authorTreeHugger Robot <treehugger-gerrit@google.com>2021-02-07 00:14:32 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>2021-02-07 00:14:32 +0000
commit1b15e79c113e872404135342ff76f0867594fa42 (patch)
treee1966011b32e266cde407f4113bf5884ec4d17a9 /core/java/android
parentb92e7e8af609f09759f83d3f480e94dbc6bf9f7f (diff)
parentcb0bed367eea469cd1b5d27dcac67d1185c903df (diff)
Merge "Indicator for admin control over sensor permission grants" into sc-dev
Diffstat (limited to 'core/java/android')
-rw-r--r--core/java/android/app/admin/DevicePolicyCache.java12
-rw-r--r--core/java/android/app/admin/DevicePolicyManager.java79
-rw-r--r--core/java/android/app/admin/FullyManagedDeviceProvisioningParams.java43
-rw-r--r--core/java/android/app/admin/IDevicePolicyManager.aidl1
4 files changed, 130 insertions, 5 deletions
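--- a/core/java/android/app/admin/DevicePolicyCache.java
+++ b/core/java/android/app/admin/DevicePolicyCache.java
@@ -57,6 +57,13 @@ public abstract class DevicePolicyCache {
 public abstract int getPermissionPolicy(@UserIdInt int userHandle);
 /**
+ * Caches {@link DevicePolicyManager#canAdminGrantSensorsPermissionsForUser(int)} for the
+ * given user.
+ */
+ public abstract boolean canAdminGrantSensorsPermissionsForUser(@UserIdInt int userHandle);
+
+
+ /**
 * Empty implementation.
 */
 private static class EmptyDevicePolicyCache extends DevicePolicyCache {
@@ -77,5 +84,10 @@ public abstract class DevicePolicyCache {
 public int getPermissionPolicy(int userHandle) {
 return DevicePolicyManager.PERMISSION_POLICY_PROMPT;
 }
+
+ @Override
+ public boolean canAdminGrantSensorsPermissionsForUser(int userHandle) {
+ return false;
+ }
 }
 }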
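Review bot: The Javadoc on the new abstract `canAdminGrantSensorsPermissionsForUser` says only that it caches the manager call; it should also state what a cache with no value yields, since `EmptyDevicePolicyCache` returns `false` (the admin is treated as unable to grant, a fail-closed default callers should be able to rely on). Suggest adding `* Implementations with no cached value for the user return {@code false}.` to that Javadoc. The two consecutive blank lines between the abstract method and the `EmptyDevicePolicyCache` Javadoc should be collapsed to one, matching the rest of the class.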
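--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -980,6 +980,19 @@ public class DevicePolicyManager {
 = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM";
 /**
+ * A boolean extra indicating the admin of a fully-managed device opts out of controlling
+ * permission grants for sensor-related permissions,
+ * see {@link #setPermissionGrantState(ComponentName, String, String, int)}.
+ *
+ * The default for this extra is {@code false} - by default, the admin of a fully-managed
+ * device has the ability to grant sensors-related permissions.
+ *
+ * <p>Use with {@link #ACTION_PROVISION_MANAGED_DEVICE} only.
+ */
+ public static final String EXTRA_PROVISIONING_PERMISSION_GRANT_OPT_OUT =
+ "android.app.extra.PROVISIONING_PERMISSION_GRANT_OPT_OUT";
+
+ /**
 * A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the
 * android package archive at the download location specified in {@link
 * #EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION}.
@@ -10520,6 +10533,13 @@ public class DevicePolicyManager {
 * As this policy only acts on runtime permission requests, it only applies to applications
 * built with a {@code targetSdkVersion} of {@link android.os.Build.VERSION_CODES#M} or later.
 *
+ * <p>
+ * NOTE: On devices running {@link android.os.Build.VERSION_CODES#S} and above, an auto-grant
+ * policy will not apply to certain sensors-related permissions on some configurations.
+ * See {@link #setPermissionGrantState(ComponentName, String, String, int)} for the list of
+ * permissions affected, and the behavior change for managed profiles and fully-managed
+ * devices.
+ *
 * @param admin Which profile or device owner this request is associated with.
 * @param policy One of the policy constants {@link #PERMISSION_POLICY_PROMPT},
 * {@link #PERMISSION_POLICY_AUTO_GRANT} and {@link #PERMISSION_POLICY_AUTO_DENY}.
@@ -10578,6 +10598,31 @@ public class DevicePolicyManager {
 * application built with a {@code targetSdkVersion} &lt;
 * {@link android.os.Build.VERSION_CODES#M} the app-op matching the permission is set to
 * {@link android.app.AppOpsManager#MODE_IGNORED}, but the permission stays granted.
+ * <p>
+ * NOTE: On devices running {@link android.os.Build.VERSION_CODES#S} and above, control over
+ * the following, sensors-related, permissions is restricted:
+ * <ul>
+ * <li>Manifest.permission.ACCESS_FINE_LOCATION</li>
+ * <li>Manifest.permission.ACCESS_BACKGROUND_LOCATION</li>
+ * <li>Manifest.permission.ACCESS_COARSE_LOCATION</li>
+ * <li>Manifest.permission.CAMERA</li>
+ * <li>Manifest.permission.RECORD_AUDIO</li>
+ * <li>Manifest.permission.RECORD_BACKGROUND_AUDIO</li>
+ * <li>Manifest.permission.ACTIVITY_RECOGNITION</li>
+ * <li>Manifest.permission.BODY_SENSORS</li>
+ * </ul>
+ * <p>
+ * A profile owner may not grant these permissions (i.e. call this method with any of the
+ * permissions listed above and {@code grantState} of {@code #PERMISSION_GRANT_STATE_GRANTED}),
+ * but may deny them.
+ * <p>
+ * A device owner, by default, may continue granting these permissions. However, for increased
+ * user control, the admin may opt out of controlling grants for these permissions by including
+ * {@link #EXTRA_PROVISIONING_PERMISSION_GRANT_OPT_OUT} in the provisioning parameters. In that
+ * case the device owner's control will be limited do denying these permissions.
+ * <p>
+ * Attempts by the admin to grant these permissions, when the admin is restricted from doing
+ * so, will be silently ignored (no exception will be thrown).
 *
 * @param admin Which profile or device owner this request is associated with.
 * @param packageName The application to grant or revoke a permission to.
@@ -13271,4 +13316,38 @@ public class DevicePolicyManager {
 }
 }
 }
+ /**
+ * Returns true if the caller is running on a device where the admin can grant
+ * permissions related to device sensors.
+ * This is a signal that the device is a fully-managed device where personal usage is
+ * discouraged.
+ * The list of permissions is listed in
+ * {@link #setPermissionGrantState(ComponentName, String, String, int)}.
+ *
+ * May be called by any app.
+ * @return true if the app can grant device sensors-related permissions, false otherwise.
+ */
+ public boolean canAdminGrantSensorsPermissions() {
+ return canAdminGrantSensorsPermissionsForUser(myUserId());
+ }
+
+ /**
+ * Returns true if the admin can control grants of sensors-related permissions, for
+ * a given user.
+ *
+ * @hide
+ * @param userId The ID of the user to check.
+ * @return if the admin may grant these permissions, false otherwise.
+ */
+ @SystemApi
+ public boolean canAdminGrantSensorsPermissionsForUser(int userId) {
+ if (mService == null) {
+ return false;
+ }
+ try {
+ return mService.canAdminGrantSensorsPermissionsForUser(userId);
+ } catch (RemoteException re) {
+ throw re.rethrowFromSystemServer();
+ }
+ }
 }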
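Review bot: The Javadoc added to `setPermissionGrantState` has a typo in `limited do denying these permissions`, which should read `limited to denying these permissions`, and `{@code #PERMISSION_GRANT_STATE_GRANTED}` should be `{@link #PERMISSION_GRANT_STATE_GRANTED}` so the reference resolves rather than rendering as literal text. In the last hunk the `@return` of `canAdminGrantSensorsPermissionsForUser` reads `@return if the admin may grant these permissions, false otherwise.` and is missing the word `true`. That method forwards a caller-supplied `userId` to the service; the cross-user authorization for querying a user other than the caller's is presumably enforced in the service implementation, which is not in this diff, so its `@SystemApi` Javadoc should name the permission required for other users. Since the doc states that disallowed grants are silently ignored, the `@return` on the public `canAdminGrantSensorsPermissions()` is the only signal an admin has, which is worth saying there explicitly.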
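--- a/core/java/android/app/admin/FullyManagedDeviceProvisioningParams.java
+++ b/core/java/android/app/admin/FullyManagedDeviceProvisioningParams.java
@@ -42,6 +42,7 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 private final long mLocalTime;
 @SuppressLint("UseIcu")
 @Nullable private final Locale mLocale;
+ private final boolean mDeviceOwnerCanGrantSensorsPermissions;
 private FullyManagedDeviceProvisioningParams(
 @NonNull ComponentName deviceAdminComponentName,
@@ -49,13 +50,16 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 boolean leaveAllSystemAppsEnabled,
 @Nullable String timeZone,
 long localTime,
- @Nullable @SuppressLint("UseIcu") Locale locale) {
+ @Nullable @SuppressLint("UseIcu") Locale locale,
+ boolean deviceOwnerCanGrantSensorsPermissions) {
 this.mDeviceAdminComponentName = requireNonNull(deviceAdminComponentName);
 this.mOwnerName = requireNonNull(ownerName);
 this.mLeaveAllSystemAppsEnabled = leaveAllSystemAppsEnabled;
 this.mTimeZone = timeZone;
 this.mLocalTime = localTime;
 this.mLocale = locale;
+ this.mDeviceOwnerCanGrantSensorsPermissions =
+ deviceOwnerCanGrantSensorsPermissions;
 }
 private FullyManagedDeviceProvisioningParams(
@@ -64,13 +68,15 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 boolean leaveAllSystemAppsEnabled,
 @Nullable String timeZone,
 long localTime,
- @Nullable String localeStr) {
+ @Nullable String localeStr,
+ boolean deviceOwnerCanGrantSensorsPermissions) {
 this(deviceAdminComponentName,
 ownerName,
 leaveAllSystemAppsEnabled,
 timeZone,
 localTime,
- getLocale(localeStr));
+ getLocale(localeStr),
+ deviceOwnerCanGrantSensorsPermissions);
 }
 @Nullable
@@ -107,6 +113,14 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 }
 /**
+ * @return true if the device owner can control sensor-related permission grants, false
+ * if the device owner has opted out of it.
+ */
+ public boolean canDeviceOwnerGrantSensorsPermissions() {
+ return mDeviceOwnerCanGrantSensorsPermissions;
+ }
+
+ /**
 * Builder class for {@link FullyManagedDeviceProvisioningParams} objects.
 */
 public static final class Builder {
@@ -117,6 +131,8 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 private long mLocalTime;
 @SuppressLint("UseIcu")
 @Nullable private Locale mLocale;
+ // Default to allowing control over sensor permission grants.
+ boolean mDeviceOwnerCanGrantSensorsPermissions = true;
 /**
 * Initialize a new {@link Builder} to construct a
@@ -181,6 +197,17 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 }
 /**
+ * Marks that the Device Owner may grant permissions related to device sensors.
+ * See {@link DevicePolicyManager#EXTRA_PROVISIONING_PERMISSION_GRANT_OPT_OUT}.
+ */
+ @NonNull
+ @SuppressLint("MissingGetterMatchingBuilder")
+ public Builder setDeviceOwnerCanGrantSensorsPermissions(boolean mayGrant) {
+ mDeviceOwnerCanGrantSensorsPermissions = mayGrant;
+ return this;
+ }
+
+ /**
 * Combines all of the attributes that have been set on this {@code Builder}
 *
 * @return a new {@link FullyManagedDeviceProvisioningParams} object.
@@ -193,7 +220,8 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 mLeaveAllSystemAppsEnabled,
 mTimeZone,
 mLocalTime,
- mLocale);
+ mLocale,
+ mDeviceOwnerCanGrantSensorsPermissions);
 }
 }
@@ -211,6 +239,8 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 + ", mTimeZone=" + (mTimeZone == null ? "null" : mTimeZone)
 + ", mLocalTime=" + mLocalTime
 + ", mLocale=" + (mLocale == null ? "null" : mLocale)
+ + ", mDeviceOwnerCanGrantSensorsPermissions="
+ + mDeviceOwnerCanGrantSensorsPermissions
 + '}';
 }
@@ -222,6 +252,7 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 dest.writeString(mTimeZone);
 dest.writeLong(mLocalTime);
 dest.writeString(mLocale == null ? null : mLocale.toLanguageTag());
+ dest.writeBoolean(mDeviceOwnerCanGrantSensorsPermissions);
 }
 @NonNull
@@ -235,6 +266,7 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 String timeZone = in.readString();
 long localtime = in.readLong();
 String locale = in.readString();
+ boolean deviceOwnerCanGrantSensorsPermissions = in.readBoolean();
 return new FullyManagedDeviceProvisioningParams(
 componentName,
@@ -242,7 +274,8 @@ public final class FullyManagedDeviceProvisioningParams implements Parcelable {
 leaveAllSystemAppsEnabled,
 timeZone,
 localtime,
- locale);
+ locale,
+ deviceOwnerCanGrantSensorsPermissions);
 }
 @Override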
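Review bot: The new `Builder` field `boolean mDeviceOwnerCanGrantSensorsPermissions = true;` is package-private while the sibling `Builder` fields (`mLocalTime`, `mLocale`) are `private`; it should be `private boolean mDeviceOwnerCanGrantSensorsPermissions = true;` so the opt-out flag can only be changed through `setDeviceOwnerCanGrantSensorsPermissions`. That setter's Javadoc describes only the `true` case; add `@param mayGrant {@code false} to opt the device owner out of granting sensor-related permissions, leaving it able only to deny them`, since `false` is the security-relevant choice the caller is making. The `writeBoolean`/`readBoolean` pair is placed last on both sides and matches the constructor argument order, so the Parcel round trip looks consistent.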
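--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
+++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
@@ -500,4 +500,5 @@ interface IDevicePolicyManager {
 void provisionFullyManagedDevice(in FullyManagedDeviceProvisioningParams provisioningParams, in String callerPackage);
 void resetDefaultCrossProfileIntentFilters(int userId);
+ boolean canAdminGrantSensorsPermissionsForUser(int userId);
 }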