Start trust agents earlier on successful unlocks
Frequently, trust agents are not running because
a successful unlock is required for them to start.
Unfortunately, that means they were not able to receive the
successful unlock. To fix this, we'll now override
StrongAuth requirements and start agents early if we
detect a successful unlock.
Bug: 23021202
Change-Id: Ie85f78d9ce2823dd5c9b6215a52db069fb796d91
diff --git a/services/core/java/com/android/server/trust/TrustAgentWrapper.java b/services/core/java/com/android/server/trust/TrustAgentWrapper.java
index e5c5b2bc..858f7c7 100644
--- a/services/core/java/com/android/server/trust/TrustAgentWrapper.java
+++ b/services/core/java/com/android/server/trust/TrustAgentWrapper.java
@@ -81,6 +81,7 @@
private boolean mBound;
private long mScheduledRestartUptimeMillis;
private long mMaximumTimeToLock; // from DevicePolicyManager
+ private boolean mPendingSuccessfulUnlock = false;
// Trust state
private boolean mTrusted;
@@ -234,6 +235,11 @@
setCallback(mCallback);
updateDevicePolicyFeatures();
+ if (mPendingSuccessfulUnlock) {
+ onUnlockAttempt(true);
+ mPendingSuccessfulUnlock = false;
+ }
+
if (mTrustManagerService.isDeviceLockedInner(mUserId)) {
onDeviceLocked();
} else {
@@ -302,7 +308,11 @@
*/
public void onUnlockAttempt(boolean successful) {
try {
- if (mTrustAgentService != null) mTrustAgentService.onUnlockAttempt(successful);
+ if (mTrustAgentService != null) {
+ mTrustAgentService.onUnlockAttempt(successful);
+ } else {
+ mPendingSuccessfulUnlock = successful;
+ }
} catch (RemoteException e) {
onError(e);
}
diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index b54e866..984fb76 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java
@@ -19,7 +19,6 @@
import com.android.internal.annotations.GuardedBy;
import com.android.internal.content.PackageMonitor;
import com.android.internal.widget.LockPatternUtils;
-import com.android.internal.widget.LockPatternUtils.StrongAuthTracker;
import com.android.server.SystemService;
import org.xmlpull.v1.XmlPullParser;
@@ -104,7 +103,7 @@
private static final int MSG_SET_DEVICE_LOCKED = 10;
private static final int MSG_FLUSH_TRUST_USUALLY_MANAGED = 11;
- public static final int TRUST_USUALLY_MANAGED_FLUSH_DELAY = 2 * 60 * 1000;
+ private static final int TRUST_USUALLY_MANAGED_FLUSH_DELAY = 2 * 60 * 1000;
private final ArraySet<AgentInfo> mActiveAgents = new ArraySet<>();
private final ArrayList<ITrustListener> mTrustListeners = new ArrayList<>();
@@ -136,13 +135,7 @@
mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE);
mLockPatternUtils = new LockPatternUtils(context);
-
- mStrongAuthTracker = new StrongAuthTracker(context) {
- @Override
- public void onStrongAuthRequiredChanged(int userId) {
- refreshAgentList(userId);
- }
- };
+ mStrongAuthTracker = new StrongAuthTracker(context);
}
@Override
@@ -231,24 +224,24 @@
TRUST_USUALLY_MANAGED_FLUSH_DELAY);
}
- void refreshAgentList(int userId) {
- if (DEBUG) Slog.d(TAG, "refreshAgentList()");
+ void refreshAgentList(int userIdOrAll) {
+ if (DEBUG) Slog.d(TAG, "refreshAgentList(" + userIdOrAll + ")");
if (!mTrustAgentsCanRun) {
return;
}
- if (userId != UserHandle.USER_ALL && userId < UserHandle.USER_SYSTEM) {
- Log.e(TAG, "refreshAgentList(userId=" + userId + "): Invalid user handle,"
+ if (userIdOrAll != UserHandle.USER_ALL && userIdOrAll < UserHandle.USER_SYSTEM) {
+ Log.e(TAG, "refreshAgentList(userId=" + userIdOrAll + "): Invalid user handle,"
+ " must be USER_ALL or a specific user.", new Throwable("here"));
- userId = UserHandle.USER_ALL;
+ userIdOrAll = UserHandle.USER_ALL;
}
PackageManager pm = mContext.getPackageManager();
List<UserInfo> userInfos;
- if (userId == UserHandle.USER_ALL) {
+ if (userIdOrAll == UserHandle.USER_ALL) {
userInfos = mUserManager.getUsers(true /* excludeDying */);
} else {
userInfos = new ArrayList<>();
- userInfos.add(mUserManager.getUserInfo(userId));
+ userInfos.add(mUserManager.getUserInfo(userIdOrAll));
}
LockPatternUtils lockPatternUtils = mLockPatternUtils;
@@ -261,7 +254,7 @@
if (!userInfo.supportsSwitchToByUser()) continue;
if (!mActivityManager.isUserRunning(userInfo.id)) continue;
if (!lockPatternUtils.isSecure(userInfo.id)) continue;
- if (!mStrongAuthTracker.isTrustAllowedForUser(userInfo.id)) continue;
+ if (!mStrongAuthTracker.canAgentsRunForUser(userInfo.id)) continue;
DevicePolicyManager dpm = lockPatternUtils.getDevicePolicyManager();
int disabledFeatures = dpm.getKeyguardDisabledFeatures(null, userInfo.id);
final boolean disableTrustAgents =
@@ -302,7 +295,7 @@
boolean trustMayHaveChanged = false;
for (int i = 0; i < obsoleteAgents.size(); i++) {
AgentInfo info = obsoleteAgents.valueAt(i);
- if (userId == UserHandle.USER_ALL || userId == info.userId) {
+ if (userIdOrAll == UserHandle.USER_ALL || userIdOrAll == info.userId) {
if (info.agent.isManagingTrust()) {
trustMayHaveChanged = true;
}
@@ -312,10 +305,10 @@
}
if (trustMayHaveChanged) {
- if (userId == UserHandle.USER_ALL) {
+ if (userIdOrAll == UserHandle.USER_ALL) {
updateTrustAll();
} else {
- updateTrust(userId, 0);
+ updateTrust(userIdOrAll, 0);
}
}
}
@@ -578,6 +571,10 @@
}
private void dispatchUnlockAttempt(boolean successful, int userId) {
+ if (successful) {
+ mStrongAuthTracker.allowTrustFromUnlock(userId);
+ }
+
for (int i = 0; i < mActiveAgents.size(); i++) {
AgentInfo info = mActiveAgents.valueAt(i);
if (info.userId == userId) {
@@ -608,6 +605,10 @@
}
private void dispatchOnTrustChanged(boolean enabled, int userId, int flags) {
+ if (DEBUG) {
+ Log.i(TAG, "onTrustChanged(" + enabled + ", " + userId + ", 0x"
+ + Integer.toHexString(flags) + ")");
+ }
if (!enabled) flags = 0;
for (int i = 0; i < mTrustListeners.size(); i++) {
try {
@@ -623,6 +624,9 @@
}
private void dispatchOnTrustManagedChanged(boolean managed, int userId) {
+ if (DEBUG) {
+ Log.i(TAG, "onTrustManagedChanged(" + managed + ", " + userId + ")");
+ }
for (int i = 0; i < mTrustListeners.size(); i++) {
try {
mTrustListeners.get(i).onTrustManagedChanged(managed, userId);
@@ -980,4 +984,61 @@
null /* scheduler */);
}
}
+
+ private class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
+
+ SparseBooleanArray mStartFromSuccessfulUnlock = new SparseBooleanArray();
+
+ public StrongAuthTracker(Context context) {
+ super(context);
+ }
+
+ @Override
+ public void onStrongAuthRequiredChanged(int userId) {
+ mStartFromSuccessfulUnlock.delete(userId);
+
+ if (DEBUG) {
+ Log.i(TAG, "onStrongAuthRequiredChanged(" + userId + ") ->"
+ + " trustAllowed=" + isTrustAllowedForUser(userId)
+ + " agentsCanRun=" + canAgentsRunForUser(userId));
+ }
+
+ refreshAgentList(userId);
+
+ // The list of active trust agents may not have changed, if there was a previous call
+ // to allowTrustFromUnlock, so we update the trust here too.
+ updateTrust(userId, 0 /* flags */);
+ }
+
+ boolean canAgentsRunForUser(int userId) {
+ return mStartFromSuccessfulUnlock.get(userId)
+ || super.isTrustAllowedForUser(userId);
+ }
+
+ /**
+ * Temporarily suppress strong auth requirements for {@param userId} until strong auth
+ * changes again. Must only be called when we know about a successful unlock already
+ * before the underlying StrongAuthTracker.
+ *
+ * Note that this only changes whether trust agents can be started, not the actual trusted
+ * value.
+ */
+ void allowTrustFromUnlock(int userId) {
+ if (userId < UserHandle.USER_SYSTEM) {
+ throw new IllegalArgumentException("userId must be a valid user: " + userId);
+ }
+ boolean previous = canAgentsRunForUser(userId);
+ mStartFromSuccessfulUnlock.put(userId, true);
+
+ if (DEBUG) {
+ Log.i(TAG, "allowTrustFromUnlock(" + userId + ") ->"
+ + " trustAllowed=" + isTrustAllowedForUser(userId)
+ + " agentsCanRun=" + canAgentsRunForUser(userId));
+ }
+
+ if (canAgentsRunForUser(userId) != previous) {
+ refreshAgentList(userId);
+ }
+ }
+ }
}