authorAmith Yamasani <yamasani@google.com>2015-04-28 14:00:26 -0700
committerAmith Yamasani <yamasani@google.com>2015-04-28 14:30:09 -0700
commitd49489b3af01c13d3b13af1cd04d53787185cc0a (patch)
tree9bbc6660bd05811e4f7bf12518fe5a8f334243de /services/devicepolicy/java/com/android
parent50ea942255e139d3ace81cdd3f90be75625edd69 (diff)
Permissions control via profile/device owner admin
Profile owners and Device owners can set policies for runtime permissions. Blanket grant/deny policy can be set for a user. They can also explicitly grant/revoke permissions for specific apps which cannot be overridden by the user and will not be prompted. [More implementation required in PackageManagerService and PackageInstaller] Bug: 20666663 Change-Id: I2c25c18c2a195db9023a17716d5896970848bb45
Diffstat (limited to 'services/devicepolicy/java/com/android')
-rw-r--r--services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java64
1 files changed, 63 insertions, 1 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 31d7f74..1d00de9 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -182,6 +182,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
private static final String ATTR_PERMISSION_PROVIDER = "permission-provider";
private static final String ATTR_SETUP_COMPLETE = "setup-complete";
private static final String ATTR_PREFERRED_SETUP_ACTIVITY = "setup-activity";
+ private static final String ATTR_PERMISSION_POLICY = "permission-policy";
private static final String ATTR_DELEGATED_CERT_INSTALLER = "delegated-cert-installer";
@@ -300,6 +301,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
int mPasswordOwner = -1;
long mLastMaximumTimeToLock = -1;
boolean mUserSetupComplete = false;
+ int mPermissionPolicy;
final HashMap<ComponentName, ActiveAdmin> mAdminMap = new HashMap<>();
final ArrayList<ActiveAdmin> mAdminList = new ArrayList<>();
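Review bot: `mPermissionPolicy` is declared without an initializer, so its starting value is the implicit int default rather than a named policy. The save hunk omits the attribute when the value equals `DevicePolicyManager.PERMISSION_POLICY_PROMPT`, and the load hunk leaves the field untouched when the attribute is absent, so the round trip is only correct if that constant equals the default. Making the assumption explicit with `int mPermissionPolicy = DevicePolicyManager.PERMISSION_POLICY_PROMPT;` keeps the persisted state correct if the constant values ever change.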
@@ -1409,6 +1411,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
out.attribute(null, ATTR_SETUP_COMPLETE,
Boolean.toString(true));
}
+ if (policy.mPermissionPolicy != DevicePolicyManager.PERMISSION_POLICY_PROMPT) {
+ out.attribute(null, ATTR_PERMISSION_POLICY,
+ Integer.toString(policy.mPermissionPolicy));
+ }
if (policy.mDelegatedCertInstallerPackage != null) {
out.attribute(null, ATTR_DELEGATED_CERT_INSTALLER,
policy.mDelegatedCertInstallerPackage);
@@ -1537,6 +1543,10 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
if (userSetupComplete != null && Boolean.toString(true).equals(userSetupComplete)) {
policy.mUserSetupComplete = true;
}
+ String permissionPolicy = parser.getAttributeValue(null, ATTR_PERMISSION_POLICY);
+ if (!TextUtils.isEmpty(permissionPolicy)) {
+ policy.mPermissionPolicy = Integer.parseInt(permissionPolicy);
+ }
policy.mDelegatedCertInstallerPackage = parser.getAttributeValue(null,
ATTR_DELEGATED_CERT_INSTALLER);
String preferredSetupActivity =
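Review bot: `Integer.parseInt(permissionPolicy)` takes the stored attribute as-is, so a malformed value throws `NumberFormatException` and an out-of-range number is accepted as the user's permission policy. The enclosing load method starts and ends outside this hunk, so whether that exception is caught there cannot be seen from here. I would parse defensively and fall back to `DevicePolicyManager.PERMISSION_POLICY_PROMPT` for anything that is not one of the defined policy constants, so that a damaged policy file degrades to prompting the user rather than to an undefined policy.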
@@ -4253,14 +4263,22 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return;
}
UserHandle callingUser = Binder.getCallingUserHandle();
+ int userId = callingUser.getIdentifier();
// Check if this is the profile owner who is calling
getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER);
synchronized (this) {
+ // Reset some of the profile-owner policies
+ DevicePolicyData policy = getUserData(userId);
+ policy.mPermissionPolicy = DevicePolicyManager.PERMISSION_POLICY_PROMPT;
+ policy.mDelegatedCertInstallerPackage = null;
+ policy.mStatusBarEnabledState = true;
+ saveSettingsLocked(userId);
+
long ident = Binder.clearCallingIdentity();
try {
clearUserRestrictions(callingUser);
if (mDeviceOwner != null) {
- mDeviceOwner.removeProfileOwner(callingUser.getIdentifier());
+ mDeviceOwner.removeProfileOwner(userId);
mDeviceOwner.writeOwnerFile();
}
} finally {
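Review bot: Resetting `mPermissionPolicy` to `PERMISSION_POLICY_PROMPT` here does not undo per-app grants or revocations the owner made through `setPermissionGranted`, and nothing in the visible lines reverts them, so they may outlive the profile owner. The commit message says more work is pending in PackageManagerService, so this may be planned; a marker such as `// TODO: also revert admin-set permission grants when the owner is cleared` would record it. The comment `// Reset some of the profile-owner policies` would also be more useful if it said which policies are deliberately left in place and why. The enclosing method starts and ends outside this hunk.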
@@ -6261,4 +6279,48 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
}
}
+
+ @Override
+ public void setPermissionPolicy(ComponentName admin, int policy) throws RemoteException {
+ int userId = UserHandle.getCallingUserId();
+ synchronized (this) {
+ getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
+ DevicePolicyData userPolicy = getUserData(userId);
+ if (userPolicy.mPermissionPolicy != policy) {
+ userPolicy.mPermissionPolicy = policy;
+ saveSettingsLocked(userId);
+ }
+ }
+ }
+
+ @Override
+ public int getPermissionPolicy(ComponentName admin) throws RemoteException {
+ int userId = UserHandle.getCallingUserId();
+ synchronized (this) {
+ DevicePolicyData userPolicy = getUserData(userId);
+ return userPolicy.mPermissionPolicy;
+ }
+ }
+
+ @Override
+ public boolean setPermissionGranted(ComponentName admin, String packageName,
+ String permission, boolean granted) throws RemoteException {
+ UserHandle user = Binder.getCallingUserHandle();
+ synchronized (this) {
+ getActiveAdminForCallerLocked(admin, DeviceAdminInfo.USES_POLICY_DEVICE_OWNER);
+ long ident = Binder.clearCallingIdentity();
+ try {
+ if (granted) {
+ mContext.getPackageManager().grantPermission(packageName, permission, user);
+ } else {
+ mContext.getPackageManager().revokePermission(packageName, permission, user);
+ }
+ return true;
+ } catch (SecurityException se) {
+ return false;
+ } finally {
+ Binder.restoreCallingIdentity(ident);
+ }
+ }
+ }
}
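Review bot: `setPermissionPolicy` stores and persists whatever int the caller passes; it should reject values outside the defined `DevicePolicyManager.PERMISSION_POLICY_*` constants before the assignment, for example with `throw new IllegalArgumentException("Unknown permission policy: " + policy);`. Both setters check `DeviceAdminInfo.USES_POLICY_DEVICE_OWNER`, while the commit message says profile owners can set these policies too and the clearProfileOwner hunk checks `USES_POLICY_PROFILE_OWNER`; please confirm which requirement is intended, since the helper's semantics are not visible here. In `setPermissionGranted` the grant runs after `Binder.clearCallingIdentity()`, so the admin check is the only gate, yet `packageName` and `permission` are passed through unchecked and a `SecurityException` is turned into `false` without being logged; logging the exception would keep denied attempts visible. `getPermissionPolicy` ignores `admin` and performs no caller check, so if it is meant to be readable by any caller a Javadoc line should say so.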