-rw-r--r--data/etc/privapp-permissions-platform.xml2
-rw-r--r--packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java17
-rw-r--r--packages/Shell/AndroidManifest.xml1
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java7
4 files changed, 16 insertions, 11 deletions
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index 9234902335c1..b32a502ab82e 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -621,6 +621,8 @@ applications that come with the platform
<permission name="android.permission.READ_COLOR_ZONES"/>
<!-- Permission required for CTS test - CtsTextClassifierTestCases -->
<permission name="android.permission.ACCESS_TEXT_CLASSIFIER_BY_TYPE"/>
+ <!-- Permission required for CTS test - CtsSecurityTestCases -->
+ <permission name="android.permission.MANAGE_DEVICE_POLICY_MTE"/>
</privapp-permissions>
<privapp-permissions package="com.android.statementservice">
diff --git a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
index 4de64769b425..89ed37cc5fbb 100644
--- a/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
+++ b/packages/SettingsLib/src/com/android/settingslib/RestrictedLockUtilsInternal.java
@@ -77,6 +77,10 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
private static final String ROLE_DEVICE_LOCK_CONTROLLER =
"android.app.role.SYSTEM_FINANCED_DEVICE_CONTROLLER";
+ //TODO(b/378931989): Switch to android.app.admin.DevicePolicyIdentifiers.MEMORY_TAGGING_POLICY
+ //when the appropriate flag is launched.
+ private static final String MEMORY_TAGGING_POLICY = "memoryTagging";
+
/**
* @return drawables for displaying with settings that are locked by a device admin.
*/
@@ -838,14 +842,13 @@ public class RestrictedLockUtilsInternal extends RestrictedLockUtils {
if (dpm.getMtePolicy() == MTE_NOT_CONTROLLED_BY_POLICY) {
return null;
}
- EnforcedAdmin admin =
- RestrictedLockUtils.getProfileOrDeviceOwner(
- context, context.getUser());
- if (admin != null) {
- return admin;
+ EnforcingAdmin enforcingAdmin = context.getSystemService(DevicePolicyManager.class)
+ .getEnforcingAdmin(context.getUserId(), MEMORY_TAGGING_POLICY);
+ if (enforcingAdmin == null) {
+ Log.w(LOG_TAG, "MTE is controlled by policy but could not find enforcing admin.");
}
- int profileId = getManagedProfileId(context, context.getUserId());
- return RestrictedLockUtils.getProfileOrDeviceOwner(context, UserHandle.of(profileId));
+
+ return EnforcedAdmin.createDefaultEnforcedAdminWithRestriction(MEMORY_TAGGING_POLICY);
}
/**
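Review bot: The result of `getEnforcingAdmin(...)` feeds only the null check and the warning. The method then returns `EnforcedAdmin.createDefaultEnforcedAdminWithRestriction(MEMORY_TAGGING_POLICY)` in every case, so the returned object never carries the admin that was looked up. If that is intentional (presumably the support dialog resolves the admin later from the identifier), a comment such as `// Lookup is diagnostic only; the returned EnforcedAdmin carries just the policy identifier.` would keep a later reader from treating the unused local as a bug. The lookup also fetches the service again through `context.getSystemService(DevicePolicyManager.class)` without a null check, although `dpm` is already used on the first line of the hunk. If `dpm` is the same `DevicePolicyManager`, `dpm.getEnforcingAdmin(context.getUserId(), MEMORY_TAGGING_POLICY)` is shorter and avoids the second lookup. The enclosing method starts outside the hunk.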
diff --git a/packages/Shell/AndroidManifest.xml b/packages/Shell/AndroidManifest.xml
index 55f7317f25e4..b8534ffe9476 100644
--- a/packages/Shell/AndroidManifest.xml
+++ b/packages/Shell/AndroidManifest.xml
@@ -961,6 +961,7 @@
android:featureFlag="android.security.aapm_api"/>
<uses-permission android:name="android.permission.QUERY_ADVANCED_PROTECTION_MODE"
android:featureFlag="android.security.aapm_api"/>
+ <uses-permission android:name="android.permission.MANAGE_DEVICE_POLICY_MTE" />
<!-- Permission required for CTS test - IntrusionDetectionManagerTest -->
<uses-permission android:name="android.permission.READ_INTRUSION_DETECTION_STATE"
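Review bot: The added `MANAGE_DEVICE_POLICY_MTE` line has no comment naming what needs it, unlike the entry below it and unlike the matching allowlist entry in privapp-permissions-platform.xml. It also sits directly under the `aapm_api`-flagged entries, so it reads as part of that group. Put `<!-- Permission required for CTS test - CtsSecurityTestCases -->` above it. This grant lets the shell identity pass the MTE device-policy permission check, so a stated reason in the manifest makes it easier to audit or remove later.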
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 51ed6bb2aa40..e04fe080786a 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -23891,10 +23891,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
UserHandle.USER_ALL);
synchronized (getLockObject()) {
- final EnforcingAdmin admin = enforcePermissionAndGetEnforcingAdmin(null,
- MANAGE_DEVICE_POLICY_MTE, callerPackageName, caller.getUserId());
- final Integer policyFromAdmin = mDevicePolicyEngine.getGlobalPolicySetByAdmin(
- PolicyDefinition.MEMORY_TAGGING, admin);
+ final Integer policyFromAdmin = mDevicePolicyEngine.getResolvedPolicy(
+ PolicyDefinition.MEMORY_TAGGING, UserHandle.USER_ALL);
+
return (policyFromAdmin != null ? policyFromAdmin
: DevicePolicyManager.MTE_NOT_CONTROLLED_BY_POLICY);
}
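Review bot: With `enforcePermissionAndGetEnforcingAdmin(...)` removed, nothing inside the `synchronized` block checks `MANAGE_DEVICE_POLICY_MTE` any more. Caller authorization now rests entirely on the statement that ends at `UserHandle.USER_ALL);`, which begins outside the hunk, so please confirm that it enforces the permission. The method also now returns the policy resolved for `UserHandle.USER_ALL` rather than the value set by the calling admin, which makes the local name `policyFromAdmin` misleading. Renaming it to `resolvedPolicy` and adding `// Resolved across all admins, not only the caller's.` would match what the code does.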