From 9d6fc9246ba0b726872a6a8dabe6c334292c3a10 Mon Sep 17 00:00:00 2001
From: Adrian Roos
Date: Wed, 10 Aug 2016 17:09:55 -0700
Subject: [PATCH] Only disable trust agents after lockout

Previously trust agents would be disabled even after one wrong attempt. Now we wait for the cooldown (usually 5 attempts), the same as fingerprint. Also adds a TrustArchive entry of when device policy changes are sent to trust agents.
Bug: 30037948
Change-Id: I9e284d994ddae45ef66b5b8b601297c63d8ba667
---
 .../android/internal/widget/LockPatternUtils.java | 13 ++++++-------
 .../com/android/keyguard/KeyguardSecurityView.java | 5 -----
 .../systemui/keyguard/KeyguardViewMediator.java | 4 ----
 .../com/android/server/trust/TrustArchive.java | 22 ++++++++++++++++------
 .../android/server/trust/TrustManagerService.java | 5 +++++
 5 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index d3792ade9965..479b3b7a7a71 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -288,7 +288,6 @@ public class LockPatternUtils {
 public void reportFailedPasswordAttempt(int userId) {
 getDevicePolicyManager().reportFailedPasswordAttempt(userId);
 getTrustManager().reportUnlockAttempt(false /* authenticated */, userId);
- requireStrongAuth(StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL, userId);
 }
 
 public void reportSuccessfulPasswordAttempt(int userId) {
@@ -1544,7 +1543,8 @@ public class LockPatternUtils {
 value = { STRONG_AUTH_NOT_REQUIRED,
 STRONG_AUTH_REQUIRED_AFTER_BOOT,
 STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW,
- SOME_AUTH_REQUIRED_AFTER_USER_REQUEST})
+ SOME_AUTH_REQUIRED_AFTER_USER_REQUEST,
+ STRONG_AUTH_REQUIRED_AFTER_LOCKOUT})
 @Retention(RetentionPolicy.SOURCE)
 public @interface StrongAuthFlags {}
 
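Review bot: No caller that raises STRONG_AUTH_REQUIRED_AFTER_LOCKOUT is visible in this patch, although the second LockPatternUtils.java hunk (@@ -1544) adds that flag to the StrongAuthFlags IntDef and the first hunk (@@ -288) removes the per-attempt `requireStrongAuth(...)` call from reportFailedPasswordAttempt. Going by the commit message, trust agents now stay enabled across wrong attempts until the lockout path sets that flag, so the whole revocation depends on code outside the diff; it is worth confirming that path calls `requireStrongAuth(StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, userId)` for the affected user and covering it with a test. A one-line comment in reportFailedPasswordAttempt, e.g. `// Trust is revoked at lockout via STRONG_AUTH_REQUIRED_AFTER_LOCKOUT, not per failed attempt.`, would keep that dependency visible to the next reader.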
@@ -1575,13 +1575,12 @@ public class LockPatternUtils {
 public static final int STRONG_AUTH_REQUIRED_AFTER_LOCKOUT = 0x8;
 
 /**
- * Some authentication is required because the user has entered a wrong credential.
+ * Strong auth flags that do not prevent fingerprint from being accepted as auth.
+ *
+ * If any other flags are set, fingerprint is disabled.
 */
- public static final int SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL = 0x10;
-
 private static final int ALLOWING_FINGERPRINT = STRONG_AUTH_NOT_REQUIRED
- | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST
- | SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL;
+ | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
 
 private final SparseIntArray mStrongAuthRequiredForUser = new SparseIntArray();
 private final H mHandler;
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
index aa74940492f2..829084202f5a 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
@@ -49,11 +49,6 @@ public interface KeyguardSecurityView {
 int PROMPT_REASON_AFTER_LOCKOUT = 5;
 
 /**
- * Some auth is required because a single wrong credential has been tried.
- */
- int PROMPT_REASON_WRONG_CREDENTIAL = 6;
-
- /**
 * Interface back to keyguard to tell it when security
 * @param callback
 */
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index a39c194bbda2..433fd00b765a 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -86,7 +86,6 @@ import java.util.List;
 
 import static android.provider.Settings.System.SCREEN_OFF_TIMEOUT;
 import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
-import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL;
 import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW;
 import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;
 
@@ -614,10 +613,7 @@ public class KeyguardViewMediator extends SystemUI {
 return KeyguardSecurityView.PROMPT_REASON_USER_REQUEST;
 } else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) != 0) {
 return KeyguardSecurityView.PROMPT_REASON_AFTER_LOCKOUT;
- } else if (trust && (strongAuth & SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL) != 0) {
- return KeyguardSecurityView.PROMPT_REASON_WRONG_CREDENTIAL;
 }
-
 return KeyguardSecurityView.PROMPT_REASON_NONE;
 }
 };
diff --git a/services/core/java/com/android/server/trust/TrustArchive.java b/services/core/java/com/android/server/trust/TrustArchive.java
index fd63d486d049..aaac2979049b 100644
--- a/services/core/java/com/android/server/trust/TrustArchive.java
+++ b/services/core/java/com/android/server/trust/TrustArchive.java
@@ -37,6 +37,7 @@ public class TrustArchive {
 private static final int TYPE_AGENT_CONNECTED = 4;
 private static final int TYPE_AGENT_STOPPED = 5;
 private static final int TYPE_MANAGING_TRUST = 6;
+ private static final int TYPE_POLICY_CHANGED = 7;
 
 private static final int HISTORY_LIMIT = 200;
 
@@ -99,6 +100,10 @@ public class TrustArchive {
 addEvent(new Event(TYPE_MANAGING_TRUST, userId, agent, null, 0, 0, managing));
 }
 
+ public void logDevicePolicyChanged() {
+ addEvent(new Event(TYPE_POLICY_CHANGED, UserHandle.USER_ALL, null, null, 0, 0, false));
+ }
+
 private void addEvent(Event e) {
 if (mEvents.size() >= HISTORY_LIMIT) {
 mEvents.removeFirst();
@@ -112,7 +117,8 @@ public class TrustArchive {
 Iterator iter = mEvents.descendingIterator();
 while (iter.hasNext() && count < limit) {
 Event ev = iter.next();
- if (userId != UserHandle.USER_ALL && userId != ev.userId) {
+ if (userId != UserHandle.USER_ALL && userId != ev.userId
+ && ev.userId != UserHandle.USER_ALL) {
 continue;
 }
 
@@ -122,11 +128,13 @@ public class TrustArchive {
 if (userId == UserHandle.USER_ALL) {
 writer.print("user="); writer.print(ev.userId); writer.print(", ");
 }
- writer.print("agent=");
- if (duplicateSimpleNames) {
- writer.print(ev.agent.flattenToShortString());
- } else {
- writer.print(getSimpleName(ev.agent));
+ if (ev.agent != null) {
+ writer.print("agent=");
+ if (duplicateSimpleNames) {
+ writer.print(ev.agent.flattenToShortString());
+ } else {
+ writer.print(getSimpleName(ev.agent));
+ }
 }
 switch (ev.type) {
 case TYPE_GRANT_TRUST:
@@ -181,6 +189,8 @@ public class TrustArchive {
 return "AgentStopped";
 case TYPE_MANAGING_TRUST:
 return "ManagingTrust";
+ case TYPE_POLICY_CHANGED:
+ return "DevicePolicyChanged";
 default:
 return "Unknown(" + type + ")";
 }
diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index c1868a456641..d9c42541f9f4 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
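Review bot: logDevicePolicyChanged() in the @@ -99 hunk is undocumented even though it stores an Event with a null agent and userId UserHandle.USER_ALL, a shape the old dump code did not expect (it dereferenced `ev.agent` unconditionally). The dump hunks in this patch handle both cases, but any other reader of mEvents outside the diff would need the same null check. I would add a Javadoc on the method along the lines of `/** Records that device policy features were pushed to agents; the event has no agent and is shown for every user. */`.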
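Review bot: In the @@ -122 hunk the `user=` branch still ends with `writer.print(", ");`, so a USER_ALL dump of an event with a null agent leaves a dangling separator after the user id. That assumes the switch that follows prints nothing for TYPE_POLICY_CHANGED, which is outside the hunk. Moving the separator into the new guard, i.e. dropping the `writer.print(", ");` from the user branch and printing `writer.print(userId == UserHandle.USER_ALL ? ", agent=" : "agent=");` inside `if (ev.agent != null)`, keeps existing lines unchanged and the new ones clean for anyone parsing dumpsys output. The enclosing dump method starts and ends outside the hunk.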
@@ -399,12 +399,17 @@ public class TrustManagerService extends SystemService {
 }
 
 void updateDevicePolicyFeatures() {
+ boolean changed = false;
 for (int i = 0; i < mActiveAgents.size(); i++) {
 AgentInfo info = mActiveAgents.valueAt(i);
 if (info.agent.isConnected()) {
 info.agent.updateDevicePolicyFeatures();
+ changed = true;
 }
 }
+ if (changed) {
+ mArchive.logDevicePolicyChanged();
+ }
 }
 
 private void removeAgentsOfPackage(String packageName) {
-- 
2.11.0
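Review bot: The flag `changed` in updateDevicePolicyFeatures() is misnamed: it records that at least one connected agent was notified, not that policy changed. As written, a policy update that arrives while no agent is connected leaves no entry in the archive, which is a gap if the archive is read as a record of policy updates rather than of agent notifications. Either rename it to match the behaviour, e.g. `boolean notifiedAny = false;` with `if (notifiedAny) { mArchive.logDevicePolicyChanged(); }`, or log unconditionally and say so in a comment. The single entry is also written for USER_ALL regardless of which agents were notified, so the dump cannot show which users' agents received the update.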