Don't allow disabling of the camera with managed profiles

Change-Id: I2e6085084682b04ef7973bc433214b5b3ab2da79
2014-09-15 13:26:36 -07:00 · 2014-09-15 13:26:36 -07:00 · ce6916b32a
parent 809313bda6
commit ce6916b32a
4 changed files with 66 additions and 2 deletions
--- a/emailcommon/src/com/android/emailcommon/service/IPolicyService.aidl
+++ b/emailcommon/src/com/android/emailcommon/service/IPolicyService.aidl
@ -25,4 +25,5 @@ interface IPolicyService {
    // New version
    void setAccountPolicy2(long accountId, in Policy policy, String securityKey, boolean notify);
    oneway void remoteWipe();
+    boolean canDisableCamera();
 }
--- a/emailcommon/src/com/android/emailcommon/service/PolicyServiceProxy.java
+++ b/emailcommon/src/com/android/emailcommon/service/PolicyServiceProxy.java
@ -85,6 +85,24 @@ public class PolicyServiceProxy extends ServiceProxy implements IPolicyService {
        waitForCompletion();
    }

+    public boolean canDisableCamera() throws RemoteException {
+        setTask(new ProxyTask() {
+            @Override
+            public void run() throws RemoteException {
+                mReturn = mService.canDisableCamera();
+            }
+        }, "canDisableCamera");
+        waitForCompletion();
+        if (mReturn == null) {
+            // This is not a great situation, but it's better to act like the policy isn't enforced
+            // rather than crash.
+            LogUtils.e(TAG, "PolicyService unavailable in canDisableCamera; assuming false");
+            return false;
+        } else {
+            return (Boolean)mReturn;
+        }
+    }
+
    @Override
    public void remoteWipe() throws RemoteException {
        setTask(new ProxyTask() {
@ -145,5 +163,13 @@ public class PolicyServiceProxy extends ServiceProxy implements IPolicyService {
        }
        throw new IllegalStateException("PolicyService transaction failed");
    }
+
+    public static boolean canDisableCamera(Context context) {
+        try {
+            return new PolicyServiceProxy(context).canDisableCamera();
+        } catch (RemoteException e) {
+        }
+        return false;
+    }
 }

--- a/provider_src/com/android/email/SecurityPolicy.java
+++ b/provider_src/com/android/email/SecurityPolicy.java
@ -56,7 +56,7 @@ import java.util.ArrayList;
 * into and out of various security states.
 */
 public class SecurityPolicy {
-    private static final String TAG = "Email/SecurityPolicy";
+    private static final String TAG = "Email";
    private static SecurityPolicy sInstance = null;
    private Context mContext;
    private DevicePolicyManager mDPM;
@ -438,7 +438,14 @@ public class SecurityPolicy {
            dpm.setPasswordMinimumNumeric(mAdminName, 0);
            dpm.setPasswordMinimumNonLetter(mAdminName, aggregatePolicy.mPasswordComplexChars);
            // Device capabilities
-            dpm.setCameraDisabled(mAdminName, aggregatePolicy.mDontAllowCamera);
+            try {
+                // If we are running in a managed policy, it is a securityException to even
+                // call setCameraDisabled(), if is disabled is false. We have to swallow
+                // the exception here.
+                dpm.setCameraDisabled(mAdminName, aggregatePolicy.mDontAllowCamera);
+            } catch (SecurityException e) {
+                LogUtils.d(TAG, "SecurityException in setCameraDisabled, nothing changed");
+            }

            // encryption required
            dpm.setStorageEncryption(mAdminName, aggregatePolicy.mRequireEncryption);
--- a/provider_src/com/android/email/service/PolicyService.java
+++ b/provider_src/com/android/email/service/PolicyService.java
@ -17,6 +17,8 @@
 package com.android.email.service;

 import android.app.Service;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.os.IBinder;
@ -82,6 +84,34 @@ public class PolicyService extends Service {
                throw e;
            }
        }
+
+        public boolean canDisableCamera() {
+            // TODO: This is not a clean way to do this, but there is not currently
+            // any api that can answer the question "will disabling the camera work?"
+            // We need to answer this question here so that we can tell the server what
+            // policies we are able to support, and only apply them after it confirms that
+            // our partial support is acceptable.
+            DevicePolicyManager dpm =
+                    (DevicePolicyManager) mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
+            final ComponentName adminName = new ComponentName(mContext, SecurityPolicy.PolicyAdmin.class);
+            final boolean cameraDisabled = dpm.getCameraDisabled(adminName);
+            if (cameraDisabled) {
+                // The camera is already disabled, by this admin.
+                // Apparently we can support disabling the camera.
+                return true;
+            } else {
+                try {
+                    dpm.setCameraDisabled(adminName, true);
+                    dpm.setCameraDisabled(adminName, false);
+                } catch (SecurityException e) {
+                    // Apparently we cannot support disabling the camera.
+                    LogUtils.w(LOG_TAG, "SecurityException checking camera disabling.");
+                    return false;
+                }
+            }
+            return true;
+        }
+
    };

    @Override