
Commit 6bc58b4e authored by Automerger Merge Worker's avatar Automerger Merge Worker

Merge "Enforce secure FRP mode while changing credentials" into rvc-dev am:...

Merge "Enforce secure FRP mode while changing credentials" into rvc-dev am: 0424c5cb am: a8a78a78 am: fd01c33c

Change-Id: If3d9782dd49ec69d8c532cd77ea1e99c9d2d4c11
parents 251bcd0b fd01c33c
+13 −0
@@ -530,6 +530,11 @@ public class LockSettingsService extends ILockSettings.Stub {
            return Settings.Global.getInt(contentResolver, keyName, defaultValue);
        }

        public int settingsSecureGetInt(ContentResolver contentResolver, String keyName,
                int defaultValue, int userId) {
            return Settings.Secure.getIntForUser(contentResolver, keyName, defaultValue, userId);
        }

        public @NonNull ManagedProfilePasswordCache getManagedProfilePasswordCache() {
            try {
                java.security.KeyStore ks = java.security.KeyStore.getInstance("AndroidKeyStore");
@@ -1010,6 +1015,13 @@ public class LockSettingsService extends ILockSettings.Stub {
        }
    }

    private void enforceFrpResolved() {
        if (mInjector.settingsSecureGetInt(mContext.getContentResolver(),
                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) {
            throw new SecurityException("Cannot change credential while FRP is not resolved yet");
        }
    }

    private final void checkWritePermission(int userId) {
        mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsWrite");
    }
@@ -1572,6 +1584,7 @@ public class LockSettingsService extends ILockSettings.Stub {
                    "This operation requires secure lock screen feature");
        }
        checkWritePermission(userId);
        enforceFrpResolved();

        // When changing credential for profiles with unified challenge, some callers
        // will pass in empty credential while others will pass in the credential of
+15 −0
@@ -15,16 +15,23 @@
 */
package com.android.server.locksettings;

import android.content.ContentResolver;
import android.os.UserHandle;
import android.provider.Settings;

public class FakeSettings {

    private int mDeviceProvisioned;
    private int mSecureFrpMode;

    public void setDeviceProvisioned(boolean provisioned) {
        mDeviceProvisioned = provisioned ? 1 : 0;
    }

    public void setSecureFrpMode(boolean secure) {
        mSecureFrpMode = secure ? 1 : 0;
    }

    public int globalGetInt(String keyName) {
        switch (keyName) {
            case Settings.Global.DEVICE_PROVISIONED:
@@ -33,4 +40,12 @@ public class FakeSettings {
                throw new IllegalArgumentException("Unhandled global settings: " + keyName);
        }
    }

    public int secureGetInt(ContentResolver contentResolver, String keyName, int defaultValue,
            int userId) {
        if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) {
            return mSecureFrpMode;
        }
        return defaultValue;
    }
}
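Review bot: `secureGetInt` returns `defaultValue` for every key it does not model, while `globalGetInt` just above throws `IllegalArgumentException` for an unhandled key, so a new secure-setting read in the service would pass through the tests unnoticed. If the lenient fallback is deliberate, a one-line comment would record it, e.g. `// Unmodelled secure settings fall back to the caller's default.`; otherwise mirror `globalGetInt` and throw. The `contentResolver` argument is unused in the fake, which is worth mentioning in the same comment.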
+6 −0
@@ -123,6 +123,12 @@ public class LockSettingsServiceTestable extends LockSettingsService {
            return mSettings.globalGetInt(keyName);
        }

        @Override
        public int settingsSecureGetInt(ContentResolver contentResolver, String keyName,
                int defaultValue, int userId) {
            return mSettings.secureGetInt(contentResolver, keyName, defaultValue, userId);
        }

        @Override
        public UserManagerInternal getUserManagerInternal() {
            return mUserManagerInternal;
+9 −0
@@ -416,6 +416,15 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests {
                        eq(CREDENTIAL_TYPE_PASSWORD), any(), eq(MANAGED_PROFILE_USER_ID));
    }

    @Test
    public void testCredentialChangeNotPossibleInSecureFrpMode() {
        mSettings.setSecureFrpMode(true);
        try {
            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
            fail("Password shouldn't be changeable before FRP unlock");
        } catch (SecurityException e) { }
    }

    private void testCreateCredential(int userId, LockscreenCredential credential)
            throws RemoteException {
        assertTrue(mService.setLockCredential(credential, nonePassword(), userId));
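Review bot: `testCredentialChangeNotPossibleInSecureFrpMode` only checks that `SecurityException` is thrown; it does not assert that the stored credential is unchanged afterwards, and the empty `catch (SecurityException e) { }` does not say the exception is the expected outcome. Consider renaming the variable to `expected` and adding after the catch something like `assertEquals(CREDENTIAL_TYPE_NONE, mService.getCredentialType(PRIMARY_USER_ID));`, if that accessor is available on this branch. A second case using `MANAGED_PROFILE_USER_ID` would pin that the guard also blocks profile users, since the check reads the setting for `USER_SYSTEM` regardless of the target user.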