| field | value |
|---|---|
| author | 2025-03-19 14:02:50 +0000 |
| committer | 2025-03-20 12:07:16 +0000 |
| commit | 8afa1abb82796ed7e3d307ad031852b454f086fa (patch) |
| tree | ce85ef94cac24d9078d462df45c867bf311e90a6 /libs/androidfw/FileStream.cpp |
| parent | 27114f7855d1281b2a42b51b8453471c29aea255 (diff) |
DPM/MTE: Fix MTE developer Option when AAPM is on
This change fixes the Memory Tagging Extension developer option Settings
to be greyed out if the MTE state is controlled by AAPM.
The fix consists of:
* A change to the DevicePolicyManagerService to return the MTE policy
  regardless of the caller's identity - as the getMtePolicy method
  does not care which admin has set the MTE policy, just the resolved
  policy for the device.
* A change to RestrictedLockUtilsInternal to return an EnforcedAdmin
  representing that the MTE policy is managed somehow. Other code
  in the RestrictedLockUtilsInternal knows how to resolve the right
  admin from the EnforcedAdmin.
To test the fix, the MANAGE_DEVICE_POLICY_MTE permission was added
to the shell.
It is safe for the shell to have this permission because:
* A human can query and modify the state of the Memory Tagging Extension
  policy via Developer Options.
* If the device is managed and the user tries to disable MTE, there is
  an additional check in the DevicePolicyManagerService that only the
  device policy client (DPC) can disable MTE.
Bug: 402456665
Test: Manual, turn on AAPM with adb commands and observe the toggle in
Settings.
Test: atest CtsSecurityTestCases:android.security.cts.advancedprotection.MemoryTaggingExtensionTest
Test: atest CtsDevicePolicyTestCases:android.devicepolicy.cts.MtePolicyTest
Test: atest CtsDevicePolicyTestCases:android.devicepolicy.cts.DeviceManagementCoexistenceTest
Flag: EXEMPT bugfix
Change-Id: I55ffdec9b7abc29be503d85a7ae2607ba81938de
Diffstat (limited to 'libs/androidfw/FileStream.cpp')
0 files changed, 0 insertions, 0 deletions
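The split the commit message describes between the read path (the resolved MTE policy is returned to any caller holding MANAGE_DEVICE_POLICY_MTE, the shell included) and the write path (on a managed device only the DPC may disable MTE) can be shown in a small model. The block below is an added example, not AOSP code: the `Admin` records, the coexistence rule that picks which admin's policy wins, and the numeric values of the policy constants are assumptions made for illustration, and the function names only echo the classes named in the commit.

```python
"""Toy model (added example, not AOSP code) of the MTE policy resolution and the
caller checks that the commit message describes. The admin names, the coexistence
rule and the policy numbering below are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class MtePolicy(IntEnum):
    # Names mirror the DevicePolicyManager MTE_* constants; the numeric values are assumed.
    NOT_CONTROLLED = 0
    ENABLED = 1
    DISABLED = 2


@dataclass(frozen=True)
class Admin:
    name: str
    is_dpc: bool                        # the device policy client (DPC) managing the device
    policy: MtePolicy = MtePolicy.NOT_CONTROLLED


# Assumed coexistence rule when several admins set a policy: an explicit ENABLED wins,
# otherwise an explicit DISABLED, otherwise MTE is not controlled by policy at all.
_PRECEDENCE = (MtePolicy.ENABLED, MtePolicy.DISABLED)


def enforcing_admin(admins: Iterable[Admin]) -> Optional[Admin]:
    """Admin whose MTE policy is in effect, or None when MTE is not managed.
    This stands in for the EnforcedAdmin that RestrictedLockUtilsInternal returns:
    Settings greys out the developer toggle exactly when this is not None."""
    admins = list(admins)
    for wanted in _PRECEDENCE:
        for admin in admins:
            if admin.policy == wanted:
                return admin
    return None


def get_mte_policy(admins: Iterable[Admin]) -> MtePolicy:
    """Resolved device-wide policy. As in the fix, the caller's identity plays no
    part: every holder of MANAGE_DEVICE_POLICY_MTE, the shell included, gets the
    same answer, because only the resolved policy matters."""
    admin = enforcing_admin(admins)
    return admin.policy if admin else MtePolicy.NOT_CONTROLLED


def can_disable_mte(caller: Admin, admins: Iterable[Admin], has_manage_permission: bool) -> bool:
    """Write path. The permission is required of everyone; on a managed device the
    additional check from the commit lets only the DPC disable MTE, so a shell that
    holds MANAGE_DEVICE_POLICY_MTE still cannot weaken a managed device."""
    if not has_manage_permission:
        return False
    if enforcing_admin(admins) is None:
        return True                     # unmanaged: the permission alone suffices
    return caller.is_dpc


if __name__ == "__main__":
    # Constructed sample: the shell queries the policy while an AAPM-style admin enforces it.
    shell = Admin("shell", is_dpc=False)
    aapm = Admin("aapm", is_dpc=False, policy=MtePolicy.ENABLED)
    dpc = Admin("dpc", is_dpc=True, policy=MtePolicy.ENABLED)
    print("policy seen by shell:", get_mte_policy([shell, aapm]).name)
    print("toggle greyed out:", enforcing_admin([shell, aapm]) is not None)
    print("shell may disable MTE:", can_disable_mte(shell, [shell, aapm], True))
    print("dpc may disable MTE:", can_disable_mte(dpc, [dpc, aapm], True))
```

The point the model makes explicit is that granting the shell MANAGE_DEVICE_POLICY_MTE widens only `get_mte_policy`, which is safe to expose because Developer Options already shows the state, while the privileged transition (disabling MTE on a managed device) stays behind the DPC check in `can_disable_mte`.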