1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.permissioncontroller.permission.utils;
18 
19 import android.Manifest;
20 import android.app.admin.DevicePolicyManager;
21 import android.content.Context;
22 import android.os.UserHandle;
23 import android.os.UserManager;
24 import android.util.ArraySet;
25 
26 import com.android.modules.utils.build.SdkLevel;
27 
/**
 * Helpers that decide whether an admin is allowed to grant a given runtime permission.
 *
 * <p>The decision is driven by two fixed permission sets defined in this class. A permission
 * that appears in neither set is always reported as grantable, so any newly restricted
 * permission has to be added to one of the sets to take effect.
 *
 * <p>Both {@code mayAdminGrantPermission} overloads encode the same rules independently; a
 * change to one needs the matching change in the other.
 */
public final class AdminRestrictedPermissionsUtils {
    /**
     * Permissions that the Profile Owner cannot grant and that the Device Owner could
     * potentially grant (depending on opt-out state).
     */
    private static final ArraySet<String> ADMIN_RESTRICTED_SENSORS_PERMISSIONS =
            buildAdminRestrictedSensorsPermissions();

    /**
     * Permissions that the managed Profile Owner cannot grant.
     */
    private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
            buildManagedProfileOwnerRestrictedPermissions();

    /** Builds the sensors-related restricted set; runs once during class initialization. */
    private static ArraySet<String> buildAdminRestrictedSensorsPermissions() {
        final ArraySet<String> sensors = new ArraySet<>();
        sensors.add(Manifest.permission.ACCESS_FINE_LOCATION);
        sensors.add(Manifest.permission.ACCESS_BACKGROUND_LOCATION);
        sensors.add(Manifest.permission.ACCESS_COARSE_LOCATION);
        sensors.add(Manifest.permission.CAMERA);
        sensors.add(Manifest.permission.RECORD_AUDIO);
        sensors.add(Manifest.permission.ACTIVITY_RECOGNITION);
        sensors.add(Manifest.permission.BODY_SENSORS);
        // These two were introduced in S, so they are only registered on S and above.
        if (SdkLevel.isAtLeastS()) {
            sensors.add(Manifest.permission.BACKGROUND_CAMERA);
            sensors.add(Manifest.permission.RECORD_BACKGROUND_AUDIO);
        }
        return sensors;
    }

    /** Builds the managed-profile restricted set; runs once during class initialization. */
    private static ArraySet<String> buildManagedProfileOwnerRestrictedPermissions() {
        final ArraySet<String> restricted = new ArraySet<>();
        restricted.add(Manifest.permission.READ_SMS);
        return restricted;
    }

    /**
     * Returns true if the admin may grant this permission, false otherwise.
     *
     * <p>Below S no restriction is applied and the result is always {@code true}. On S and
     * above, the managed-profile check runs first: a permission in the managed-profile set is
     * refused when {@code userId} is a managed profile. Otherwise a permission in the sensors
     * set is grantable only if {@link DevicePolicyManager#canAdminGrantSensorsPermissions()}
     * says so, and every other permission is grantable.
     *
     * @param context context used to derive a context for {@code userId}
     * @param permission name of the permission being checked
     * @param userId id of the user the grant would apply to
     * @return whether the admin may grant {@code permission} for {@code userId}
     */
    public static boolean mayAdminGrantPermission(Context context, String permission, int userId) {
        if (SdkLevel.isAtLeastS()) {
            final Context contextForUser =
                    context.createContextAsUser(UserHandle.of(userId), /* flags= */0);
            // NOTE(review): both services are dereferenced without a null check; confirm they
            // are always available in the per-user context.
            final DevicePolicyManager devicePolicyManager =
                    contextForUser.getSystemService(DevicePolicyManager.class);
            final UserManager userManager = contextForUser.getSystemService(UserManager.class);

            final boolean refusedForManagedProfile = userManager.isManagedProfile(userId)
                    && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
            if (refusedForManagedProfile) {
                return false;
            }

            // The device policy is only consulted for permissions in the sensors set.
            return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                    || devicePolicyManager.canAdminGrantSensorsPermissions();
        }
        return true;
    }

    /**
     * Returns true if the admin may grant this permission, false otherwise.
     *
     * <p>Same rules as the {@link Context}-based overload, but the caller supplies the two
     * facts that overload looks up itself. Below S the result is always {@code true}.
     *
     * @param permission name of the permission being checked
     * @param canAdminGrantSensorsPermissions result returned for permissions in the sensors set
     * @param isManagedProfile whether the target user is a managed profile
     * @return whether the admin may grant {@code permission}
     */
    public static boolean mayAdminGrantPermission(String permission,
            boolean canAdminGrantSensorsPermissions, boolean isManagedProfile) {
        if (SdkLevel.isAtLeastS()) {
            final boolean refusedForManagedProfile = isManagedProfile
                    && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
            if (refusedForManagedProfile) {
                return false;
            }

            return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                    || canAdminGrantSensorsPermissions;
        }
        return true;
    }
}