diff options
5 files changed, 86 insertions, 126 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 82e5ebf755c2..471f460433b9 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -60,7 +60,6 @@ import android.graphics.drawable.Drawable; import android.net.PrivateDnsConnectivityChecker; import android.net.ProxyInfo; import android.net.Uri; -import android.net.wifi.WifiSsid; import android.nfc.NfcAdapter; import android.os.Binder; import android.os.Build; @@ -112,7 +111,6 @@ import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.net.InetSocketAddress; import java.net.Proxy; -import java.nio.charset.StandardCharsets; import java.security.KeyFactory; import java.security.KeyPair; import java.security.NoSuchAlgorithmException; @@ -15237,26 +15235,15 @@ public class DevicePolicyManager { */ public void setWifiSsidPolicy(@Nullable WifiSsidPolicy policy) { throwIfParentInstance("setWifiSsidPolicy"); - if (mService != null) { - try { - if (policy == null) { - mService.setSsidAllowlist(new ArrayList<>()); - } else { - int policyType = policy.getPolicyType(); - List<String> ssidList = new ArrayList<>(); - for (WifiSsid ssid : policy.getSsids()) { - ssidList.add(new String(ssid.getBytes(), StandardCharsets.UTF_8)); - } - if (policyType == WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_ALLOWLIST) { - mService.setSsidAllowlist(ssidList); - } else { - mService.setSsidDenylist(ssidList); - } - } - } catch (RemoteException e) { - throw e.rethrowFromSystemServer(); - } + if (mService == null) { + return; + } + try { + mService.setWifiSsidPolicy(policy); + } catch (RemoteException e) { + throw e.rethrowFromSystemServer(); } + } /** @@ -15274,30 +15261,10 @@ public class DevicePolicyManager { return null; } try { - List<String> allowlist = mService.getSsidAllowlist(); - if (!allowlist.isEmpty()) { - List<WifiSsid> wifiSsidAllowlist = new ArrayList<>(); - for (String ssid : allowlist) { - wifiSsidAllowlist.add( - WifiSsid.fromBytes(ssid.getBytes(StandardCharsets.UTF_8))); - } - return new WifiSsidPolicy(WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_ALLOWLIST, - new ArraySet<>(wifiSsidAllowlist)); - } - List<String> denylist = mService.getSsidDenylist(); - if (!denylist.isEmpty()) { - List<WifiSsid> wifiSsidDenylist = new ArrayList<>(); - for (String ssid : denylist) { - wifiSsidDenylist.add( - WifiSsid.fromBytes(ssid.getBytes(StandardCharsets.UTF_8))); - } - return new WifiSsidPolicy(WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_DENYLIST, - new ArraySet<>(wifiSsidDenylist)); - } + return mService.getWifiSsidPolicy(); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } - return null; } /** diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl index 8a9ef4bf9e0e..6c6a7ca70837 100644 --- a/core/java/android/app/admin/IDevicePolicyManager.aidl +++ b/core/java/android/app/admin/IDevicePolicyManager.aidl @@ -33,6 +33,7 @@ import android.app.admin.PasswordMetrics; import android.app.admin.FactoryResetProtectionPolicy; import android.app.admin.ManagedProfileProvisioningParams; import android.app.admin.FullyManagedDeviceProvisioningParams; +import android.app.admin.WifiSsidPolicy; import android.content.ComponentName; import android.content.Intent; import android.content.IntentFilter; @@ -545,10 +546,8 @@ interface IDevicePolicyManager { void setMinimumRequiredWifiSecurityLevel(int level); int getMinimumRequiredWifiSecurityLevel(); - void setSsidAllowlist(in List<String> ssids); - List<String> getSsidAllowlist(); - void setSsidDenylist(in List<String> ssids); - List<String> getSsidDenylist(); + void setWifiSsidPolicy(in WifiSsidPolicy policy); + WifiSsidPolicy getWifiSsidPolicy(); List<UserHandle> listForegroundAffiliatedUsers(); void setDrawables(in List<DevicePolicyDrawableResource> drawables); diff --git a/core/java/android/app/admin/WifiSsidPolicy.java b/core/java/android/app/admin/WifiSsidPolicy.java index e91807535c6e..3fefe4bda331 100644 --- a/core/java/android/app/admin/WifiSsidPolicy.java +++ b/core/java/android/app/admin/WifiSsidPolicy.java @@ -25,6 +25,7 @@ import android.util.ArraySet; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; +import java.util.Objects; import java.util.Set; /** @@ -135,6 +136,23 @@ public final class WifiSsidPolicy implements Parcelable { } @Override + public boolean equals(Object thatObject) { + if (this == thatObject) { + return true; + } + if (!(thatObject instanceof WifiSsidPolicy)) { + return false; + } + WifiSsidPolicy that = (WifiSsidPolicy) thatObject; + return mPolicyType == that.mPolicyType && Objects.equals(mSsids, that.mSsids); + } + + @Override + public int hashCode() { + return Objects.hash(mPolicyType, mSsids); + } + + @Override public int describeContents() { return 0; } diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java index 48c40523e9c2..aca138935491 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/ActiveAdmin.java @@ -19,6 +19,8 @@ package com.android.server.devicepolicy; import static android.app.admin.DevicePolicyManager.NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY; import static android.app.admin.DevicePolicyManager.PASSWORD_COMPLEXITY_NONE; import static android.app.admin.DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED; +import static android.app.admin.WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_ALLOWLIST; +import static android.app.admin.WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_DENYLIST; import static com.android.server.devicepolicy.DevicePolicyManagerService.LOG_TAG; @@ -33,7 +35,9 @@ import android.app.admin.DevicePolicyManager; import android.app.admin.FactoryResetProtectionPolicy; import android.app.admin.PasswordPolicy; import android.app.admin.PreferentialNetworkServiceConfig; +import android.app.admin.WifiSsidPolicy; import android.graphics.Color; +import android.net.wifi.WifiSsid; import android.os.Bundle; import android.os.PersistableBundle; import android.os.UserHandle; @@ -53,6 +57,7 @@ import com.android.server.utils.Slogf; import org.xmlpull.v1.XmlPullParserException; import java.io.IOException; +import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -60,6 +65,7 @@ import java.util.List; import java.util.Map; import java.util.Set; import java.util.function.Predicate; +import java.util.stream.Collectors; class ActiveAdmin { private static final String TAG_DISABLE_KEYGUARD_FEATURES = "disable-keyguard-features"; @@ -242,13 +248,8 @@ class ActiveAdmin { // List of package names to keep cached. List<String> keepUninstalledPackages; - // The allowlist of SSIDs the device may connect to. - // By default, the allowlist restriction is deactivated. - List<String> mSsidAllowlist; - - // The denylist of SSIDs the device may not connect to. - // By default, the denylist restriction is deactivated. - List<String> mSsidDenylist; + // Wi-Fi SSID restriction policy. + WifiSsidPolicy mWifiSsidPolicy; // TODO: review implementation decisions with frameworks team boolean specifiesGlobalProxy = false; @@ -594,14 +595,22 @@ class ActiveAdmin { if (mWifiMinimumSecurityLevel != DevicePolicyManager.WIFI_SECURITY_OPEN) { writeAttributeValueToXml(out, TAG_WIFI_MIN_SECURITY, mWifiMinimumSecurityLevel); } - if (mSsidAllowlist != null && !mSsidAllowlist.isEmpty()) { - writeAttributeValuesToXml(out, TAG_SSID_ALLOWLIST, TAG_SSID, mSsidAllowlist); - } - if (mSsidDenylist != null && !mSsidDenylist.isEmpty()) { - writeAttributeValuesToXml(out, TAG_SSID_DENYLIST, TAG_SSID, mSsidDenylist); + if (mWifiSsidPolicy != null) { + List<String> ssids = ssidsToStrings(mWifiSsidPolicy.getSsids()); + if (mWifiSsidPolicy.getPolicyType() == WIFI_SSID_POLICY_TYPE_ALLOWLIST) { + writeAttributeValuesToXml(out, TAG_SSID_ALLOWLIST, TAG_SSID, ssids); + } else if (mWifiSsidPolicy.getPolicyType() == WIFI_SSID_POLICY_TYPE_DENYLIST) { + writeAttributeValuesToXml(out, TAG_SSID_DENYLIST, TAG_SSID, ssids); + } } } + private List<String> ssidsToStrings(Set<WifiSsid> ssids) { + return ssids.stream() + .map(ssid -> new String(ssid.getBytes(), StandardCharsets.UTF_8)) + .collect(Collectors.toList()); + } + void writeTextToXml(TypedXmlSerializer out, String tag, String text) throws IOException { out.startTag(null, tag); out.text(text); @@ -855,11 +864,13 @@ class ActiveAdmin { } else if (TAG_WIFI_MIN_SECURITY.equals(tag)) { mWifiMinimumSecurityLevel = parser.getAttributeInt(null, ATTR_VALUE); } else if (TAG_SSID_ALLOWLIST.equals(tag)) { - mSsidAllowlist = new ArrayList<>(); - readAttributeValues(parser, TAG_SSID, mSsidAllowlist); + List<WifiSsid> ssids = readWifiSsids(parser, TAG_SSID); + mWifiSsidPolicy = new WifiSsidPolicy( + WIFI_SSID_POLICY_TYPE_ALLOWLIST, new ArraySet<>(ssids)); } else if (TAG_SSID_DENYLIST.equals(tag)) { - mSsidDenylist = new ArrayList<>(); - readAttributeValues(parser, TAG_SSID, mSsidDenylist); + List<WifiSsid> ssids = readWifiSsids(parser, TAG_SSID); + mWifiSsidPolicy = new WifiSsidPolicy( + WIFI_SSID_POLICY_TYPE_DENYLIST, new ArraySet<>(ssids)); } else { Slogf.w(LOG_TAG, "Unknown admin tag: %s", tag); XmlUtils.skipCurrentTag(parser); @@ -867,6 +878,16 @@ class ActiveAdmin { } } + private List<WifiSsid> readWifiSsids(TypedXmlPullParser parser, String tag) + throws XmlPullParserException, IOException { + List<String> ssidStrings = new ArrayList<>(); + readAttributeValues(parser, tag, ssidStrings); + List<WifiSsid> ssids = ssidStrings.stream() + .map(ssid -> WifiSsid.fromBytes(ssid.getBytes(StandardCharsets.UTF_8))) + .collect(Collectors.toList()); + return ssids; + } + private List<String> readPackageList(TypedXmlPullParser parser, String tag) throws XmlPullParserException, IOException { List<String> result = new ArrayList<String>(); @@ -1222,11 +1243,14 @@ class ActiveAdmin { pw.print("mWifiMinimumSecurityLevel="); pw.println(mWifiMinimumSecurityLevel); - pw.print("mSsidAllowlist="); - pw.println(mSsidAllowlist); - - pw.print("mSsidDenylist="); - pw.println(mSsidDenylist); + if (mWifiSsidPolicy != null) { + if (mWifiSsidPolicy.getPolicyType() == WIFI_SSID_POLICY_TYPE_ALLOWLIST) { + pw.print("mSsidAllowlist="); + } else { + pw.print("mSsidDenylist="); + } + pw.println(ssidsToStrings(mWifiSsidPolicy.getSsids())); + } if (mFactoryResetProtectionPolicy != null) { pw.println("mFactoryResetProtectionPolicy:"); diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index 55e504a3b611..69fd0ecbff78 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -274,7 +274,6 @@ import android.net.Uri; import android.net.VpnManager; import android.net.metrics.IpConnectivityLog; import android.net.wifi.WifiManager; -import android.net.wifi.WifiSsid; import android.os.Binder; import android.os.Build; import android.os.Bundle; @@ -395,7 +394,6 @@ import java.io.FileOutputStream; import java.io.IOException; import java.io.PrintWriter; import java.lang.reflect.Constructor; -import java.nio.charset.StandardCharsets; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -18572,13 +18570,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { .notifyMinimumRequiredWifiSecurityLevelChanged(level)); } - private void notifyWifiSsidPolicyChanged(int policyType, List<String> ssids) { - List<WifiSsid> wifiSsidList = new ArrayList<>(); - for (String ssid : ssids) { - wifiSsidList.add( - WifiSsid.fromBytes(ssid.getBytes(StandardCharsets.UTF_8))); + private void notifyWifiSsidPolicyChanged(WifiSsidPolicy policy) { + if (policy == null) { + // If policy doesn't limit SSIDs, no need to disconnect anything. + return; } - WifiSsidPolicy policy = new WifiSsidPolicy(policyType, new ArraySet<>(wifiSsidList)); mInjector.binderWithCleanCallingIdentity( () -> mInjector.getWifiManager().notifyWifiSsidPolicyChanged(policy)); } @@ -18614,84 +18610,40 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } @Override - public void setSsidAllowlist(List<String> ssids) { - final CallerIdentity caller = getCallerIdentity(); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), - "SSID allowlist can only be controlled by a device owner or " - + "a profile owner on an organization-owned device."); - - Collections.sort(ssids); - boolean changed = false; - synchronized (getLockObject()) { - final ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller); - if (!ssids.equals(admin.mSsidAllowlist)) { - admin.mSsidAllowlist = ssids; - admin.mSsidDenylist = null; - changed = true; - } - if (changed) saveSettingsLocked(caller.getUserId()); - } - if (changed && !ssids.isEmpty()) { - notifyWifiSsidPolicyChanged(WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_ALLOWLIST, ssids); - } - } - - @Override - public List<String> getSsidAllowlist() { + public WifiSsidPolicy getWifiSsidPolicy() { final CallerIdentity caller = getCallerIdentity(); Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller) || canQueryAdminPolicy(caller), - "SSID allowlist can only be retrieved by a device owner or " + "SSID policy can only be retrieved by a device owner or " + "a profile owner on an organization-owned device or " + "an app with the QUERY_ADMIN_POLICY permission."); synchronized (getLockObject()) { final ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( UserHandle.USER_SYSTEM); - return (admin == null || admin.mSsidAllowlist == null) ? new ArrayList<>() - : admin.mSsidAllowlist; + return admin != null ? admin.mWifiSsidPolicy : null; } } @Override - public void setSsidDenylist(List<String> ssids) { + public void setWifiSsidPolicy(WifiSsidPolicy policy) { final CallerIdentity caller = getCallerIdentity(); Preconditions.checkCallAuthorization( isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller), "SSID denylist can only be controlled by a device owner or " + "a profile owner on an organization-owned device."); - Collections.sort(ssids); boolean changed = false; synchronized (getLockObject()) { final ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller); - if (!ssids.equals(admin.mSsidDenylist)) { - admin.mSsidDenylist = ssids; - admin.mSsidAllowlist = null; + if (!Objects.equals(policy, admin.mWifiSsidPolicy)) { + admin.mWifiSsidPolicy = policy; changed = true; } if (changed) saveSettingsLocked(caller.getUserId()); } if (changed) { - notifyWifiSsidPolicyChanged(WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_DENYLIST, ssids); - } - } - - @Override - public List<String> getSsidDenylist() { - final CallerIdentity caller = getCallerIdentity(); - Preconditions.checkCallAuthorization( - isDefaultDeviceOwner(caller) || isProfileOwnerOfOrganizationOwnedDevice(caller) - || canQueryAdminPolicy(caller), - "SSID denylist can only be retrieved by a device owner or " - + "a profile owner on an organization-owned device or " - + "an app with the QUERY_ADMIN_POLICY permission."); - synchronized (getLockObject()) { - final ActiveAdmin admin = getDeviceOwnerOrProfileOwnerOfOrganizationOwnedDeviceLocked( - UserHandle.USER_SYSTEM); - return (admin == null || admin.mSsidDenylist == null) ? new ArrayList<>() - : admin.mSsidDenylist; + notifyWifiSsidPolicyChanged(policy); } } |