Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 608851e8 authored by Vlad Marica's avatar Vlad Marica
Browse files

Fix condition to check if FRP is active in LockSettingsService 

When the frp_enforcement flag is enabled, FRP will stay active
outside of Setup Wizard too, so checking if setup is complete is not
needed here.

Ignore-AOSP-First: Depends on internal changes that can't go into AOSP yet.
Bug: 341652439
Flag: EXEMPT bugfix
Test: atest & manual testing
Change-Id: I23a231cd64fee87334cc5ca521add55a6c954761
parent fc53cbc2

services/core/java/com/android/server/locksettings/LockSettingsService.java

+10 −9
Original line number Diff line number Diff line
@@ -1243,23 +1243,24 @@ public class LockSettingsService extends ILockSettings.Stub { 
        }

    }



    private void enforceFrpResolved() {

    private void enforceFrpNotActive() {

        final int mainUserId = mInjector.getUserManagerInternal().getMainUserId();

        if (mainUserId < 0) {

            Slog.d(TAG, "No Main user on device; skipping enforceFrpResolved");

            Slog.d(TAG, "No Main user on device; skipping enforceFrpNotActive");

            return;

        }

        final ContentResolver cr = mContext.getContentResolver();



        final ContentResolver cr = mContext.getContentResolver();

        final boolean inSetupWizard = Settings.Secure.getIntForUser(cr,

                Settings.Secure.USER_SETUP_COMPLETE, 0, mainUserId) == 0;

        final boolean secureFrp = android.security.Flags.frpEnforcement()

        final boolean isFrpActive = android.security.Flags.frpEnforcement()

                ? mStorage.isFactoryResetProtectionActive()

                : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1);

                : (Settings.Global.getInt(cr, Settings.Global.SECURE_FRP_MODE, 0) == 1)

                        && inSetupWizard;



        if (inSetupWizard && secureFrp) {

            throw new SecurityException("Cannot change credential in SUW while factory reset"

                    + " protection is not resolved yet");

        if (isFrpActive) {

            throw new SecurityException("Cannot change credential while factory reset protection"

                    + " is active");

        }

    }
@@ -1831,7 +1832,7 @@ public class LockSettingsService extends ILockSettings.Stub { 


        final long identity = Binder.clearCallingIdentity();

        try {

            enforceFrpResolved();

            enforceFrpNotActive();

            // When changing credential for profiles with unified challenge, some callers

            // will pass in empty credential while others will pass in the credential of

            // the parent user. setLockCredentialInternal() handles the formal case (empty

services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java

+17 −2
Original line number Diff line number Diff line
@@ -43,6 +43,8 @@ import android.app.PropertyInvalidatedCache; 
import android.content.Intent;

import android.os.RemoteException;

import android.os.UserHandle;

import android.platform.test.annotations.DisableFlags;

import android.platform.test.annotations.EnableFlags;

import android.platform.test.annotations.Presubmit;

import android.platform.test.flag.junit.SetFlagsRule;

import android.service.gatekeeper.GateKeeperResponse;
@@ -483,17 +485,30 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { 
        setSecureFrpMode(true);

        try {

            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);

            fail("Password shouldn't be changeable before FRP unlock");

            fail("Password shouldn't be changeable while FRP is active");

        } catch (SecurityException e) { }

    }



    @Test

    public void testSetCredentialPossibleInSecureFrpModeAfterSuw() throws RemoteException {

    @DisableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)

    public void testSetCredentialPossibleInSecureFrpModeAfterSuw_FlagOff() throws RemoteException {

        setUserSetupComplete(true);

        setSecureFrpMode(true);

        setCredential(PRIMARY_USER_ID, newPassword("1234"));

    }



    @Test

    @EnableFlags(android.security.Flags.FLAG_FRP_ENFORCEMENT)

    public void testSetCredentialNotPossibleInSecureFrpModeAfterSuw_FlagOn()

            throws RemoteException {

        setUserSetupComplete(true);

        setSecureFrpMode(true);

        try {

            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);

            fail("Password shouldn't be changeable after SUW while FRP is active");

        } catch (SecurityException e) { }

    }



    @Test

    public void testPasswordHistoryDisabledByDefault() throws Exception {

        final int userId = PRIMARY_USER_ID;