Commit f30bd8b6 authored Jun 26, 2023 by Eric Biggers

DPMS: allow getPasswordMinimumMetrics() to anyone who can set LSKF

Everyone who sets a new LSKF is supposed to first validate it against
the minimum password metrics.  Yet, the
SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS or ACCESS_KEYGUARD_SECURE_STORAGE
permission is sufficient to set a new LSKF but isn't necessarily
sufficient to get the minimum password metrics.  This is preventing
'KeyguardManager#setLock(int, byte[], int, byte[])' from being fixed to
properly validate the new LSKF.

To fix this, make DevicePolicyManagerService#getPasswordMinimumMetrics()
accept these permissions.

Bug: 219511761
Bug: 232900169
Bug: 243881358
Test: see I46d8bf920526a00d6e6d2145d06c8e39f8047ea8
Change-Id: Ic69fd01dadf95ab49b025295711fa020180690ff
Merged-In: Ic69fd01dadf95ab49b025295711fa020180690ff
(cherry picked from commit 62dbf253)

parent 220d6a28

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+5 −2

Original line number	Diff line number	Diff line
		@@ -5127,8 +5127,11 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
		boolean deviceWideOnly) {
		final CallerIdentity caller = getCallerIdentity();
		Preconditions.checkCallAuthorization(hasFullCrossUsersPermission(caller, userHandle)
		&& (isSystemUid(caller) \|\| hasCallingOrSelfPermission(
		permission.SET_INITIAL_LOCK)));
		&& (isSystemUid(caller)
		// Accept any permission that ILockSettings#setLockCredential() accepts.
		\|\| hasCallingOrSelfPermission(permission.SET_INITIAL_LOCK)
		\|\| hasCallingOrSelfPermission(permission.SET_AND_VERIFY_LOCKSCREEN_CREDENTIALS)
		\|\| hasCallingOrSelfPermission(permission.ACCESS_KEYGUARD_SECURE_STORAGE)));
		return getPasswordMinimumMetricsUnchecked(userHandle, deviceWideOnly);
		}