Only disable trust agents after lockout
Previously trust agents would be disabled even after one
wrong attempt. Now we wait for the cooldown (usually 5 attempts),
the same as fingerprint.
Also adds a TrustArchive entry recording when device policy changes are sent to
trust agents.
Bug: 30037948
Change-Id: I9e284d994ddae45ef66b5b8b601297c63d8ba667
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index d3792ad..479b3b7 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -288,7 +288,6 @@
public void reportFailedPasswordAttempt(int userId) {
getDevicePolicyManager().reportFailedPasswordAttempt(userId);
getTrustManager().reportUnlockAttempt(false /* authenticated */, userId);
- requireStrongAuth(StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL, userId);
}
public void reportSuccessfulPasswordAttempt(int userId) {
@@ -1544,7 +1543,8 @@
value = { STRONG_AUTH_NOT_REQUIRED,
STRONG_AUTH_REQUIRED_AFTER_BOOT,
STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW,
- SOME_AUTH_REQUIRED_AFTER_USER_REQUEST})
+ SOME_AUTH_REQUIRED_AFTER_USER_REQUEST,
+ STRONG_AUTH_REQUIRED_AFTER_LOCKOUT})
@Retention(RetentionPolicy.SOURCE)
public @interface StrongAuthFlags {}
@@ -1575,13 +1575,12 @@
public static final int STRONG_AUTH_REQUIRED_AFTER_LOCKOUT = 0x8;
/**
- * Some authentication is required because the user has entered a wrong credential.
+ * Strong auth flags that do not prevent fingerprint from being accepted as auth.
+ *
+ * If any other flags are set, fingerprint is disabled.
*/
- public static final int SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL = 0x10;
-
private static final int ALLOWING_FINGERPRINT = STRONG_AUTH_NOT_REQUIRED
- | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST
- | SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL;
+ | SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
private final SparseIntArray mStrongAuthRequiredForUser = new SparseIntArray();
private final H mHandler;
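Review bot: Nothing in this diff raises `STRONG_AUTH_REQUIRED_AFTER_LOCKOUT` when the attempt limit is reached, so with `SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL` gone here and the `requireStrongAuth` call removed from `reportFailedPasswordAttempt`, revoking trust agents after wrong credentials depends entirely on a caller outside these hunks. Presumably the existing lockout-reporting path already calls `requireStrongAuth` with that flag for the same `userId`; that is worth confirming. A test that trust survives a single failure and is dropped at lockout would pin the new behaviour. The new Javadoc on `ALLOWING_FINGERPRINT` describes only fingerprint, so a sentence on how trust agents are gated by these flags would help, since that is what the commit changes.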
diff --git a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
index aa74940..8290842 100644
--- a/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
+++ b/packages/Keyguard/src/com/android/keyguard/KeyguardSecurityView.java
@@ -49,11 +49,6 @@
int PROMPT_REASON_AFTER_LOCKOUT = 5;
/**
- * Some auth is required because a single wrong credential has been tried.
- */
- int PROMPT_REASON_WRONG_CREDENTIAL = 6;
-
- /**
* Interface back to keyguard to tell it when security
* @param callback
*/
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index a39c194..433fd00 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -86,7 +86,6 @@
import static android.provider.Settings.System.SCREEN_OFF_TIMEOUT;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_USER_REQUEST;
-import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;
@@ -614,10 +613,7 @@
return KeyguardSecurityView.PROMPT_REASON_USER_REQUEST;
} else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) != 0) {
return KeyguardSecurityView.PROMPT_REASON_AFTER_LOCKOUT;
- } else if (trust && (strongAuth & SOME_AUTH_REQUIRED_AFTER_WRONG_CREDENTIAL) != 0) {
- return KeyguardSecurityView.PROMPT_REASON_WRONG_CREDENTIAL;
}
-
return KeyguardSecurityView.PROMPT_REASON_NONE;
}
};
diff --git a/services/core/java/com/android/server/trust/TrustArchive.java b/services/core/java/com/android/server/trust/TrustArchive.java
index fd63d48..aaac297 100644
--- a/services/core/java/com/android/server/trust/TrustArchive.java
+++ b/services/core/java/com/android/server/trust/TrustArchive.java
@@ -37,6 +37,7 @@
private static final int TYPE_AGENT_CONNECTED = 4;
private static final int TYPE_AGENT_STOPPED = 5;
private static final int TYPE_MANAGING_TRUST = 6;
+ private static final int TYPE_POLICY_CHANGED = 7;
private static final int HISTORY_LIMIT = 200;
@@ -99,6 +100,10 @@
addEvent(new Event(TYPE_MANAGING_TRUST, userId, agent, null, 0, 0, managing));
}
+ public void logDevicePolicyChanged() {
+ addEvent(new Event(TYPE_POLICY_CHANGED, UserHandle.USER_ALL, null, null, 0, 0, false));
+ }
+
private void addEvent(Event e) {
if (mEvents.size() >= HISTORY_LIMIT) {
mEvents.removeFirst();
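Review bot: `logDevicePolicyChanged()` stores an `Event` whose `agent` is null, and as far as this diff shows it is the first event type to do so. The dump loop is guarded in a later hunk, but any other reader of `ev.agent` outside these hunks should be checked for a null dereference. The method also has no Javadoc; something like `/** Records that device policy changes were sent to connected trust agents; logged for USER_ALL with no agent. */` would explain the `UserHandle.USER_ALL` and null arguments. `addEvent` continues outside the hunk.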
@@ -112,7 +117,8 @@
Iterator<Event> iter = mEvents.descendingIterator();
while (iter.hasNext() && count < limit) {
Event ev = iter.next();
- if (userId != UserHandle.USER_ALL && userId != ev.userId) {
+ if (userId != UserHandle.USER_ALL && userId != ev.userId
+ && ev.userId != UserHandle.USER_ALL) {
continue;
}
@@ -122,11 +128,13 @@
if (userId == UserHandle.USER_ALL) {
writer.print("user="); writer.print(ev.userId); writer.print(", ");
}
- writer.print("agent=");
- if (duplicateSimpleNames) {
- writer.print(ev.agent.flattenToShortString());
- } else {
- writer.print(getSimpleName(ev.agent));
+ if (ev.agent != null) {
+ writer.print("agent=");
+ if (duplicateSimpleNames) {
+ writer.print(ev.agent.flattenToShortString());
+ } else {
+ writer.print(getSimpleName(ev.agent));
+ }
}
switch (ev.type) {
case TYPE_GRANT_TRUST:
@@ -181,6 +189,8 @@
return "AgentStopped";
case TYPE_MANAGING_TRUST:
return "ManagingTrust";
+ case TYPE_POLICY_CHANGED:
+ return "DevicePolicyChanged";
default:
return "Unknown(" + type + ")";
}
diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index c1868a4..d9c4254 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
@@ -399,12 +399,17 @@
}
void updateDevicePolicyFeatures() {
+ boolean changed = false;
for (int i = 0; i < mActiveAgents.size(); i++) {
AgentInfo info = mActiveAgents.valueAt(i);
if (info.agent.isConnected()) {
info.agent.updateDevicePolicyFeatures();
+ changed = true;
}
}
+ if (changed) {
+ mArchive.logDevicePolicyChanged();
+ }
}
private void removeAgentsOfPackage(String packageName) {
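Review bot: `changed` in `updateDevicePolicyFeatures()` records that at least one connected agent was notified, not that policy changed, so the name misreads; `notifiedAgent` or similar would match what the loop does. It also means no `DevicePolicyChanged` entry is archived when no agent is connected at the time. That leaves a gap for anyone using the dump to reconstruct why trust was or was not granted. If the entry is meant to mark agent notification only, a comment such as `// Archive only when an agent was actually notified.` above `if (changed)` would make that explicit.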