
Commit c94ed1d8 authored by Grace Cheng's avatar Grace Cheng

Update SecureLockDeviceService to use enrollment status

Update SecureLockDeviceService to use getEnrollmentStatus instead of
canAuthenticate

Flag: android.security.secure_lock_device
Test: atest SecureLockDeviceServiceTest
Test: atest CtsSecurityTestCases:android.security.cts.authenticationpolicy.AuthenticationPolicyManagerTest
Bug: 401645997
Change-Id: I9f6bc06c20007dbd6e1774034407bceaf83e8890
parent 297d2d1f
+8 −0
@@ -238,6 +238,14 @@ applications that come with the platform
        <permission name="android.permission.READ_COMPAT_CHANGE_CONFIG" />
    </privapp-permissions>

    <privapp-permissions package="com.android.server.security.authenticationpolicy">
        <permission name="android.permission.INTERACT_ACROSS_USERS"/>
        <permission name="android.permission.MANAGE_SECURE_LOCK_DEVICE"/>
        <permission name="android.permission.SET_BIOMETRIC_DIALOG_ADVANCED"/>
        <permission name="android.permission.USE_BIOMETRIC"/>
        <permission name="android.permission.USE_BIOMETRIC_INTERNAL"/>
    </privapp-permissions>

    <privapp-permissions package="com.android.server.telecom">
        <permission name="android.permission.BIND_CONNECTION_SERVICE"/>
        <permission name="android.permission.BIND_INCALL_SERVICE"/>
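Review bot: The new `privapp-permissions` entry for `com.android.server.security.authenticationpolicy` has no comment saying which component this package is or why it needs each of the five permissions, and the commit message does not mention the allowlist change. `INTERACT_ACROSS_USERS` and `USE_BIOMETRIC_INTERNAL` are broad grants, so a reader auditing this file should be able to tell whether the package is a test APK or a shipping component, and which call requires which permission. I would add a short XML comment above the block, e.g. `<!-- COMPONENT_NAME_PLACEHOLDER: required for secure lock device enrollment checks -->`, and drop any permission the package does not actually exercise.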
+41 −11
@@ -16,7 +16,7 @@

package com.android.server.security.authenticationpolicy;

import static android.hardware.biometrics.BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED;
import static android.hardware.biometrics.BiometricManager.Authenticators.BIOMETRIC_STRONG;
import static android.os.UserManager.DISALLOW_USER_SWITCH;
import static android.security.Flags.secureLockDevice;
import static android.security.Flags.secureLockdown;
@@ -32,8 +32,10 @@ import android.annotation.NonNull;
import android.app.ActivityManager;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.hardware.biometrics.BiometricEnrollmentStatus;
import android.hardware.biometrics.BiometricManager;
import android.hardware.biometrics.BiometricStateListener;
import android.hardware.biometrics.SensorProperties;
import android.hardware.face.FaceManager;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Build;
@@ -74,6 +76,7 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;

/**
 * System service for remotely calling secure lock on the device.
@@ -284,28 +287,55 @@ public class SecureLockDeviceService extends SecureLockDeviceServiceInternal {
            return ERROR_UNSUPPORTED;
        }

        int userId = user.getIdentifier();
        if (mBiometricManager == null) {
            Slog.w(TAG, "BiometricManager not available: secure lock device is unsupported.");
            return ERROR_UNSUPPORTED;
        } else if (!mBiometricManager.hasEnrolledBiometrics(userId)) {
        } else if (!hasStrongBiometricSensor()) {
            if (DEBUG) {
                Slog.d(TAG, "Secure lock device unavailable: no biometrics are enrolled.");
                Slog.d(TAG, "Secure lock device unavailable: device does not have biometric"
                        + "sensors of sufficient strength.");
            }
            return ERROR_NO_BIOMETRICS_ENROLLED;
            // TODO: update to getEnrollmentStatus API once biometric strength check is supported
        } else if (mBiometricManager.canAuthenticate(userId,
                BiometricManager.Authenticators.BIOMETRIC_STRONG) == BIOMETRIC_ERROR_NONE_ENROLLED
        ) {
            return ERROR_INSUFFICIENT_BIOMETRICS;
        } else if (!hasStrongBiometricsEnrolled(user)) {
            if (DEBUG) {
                Slog.d(TAG, "Secure lock device unavailable: no strong biometric enrollments.");
                Slog.d(TAG, "Secure lock device unavailable: device is missing enrollments "
                        + "for strong biometric sensor.");
            }
            return ERROR_INSUFFICIENT_BIOMETRICS;
            return ERROR_NO_BIOMETRICS_ENROLLED;
        } else {
            return SUCCESS;
        }
    }

    private boolean hasStrongBiometricSensor() {
        for (SensorProperties sensorProps : mBiometricManager.getSensorProperties()) {
            if (sensorProps.getSensorStrength() == SensorProperties.STRENGTH_STRONG) {
                return true;
            }
        }
        return false;
    }

    private boolean hasStrongBiometricsEnrolled(UserHandle user) {
        Context userContext = mContext.createContextAsUser(user, 0);
        BiometricManager biometricManager = userContext.getSystemService(BiometricManager.class);

        if (biometricManager == null) {
            Slog.w(TAG, "BiometricManager not available, strong biometric enrollment cannot be "
                    + "checked.");
            return false;
        }
        Map<Integer, BiometricEnrollmentStatus> enrollmentStatusMap =
                biometricManager.getEnrollmentStatus();

        for (BiometricEnrollmentStatus status : enrollmentStatusMap.values()) {
            if (status.getStrength() == BIOMETRIC_STRONG && status.getEnrollmentCount() > 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * @see AuthenticationPolicyManager#enableSecureLockDevice
     * @param user {@link UserHandle} of caller requesting to enable secure lock device
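Review bot: Nothing in this section shows that `SensorProperties.getSensorStrength()` or `BiometricEnrollmentStatus.getStrength()` tracks a sensor's current effective strength, yet the availability branch now relies on them where it previously asked the service through `canAuthenticate(userId, BIOMETRIC_STRONG)`; if either getter reports only the declared strength, the method could return `SUCCESS` for a sensor the platform has since stopped treating as strong. Please confirm this and record the answer in Javadoc on `hasStrongBiometricSensor()` and `hasStrongBiometricsEnrolled(UserHandle)`, which have none, for example `/** Returns true if the given user has at least one enrollment on a sensor reporting BIOMETRIC_STRONG. */`. The first new debug message also joins `"... does not have biometric"` and `"sensors of sufficient strength."` without a space, so it logs "biometricsensors"; end the first literal with a space. The enclosing method begins above the hunk, so its earlier checks are not visible here.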