Merge "DPM/MTE: Fix MTE developer Option when AAPM is on" into main

author: Eran Messeri <eranm@google.com> 2025-03-21 06:38:24 -0700
committer: Android (Google) Code Review <android-gerrit@google.com> 2025-03-21 06:38:24 -0700
commit: a196c00e7791ae8b0e9a605da31c51d7cda8649d (patch)
tree: 663a3fb8495fb3a974802444dae4674612c8aa25
parent: e560309896965555e59cc219cff157e290eaf179 (diff)
parent: 8afa1abb82796ed7e3d307ad031852b454f086fa (diff)
4 files changed, 16 insertions, 11 deletions
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index 1d8eed2749d5..62e14d368a1c 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -621,6 +621,8 @@ applications that come with the platform
         <permission name="android.permission.READ_COLOR_ZONES"/>
         <!-- Permission required for CTS test - CtsTextClassifierTestCases -->
         <permission name="android.permission.ACCESS_TEXT_CLASSIFIER_BY_TYPE"/>
+        <!-- Permission required for CTS test - CtsSecurityTestCases -->
+        <permission name="android.permission.MANAGE_DEVICE_POLICY_MTE"/>
     </privapp-permissions>
 
     <privapp-permissions package="com.android.soundpicker">
diff --git a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
index d5cf8331345c..f89bd9c43a37 100644
--- a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
+++ b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
@@ -77,6 +77,10 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
     private static final String ROLE_DEVICE_LOCK_CONTROLLER =
             "android.app.role.SYSTEM_FINANCED_DEVICE_CONTROLLER";
 
+    //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+    //when the appropriate flag is launched.
+    private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
     /**
      * @return drawables for displaying with settings that are locked by a device admin.
      */
@@ -847,14 +851,13 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
         if (dpm.getMtePolicy() == MTE_NOT_CONTROLLED_BY_POLICY) {
             return null;
         }
-        EnforcedAdmin admin =
-                RestrictedLockUtils.getProfileOrDeviceOwner(
-                        context, context.getUser());
-        if (admin != null) {
-            return admin;
+        EnforcingAdmin enforcingAdmin = context.getSystemService(DevicePolicyManager.class)
+                .getEnforcingAdmin(context.getUserId(), MEMORY_TAGGING_POLICY);
+        if (enforcingAdmin == null) {
+            Log.w(LOG_TAG, "MTE is controlled by policy but could not find enforcing admin.");
         }
-        int profileId = getManagedProfileId(context, context.getUserId());
-        return RestrictedLockUtils.getProfileOrDeviceOwner(context, UserHandle.of(profileId));
+
+        return EnforcedAdmin.createDefaultEnforcedAdminWithRestriction(MEMORY_TAGGING_POLICY);
     }
 
     /**
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index a178869d23d6..ea09d634b82b 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -961,6 +961,7 @@
         android:featureFlag="android.security.aapm_api"/>
     <uses-permission android:name="android.permission.QUERY_ADVANCED_PROTECTION_MODE"
         android:featureFlag="android.security.aapm_api"/>
+    <uses-permission android:name="android.permission.MANAGE_DEVICE_POLICY_MTE" />
 
     <!-- Permission required for CTS test - IntrusionDetectionManagerTest -->
     <uses-permission android:name="android.permission.READ_INTRUSION_DETECTION_STATE"
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index d984fcc599cb..964826d1ee73 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -23903,10 +23903,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                 UserHandle.USER_ALL);
 
         synchronized (getLockObject()) {
-            final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
-                    MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
-            final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
-                    PolicyDefinition.MEMORY_TAGGING, admin);
+            final Integer policyFromAdmin = mDevicePolicyEngine.getResolvedPolicy(
+                    PolicyDefinition.MEMORY_TAGGING, UserHandle.USER_ALL);
+
             return (policyFromAdmin != null ? policyFromAdmin
                     : DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
         }
author	Eran Messeri <eranm@google.com>	2025-03-21 06:38:24 -0700
committer	Android (Google) Code Review <android-gerrit@google.com>	2025-03-21 06:38:24 -0700
commit	a196c00e7791ae8b0e9a605da31c51d7cda8649d (patch)
tree	663a3fb8495fb3a974802444dae4674612c8aa25
parent	e560309896965555e59cc219cff157e290eaf179 (diff)
parent	8afa1abb82796ed7e3d307ad031852b454f086fa (diff)