
Commit 39164a71 authored by Vlad Marica's avatar Vlad Marica Committed by Android (Google) Code Review

Merge "Fix condition to check if FRP is active in LockSettingsService" into main

parents 579984ec 608851e8
+10 −9
@@ -1243,23 +1243,24 @@ public class LockSettingsService extends ILockSettings.Stub {
        }
    }

    private void enforceFrpResolved() {
    private void enforceFrpNotActive() {
        final int mainUserId = mInjector.getUserManagerInternal().getMainUserId();
        if (mainUserId < 0) {
            Slog.d(TAG, "No Main user on device; skipping enforceFrpResolved");
            Slog.d(TAG, "No Main user on device; skipping enforceFrpNotActive");
            return;
        }
        final ContentResolver cr = mContext.getContentResolver();

        final ContentResolver cr = mContext.getContentResolver();
        final boolean inSetupWizard = Settings.Secure.getIntForUser(cr,
                Settings.Secure.USER_SETUP_COMPLETE, 0, mainUserId) == 0;
        final boolean secureFrp = android.security.Flags.frpEnforcement()
        final boolean isFrpActive = android.security.Flags.frpEnforcement()
                ? mStorage.isFactoryResetProtectionActive()
                : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1);
                : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1)
                        && inSetupWizard;

        if (inSetupWizard && secureFrp) {
            throw new SecurityException("Cannot change credential in SUW while factory reset"
                    + " protection is not resolved yet");
        if (isFrpActive) {
            throw new SecurityException("Cannot change credential while factory reset protection"
                    + " is active");
        }
    }

@@ -1831,7 +1832,7 @@ public class LockSettingsService extends ILockSettings.Stub {

        final long identity = Binder.clearCallingIdentity();
        try {
            enforceFrpResolved();
            enforceFrpNotActive();
            // When changing credential for profiles with unified challenge, some callers
            // will pass in empty credential while others will pass in the credential of
            // the parent user. setLockCredentialInternal() handles the formal case (empty
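Review bot: The early return for `mainUserId < 0` in enforceFrpNotActive() still skips the whole check, although with `frpEnforcement()` on the result comes from `mStorage.isFactoryResetProtectionActive()` and no longer depends on the main user. On a device without a main user the credential change would then proceed while FRP is active, assuming that storage state can be set on such a device (not visible here). Consider evaluating the flag-on branch before the main-user lookup, so that only the legacy `SECURE_FRP_MODE` path needs `mainUserId` and `inSetupWizard`. Separately, `&& inSetupWizard` binds only to the else arm of the ternary; one pair of parentheses around that arm, `: (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1 && inSetupWizard);`, would make that explicit.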
+17 −2
@@ -43,6 +43,8 @@ import android.app.PropertyInvalidatedCache;
import android.content.Intent;
import android.os.RemoteException;
import android.os.UserHandle;
import android.platform.test.annotations.DisableFlags;
import android.platform.test.annotations.EnableFlags;
import android.platform.test.annotations.Presubmit;
import android.platform.test.flag.junit.SetFlagsRule;
import android.service.gatekeeper.GateKeeperResponse;
@@ -483,17 +485,30 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
        setSecureFrpMode(true);
        try {
            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
            fail("Password shouldn't be changeable before FRP unlock");
            fail("Password shouldn't be changeable while FRP is active");
        } catch (SecurityException e) { }
    }

    @Test
    public void testSetCredentialPossibleInSecureFrpModeAfterSuw() throws RemoteException {
    @DisableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)
    public void testSetCredentialPossibleInSecureFrpModeAfterSuw_FlagOff() throws RemoteException {
        setUserSetupComplete(true);
        setSecureFrpMode(true);
        setCredential(PRIMARY_USER_ID, newPassword("1234"));
    }

    @Test
    @EnableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)
    public void testSetCredentialNotPossibleInSecureFrpModeAfterSuw_FlagOn()
            throws RemoteException {
        setUserSetupComplete(true);
        setSecureFrpMode(true);
        try {
            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
            fail("Password shouldn't be changeable after SUW while FRP is active");
        } catch (SecurityException e) { }
    }

    @Test
    public void testPasswordHistoryDisabledByDefault() throws Exception {
        final int userId = PRIMARY_USER_ID;
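Review bot: The flag-on behaviour is only tested in the rejecting direction: testSetCredentialNotPossibleInSecureFrpModeAfterSuw_FlagOn has no counterpart in the lines shown proving that, with `FLAG_FRP_ENFORCEMENT` enabled and FRP not active, `setCredential(PRIMARY_USER_ID, newPassword("1234"))` still succeeds after setup. The new test also depends on `setSecureFrpMode(true)` driving the storage-backed state read by the flag-on path, which is not visible in this hunk, so a one-line comment saying so would help. As a style point, the `try { ... fail(...) } catch (SecurityException e) { }` pattern could be written as `assertThrows(SecurityException.class, () -> mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID));` if assertThrows is available to this test class.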