Grant Device IDs access to Profile Owner

In order to allow inclusion of device identifiers in the key attestation
record generated by the profile owner, the platform needs an explicit
signal that it is OK for the profile owner to access those identifiers.

Add a system-privileged method to the DevicePolicyManager that allows
system applications, as well as Managed Provisioning to indicate that the
profile owner may access those identifiers.

In the DevicePolicyManagerService the following has changed:
* The OwnerInfo now contains a flag indicating whether the profile owner
  was granted access to the device identifiers or not.
* The permission check for use of the Device ID Attestation flags in
  generateKeyPair has been adjusted to allow profile owner (or its
  delegate) to use them, if device identifiers access has been granted.
* A couple of utility methods have been added to ease checking of
  profile owner presence for a user and whether the profile owner can
  access device identifiers.

Additionally, a new adb command has been added to give this grant to an
existing profile owner for testing purposes.

Bug: 111335970
Test: Manual, using TestDPC + ADB command.
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: Additional CTS tests, see cts change in the same topic.

Change-Id: I05f2323d5edacd774cd3ce082ee9c551100f4afd

1 files changed, 16 insertions, 1 deletions

diff --git a/cmds/dpm/src/com/android/commands/dpm/Dpm.java b/cmds/dpm/src/com/android/commands/dpm/Dpm.java
index 376b13cd371e..6c6797a328c9 100644
--- a/cmds/dpm/src/com/android/commands/dpm/Dpm.java
+++ b/cmds/dpm/src/com/android/commands/dpm/Dpm.java
@@ -48,6 +48,8 @@ public final class Dpm extends BaseCommand {
     private static final String COMMAND_CLEAR_FREEZE_PERIOD_RECORD = "clear-freeze-period-record";
     private static final String COMMAND_FORCE_NETWORK_LOGS = "force-network-logs";
     private static final String COMMAND_FORCE_SECURITY_LOGS = "force-security-logs";
+    private static final String COMMAND_GRANT_PO_DEVICE_ID_ACCESS =
+            "grant-profile-owner-device-ids-access";
 
     private IDevicePolicyManager mDevicePolicyManager;
     private int mUserId = UserHandle.USER_SYSTEM;
@@ -89,7 +91,10 @@ public final class Dpm extends BaseCommand {
                 "the DPC and triggers DeviceAdminReceiver.onNetworkLogsAvailable() if needed.\n" +
                 "\n" +
                 "dpm " + COMMAND_FORCE_SECURITY_LOGS + ": makes all security logs available to " +
-                "the DPC and triggers DeviceAdminReceiver.onSecurityLogsAvailable() if needed.");
+                "the DPC and triggers DeviceAdminReceiver.onSecurityLogsAvailable() if needed."
+                + "\n"
+                + "usage: dpm " + COMMAND_GRANT_PO_DEVICE_ID_ACCESS + ": "
+                + "[ --user <USER_ID> | current ] <COMPONENT>\n");
     }
 
     @Override
@@ -124,6 +129,9 @@ public final class Dpm extends BaseCommand {
             case COMMAND_FORCE_SECURITY_LOGS:
                 runForceSecurityLogs();
                 break;
+            case COMMAND_GRANT_PO_DEVICE_ID_ACCESS:
+                runGrantProfileOwnerDeviceIdsAccess();
+                break;
             default:
                 throw new IllegalArgumentException ("unknown command '" + command + "'");
         }
@@ -242,6 +250,13 @@ public final class Dpm extends BaseCommand {
         System.out.println("Success");
     }
 
+
+    private void runGrantProfileOwnerDeviceIdsAccess() throws RemoteException {
+        parseArgs(/*canHaveName=*/ false);
+        mDevicePolicyManager.grantDeviceIdsAccessToProfileOwner(mComponent, mUserId);
+        System.out.println("Success");
+    }
+
     private ComponentName parseComponentName(String component) {
         ComponentName cn = ComponentName.unflattenFromString(component);
         if (cn == null) {