author Eran Messeri <eranm@google.com> 2025-03-19 14:02:50 +0000
committer Eran Messeri <eranm@google.com> 2025-03-20 12:07:16 +0000
commit8afa1abb82796ed7e3d307ad031852b454f086fa (patch)
treece85ef94cac24d9078d462df45c867bf311e90a6
parent27114f7855d1281b2a42b51b8453471c29aea255 (diff)
DPM/MTE: Fix MTE developer Option when AAPM is on
This change fixes the Memory Tagging Extension developer option Settings to be greyed out if the MTE state is controlled by AAPM. The fix consists of: * A change to the DevicePolicyManagerService to return the MTE policy regardless of the caller identity - as the getMtePolicy method does not care which admin has set the MTE policy, just the resolved policy for the device. * A change to RestrictedLockUtilsInternal to return an EnforcedAdmin representing that the MTE policy is managed somehow. Other code in the RestrictedLockUtilsInternal knows how to resolve the right admin from the EnforcedAdmin. To test the fix, the MANAGE_DEVICE_POLICY_MTE permission was added to the shell. It is safe for the shell to have this permission because: * A human can query and modify the state of the Memory Tagging Extension policy via Developer Options. * If the device is managed and the user tries to disable MTE, there is an additional check in the DevicePolicyManagerService that only the device policy client (DPC) can disable MTE. Bug: 402456665 Test: Manual, turn on AAPM with adb commands and observe the toggle in Settings. Test: atest CtsSecurityTestCases:android.security.cts.advancedprotection.MemoryTaggingExtensionTest Test: atest CtsDevicePolicyTestCases:android.devicepolicy.cts.MtePolicyTest Test: atest CtsDevicePolicyTestCases:android.devicepolicy.cts.DeviceManagementCoexistenceTest Flag: EXEMPT bugfix Change-Id: I55ffdec9b7abc29be503d85a7ae2607ba81938de
-rw-r--r--data/etc/privapp-permissions-platform.xml2
-rw-r--r--packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java17
-rw-r--r--packages/Shell/AndroidManifest.xml1
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java7
4 files changed, 16 insertions, 11 deletions
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index 9234902335c1..b32a502ab82e 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -621,6 +621,8 @@ applications that come with the platform
<permission name="android.permission.READ_COLOR_ZONES"/>
<!-- Permission required for CTS test - CtsTextClassifierTestCases -->
<permission name="android.permission.ACCESS_TEXT_CLASSIFIER_BY_TYPE"/>
+ <!-- Permission required for CTS test - CtsSecurityTestCases -->
+ <permission name="android.permission.MANAGE_DEVICE_POLICY_MTE"/>
</privapp-permissions>
<privapp-permissions package="com.android.statementservice">
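Review bot: The comment on the added `MANAGE_DEVICE_POLICY_MTE` entry gives only the CTS reason, while the argument for why shell may hold a `MANAGE_` permission lives solely in the commit message. Nothing in this hunk limits the grant to test builds, so the rationale belongs next to it, e.g. `<!-- Shell may hold this: MTE is user-toggleable in Developer Options; on managed devices DPMS lets only the DPC disable MTE -->`. That DPMS safeguard is not part of this change, so it is worth confirming that a test covers a shell caller trying to disable MTE on a managed device. The matching `uses-permission` line in the packages/Shell/AndroidManifest.xml hunk has no comment at all, unlike its neighbours; add `<!-- Permission required for CTS test - CtsSecurityTestCases -->` above it.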
diff --git a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
index 4de64769b425..89ed37cc5fbb 100644
--- a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
+++ b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
@@ -77,6 +77,10 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
private static final String ROLE_DEVICE_LOCK_CONTROLLER =
"android.app.role.SYSTEM_FINANCED_DEVICE_CONTROLLER";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* @return drawables for displaying with settings that are locked by a device admin.
*/
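Review bot: The new `MEMORY_TAGGING_POLICY` literal duplicates an identifier that the TODO says belongs to `DevicePolicyIdentifiers`, and nothing ties the two together until the flag launches. If the strings ever diverge, the `getEnforcingAdmin` lookup added later in this file would presumably find no admin and only log a warning, so the mismatch would be easy to miss. State the constraint in the comment, e.g. `// Must stay equal to DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY.`, and write the marker as `// TODO(b/378931989): ...` with a space after the slashes.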
@@ -838,14 +842,13 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
if (dpm.getMtePolicy() == MTE_NOT_CONTROLLED_BY_POLICY) {
return null;
}
- EnforcedAdmin admin =
- RestrictedLockUtils.getProfileOrDeviceOwner(
- context, context.getUser());
- if (admin != null) {
- return admin;
+ EnforcingAdmin enforcingAdmin = context.getSystemService(DevicePolicyManager.class)
+ .getEnforcingAdmin(context.getUserId(), MEMORY_TAGGING_POLICY);
+ if (enforcingAdmin == null) {
+ Log.w(LOG_TAG, "MTE is controlled by policy but could not find enforcing admin.");
}
- int profileId = getManagedProfileId(context, context.getUserId());
- return RestrictedLockUtils.getProfileOrDeviceOwner(context, UserHandle.of(profileId));
+
+ return EnforcedAdmin.createDefaultEnforcedAdminWithRestriction(MEMORY_TAGGING_POLICY);
}
/**
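Review bot: The `enforcingAdmin` value fetched in the added lines is used only to decide whether to log; the method returns `createDefaultEnforcedAdminWithRestriction(MEMORY_TAGGING_POLICY)` whether or not an admin was found. Keeping the toggle restricted when no admin resolves is the fail-closed choice, but a reader will take the unused result for a bug, so say it in a comment such as `// Always report MTE as restricted; the lookup only flags an unexpected missing enforcing admin.` The lookup also calls `context.getSystemService(DevicePolicyManager.class)` again although `dpm` is already in use for `getMtePolicy()` just above; if that is the same manager, `dpm.getEnforcingAdmin(context.getUserId(), MEMORY_TAGGING_POLICY)` avoids the second fetch. The enclosing method starts outside the hunk.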
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 55f7317f25e4..b8534ffe9476 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -961,6 +961,7 @@
android:featureFlag="android.security.aapm_api"/>
<uses-permission android:name="android.permission.QUERY_ADVANCED_PROTECTION_MODE"
android:featureFlag="android.security.aapm_api"/>
+ <uses-permission android:name="android.permission.MANAGE_DEVICE_POLICY_MTE" />
<!-- Permission required for CTS test - IntrusionDetectionManagerTest -->
<uses-permission android:name="android.permission.READ_INTRUSION_DETECTION_STATE"
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 51ed6bb2aa40..e04fe080786a 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -23891,10 +23891,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
UserHandle.USER_ALL);
synchronized (getLockObject()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
- PolicyDefinition.MEMORY_TAGGING, admin);
+ final Integer policyFromAdmin = mDevicePolicyEngine.getResolvedPolicy(
+ PolicyDefinition.MEMORY_TAGGING, UserHandle.USER_ALL);
+
return (policyFromAdmin != null ? policyFromAdmin
: DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
}
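Review bot: Removing `enforcePermissionAndGetEnforcingAdmin` takes the `MANAGE_DEVICE_POLICY_MTE` check out of the synchronized block, so access control for this getter now rests on the statement that ends at `UserHandle.USER_ALL);` just above the hunk, which is not visible here. If that statement still enforces the permission, a short comment such as `// Caller permission is checked above; the resolved policy is returned regardless of which admin set it.` would record the intent. The local name `policyFromAdmin` no longer matches what it holds; `final Integer resolvedPolicy = mDevicePolicyEngine.getResolvedPolicy(` reads correctly. The method begins outside the hunk, so whether `caller` and `callerPackageName` are still used cannot be checked from here.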