Loading services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java +12 −2 Original line number Original line Diff line number Diff line Loading @@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache { // Generate auth-bound key to user 0 (since we the caller is user 0) // Generate auth-bound key to user 0 (since we the caller is user 0) .setUserAuthenticationRequired(true) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) // Only accessible after user 0's keyguard is unlocked .setUnlockedDeviceRequired(true) .build()); .build()); key = generator.generateKey(); key = generator.generateKey(); } catch (GeneralSecurityException e) { } catch (GeneralSecurityException e) { Loading Loading @@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache { public void removePassword(int userId) { public void removePassword(int userId) { synchronized (mEncryptedPasswords) { synchronized (mEncryptedPasswords) { String keyName = getEncryptionKeyName(userId); String keyName = getEncryptionKeyName(userId); String legacyKeyName = getLegacyEncryptionKeyName(userId); try { try { if (mKeyStore.containsAlias(keyName)) { if (mKeyStore.containsAlias(keyName)) { mKeyStore.deleteEntry(keyName); mKeyStore.deleteEntry(keyName); } } if (mKeyStore.containsAlias(legacyKeyName)) { mKeyStore.deleteEntry(legacyKeyName); } } catch (KeyStoreException e) { } catch (KeyStoreException e) { Slog.d(TAG, "Cannot delete key", e); Slog.d(TAG, "Cannot delete key", e); } } Loading @@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache { } } private static String getEncryptionKeyName(int userId) { private static String getEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_v2_" + userId; } /** * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly. * Only existed during Android 11 internal testing period. */ private static String getLegacyEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_" + userId; return "com.android.server.locksettings.unified_profile_cache_" + userId; } } } } services/core/java/com/android/server/pm/UserManagerService.java +22 −2 Original line number Original line Diff line number Diff line Loading @@ -989,6 +989,15 @@ public class UserManagerService extends IUserManager.Stub { ensureCanModifyQuietMode( ensureCanModifyQuietMode( callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); if (onlyIfCredentialNotRequired && callingPackage.equals( getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) { // This is to prevent SysUI from accidentally allowing the profile to turned on // without password when keyguard is still locked. throw new SecurityException("SystemUI is not allowed to set " + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED"); } final long identity = Binder.clearCallingIdentity(); final long identity = Binder.clearCallingIdentity(); try { try { if (enableQuietMode) { if (enableQuietMode) { Loading @@ -996,7 +1005,17 @@ public class UserManagerService extends IUserManager.Stub { userId, true /* enableQuietMode */, target, callingPackage); userId, true /* enableQuietMode */, target, callingPackage); return true; return true; } } if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) { KeyguardManager km = mContext.getSystemService(KeyguardManager.class); // Normally only attempt to auto-unlock unified challenge if keyguard is not showing // (to stop turning profile on automatically via the QS tile), except when we // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which // case always attempt to auto-unlock. if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId)) || onlyIfCredentialNotRequired) { mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); } } final boolean needToShowConfirmCredential = !dontAskCredential final boolean needToShowConfirmCredential = !dontAskCredential && mLockPatternUtils.isSecure(userId) && mLockPatternUtils.isSecure(userId) && !StorageManager.isUserKeyUnlocked(userId); && !StorageManager.isUserKeyUnlocked(userId); Loading Loading @@ -1029,6 +1048,8 @@ public class UserManagerService extends IUserManager.Stub { */ */ private void ensureCanModifyQuietMode(String callingPackage, int callingUid, private void ensureCanModifyQuietMode(String callingPackage, int callingUid, @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { verifyCallingPackage(callingPackage, callingUid); if (hasManageUsersPermission()) { if (hasManageUsersPermission()) { return; return; } } Loading @@ -1050,7 +1071,6 @@ public class UserManagerService extends IUserManager.Stub { return; return; } } verifyCallingPackage(callingPackage, callingUid); final ShortcutServiceInternal shortcutInternal = final ShortcutServiceInternal shortcutInternal = LocalServices.getService(ShortcutServiceInternal.class); LocalServices.getService(ShortcutServiceInternal.class); if (shortcutInternal != null) { if (shortcutInternal != null) { Loading Loading
services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java +12 −2 Original line number Original line Diff line number Diff line Loading @@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache { // Generate auth-bound key to user 0 (since we the caller is user 0) // Generate auth-bound key to user 0 (since we the caller is user 0) .setUserAuthenticationRequired(true) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) // Only accessible after user 0's keyguard is unlocked .setUnlockedDeviceRequired(true) .build()); .build()); key = generator.generateKey(); key = generator.generateKey(); } catch (GeneralSecurityException e) { } catch (GeneralSecurityException e) { Loading Loading @@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache { public void removePassword(int userId) { public void removePassword(int userId) { synchronized (mEncryptedPasswords) { synchronized (mEncryptedPasswords) { String keyName = getEncryptionKeyName(userId); String keyName = getEncryptionKeyName(userId); String legacyKeyName = getLegacyEncryptionKeyName(userId); try { try { if (mKeyStore.containsAlias(keyName)) { if (mKeyStore.containsAlias(keyName)) { mKeyStore.deleteEntry(keyName); mKeyStore.deleteEntry(keyName); } } if (mKeyStore.containsAlias(legacyKeyName)) { mKeyStore.deleteEntry(legacyKeyName); } } catch (KeyStoreException e) { } catch (KeyStoreException e) { Slog.d(TAG, "Cannot delete key", e); Slog.d(TAG, "Cannot delete key", e); } } Loading @@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache { } } private static String getEncryptionKeyName(int userId) { private static String getEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_v2_" + userId; } /** * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly. * Only existed during Android 11 internal testing period. */ private static String getLegacyEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_" + userId; return "com.android.server.locksettings.unified_profile_cache_" + userId; } } } }
services/core/java/com/android/server/pm/UserManagerService.java +22 −2 Original line number Original line Diff line number Diff line Loading @@ -989,6 +989,15 @@ public class UserManagerService extends IUserManager.Stub { ensureCanModifyQuietMode( ensureCanModifyQuietMode( callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); if (onlyIfCredentialNotRequired && callingPackage.equals( getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) { // This is to prevent SysUI from accidentally allowing the profile to turned on // without password when keyguard is still locked. throw new SecurityException("SystemUI is not allowed to set " + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED"); } final long identity = Binder.clearCallingIdentity(); final long identity = Binder.clearCallingIdentity(); try { try { if (enableQuietMode) { if (enableQuietMode) { Loading @@ -996,7 +1005,17 @@ public class UserManagerService extends IUserManager.Stub { userId, true /* enableQuietMode */, target, callingPackage); userId, true /* enableQuietMode */, target, callingPackage); return true; return true; } } if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) { KeyguardManager km = mContext.getSystemService(KeyguardManager.class); // Normally only attempt to auto-unlock unified challenge if keyguard is not showing // (to stop turning profile on automatically via the QS tile), except when we // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which // case always attempt to auto-unlock. if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId)) || onlyIfCredentialNotRequired) { mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); } } final boolean needToShowConfirmCredential = !dontAskCredential final boolean needToShowConfirmCredential = !dontAskCredential && mLockPatternUtils.isSecure(userId) && mLockPatternUtils.isSecure(userId) && !StorageManager.isUserKeyUnlocked(userId); && !StorageManager.isUserKeyUnlocked(userId); Loading Loading @@ -1029,6 +1048,8 @@ public class UserManagerService extends IUserManager.Stub { */ */ private void ensureCanModifyQuietMode(String callingPackage, int callingUid, private void ensureCanModifyQuietMode(String callingPackage, int callingUid, @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { verifyCallingPackage(callingPackage, callingUid); if (hasManageUsersPermission()) { if (hasManageUsersPermission()) { return; return; } } Loading @@ -1050,7 +1071,6 @@ public class UserManagerService extends IUserManager.Stub { return; return; } } verifyCallingPackage(callingPackage, callingUid); final ShortcutServiceInternal shortcutInternal = final ShortcutServiceInternal shortcutInternal = LocalServices.getService(ShortcutServiceInternal.class); LocalServices.getService(ShortcutServiceInternal.class); if (shortcutInternal != null) { if (shortcutInternal != null) { Loading
