PawletOS/app_Settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace ECM AppOps call with service

Browse Source 
A new ECM service was introcuded in changeId
I831391e4437b51b3312b5273a2360bd029a3d8ee.

We begin calling it, and update/cleanup method signatures to match.

Note: There are two feature flags:

1. enhancedConfirmationModeApisEnabled - read only, protects the
   mainline API.

2. extendEcmToAllSettings - runtime - gates calls to the above APIs.

We use both so we can ramp up in teamfood as needed.

Bug: 297372999
Test: Tested on device
Test: atest SpaPrivilegedLibTests
Test: atest com.android.settings.applications.specialaccess.notificationaccess
Test: atest com.android.settings.datausage
Test: atest PremiumSmsAccessTest
Test: atest RestrictedPreferenceHelperTest
Change-Id: I945ec51df5cd63de548a8ffdd1acc4f09f2301e5
This commit is contained in:
Hani Kazmi
2024-01-29 14:59:22 +00:00
parent 96ab2b9e25
commit 206300962f
23 changed files with 215 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
src/com/android/settings/accessibility/RestrictedPreferenceHelper.java
View File

@@ -235,10 +235,11 @@ public class RestrictedPreferenceHelper {
boolean serviceAllowed = permittedServices == null || permittedServices.contains(
preference.getPackageName());
if (android.security.Flags.extendEcmToAllSettings()) {
if (android.permission.flags.Flags.enhancedConfirmationModeApisEnabled()
&& android.security.Flags.extendEcmToAllSettings()) {
preference.checkEcmRestrictionAndSetDisabled(
AppOpsManager.OPSTR_BIND_ACCESSIBILITY_SERVICE,
preference.getPackageName(), preference.getUid());
preference.getPackageName());
if (preference.isDisabledByEcm()) {
serviceAllowed = false;
}
@@ -257,40 +258,39 @@ public class RestrictedPreferenceHelper {
preference.setEnabled(false);
}
}
return;
}
boolean appOpsAllowed;
if (serviceAllowed) {
try {
final int mode = mAppOps.noteOpNoThrow(
AppOpsManager.OP_ACCESS_RESTRICTED_SETTINGS,
preference.getUid(), preference.getPackageName());
final boolean ecmEnabled = mContext.getResources().getBoolean(
com.android.internal.R.bool.config_enhancedConfirmationModeEnabled);
appOpsAllowed = !ecmEnabled || mode == AppOpsManager.MODE_ALLOWED;
serviceAllowed = appOpsAllowed;
} catch (Exception e) {
// Allow service in case if app ops is not available in testing.
appOpsAllowed = true;
}
} else {
appOpsAllowed = false;
}
if (serviceAllowed || serviceEnabled) {
preference.setEnabled(true);
} else {
// Disable accessibility service that are not permitted.
final RestrictedLockUtils.EnforcedAdmin admin =
RestrictedLockUtilsInternal.checkIfAccessibilityServiceDisallowed(
mContext, preference.getPackageName(), UserHandle.myUserId());
if (admin != null) {
preference.setDisabledByAdmin(admin);
} else if (!appOpsAllowed) {
preference.setDisabledByAppOps(true);
boolean appOpsAllowed;
if (serviceAllowed) {
try {
final int mode = mAppOps.noteOpNoThrow(
AppOpsManager.OP_ACCESS_RESTRICTED_SETTINGS,
preference.getUid(), preference.getPackageName());
final boolean ecmEnabled = mContext.getResources().getBoolean(
com.android.internal.R.bool.config_enhancedConfirmationModeEnabled);
appOpsAllowed = !ecmEnabled || mode == AppOpsManager.MODE_ALLOWED;
serviceAllowed = appOpsAllowed;
} catch (Exception e) {
// Allow service in case if app ops is not available in testing.
appOpsAllowed = true;
}
} else {
preference.setEnabled(false);
appOpsAllowed = false;
}
if (serviceAllowed || serviceEnabled) {
preference.setEnabled(true);
} else {
// Disable accessibility service that are not permitted.
final RestrictedLockUtils.EnforcedAdmin admin =
RestrictedLockUtilsInternal.checkIfAccessibilityServiceDisallowed(
mContext, preference.getPackageName(), UserHandle.myUserId());
if (admin != null) {
preference.setDisabledByAdmin(admin);
} else if (!appOpsAllowed) {
preference.setDisabledByAppOps(true);
} else {
preference.setEnabled(false);
}
}
}
}