection;
-import static android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY;
import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;
import static android.os.UserManager.DISALLOW_CELLULAR_2G;
import static android.os.UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY;
@@ -59,6 +58,10 @@ import java.util.concurrent.Executor;
public final class AdvancedProtectionManager {
private static final String TAG = "AdvancedProtectionMgr";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* Advanced Protection's identifier for setting policies or restrictions in
* {@link DevicePolicyManager}.
@@ -359,8 +362,7 @@ public final class AdvancedProtectionManager {
featureId = FEATURE_ID_DISALLOW_INSTALL_UNKNOWN_SOURCES;
} else if (DISALLOW_CELLULAR_2G.equals(identifier)) {
featureId = FEATURE_ID_DISALLOW_CELLULAR_2G;
- } else if (android.app.admin.flags.Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY
- .equals(identifier)) {
+ } else if (MEMORY_TAGGING_POLICY.equals(identifier)) {
featureId = FEATURE_ID_ENABLE_MTE;
} else {
throw new UnsupportedOperationException("Unsupported identifier: " + identifier);
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index aee32a0473a3..215d6ca964eb 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3582,14 +3582,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@GuardedBy("getLockObject()")
private boolean maybeMigrateMemoryTaggingLocked(String backupId) {
- if (!Flags.setMtePolicyCoexistence()) {
- Slog.i(LOG_TAG, "Memory Tagging not migrated because coexistence "
- + "support is disabled.");
- return false;
- }
if (mOwners.isMemoryTaggingMigrated()) {
- // TODO: Remove log after Flags.setMtePolicyCoexistence full rollout.
- Slog.v(LOG_TAG, "Memory Tagging was previously migrated to policy engine.");
return false;
}
@@ -16354,7 +16347,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
private static <V> PolicyDefinition<V> getPolicyDefinitionForIdentifier(
@NonNull String identifier) {
Objects.requireNonNull(identifier);
- if (Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY.equals(identifier)) {
+ if (MEMORY_TAGGING_POLICY.equals(identifier)) {
return (PolicyDefinition<V>) PolicyDefinition.MEMORY_TAGGING;
} else {
return (PolicyDefinition<V>) getPolicyDefinitionForRestriction(identifier);
@@ -23759,46 +23752,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller));
}
- if (Flags.setMtePolicyCoexistence()) {
- enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
- UserHandle.USER_ALL);
- } else {
- Preconditions.checkCallAuthorization(
- isDefaultDeviceOwner(caller)
- || isProfileOwnerOfOrganizationOwnedDevice(caller));
- }
+ enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
+ UserHandle.USER_ALL);
synchronized (getLockObject()) {
- if (Flags.setMtePolicyCoexistence()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- mDevicePolicyEngine.setGlobalPolicy(
- PolicyDefinition.MEMORY_TAGGING,
- admin,
- new IntegerPolicyValue(flags));
- } else {
- mDevicePolicyEngine.removeGlobalPolicy(
- PolicyDefinition.MEMORY_TAGGING,
- admin);
- }
+ final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
+ MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
+ if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
+ mDevicePolicyEngine.setGlobalPolicy(
+ PolicyDefinition.MEMORY_TAGGING,
+ admin,
+ new IntegerPolicyValue(flags));
} else {
- ActiveAdmin admin =
- getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
- if (admin != null) {
- final String memtagProperty = "arm64.memtag.bootctl";
- if (flags == DevicePolicyManager.MTE_ENABLED) {
- mInjector.systemPropertiesSet(memtagProperty, "memtag");
- } else if (flags == DevicePolicyManager.MTE_DISABLED) {
- mInjector.systemPropertiesSet(memtagProperty, "memtag-off");
- } else if (flags == DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- if (admin.mtePolicy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- mInjector.systemPropertiesSet(memtagProperty, "default");
- }
- }
- admin.mtePolicy = flags;
- saveSettingsLocked(caller.getUserId());
- }
+ mDevicePolicyEngine.removeGlobalPolicy(
+ PolicyDefinition.MEMORY_TAGGING,
+ admin);
}
DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_MTE_POLICY)
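Review bot: With the flag branches removed, the permission is enforced twice on the same path with different arguments: `enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(), UserHandle.USER_ALL)` before the lock, then `enforcePermissionAndGetEnforcingAdmin(null, MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId())` inside it. It is not clear from the hunk which call is the intended authorization gate and whether the differing user scope (`USER_ALL` versus the caller's user) is deliberate. If the second call is kept only to obtain the `EnforcingAdmin`, a one-line comment saying so, or dropping the first call, would make the access-control decision easier to audit. The same pair appears in the `getMtePolicy` hunk below, and this method begins before the hunk.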
@@ -23817,10 +23785,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
"Only system services can call setMtePolicyBySystem");
- if (!Flags.setMtePolicyCoexistence()) {
- throw new UnsupportedOperationException("System can not set MTE policy only");
- }
-
EnforcingAdmin admin = EnforcingAdmin.createSystemEnforcingAdmin(systemEntity);
if (policy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
mDevicePolicyEngine.setGlobalPolicy(
@@ -23858,31 +23822,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public int getMtePolicy(String callerPackageName) {
final CallerIdentity caller = getCallerIdentity(callerPackageName);
- if (Flags.setMtePolicyCoexistence()) {
- enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
- UserHandle.USER_ALL);
- } else {
- Preconditions.checkCallAuthorization(
- isDefaultDeviceOwner(caller)
- || isProfileOwnerOfOrganizationOwnedDevice(caller)
- || isSystemUid(caller));
- }
+ enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
+ UserHandle.USER_ALL);
synchronized (getLockObject()) {
- if (Flags.setMtePolicyCoexistence()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
- PolicyDefinition.MEMORY_TAGGING, admin);
- return (policyFromAdmin != null ? policyFromAdmin
- : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
- } else {
- ActiveAdmin admin =
- getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
- return admin != null
- ? admin.mtePolicy
- : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY;
- }
+ final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
+ MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
+ final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
+ PolicyDefinition.MEMORY_TAGGING, admin);
+ return (policyFromAdmin != null ? policyFromAdmin
+ : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
}
}
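Review bot: `getMtePolicy` now always returns `getGlobalPolicySetByAdmin(PolicyDefinition.MEMORY_TAGGING, admin)`, which is the value the calling admin set, falling back to `MTE_NOT_CONTROLLED_BY_POLICY` when that is null. Since `setMtePolicyBySystem` can set the same policy through a system enforcing admin, a caller may read `MTE_NOT_CONTROLLED_BY_POLICY` while MTE is in fact being enforced by another party; whether that can happen depends on the policy engine's resolution, which is not shown here. A comment above the return such as `// Value set by the calling admin only; not the resolved device-wide MTE policy.` would stop callers from treating the result as the effective state.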
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java b/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
index caaf0964bb4e..6dfe08c1eb7e 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
@@ -433,10 +433,8 @@ class OwnersData {
out.attributeBoolean(null, ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED,
mResetPasswordWithTokenMigrated);
}
- if (Flags.setMtePolicyCoexistence()) {
- out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
- mMemoryTaggingMigrated);
- }
+ out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
+ mMemoryTaggingMigrated);
if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
out.attributeBoolean(null, ATTR_SET_KEYGUARD_DISABLED_FEATURES_MIGRATED,
mSetKeyguardDisabledFeaturesMigrated);
@@ -514,8 +512,7 @@ class OwnersData {
mResetPasswordWithTokenMigrated = Flags.resetPasswordWithTokenCoexistence()
&& parser.getAttributeBoolean(null,
ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED, false);
- mMemoryTaggingMigrated = Flags.setMtePolicyCoexistence()
- && parser.getAttributeBoolean(null,
+ mMemoryTaggingMigrated = parser.getAttributeBoolean(null,
ATTR_MEMORY_TAGGING_MIGRATED, false);
mSetKeyguardDisabledFeaturesMigrated =
Flags.setKeyguardDisabledFeaturesCoexistence()