1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package com.android.permissioncontroller.permission.utils.v31;
18 
19 import android.Manifest;
20 import android.app.admin.DevicePolicyManager;
21 import android.app.admin.ManagedSubscriptionsPolicy;
22 import android.content.Context;
23 import android.os.UserHandle;
24 import android.os.UserManager;
25 import android.util.ArraySet;
26 
27 import com.android.modules.utils.build.SdkLevel;
28 
/**
 * Decides whether a device-policy admin may grant a given runtime permission.
 *
 * <p>Two restrictions are evaluated here: {@code READ_SMS} requested for a managed profile, and
 * the sensor-related permissions listed in {@code ADMIN_RESTRICTED_SENSORS_PERMISSIONS}. Any
 * other permission string is reported as grantable, so the checks behave as a deny-list: a
 * permission that should be restricted must be added here explicitly.
 */
public final class AdminRestrictedPermissionsUtils {
    /**
     * Permissions that the Profile Owner cannot grant and that the Device Owner could
     * potentially grant (depending on opt-out state).
     */
    private static final ArraySet<String> ADMIN_RESTRICTED_SENSORS_PERMISSIONS =
            buildAdminRestrictedSensorsPermissions();

    /**
     * Builds the restricted set. Permissions introduced in S and T are only added when running
     * on that release or later.
     */
    private static ArraySet<String> buildAdminRestrictedSensorsPermissions() {
        final ArraySet<String> restricted = new ArraySet<>();
        restricted.add(Manifest.permission.ACCESS_FINE_LOCATION);
        restricted.add(Manifest.permission.ACCESS_BACKGROUND_LOCATION);
        restricted.add(Manifest.permission.ACCESS_COARSE_LOCATION);
        restricted.add(Manifest.permission.CAMERA);
        restricted.add(Manifest.permission.RECORD_AUDIO);
        restricted.add(Manifest.permission.ACTIVITY_RECOGNITION);
        restricted.add(Manifest.permission.BODY_SENSORS);
        // New S permissions - do not add unless running on S and above.
        if (SdkLevel.isAtLeastS()) {
            restricted.add(Manifest.permission.BACKGROUND_CAMERA);
            restricted.add(Manifest.permission.RECORD_BACKGROUND_AUDIO);
        }
        // New T permissions - do not add unless running on T and above.
        if (SdkLevel.isAtLeastT()) {
            restricted.add(Manifest.permission.BODY_SENSORS_BACKGROUND);
        }
        return restricted;
    }

    /**
     * Reports whether the admin may grant {@code permission} for the user {@code userId},
     * querying the device policy and user services for that user.
     *
     * <p>Below S no restriction is applied and the result is always {@code true}.
     *
     * @param context    context used to create a context for {@code userId}
     * @param permission permission name to check
     * @param userId     id of the user the grant would apply to
     * @return {@code true} if the admin may grant the permission, {@code false} otherwise
     */
    public static boolean mayAdminGrantPermission(Context context, String permission, int userId) {
        if (!SdkLevel.isAtLeastS()) {
            return true;
        }

        // NOTE(review): both services are dereferenced without a null check - confirm they are
        // always available wherever this method is called.
        final Context contextForUser =
                context.createContextAsUser(UserHandle.of(userId), /* flags= */ 0);
        final DevicePolicyManager devicePolicyManager =
                contextForUser.getSystemService(DevicePolicyManager.class);
        final UserManager userManager = contextForUser.getSystemService(UserManager.class);

        // READ_SMS is decided before the sensors set is consulted; it is not a member of that
        // set, so outside a managed profile it falls through to "grantable".
        final boolean readSmsInManagedProfile = userManager.isManagedProfile(userId)
                && Manifest.permission.READ_SMS.equals(permission);
        if (readSmsInManagedProfile) {
            return mayManagedProfileAdminGrantReadSms(devicePolicyManager);
        }

        // The policy service is only asked when the permission is actually restricted.
        return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                || devicePolicyManager.canAdminGrantSensorsPermissions();
    }

    /**
     * Reports whether the admin may grant {@code permission}, using state the caller has
     * already looked up instead of querying it here.
     *
     * <p>The decision is only as trustworthy as the supplied flags: they are used as given and
     * are not re-validated against the device policy or user services. Below S the result is
     * always {@code true}.
     *
     * @param permission                      permission name to check
     * @param canAdminGrantSensorsPermissions result returned for permissions in the restricted
     *                                        sensors set
     * @param isManagedProfile                whether the target user is a managed profile
     * @param dpm                             device policy manager, consulted only for
     *                                        {@code READ_SMS} in a managed profile
     * @return {@code true} if the admin may grant the permission, {@code false} otherwise
     */
    public static boolean mayAdminGrantPermission(String permission,
            boolean canAdminGrantSensorsPermissions, boolean isManagedProfile,
            DevicePolicyManager dpm) {
        if (!SdkLevel.isAtLeastS()) {
            return true;
        }

        final boolean readSmsInManagedProfile =
                isManagedProfile && Manifest.permission.READ_SMS.equals(permission);
        if (readSmsInManagedProfile) {
            return mayManagedProfileAdminGrantReadSms(dpm);
        }

        return !ADMIN_RESTRICTED_SENSORS_PERMISSIONS.contains(permission)
                || canAdminGrantSensorsPermissions;
    }

    /**
     * Reports whether a managed-profile admin may grant {@code READ_SMS}.
     *
     * <p>The grant is refused unless all three conditions hold: the platform is U or later, the
     * device is organization-owned with a managed profile, and the managed subscriptions policy
     * type is {@code TYPE_ALL_MANAGED_SUBSCRIPTIONS}. Below U the result is therefore always
     * {@code false}.
     */
    private static boolean mayManagedProfileAdminGrantReadSms(DevicePolicyManager dpm) {
        if (!SdkLevel.isAtLeastU()) {
            return false;
        }
        if (!dpm.isOrganizationOwnedDeviceWithManagedProfile()) {
            return false;
        }
        final int policyType = dpm.getManagedSubscriptionsPolicy().getPolicyType();
        return policyType == ManagedSubscriptionsPolicy.TYPE_ALL_MANAGED_SUBSCRIPTIONS;
    }
}