
Commit a7aa4d6f authored by Rakesh Iyer's avatar Rakesh Iyer

Allow smart unlock right after boot.

This change enables relaxing the constraint by which
strong authentication is needed after device reboot.

There are very limited use cases where this might be
safe, one of which is in a car. Car head units are usually
physically protected by the car and have hardware
anti-theft mechanisms, so Android can potentially
allow users to use smart unlock to avoid the
lockscreen just after boot.

This change adds in a config flag that sets the default
trust flags, which can be set to allow smart unlock after
boot for car head units.

Bug: 26559008
Change-Id: Id6338a97b617ddaf3d2fae5d51235429a42b81cc
parent 05dd8535
+14 −7
@@ -1418,25 +1418,32 @@ public class LockPatternUtils {
         */
        public static final int SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL = 0x10;

        public static final int DEFAULT = STRONG_AUTH_REQUIRED_AFTER_BOOT;

        private static final int ALLOWING_FINGERPRINT = STRONG_AUTH_NOT_REQUIRED
                | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST
                | SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL;

        private final SparseIntArray mStrongAuthRequiredForUser = new SparseIntArray();
        private final H mHandler;
        private final int mDefaultStrongAuthFlags;

        public StrongAuthTracker() {
            this(Looper.myLooper());
        public StrongAuthTracker(Context context) {
            this(context, Looper.myLooper());
        }

        /**
         * @param looper the looper on whose thread calls to {@link #onStrongAuthRequiredChanged}
         *               will be scheduled.
         * @param context the current {@link Context}
         */
        public StrongAuthTracker(Looper looper) {
        public StrongAuthTracker(Context context, Looper looper) {
            mHandler = new H(looper);
            mDefaultStrongAuthFlags = getDefaultFlags(context);
        }

        public static @StrongAuthFlags int getDefaultFlags(Context context) {
            boolean strongAuthRequired = context.getResources().getBoolean(
                    com.android.internal.R.bool.config_strongAuthRequiredOnBoot);
            return strongAuthRequired ? STRONG_AUTH_REQUIRED_AFTER_BOOT : STRONG_AUTH_NOT_REQUIRED;
        }

        /**
@@ -1447,7 +1454,7 @@ public class LockPatternUtils {
         * @param userId the user for whom the state is queried.
         */
        public @StrongAuthFlags int getStrongAuthForUser(int userId) {
            return mStrongAuthRequiredForUser.get(userId, DEFAULT);
            return mStrongAuthRequiredForUser.get(userId, mDefaultStrongAuthFlags);
        }

        /**
@@ -1477,7 +1484,7 @@ public class LockPatternUtils {

            int oldValue = getStrongAuthForUser(userId);
            if (strongAuthFlags != oldValue) {
                if (strongAuthFlags == DEFAULT) {
                if (strongAuthFlags == mDefaultStrongAuthFlags) {
                    mStrongAuthRequiredForUser.delete(userId);
                } else {
                    mStrongAuthRequiredForUser.put(userId, strongAuthFlags);
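Review bot: `DEFAULT` stays public and fixed at `STRONG_AUTH_REQUIRED_AFTER_BOOT` while the tracker now compares against `mDefaultStrongAuthFlags`, so any code outside these hunks that still reads `StrongAuthTracker.DEFAULT` would disagree with the tracker on a device where `config_strongAuthRequiredOnBoot` is false. Either remove the constant or document it, e.g. `/** Compile-time value only; the effective per-device default comes from getDefaultFlags(Context). */`. `getDefaultFlags` also deserves a Javadoc stating that a false config yields `STRONG_AUTH_NOT_REQUIRED` for every user with no stored entry; that value is OR-ed into `ALLOWING_FINGERPRINT`, so the relaxation may reach beyond trust agents, which should be confirmed against `isUnlockingWithFingerprintAllowed`, whose body is not shown here. The method containing the last hunk starts and ends outside it.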
+7 −0
@@ -2462,4 +2462,11 @@

    <!-- If true, all guest users created on the device will be ephemeral. -->
    <bool name="config_guestUserEphemeral">false</bool>

    <!-- Enforce strong auth on boot. Setting this to false represents a security risk and should
         not be ordinarily done. The only case in which this might be permissible is in a car head
         unit where there are hardware mechanisms to protect the device (physical keys) and not
         much in the way of user data.
    -->
    <bool name="config_strongAuthRequiredOnBoot">true</bool>
</resources>
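Review bot: Nothing visible in this change ties a `false` value to car builds; the restriction lives only in this comment, so any product overlay that flips the bool silently drops the after-boot strong-auth requirement. The comment should also say what is relaxed and when the value is read, for example `Read once when the strong-auth tracker is constructed; when false, users with no stored state start as STRONG_AUTH_NOT_REQUIRED after reboot.` Consider logging at startup when the value is false, or a compatibility test asserting `true` on non-automotive devices, so a misconfigured overlay is noticed.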
+2 −0
@@ -2503,4 +2503,6 @@
  <!-- New SMS notification while phone is locked. -->
  <java-symbol type="string" name="new_sms_notification_title" />
  <java-symbol type="string" name="new_sms_notification_content" />

  <java-symbol type="bool" name="config_strongAuthRequiredOnBoot" />
</resources>
+5 −1
@@ -188,7 +188,7 @@ public class KeyguardUpdateMonitor implements TrustManager.TrustListener {

    /** Tracks whether strong authentication hasn't been used since quite some time per user. */
    private ArraySet<Integer> mStrongAuthNotTimedOut = new ArraySet<>();
    private final StrongAuthTracker mStrongAuthTracker = new StrongAuthTracker();
    private final StrongAuthTracker mStrongAuthTracker;

    private final ArrayList<WeakReference<KeyguardUpdateMonitorCallback>>
            mCallbacks = Lists.newArrayList();
@@ -871,6 +871,9 @@ public class KeyguardUpdateMonitor implements TrustManager.TrustListener {
    }

    public class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
        public StrongAuthTracker(Context context) {
            super(context);
        }

        public boolean isUnlockingWithFingerprintAllowed() {
            int userId = getCurrentUser();
@@ -981,6 +984,7 @@ public class KeyguardUpdateMonitor implements TrustManager.TrustListener {
        mSubscriptionManager = SubscriptionManager.from(context);
        mAlarmManager = context.getSystemService(AlarmManager.class);
        mDeviceProvisioned = isDeviceProvisionedInSettingsDb();
        mStrongAuthTracker = new StrongAuthTracker(context);

        // Since device can't be un-provisioned, we only need to register a content observer
        // to update mDeviceProvisioned when we are...
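Review bot: `mStrongAuthTracker` was previously set by a field initializer, before any constructor code ran, and is now assigned partway through the constructor (after `mDeviceProvisioned`), so any earlier constructor statement that reaches the tracker, directly or through a callback registered before this line, would now see null. The start of the constructor is outside this hunk, so this is unverified. Moving `mStrongAuthTracker = new StrongAuthTracker(context);` to the top of the constructor, right after the context is stored, removes the ordering dependency.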
+2 −1
@@ -78,7 +78,7 @@ public class LockSettingsService extends ILockSettings.Stub {
    private final Context mContext;

    private final LockSettingsStorage mStorage;
    private final LockSettingsStrongAuth mStrongAuth = new LockSettingsStrongAuth();
    private final LockSettingsStrongAuth mStrongAuth;

    private LockPatternUtils mLockPatternUtils;
    private boolean mFirstCallToVold;
@@ -93,6 +93,7 @@ public class LockSettingsService extends ILockSettings.Stub {

    public LockSettingsService(Context context) {
        mContext = context;
        mStrongAuth = new LockSettingsStrongAuth(context);
        // Open the database

        mLockPatternUtils = new LockPatternUtils(context);