Loading services/core/java/com/android/server/trust/TrustAgentWrapper.java +2 −0 Original line number Original line Diff line number Diff line Loading @@ -443,6 +443,8 @@ public class TrustAgentWrapper { mPendingSuccessfulUnlock = false; mPendingSuccessfulUnlock = false; } } // It's okay to use the "Inner" version of isDeviceLocked since they differ only for // profiles, which cannot be switched to and thus don't support trust agents anyway. if (mTrustManagerService.isDeviceLockedInner(mUserId)) { if (mTrustManagerService.isDeviceLockedInner(mUserId)) { onDeviceLocked(); onDeviceLocked(); } else { } else { Loading services/core/java/com/android/server/trust/TrustManagerService.java +22 −12 Original line number Original line Diff line number Diff line Loading @@ -188,25 +188,30 @@ public class TrustManagerService extends SystemService { new SparseArray<>(); new SparseArray<>(); /** /** * Stores the locked state for users on the device. There are three different type of users * Stores the locked state for users on the device. There are several different types of users * which are handled slightly differently: * which are handled slightly differently: * <ul> * <ul> * <li> Users with real keyguard * <li> Users with real keyguard: * These are users who can be switched to ({@link UserInfo#supportsSwitchToByUser()}). Their * These are users who can be switched to ({@link UserInfo#supportsSwitchToByUser()}). Their * locked state is derived by a combination of user secure state, keyguard state, trust agent * locked state is derived by a combination of user secure state, keyguard state, trust agent * decision and biometric authentication result. These are updated via * decision and biometric authentication result. These are updated via * {@link #refreshDeviceLockedForUser(int)} and result stored in {@link #mDeviceLockedForUser}. * {@link #refreshDeviceLockedForUser(int)} and result stored in {@link #mDeviceLockedForUser}. * <li> Managed profiles with unified challenge * <li> Profiles with unified challenge: * Managed profile with unified challenge always shares the same locked state as their parent, * Profiles with a unified challenge always share the same locked state as their parent, * so their locked state is not recorded in {@link #mDeviceLockedForUser}. Instead, * so their locked state is not recorded in {@link #mDeviceLockedForUser}. Instead, * {@link ITrustManager#isDeviceLocked(int)} always resolves their parent user handle and * {@link ITrustManager#isDeviceLocked(int)} always resolves their parent user handle and * queries its locked state instead. * queries its locked state instead. * <li> Managed profiles with separate challenge * <li> Profiles without unified challenge: * Locked state for profile with separate challenge is determined by other parts of the * The locked state for profiles that do not have a unified challenge (e.g. they have a * framework (mostly PowerManager) and pushed to TrustManagerService via * separate challenge from their parent, or they have no parent at all) is determined by other * {@link ITrustManager#setDeviceLockedForUser(int, boolean)}. Although in a corner case when * parts of the framework (mostly PowerManager) and pushed to TrustManagerService via * the profile has a separate but empty challenge, setting its {@link #mDeviceLockedForUser} to * {@link ITrustManager#setDeviceLockedForUser(int, boolean)}. * {@code false} is actually done by {@link #refreshDeviceLockedForUser(int)}. * However, in the case where such a profile has an empty challenge, setting its * {@link #mDeviceLockedForUser} to {@code false} is actually done by * {@link #refreshDeviceLockedForUser(int)}. * (This serves as a corner case for managed profiles with a separate but empty challenge. It * is always currently the case for Communal profiles, for which having a non-empty challenge * is not currently supported.) * </ul> * </ul> * TODO: Rename {@link ITrustManager#setDeviceLockedForUser(int, boolean)} to * TODO: Rename {@link ITrustManager#setDeviceLockedForUser(int, boolean)} to * {@code setDeviceLockedForProfile} to better reflect its purpose. Unifying * {@code setDeviceLockedForProfile} to better reflect its purpose. Unifying Loading Loading @@ -794,7 +799,7 @@ public class TrustManagerService extends SystemService { /** /** * Update the user's locked state. Only applicable to users with a real keyguard * Update the user's locked state. Only applicable to users with a real keyguard * ({@link UserInfo#supportsSwitchToByUser}) and unsecured managed profiles. * ({@link UserInfo#supportsSwitchToByUser}) and unsecured profiles. * * * If this is called due to an unlock operation set unlockedUser to prevent the lock from * If this is called due to an unlock operation set unlockedUser to prevent the lock from * being prematurely reset for that user while keyguard is still in the process of going away. * being prematurely reset for that user while keyguard is still in the process of going away. Loading Loading @@ -826,7 +831,11 @@ public class TrustManagerService extends SystemService { boolean secure = mLockPatternUtils.isSecure(id); boolean secure = mLockPatternUtils.isSecure(id); if (!info.supportsSwitchToByUser()) { if (!info.supportsSwitchToByUser()) { if (info.isManagedProfile() && !secure) { if (info.isProfile() && !secure && !mLockPatternUtils.isProfileWithUnifiedChallenge(id)) { // Unsecured profiles need to be explicitly set to false. // However, Unified challenge profiles officially shouldn't have a presence in // mDeviceLockedForUser at all, since that's not how they're tracked. setDeviceLockedForUser(id, false); setDeviceLockedForUser(id, false); } } continue; continue; Loading Loading @@ -1853,6 +1862,7 @@ public class TrustManagerService extends SystemService { } } } } /** If the userId has a parent, returns that parent's userId. Otherwise userId is returned. */ private int resolveProfileParent(int userId) { private int resolveProfileParent(int userId) { final long identity = Binder.clearCallingIdentity(); final long identity = Binder.clearCallingIdentity(); try { try { Loading Loading
services/core/java/com/android/server/trust/TrustAgentWrapper.java +2 −0 Original line number Original line Diff line number Diff line Loading @@ -443,6 +443,8 @@ public class TrustAgentWrapper { mPendingSuccessfulUnlock = false; mPendingSuccessfulUnlock = false; } } // It's okay to use the "Inner" version of isDeviceLocked since they differ only for // profiles, which cannot be switched to and thus don't support trust agents anyway. if (mTrustManagerService.isDeviceLockedInner(mUserId)) { if (mTrustManagerService.isDeviceLockedInner(mUserId)) { onDeviceLocked(); onDeviceLocked(); } else { } else { Loading
services/core/java/com/android/server/trust/TrustManagerService.java +22 −12 Original line number Original line Diff line number Diff line Loading @@ -188,25 +188,30 @@ public class TrustManagerService extends SystemService { new SparseArray<>(); new SparseArray<>(); /** /** * Stores the locked state for users on the device. There are three different type of users * Stores the locked state for users on the device. There are several different types of users * which are handled slightly differently: * which are handled slightly differently: * <ul> * <ul> * <li> Users with real keyguard * <li> Users with real keyguard: * These are users who can be switched to ({@link UserInfo#supportsSwitchToByUser()}). Their * These are users who can be switched to ({@link UserInfo#supportsSwitchToByUser()}). Their * locked state is derived by a combination of user secure state, keyguard state, trust agent * locked state is derived by a combination of user secure state, keyguard state, trust agent * decision and biometric authentication result. These are updated via * decision and biometric authentication result. These are updated via * {@link #refreshDeviceLockedForUser(int)} and result stored in {@link #mDeviceLockedForUser}. * {@link #refreshDeviceLockedForUser(int)} and result stored in {@link #mDeviceLockedForUser}. * <li> Managed profiles with unified challenge * <li> Profiles with unified challenge: * Managed profile with unified challenge always shares the same locked state as their parent, * Profiles with a unified challenge always share the same locked state as their parent, * so their locked state is not recorded in {@link #mDeviceLockedForUser}. Instead, * so their locked state is not recorded in {@link #mDeviceLockedForUser}. Instead, * {@link ITrustManager#isDeviceLocked(int)} always resolves their parent user handle and * {@link ITrustManager#isDeviceLocked(int)} always resolves their parent user handle and * queries its locked state instead. * queries its locked state instead. * <li> Managed profiles with separate challenge * <li> Profiles without unified challenge: * Locked state for profile with separate challenge is determined by other parts of the * The locked state for profiles that do not have a unified challenge (e.g. they have a * framework (mostly PowerManager) and pushed to TrustManagerService via * separate challenge from their parent, or they have no parent at all) is determined by other * {@link ITrustManager#setDeviceLockedForUser(int, boolean)}. Although in a corner case when * parts of the framework (mostly PowerManager) and pushed to TrustManagerService via * the profile has a separate but empty challenge, setting its {@link #mDeviceLockedForUser} to * {@link ITrustManager#setDeviceLockedForUser(int, boolean)}. * {@code false} is actually done by {@link #refreshDeviceLockedForUser(int)}. * However, in the case where such a profile has an empty challenge, setting its * {@link #mDeviceLockedForUser} to {@code false} is actually done by * {@link #refreshDeviceLockedForUser(int)}. * (This serves as a corner case for managed profiles with a separate but empty challenge. It * is always currently the case for Communal profiles, for which having a non-empty challenge * is not currently supported.) * </ul> * </ul> * TODO: Rename {@link ITrustManager#setDeviceLockedForUser(int, boolean)} to * TODO: Rename {@link ITrustManager#setDeviceLockedForUser(int, boolean)} to * {@code setDeviceLockedForProfile} to better reflect its purpose. Unifying * {@code setDeviceLockedForProfile} to better reflect its purpose. Unifying Loading Loading @@ -794,7 +799,7 @@ public class TrustManagerService extends SystemService { /** /** * Update the user's locked state. Only applicable to users with a real keyguard * Update the user's locked state. Only applicable to users with a real keyguard * ({@link UserInfo#supportsSwitchToByUser}) and unsecured managed profiles. * ({@link UserInfo#supportsSwitchToByUser}) and unsecured profiles. * * * If this is called due to an unlock operation set unlockedUser to prevent the lock from * If this is called due to an unlock operation set unlockedUser to prevent the lock from * being prematurely reset for that user while keyguard is still in the process of going away. * being prematurely reset for that user while keyguard is still in the process of going away. Loading Loading @@ -826,7 +831,11 @@ public class TrustManagerService extends SystemService { boolean secure = mLockPatternUtils.isSecure(id); boolean secure = mLockPatternUtils.isSecure(id); if (!info.supportsSwitchToByUser()) { if (!info.supportsSwitchToByUser()) { if (info.isManagedProfile() && !secure) { if (info.isProfile() && !secure && !mLockPatternUtils.isProfileWithUnifiedChallenge(id)) { // Unsecured profiles need to be explicitly set to false. // However, Unified challenge profiles officially shouldn't have a presence in // mDeviceLockedForUser at all, since that's not how they're tracked. setDeviceLockedForUser(id, false); setDeviceLockedForUser(id, false); } } continue; continue; Loading Loading @@ -1853,6 +1862,7 @@ public class TrustManagerService extends SystemService { } } } } /** If the userId has a parent, returns that parent's userId. Otherwise userId is returned. */ private int resolveProfileParent(int userId) { private int resolveProfileParent(int userId) { final long identity = Binder.clearCallingIdentity(); final long identity = Binder.clearCallingIdentity(); try { try { Loading
