authorJim Miller <jaggies@google.com>2014-07-18 19:00:02 -0700
committerJim Miller <jaggies@google.com>2014-07-28 21:32:01 -0700
commit604e7558ef32098644b2f9456d7743a07ae789dc (patch)
treec8e5ec30a280a3a26768a0df8c5f2e75f29e0d32 /core/java/android/app/admin
parent3af1afb0696fac2b3e0dd537048c0e6d11d2df03 (diff)
Add new DevicePolicyManager API to allow fine-grained TrustAgent management
This adds a new feature that allows a device admin to specify a whitelist of features that are allowed for the given admin. Change-Id: I83f853318efbcf72308532d0a997374f73fa9c10
Diffstat (limited to 'core/java/android/app/admin')
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java46
-rw-r--r--core/java/android/app/admin/IDevicePolicyManager.aidl4
2 files changed, 50 insertions, 0 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 76cf29a..20a0072 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -54,6 +54,7 @@ import java.net.Proxy;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.List;
import java.util.Set;
@@ -2327,6 +2328,51 @@ public class DevicePolicyManager {
}
/**
+ * Sets a list of features to enable for a TrustAgentService component. This is meant to be
+ * used in conjunction with {@link #KEYGUARD_DISABLE_TRUST_AGENTS}, which will disable all
+ * trust agents but those with features enabled by this function call.
+ *
+ * <p>The calling device admin must have requested
+ * {@link DeviceAdminInfo#USES_POLICY_DISABLE_KEYGUARD_FEATURES} to be able to call
+ * this method; if it has not, a security exception will be thrown.
+ *
+ * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
+ * @param agent Which component to enable features for.
+ * @param features List of features to enable. Consult specific TrustAgent documentation for
+ * the feature list.
+ */
+ public void setTrustAgentFeaturesEnabled(ComponentName admin, ComponentName agent,
+ List<String> features) {
+ if (mService != null) {
+ try {
+ mService.setTrustAgentFeaturesEnabled(admin, agent, features, UserHandle.myUserId());
+ } catch (RemoteException e) {
+ Log.w(TAG, "Failed talking with device policy service", e);
+ }
+ }
+ }
+
+ /**
+ * Gets list of enabled features for the given {@link TrustAgentService} agent. If admin is
+ * null, this will return the intersection of all features enabled for the given agent by all
+ * admins.
+ *
+ * @param admin Which {@link DeviceAdminReceiver} this request is associated with.
+ * @param agent Which component to get enabled features for.
+ * @return List of enabled features.
+ */
+ public List<String> getTrustAgentFeaturesEnabled(ComponentName admin, ComponentName agent) {
+ if (mService != null) {
+ try {
+ return mService.getTrustAgentFeaturesEnabled(admin, agent, UserHandle.myUserId());
+ } catch (RemoteException e) {
+ Log.w(TAG, "Failed talking with device policy service", e);
+ }
+ }
+ return new ArrayList<String>(); // empty list
+ }
+
+ /**
* Called by a profile owner to set whether caller-Id information from the managed
* profile will be shown for incoming calls.
*
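Review bot: The `@return` text on `getTrustAgentFeaturesEnabled` does not say that the same empty list comes back when `mService` is null or the binder call throws `RemoteException`. A caller therefore cannot tell "no features are whitelisted for this agent" from "the policy could not be read". I would document it as `@return List of enabled features; empty if none are enabled or if the device policy service could not be reached.` and state on `@param admin` that it may be null. `setTrustAgentFeaturesEnabled` has the matching gap: it only logs the `RemoteException`, so an admin gets no signal that the restriction was not applied. Its Javadoc should say so, and should also say whether a null or empty `features` clears the list.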
diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
index 6499ae4..a6544e6 100644
--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -169,4 +169,8 @@ interface IDevicePolicyManager {
void setCrossProfileCallerIdDisabled(in ComponentName who, boolean disabled);
boolean getCrossProfileCallerIdDisabled(in ComponentName who);
boolean getCrossProfileCallerIdDisabledForUser(int userId);
+
+ void setTrustAgentFeaturesEnabled(in ComponentName admin, in ComponentName agent, in List<String> features, int userId);
+ List<String> getTrustAgentFeaturesEnabled(in ComponentName admin, in ComponentName agent, int userId);
+
}
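Review bot: Both new binder methods take `admin` and `userId` straight from the caller, and nothing in this interface records what the service must check before acting on them. The manager wrapper always passes `UserHandle.myUserId()`, but a process talking to the binder directly is not bound by that. The service-side implementation is not part of this diff, so it is worth confirming there that the setter rejects a `userId` the calling uid may not act for. It should also verify that `admin` is an active admin owned by the caller and holding the keyguard-features policy that the Javadoc promises. A short comment above the two declarations would keep that contract visible, for example `// userId and admin are caller-supplied; the service must validate both against the calling uid.`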