
Commit 7827327c authored by Danny Baumann's avatar Danny Baumann

Fix profile lockscreen override.

KeyStore.isEmpty() needs to be called under the system UID (as it needs
KeyStore's P_ZERO permission), otherwise it'll always return false.
Achieve that by moving the requireSecureKeyguard() implementation into
the DPM service.

Also take the opportunity to clean up the code a bit.

Change-Id: Ice648f2050f22ee5f27332f23a850f1e90befb94
parent 57e1d7bc
+0 −13
@@ -16,7 +16,6 @@

package android.app;

import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.media.AudioManager;
import android.os.Parcel;
@@ -454,18 +453,6 @@ public final class Profile implements Parcelable, Comparable {
        mDirty = true;
    }

    public int getScreenLockModeWithDPM(Context context) {
        // Check device policy
        DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);

        if (dpm.requireSecureKeyguard()) {
            // Always enforce lock screen
            return LockMode.DEFAULT;
        }

        return mScreenLockMode;
    }

    public int getScreenLockMode() {
        return mScreenLockMode;
    }
+12 −9
@@ -30,7 +30,6 @@ import android.os.RemoteCallback;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
import android.security.KeyStore;
import android.util.Log;

import com.android.org.conscrypt.TrustedCertificateStore;
@@ -1688,14 +1687,18 @@ public class DevicePolicyManager {
     * @hide
     */
    public boolean requireSecureKeyguard() {
        int encryptionStatus = getStorageEncryptionStatus();
        if (getPasswordQuality(null) > PASSWORD_QUALITY_UNSPECIFIED ||
                !KeyStore.getInstance().isEmpty() ||
                encryptionStatus == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE ||
                encryptionStatus == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING) {
            // Require secure keyguard
            return true;
        return requireSecureKeyguard(UserHandle.myUserId());
    }
        return false;

    /** @hide */
    public boolean requireSecureKeyguard(int userHandle) {
        if (mService != null) {
            try {
                return mService.requireSecureKeyguard(userHandle);
            } catch (RemoteException re) {
                Log.w(TAG, "Failed to get secure keyguard requirement");
            }
        }
        return true;
    }
}
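Review bot: The new `requireSecureKeyguard(int userHandle)` falls through to `return true` when `mService` is null or the binder call throws, which is the safe fail-closed choice for a lock-screen decision, but nothing in the code says so and the `RemoteException` is dropped from the log. I would pass the exception along, `Log.w(TAG, "Failed to get secure keyguard requirement", re);`, and put `// Fail closed: require a secure keyguard if the DPM service cannot be reached.` above the final return so nobody later "simplifies" it to `false`. The `/** @hide */` Javadoc could also state in one sentence that the result is computed in the DPM service for the given user and defaults to true on failure.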
+2 −0
@@ -105,4 +105,6 @@ interface IDevicePolicyManager {

    boolean installCaCert(in byte[] certBuffer);
    void uninstallCaCert(in byte[] certBuffer);

    boolean requireSecureKeyguard(int userHandle);
}
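Review bot: `requireSecureKeyguard(int userHandle)` exposes a binder entry point with a caller-supplied user id, and the service-side implementation is not visible in this part of the page. Since the commit message says the KeyStore check must run under the system UID, the implementation will answer with system privileges on behalf of any caller; it should confirm the caller is entitled to query `userHandle` (same user, or holding the cross-user permission) before evaluating the policy. A short comment above the declaration, e.g. `// Evaluated in the system server; returns whether a secure keyguard is mandatory for userHandle.`, would document that contract.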
+19 −5
@@ -1249,11 +1249,25 @@ public class LockPatternUtils {
                || mode == DevicePolicyManager.PASSWORD_QUALITY_ALPHABETIC
                || mode == DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC
                || mode == DevicePolicyManager.PASSWORD_QUALITY_COMPLEX;
        final boolean isProfileSecure = mProfileManager.getActiveProfile()
                .getScreenLockModeWithDPM(mContext) == Profile.LockMode.DEFAULT;
        final boolean secure = (isPattern && isLockPatternEnabled() && savedPatternExists()
                || isPassword && savedPasswordExists()) && isProfileSecure;
        return secure;
        final boolean hasPattern = isPattern && isLockPatternEnabled() && savedPatternExists();
        final boolean hasPassword = isPassword && savedPasswordExists();

        return (hasPattern || hasPassword) &&
                getActiveProfileLockMode() == Profile.LockMode.DEFAULT;
    }

    public int getActiveProfileLockMode() {
        // Check device policy
        DevicePolicyManager dpm = (DevicePolicyManager)
                mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);

        if (dpm.requireSecureKeyguard(getCurrentOrCallingUserId())) {
            // Always enforce lock screen
            return Profile.LockMode.DEFAULT;
        }

        final Profile profile = mProfileManager.getActiveProfile();
        return profile.getScreenLockMode();
    }

    /**
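Review bot: In the new `getActiveProfileLockMode()` the result of `mContext.getSystemService(Context.DEVICE_POLICY_SERVICE)` is dereferenced without a null check, so the fail-closed default inside `DevicePolicyManager.requireSecureKeyguard(int)` only helps when a manager object was actually returned. If the service lookup can return null on this platform (not verifiable from the hunk), the keyguard path would throw instead of enforcing the lock; treating that case as "secure required" keeps the behaviour consistent: `if (dpm == null || dpm.requireSecureKeyguard(getCurrentOrCallingUserId())) {`. The same question applies to `mProfileManager.getActiveProfile()` returning null before `profile.getScreenLockMode()`. As a new public method that decides whether a profile may disable the lock screen, it also deserves a Javadoc stating that device policy overrides the profile setting.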
+1 −7
@@ -16,7 +16,6 @@
package com.android.keyguard;

import android.app.Profile;
import android.app.ProfileManager;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.telephony.TelephonyManager;
@@ -44,13 +43,9 @@ public class KeyguardSecurityModel {
    private Context mContext;
    private LockPatternUtils mLockPatternUtils;

    // We can use the profile manager to override security
    private ProfileManager mProfileManager;

    KeyguardSecurityModel(Context context) {
        mContext = context;
        mLockPatternUtils = new LockPatternUtils(context);
        mProfileManager = (ProfileManager) context.getSystemService(Context.PROFILE_SERVICE);
    }

    void setLockPatternUtils(LockPatternUtils utils) {
@@ -82,14 +77,13 @@ public class KeyguardSecurityModel {
    SecurityMode getSecurityMode() {
        KeyguardUpdateMonitor updateMonitor = KeyguardUpdateMonitor.getInstance(mContext);
        final IccCardConstants.State simState = updateMonitor.getSimState();
        final Profile profile = mProfileManager.getActiveProfile();
        SecurityMode mode = SecurityMode.None;
        if (simState == IccCardConstants.State.PIN_REQUIRED) {
            mode = SecurityMode.SimPin;
        } else if (simState == IccCardConstants.State.PUK_REQUIRED
                && mLockPatternUtils.isPukUnlockScreenEnable()) {
            mode = SecurityMode.SimPuk;
        } else if (profile.getScreenLockModeWithDPM(mContext) != Profile.LockMode.INSECURE) {
        } else if (mLockPatternUtils.getActiveProfileLockMode() != Profile.LockMode.INSECURE) {
            final int security = mLockPatternUtils.getKeyguardStoredPasswordQuality();
            switch (security) {
                case DevicePolicyManager.PASSWORD_QUALITY_NUMERIC: