1 /* 2 * Copyright (C) 2021 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.permissioncontroller.permission.utils; 18 19 import android.Manifest; 20 import android.app.admin.DevicePolicyManager; 21 import android.content.Context; 22 import android.os.UserHandle; 23 import android.os.UserManager; 24 import android.util.ArraySet; 25 26 import com.android.modules.utils.build.SdkLevel; 27 28 /** 29 * A class for dealing with permissions that the admin may not grant in certain configurations. 30 */ 31 public final class AdminRestrictedPermissionsUtils { 32 /** 33 * A set of permissions that the Profile Owner cannot grant and that the Device Owner 34 * could potentially grant (depending on opt-out state). 35 */ 36 private static final ArraySet<String> ADMIN_RESTRICTED_SENSORS_PERMISSIONS = new ArraySet<>(); 37 38 static { 39 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.ACCESS_FINE_LOCATION); 40 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.ACCESS_BACKGROUND_LOCATION); 41 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.ACCESS_COARSE_LOCATION); 42 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.CAMERA); 43 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.RECORD_AUDIO); 44 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.ACTIVITY_RECOGNITION); 45 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS); 46 // New S permissions - do not add unless running on S and above. 47 if (SdkLevel.isAtLeastS()) { 48 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.BACKGROUND_CAMERA); 49 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.RECORD_BACKGROUND_AUDIO); 50 } 51 // New T permissions - do not add unless running on T and above. 52 if (SdkLevel.isAtLeastT()) { 53 ADMIN_RESTRICTED_SENSORS_PERMISSIONS.add(Manifest.permission.BODY_SENSORS_BACKGROUND); 54 } 55 } 56 57 /** 58 * A set of permissions that the managed Profile Owner cannot grant. 59 */ 60 private static final ArraySet<String> MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS = 61 new ArraySet<>(); 62 63 static { 64 MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.add(Manifest.permission.READ_SMS); 65 } 66 67 /** 68 * Returns true if the admin may grant this permission, false otherwise. 69 */ mayAdminGrantPermission(Context context, String permission, int userId)70 public static boolean mayAdminGrantPermission(Context context, String permission, int userId) { 71 if (!SdkLevel.isAtLeastS()) { 72 return true; 73 } 74 Context userContext = context.createContextAsUser(UserHandle.of(userId), /* flags= */0); 75 DevicePolicyManager dpm = userContext.getSystemService(DevicePolicyManager.class); 76 UserManager um = userContext.getSystemService(UserManager.class); 77 if (um.isManagedProfile(userId) 78 && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission)) { 79 return false; 80 } 81 if (!ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)) { 82 return true; 83 } 84 85 return dpm.canAdminGrantSensorsPermissions(); 86 } 87 88 /** 89 * Returns true if the admin may grant this permission, false otherwise. 90 */ mayAdminGrantPermission(String permission, boolean canAdminGrantSensorsPermissions, boolean isManagedProfile)91 public static boolean mayAdminGrantPermission(String permission, 92 boolean canAdminGrantSensorsPermissions, boolean isManagedProfile) { 93 if (!SdkLevel.isAtLeastS()) { 94 return true; 95 } 96 if (isManagedProfile && MANAGED_PROFILE_OWNER_RESTRICTED_PERMISSIONS.contains(permission)) { 97 return false; 98 } 99 if (!ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)) { 100 return true; 101 } 102 103 return canAdminGrantSensorsPermissions; 104 } 105 } 106