Loading services/core/java/com/android/server/locksettings/LockSettingsService.java +13 −0 Original line number Diff line number Diff line Loading @@ -530,6 +530,11 @@ public class LockSettingsService extends ILockSettings.Stub { return Settings.Global.getInt(contentResolver, keyName, defaultValue); } public int settingsSecureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { return Settings.Secure.getIntForUser(contentResolver, keyName, defaultValue, userId); } public @NonNull ManagedProfilePasswordCache getManagedProfilePasswordCache() { try { java.security.KeyStore ks = java.security.KeyStore.getInstance("AndroidKeyStore"); Loading Loading @@ -1010,6 +1015,13 @@ public class LockSettingsService extends ILockSettings.Stub { } } private void enforceFrpResolved() { if (mInjector.settingsSecureGetInt(mContext.getContentResolver(), Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) { throw new SecurityException("Cannot change credential while FRP is not resolved yet"); } } private final void checkWritePermission(int userId) { mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsWrite"); } Loading Loading @@ -1572,6 +1584,7 @@ public class LockSettingsService extends ILockSettings.Stub { "This operation requires secure lock screen feature"); } checkWritePermission(userId); enforceFrpResolved(); // When changing credential for profiles with unified challenge, some callers // will pass in empty credential while others will pass in the credential of Loading services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java +15 −0 Original line number Diff line number Diff line Loading 
@@ -15,16 +15,23 @@ */ package com.android.server.locksettings; import android.content.ContentResolver; import android.os.UserHandle; import android.provider.Settings; public class FakeSettings { private int mDeviceProvisioned; private int mSecureFrpMode; public void setDeviceProvisioned(boolean provisioned) { mDeviceProvisioned = provisioned ? 1 : 0; } public void setSecureFrpMode(boolean secure) { mSecureFrpMode = secure ? 1 : 0; } public int globalGetInt(String keyName) { switch (keyName) { case Settings.Global.DEVICE_PROVISIONED: Loading @@ -33,4 +40,12 @@ public class FakeSettings { throw new IllegalArgumentException("Unhandled global settings: " + keyName); } } public int secureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) { return mSecureFrpMode; } return defaultValue; } } services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTestable.java +6 −0 Original line number Diff line number Diff line Loading @@ -123,6 +123,12 @@ public class LockSettingsServiceTestable extends LockSettingsService { return mSettings.globalGetInt(keyName); } @Override public int settingsSecureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { return mSettings.secureGetInt(contentResolver, keyName, defaultValue, userId); } @Override public UserManagerInternal getUserManagerInternal() { return mUserManagerInternal; Loading services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java +9 −0 Original line number Diff line number Diff line Loading 
@@ -416,6 +416,15 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { eq(CREDENTIAL_TYPE_PASSWORD), any(), eq(MANAGED_PROFILE_USER_ID)); } @Test public void testCredentialChangeNotPossibleInSecureFrpMode() { mSettings.setSecureFrpMode(true); try { mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID); fail("Password shouldn't be changeable before FRP unlock"); } catch (SecurityException e) { } } private void testCreateCredential(int userId, LockscreenCredential credential) throws RemoteException { assertTrue(mService.setLockCredential(credential, nonePassword(), userId)); Loading Loading
services/core/java/com/android/server/locksettings/LockSettingsService.java +13 −0 Original line number Diff line number Diff line Loading @@ -530,6 +530,11 @@ public class LockSettingsService extends ILockSettings.Stub { return Settings.Global.getInt(contentResolver, keyName, defaultValue); } public int settingsSecureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { return Settings.Secure.getIntForUser(contentResolver, keyName, defaultValue, userId); } public @NonNull ManagedProfilePasswordCache getManagedProfilePasswordCache() { try { java.security.KeyStore ks = java.security.KeyStore.getInstance("AndroidKeyStore"); Loading Loading @@ -1010,6 +1015,13 @@ public class LockSettingsService extends ILockSettings.Stub { } } private void enforceFrpResolved() { if (mInjector.settingsSecureGetInt(mContext.getContentResolver(), Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) { throw new SecurityException("Cannot change credential while FRP is not resolved yet"); } } private final void checkWritePermission(int userId) { mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsWrite"); } Loading Loading @@ -1572,6 +1584,7 @@ public class LockSettingsService extends ILockSettings.Stub { "This operation requires secure lock screen feature"); } checkWritePermission(userId); enforceFrpResolved(); // When changing credential for profiles with unified challenge, some callers // will pass in empty credential while others will pass in the credential of Loading
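Review bot: enforceFrpResolved() passes 0 as the default to settingsSecureGetInt, so a SECURE_FRP_MODE value that is absent for USER_SYSTEM is read as "FRP resolved" and the credential change proceeds; whether the setting is always written before this path can be reached is not visible in these hunks and is worth confirming. The method also has no comment saying what the value 1 means or why USER_SYSTEM is queried regardless of the userId being changed; something like `// SECURE_FRP_MODE == 1 means factory reset protection is still pending; refuse credential changes for every user until it is resolved.` above the method would record that. A log line before the throw would also make rejected attempts visible when triaging a device. The guard is called only from the method in the third hunk, whose body starts and ends outside the hunk, so other credential-writing paths in this class should be checked for the same call.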
services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java +15 −0 Original line number Diff line number Diff line Loading @@ -15,16 +15,23 @@ */ package com.android.server.locksettings; import android.content.ContentResolver; import android.os.UserHandle; import android.provider.Settings; public class FakeSettings { private int mDeviceProvisioned; private int mSecureFrpMode; public void setDeviceProvisioned(boolean provisioned) { mDeviceProvisioned = provisioned ? 1 : 0; } public void setSecureFrpMode(boolean secure) { mSecureFrpMode = secure ? 1 : 0; } public int globalGetInt(String keyName) { switch (keyName) { case Settings.Global.DEVICE_PROVISIONED: Loading @@ -33,4 +40,12 @@ public class FakeSettings { throw new IllegalArgumentException("Unhandled global settings: " + keyName); } } public int secureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) { return mSecureFrpMode; } return defaultValue; } }
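Review bot: secureGetInt() returns defaultValue for any key it does not recognise, while globalGetInt() in the same fake throws IllegalArgumentException for unhandled keys, so a later read of another Settings.Secure key by the service would silently get the default in tests instead of failing loudly. If the lenient behaviour is meant to mirror Settings.Secure.getIntForUser, a one-line comment such as `// Unhandled secure settings fall back to the caller's default, like the real provider.` would make that explicit; otherwise throwing as globalGetInt does keeps the two accessors consistent. The contentResolver parameter is unused in the fake and appears to exist only to match the injector signature.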
services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTestable.java +6 −0 Original line number Diff line number Diff line Loading @@ -123,6 +123,12 @@ public class LockSettingsServiceTestable extends LockSettingsService { return mSettings.globalGetInt(keyName); } @Override public int settingsSecureGetInt(ContentResolver contentResolver, String keyName, int defaultValue, int userId) { return mSettings.secureGetInt(contentResolver, keyName, defaultValue, userId); } @Override public UserManagerInternal getUserManagerInternal() { return mUserManagerInternal; Loading
services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java +9 −0 Original line number Diff line number Diff line Loading @@ -416,6 +416,15 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { eq(CREDENTIAL_TYPE_PASSWORD), any(), eq(MANAGED_PROFILE_USER_ID)); } @Test public void testCredentialChangeNotPossibleInSecureFrpMode() { mSettings.setSecureFrpMode(true); try { mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID); fail("Password shouldn't be changeable before FRP unlock"); } catch (SecurityException e) { } } private void testCreateCredential(int userId, LockscreenCredential credential) throws RemoteException { assertTrue(mService.setLockCredential(credential, nonePassword(), userId)); Loading
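Review bot: testCredentialChangeNotPossibleInSecureFrpMode only checks that a SecurityException is thrown; it does not assert afterwards that the user's credential is still unset, so a regression that throws after partially writing the credential would still pass. The empty `catch (SecurityException e) { }` should carry at least `// expected` so the swallow reads as deliberate. A companion case that calls `mSettings.setSecureFrpMode(false)` and confirms the change succeeds would pin down that the guard follows the flag, unless the existing tests are considered to cover that through the fake's default value of 0.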