
Commit 79762d03 authored by Grace Cheng's avatar Grace Cheng Committed by Android (Google) Code Review

Merge changes from topic "secure-lock-device" into main

* changes:
  Add permissions for AuthenticationPolicyManager CTS tests
  isSecureLockDeviceEnabled, isSecureLockDeviceAvailable APIs, persist across reboot
  Add flag for secure lock device feature
parents a4901cc4 6f9d73ce
+3 −0
@@ -12737,9 +12737,12 @@ package android.security.authenticationpolicy {
  @FlaggedApi("android.security.secure_lockdown") public final class AuthenticationPolicyManager {
    method @FlaggedApi("android.security.secure_lockdown") @RequiresPermission(android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE) public int disableSecureLockDevice(@NonNull android.security.authenticationpolicy.DisableSecureLockDeviceParams);
    method @FlaggedApi("android.security.secure_lockdown") @RequiresPermission(android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE) public int enableSecureLockDevice(@NonNull android.security.authenticationpolicy.EnableSecureLockDeviceParams);
    method @FlaggedApi("android.security.secure_lock_device") @RequiresPermission(android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE) public int isSecureLockDeviceAvailable();
    method @FlaggedApi("android.security.secure_lock_device") @RequiresPermission(android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE) public boolean isSecureLockDeviceEnabled();
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_ALREADY_ENABLED = 6; // 0x6
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_INSUFFICIENT_BIOMETRICS = 5; // 0x5
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_INVALID_PARAMS = 3; // 0x3
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_NOT_AUTHORIZED = 7; // 0x7
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_NO_BIOMETRICS_ENROLLED = 4; // 0x4
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_UNKNOWN = 1; // 0x1
    field @FlaggedApi("android.security.secure_lockdown") public static final int ERROR_UNSUPPORTED = 2; // 0x2
+105 −18
@@ -17,6 +17,7 @@ package android.security.authenticationpolicy;

import static android.Manifest.permission.MANAGE_SECURE_LOCK_DEVICE;
import static android.security.Flags.FLAG_SECURE_LOCKDOWN;
import static android.security.Flags.FLAG_SECURE_LOCK_DEVICE;

import android.annotation.FlaggedApi;
import android.annotation.IntDef;
@@ -48,6 +49,16 @@ import java.lang.annotation.RetentionPolicy;
 * To disable secure lock on the device, call {@link #disableSecureLockDevice}. This will require
 * the caller to have the {@link android.Manifest.permission#MANAGE_SECURE_LOCK_DEVICE} permission.
 *
 * <p>
 * To check if the device meets the requirements to enable secure lock, call
 * {@link #isSecureLockDeviceAvailable}. This will require the caller to have the
 * {@link android.Manifest.permission#MANAGE_SECURE_LOCK_DEVICE} permission.
 *
 * <p>
 * To check if secure lock is already enabled on the device, call
 * {@link #isSecureLockDeviceEnabled}. This will require the caller to have the
 * {@link android.Manifest.permission#MANAGE_SECURE_LOCK_DEVICE} permission.
 *
 * @hide
 */
@SystemApi
@@ -71,8 +82,7 @@ public final class AuthenticationPolicyManager {
    public static final int SUCCESS = 0;

    /**
     * Error result code for {@link #enableSecureLockDevice} and {@link
     * #disableSecureLockDevice}.
     * Error result code for {@link #enableSecureLockDevice} and {@link #disableSecureLockDevice}.
     *
     * Secure lock device request status unknown.
     *
@@ -141,6 +151,15 @@ public final class AuthenticationPolicyManager {
    @FlaggedApi(FLAG_SECURE_LOCKDOWN)
    public static final int ERROR_ALREADY_ENABLED = 6;

    /**
     * Error result code for {@link #disableSecureLockDevice}
     *
     * @hide
     */
    @SystemApi
    @FlaggedApi(FLAG_SECURE_LOCKDOWN)
    public static final int ERROR_NOT_AUTHORIZED = 7;

    /**
     * Communicates the current status of a request to enable secure lock on the device.
     *
@@ -168,10 +187,26 @@ public final class AuthenticationPolicyManager {
            ERROR_UNKNOWN,
            ERROR_UNSUPPORTED,
            ERROR_INVALID_PARAMS,
            ERROR_NOT_AUTHORIZED
    })
    @Retention(RetentionPolicy.SOURCE)
    public @interface DisableSecureLockDeviceRequestStatus {}

    /**
     * Communicates the current status of a request to check if the device meets the requirements
     * for secure lock device.
     *
     * @hide
     */
    @IntDef(prefix = {"IS_SECURE_LOCK_DEVICE_AVAILABLE_STATUS_"}, value = {
            SUCCESS,
            ERROR_UNSUPPORTED,
            ERROR_NO_BIOMETRICS_ENROLLED,
            ERROR_INSUFFICIENT_BIOMETRICS,
    })
    @Retention(RetentionPolicy.SOURCE)
    public @interface IsSecureLockDeviceAvailableRequestStatus {}

    /** @hide */
    public AuthenticationPolicyManager(@NonNull Context context,
            @NonNull IAuthenticationPolicyService authenticationPolicyService) {
@@ -180,21 +215,51 @@ public final class AuthenticationPolicyManager {
    }

    /**
     * Called by a privileged component to remotely enable secure lock on the device.
     * Called by a privileged component to indicate if secure lock device is available for the
     * calling user.
     *
     * @return {@link IsSecureLockDeviceAvailableRequestStatus} int indicating whether secure lock
     * device is available for the calling user. This will return {@link #SUCCESS} if the device
     * meets all requirements to enable secure lock device, {@link #ERROR_INSUFFICIENT_BIOMETRICS}
     * if the device is missing a strong biometric enrollment, {@link #ERROR_NO_BIOMETRICS_ENROLLED}
     * if the device has no biometric enrollments, or {@link #ERROR_UNSUPPORTED} if secure lock
     * device is otherwise unsupported.
     *
     * @hide
     */
    @IsSecureLockDeviceAvailableRequestStatus
    @RequiresPermission(MANAGE_SECURE_LOCK_DEVICE)
    @SystemApi
    @FlaggedApi(FLAG_SECURE_LOCK_DEVICE)
    public int isSecureLockDeviceAvailable() {
        try {
            return mAuthenticationPolicyService.isSecureLockDeviceAvailable(mContext.getUser());
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }


    /**
     * Called by a privileged component to remotely enable secure lock on the device across all
     * users. This operation will first check {@link #isSecureLockDeviceAvailable()} to see if the
     * calling user meets the requirements to enable secure lock device, including a strong
     * biometric enrollment, and will return an error if not.
     *
     * Secure lock is an enhanced security state that restricts access to sensitive data (app
     * notifications, widgets, quick settings, assistant, etc) and requires multi-factor
     * authentication for device entry, such as
     * notifications, widgets, quick settings, assistant, etc), and locks the device under the
     * calling user's credentials with multi-factor authentication for device entry, such as
     * {@link android.hardware.biometrics.BiometricManager.Authenticators#DEVICE_CREDENTIAL} and
     * {@link android.hardware.biometrics.BiometricManager.Authenticators#BIOMETRIC_STRONG}.
     *
     * If secure lock is already enabled when this method is called, it will return
     * {@link ERROR_ALREADY_ENABLED}.
     * {@link #ERROR_ALREADY_ENABLED}.
     *
     * @param params EnableSecureLockDeviceParams for caller to supply params related to the secure
     *               lock device request
     * @return @EnableSecureLockDeviceRequestStatus int indicating the result of the secure lock
     * device request
     * @param params {@link EnableSecureLockDeviceParams} for caller to supply params related to
     *                                                   the secure lock device request
     * @return {@link EnableSecureLockDeviceRequestStatus} int indicating the result of the secure
     * lock device request. This returns {@link #SUCCESS} if secure lock device is successfully
     * enabled, or an error code indicating more information about the failure otherwise.
     *
     * @hide
     */
@@ -204,22 +269,27 @@ public final class AuthenticationPolicyManager {
    @FlaggedApi(FLAG_SECURE_LOCKDOWN)
    public int enableSecureLockDevice(@NonNull EnableSecureLockDeviceParams params) {
        try {
            return mAuthenticationPolicyService.enableSecureLockDevice(params);
            return mAuthenticationPolicyService.enableSecureLockDevice(mContext.getUser(), params);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * Called by a privileged component to disable secure lock on the device.
     * Called by a privileged component to disable secure lock on the device across all users. This
     * operation is restricted to the user that originally enabled the current secure lock device
     * state.
     *
     * If the calling user identity does not match the user that enabled secure lock device, it
     * will return {@link #ERROR_NOT_AUTHORIZED}
     *
     * If secure lock is already disabled when this method is called, it will return
     * {@link SUCCESS}.
     * {@link #SUCCESS}.
     *
     * @param params @DisableSecureLockDeviceParams for caller to supply params related to the
     *               secure lock device request
     * @return @DisableSecureLockDeviceRequestStatus int indicating the result of the secure lock
     * device request
     * @param params {@link DisableSecureLockDeviceParams} for caller to supply params related to
     *                                                    the secure lock device request
     * @return {@link DisableSecureLockDeviceRequestStatus} int indicating the result of the secure
     * lock device request
     *
     * @hide
     */
@@ -229,7 +299,24 @@ public final class AuthenticationPolicyManager {
    @FlaggedApi(FLAG_SECURE_LOCKDOWN)
    public int disableSecureLockDevice(@NonNull DisableSecureLockDeviceParams params) {
        try {
            return mAuthenticationPolicyService.disableSecureLockDevice(params);
            return mAuthenticationPolicyService.disableSecureLockDevice(mContext.getUser(), params);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }

    /**
     * Called by a privileged component to query if secure lock device is currently enabled.
     * @return true if secure lock device is enabled, false otherwise.
     *
     * @hide
     */
    @RequiresPermission(MANAGE_SECURE_LOCK_DEVICE)
    @SystemApi
    @FlaggedApi(FLAG_SECURE_LOCK_DEVICE)
    public boolean isSecureLockDeviceEnabled() {
        try {
            return mAuthenticationPolicyService.isSecureLockDeviceEnabled();
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
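Review bot: The two new query methods are gated on FLAG_SECURE_LOCK_DEVICE while the class, enableSecureLockDevice and disableSecureLockDevice stay on FLAG_SECURE_LOCKDOWN, so the flow the class Javadoc now documents (check isSecureLockDeviceAvailable, then call enableSecureLockDevice) depends on two independently toggled flags and can be half-exposed when only one of them is on. If the split is deliberate, a comment on the two `@FlaggedApi(FLAG_SECURE_LOCK_DEVICE)` lines stating how the flags relate would keep the next maintainer from "fixing" it; otherwise gate all four methods on one flag. isSecureLockDeviceEnabled's Javadoc should also say whose state it reports — the AIDL call takes no user, so presumably it reflects device-wide state regardless of the calling user; if that is the intent, a sentence such as `Reports the device-wide state; the result does not depend on the calling user.` would settle it. isSecureLockDeviceEnabled's closing brace lies outside the hunk.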
+9 −2
@@ -16,6 +16,7 @@

package android.security.authenticationpolicy;

import android.os.UserHandle;
import android.security.authenticationpolicy.EnableSecureLockDeviceParams;
import android.security.authenticationpolicy.DisableSecureLockDeviceParams;

@@ -25,8 +26,14 @@ import android.security.authenticationpolicy.DisableSecureLockDeviceParams;
 */
interface IAuthenticationPolicyService {
    @EnforcePermission("MANAGE_SECURE_LOCK_DEVICE")
    int enableSecureLockDevice(in EnableSecureLockDeviceParams params);
    int enableSecureLockDevice(in UserHandle user, in EnableSecureLockDeviceParams params);

    @EnforcePermission("MANAGE_SECURE_LOCK_DEVICE")
    int disableSecureLockDevice(in DisableSecureLockDeviceParams params);
    int disableSecureLockDevice(in UserHandle user, in DisableSecureLockDeviceParams params);

    @EnforcePermission("MANAGE_SECURE_LOCK_DEVICE")
    int isSecureLockDeviceAvailable(in UserHandle user);

    @EnforcePermission("MANAGE_SECURE_LOCK_DEVICE")
    boolean isSecureLockDeviceEnabled();
}
 No newline at end of file
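Review bot: The `user` parameter added to enableSecureLockDevice and disableSecureLockDevice is supplied by the client, and @EnforcePermission only checks MANAGE_SECURE_LOCK_DEVICE, so nothing in the interface ties that handle to the caller's identity even though the Java side documents disableSecureLockDevice as restricted to the user who enabled the state. The service implementation is not part of this change, so this may already be handled there; it should derive or validate `user` from Binder.getCallingUid() (or require the cross-user permission when they differ) rather than take the parameter as the caller's identity, and that expectation belongs on the interface, e.g. `/** user is caller-supplied; implementations must verify it matches the calling uid before acting on it. */` above the two methods. The file is also left without a trailing newline.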
+8 −0
@@ -106,6 +106,14 @@ flag {
    is_exported: true
}

flag {
    name: "secure_lock_device"
    namespace: "biometrics"
    description: "Feature flag for Secure Lock Device feature"
    bug: "401645997"
    is_exported: true
}

flag {
    name: "subscribe_to_keyguard_locked_state_perm_priv_flag"
    namespace: "psap_ai"
+5 −3
@@ -464,9 +464,13 @@ applications that come with the platform
        <permission name="android.permission.SUGGEST_EXTERNAL_TIME" />
        <!-- Permissions required for CTS test - android.server.biometrics -->
        <permission name="android.permission.USE_BIOMETRIC" />
        <permission name="android.permission.TEST_BIOMETRIC" />
        <permission name="android.permission.SET_BIOMETRIC_DIALOG_ADVANCED" />
        <permission name="android.permission.MANAGE_BIOMETRIC_DIALOG" />
        <!-- Permissions required for biometrics CTS tests and AuthenticationPolicyManagerTest-->
        <permission name="android.permission.TEST_BIOMETRIC" />
        <permission name="android.permission.MANAGE_BIOMETRIC" />
        <!-- Permission required for CTS test - AuthenticationPolicyManagerTest -->
        <permission name="android.permission.MANAGE_SECURE_LOCK_DEVICE" />
        <!-- Permissions required for CTS test - CtsContactsProviderTestCases -->
        <permission name="android.contacts.permission.MANAGE_SIM_ACCOUNTS" />
        <!-- Permissions required for CTS test - CtsHdmiCecHostTestCases -->
@@ -547,8 +551,6 @@ applications that come with the platform
        <permission name="com.android.cellbroadcastservice.FULL_ACCESS_CELL_BROADCAST_HISTORY" />
        <!-- Permission required for ATS test - CarDevicePolicyManagerTest -->
        <permission name="android.permission.LOCK_DEVICE" />
        <!-- Permission required for AuthenticationPolicyManagerTest -->
        <permission name="android.permission.MANAGE_SECURE_LOCK_DEVICE" />
        <!-- Permissions required for CTS test - CtsSafetyCenterTestCases -->
        <permission name="android.permission.SEND_SAFETY_CENTER_UPDATE" />
        <permission name="android.permission.READ_SAFETY_CENTER_STATUS" />
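Review bot: MANAGE_BIOMETRIC is newly granted under the reworded biometrics comment, but nothing in the visible diff references it, so it is unclear which test needs it; the comment should name that test or the grant should be dropped, since every entry here widens what all tests in this package can do. The new comment is also missing a space before the closing marker: `<!-- Permissions required for biometrics CTS tests and AuthenticationPolicyManagerTest -->`. Moving MANAGE_SECURE_LOCK_DEVICE from the ATS block to the CTS block is fine as a relocation.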