Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2012 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 17 | package com.android.server; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 18 | |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 19 | import android.app.admin.DevicePolicyManager; |
Amith Yamasani | 072543f | 2015-02-13 11:09:45 -0800 | [diff] [blame] | 20 | import android.app.backup.BackupManager; |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 21 | import android.content.BroadcastReceiver; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 22 | import android.content.ContentResolver; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 23 | import android.content.Context; |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 24 | import android.content.Intent; |
| 25 | import android.content.IntentFilter; |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 26 | import android.content.pm.PackageManager; |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 27 | import android.content.pm.UserInfo; |
| 28 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 29 | import static android.Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE; |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 30 | import static android.content.Context.USER_SERVICE; |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 31 | import static android.Manifest.permission.READ_PROFILE; |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 32 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 33 | import android.database.sqlite.SQLiteDatabase; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 34 | import android.os.Binder; |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 35 | import android.os.IBinder; |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 36 | import android.os.Process; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 37 | import android.os.RemoteException; |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 38 | import android.os.storage.IMountService; |
| 39 | import android.os.ServiceManager; |
Amith Yamasani | d1645f8 | 2012-06-12 11:53:26 -0700 | [diff] [blame] | 40 | import android.os.SystemProperties; |
Dianne Hackborn | f02b60a | 2012-08-16 10:48:27 -0700 | [diff] [blame] | 41 | import android.os.UserHandle; |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 42 | import android.os.UserManager; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 43 | import android.provider.Settings; |
| 44 | import android.provider.Settings.Secure; |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 45 | import android.provider.Settings.SettingNotFoundException; |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 46 | import android.security.KeyStore; |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 47 | import android.service.gatekeeper.IGateKeeperService; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 48 | import android.text.TextUtils; |
| 49 | import android.util.Slog; |
| 50 | |
Amith Yamasani | 072543f | 2015-02-13 11:09:45 -0800 | [diff] [blame] | 51 | import com.android.internal.util.ArrayUtils; |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 52 | import com.android.internal.widget.ILockSettings; |
| 53 | import com.android.internal.widget.LockPatternUtils; |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 54 | import com.android.server.LockSettingsStorage.CredentialHash; |
Jeff Sharkey | 7a96c39 | 2012-11-15 14:01:46 -0800 | [diff] [blame] | 55 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 56 | import java.util.Arrays; |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 57 | import java.util.List; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 58 | |
| 59 | /** |
| 60 | * Keeps the lock pattern/password data and related settings for each user. |
| 61 | * Used by LockPatternUtils. Needs to be a service because Settings app also needs |
| 62 | * to be able to save lockscreen information for secondary users. |
| 63 | * @hide |
| 64 | */ |
| 65 | public class LockSettingsService extends ILockSettings.Stub { |
| 66 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 67 | private static final String PERMISSION = ACCESS_KEYGUARD_SECURE_STORAGE; |
Adrian Roos | 4f78845 | 2014-05-22 20:45:59 +0200 | [diff] [blame] | 68 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 69 | private static final String TAG = "LockSettingsService"; |
| 70 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 71 | private final Context mContext; |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 72 | |
| 73 | private final LockSettingsStorage mStorage; |
| 74 | |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 75 | private LockPatternUtils mLockPatternUtils; |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 76 | private boolean mFirstCallToVold; |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 77 | private IGateKeeperService mGateKeeperService; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 78 | |
| 79 | public LockSettingsService(Context context) { |
| 80 | mContext = context; |
| 81 | // Open the database |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 82 | |
| 83 | mLockPatternUtils = new LockPatternUtils(context); |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 84 | mFirstCallToVold = true; |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 85 | |
| 86 | IntentFilter filter = new IntentFilter(); |
| 87 | filter.addAction(Intent.ACTION_USER_ADDED); |
Adrian Roos | 3dcae68 | 2014-10-29 14:43:56 +0100 | [diff] [blame] | 88 | filter.addAction(Intent.ACTION_USER_STARTING); |
Adrian Roos | db0f76e | 2015-01-07 22:19:38 +0100 | [diff] [blame] | 89 | filter.addAction(Intent.ACTION_USER_REMOVED); |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 90 | mContext.registerReceiverAsUser(mBroadcastReceiver, UserHandle.ALL, filter, null, null); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 91 | |
| 92 | mStorage = new LockSettingsStorage(context, new LockSettingsStorage.Callback() { |
| 93 | @Override |
| 94 | public void initialize(SQLiteDatabase db) { |
| 95 | // Get the lockscreen default from a system property, if available |
| 96 | boolean lockScreenDisable = SystemProperties.getBoolean( |
| 97 | "ro.lockscreen.disable.default", false); |
| 98 | if (lockScreenDisable) { |
| 99 | mStorage.writeKeyValue(db, LockPatternUtils.DISABLE_LOCKSCREEN_KEY, "1", 0); |
| 100 | } |
| 101 | } |
| 102 | }); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 103 | } |
| 104 | |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 105 | private final BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() { |
| 106 | @Override |
| 107 | public void onReceive(Context context, Intent intent) { |
Robin Lee | 1096cf8 | 2014-09-01 16:52:47 +0100 | [diff] [blame] | 108 | if (Intent.ACTION_USER_ADDED.equals(intent.getAction())) { |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 109 | final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); |
Robin Lee | 49d810c | 2014-09-23 13:50:22 +0100 | [diff] [blame] | 110 | final int userSysUid = UserHandle.getUid(userHandle, Process.SYSTEM_UID); |
| 111 | final KeyStore ks = KeyStore.getInstance(); |
| 112 | |
| 113 | // Clear up keystore in case anything was left behind by previous users |
| 114 | ks.resetUid(userSysUid); |
| 115 | |
| 116 | // If this user has a parent, sync with its keystore password |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 117 | final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE); |
| 118 | final UserInfo parentInfo = um.getProfileParent(userHandle); |
| 119 | if (parentInfo != null) { |
Robin Lee | 49d810c | 2014-09-23 13:50:22 +0100 | [diff] [blame] | 120 | final int parentSysUid = UserHandle.getUid(parentInfo.id, Process.SYSTEM_UID); |
| 121 | ks.syncUid(parentSysUid, userSysUid); |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 122 | } |
Adrian Roos | 3dcae68 | 2014-10-29 14:43:56 +0100 | [diff] [blame] | 123 | } else if (Intent.ACTION_USER_STARTING.equals(intent.getAction())) { |
| 124 | final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); |
| 125 | mStorage.prefetchUser(userHandle); |
Adrian Roos | db0f76e | 2015-01-07 22:19:38 +0100 | [diff] [blame] | 126 | } else if (Intent.ACTION_USER_REMOVED.equals(intent.getAction())) { |
| 127 | final int userHandle = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, 0); |
| 128 | if (userHandle > 0) { |
| 129 | removeUser(userHandle); |
| 130 | } |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 131 | } |
| 132 | } |
| 133 | }; |
| 134 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 135 | public void systemReady() { |
| 136 | migrateOldData(); |
Andres Morales | 301ea44 | 2015-04-17 09:15:47 -0700 | [diff] [blame] | 137 | try { |
| 138 | getGateKeeperService(); |
| 139 | } catch (RemoteException e) { |
| 140 | Slog.e(TAG, "Failure retrieving IGateKeeperService", e); |
| 141 | } |
Adrian Roos | 3dcae68 | 2014-10-29 14:43:56 +0100 | [diff] [blame] | 142 | mStorage.prefetchUser(UserHandle.USER_OWNER); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 143 | } |
| 144 | |
| 145 | private void migrateOldData() { |
| 146 | try { |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 147 | // These Settings moved before multi-user was enabled, so we only have to do it for the |
| 148 | // root user. |
| 149 | if (getString("migrated", null, 0) == null) { |
| 150 | final ContentResolver cr = mContext.getContentResolver(); |
| 151 | for (String validSetting : VALID_SETTINGS) { |
| 152 | String value = Settings.Secure.getString(cr, validSetting); |
| 153 | if (value != null) { |
| 154 | setString(validSetting, value, 0); |
| 155 | } |
| 156 | } |
| 157 | // No need to move the password / pattern files. They're already in the right place. |
| 158 | setString("migrated", "true", 0); |
| 159 | Slog.i(TAG, "Migrated lock settings to new location"); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 160 | } |
| 161 | |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 162 | // These Settings changed after multi-user was enabled, hence need to be moved per user. |
| 163 | if (getString("migrated_user_specific", null, 0) == null) { |
| 164 | final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE); |
| 165 | final ContentResolver cr = mContext.getContentResolver(); |
| 166 | List<UserInfo> users = um.getUsers(); |
| 167 | for (int user = 0; user < users.size(); user++) { |
Jim Miller | 2d8ecf9d | 2013-04-22 17:17:03 -0700 | [diff] [blame] | 168 | // Migrate owner info |
| 169 | final int userId = users.get(user).id; |
| 170 | final String OWNER_INFO = Secure.LOCK_SCREEN_OWNER_INFO; |
| 171 | String ownerInfo = Settings.Secure.getStringForUser(cr, OWNER_INFO, userId); |
| 172 | if (ownerInfo != null) { |
| 173 | setString(OWNER_INFO, ownerInfo, userId); |
| 174 | Settings.Secure.putStringForUser(cr, ownerInfo, "", userId); |
| 175 | } |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 176 | |
Jim Miller | 2d8ecf9d | 2013-04-22 17:17:03 -0700 | [diff] [blame] | 177 | // Migrate owner info enabled. Note there was a bug where older platforms only |
| 178 | // stored this value if the checkbox was toggled at least once. The code detects |
| 179 | // this case by handling the exception. |
| 180 | final String OWNER_INFO_ENABLED = Secure.LOCK_SCREEN_OWNER_INFO_ENABLED; |
| 181 | boolean enabled; |
| 182 | try { |
| 183 | int ivalue = Settings.Secure.getIntForUser(cr, OWNER_INFO_ENABLED, userId); |
| 184 | enabled = ivalue != 0; |
| 185 | setLong(OWNER_INFO_ENABLED, enabled ? 1 : 0, userId); |
| 186 | } catch (SettingNotFoundException e) { |
| 187 | // Setting was never stored. Store it if the string is not empty. |
| 188 | if (!TextUtils.isEmpty(ownerInfo)) { |
| 189 | setLong(OWNER_INFO_ENABLED, 1, userId); |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 190 | } |
| 191 | } |
Jim Miller | 2d8ecf9d | 2013-04-22 17:17:03 -0700 | [diff] [blame] | 192 | Settings.Secure.putIntForUser(cr, OWNER_INFO_ENABLED, 0, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 193 | } |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 194 | // No need to move the password / pattern files. They're already in the right place. |
| 195 | setString("migrated_user_specific", "true", 0); |
| 196 | Slog.i(TAG, "Migrated per-user lock settings to new location"); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 197 | } |
Adrian Roos | 230635e | 2015-01-07 20:50:29 +0100 | [diff] [blame] | 198 | |
| 199 | // Migrates biometric weak such that the fallback mechanism becomes the primary. |
| 200 | if (getString("migrated_biometric_weak", null, 0) == null) { |
| 201 | final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE); |
| 202 | List<UserInfo> users = um.getUsers(); |
| 203 | for (int i = 0; i < users.size(); i++) { |
| 204 | int userId = users.get(i).id; |
| 205 | long type = getLong(LockPatternUtils.PASSWORD_TYPE_KEY, |
| 206 | DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, |
| 207 | userId); |
| 208 | long alternateType = getLong(LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, |
| 209 | DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, |
| 210 | userId); |
| 211 | if (type == DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK) { |
| 212 | setLong(LockPatternUtils.PASSWORD_TYPE_KEY, |
| 213 | alternateType, |
| 214 | userId); |
| 215 | } |
| 216 | setLong(LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, |
| 217 | DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED, |
| 218 | userId); |
| 219 | } |
| 220 | setString("migrated_biometric_weak", "true", 0); |
| 221 | Slog.i(TAG, "Migrated biometric weak to use the fallback instead"); |
| 222 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 223 | } catch (RemoteException re) { |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 224 | Slog.e(TAG, "Unable to migrate old data", re); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 225 | } |
| 226 | } |
| 227 | |
Jim Miller | 5ecd811 | 2013-01-09 18:50:26 -0800 | [diff] [blame] | 228 | private final void checkWritePermission(int userId) { |
Jim Miller | 505329b | 2013-11-08 13:25:36 -0800 | [diff] [blame] | 229 | mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsWrite"); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 230 | } |
| 231 | |
Jim Miller | 5ecd811 | 2013-01-09 18:50:26 -0800 | [diff] [blame] | 232 | private final void checkPasswordReadPermission(int userId) { |
Jim Miller | 505329b | 2013-11-08 13:25:36 -0800 | [diff] [blame] | 233 | mContext.enforceCallingOrSelfPermission(PERMISSION, "LockSettingsRead"); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 234 | } |
| 235 | |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 236 | private final void checkReadPermission(String requestedKey, int userId) { |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 237 | final int callingUid = Binder.getCallingUid(); |
Adrian Roos | 001b00d | 2015-02-24 17:08:48 +0100 | [diff] [blame] | 238 | |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 239 | for (int i = 0; i < READ_PROFILE_PROTECTED_SETTINGS.length; i++) { |
| 240 | String key = READ_PROFILE_PROTECTED_SETTINGS[i]; |
| 241 | if (key.equals(requestedKey) && mContext.checkCallingOrSelfPermission(READ_PROFILE) |
| 242 | != PackageManager.PERMISSION_GRANTED) { |
| 243 | throw new SecurityException("uid=" + callingUid |
| 244 | + " needs permission " + READ_PROFILE + " to read " |
| 245 | + requestedKey + " for user " + userId); |
| 246 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 247 | } |
Adrian Roos | 001b00d | 2015-02-24 17:08:48 +0100 | [diff] [blame] | 248 | |
| 249 | for (int i = 0; i < READ_PASSWORD_PROTECTED_SETTINGS.length; i++) { |
| 250 | String key = READ_PASSWORD_PROTECTED_SETTINGS[i]; |
| 251 | if (key.equals(requestedKey) && mContext.checkCallingOrSelfPermission(PERMISSION) |
| 252 | != PackageManager.PERMISSION_GRANTED) { |
| 253 | throw new SecurityException("uid=" + callingUid |
| 254 | + " needs permission " + PERMISSION + " to read " |
| 255 | + requestedKey + " for user " + userId); |
| 256 | } |
| 257 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 258 | } |
| 259 | |
| 260 | @Override |
| 261 | public void setBoolean(String key, boolean value, int userId) throws RemoteException { |
| 262 | checkWritePermission(userId); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 263 | setStringUnchecked(key, userId, value ? "1" : "0"); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 264 | } |
| 265 | |
| 266 | @Override |
| 267 | public void setLong(String key, long value, int userId) throws RemoteException { |
| 268 | checkWritePermission(userId); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 269 | setStringUnchecked(key, userId, Long.toString(value)); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 270 | } |
| 271 | |
| 272 | @Override |
| 273 | public void setString(String key, String value, int userId) throws RemoteException { |
| 274 | checkWritePermission(userId); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 275 | setStringUnchecked(key, userId, value); |
| 276 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 277 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 278 | private void setStringUnchecked(String key, int userId, String value) { |
| 279 | mStorage.writeKeyValue(key, value, userId); |
Amith Yamasani | 072543f | 2015-02-13 11:09:45 -0800 | [diff] [blame] | 280 | if (ArrayUtils.contains(SETTINGS_TO_BACKUP, key)) { |
| 281 | BackupManager.dataChanged("com.android.providers.settings"); |
| 282 | } |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 283 | } |
| 284 | |
| 285 | @Override |
| 286 | public boolean getBoolean(String key, boolean defaultValue, int userId) throws RemoteException { |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 287 | checkReadPermission(key, userId); |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 288 | String value = getStringUnchecked(key, null, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 289 | return TextUtils.isEmpty(value) ? |
| 290 | defaultValue : (value.equals("1") || value.equals("true")); |
| 291 | } |
| 292 | |
| 293 | @Override |
| 294 | public long getLong(String key, long defaultValue, int userId) throws RemoteException { |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 295 | checkReadPermission(key, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 296 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 297 | String value = getStringUnchecked(key, null, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 298 | return TextUtils.isEmpty(value) ? defaultValue : Long.parseLong(value); |
| 299 | } |
| 300 | |
| 301 | @Override |
| 302 | public String getString(String key, String defaultValue, int userId) throws RemoteException { |
Jim Miller | 158fe19 | 2013-04-17 15:23:55 -0700 | [diff] [blame] | 303 | checkReadPermission(key, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 304 | |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 305 | return getStringUnchecked(key, defaultValue, userId); |
| 306 | } |
| 307 | |
| 308 | public String getStringUnchecked(String key, String defaultValue, int userId) { |
| 309 | if (Settings.Secure.LOCK_PATTERN_ENABLED.equals(key)) { |
| 310 | return mLockPatternUtils.isLockPatternEnabled(userId) ? "1" : "0"; |
| 311 | } |
| 312 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 313 | return mStorage.readKeyValue(key, defaultValue, userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 314 | } |
| 315 | |
Adrian Roos | 4f78845 | 2014-05-22 20:45:59 +0200 | [diff] [blame] | 316 | @Override |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 317 | public boolean havePassword(int userId) throws RemoteException { |
| 318 | // Do we need a permissions check here? |
| 319 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 320 | return mStorage.hasPassword(userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 321 | } |
| 322 | |
| 323 | @Override |
| 324 | public boolean havePattern(int userId) throws RemoteException { |
| 325 | // Do we need a permissions check here? |
| 326 | |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 327 | return mStorage.hasPattern(userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 328 | } |
| 329 | |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 330 | private void maybeUpdateKeystore(String password, int userHandle) { |
| 331 | final UserManager um = (UserManager) mContext.getSystemService(USER_SERVICE); |
| 332 | final KeyStore ks = KeyStore.getInstance(); |
| 333 | |
| 334 | final List<UserInfo> profiles = um.getProfiles(userHandle); |
| 335 | boolean shouldReset = TextUtils.isEmpty(password); |
| 336 | |
| 337 | // For historical reasons, don't wipe a non-empty keystore if we have a single user with a |
| 338 | // single profile. |
| 339 | if (userHandle == UserHandle.USER_OWNER && profiles.size() == 1) { |
| 340 | if (!ks.isEmpty()) { |
| 341 | shouldReset = false; |
| 342 | } |
| 343 | } |
| 344 | |
| 345 | for (UserInfo pi : profiles) { |
| 346 | final int profileUid = UserHandle.getUid(pi.id, Process.SYSTEM_UID); |
| 347 | if (shouldReset) { |
| 348 | ks.resetUid(profileUid); |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 349 | } else { |
Robin Lee | f0246a8 | 2014-08-13 09:50:25 +0100 | [diff] [blame] | 350 | ks.passwordUid(password, profileUid); |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 351 | } |
| 352 | } |
| 353 | } |
| 354 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 355 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 356 | private byte[] getCurrentHandle(int userId) { |
| 357 | CredentialHash credential; |
| 358 | byte[] currentHandle; |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 359 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 360 | int currentHandleType = mStorage.getStoredCredentialType(userId); |
| 361 | switch (currentHandleType) { |
| 362 | case CredentialHash.TYPE_PATTERN: |
| 363 | credential = mStorage.readPatternHash(userId); |
| 364 | currentHandle = credential != null |
| 365 | ? credential.hash |
| 366 | : null; |
| 367 | break; |
| 368 | case CredentialHash.TYPE_PASSWORD: |
| 369 | credential = mStorage.readPasswordHash(userId); |
| 370 | currentHandle = credential != null |
| 371 | ? credential.hash |
| 372 | : null; |
| 373 | break; |
| 374 | case CredentialHash.TYPE_NONE: |
| 375 | default: |
| 376 | currentHandle = null; |
| 377 | break; |
| 378 | } |
| 379 | |
| 380 | // sanity check |
| 381 | if (currentHandleType != CredentialHash.TYPE_NONE && currentHandle == null) { |
| 382 | Slog.e(TAG, "Stored handle type [" + currentHandleType + "] but no handle available"); |
| 383 | } |
| 384 | |
| 385 | return currentHandle; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 386 | } |
| 387 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 388 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 389 | @Override |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 390 | public void setLockPattern(String pattern, String savedCredential, int userId) |
| 391 | throws RemoteException { |
| 392 | byte[] currentHandle = getCurrentHandle(userId); |
| 393 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 394 | if (pattern == null) { |
Andres Morales | cfb6160 | 2015-04-16 16:31:15 -0700 | [diff] [blame] | 395 | getGateKeeperService().clearSecureUserId(userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 396 | mStorage.writePatternHash(null, userId); |
Andres Morales | cfb6160 | 2015-04-16 16:31:15 -0700 | [diff] [blame] | 397 | maybeUpdateKeystore(null, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 398 | return; |
| 399 | } |
| 400 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 401 | if (currentHandle == null) { |
| 402 | if (savedCredential != null) { |
| 403 | Slog.w(TAG, "Saved credential provided, but none stored"); |
| 404 | } |
| 405 | savedCredential = null; |
| 406 | } |
| 407 | |
| 408 | byte[] enrolledHandle = enrollCredential(currentHandle, savedCredential, pattern, userId); |
| 409 | if (enrolledHandle != null) { |
| 410 | mStorage.writePatternHash(enrolledHandle, userId); |
| 411 | } else { |
| 412 | Slog.e(TAG, "Failed to enroll pattern"); |
| 413 | } |
| 414 | } |
| 415 | |
| 416 | |
| 417 | @Override |
| 418 | public void setLockPassword(String password, String savedCredential, int userId) |
| 419 | throws RemoteException { |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 420 | byte[] currentHandle = getCurrentHandle(userId); |
| 421 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 422 | if (password == null) { |
Andres Morales | cfb6160 | 2015-04-16 16:31:15 -0700 | [diff] [blame] | 423 | getGateKeeperService().clearSecureUserId(userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 424 | mStorage.writePasswordHash(null, userId); |
Andres Morales | cfb6160 | 2015-04-16 16:31:15 -0700 | [diff] [blame] | 425 | maybeUpdateKeystore(null, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 426 | return; |
| 427 | } |
| 428 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 429 | if (currentHandle == null) { |
| 430 | if (savedCredential != null) { |
| 431 | Slog.w(TAG, "Saved credential provided, but none stored"); |
| 432 | } |
| 433 | savedCredential = null; |
| 434 | } |
| 435 | |
| 436 | byte[] enrolledHandle = enrollCredential(currentHandle, savedCredential, password, userId); |
| 437 | if (enrolledHandle != null) { |
| 438 | mStorage.writePasswordHash(enrolledHandle, userId); |
| 439 | } else { |
| 440 | Slog.e(TAG, "Failed to enroll password"); |
| 441 | } |
| 442 | } |
| 443 | |
| 444 | private byte[] enrollCredential(byte[] enrolledHandle, |
| 445 | String enrolledCredential, String toEnroll, int userId) |
| 446 | throws RemoteException { |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 447 | checkWritePermission(userId); |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 448 | byte[] enrolledCredentialBytes = enrolledCredential == null |
| 449 | ? null |
| 450 | : enrolledCredential.getBytes(); |
| 451 | byte[] toEnrollBytes = toEnroll == null |
| 452 | ? null |
| 453 | : toEnroll.getBytes(); |
| 454 | byte[] hash = getGateKeeperService().enroll(userId, enrolledHandle, enrolledCredentialBytes, |
| 455 | toEnrollBytes); |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 456 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 457 | if (hash != null) { |
| 458 | maybeUpdateKeystore(toEnroll, userId); |
| 459 | } |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 460 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 461 | return hash; |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 462 | } |
| 463 | |
| 464 | @Override |
| 465 | public boolean checkPattern(String pattern, int userId) throws RemoteException { |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 466 | try { |
| 467 | doVerifyPattern(pattern, false, 0, userId); |
| 468 | } catch (VerificationFailedException ex) { |
| 469 | return false; |
| 470 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 471 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 472 | return true; |
| 473 | } |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 474 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 475 | @Override |
| 476 | public byte[] verifyPattern(String pattern, long challenge, int userId) |
| 477 | throws RemoteException { |
| 478 | try { |
| 479 | return doVerifyPattern(pattern, true, challenge, userId); |
| 480 | } catch (VerificationFailedException ex) { |
| 481 | return null; |
| 482 | } |
| 483 | } |
| 484 | |
| 485 | private byte[] doVerifyPattern(String pattern, boolean hasChallenge, long challenge, |
| 486 | int userId) throws VerificationFailedException, RemoteException { |
| 487 | checkPasswordReadPermission(userId); |
| 488 | |
| 489 | CredentialHash storedHash = mStorage.readPatternHash(userId); |
| 490 | |
| 491 | if ((storedHash == null || storedHash.hash.length == 0) && TextUtils.isEmpty(pattern)) { |
| 492 | // don't need to pass empty passwords to GateKeeper |
| 493 | return null; |
| 494 | } |
| 495 | |
| 496 | if (TextUtils.isEmpty(pattern)) { |
| 497 | throw new VerificationFailedException(); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 498 | } |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 499 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 500 | if (storedHash.version == CredentialHash.VERSION_LEGACY) { |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 501 | byte[] hash = mLockPatternUtils.patternToHash( |
| 502 | mLockPatternUtils.stringToPattern(pattern)); |
| 503 | if (Arrays.equals(hash, storedHash.hash)) { |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 504 | maybeUpdateKeystore(pattern, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 505 | // migrate password to GateKeeper |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 506 | setLockPattern(pattern, null, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 507 | if (!hasChallenge) { |
| 508 | return null; |
| 509 | } |
| 510 | // Fall through to get the auth token. Technically this should never happen, |
| 511 | // as a user that had a legacy pattern would have to unlock their device |
| 512 | // before getting to a flow with a challenge, but supporting for consistency. |
| 513 | } else { |
| 514 | throw new VerificationFailedException(); |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 515 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 516 | } |
| 517 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 518 | byte[] token = null; |
| 519 | if (hasChallenge) { |
| 520 | token = getGateKeeperService() |
| 521 | .verifyChallenge(userId, challenge, storedHash.hash, pattern.getBytes()); |
| 522 | if (token == null) { |
| 523 | throw new VerificationFailedException(); |
| 524 | } |
| 525 | } else if (!getGateKeeperService().verify(userId, storedHash.hash, pattern.getBytes())) { |
| 526 | throw new VerificationFailedException(); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 527 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 528 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 529 | // pattern has matched |
| 530 | maybeUpdateKeystore(pattern, userId); |
| 531 | return token; |
| 532 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 533 | } |
| 534 | |
| 535 | @Override |
Jim Miller | de1af08 | 2013-09-11 14:58:26 -0700 | [diff] [blame] | 536 | public boolean checkPassword(String password, int userId) throws RemoteException { |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 537 | try { |
| 538 | doVerifyPassword(password, false, 0, userId); |
| 539 | } catch (VerificationFailedException ex) { |
| 540 | return false; |
| 541 | } |
| 542 | return true; |
| 543 | } |
| 544 | |
| 545 | @Override |
| 546 | public byte[] verifyPassword(String password, long challenge, int userId) |
| 547 | throws RemoteException { |
| 548 | try { |
| 549 | return doVerifyPassword(password, true, challenge, userId); |
| 550 | } catch (VerificationFailedException ex) { |
| 551 | return null; |
| 552 | } |
| 553 | } |
| 554 | |
| 555 | private byte[] doVerifyPassword(String password, boolean hasChallenge, long challenge, |
| 556 | int userId) throws VerificationFailedException, RemoteException { |
| 557 | checkPasswordReadPermission(userId); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 558 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 559 | CredentialHash storedHash = mStorage.readPasswordHash(userId); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 560 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 561 | if ((storedHash == null || storedHash.hash.length == 0) && TextUtils.isEmpty(password)) { |
| 562 | // don't need to pass empty passwords to GateKeeper |
| 563 | return null; |
| 564 | } |
| 565 | |
| 566 | if (TextUtils.isEmpty(password)) { |
| 567 | throw new VerificationFailedException(); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 568 | } |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 569 | |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 570 | if (storedHash.version == CredentialHash.VERSION_LEGACY) { |
| 571 | byte[] hash = mLockPatternUtils.passwordToHash(password, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 572 | if (Arrays.equals(hash, storedHash.hash)) { |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 573 | maybeUpdateKeystore(password, userId); |
| 574 | // migrate password to GateKeeper |
| 575 | setLockPassword(password, null, userId); |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 576 | if (!hasChallenge) { |
| 577 | return null; |
| 578 | } |
| 579 | // Fall through to get the auth token. Technically this should never happen, |
| 580 | // as a user that had a legacy password would have to unlock their device |
| 581 | // before getting to a flow with a challenge, but supporting for consistency. |
| 582 | } else { |
| 583 | throw new VerificationFailedException(); |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 584 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 585 | } |
| 586 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 587 | byte[] token = null; |
| 588 | if (hasChallenge) { |
| 589 | token = getGateKeeperService() |
| 590 | .verifyChallenge(userId, challenge, storedHash.hash, password.getBytes()); |
| 591 | if (token == null) { |
| 592 | throw new VerificationFailedException(); |
| 593 | } |
| 594 | } else if (!getGateKeeperService().verify(userId, storedHash.hash, password.getBytes())) { |
| 595 | throw new VerificationFailedException(); |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 596 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 597 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 598 | // password has matched |
| 599 | maybeUpdateKeystore(password, userId); |
| 600 | return token; |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 601 | } |
| 602 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 603 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 604 | @Override |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 605 | public boolean checkVoldPassword(int userId) throws RemoteException { |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 606 | if (!mFirstCallToVold) { |
| 607 | return false; |
| 608 | } |
| 609 | mFirstCallToVold = false; |
| 610 | |
| 611 | checkPasswordReadPermission(userId); |
| 612 | |
| 613 | // There's no guarantee that this will safely connect, but if it fails |
| 614 | // we will simply show the lock screen when we shouldn't, so relatively |
| 615 | // benign. There is an outside chance something nasty would happen if |
| 616 | // this service restarted before vold stales out the password in this |
| 617 | // case. The nastiness is limited to not showing the lock screen when |
| 618 | // we should, within the first minute of decrypting the phone if this |
| 619 | // service can't connect to vold, it restarts, and then the new instance |
| 620 | // does successfully connect. |
| 621 | final IMountService service = getMountService(); |
| 622 | String password = service.getPassword(); |
| 623 | service.clearPassword(); |
| 624 | if (password == null) { |
| 625 | return false; |
| 626 | } |
| 627 | |
| 628 | try { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 629 | if (mLockPatternUtils.isLockPatternEnabled(userId)) { |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 630 | if (checkPattern(password, userId)) { |
| 631 | return true; |
| 632 | } |
| 633 | } |
| 634 | } catch (Exception e) { |
| 635 | } |
| 636 | |
| 637 | try { |
Adrian Roos | 9dd16eb | 2015-01-08 16:20:49 +0100 | [diff] [blame] | 638 | if (mLockPatternUtils.isLockPasswordEnabled(userId)) { |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 639 | if (checkPassword(password, userId)) { |
| 640 | return true; |
| 641 | } |
| 642 | } |
| 643 | } catch (Exception e) { |
| 644 | } |
| 645 | |
| 646 | return false; |
| 647 | } |
| 648 | |
Adrian Roos | db0f76e | 2015-01-07 22:19:38 +0100 | [diff] [blame] | 649 | private void removeUser(int userId) { |
Adrian Roos | 261d5ab | 2014-10-29 14:42:38 +0100 | [diff] [blame] | 650 | mStorage.removeUser(userId); |
Robin Lee | 49d810c | 2014-09-23 13:50:22 +0100 | [diff] [blame] | 651 | |
| 652 | final KeyStore ks = KeyStore.getInstance(); |
| 653 | final int userUid = UserHandle.getUid(userId, Process.SYSTEM_UID); |
| 654 | ks.resetUid(userUid); |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 655 | } |
| 656 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 657 | private static final String[] VALID_SETTINGS = new String[] { |
| 658 | LockPatternUtils.LOCKOUT_PERMANENT_KEY, |
| 659 | LockPatternUtils.LOCKOUT_ATTEMPT_DEADLINE, |
| 660 | LockPatternUtils.PATTERN_EVER_CHOSEN_KEY, |
| 661 | LockPatternUtils.PASSWORD_TYPE_KEY, |
| 662 | LockPatternUtils.PASSWORD_TYPE_ALTERNATE_KEY, |
| 663 | LockPatternUtils.LOCK_PASSWORD_SALT_KEY, |
| 664 | LockPatternUtils.DISABLE_LOCKSCREEN_KEY, |
| 665 | LockPatternUtils.LOCKSCREEN_OPTIONS, |
| 666 | LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, |
| 667 | LockPatternUtils.BIOMETRIC_WEAK_EVER_CHOSEN_KEY, |
| 668 | LockPatternUtils.LOCKSCREEN_POWER_BUTTON_INSTANTLY_LOCKS, |
| 669 | LockPatternUtils.PASSWORD_HISTORY_KEY, |
| 670 | Secure.LOCK_PATTERN_ENABLED, |
| 671 | Secure.LOCK_BIOMETRIC_WEAK_FLAGS, |
| 672 | Secure.LOCK_PATTERN_VISIBLE, |
| 673 | Secure.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 674 | }; |
| 675 | |
Adrian Roos | 001b00d | 2015-02-24 17:08:48 +0100 | [diff] [blame] | 676 | // Reading these settings needs the profile permission |
Jim Miller | 2d8ecf9d | 2013-04-22 17:17:03 -0700 | [diff] [blame] | 677 | private static final String[] READ_PROFILE_PROTECTED_SETTINGS = new String[] { |
Jim Miller | 187ec58 | 2013-04-15 18:27:54 -0700 | [diff] [blame] | 678 | Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, |
| 679 | Secure.LOCK_SCREEN_OWNER_INFO |
| 680 | }; |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 681 | |
Adrian Roos | 001b00d | 2015-02-24 17:08:48 +0100 | [diff] [blame] | 682 | // Reading these settings needs the same permission as checking the password |
| 683 | private static final String[] READ_PASSWORD_PROTECTED_SETTINGS = new String[] { |
| 684 | LockPatternUtils.LOCK_PASSWORD_SALT_KEY, |
| 685 | LockPatternUtils.PASSWORD_HISTORY_KEY, |
Adrian Roos | 855fa30 | 2015-04-02 16:01:12 +0200 | [diff] [blame] | 686 | LockPatternUtils.PASSWORD_TYPE_KEY, |
Adrian Roos | 001b00d | 2015-02-24 17:08:48 +0100 | [diff] [blame] | 687 | }; |
| 688 | |
Amith Yamasani | 072543f | 2015-02-13 11:09:45 -0800 | [diff] [blame] | 689 | private static final String[] SETTINGS_TO_BACKUP = new String[] { |
| 690 | Secure.LOCK_SCREEN_OWNER_INFO_ENABLED, |
| 691 | Secure.LOCK_SCREEN_OWNER_INFO |
| 692 | }; |
| 693 | |
Paul Lawrence | 945490c | 2014-03-27 16:37:28 +0000 | [diff] [blame] | 694 | private IMountService getMountService() { |
| 695 | final IBinder service = ServiceManager.getService("mount"); |
| 696 | if (service != null) { |
| 697 | return IMountService.Stub.asInterface(service); |
| 698 | } |
| 699 | return null; |
| 700 | } |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 701 | |
Andres Morales | 301ea44 | 2015-04-17 09:15:47 -0700 | [diff] [blame] | 702 | private class GateKeeperDiedRecipient implements IBinder.DeathRecipient { |
| 703 | @Override |
| 704 | public void binderDied() { |
| 705 | mGateKeeperService.asBinder().unlinkToDeath(this, 0); |
| 706 | mGateKeeperService = null; |
| 707 | } |
| 708 | } |
| 709 | |
| 710 | private synchronized IGateKeeperService getGateKeeperService() |
| 711 | throws RemoteException { |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 712 | if (mGateKeeperService != null) { |
| 713 | return mGateKeeperService; |
| 714 | } |
| 715 | |
| 716 | final IBinder service = |
| 717 | ServiceManager.getService("android.service.gatekeeper.IGateKeeperService"); |
| 718 | if (service != null) { |
Andres Morales | 301ea44 | 2015-04-17 09:15:47 -0700 | [diff] [blame] | 719 | service.linkToDeath(new GateKeeperDiedRecipient(), 0); |
Andres Morales | 8fa5665 | 2015-03-31 09:19:50 -0700 | [diff] [blame] | 720 | mGateKeeperService = IGateKeeperService.Stub.asInterface(service); |
| 721 | return mGateKeeperService; |
| 722 | } |
| 723 | |
| 724 | Slog.e(TAG, "Unable to acquire GateKeeperService"); |
| 725 | return null; |
| 726 | } |
| 727 | |
Andres Morales | d9fc85a | 2015-04-09 19:14:42 -0700 | [diff] [blame] | 728 | private class VerificationFailedException extends Exception {} |
| 729 | |
Amith Yamasani | 52c489c | 2012-03-28 11:42:42 -0700 | [diff] [blame] | 730 | } |