author Eran Messeri <eranm@google.com> 2025-02-21 14:40:07 +0000
committer Eran Messeri <eranm@google.com> 2025-02-26 19:41:24 +0000
commitb8cc7f8dce330bf30bbf418065e045ed9bfda234 (patch)
tree4dcf5c9a22eed076b7db8ee7b04b258c4c9ebe02
parent40e1d38f1c6fe1508dfb1f58b2cddfb730e8bbd8 (diff)
Use the MTE flag only for guarding policy identifier
Enable the implementation of storing the MTE policy in the DevicePolicyEngine by default. Filter the MTE policy identifier in the PolicyUpdateReceiver if the flag is not set, since in that case the constant associated with the policy is not part of the public API. Bug: 378931989 Test: atest CtsSecurityTestCases:android.security.cts.advancedprotection.MemoryTaggingExtensionTest Test: CtsDevicePolicyTestCases:android.devicepolicy.cts.PolicyUpdateReceiverTest Test: CtsDevicePolicyTestCases:android.devicepolicy.cts.DeviceManagementCoexistenceTest Flag: android.app.admin.flags.set_mte_policy_coexistence Change-Id: I88855596fe6185cd711bbb9397f3c8220308a705
-rw-r--r--core/java/android/app/admin/PolicyUpdateReceiver.java31
-rw-r--r--core/java/android/security/advancedprotection/AdvancedProtectionManager.java8
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java93
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java9
4 files changed, 58 insertions, 83 deletions
diff --git a/core/java/android/app/admin/PolicyUpdateReceiver.java b/core/java/android/app/admin/PolicyUpdateReceiver.java
index be13988d7c76..630ab0ece07d 100644
--- a/core/java/android/app/admin/PolicyUpdateReceiver.java
+++ b/core/java/android/app/admin/PolicyUpdateReceiver.java
@@ -20,10 +20,12 @@ import android.annotation.BroadcastBehavior;
import android.annotation.NonNull;
import android.annotation.SdkConstant;
import android.annotation.TestApi;
+import android.app.admin.flags.Flags;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
+import android.text.TextUtils;
import android.util.Log;
import java.util.Objects;
@@ -46,6 +48,10 @@ import java.util.Objects;
public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
private static String TAG = "PolicyUpdateReceiver";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* Action for a broadcast sent to admins to communicate back the result of setting a policy in
* {@link DevicePolicyManager}.
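Review bot: The gate in this class keys on a private copy of the literal `"memoryTagging"` (the new MEMORY_TAGGING_POLICY field) rather than on DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY, and the AdvancedProtectionManager hunk below introduces a second identical private copy. If the public identifier's value ever diverges from these copies, shouldPropagatePolicy silently stops matching and the flagged-off identifier is delivered to admins anyway, while AdvancedProtectionManager would reject the real identifier with its UnsupportedOperationException; neither failure is caught at compile time. Until the TODO is resolved the comment should state what keeps the copies in sync, e.g. `// Must stay byte-identical to DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY ("memoryTagging"); nothing checks this at compile time.`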
@@ -156,15 +162,28 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
@Override
public final void onReceive(Context context, Intent intent) {
Objects.requireNonNull(intent.getAction());
+ String policyKey;
switch (intent.getAction()) {
case ACTION_DEVICE_POLICY_SET_RESULT:
Log.i(TAG, "Received ACTION_DEVICE_POLICY_SET_RESULT");
- onPolicySetResult(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
+ policyKey = getPolicyKey(intent);
+ if (!shouldPropagatePolicy(policyKey)) {
+ Log.d(TAG, TextUtils.formatSimple(
+ "Skipping propagation of policy %s", policyKey));
+ break;
+ }
+ onPolicySetResult(context, policyKey, getPolicyExtraBundle(intent),
getTargetUser(intent), getPolicyChangedReason(intent));
break;
case ACTION_DEVICE_POLICY_CHANGED:
Log.i(TAG, "Received ACTION_DEVICE_POLICY_CHANGED");
- onPolicyChanged(context, getPolicyKey(intent), getPolicyExtraBundle(intent),
+ policyKey = getPolicyKey(intent);
+ if (!shouldPropagatePolicy(policyKey)) {
+ Log.d(TAG, TextUtils.formatSimple(
+ "Skipping propagation of policy %s", policyKey));
+ break;
+ }
+ onPolicyChanged(context, policyKey, getPolicyExtraBundle(intent),
getTargetUser(intent), getPolicyChangedReason(intent));
break;
default:
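Review bot: The six-line skip-and-log guard is pasted verbatim into both the ACTION_DEVICE_POLICY_SET_RESULT and ACTION_DEVICE_POLICY_CHANGED cases, so the two will drift the next time the gating rule changes. Moving the Log.d into shouldPropagatePolicy (it already receives the key) reduces each case to `policyKey = getPolicyKey(intent);` followed by `if (!shouldPropagatePolicy(policyKey)) break;`. I have not suggested hoisting the call above the switch because getPolicyKey's behaviour for the default action is not visible here. The onReceive method continues past the end of the hunk.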
@@ -217,6 +236,14 @@ public abstract class PolicyUpdateReceiver extends BroadcastReceiver {
return new TargetUser(targetUserId);
}
+ /**
+ * @hide
+ */
+ private boolean shouldPropagatePolicy(String policyKey) {
+ return !MEMORY_TAGGING_POLICY.equals(policyKey) || Flags.setMtePolicyCoexistence();
+ }
+
+
// TODO(b/260847505): Add javadocs to explain which DPM APIs are supported
/**
* Callback triggered after an admin has set a policy using one of the APIs in
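Review bot: The `@hide` tag on shouldPropagatePolicy is a no-op on a private method and says nothing about why the method exists; the Javadoc should state the contract instead, e.g. `/** Returns false for identifiers whose public constant is still behind a flag, so an admin never receives a policy key that is not yet part of the SDK. */`. The two consecutive blank lines after the method should also be collapsed to one.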
diff --git a/core/java/android/security/advancedprotection/AdvancedProtectionManager.java b/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
index ea01fc98eda0..770e234381c4 100644
--- a/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
+++ b/core/java/android/security/advancedprotection/AdvancedProtectionManager.java
@@ -16,7 +16,6 @@
package android.security.advancedprotection;
-import static android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY;
import static android.content.Intent.FLAG_ACTIVITY_NEW_TASK;
import static android.os.UserManager.DISALLOW_CELLULAR_2G;
import static android.os.UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY;
@@ -59,6 +58,10 @@ import java.util.concurrent.Executor;
public final class AdvancedProtectionManager {
private static final String TAG = "AdvancedProtectionMgr";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* Advanced Protection's identifier for setting policies or restrictions in
* {@link DevicePolicyManager}.
@@ -359,8 +362,7 @@ public final class AdvancedProtectionManager {
featureId = FEATURE_ID_DISALLOW_INSTALL_UNKNOWN_SOURCES;
} else if (DISALLOW_CELLULAR_2G.equals(identifier)) {
featureId = FEATURE_ID_DISALLOW_CELLULAR_2G;
- } else if (android.app.admin.flags.Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY
- .equals(identifier)) {
+ } else if (MEMORY_TAGGING_POLICY.equals(identifier)) {
featureId = FEATURE_ID_ENABLE_MTE;
} else {
throw new UnsupportedOperationException("Unsupported identifier: " + identifier);
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index aee32a0473a3..215d6ca964eb 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3582,14 +3582,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@GuardedBy("getLockObject()")
private boolean maybeMigrateMemoryTaggingLocked(String backupId) {
- if (!Flags.setMtePolicyCoexistence()) {
- Slog.i(LOG_TAG, "Memory Tagging not migrated because coexistence "
- + "support is disabled.");
- return false;
- }
if (mOwners.isMemoryTaggingMigrated()) {
- // TODO: Remove log after Flags.setMtePolicyCoexistence full rollout.
- Slog.v(LOG_TAG, "Memory Tagging was previously migrated to policy engine.");
return false;
}
@@ -16354,7 +16347,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
private static <V> PolicyDefinition<V> getPolicyDefinitionForIdentifier(
@NonNull String identifier) {
Objects.requireNonNull(identifier);
- if (Flags.setMtePolicyCoexistence() && MEMORY_TAGGING_POLICY.equals(identifier)) {
+ if (MEMORY_TAGGING_POLICY.equals(identifier)) {
return (PolicyDefinition<V>) PolicyDefinition.MEMORY_TAGGING;
} else {
return (PolicyDefinition<V>) getPolicyDefinitionForRestriction(identifier);
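Review bot: With the flag check dropped, getPolicyDefinitionForIdentifier resolves the raw string "memoryTagging" to PolicyDefinition.MEMORY_TAGGING for every caller, whatever the state of Flags.setMtePolicyCoexistence(); the only remaining filter for this identifier is client-side in PolicyUpdateReceiver, which runs in the admin app itself. That appears to be the intent of the change (the policy engine now always owns MTE), but a reader who follows the flag from the receiver will expect a matching gate here, so a comment would help: `// Accepted regardless of Flags.setMtePolicyCoexistence(): only the public constant and the admin callback are flag-gated.`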
@@ -23759,46 +23752,21 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Preconditions.checkCallAuthorization(isDefaultDeviceOwner(caller));
}
- if (Flags.setMtePolicyCoexistence()) {
- enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
- UserHandle.USER_ALL);
- } else {
- Preconditions.checkCallAuthorization(
- isDefaultDeviceOwner(caller)
- || isProfileOwnerOfOrganizationOwnedDevice(caller));
- }
+ enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
+ UserHandle.USER_ALL);
synchronized (getLockObject()) {
- if (Flags.setMtePolicyCoexistence()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- mDevicePolicyEngine.setGlobalPolicy(
- PolicyDefinition.MEMORY_TAGGING,
- admin,
- new IntegerPolicyValue(flags));
- } else {
- mDevicePolicyEngine.removeGlobalPolicy(
- PolicyDefinition.MEMORY_TAGGING,
- admin);
- }
+ final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
+ MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
+ if (flags != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
+ mDevicePolicyEngine.setGlobalPolicy(
+ PolicyDefinition.MEMORY_TAGGING,
+ admin,
+ new IntegerPolicyValue(flags));
} else {
- ActiveAdmin admin =
- getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
- if (admin != null) {
- final String memtagProperty = "arm64.memtag.bootctl";
- if (flags == DevicePolicyManager.MTE_ENABLED) {
- mInjector.systemPropertiesSet(memtagProperty, "memtag");
- } else if (flags == DevicePolicyManager.MTE_DISABLED) {
- mInjector.systemPropertiesSet(memtagProperty, "memtag-off");
- } else if (flags == DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- if (admin.mtePolicy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
- mInjector.systemPropertiesSet(memtagProperty, "default");
- }
- }
- admin.mtePolicy = flags;
- saveSettingsLocked(caller.getUserId());
- }
+ mDevicePolicyEngine.removeGlobalPolicy(
+ PolicyDefinition.MEMORY_TAGGING,
+ admin);
}
DevicePolicyEventLogger.createEvent(DevicePolicyEnums.SET_MTE_POLICY)
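Review bot: MANAGE_DEVICE_POLICY_MTE is now enforced twice on every call: once by `enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(), UserHandle.USER_ALL)` before the lock and again by `enforcePermissionAndGetEnforcingAdmin(null, MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId())` inside it, and the two checks are scoped to different users (USER_ALL versus the caller's user). The duplication already existed on the flagged branch but is now the only path, so either the outer call is redundant and should go, or the USER_ALL scope is deliberately the stricter check and deserves a one-line comment saying so. The same pair appears in the getMtePolicy hunk below. The enclosing setMtePolicy method starts outside this hunk, and the removed legacy branch's direct write of the arm64.memtag.bootctl property is presumably now performed by the policy engine's enforcement path, which is not visible here.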
@@ -23817,10 +23785,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
Preconditions.checkCallAuthorization(isSystemUid(getCallerIdentity()),
"Only system services can call setMtePolicyBySystem");
- if (!Flags.setMtePolicyCoexistence()) {
- throw new UnsupportedOperationException("System can not set MTE policy only");
- }
-
EnforcingAdmin admin = EnforcingAdmin.createSystemEnforcingAdmin(systemEntity);
if (policy != DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY) {
mDevicePolicyEngine.setGlobalPolicy(
@@ -23858,31 +23822,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
@Override
public int getMtePolicy(String callerPackageName) {
final CallerIdentity caller = getCallerIdentity(callerPackageName);
- if (Flags.setMtePolicyCoexistence()) {
- enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
- UserHandle.USER_ALL);
- } else {
- Preconditions.checkCallAuthorization(
- isDefaultDeviceOwner(caller)
- || isProfileOwnerOfOrganizationOwnedDevice(caller)
- || isSystemUid(caller));
- }
+ enforcePermission(MANAGE_DEVICE_POLICY_MTE, caller.getPackageName(),
+ UserHandle.USER_ALL);
synchronized (getLockObject()) {
- if (Flags.setMtePolicyCoexistence()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
- PolicyDefinition.MEMORY_TAGGING, admin);
- return (policyFromAdmin != null ? policyFromAdmin
- : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
- } else {
- ActiveAdmin admin =
- getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked();
- return admin != null
- ? admin.mtePolicy
- : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY;
- }
+ final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
+ MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
+ final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
+ PolicyDefinition.MEMORY_TAGGING, admin);
+ return (policyFromAdmin != null ? policyFromAdmin
+ : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
}
}
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java b/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
index caaf0964bb4e..6dfe08c1eb7e 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/OwnersData.java
@@ -433,10 +433,8 @@ class OwnersData {
out.attributeBoolean(null, ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED,
mResetPasswordWithTokenMigrated);
}
- if (Flags.setMtePolicyCoexistence()) {
- out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
- mMemoryTaggingMigrated);
- }
+ out.attributeBoolean(null, ATTR_MEMORY_TAGGING_MIGRATED,
+ mMemoryTaggingMigrated);
if (Flags.setKeyguardDisabledFeaturesCoexistence()) {
out.attributeBoolean(null, ATTR_SET_KEYGUARD_DISABLED_FEATURES_MIGRATED,
mSetKeyguardDisabledFeaturesMigrated);
@@ -514,8 +512,7 @@ class OwnersData {
mResetPasswordWithTokenMigrated = Flags.resetPasswordWithTokenCoexistence()
&& parser.getAttributeBoolean(null,
ATTR_RESET_PASSWORD_WITH_TOKEN_MIGRATED, false);
- mMemoryTaggingMigrated = Flags.setMtePolicyCoexistence()
- && parser.getAttributeBoolean(null,
+ mMemoryTaggingMigrated = parser.getAttributeBoolean(null,
ATTR_MEMORY_TAGGING_MIGRATED, false);
mSetKeyguardDisabledFeaturesMigrated =
Flags.setKeyguardDisabledFeaturesCoexistence()