Define trust agent framework components
Adds the TrustManager system service that allows
registering for changes to the trust status and
reporting events that are important to trust agents.
Bug: 13723878
Change-Id: I7d0d2ea86fd755702d31aa5d49cac038a6cd4301
diff --git a/core/java/android/app/ContextImpl.java b/core/java/android/app/ContextImpl.java
index b2b2571..d1f94f0 100644
--- a/core/java/android/app/ContextImpl.java
+++ b/core/java/android/app/ContextImpl.java
@@ -119,6 +119,7 @@
import android.accounts.AccountManager;
import android.accounts.IAccountManager;
import android.app.admin.DevicePolicyManager;
+import android.app.trust.TrustManager;
import com.android.internal.annotations.GuardedBy;
import com.android.internal.app.IAppOpsService;
@@ -621,6 +622,12 @@
return new MediaSessionManager(ctx);
}
});
+ registerService(TRUST_SERVICE, new ServiceFetcher() {
+ public Object createService(ContextImpl ctx) {
+ IBinder b = ServiceManager.getService(TRUST_SERVICE);
+ return new TrustManager(b);
+ }
+ });
}
static ContextImpl getImpl(Context context) {
diff --git a/core/java/android/app/trust/ITrustListener.aidl b/core/java/android/app/trust/ITrustListener.aidl
new file mode 100644
index 0000000..4680043
--- /dev/null
+++ b/core/java/android/app/trust/ITrustListener.aidl
@@ -0,0 +1,26 @@
+/*
+**
+** Copyright 2014, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+package android.app.trust;
+
+/**
+ * Private API to be notified about trust changes.
+ *
+ * {@hide}
+ */
+oneway interface ITrustListener {
+ void onTrustChanged(boolean enabled, int userId);
+}
\ No newline at end of file
diff --git a/core/java/android/app/trust/ITrustManager.aidl b/core/java/android/app/trust/ITrustManager.aidl
new file mode 100644
index 0000000..ad4ccbb
--- /dev/null
+++ b/core/java/android/app/trust/ITrustManager.aidl
@@ -0,0 +1,31 @@
+/*
+**
+** Copyright 2014, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+package android.app.trust;
+
+import android.app.trust.ITrustListener;
+
+/**
+ * System private API to comunicate with trust service.
+ *
+ * {@hide}
+ */
+interface ITrustManager {
+ void reportUnlockAttempt(boolean successful, int userId);
+ void reportEnabledTrustAgentsChanged(int userId);
+ void registerTrustListener(in ITrustListener trustListener);
+ void unregisterTrustListener(in ITrustListener trustListener);
+}
diff --git a/core/java/android/app/trust/TrustManager.java b/core/java/android/app/trust/TrustManager.java
new file mode 100644
index 0000000..e31c624
--- /dev/null
+++ b/core/java/android/app/trust/TrustManager.java
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package android.app.trust;
+
+import android.os.Handler;
+import android.os.IBinder;
+import android.os.Looper;
+import android.os.Message;
+import android.os.RemoteException;
+import android.util.ArrayMap;
+import android.util.Log;
+
+/**
+ * See {@link com.android.server.trust.TrustManagerService}
+ * @hide
+ */
+public class TrustManager {
+
+ private static final int MSG_TRUST_CHANGED = 1;
+
+ private static final String TAG = "TrustManager";
+
+ private final ITrustManager mService;
+ private final ArrayMap<TrustListener, ITrustListener> mTrustListeners;
+
+ public TrustManager(IBinder b) {
+ mService = ITrustManager.Stub.asInterface(b);
+ mTrustListeners = new ArrayMap<TrustListener, ITrustListener>();
+ }
+
+ /**
+ * Reports that user {@param userId} has tried to unlock the device.
+ *
+ * @param successful if true, the unlock attempt was successful.
+ *
+ * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission.
+ */
+ public void reportUnlockAttempt(boolean successful, int userId) {
+ try {
+ mService.reportUnlockAttempt(successful, userId);
+ } catch (RemoteException e) {
+ onError(e);
+ }
+ }
+
+ /**
+ * Reports that the list of enabled trust agents changed for user {@param userId}.
+ *
+ * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission.
+ */
+ public void reportEnabledTrustAgentsChanged(int userId) {
+ try {
+ mService.reportEnabledTrustAgentsChanged(userId);
+ } catch (RemoteException e) {
+ onError(e);
+ }
+ }
+
+ /**
+ * Registers a listener for trust events.
+ *
+ * Requires the {@link android.Manifest.permission#TRUST_LISTENER} permission.
+ */
+ public void registerTrustListener(final TrustListener trustListener) {
+ try {
+ ITrustListener.Stub iTrustListener = new ITrustListener.Stub() {
+ @Override
+ public void onTrustChanged(boolean enabled, int userId) throws RemoteException {
+ mHandler.obtainMessage(MSG_TRUST_CHANGED, (enabled ? 1 : 0), userId,
+ trustListener).sendToTarget();
+ }
+ };
+ mService.registerTrustListener(iTrustListener);
+ mTrustListeners.put(trustListener, iTrustListener);
+ } catch (RemoteException e) {
+ onError(e);
+ }
+ }
+
+ /**
+ * Unregisters a listener for trust events.
+ *
+ * Requires the {@link android.Manifest.permission#TRUST_LISTENER} permission.
+ */
+ public void unregisterTrustListener(final TrustListener trustListener) {
+ ITrustListener iTrustListener = mTrustListeners.remove(trustListener);
+ if (iTrustListener != null) {
+ try {
+ mService.unregisterTrustListener(iTrustListener);
+ } catch (RemoteException e) {
+ onError(e);
+ }
+ }
+ }
+
+ private void onError(Exception e) {
+ Log.e(TAG, "Error while calling TrustManagerService", e);
+ }
+
+ private final Handler mHandler = new Handler(Looper.getMainLooper()) {
+ @Override
+ public void handleMessage(Message msg) {
+ switch(msg.what) {
+ case MSG_TRUST_CHANGED:
+ ((TrustListener)msg.obj).onTrustChanged(msg.arg1 != 0, msg.arg2);
+ break;
+ }
+ }
+ };
+
+ public interface TrustListener {
+
+ /**
+ * Reports that the trust state has changed.
+ * @param enabled if true, the system believes the environment to be trusted.
+ * @param userId the user, for which the trust changed.
+ */
+ void onTrustChanged(boolean enabled, int userId);
+ }
+}
diff --git a/core/java/android/content/Context.java b/core/java/android/content/Context.java
index cd91f3b..3fdaef2 100644
--- a/core/java/android/content/Context.java
+++ b/core/java/android/content/Context.java
@@ -2595,6 +2595,14 @@
public static final String CONSUMER_IR_SERVICE = "consumer_ir";
/**
+ * {@link android.app.trust.TrustManager} for managing trust agents.
+ * @see #getSystemService
+ * @see android.app.trust.TrustManager
+ * @hide
+ */
+ public static final String TRUST_SERVICE = "trust";
+
+ /**
* Determine whether the given permission is allowed for a particular
* process and user ID running in the system.
*
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index 2d79491..4752da5 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -19,11 +19,14 @@
import android.Manifest;
import android.app.ActivityManagerNative;
import android.app.admin.DevicePolicyManager;
+import android.app.trust.TrustManager;
import android.appwidget.AppWidgetManager;
+import android.content.ComponentName;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
+import android.net.Uri;
import android.os.IBinder;
import android.os.RemoteException;
import android.os.ServiceManager;
@@ -46,6 +49,8 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collection;
import java.util.List;
/**
@@ -145,6 +150,8 @@
private static final String LOCK_SCREEN_OWNER_INFO_ENABLED =
Settings.Secure.LOCK_SCREEN_OWNER_INFO_ENABLED;
+ private static final String ENABLED_TRUST_AGENTS = "lockscreen.enabledtrustagents";
+
private final Context mContext;
private final ContentResolver mContentResolver;
private DevicePolicyManager mDevicePolicyManager;
@@ -167,6 +174,15 @@
return mDevicePolicyManager;
}
+ private TrustManager getTrustManager() {
+ TrustManager trust = (TrustManager) mContext.getSystemService(Context.TRUST_SERVICE);
+ if (trust == null) {
+ Log.e(TAG, "Can't get TrustManagerService: is it running?",
+ new IllegalStateException("Stack trace:"));
+ }
+ return trust;
+ }
+
/**
* @param contentResolver Used to look up and save settings.
*/
@@ -242,10 +258,14 @@
*/
public void reportFailedPasswordAttempt() {
getDevicePolicyManager().reportFailedPasswordAttempt(getCurrentOrCallingUserId());
+ getTrustManager().reportUnlockAttempt(false /* authenticated */,
+ getCurrentOrCallingUserId());
}
public void reportSuccessfulPasswordAttempt() {
getDevicePolicyManager().reportSuccessfulPasswordAttempt(getCurrentOrCallingUserId());
+ getTrustManager().reportUnlockAttempt(true /* authenticated */,
+ getCurrentOrCallingUserId());
}
public void setCurrentUser(int userId) {
@@ -496,11 +516,12 @@
*/
public void saveLockPattern(List<LockPatternView.Cell> pattern, boolean isFallback) {
try {
- getLockSettings().setLockPattern(patternToString(pattern), getCurrentOrCallingUserId());
+ int userId = getCurrentOrCallingUserId();
+ getLockSettings().setLockPattern(patternToString(pattern), userId);
DevicePolicyManager dpm = getDevicePolicyManager();
if (pattern != null) {
- int userHandle = getCurrentOrCallingUserId();
+ int userHandle = userId;
if (userHandle == UserHandle.USER_OWNER) {
String stringPattern = patternToString(pattern);
updateEncryptionPassword(StorageManager.CRYPT_TYPE_PATTERN, stringPattern);
@@ -511,18 +532,18 @@
deleteGallery();
setLong(PASSWORD_TYPE_KEY, DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
dpm.setActivePasswordState(DevicePolicyManager.PASSWORD_QUALITY_SOMETHING,
- pattern.size(), 0, 0, 0, 0, 0, 0, getCurrentOrCallingUserId());
+ pattern.size(), 0, 0, 0, 0, 0, 0, userId);
} else {
setLong(PASSWORD_TYPE_KEY, DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK);
setLong(PASSWORD_TYPE_ALTERNATE_KEY,
DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
finishBiometricWeak();
dpm.setActivePasswordState(DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK,
- 0, 0, 0, 0, 0, 0, 0, getCurrentOrCallingUserId());
+ 0, 0, 0, 0, 0, 0, 0, userId);
}
} else {
dpm.setActivePasswordState(DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, 0, 0,
- 0, 0, 0, 0, 0, getCurrentOrCallingUserId());
+ 0, 0, 0, 0, 0, userId);
}
} catch (RemoteException re) {
Log.e(TAG, "Couldn't save lock pattern " + re);
@@ -1374,4 +1395,38 @@
setBoolean(LOCKSCREEN_WIDGETS_ENABLED, enabled, userId);
}
+ public void setEnabledTrustAgents(Collection<ComponentName> activeTrustAgents) {
+ setEnabledTrustAgents(activeTrustAgents, getCurrentOrCallingUserId());
+ }
+
+ public List<ComponentName> getEnabledTrustAgents() {
+ return getEnabledTrustAgents(getCurrentOrCallingUserId());
+ }
+
+ public void setEnabledTrustAgents(Collection<ComponentName> activeTrustAgents, int userId) {
+ StringBuilder sb = new StringBuilder();
+ for (ComponentName cn : activeTrustAgents) {
+ if (sb.length() > 0) {
+ sb.append(',');
+ }
+ sb.append(cn.flattenToShortString());
+ }
+ setString(ENABLED_TRUST_AGENTS, sb.toString(), userId);
+ getTrustManager().reportEnabledTrustAgentsChanged(getCurrentOrCallingUserId());
+ }
+
+ public List<ComponentName> getEnabledTrustAgents(int userId) {
+ String serialized = getString(ENABLED_TRUST_AGENTS, userId);
+ if (TextUtils.isEmpty(serialized)) {
+ return null;
+ }
+ String[] split = serialized.split(",");
+ ArrayList<ComponentName> activeTrustAgents = new ArrayList<ComponentName>(split.length);
+ for (String s : split) {
+ if (!TextUtils.isEmpty(s)) {
+ activeTrustAgents.add(ComponentName.unflattenFromString(s));
+ }
+ }
+ return activeTrustAgents;
+ }
}
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 2e0ac08..2a4d872 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2547,6 +2547,13 @@
android:label="@string/permlab_control_keyguard"
android:description="@string/permdesc_control_keyguard" />
+ <!-- Allows an application to listen to trust changes. Only allowed for system processes.
+ @hide -->
+ <permission android:name="android.permission.TRUST_LISTENER"
+ android:protectionLevel="signature"
+ android:label="@string/permlab_trust_listener"
+ android:description="@string/permdesc_trust_listener" />
+
<!-- Must be required by an {@link
android.service.trust.TrustAgentService},
to ensure that only the system can bind to it. -->
diff --git a/core/res/res/values/strings.xml b/core/res/res/values/strings.xml
index eb16bbd..3a4f059 100644
--- a/core/res/res/values/strings.xml
+++ b/core/res/res/values/strings.xml
@@ -3651,6 +3651,11 @@
<!-- Description of an application permission that lets it control keyguard. -->
<string name="permdesc_control_keyguard">Allows an application to control keguard.</string>
+ <!-- Title of an application permission that lets it listen to trust state changes. -->
+ <string name="permlab_trust_listener">Listen to trust state changes.</string>
+ <!-- Description of an application permission that lets it listen to trust state changes. -->
+ <string name="permdesc_trust_listener">Allows an application to listen for changes in trust state.</string>
+
<!-- Title of an application permission that lets it bind to a trust agent service. -->
<string name="permlab_bind_trust_agent_service">Bind to a trust agent service</string>
<!-- Description of an application permission that lets it bind to a trust agent service. -->