Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c1073635 authored by Rubin Xu's avatar Rubin Xu
Browse files

Only enforce secure FRP mode when in setup wizard 

SUW can be skipped on debug builds and that will leave
secure_frp_mode uncleared, causing credential change
to fail under the current enforcement. Fix it such that
the enforcement only applies before SUW completes.

Bug: 152587445
Test: manual
Change-Id: Ic79a9412a2a11f5a2fcca2b8ea76fdab78496d06
parent 0ccefbe9

services/core/java/com/android/server/locksettings/LockSettingsService.java

+8 −3
Original line number Diff line number Diff line
@@ -1016,9 +1016,14 @@ public class LockSettingsService extends ILockSettings.Stub { 
    }



    private void enforceFrpResolved() {

        if (mInjector.settingsSecureGetInt(mContext.getContentResolver(),

                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1) {

            throw new SecurityException("Cannot change credential while FRP is not resolved yet");

        final ContentResolver cr = mContext.getContentResolver();

        final boolean inSetupWizard = mInjector.settingsSecureGetInt(cr,

                Settings.Secure.USER_SETUP_COMPLETE, 0, UserHandle.USER_SYSTEM) == 0;

        final boolean secureFrp = mInjector.settingsSecureGetInt(cr,

                Settings.Secure.SECURE_FRP_MODE, 0, UserHandle.USER_SYSTEM) == 1;

        if (inSetupWizard && secureFrp) {

            throw new SecurityException("Cannot change credential in SUW while factory reset"

                    + " protection is not resolved yet");

        }

    }

services/tests/servicestests/src/com/android/server/locksettings/FakeSettings.java

+9 −0
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ public class FakeSettings { 


    private int mDeviceProvisioned;

    private int mSecureFrpMode;

    private int mUserSetupComplete;



    public void setDeviceProvisioned(boolean provisioned) {

        mDeviceProvisioned = provisioned ? 1 : 0;
@@ -32,6 +33,10 @@ public class FakeSettings { 
        mSecureFrpMode = secure ? 1 : 0;

    }



    public void setUserSetupComplete(boolean complete) {

        mUserSetupComplete = complete ? 1 : 0;

    }



    public int globalGetInt(String keyName) {

        switch (keyName) {

            case Settings.Global.DEVICE_PROVISIONED:
@@ -46,6 +51,10 @@ public class FakeSettings { 
        if (Settings.Secure.SECURE_FRP_MODE.equals(keyName) && userId == UserHandle.USER_SYSTEM) {

            return mSecureFrpMode;

        }

        if (Settings.Secure.USER_SETUP_COMPLETE.equals(keyName)

                && userId == UserHandle.USER_SYSTEM) {

            return mUserSetupComplete;

        }

        return defaultValue;

    }

}

services/tests/servicestests/src/com/android/server/locksettings/LockSettingsServiceTests.java

+10 −1
Original line number Diff line number Diff line
@@ -417,7 +417,8 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { 
    }



    @Test

    public void testCredentialChangeNotPossibleInSecureFrpMode() {

    public void testCredentialChangeNotPossibleInSecureFrpModeDuringSuw() {

        mSettings.setUserSetupComplete(false);

        mSettings.setSecureFrpMode(true);

        try {

            mService.setLockCredential(newPassword("1234"), nonePassword(), PRIMARY_USER_ID);
@@ -425,6 +426,14 @@ public class LockSettingsServiceTests extends BaseLockSettingsServiceTests { 
        } catch (SecurityException e) { }

    }



    @Test

    public void testCredentialChangePossibleInSecureFrpModeAfterSuw() {

        mSettings.setUserSetupComplete(true);

        mSettings.setSecureFrpMode(true);

        assertTrue(mService.setLockCredential(newPassword("1234"), nonePassword(),

                PRIMARY_USER_ID));

    }



    private void testCreateCredential(int userId, LockscreenCredential credential)

            throws RemoteException {

        assertTrue(mService.setLockCredential(credential, nonePassword(), userId));