author Eran Messeri <eranm@google.com> 2025-03-20 10:58:55 +0000
committer Eran Messeri <eranm@google.com> 2025-03-21 10:59:27 +0000
commit e6020127d89dd38ae4416bb09995926f4d615686 (patch)
tree 3846f63ced233ba30d2c52fd355416abc46ff945
parent 701f30433fa1960cbdf8490fea160e2333f2527d (diff)
Add the MTE policy to the shell roles
It is safe for the shell to have this permission because:
* A human can query and modify the state of the Memory Tagging Extension policy via Developer Options.
* If the device is managed and the user tries to disable MTE, there is an additional check in the DevicePolicyManagerService that only the device policy client (DPC) can disable MTE.

Bug: 402456665
Test: atest CtsSecurityTestCases:android.security.cts.advancedprotection.MemoryTaggingExtensionTest
Flag: EXEMPT bugfix
Relnote: Adding the MANAGE_DEVICE_POLICY_MTE permission to the Shell for testing.
LOW_COVERAGE_REASON=NON_CODE_ONLY
Change-Id: I674b360342820cd159a66467bd332fe7a2f6d84a
-rw-r--r-- PermissionController/res/xml/roles.xml 2
1 files changed, 2 insertions, 0 deletions
diff --git a/PermissionController/res/xml/roles.xml b/PermissionController/res/xml/roles.xml
index 4ba524462..8a8a05c49 100644
--- a/PermissionController/res/xml/roles.xml
+++ b/PermissionController/res/xml/roles.xml
@@ -726,6 +726,8 @@
minSdkVersion="35" />
<permission name="android.permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING"
minSdkVersion="35" />
+ <permission name="android.permission.MANAGE_DEVICE_POLICY_MTE"
+ minSdkVersion="36" />
</permissions>
<!-- App ops needed to allow background access to audio APIs for CTS -->
<app-ops>
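Review bot: The added MANAGE_DEVICE_POLICY_MTE entry carries no in-file explanation, and it is gated at minSdkVersion="36" while the neighbouring MANAGE_DEVICE_POLICY_* entries in this hunk use 35. The reasoning for why the shell may hold this permission (Developer Options already exposes the MTE state, and DevicePolicyManagerService restricts disabling MTE on managed devices to the DPC) exists only in the commit message, so anyone auditing the shell role from roles.xml alone will not see it. Suggest a short XML comment above the new element, in the style of the "App ops needed ... for CTS" comment further down, stating that the grant exists for CTS testing and why 36 is the right floor.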