Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / f8ac3643c59242f2eb3e1e97f198afc8ac345759^2..f8ac3643c59242f2eb3e1e97f198afc8ac345759 / .
commitf8ac3643c59242f2eb3e1e97f198afc8ac345759[log] [tgz]
authorDerek Sollenberger <djsollen@google.com>Fri Jan 15 16:37:11 2016 +0000
committerAndroid (Google) Code Review <android-gerrit@google.com>Fri Jan 15 16:37:11 2016 +0000
tree94ba402aa248751f57b3c0d5979fe3b5e0348921
parent4bfa55d4c232d2c55b5ffabd2e1ec856d4ef5a89 [diff]
parentc95d2d1bd6047cc8e246f80994c34dddd93801c0 [diff]
Merge "Restore old behavior of setLocalMatrix"
diff --git a/core/java/android/app/trust/TrustManager.java b/core/java/android/app/trust/TrustManager.java
index ee591d3..88ba874 100644
--- a/core/java/android/app/trust/TrustManager.java
+++ b/core/java/android/app/trust/TrustManager.java

@@ -16,7 +16,9 @@
 
 package android.app.trust;
 
+import android.Manifest;
 import android.annotation.IntDef;
+import android.annotation.RequiresPermission;
 import android.os.Handler;
 import android.os.IBinder;
 import android.os.Looper;
@@ -54,9 +56,12 @@
      * Changes the lock status for the given user. This is only applicable to Managed Profiles,
      * other users should be handled by Keyguard.
      *
+     * Requires the {@link android.Manifest.permission#ACCESS_KEYGUARD_SECURE_STORAGE} permission.
+     *
      * @param userId The id for the user to be locked/unlocked.
      * @param locked The value for that user's locked state.
      */
+    @RequiresPermission(Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE)
     public void setDeviceLockedForUser(int userId, boolean locked) {
         try {
             mService.setDeviceLockedForUser(userId, locked);

diff --git a/services/core/java/com/android/server/trust/TrustManagerService.java b/services/core/java/com/android/server/trust/TrustManagerService.java
index 42b8721..8cdff11 100644
--- a/services/core/java/com/android/server/trust/TrustManagerService.java
+++ b/services/core/java/com/android/server/trust/TrustManagerService.java

@@ -778,6 +778,7 @@
 
         @Override
         public void setDeviceLockedForUser(int userId, boolean value) {
+            enforceReportPermission();
             mHandler.obtainMessage(MSG_SET_DEVICE_LOCKED, value ? 1 : 0, userId)
                     .sendToTarget();
         }

diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index ce0474d..f14b032 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

@@ -2626,7 +2626,7 @@
                 return admin != null ? admin.passwordQuality : mode;
             }
 
-            if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle) && !parent) {
+            if (isSeparateProfileChallengeEnabled(userHandle) && !parent) {
                 // If a Work Challenge is in use, only return its restrictions.
                 DevicePolicyData policy = getUserDataUnchecked(userHandle);
                 final int N = policy.mAdminList.size();
@@ -2646,7 +2646,7 @@
                     // Only aggregate data for the parent profile plus the non-work challenge
                     // enabled profiles.
                     if (!(userInfo.isManagedProfile()
-                            && mLockPatternUtils.isSeparateProfileChallengeEnabled(userInfo.id))) {
+                            && isSeparateProfileChallengeEnabled(userInfo.id))) {
                         DevicePolicyData policy = getUserDataUnchecked(userInfo.id);
                         final int N = policy.mAdminList.size();
                         for (int i = 0; i < N; i++) {
@@ -2662,6 +2662,15 @@
         }
     }
 
+    private boolean isSeparateProfileChallengeEnabled(int userHandle) {
+        long ident = mInjector.binderClearCallingIdentity();
+        try {
+            return mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle);
+        } finally {
+            mInjector.binderRestoreCallingIdentity(ident);
+        }
+    }
+
     @Override
     public void setPasswordMinimumLength(ComponentName who, int length) {
         if (!mHasFeature) {
@@ -3233,7 +3242,7 @@
             ComponentName adminComponentName = admin.info.getComponent();
             // TODO: Include the Admin sdk level check in LockPatternUtils check.
             ComponentName who = !isAdminApiLevelMOrBelow(adminComponentName, userHandle)
-                    && mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)
+                    && isSeparateProfileChallengeEnabled(userHandle)
                         ? adminComponentName : null;
             if (policy.mActivePasswordQuality < getPasswordQuality(who, userHandle, parent)
                     || policy.mActivePasswordLength < getPasswordMinimumLength(null, userHandle)) {
@@ -4072,7 +4081,7 @@
         }
         enforceFullCrossUsersPermission(userHandle);
         // Managed Profile password can only be changed when per user encryption is present.
-        if (!mLockPatternUtils.isSeparateProfileChallengeEnabled(userHandle)) {
+        if (!isSeparateProfileChallengeEnabled(userHandle)) {
             enforceNotManagedProfile(userHandle, "set the active password");
         }
 
@@ -4712,7 +4721,7 @@
                             // If we are being asked explictly about this user
                             // return all disabled features even if its a managed profile.
                             which |= admin.disabledKeyguardFeatures;
-                        } else if (!mLockPatternUtils.isSeparateProfileChallengeEnabled(
+                        } else if (!isSeparateProfileChallengeEnabled(
                                 userInfo.id)) {
                             // Otherwise a managed profile is only allowed to disable
                             // some features on the parent user, and we only aggregate them if