
Commit 85a63bc1 authored by Andrew Scull

Evict CE key on request and when work mode is turned off.

DPMS.lockNow takes a flag which can request the managed profile CE key to
be evicted.

Test: com.android.cts.devicepolicy.ManagedProfileTest#testLockNowWithKeyEviction*
Bug: 31000719
Change-Id: I68f4d6eed4b041c39fd13375f7f284f5d6ac33da
parent cbe76a0f
+2 −0
@@ -6129,6 +6129,7 @@ package android.app.admin {
    method public boolean isSecurityLoggingEnabled(android.content.ComponentName);
    method public boolean isUninstallBlocked(android.content.ComponentName, java.lang.String);
    method public void lockNow();
    method public void lockNow(int);
    method public void reboot(android.content.ComponentName);
    method public void removeActiveAdmin(android.content.ComponentName);
    method public boolean removeCrossProfileWidgetProvider(android.content.ComponentName, java.lang.String);
@@ -6245,6 +6246,7 @@ package android.app.admin {
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_PROXY_PORT = "android.app.extra.PROVISIONING_WIFI_PROXY_PORT";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID";
    field public static final int FLAG_EVICT_CE_KEY = 1; // 0x1
    field public static final int FLAG_MANAGED_CAN_ACCESS_PARENT = 2; // 0x2
    field public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 1; // 0x1
    field public static final int KEYGUARD_DISABLE_FEATURES_ALL = 2147483647; // 0x7fffffff
+2 −0
@@ -6315,6 +6315,7 @@ package android.app.admin {
    method public boolean isSecurityLoggingEnabled(android.content.ComponentName);
    method public boolean isUninstallBlocked(android.content.ComponentName, java.lang.String);
    method public void lockNow();
    method public void lockNow(int);
    method public void notifyPendingSystemUpdate(long);
    method public void reboot(android.content.ComponentName);
    method public void removeActiveAdmin(android.content.ComponentName);
@@ -6438,6 +6439,7 @@ package android.app.admin {
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_PROXY_PORT = "android.app.extra.PROVISIONING_WIFI_PROXY_PORT";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID";
    field public static final int FLAG_EVICT_CE_KEY = 1; // 0x1
    field public static final int FLAG_MANAGED_CAN_ACCESS_PARENT = 2; // 0x2
    field public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 1; // 0x1
    field public static final int KEYGUARD_DISABLE_FEATURES_ALL = 2147483647; // 0x7fffffff
+2 −0
@@ -6151,6 +6151,7 @@ package android.app.admin {
    method public boolean isSecurityLoggingEnabled(android.content.ComponentName);
    method public boolean isUninstallBlocked(android.content.ComponentName, java.lang.String);
    method public void lockNow();
    method public void lockNow(int);
    method public void reboot(android.content.ComponentName);
    method public void removeActiveAdmin(android.content.ComponentName);
    method public boolean removeCrossProfileWidgetProvider(android.content.ComponentName, java.lang.String);
@@ -6267,6 +6268,7 @@ package android.app.admin {
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_PROXY_PORT = "android.app.extra.PROVISIONING_WIFI_PROXY_PORT";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SECURITY_TYPE = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE";
    field public static final java.lang.String EXTRA_PROVISIONING_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID";
    field public static final int FLAG_EVICT_CE_KEY = 1; // 0x1
    field public static final int FLAG_MANAGED_CAN_ACCESS_PARENT = 2; // 0x2
    field public static final int FLAG_PARENT_CAN_ACCESS_MANAGED = 1; // 0x1
    field public static final int KEYGUARD_DISABLE_FEATURES_ALL = 2147483647; // 0x7fffffff
+1 −0
@@ -578,6 +578,7 @@ interface IActivityManager {
    boolean requestAutoFillData(in IResultReceiver receiver, in Bundle receiverExtras,
            in IBinder activityToken, int flags);
    void dismissKeyguard(in IBinder token, in IKeyguardDismissCallback callback);
    int restartUserInBackground(int userId);

    // WARNING: when these transactions are updated, check if they are any callers on the native
    // side. If so, make sure they are using the correct transaction ids and arguments.
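Review bot: The new `int restartUserInBackground(int userId);` is declared with no comment saying what the returned int means or which callers are allowed to restart a user. Methods on this interface are Binder transactions, so the permission check and the validation of `userId` have to live in the service implementation, which is not visible in this section and should be confirmed there. I would add a comment above the declaration along the lines of `// Stops and restarts userId in the background; returns <status codes>. Caller must hold <permission enforced by the service>.`, with the placeholders filled in from the implementation. The interface body starts and ends outside the hunk.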
+45 −1
@@ -2714,6 +2714,24 @@ public class DevicePolicyManager {
        return DEFAULT_STRONG_AUTH_TIMEOUT_MS;
    }

    /**
     * Flag for {@link #lockNow(int)}: also evict the user's credential encryption key from the
     * keyring. The user's credential will need to be entered again in order to derive the
     * credential encryption key that will be stored back in the keyring for future use.
     * <p>
     * This flag can only be used by a profile owner when locking a managed profile on an FBE
     * device.
     * <p>
     * In order to secure user data, the user will be stopped and restarted so apps should wait
     * until they are next run to perform further actions.
     */
    public static final int FLAG_EVICT_CE_KEY = 1;

    /** @hide */
    @Retention(RetentionPolicy.SOURCE)
    @IntDef(flag=true, value={FLAG_EVICT_CE_KEY})
    public @interface LockNowFlag {}

    /**
     * Make the device lock immediately, as if the lock screen timeout has expired at the point of
     * this call.
@@ -2723,14 +2741,40 @@ public class DevicePolicyManager {
     * <p>
     * This method can be called on the {@link DevicePolicyManager} instance returned by
     * {@link #getParentProfileInstance(ComponentName)} in order to lock the parent profile.
     * <p>
     * Equivalent to calling {@link #lockNow(int)} with no flags.
     *
     * @throws SecurityException if the calling application does not own an active administrator
     *             that uses {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK}
     */
    public void lockNow() {
        lockNow(0);
    }

    /**
     * Make the device lock immediately, as if the lock screen timeout has expired at the point of
     * this call.
     * <p>
     * The calling device admin must have requested {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK}
     * to be able to call this method; if it has not, a security exception will be thrown.
     * <p>
     * This method can be called on the {@link DevicePolicyManager} instance returned by
     * {@link #getParentProfileInstance(ComponentName)} in order to lock the parent profile.
     *
     * @param flags May be 0 or {@link #FLAG_EVICT_CE_KEY}.
     * @throws SecurityException if the calling application does not own an active administrator
     *             that uses {@link DeviceAdminInfo#USES_POLICY_FORCE_LOCK} or the
     *             {@link #FLAG_EVICT_CE_KEY} flag is passed by an application that is not a profile
     *             owner of a managed profile.
     * @throws IllegalArgumentException if the {@link #FLAG_EVICT_CE_KEY} flag is passed when
     *             locking the parent profile.
     * @throws UnsupportedOperationException if the {@link #FLAG_EVICT_CE_KEY} flag is passed on a
     *             non-FBE device.
     */
    public void lockNow(@LockNowFlag int flags) {
        if (mService != null) {
            try {
                mService.lockNow(mParentInstance);
                mService.lockNow(flags, mParentInstance);
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
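Review bot: `lockNow(@LockNowFlag int flags)` forwards `flags` to `mService.lockNow(flags, mParentInstance)` unchecked, and `@LockNowFlag` is declared with `RetentionPolicy.SOURCE`, so it is a lint hint only. Every restriction the Javadoc states (profile owner only, not the parent instance, FBE only) therefore has to be enforced in the service, which is not visible here. The Javadoc also does not say what happens to bits other than `FLAG_EVICT_CE_KEY`; I would either have the service reject them or extend the tag to `@param flags May be 0 or {@link #FLAG_EVICT_CE_KEY}; other bits are ignored.` so that flags added later cannot silently change behaviour for existing callers. Separately, when `mService` is null the call returns normally without locking or evicting anything, which deserves a sentence in the Javadoc because a caller relying on key eviction gets no signal. The method body continues past the end of the hunk.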