In order to allow inclusion of device identifiers in the key attestation
record generated by the profile owner, the platform needs an explicit
signal that it is OK for the profile owner to access those identifiers.
Add a system-privileged method to the DevicePolicyManager that allows
system applications, as well as Managed Provisioning to indicate that the
profile owner may access those identifiers.
In the DevicePolicyManagerService the following has changed:
* The OwnerInfo now contains a flag indicating whether the profile owner
was granted access to the device identifiers or not.
* The permission check for use of the Device ID Attestation flags in
generateKeyPair has been adjusted to allow profile owner (or its
delegate) to use them, if device identifiers access has been granted.
* A couple of utility methods have been added to ease checking of
profile owner presence for a user and whether the profile owner can
access device identifiers.
Additionally, a new adb command has been added to give this grant to an
existing profile owner for testing purposes.
Bug: 111335970
Test: Manual, using TestDPC + ADB command.
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Test: Additional CTS tests, see cts change in the same topic.
Change-Id: I05f2323d5edacd774cd3ce082ee9c551100f4afd
bb27189f56