1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.permissioncontroller.permission.utils;
18 
19 import android.Manifest;
20 import android.app.admin.DevicePolicyManager;
21 import android.content.Context;
22 import android.os.UserHandle;
23 import android.os.UserManager;
24 import android.util.ArraySet;
25 
26 import com.android.modules.utils.build.SdkLevel;
27 
/**
 * Utilities for permissions that the admin may not grant in certain configurations.
 *
 * <p>Both {@code mayAdminGrantPermission} overloads evaluate the same checks in the same order:
 * platform level first, then the managed-profile deny list, then the sensors list. Keep the two
 * overloads in step when either list or the order of checks changes.
 */
public final class AdminRestrictedPermissionsUtils {
    /**
     * Permissions that the Profile Owner cannot grant and that the Device Owner could
     * potentially grant (depending on opt-out state).
     */
    private static final ArraySet<String> ADMIN_RESTRICTED_SENSORS_PERMISSIONS =
            buildAdminRestrictedSensorsPermissions();

    /**
     * Permissions that the managed Profile Owner cannot grant.
     */
    private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS =
            buildManagedProfileOwnerRestrictedPermissions();

    /** Builds the sensors set once at class initialization, gated on the running SDK level. */
    private static ArraySet<String> buildAdminRestrictedSensorsPermissions() {
        final ArraySet<String> sensors = new ArraySet<>();
        final String[] availableOnAllLevels = {
            Manifest.permission.ACCESS_FINE_LOCATION,
            Manifest.permission.ACCESS_BACKGROUND_LOCATION,
            Manifest.permission.ACCESS_COARSE_LOCATION,
            Manifest.permission.CAMERA,
            Manifest.permission.RECORD_AUDIO,
            Manifest.permission.ACTIVITY_RECOGNITION,
            Manifest.permission.BODY_SENSORS,
        };
        for (String name : availableOnAllLevels) {
            sensors.add(name);
        }
        // Permissions introduced in S: only listed when running on S and above.
        if (SdkLevel.isAtLeastS()) {
            sensors.add(Manifest.permission.BACKGROUND_CAMERA);
            sensors.add(Manifest.permission.RECORD_BACKGROUND_AUDIO);
        }
        // Permissions introduced in T: only listed when running on T and above.
        if (SdkLevel.isAtLeastT()) {
            sensors.add(Manifest.permission.BODY_SENSORS_BACKGROUND);
        }
        return sensors;
    }

    /** Builds the managed-profile deny list once at class initialization. */
    private static ArraySet<String> buildManagedProfileOwnerRestrictedPermissions() {
        final ArraySet<String> denied = new ArraySet<>();
        denied.add(Manifest.permission.READ_SMS);
        return denied;
    }

    /**
     * Returns true if the admin may grant this permission, false otherwise.
     *
     * <p>Below S this returns true without consulting either restricted set. On S and above the
     * managed-profile state and the sensors opt-out state are read from the system services of
     * the user identified by {@code userId}.
     *
     * @param context    context used to create a context for the target user
     * @param permission name of the permission the admin wants to grant
     * @param userId     id of the user the grant would apply to
     * @return whether the admin is allowed to grant {@code permission} for that user
     */
    public static boolean mayAdminGrantPermission(Context context, String permission, int userId) {
        if (!SdkLevel.isAtLeastS()) {
            return true;
        }

        // NOTE(review): both services are dereferenced below without a null check; confirm they
        // are always available wherever this is called.
        final Context contextForUser =
                context.createContextAsUser(UserHandle.of(userId), /* flags= */0);
        final DevicePolicyManager devicePolicyManager =
                contextForUser.getSystemService(DevicePolicyManager.class);
        final UserManager userManager = contextForUser.getSystemService(UserManager.class);

        // The managed-profile deny list is checked first and cannot be overridden by the
        // sensors opt-out state.
        final boolean deniedForManagedProfile = userManager.isManagedProfile(userId)
                && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
        if (deniedForManagedProfile) {
            return false;
        }

        // Device policy is only queried for permissions in the sensors set; every other
        // permission is grantable at this point.
        return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                || devicePolicyManager.canAdminGrantSensorsPermissions();
    }

    /**
     * Returns true if the admin may grant this permission, false otherwise.
     *
     * <p>This overload performs no system lookups: the decision depends entirely on the two
     * flags supplied by the caller, so they must describe the user the grant applies to. Below
     * S this returns true without consulting either restricted set.
     *
     * @param permission                      name of the permission the admin wants to grant
     * @param canAdminGrantSensorsPermissions whether the admin may grant sensors permissions
     * @param isManagedProfile                whether the target user is a managed profile
     * @return whether the admin is allowed to grant {@code permission}
     */
    public static boolean mayAdminGrantPermission(String permission,
            boolean canAdminGrantSensorsPermissions, boolean isManagedProfile) {
        if (!SdkLevel.isAtLeastS()) {
            return true;
        }

        // The managed-profile deny list wins regardless of the sensors flag.
        final boolean deniedForManagedProfile = isManagedProfile
                && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission);
        if (deniedForManagedProfile) {
            return false;
        }

        // Permissions outside the sensors set are always grantable here.
        return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                || canAdminGrantSensorsPermissions;
    }
}