Loading services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java +12 −2 Original line number Diff line number Diff line Loading @@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache { // Generate auth-bound key to user 0 (since we the caller is user 0) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) // Only accessible after user 0's keyguard is unlocked .setUnlockedDeviceRequired(true) .build()); key = generator.generateKey(); } catch (GeneralSecurityException e) { Loading Loading @@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache { public void removePassword(int userId) { synchronized (mEncryptedPasswords) { String keyName = getEncryptionKeyName(userId); String legacyKeyName = getLegacyEncryptionKeyName(userId); try { if (mKeyStore.containsAlias(keyName)) { mKeyStore.deleteEntry(keyName); } if (mKeyStore.containsAlias(legacyKeyName)) { mKeyStore.deleteEntry(legacyKeyName); } } catch (KeyStoreException e) { Slog.d(TAG, "Cannot delete key", e); } Loading @@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache { } private static String getEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_v2_" + userId; } /** * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly. * Only existed during Android 11 internal testing period. */ private static String getLegacyEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_" + userId; } } services/core/java/com/android/server/pm/UserManagerService.java +33 −2 Original line number Diff line number Diff line Loading @@ -43,6 +43,7 @@ import android.content.IntentFilter; import android.content.IntentSender; import android.content.pm.PackageManager; import android.content.pm.PackageManager.NameNotFoundException; import android.content.pm.PackageManagerInternal; import android.content.pm.ShortcutServiceInternal; import android.content.pm.UserInfo; import android.content.pm.UserInfo.UserInfoFlag; Loading Loading @@ -264,6 +265,7 @@ public class UserManagerService extends IUserManager.Stub { /** Installs system packages based on user-type. */ private final UserSystemPackageInstaller mSystemPackageInstaller; private PackageManagerInternal mPmInternal; private DevicePolicyManagerInternal mDevicePolicyManagerInternal; /** Loading Loading @@ -985,6 +987,15 @@ public class UserManagerService extends IUserManager.Stub { ensureCanModifyQuietMode( callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); if (onlyIfCredentialNotRequired && callingPackage.equals( getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) { // This is to prevent SysUI from accidentally allowing the profile to turned on // without password when keyguard is still locked. throw new SecurityException("SystemUI is not allowed to set " + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED"); } final long identity = Binder.clearCallingIdentity(); try { if (enableQuietMode) { Loading @@ -992,7 +1003,17 @@ public class UserManagerService extends IUserManager.Stub { userId, true /* enableQuietMode */, target, callingPackage); return true; } if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) { KeyguardManager km = mContext.getSystemService(KeyguardManager.class); // Normally only attempt to auto-unlock unified challenge if keyguard is not showing // (to stop turning profile on automatically via the QS tile), except when we // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which // case always attempt to auto-unlock. if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId)) || onlyIfCredentialNotRequired) { mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); } } final boolean needToShowConfirmCredential = !dontAskCredential && mLockPatternUtils.isSecure(userId) && !StorageManager.isUserKeyUnlocked(userId); Loading Loading @@ -1025,6 +1046,8 @@ public class UserManagerService extends IUserManager.Stub { */ private void ensureCanModifyQuietMode(String callingPackage, int callingUid, @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { verifyCallingPackage(callingPackage, callingUid); if (hasManageUsersPermission()) { return; } Loading @@ -1046,7 +1069,6 @@ public class UserManagerService extends IUserManager.Stub { return; } verifyCallingPackage(callingPackage, callingUid); final ShortcutServiceInternal shortcutInternal = LocalServices.getService(ShortcutServiceInternal.class); if (shortcutInternal != null) { Loading Loading @@ -5323,6 +5345,15 @@ public class UserManagerService extends IUserManager.Stub { } } /** Retrieves the internal package manager interface. */ private PackageManagerInternal getPackageManagerInternal() { // Don't need to synchonize; worst-case scenario LocalServices will be called twice. if (mPmInternal == null) { mPmInternal = LocalServices.getService(PackageManagerInternal.class); } return mPmInternal; } /** Returns the internal device policy manager interface. */ private DevicePolicyManagerInternal getDevicePolicyManagerInternal() { if (mDevicePolicyManagerInternal == null) { Loading Loading
services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java +12 −2 Original line number Diff line number Diff line Loading @@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache { // Generate auth-bound key to user 0 (since we the caller is user 0) .setUserAuthenticationRequired(true) .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS) // Only accessible after user 0's keyguard is unlocked .setUnlockedDeviceRequired(true) .build()); key = generator.generateKey(); } catch (GeneralSecurityException e) { Loading Loading @@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache { public void removePassword(int userId) { synchronized (mEncryptedPasswords) { String keyName = getEncryptionKeyName(userId); String legacyKeyName = getLegacyEncryptionKeyName(userId); try { if (mKeyStore.containsAlias(keyName)) { mKeyStore.deleteEntry(keyName); } if (mKeyStore.containsAlias(legacyKeyName)) { mKeyStore.deleteEntry(legacyKeyName); } } catch (KeyStoreException e) { Slog.d(TAG, "Cannot delete key", e); } Loading @@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache { } private static String getEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_v2_" + userId; } /** * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly. * Only existed during Android 11 internal testing period. */ private static String getLegacyEncryptionKeyName(int userId) { return "com.android.server.locksettings.unified_profile_cache_" + userId; } }
services/core/java/com/android/server/pm/UserManagerService.java +33 −2 Original line number Diff line number Diff line Loading @@ -43,6 +43,7 @@ import android.content.IntentFilter; import android.content.IntentSender; import android.content.pm.PackageManager; import android.content.pm.PackageManager.NameNotFoundException; import android.content.pm.PackageManagerInternal; import android.content.pm.ShortcutServiceInternal; import android.content.pm.UserInfo; import android.content.pm.UserInfo.UserInfoFlag; Loading Loading @@ -264,6 +265,7 @@ public class UserManagerService extends IUserManager.Stub { /** Installs system packages based on user-type. */ private final UserSystemPackageInstaller mSystemPackageInstaller; private PackageManagerInternal mPmInternal; private DevicePolicyManagerInternal mDevicePolicyManagerInternal; /** Loading Loading @@ -985,6 +987,15 @@ public class UserManagerService extends IUserManager.Stub { ensureCanModifyQuietMode( callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential); if (onlyIfCredentialNotRequired && callingPackage.equals( getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) { // This is to prevent SysUI from accidentally allowing the profile to turned on // without password when keyguard is still locked. throw new SecurityException("SystemUI is not allowed to set " + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED"); } final long identity = Binder.clearCallingIdentity(); try { if (enableQuietMode) { Loading @@ -992,7 +1003,17 @@ public class UserManagerService extends IUserManager.Stub { userId, true /* enableQuietMode */, target, callingPackage); return true; } if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) { KeyguardManager km = mContext.getSystemService(KeyguardManager.class); // Normally only attempt to auto-unlock unified challenge if keyguard is not showing // (to stop turning profile on automatically via the QS tile), except when we // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which // case always attempt to auto-unlock. if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId)) || onlyIfCredentialNotRequired) { mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId); } } final boolean needToShowConfirmCredential = !dontAskCredential && mLockPatternUtils.isSecure(userId) && !StorageManager.isUserKeyUnlocked(userId); Loading Loading @@ -1025,6 +1046,8 @@ public class UserManagerService extends IUserManager.Stub { */ private void ensureCanModifyQuietMode(String callingPackage, int callingUid, @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) { verifyCallingPackage(callingPackage, callingUid); if (hasManageUsersPermission()) { return; } Loading @@ -1046,7 +1069,6 @@ public class UserManagerService extends IUserManager.Stub { return; } verifyCallingPackage(callingPackage, callingUid); final ShortcutServiceInternal shortcutInternal = LocalServices.getService(ShortcutServiceInternal.class); if (shortcutInternal != null) { Loading Loading @@ -5323,6 +5345,15 @@ public class UserManagerService extends IUserManager.Stub { } } /** Retrieves the internal package manager interface. */ private PackageManagerInternal getPackageManagerInternal() { // Don't need to synchonize; worst-case scenario LocalServices will be called twice. if (mPmInternal == null) { mPmInternal = LocalServices.getService(PackageManagerInternal.class); } return mPmInternal; } /** Returns the internal device policy manager interface. */ private DevicePolicyManagerInternal getDevicePolicyManagerInternal() { if (mDevicePolicyManagerInternal == null) { Loading
