Use DPM's counter for invalid password attempts
Currently Keyguard uses separate counter for invalid password attempts
that is not persisted and is always initialized to zero after boot,
so if the user made several attempts and rebooted the device, the
device will show more allowed attempts before wipe than actually
available. The counter is also incorrectly reset to zero when
fingerprint is used successfully.
With this CL the same counter is used for that message and for actual
wipe triggering, it is persisted and is not reset upon reboot or
fingerprint authehtication.
Counting failed password attempts should be available in DevicePolicyManager
even without PackageManager.FEATURE_DEVICE_ADMIN.
Test: manual, tried using fingerprint and rebooting.
Bug: 112588257
Merged-In: I1f4012a95c6f6758885206f69e7ebe2c3704a567
Change-Id: I1f4012a95c6f6758885206f69e7ebe2c3704a567
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
index b1a247a..ff383dd 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
@@ -15,7 +15,6 @@
*/
package com.android.keyguard;
-import android.R.style;
import android.app.Activity;
import android.app.AlertDialog;
import android.app.admin.DevicePolicyManager;
@@ -26,7 +25,6 @@
import android.util.Log;
import android.util.Slog;
import android.util.StatsLog;
-import android.view.ContextThemeWrapper;
import android.view.LayoutInflater;
import android.view.View;
import android.view.WindowManager;
@@ -210,7 +208,7 @@
if (messageId != 0) {
final String message = mContext.getString(messageId,
- KeyguardUpdateMonitor.getInstance(mContext).getFailedUnlockAttempts(userId),
+ mLockPatternUtils.getCurrentFailedPasswordAttempts(userId),
timeoutInSeconds);
showDialog(null, message);
}
@@ -255,8 +253,8 @@
}
private void reportFailedUnlockAttempt(int userId, int timeoutMs) {
- final KeyguardUpdateMonitor monitor = KeyguardUpdateMonitor.getInstance(mContext);
- final int failedAttempts = monitor.getFailedUnlockAttempts(userId) + 1; // +1 for this time
+ // +1 for this time
+ final int failedAttempts = mLockPatternUtils.getCurrentFailedPasswordAttempts(userId) + 1;
if (DEBUG) Log.d(TAG, "reportFailedPatternAttempt: #" + failedAttempts);
@@ -290,7 +288,6 @@
showWipeDialog(failedAttempts, userType);
}
}
- monitor.reportFailedStrongAuthUnlockAttempt(userId);
mLockPatternUtils.reportFailedPasswordAttempt(userId);
if (timeoutMs > 0) {
mLockPatternUtils.reportPasswordLockout(timeoutMs, userId);
@@ -434,7 +431,6 @@
if (success) {
StatsLog.write(StatsLog.KEYGUARD_BOUNCER_PASSWORD_ENTERED,
StatsLog.KEYGUARD_BOUNCER_PASSWORD_ENTERED__RESULT__SUCCESS);
- monitor.clearFailedUnlockAttempts();
mLockPatternUtils.reportSuccessfulPasswordAttempt(userId);
} else {
StatsLog.write(StatsLog.KEYGUARD_BOUNCER_PASSWORD_ENTERED,
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardUpdateMonitor.java b/packages/SystemUI/src/com/android/keyguard/KeyguardUpdateMonitor.java
index ef3aa42..0e21815 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardUpdateMonitor.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardUpdateMonitor.java
@@ -209,9 +209,6 @@
// Battery status
private BatteryStatus mBatteryStatus;
- // Password attempts
- private SparseIntArray mFailedAttempts = new SparseIntArray();
-
private final StrongAuthTracker mStrongAuthTracker;
private final ArrayList<WeakReference<KeyguardUpdateMonitorCallback>>
@@ -1800,22 +1797,10 @@
return mDeviceProvisioned;
}
- public void clearFailedUnlockAttempts() {
- mFailedAttempts.delete(sCurrentUser);
- }
-
public ServiceState getServiceState(int subId) {
return mServiceStates.get(subId);
}
- public int getFailedUnlockAttempts(int userId) {
- return mFailedAttempts.get(userId, 0);
- }
-
- public void reportFailedStrongAuthUnlockAttempt(int userId) {
- mFailedAttempts.put(userId, getFailedUnlockAttempts(userId) + 1);
- }
-
public void clearFingerprintRecognized() {
mUserFingerprintAuthenticated.clear();
mTrustManager.clearAllFingerprints();
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index 89688fb..33db2c8 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -1647,7 +1647,6 @@
resetKeyguardDonePendingLocked();
}
- mUpdateMonitor.clearFailedUnlockAttempts();
mUpdateMonitor.clearFingerprintRecognized();
if (mGoingToSleep) {
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index b74a582..6ee7d49 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4572,10 +4572,12 @@
enforceFullCrossUsersPermission(userHandle);
synchronized (getLockObject()) {
if (!isCallerWithSystemUid()) {
- // This API can only be called by an active device admin,
- // so try to retrieve it to check that the caller is one.
- getActiveAdminForCallerLocked(
- null, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent);
+ // This API can be called by an active device admin or by keyguard code.
+ if (mContext.checkCallingPermission(permission.ACCESS_KEYGUARD_SECURE_STORAGE)
+ != PackageManager.PERMISSION_GRANTED) {
+ getActiveAdminForCallerLocked(
+ null, DeviceAdminInfo.USES_POLICY_WATCH_LOGIN, parent);
+ }
}
DevicePolicyData policy = getUserDataUnchecked(getCredentialOwner(userHandle, parent));