Loading core/java/android/app/admin/DevicePolicyManager.java +4 −7 Original line number Diff line number Diff line Loading @@ -2185,9 +2185,6 @@ public class DevicePolicyManager { * Force a new device unlock password (the password needed to access the entire device, not for * individual accounts) on the user. This takes effect immediately. * <p> * Calling this from a managed profile that shares the password with the owner profile will * throw a security exception. * <p> * <em>Note: This API has been limited as of {@link android.os.Build.VERSION_CODES#N} for * device admins that are not device owner and not profile owner. * The password can now only be changed if there is currently no password set. Device owner Loading @@ -2201,10 +2198,10 @@ public class DevicePolicyManager { * case the currently active quality will be increased to match. * <p> * Calling with a null or empty password will clear any existing PIN, pattern or password if the * current password constraints allow it. <em>Note: This will not * work in {@link android.os.Build.VERSION_CODES#N} and later for device admins that are not * device owner and not profile owner. Once set, the password cannot be changed to null or * empty, except by device owner or profile owner.</em> * current password constraints allow it. <em>Note: This will not work in * {@link android.os.Build.VERSION_CODES#N} and later for managed profiles, or for device admins * that are not device owner or profile owner. Once set, the password cannot be changed to null * or empty except by these admins.</em> * <p> * The calling device admin must have requested * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call this method; if it has Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +10 −13 Original line number Diff line number Diff line Loading @@ -3740,32 +3740,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final int callingUid = mInjector.binderGetCallingUid(); final int userHandle = mInjector.userHandleGetCallingUserId(); if (getCredentialOwner(userHandle, /* parent */ false) != userHandle) { throw new SecurityException("You can not change password for this profile because" + " it shares the password with the owner profile"); } String password = passwordOrNull != null ? passwordOrNull : ""; // Password resetting to empty/null is not allowed for managed profiles. if (TextUtils.isEmpty(password)) { enforceNotManagedProfile(userHandle, "clear the active password"); } int quality; synchronized (this) { // If caller has PO (or DO), it can clear the password, so see if that's the case // first. // If caller has PO (or DO) it can change the password, so see if that's the case first. ActiveAdmin admin = getActiveAdminWithPolicyForUidLocked( null, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, callingUid); if (admin == null) { // Otherwise, make sure the caller has any active admin with the right policy. admin = getActiveAdminForCallerLocked(null, DeviceAdminInfo.USES_POLICY_RESET_PASSWORD); } final ComponentName adminComponent = admin.info.getComponent(); // As of N, only profile owners and device owners can reset the password. if (!(isProfileOwner(adminComponent, userHandle) || isDeviceOwner(adminComponent, userHandle))) { final boolean preN = getTargetSdk(admin.info.getPackageName(), userHandle) <= android.os.Build.VERSION_CODES.M; // As of N, password resetting to empty/null is not allowed anymore. // TODO Should we allow DO/PO to set an empty password? if (TextUtils.isEmpty(password)) { Loading Loading @@ -3894,6 +3888,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // back in to the service. final long ident = mInjector.binderClearCallingIdentity(); try { if (isManagedProfile(userHandle)) { mLockPatternUtils.setSeparateProfileChallengeEnabled(userHandle, true); } if (!TextUtils.isEmpty(password)) { mLockPatternUtils.saveLockPassword(password, null, quality, userHandle); } else { Loading Loading
core/java/android/app/admin/DevicePolicyManager.java +4 −7 Original line number Diff line number Diff line Loading @@ -2185,9 +2185,6 @@ public class DevicePolicyManager { * Force a new device unlock password (the password needed to access the entire device, not for * individual accounts) on the user. This takes effect immediately. * <p> * Calling this from a managed profile that shares the password with the owner profile will * throw a security exception. * <p> * <em>Note: This API has been limited as of {@link android.os.Build.VERSION_CODES#N} for * device admins that are not device owner and not profile owner. * The password can now only be changed if there is currently no password set. Device owner Loading @@ -2201,10 +2198,10 @@ public class DevicePolicyManager { * case the currently active quality will be increased to match. * <p> * Calling with a null or empty password will clear any existing PIN, pattern or password if the * current password constraints allow it. <em>Note: This will not * work in {@link android.os.Build.VERSION_CODES#N} and later for device admins that are not * device owner and not profile owner. Once set, the password cannot be changed to null or * empty, except by device owner or profile owner.</em> * current password constraints allow it. <em>Note: This will not work in * {@link android.os.Build.VERSION_CODES#N} and later for managed profiles, or for device admins * that are not device owner or profile owner. Once set, the password cannot be changed to null * or empty except by these admins.</em> * <p> * The calling device admin must have requested * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call this method; if it has Loading
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +10 −13 Original line number Diff line number Diff line Loading @@ -3740,32 +3740,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { final int callingUid = mInjector.binderGetCallingUid(); final int userHandle = mInjector.userHandleGetCallingUserId(); if (getCredentialOwner(userHandle, /* parent */ false) != userHandle) { throw new SecurityException("You can not change password for this profile because" + " it shares the password with the owner profile"); } String password = passwordOrNull != null ? passwordOrNull : ""; // Password resetting to empty/null is not allowed for managed profiles. if (TextUtils.isEmpty(password)) { enforceNotManagedProfile(userHandle, "clear the active password"); } int quality; synchronized (this) { // If caller has PO (or DO), it can clear the password, so see if that's the case // first. // If caller has PO (or DO) it can change the password, so see if that's the case first. ActiveAdmin admin = getActiveAdminWithPolicyForUidLocked( null, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, callingUid); if (admin == null) { // Otherwise, make sure the caller has any active admin with the right policy. admin = getActiveAdminForCallerLocked(null, DeviceAdminInfo.USES_POLICY_RESET_PASSWORD); } final ComponentName adminComponent = admin.info.getComponent(); // As of N, only profile owners and device owners can reset the password. if (!(isProfileOwner(adminComponent, userHandle) || isDeviceOwner(adminComponent, userHandle))) { final boolean preN = getTargetSdk(admin.info.getPackageName(), userHandle) <= android.os.Build.VERSION_CODES.M; // As of N, password resetting to empty/null is not allowed anymore. // TODO Should we allow DO/PO to set an empty password? if (TextUtils.isEmpty(password)) { Loading Loading @@ -3894,6 +3888,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { // back in to the service. final long ident = mInjector.binderClearCallingIdentity(); try { if (isManagedProfile(userHandle)) { mLockPatternUtils.setSeparateProfileChallengeEnabled(userHandle, true); } if (!TextUtils.isEmpty(password)) { mLockPatternUtils.saveLockPassword(password, null, quality, userHandle); } else { Loading
