diff options
| author | Haining Chen <hainingc@google.com> | 2023-03-27 22:10:52 -0700 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-09-07 21:55:27 +0000 |
| commit | 35ebd43b2d3cd5612fd36958dfefb4399980292f (patch) | |
| tree | 3afb43ad3ba62da6735f05db50bf4f6e9295200a | |
| parent | 4895c856ed7d797f28c51f8bc7ea23b65f54f5d6 (diff) | |
| download | base-35ebd43b2d3cd5612fd36958dfefb4399980292f.tar.gz | |
RESTRICT AUTOMERGE Unset StrongAuthFlags when unlocking a user profile
Currently the full user (e.g. userId 0) is required to enter device
credential (e.g. device PIN/pattern/password) to unlock the device in
certain cases as specified by StrongAuthFlags (e.g. the user has
triggered lockdown). After successfully verify the device credential,
StrongAuthFlags for the full user will be set back to
STRONG_AUTH_NOT_REQUIRED. This may or may not clear StrongAuthFlags for
a profile of the user, depending on whether the profile has a separate
or unified lock.
Case #1: the profile has a seprate lock. In this case, the user will
need to enter the device credential on lockscreen to unlock the device,
and then enter the different profile lock to unlock the profile.
StrongAuthFlags for the profile will only be cleared after successfully
verifying the profile lock.
Case #2: the profile has a unified lock. Currently in this case,
StrongAuthFlags for the profile doesn't get cleared properly after the
user verifies the device credential on lockscreen and unpauses the
profile. For example, if the user triggers lockdown and later enters the
device credential to unlock the device, StrongAuthFlags for the full
user gets cleared (so the full user exits lockdown) while
StrongAuthFlags for the profile doesn't get cleared (so the profile
remains in lockdown), and thus notifications for the profile won't be
shown properly.
This CL fixes the issue above for the case #2. The user will only need
to enter the device credential on lockscreen once to unlock the device.
If the profile is already unpaused, at this point StrongAuthFlags
should already be cleared; otherwise, StrongAuthFlags will be cleared
after the user unpauses the profile (but without having to enter any
lock again since the profile uses a unified lock).
Test: (1) Set up a profile (e.g. a managed profile) with a unified lock.
(2) Trigger the lockdown mode on lockscreen, and verify that
StrongAuthFlags for the full user and the profile are both set
properly, via "adb shell dumpsys lock_settings".
(3) Enter the device credential on lockscreen for the full user,
and verify that StrongAuthFlags for the full user is unset.
StrongAuthFlags for the profile should also be cleared at this
point if the profile was unpaused already before lockdown;
otherwise
(4) Unpause the profile and verify that StrongAuthFlags for the
profile is cleared.
Fix: 176924824
Bug: 173721373
(cherry picked from commit ea925cf0b1293ddece4a77f8cce60196ee27f146)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a3e155e8060b3652baac209e4e48fa988e255206)
Merged-In: Ic466fc22a5be9047d39194ad42c56dc4a2acb4dc
Change-Id: Ic466fc22a5be9047d39194ad42c56dc4a2acb4dc
| -rw-r--r-- | services/core/java/com/android/server/locksettings/LockSettingsService.java | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index 78cffa6f4f79..62ae4aae2b4d 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -2992,9 +2992,19 @@ public class LockSettingsService extends ILockSettings.Stub { } activateEscrowTokens(authToken, userId); - if (isProfileWithSeparatedLock(userId)) { - setDeviceUnlockedForUser(userId); + if (isCredentialSharableWithParent(userId)) { + if (getSeparateProfileChallengeEnabledInternal(userId)) { + setDeviceUnlockedForUser(userId); + } else { + // Here only clear StrongAuthFlags for a profile that has a unified challenge. + // StrongAuth for a profile with a separate challenge is handled differently and + // is cleared after the user successfully confirms the separate challenge to enter + // the profile. StrongAuth for the full user (e.g. userId 0) is also handled + // separately by Keyguard. + mStrongAuth.reportUnlock(userId); + } } + mStrongAuth.reportSuccessfulStrongAuthUnlock(userId); onAuthTokenKnownForUser(userId, authToken); |