Merge "Allow automatic unlocking of work profile by Digital Wellbeing" into rvc-dev

2020-06-09 21:20:01 +00:00
parent c22af6e7fd a8c58f06d0
commit 54c8e6a9a4
2 changed files with 34 additions and 4 deletions
--- a/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java
+++ b/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java
@@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache {
                        // Generate auth-bound key to user 0 (since we the caller is user 0)
                        .setUserAuthenticationRequired(true)
                        .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS)
-                        // Only accessible after user 0's keyguard is unlocked
-                        .setUnlockedDeviceRequired(true)
                        .build());
                key = generator.generateKey();
            } catch (GeneralSecurityException e) {
@@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache {
    public void removePassword(int userId) {
        synchronized (mEncryptedPasswords) {
            String keyName = getEncryptionKeyName(userId);
+            String legacyKeyName = getLegacyEncryptionKeyName(userId);
            try {
                if (mKeyStore.containsAlias(keyName)) {
                    mKeyStore.deleteEntry(keyName);
                }
+                if (mKeyStore.containsAlias(legacyKeyName)) {
+                    mKeyStore.deleteEntry(legacyKeyName);
+                }
            } catch (KeyStoreException e) {
                Slog.d(TAG, "Cannot delete key", e);
            }
@@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache {
    }

    private static String getEncryptionKeyName(int userId) {
+        return "com.android.server.locksettings.unified_profile_cache_v2_" + userId;
+    }
+
+    /**
+     * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly.
+     * Only existed during Android 11 internal testing period.
+     */
+    private static String getLegacyEncryptionKeyName(int userId) {
        return "com.android.server.locksettings.unified_profile_cache_" + userId;
    }
 }
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -989,6 +989,15 @@ public class UserManagerService extends IUserManager.Stub {

        ensureCanModifyQuietMode(
                callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential);
+
+        if (onlyIfCredentialNotRequired && callingPackage.equals(
+                getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) {
+            // This is to prevent SysUI from accidentally allowing the profile to turned on
+            // without password when keyguard is still locked.
+            throw new SecurityException("SystemUI is not allowed to set "
+                    + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED");
+        }
+
        final long identity = Binder.clearCallingIdentity();
        try {
            if (enableQuietMode) {
@@ -996,7 +1005,17 @@ public class UserManagerService extends IUserManager.Stub {
                        userId, true /* enableQuietMode */, target, callingPackage);
                return true;
            }
-            mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId);
+            if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) {
+                KeyguardManager km = mContext.getSystemService(KeyguardManager.class);
+                // Normally only attempt to auto-unlock unified challenge if keyguard is not showing
+                // (to stop turning profile on automatically via the QS tile), except when we
+                // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which
+                // case always attempt to auto-unlock.
+                if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId))
+                        || onlyIfCredentialNotRequired) {
+                    mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId);
+                }
+            }
            final boolean needToShowConfirmCredential = !dontAskCredential
                    && mLockPatternUtils.isSecure(userId)
                    && !StorageManager.isUserKeyUnlocked(userId);
@@ -1029,6 +1048,8 @@ public class UserManagerService extends IUserManager.Stub {
     */
    private void ensureCanModifyQuietMode(String callingPackage, int callingUid,
            @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) {
+        verifyCallingPackage(callingPackage, callingUid);
+
        if (hasManageUsersPermission()) {
            return;
        }
@@ -1050,7 +1071,6 @@ public class UserManagerService extends IUserManager.Stub {
            return;
        }

-        verifyCallingPackage(callingPackage, callingUid);
        final ShortcutServiceInternal shortcutInternal =
                LocalServices.getService(ShortcutServiceInternal.class);
        if (shortcutInternal != null) {