Add support for a separate APM subsetting for USB data protection in ADB shell.

Test: atest Bug: 395965739 Flag: android.security.aapm_feature_usb_data_protection Change-Id: I7a881c3b6f8867ee75267c216b96f10b9e288ff7
author: George Chan <georgechan@google.com> 2025-03-17 16:30:13 -0700
committer: George Chan <georgechan@google.com> 2025-03-17 16:30:13 -0700
commit: dec29f62053b7f5349402962757711a83b702b51 (patch)
tree: 875b83b327e657dfec11641ce592f9554fc24fe7
parent: e2e048ae9f4628647fa5ab4f364955db8abb34ce (diff)
6 files changed, 117 insertions, 12 deletions
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index b7e296228e45..e7bca1419418 100644
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -13317,10 +13317,18 @@ public final class Settings {
         public static final String CONTEXTUAL_SEARCH_PACKAGE = "contextual_search_package";
 
         /**
-         * Inetger property which determines whether advanced protection is on or not.
+         * Integer property which determines whether advanced protection is on or not.
          * @hide
          */
         public static final String ADVANCED_PROTECTION_MODE = "advanced_protection_mode";
+
+        /**
+         * Integer property which determines whether advanced protection USB data protection
+         * feature is on or not.
+         *
+         * @hide
+         */
+        public static final String AAPM_USB_DATA_PROTECTION = "aapm_usb_data_protection";
     }
 
     /**
diff --git a/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java b/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java
index d0f84627f8d8..463e94bfa0d6 100644
--- a/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java
+++ b/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java
@@ -464,6 +464,7 @@ public class SecureSettingsValidators {
         VALIDATORS.put(Secure.MANDATORY_BIOMETRICS_REQUIREMENTS_SATISFIED,
                 new InclusiveIntegerRangeValidator(0, 1));
         VALIDATORS.put(Secure.ADVANCED_PROTECTION_MODE, BOOLEAN_VALIDATOR);
+        VALIDATORS.put(Secure.AAPM_USB_DATA_PROTECTION, BOOLEAN_VALIDATOR);
         VALIDATORS.put(Secure.DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK, BOOLEAN_VALIDATOR);
         VALIDATORS.put(Secure.FACE_APP_ENABLED,  BOOLEAN_VALIDATOR);
         VALIDATORS.put(Secure.FACE_KEYGUARD_ENABLED,  BOOLEAN_VALIDATOR);
diff --git a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java
index 7179cbdf93fb..e9b6c73cb800 100644
--- a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java
+++ b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java
@@ -642,6 +642,7 @@ public class SettingsBackupTest {
 
     private static final Set<String> BACKUP_DENY_LIST_SECURE_SETTINGS =
              newHashSet(
+                 Settings.Secure.AAPM_USB_DATA_PROTECTION,
                  Settings.Secure.ACCESSIBILITY_SOFT_KEYBOARD_MODE,
                  Settings.Secure.ACCESSIBILITY_SPEAK_PASSWORD, // Deprecated since O.
                  Settings.Secure.ALLOW_PRIMARY_GAIA_ACCOUNT_REMOVAL_FOR_TESTS,
diff --git a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java
index 8c3b7c606f04..3ece07c84080 100644
--- a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java
+++ b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java
@@ -17,6 +17,7 @@
 package com.android.server.security.advancedprotection;
 
 import static android.provider.Settings.Secure.ADVANCED_PROTECTION_MODE;
+import static android.provider.Settings.Secure.AAPM_USB_DATA_PROTECTION;
 import static com.android.internal.util.ConcurrentUtils.DIRECT_EXECUTOR;
 
 import android.Manifest;
@@ -69,6 +70,7 @@ import java.io.FileDescriptor;
 import java.io.PrintWriter;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 /** @hide */
 public class AdvancedProtectionService extends IAdvancedProtectionService.Stub  {
@@ -129,7 +131,10 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
             Slog.e(TAG, "Failed to initialize DisallowCellular2g", e);
           }
         }
-        if (android.security.Flags.aapmFeatureUsbDataProtection()) {
+        if (android.security.Flags.aapmFeatureUsbDataProtection()
+                // Usb data protection is enabled by default
+                && mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON)
+                == AdvancedProtectionStore.ON) {
           try {
             mHooks.add(new UsbDataAdvancedProtectionHook(mContext, enabled));
           } catch (Exception e) {
@@ -183,7 +188,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
 
     // Without permission check
     private boolean isAdvancedProtectionEnabledInternal() {
-        return mStore.retrieve();
+        return mStore.retrieveAdvancedProtectionModeEnabled();
     }
 
     @Override
@@ -217,7 +222,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
         try {
             synchronized (mCallbacks) {
                 if (enabled != isAdvancedProtectionEnabledInternal()) {
-                    mStore.store(enabled);
+                    mStore.storeAdvancedProtectionModeEnabled(enabled);
                     sendModeChanged(enabled);
                     logAdvancedProtectionEnabled(enabled);
                 }
@@ -227,6 +232,34 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
         }
     }
 
+    public void setUsbDataProtectionEnabled(boolean enabled) {
+        int value = enabled ? AdvancedProtectionStore.ON
+                : AdvancedProtectionStore.OFF;
+        setAdvancedProtectionSubSettingInt(AAPM_USB_DATA_PROTECTION, value);
+    }
+
+    private void setAdvancedProtectionSubSettingInt(String key, int value) {
+        final long identity = Binder.clearCallingIdentity();
+        try {
+            synchronized (mCallbacks) {
+                mStore.storeInt(key, value);
+                Slog.i(TAG, "Advanced protection: subsetting" + key + " is " + value);
+            }
+        } finally {
+            Binder.restoreCallingIdentity(identity);
+        }
+    }
+
+    public boolean isUsbDataProtectionEnabled() {
+        final long identity = Binder.clearCallingIdentity();
+        try {
+            return mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON)
+                == AdvancedProtectionStore.ON;
+        } finally {
+            Binder.restoreCallingIdentity(identity);
+        }
+    }
+
     @Override
     @EnforcePermission(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE)
     public void logDialogShown(@FeatureId int featureId, @SupportDialogType int type,
@@ -419,8 +452,8 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
     @VisibleForTesting
     static class AdvancedProtectionStore {
         private final Context mContext;
-        private static final int APM_ON = 1;
-        private static final int APM_OFF = 0;
+        static final int ON = 1;
+        static final int OFF = 0;
         private final UserManagerInternal mUserManager;
 
         AdvancedProtectionStore(@NonNull Context context) {
@@ -428,15 +461,26 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub
             mUserManager = LocalServices.getService(UserManagerInternal.class);
         }
 
-        void store(boolean enabled) {
+        void storeAdvancedProtectionModeEnabled(boolean enabled) {
+            Settings.Secure.putIntForUser(mContext.getContentResolver(),
+                    ADVANCED_PROTECTION_MODE, enabled ? ON : OFF,
+                    mUserManager.getMainUserId());
+        }
+
+        boolean retrieveAdvancedProtectionModeEnabled() {
+            return Settings.Secure.getIntForUser(mContext.getContentResolver(),
+                    ADVANCED_PROTECTION_MODE, OFF, mUserManager.getMainUserId()) == ON;
+        }
+
+        void storeInt(String key, int value) {
             Settings.Secure.putIntForUser(mContext.getContentResolver(),
-                    ADVANCED_PROTECTION_MODE, enabled ? APM_ON : APM_OFF,
+                    key, value,
                     mUserManager.getMainUserId());
         }
 
-        boolean retrieve() {
+        int retrieveInt(String key, int defaultValue) {
             return Settings.Secure.getIntForUser(mContext.getContentResolver(),
-                    ADVANCED_PROTECTION_MODE, APM_OFF, mUserManager.getMainUserId()) == APM_ON;
+                    key, defaultValue, mUserManager.getMainUserId());
         }
     }
 
diff --git a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java
index 42505ad2de3f..ae17a459010b 100644
--- a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java
+++ b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java
@@ -45,6 +45,10 @@ class AdvancedProtectionShellCommand extends ShellCommand {
                     return setProtectionEnabled();
                 case "is-protection-enabled":
                     return isProtectionEnabled(pw);
+                case "set-usb-data-protection-enabled":
+                    return setUsbDataProtectedEnabled();
+                case "is-usb-data-protection-enabled":
+                    return isUsbDataProtectedEnabled(pw);
             }
         } catch (RemoteException e) {
             pw.println("Remote exception: " + e);
@@ -64,6 +68,10 @@ class AdvancedProtectionShellCommand extends ShellCommand {
         pw.println("      Print this help text.");
         pw.println("  set-protection-enabled [true|false]");
         pw.println("  is-protection-enabled");
+        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
+            pw.println("  set-usb-data-protection-enabled [true|false]");
+            pw.println("  is-usb-data-protection-enabled");
+        }
     }
 
     @SuppressLint("AndroidFrameworkRequiresPermission")
@@ -79,4 +87,22 @@ class AdvancedProtectionShellCommand extends ShellCommand {
         pw.println(protectionMode);
         return 0;
     }
+
+    @SuppressLint("AndroidFrameworkRequiresPermission")
+    private int setUsbDataProtectedEnabled() throws RemoteException {
+        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
+            String protectionMode = getNextArgRequired();
+            mService.setUsbDataProtectionEnabled(Boolean.parseBoolean(protectionMode));
+        }
+        return 0;
+    }
+
+    @SuppressLint("AndroidFrameworkRequiresPermission")
+    private int isUsbDataProtectedEnabled(@NonNull PrintWriter pw) throws RemoteException {
+        if(android.security.Flags.aapmFeatureUsbDataProtection()) {
+            boolean protectionMode = mService.isUsbDataProtectionEnabled();
+            pw.println(protectionMode);
+        }
+        return 0;
+    }
 }
diff --git a/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java b/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java
index 339bac4f768b..d6b3fecb487c 100644
--- a/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java
@@ -45,6 +45,8 @@ import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
 import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 @SuppressLint("VisibleForTests")
@@ -66,17 +68,28 @@ public class AdvancedProtectionServiceTest {
         mPermissionEnforcer.grant(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE);
 
         mStore = new AdvancedProtectionService.AdvancedProtectionStore(mContext) {
+            private Map<String, Integer> mStoredValues = new HashMap<>();
             private boolean mEnabled = false;
 
             @Override
-            boolean retrieve() {
+            boolean retrieveAdvancedProtectionModeEnabled() {
                 return mEnabled;
             }
 
             @Override
-            void store(boolean enabled) {
+            void storeAdvancedProtectionModeEnabled(boolean enabled) {
                 this.mEnabled = enabled;
             }
+
+            @Override
+            void storeInt(String key, int value) {
+                mStoredValues.put(key, value);
+            }
+
+            @Override
+            int retrieveInt(String key, int defaultValue) {
+                return mStoredValues.getOrDefault(key, defaultValue);
+            }
         };
 
         mLooper = new TestLooper();
@@ -316,6 +329,18 @@ public class AdvancedProtectionServiceTest {
     }
 
     @Test
+    public void testUsbDataProtection_withoutPermission() {
+        mPermissionEnforcer.revoke(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE);
+        assertThrows(SecurityException.class, () -> mService.isUsbDataProtectionEnabled());
+    }
+
+    @Test
+    public void testSetUsbDataProtection_withoutPermission() {
+        mPermissionEnforcer.revoke(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE);
+        assertThrows(SecurityException.class, () -> mService.setUsbDataProtectionEnabled(true));
+    }
+
+    @Test
     public void testRegisterCallback_withoutPermission() {
         mPermissionEnforcer.revoke(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE);
         assertThrows(SecurityException.class, () -> mService.registerAdvancedProtectionCallback(
author	George Chan <georgechan@google.com>	2025-03-17 16:30:13 -0700
committer	George Chan <georgechan@google.com>	2025-03-17 16:30:13 -0700
commit	dec29f62053b7f5349402962757711a83b702b51 (patch)
tree	875b83b327e657dfec11641ce592f9554fc24fe7
parent	e2e048ae9f4628647fa5ab4f364955db8abb34ce (diff)