diff options
| author | 2025-03-18 19:45:16 -0700 | |
|---|---|---|
| committer | 2025-03-18 19:45:16 -0700 | |
| commit | fc16110c4c7c5d7700c0582ce16b4647df089093 (patch) | |
| tree | 79611658961ec5e701830e11bb7b5db61190448a | |
| parent | d4aebda32c0f16fddd0953e28758cb293b491d7a (diff) | |
| parent | dec29f62053b7f5349402962757711a83b702b51 (diff) | |
Merge "Add support for a separate APM subsetting for USB data protection in ADB shell." into main
6 files changed, 117 insertions, 12 deletions
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java index b7e296228e45..e7bca1419418 100644 --- a/core/java/android/provider/Settings.java +++ b/core/java/android/provider/Settings.java @@ -13317,10 +13317,18 @@ public final class Settings { public static final String CONTEXTUAL_SEARCH_PACKAGE = "contextual_search_package"; /** - * Inetger property which determines whether advanced protection is on or not. + * Integer property which determines whether advanced protection is on or not. * @hide */ public static final String ADVANCED_PROTECTION_MODE = "advanced_protection_mode"; + + /** + * Integer property which determines whether advanced protection USB data protection + * feature is on or not. + * + * @hide + */ + public static final String AAPM_USB_DATA_PROTECTION = "aapm_usb_data_protection"; } /** diff --git a/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java b/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java index d0f84627f8d8..463e94bfa0d6 100644 --- a/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java +++ b/packages/SettingsProvider/src/android/provider/settings/validators/SecureSettingsValidators.java @@ -464,6 +464,7 @@ public class SecureSettingsValidators { VALIDATORS.put(Secure.MANDATORY_BIOMETRICS_REQUIREMENTS_SATISFIED, new InclusiveIntegerRangeValidator(0, 1)); VALIDATORS.put(Secure.ADVANCED_PROTECTION_MODE, BOOLEAN_VALIDATOR); + VALIDATORS.put(Secure.AAPM_USB_DATA_PROTECTION, BOOLEAN_VALIDATOR); VALIDATORS.put(Secure.DISABLE_ADAPTIVE_AUTH_LIMIT_LOCK, BOOLEAN_VALIDATOR); VALIDATORS.put(Secure.FACE_APP_ENABLED, BOOLEAN_VALIDATOR); VALIDATORS.put(Secure.FACE_KEYGUARD_ENABLED, BOOLEAN_VALIDATOR); diff --git a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java index 7179cbdf93fb..e9b6c73cb800 100644 --- a/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java +++ b/packages/SettingsProvider/test/src/android/provider/SettingsBackupTest.java @@ -642,6 +642,7 @@ public class SettingsBackupTest { private static final Set<String> BACKUP_DENY_LIST_SECURE_SETTINGS = newHashSet( + Settings.Secure.AAPM_USB_DATA_PROTECTION, Settings.Secure.ACCESSIBILITY_SOFT_KEYBOARD_MODE, Settings.Secure.ACCESSIBILITY_SPEAK_PASSWORD, // Deprecated since O. Settings.Secure.ALLOW_PRIMARY_GAIA_ACCOUNT_REMOVAL_FOR_TESTS, diff --git a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java index 8c3b7c606f04..3ece07c84080 100644 --- a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java +++ b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionService.java @@ -17,6 +17,7 @@ package com.android.server.security.advancedprotection; import static android.provider.Settings.Secure.ADVANCED_PROTECTION_MODE; +import static android.provider.Settings.Secure.AAPM_USB_DATA_PROTECTION; import static com.android.internal.util.ConcurrentUtils.DIRECT_EXECUTOR; import android.Manifest; @@ -69,6 +70,7 @@ import java.io.FileDescriptor; import java.io.PrintWriter; import java.util.ArrayList; import java.util.List; +import java.util.Set; /** @hide */ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub { @@ -129,7 +131,10 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub Slog.e(TAG, "Failed to initialize DisallowCellular2g", e); } } - if (android.security.Flags.aapmFeatureUsbDataProtection()) { + if (android.security.Flags.aapmFeatureUsbDataProtection() + // Usb data protection is enabled by default + && mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON) + == AdvancedProtectionStore.ON) { try { mHooks.add(new UsbDataAdvancedProtectionHook(mContext, enabled)); } catch (Exception e) { @@ -183,7 +188,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub // Without permission check private boolean isAdvancedProtectionEnabledInternal() { - return mStore.retrieve(); + return mStore.retrieveAdvancedProtectionModeEnabled(); } @Override @@ -217,7 +222,7 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub try { synchronized (mCallbacks) { if (enabled != isAdvancedProtectionEnabledInternal()) { - mStore.store(enabled); + mStore.storeAdvancedProtectionModeEnabled(enabled); sendModeChanged(enabled); logAdvancedProtectionEnabled(enabled); } @@ -227,6 +232,34 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub } } + public void setUsbDataProtectionEnabled(boolean enabled) { + int value = enabled ? AdvancedProtectionStore.ON + : AdvancedProtectionStore.OFF; + setAdvancedProtectionSubSettingInt(AAPM_USB_DATA_PROTECTION, value); + } + + private void setAdvancedProtectionSubSettingInt(String key, int value) { + final long identity = Binder.clearCallingIdentity(); + try { + synchronized (mCallbacks) { + mStore.storeInt(key, value); + Slog.i(TAG, "Advanced protection: subsetting" + key + " is " + value); + } + } finally { + Binder.restoreCallingIdentity(identity); + } + } + + public boolean isUsbDataProtectionEnabled() { + final long identity = Binder.clearCallingIdentity(); + try { + return mStore.retrieveInt(AAPM_USB_DATA_PROTECTION, AdvancedProtectionStore.ON) + == AdvancedProtectionStore.ON; + } finally { + Binder.restoreCallingIdentity(identity); + } + } + @Override @EnforcePermission(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE) public void logDialogShown(@FeatureId int featureId, @SupportDialogType int type, @@ -419,8 +452,8 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub @VisibleForTesting static class AdvancedProtectionStore { private final Context mContext; - private static final int APM_ON = 1; - private static final int APM_OFF = 0; + static final int ON = 1; + static final int OFF = 0; private final UserManagerInternal mUserManager; AdvancedProtectionStore(@NonNull Context context) { @@ -428,15 +461,26 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub mUserManager = LocalServices.getService(UserManagerInternal.class); } - void store(boolean enabled) { + void storeAdvancedProtectionModeEnabled(boolean enabled) { + Settings.Secure.putIntForUser(mContext.getContentResolver(), + ADVANCED_PROTECTION_MODE, enabled ? ON : OFF, + mUserManager.getMainUserId()); + } + + boolean retrieveAdvancedProtectionModeEnabled() { + return Settings.Secure.getIntForUser(mContext.getContentResolver(), + ADVANCED_PROTECTION_MODE, OFF, mUserManager.getMainUserId()) == ON; + } + + void storeInt(String key, int value) { Settings.Secure.putIntForUser(mContext.getContentResolver(), - ADVANCED_PROTECTION_MODE, enabled ? APM_ON : APM_OFF, + key, value, mUserManager.getMainUserId()); } - boolean retrieve() { + int retrieveInt(String key, int defaultValue) { return Settings.Secure.getIntForUser(mContext.getContentResolver(), - ADVANCED_PROTECTION_MODE, APM_OFF, mUserManager.getMainUserId()) == APM_ON; + key, defaultValue, mUserManager.getMainUserId()); } } diff --git a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java index 42505ad2de3f..ae17a459010b 100644 --- a/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java +++ b/services/core/java/com/android/server/security/advancedprotection/AdvancedProtectionShellCommand.java @@ -45,6 +45,10 @@ class AdvancedProtectionShellCommand extends ShellCommand { return setProtectionEnabled(); case "is-protection-enabled": return isProtectionEnabled(pw); + case "set-usb-data-protection-enabled": + return setUsbDataProtectedEnabled(); + case "is-usb-data-protection-enabled": + return isUsbDataProtectedEnabled(pw); } } catch (RemoteException e) { pw.println("Remote exception: " + e); @@ -64,6 +68,10 @@ class AdvancedProtectionShellCommand extends ShellCommand { pw.println(" Print this help text."); pw.println(" set-protection-enabled [true|false]"); pw.println(" is-protection-enabled"); + if(android.security.Flags.aapmFeatureUsbDataProtection()) { + pw.println(" set-usb-data-protection-enabled [true|false]"); + pw.println(" is-usb-data-protection-enabled"); + } } @SuppressLint("AndroidFrameworkRequiresPermission") @@ -79,4 +87,22 @@ class AdvancedProtectionShellCommand extends ShellCommand { pw.println(protectionMode); return 0; } + + @SuppressLint("AndroidFrameworkRequiresPermission") + private int setUsbDataProtectedEnabled() throws RemoteException { + if(android.security.Flags.aapmFeatureUsbDataProtection()) { + String protectionMode = getNextArgRequired(); + mService.setUsbDataProtectionEnabled(Boolean.parseBoolean(protectionMode)); + } + return 0; + } + + @SuppressLint("AndroidFrameworkRequiresPermission") + private int isUsbDataProtectedEnabled(@NonNull PrintWriter pw) throws RemoteException { + if(android.security.Flags.aapmFeatureUsbDataProtection()) { + boolean protectionMode = mService.isUsbDataProtectionEnabled(); + pw.println(protectionMode); + } + return 0; + } } diff --git a/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java b/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java index 339bac4f768b..d6b3fecb487c 100644 --- a/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/security/advancedprotection/AdvancedProtectionServiceTest.java @@ -45,6 +45,8 @@ import org.junit.runner.RunWith; import org.junit.runners.JUnit4; import java.util.List; +import java.util.Map; +import java.util.HashMap; import java.util.concurrent.atomic.AtomicBoolean; @SuppressLint("VisibleForTests") @@ -66,17 +68,28 @@ public class AdvancedProtectionServiceTest { mPermissionEnforcer.grant(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE); mStore = new AdvancedProtectionService.AdvancedProtectionStore(mContext) { + private Map<String, Integer> mStoredValues = new HashMap<>(); private boolean mEnabled = false; @Override - boolean retrieve() { + boolean retrieveAdvancedProtectionModeEnabled() { return mEnabled; } @Override - void store(boolean enabled) { + void storeAdvancedProtectionModeEnabled(boolean enabled) { this.mEnabled = enabled; } + + @Override + void storeInt(String key, int value) { + mStoredValues.put(key, value); + } + + @Override + int retrieveInt(String key, int defaultValue) { + return mStoredValues.getOrDefault(key, defaultValue); + } }; mLooper = new TestLooper(); @@ -316,6 +329,18 @@ public class AdvancedProtectionServiceTest { } @Test + public void testUsbDataProtection_withoutPermission() { + mPermissionEnforcer.revoke(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE); + assertThrows(SecurityException.class, () -> mService.isUsbDataProtectionEnabled()); + } + + @Test + public void testSetUsbDataProtection_withoutPermission() { + mPermissionEnforcer.revoke(Manifest.permission.MANAGE_ADVANCED_PROTECTION_MODE); + assertThrows(SecurityException.class, () -> mService.setUsbDataProtectionEnabled(true)); + } + + @Test public void testRegisterCallback_withoutPermission() { mPermissionEnforcer.revoke(Manifest.permission.QUERY_ADVANCED_PROTECTION_MODE); assertThrows(SecurityException.class, () -> mService.registerAdvancedProtectionCallback( |