Merge "Allow DO/PO to go back to normal permission state." into mnc-dev

5 files changed, 69 insertions, 27 deletions

diff --git a/api/current.txt b/api/current.txt
index 2a2d9fc..e1d7c2b 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -5773,7 +5773,7 @@ package android.app.admin {
     method public void setPasswordMinimumSymbols(android.content.ComponentName, int);
     method public void setPasswordMinimumUpperCase(android.content.ComponentName, int);
     method public void setPasswordQuality(android.content.ComponentName, int);
-    method public boolean setPermissionGranted(android.content.ComponentName, java.lang.String, java.lang.String, boolean);
+    method public boolean setPermissionGrantState(android.content.ComponentName, java.lang.String, java.lang.String, int);
     method public void setPermissionPolicy(android.content.ComponentName, int);
     method public boolean setPermittedAccessibilityServices(android.content.ComponentName, java.util.List<java.lang.String>);
     method public boolean setPermittedInputMethods(android.content.ComponentName, java.util.List<java.lang.String>);
@@ -5862,6 +5862,9 @@ package android.app.admin {
     field public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX = 196608; // 0x30000
     field public static final int PASSWORD_QUALITY_SOMETHING = 65536; // 0x10000
     field public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; // 0x0
+    field public static final int PERMISSION_GRANT_STATE_DEFAULT = 0; // 0x0
+    field public static final int PERMISSION_GRANT_STATE_DENIED = 2; // 0x2
+    field public static final int PERMISSION_GRANT_STATE_GRANTED = 1; // 0x1
     field public static final int PERMISSION_POLICY_AUTO_DENY = 2; // 0x2
     field public static final int PERMISSION_POLICY_AUTO_GRANT = 1; // 0x1
     field public static final int PERMISSION_POLICY_PROMPT = 0; // 0x0
diff --git a/api/system-current.txt b/api/system-current.txt
index 2f30e4d..5772f6d 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -5882,7 +5882,7 @@ package android.app.admin {
     method public void setPasswordMinimumSymbols(android.content.ComponentName, int);
     method public void setPasswordMinimumUpperCase(android.content.ComponentName, int);
     method public void setPasswordQuality(android.content.ComponentName, int);
-    method public boolean setPermissionGranted(android.content.ComponentName, java.lang.String, java.lang.String, boolean);
+    method public boolean setPermissionGrantState(android.content.ComponentName, java.lang.String, java.lang.String, int);
     method public void setPermissionPolicy(android.content.ComponentName, int);
     method public boolean setPermittedAccessibilityServices(android.content.ComponentName, java.util.List<java.lang.String>);
     method public boolean setPermittedInputMethods(android.content.ComponentName, java.util.List<java.lang.String>);
@@ -5976,6 +5976,9 @@ package android.app.admin {
     field public static final int PASSWORD_QUALITY_NUMERIC_COMPLEX = 196608; // 0x30000
     field public static final int PASSWORD_QUALITY_SOMETHING = 65536; // 0x10000
     field public static final int PASSWORD_QUALITY_UNSPECIFIED = 0; // 0x0
+    field public static final int PERMISSION_GRANT_STATE_DEFAULT = 0; // 0x0
+    field public static final int PERMISSION_GRANT_STATE_DENIED = 2; // 0x2
+    field public static final int PERMISSION_GRANT_STATE_GRANTED = 1; // 0x1
     field public static final int PERMISSION_POLICY_AUTO_DENY = 2; // 0x2
     field public static final int PERMISSION_POLICY_AUTO_GRANT = 1; // 0x1
     field public static final int PERMISSION_POLICY_PROMPT = 0; // 0x0
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 55ff85a..a8f2311 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -825,6 +825,23 @@ public class DevicePolicyManager {
      */
     public static final int PERMISSION_POLICY_AUTO_DENY = 2;
 
+    /**
+     * Runtime permission state: The user can manage the permission
+     * through the UI.
+     */
+    public static final int PERMISSION_GRANT_STATE_DEFAULT = 0;
+
+    /**
+     * Runtime permission state: The permission is granted to the app
+     * and the user cannot manage the permission through the UI.
+     */
+    public static final int PERMISSION_GRANT_STATE_GRANTED = 1;
+
+    /**
+     * Runtime permission state: The permission is denied to the app
+     * and the user cannot manage the permission through the UI.
+     */
+    public static final int PERMISSION_GRANT_STATE_DENIED = 2;
 
     /**
      * Return true if the given administrator component is currently
@@ -4401,21 +4418,31 @@ public class DevicePolicyManager {
     }
 
     /**
-     * Grants or revokes a runtime permission to a specific application so that the user
-     * does not have to be prompted. This might affect all permissions in a group that the
-     * runtime permission belongs to. This method can only be called by a profile or device
-     * owner.
+     * Sets the grant state of a runtime permission for a specific application. The state
+     * can be {@link #PERMISSION_GRANT_STATE_DEFAULT default} in which a user can manage it
+     * through the UI, {@link #PERMISSION_GRANT_STATE_DENIED denied}, in which the permission
+     * is denied and the user cannot manage it through the UI, and {@link
+     * #PERMISSION_GRANT_STATE_GRANTED granted} in which the permission is granted and the
+     * user cannot manage it through the UI. This might affect all permissions in a
+     * group that the runtime permission belongs to. This method can only be called
+     * by a profile or device owner.
+     *
      * @param admin Which profile or device owner this request is associated with.
      * @param packageName The application to grant or revoke a permission to.
      * @param permission The permission to grant or revoke.
-     * @param granted Whether or not to grant the permission. If false, all permissions in the
-     * associated permission group will be denied.
-     * @return whether the permission was successfully granted or revoked
+     * @param grantState The permission grant state which is one of {@link
+     *         #PERMISSION_GRANT_STATE_DENIED}, {@link #PERMISSION_GRANT_STATE_DEFAULT},
+     *         {@link #PERMISSION_GRANT_STATE_GRANTED},
+     * @return whether the permission was successfully granted or revoked.
+     *
+     * @see #PERMISSION_GRANT_STATE_DENIED
+     * @see #PERMISSION_GRANT_STATE_DEFAULT
+     * @see #PERMISSION_GRANT_STATE_GRANTED
      */
-    public boolean setPermissionGranted(ComponentName admin, String packageName,
-            String permission, boolean granted) {
+    public boolean setPermissionGrantState(ComponentName admin, String packageName,
+            String permission, int grantState) {
         try {
-            return mService.setPermissionGranted(admin, packageName, permission, granted);
+            return mService.setPermissionGrantState(admin, packageName, permission, grantState);
         } catch (RemoteException re) {
             Log.w(TAG, "Failed talking with device policy service", re);
             return false;
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index 24ef604..10b0941 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -234,6 +234,6 @@ interface IDevicePolicyManager {
 
     void setPermissionPolicy(in ComponentName admin, int policy);
     int  getPermissionPolicy(in ComponentName admin);
-    boolean setPermissionGranted(in ComponentName admin, String packageName, String permission,
-            boolean granted);
+    boolean setPermissionGrantState(in ComponentName admin, String packageName,
+            String permission, int grantState);
 }
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 9ad7e11..a9e76d8 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -6392,25 +6392,34 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
     }
 
     @Override
-    public boolean setPermissionGranted(ComponentName admin, String packageName,
-            String permission, boolean granted) throws RemoteException {
+    public boolean setPermissionGrantState(ComponentName admin, String packageName,
+            String permission, int grantState) throws RemoteException {
         UserHandle user = Binder.getCallingUserHandle();
         synchronized (this) {
             getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
             long ident = Binder.clearCallingIdentity();
             try {
                 PackageManager packageManager = mContext.getPackageManager();
-                if (granted) {
-                    packageManager.grantRuntimePermission(packageName, permission, user);
-                    packageManager.updatePermissionFlags(permission, packageName,
-                            PackageManager.FLAG_PERMISSION_POLICY_FIXED,
-                            PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
-                } else {
-                    packageManager.revokeRuntimePermission(packageName,
-                            permission, user);
-                    packageManager.updatePermissionFlags(permission, packageName,
-                            PackageManager.FLAG_PERMISSION_POLICY_FIXED,
-                            PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
+                switch (grantState) {
+                    case DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED: {
+                        packageManager.grantRuntimePermission(packageName, permission, user);
+                        packageManager.updatePermissionFlags(permission, packageName,
+                                PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+                                PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
+                    } break;
+
+                    case DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED: {
+                        packageManager.revokeRuntimePermission(packageName,
+                                permission, user);
+                        packageManager.updatePermissionFlags(permission, packageName,
+                                PackageManager.FLAG_PERMISSION_POLICY_FIXED,
+                                PackageManager.FLAG_PERMISSION_POLICY_FIXED, user);
+                    } break;
+
+                    case DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT: {
+                        packageManager.updatePermissionFlags(permission, packageName,
+                                PackageManager.FLAG_PERMISSION_POLICY_FIXED, 0, user);
+                    } break;
                 }
                 return true;
             } catch (SecurityException se) {