
Commit 612d9e85 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge "Force garbage collection after credential verification" into rvc-dev

parents f629b618 c6f4ebf7
+54 −22
@@ -1616,6 +1616,7 @@ public class LockSettingsService extends ILockSettings.Stub {
        synchronized (mSeparateChallengeLock) {
            if (!setLockCredentialInternal(credential, savedCredential,
                    userId, /* isLockTiedToParent= */ false)) {
                scheduleGc();
                return false;
            }
            setSeparateProfileChallengeEnabledLocked(userId, true, /* unused */ null);
@@ -1626,6 +1627,7 @@ public class LockSettingsService extends ILockSettings.Stub {
            setDeviceUnlockedForUser(userId);
        }
        notifySeparateProfileChallengeChanged(userId);
        scheduleGc();
        return true;
    }

@@ -1965,7 +1967,11 @@ public class LockSettingsService extends ILockSettings.Stub {
    public VerifyCredentialResponse checkCredential(LockscreenCredential credential, int userId,
            ICheckCredentialProgressCallback progressCallback) {
        checkPasswordReadPermission(userId);
        try {
            return doVerifyCredential(credential, CHALLENGE_NONE, 0, userId, progressCallback);
        } finally {
            scheduleGc();
        }
    }

    @Override
@@ -1978,8 +1984,12 @@ public class LockSettingsService extends ILockSettings.Stub {
            challengeType = CHALLENGE_NONE;

        }
        try {
            return doVerifyCredential(credential, challengeType, challenge, userId,
                    null /* progressCallback */);
        } finally {
            scheduleGc();
        }
    }

    private VerifyCredentialResponse doVerifyCredential(LockscreenCredential credential,
@@ -2070,6 +2080,8 @@ public class LockSettingsService extends ILockSettings.Stub {
                | BadPaddingException | CertificateException | IOException e) {
            Slog.e(TAG, "Failed to decrypt child profile key", e);
            throw new IllegalStateException("Unable to get tied profile token");
        } finally {
            scheduleGc();
        }
    }

@@ -2983,6 +2995,7 @@ public class LockSettingsService extends ILockSettings.Stub {
    @Override
    public byte[] getHashFactor(LockscreenCredential currentCredential, int userId) {
        checkPasswordReadPermission(userId);
        try {
            if (isManagedProfileWithUnifiedLock(userId)) {
                try {
                    currentCredential = getDecryptedPasswordForTiedProfile(userId);
@@ -3005,6 +3018,9 @@ public class LockSettingsService extends ILockSettings.Stub {
                }
                return auth.authToken.derivePasswordHashFactor();
            }
        } finally {
            scheduleGc();
        }
    }

    private long addEscrowToken(byte[] token, int userId, EscrowTokenStateChangeCallback callback) {
@@ -3287,6 +3303,22 @@ public class LockSettingsService extends ILockSettings.Stub {
        }
    }

    /**
     * Schedules garbage collection to sanitize lockscreen credential remnants in memory.
     *
     * One source of leftover lockscreen credentials is the unmarshalled binder method arguments.
     * Since this method will be called within the binder implementation method, a small delay is
     * added before the GC operation to allow the enclosing binder proxy code to complete and
     * release references to the argument.
     */
    private void scheduleGc() {
        mHandler.postDelayed(() -> {
            System.gc();
            System.runFinalization();
            System.gc();
        }, 2000);
    }

    private class DeviceProvisionedObserver extends ContentObserver {
        private final Uri mDeviceProvisionedUri = Settings.Global.getUriFor(
                Settings.Global.DEVICE_PROVISIONED);
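Review bot: In the first two hunks scheduleGc() is called by hand just before `return false` and `return true`, so an exception thrown by setLockCredentialInternal or by the calls that follow it leaves the method without scheduling the collection. checkCredential and getHashFactor instead wrap their bodies in `try { … } finally { scheduleGc(); }`, and the same form would cover the exception path here. That method starts outside the hunks, so this is judged from the visible lines only. In scheduleGc() the Javadoc says the collection will "sanitize" credential remnants, but System.gc() is only a request to the runtime, and whether reclaimed memory is overwritten depends on the collector. I would word it as best-effort, for example `Best-effort: asks the runtime to collect unreachable credential copies; it does not guarantee that the memory is overwritten.`, and give the delay a name such as `private static final long GC_DELAY_MS = 2000;`.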