Home | History | Annotate | Download | only in trust
      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License
     15  */
     16 
     17 package com.android.server.trust;
     18 
     19 import android.Manifest;
     20 import android.annotation.UserIdInt;
     21 import android.app.ActivityManager;
     22 import android.app.admin.DevicePolicyManager;
     23 import android.app.trust.ITrustListener;
     24 import android.app.trust.ITrustManager;
     25 import android.content.BroadcastReceiver;
     26 import android.content.ComponentName;
     27 import android.content.Context;
     28 import android.content.Intent;
     29 import android.content.IntentFilter;
     30 import android.content.pm.ApplicationInfo;
     31 import android.content.pm.PackageManager;
     32 import android.content.pm.ResolveInfo;
     33 import android.content.pm.UserInfo;
     34 import android.content.res.Resources;
     35 import android.content.res.TypedArray;
     36 import android.content.res.XmlResourceParser;
     37 import android.graphics.drawable.Drawable;
     38 import android.os.Binder;
     39 import android.os.Build;
     40 import android.os.DeadObjectException;
     41 import android.os.Handler;
     42 import android.os.IBinder;
     43 import android.os.Message;
     44 import android.os.PersistableBundle;
     45 import android.os.RemoteException;
     46 import android.os.SystemClock;
     47 import android.os.UserHandle;
     48 import android.os.UserManager;
     49 import android.os.storage.StorageManager;
     50 import android.provider.Settings;
     51 import android.service.trust.TrustAgentService;
     52 import android.text.TextUtils;
     53 import android.util.ArraySet;
     54 import android.util.AttributeSet;
     55 import android.util.Log;
     56 import android.util.Slog;
     57 import android.util.SparseBooleanArray;
     58 import android.util.Xml;
     59 import android.view.IWindowManager;
     60 import android.view.WindowManagerGlobal;
     61 import com.android.internal.annotations.GuardedBy;
     62 import com.android.internal.content.PackageMonitor;
     63 import com.android.internal.policy.IKeyguardDismissCallback;
     64 import com.android.internal.util.DumpUtils;
     65 import com.android.internal.widget.LockPatternUtils;
     66 import com.android.server.SystemService;
     67 import java.io.FileDescriptor;
     68 import java.io.IOException;
     69 import java.io.PrintWriter;
     70 import java.util.ArrayList;
     71 import java.util.List;
     72 import org.xmlpull.v1.XmlPullParser;
     73 import org.xmlpull.v1.XmlPullParserException;
     74 
     75 /**
     76  * Manages trust agents and trust listeners.
     77  *
     78  * It is responsible for binding to the enabled {@link android.service.trust.TrustAgentService}s
     79  * of each user and notifies them about events that are relevant to them.
     80  * It start and stops them based on the value of
     81  * {@link com.android.internal.widget.LockPatternUtils#getEnabledTrustAgents(int)}.
     82  *
     83  * It also keeps a set of {@link android.app.trust.ITrustListener}s that are notified whenever the
     84  * trust state changes for any user.
     85  *
     86  * Trust state and the setting of enabled agents is kept per user and each user has its own
     87  * instance of a {@link android.service.trust.TrustAgentService}.
     88  */
     89 public class TrustManagerService extends SystemService {
     90     private static final String TAG = "TrustManagerService";
     91     static final boolean DEBUG = Build.IS_DEBUGGABLE && Log.isLoggable(TAG, Log.VERBOSE);
     92 
     93     private static final Intent TRUST_AGENT_INTENT =
     94             new Intent(TrustAgentService.SERVICE_INTERFACE);
     95     private static final String PERMISSION_PROVIDE_AGENT = Manifest.permission.PROVIDE_TRUST_AGENT;
     96 
     97     private static final int MSG_REGISTER_LISTENER = 1;
     98     private static final int MSG_UNREGISTER_LISTENER = 2;
     99     private static final int MSG_DISPATCH_UNLOCK_ATTEMPT = 3;
    100     private static final int MSG_ENABLED_AGENTS_CHANGED = 4;
    101     private static final int MSG_KEYGUARD_SHOWING_CHANGED = 6;
    102     private static final int MSG_START_USER = 7;
    103     private static final int MSG_CLEANUP_USER = 8;
    104     private static final int MSG_SWITCH_USER = 9;
    105     private static final int MSG_FLUSH_TRUST_USUALLY_MANAGED = 10;
    106     private static final int MSG_UNLOCK_USER = 11;
    107     private static final int MSG_STOP_USER = 12;
    108     private static final int MSG_DISPATCH_UNLOCK_LOCKOUT = 13;
    109     private static final int MSG_REFRESH_DEVICE_LOCKED_FOR_USER = 14;
    110 
    111     private static final int TRUST_USUALLY_MANAGED_FLUSH_DELAY = 2 * 60 * 1000;
    112 
    113     private final ArraySet<AgentInfo> mActiveAgents = new ArraySet<>();
    114     private final ArrayList<ITrustListener> mTrustListeners = new ArrayList<>();
    115     private final Receiver mReceiver = new Receiver();
    116 
    117     /* package */ final TrustArchive mArchive = new TrustArchive();
    118     private final Context mContext;
    119     private final LockPatternUtils mLockPatternUtils;
    120     private final UserManager mUserManager;
    121     private final ActivityManager mActivityManager;
    122 
    123     @GuardedBy("mUserIsTrusted")
    124     private final SparseBooleanArray mUserIsTrusted = new SparseBooleanArray();
    125 
    126     @GuardedBy("mDeviceLockedForUser")
    127     private final SparseBooleanArray mDeviceLockedForUser = new SparseBooleanArray();
    128 
    129     @GuardedBy("mTrustUsuallyManagedForUser")
    130     private final SparseBooleanArray mTrustUsuallyManagedForUser = new SparseBooleanArray();
    131 
    132     // set to true only if user can skip bouncer
    133     @GuardedBy("mUsersUnlockedByFingerprint")
    134     private final SparseBooleanArray mUsersUnlockedByFingerprint = new SparseBooleanArray();
    135 
    136     private final StrongAuthTracker mStrongAuthTracker;
    137 
    138     private boolean mTrustAgentsCanRun = false;
    139     private int mCurrentUser = UserHandle.USER_SYSTEM;
    140 
    141     public TrustManagerService(Context context) {
    142         super(context);
    143         mContext = context;
    144         mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
    145         mActivityManager = (ActivityManager) mContext.getSystemService(Context.ACTIVITY_SERVICE);
    146         mLockPatternUtils = new LockPatternUtils(context);
    147         mStrongAuthTracker = new StrongAuthTracker(context);
    148     }
    149 
    150     @Override
    151     public void onStart() {
    152         publishBinderService(Context.TRUST_SERVICE, mService);
    153     }
    154 
    155     @Override
    156     public void onBootPhase(int phase) {
    157         if (isSafeMode()) {
    158             // No trust agents in safe mode.
    159             return;
    160         }
    161         if (phase == SystemService.PHASE_SYSTEM_SERVICES_READY) {
    162             mPackageMonitor.register(mContext, mHandler.getLooper(), UserHandle.ALL, true);
    163             mReceiver.register(mContext);
    164             mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);
    165         } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) {
    166             mTrustAgentsCanRun = true;
    167             refreshAgentList(UserHandle.USER_ALL);
    168             refreshDeviceLockedForUser(UserHandle.USER_ALL);
    169         } else if (phase == SystemService.PHASE_BOOT_COMPLETED) {
    170             maybeEnableFactoryTrustAgents(mLockPatternUtils, UserHandle.USER_SYSTEM);
    171         }
    172     }
    173 
    174     // Agent management
    175 
    176     private static final class AgentInfo {
    177         CharSequence label;
    178         Drawable icon;
    179         ComponentName component; // service that implements ITrustAgent
    180         SettingsAttrs settings; // setting to launch to modify agent.
    181         TrustAgentWrapper agent;
    182         int userId;
    183 
    184         @Override
    185         public boolean equals(Object other) {
    186             if (!(other instanceof AgentInfo)) {
    187                 return false;
    188             }
    189             AgentInfo o = (AgentInfo) other;
    190             return component.equals(o.component) && userId == o.userId;
    191         }
    192 
    193         @Override
    194         public int hashCode() {
    195             return component.hashCode() * 31 + userId;
    196         }
    197     }
    198 
    199     private void updateTrustAll() {
    200         List<UserInfo> userInfos = mUserManager.getUsers(true /* excludeDying */);
    201         for (UserInfo userInfo : userInfos) {
    202             updateTrust(userInfo.id, 0);
    203         }
    204     }
    205 
    206     public void updateTrust(int userId, int flags) {
    207         boolean managed = aggregateIsTrustManaged(userId);
    208         dispatchOnTrustManagedChanged(managed, userId);
    209         if (mStrongAuthTracker.isTrustAllowedForUser(userId)
    210                 && isTrustUsuallyManagedInternal(userId) != managed) {
    211             updateTrustUsuallyManaged(userId, managed);
    212         }
    213         boolean trusted = aggregateIsTrusted(userId);
    214         boolean changed;
    215         synchronized (mUserIsTrusted) {
    216             changed = mUserIsTrusted.get(userId) != trusted;
    217             mUserIsTrusted.put(userId, trusted);
    218         }
    219         dispatchOnTrustChanged(trusted, userId, flags);
    220         if (changed) {
    221             refreshDeviceLockedForUser(userId);
    222         }
    223     }
    224 
    225     private void updateTrustUsuallyManaged(int userId, boolean managed) {
    226         synchronized (mTrustUsuallyManagedForUser) {
    227             mTrustUsuallyManagedForUser.put(userId, managed);
    228         }
    229         // Wait a few minutes before committing to flash, in case the trust agent is transiently not
    230         // managing trust (crashed, needs to acknowledge DPM restrictions, etc).
    231         mHandler.removeMessages(MSG_FLUSH_TRUST_USUALLY_MANAGED);
    232         mHandler.sendMessageDelayed(
    233                 mHandler.obtainMessage(MSG_FLUSH_TRUST_USUALLY_MANAGED),
    234                 TRUST_USUALLY_MANAGED_FLUSH_DELAY);
    235     }
    236 
    237     public long addEscrowToken(byte[] token, int userId) {
    238         return mLockPatternUtils.addEscrowToken(token, userId);
    239     }
    240 
    241     public boolean removeEscrowToken(long handle, int userId) {
    242         return mLockPatternUtils.removeEscrowToken(handle, userId);
    243     }
    244 
    245     public boolean isEscrowTokenActive(long handle, int userId) {
    246         return mLockPatternUtils.isEscrowTokenActive(handle, userId);
    247     }
    248 
    249     public void unlockUserWithToken(long handle, byte[] token, int userId) {
    250         mLockPatternUtils.unlockUserWithToken(handle, token, userId);
    251     }
    252 
    253     void showKeyguardErrorMessage(CharSequence message) {
    254         dispatchOnTrustError(message);
    255     }
    256 
    257     void refreshAgentList(int userIdOrAll) {
    258         if (DEBUG) Slog.d(TAG, "refreshAgentList(" + userIdOrAll + ")");
    259         if (!mTrustAgentsCanRun) {
    260             return;
    261         }
    262         if (userIdOrAll != UserHandle.USER_ALL && userIdOrAll < UserHandle.USER_SYSTEM) {
    263             Log.e(TAG, "refreshAgentList(userId=" + userIdOrAll + "): Invalid user handle,"
    264                     + " must be USER_ALL or a specific user.", new Throwable("here"));
    265             userIdOrAll = UserHandle.USER_ALL;
    266         }
    267         PackageManager pm = mContext.getPackageManager();
    268 
    269         List<UserInfo> userInfos;
    270         if (userIdOrAll == UserHandle.USER_ALL) {
    271             userInfos = mUserManager.getUsers(true /* excludeDying */);
    272         } else {
    273             userInfos = new ArrayList<>();
    274             userInfos.add(mUserManager.getUserInfo(userIdOrAll));
    275         }
    276         LockPatternUtils lockPatternUtils = mLockPatternUtils;
    277 
    278         ArraySet<AgentInfo> obsoleteAgents = new ArraySet<>();
    279         obsoleteAgents.addAll(mActiveAgents);
    280 
    281         for (UserInfo userInfo : userInfos) {
    282             if (userInfo == null || userInfo.partial || !userInfo.isEnabled()
    283                     || userInfo.guestToRemove) continue;
    284             if (!userInfo.supportsSwitchToByUser()) {
    285                 if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    286                         + ": switchToByUser=false");
    287                 continue;
    288             }
    289             if (!mActivityManager.isUserRunning(userInfo.id)) {
    290                 if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    291                         + ": user not started");
    292                 continue;
    293             }
    294             if (!lockPatternUtils.isSecure(userInfo.id)) {
    295                 if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    296                         + ": no secure credential");
    297                 continue;
    298             }
    299 
    300             DevicePolicyManager dpm = lockPatternUtils.getDevicePolicyManager();
    301             int disabledFeatures = dpm.getKeyguardDisabledFeatures(null, userInfo.id);
    302             final boolean disableTrustAgents =
    303                     (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS) != 0;
    304 
    305             List<ComponentName> enabledAgents = lockPatternUtils.getEnabledTrustAgents(userInfo.id);
    306             if (enabledAgents == null) {
    307                 if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    308                         + ": no agents enabled by user");
    309                 continue;
    310             }
    311             List<ResolveInfo> resolveInfos = resolveAllowedTrustAgents(pm, userInfo.id);
    312             for (ResolveInfo resolveInfo : resolveInfos) {
    313                 ComponentName name = getComponentName(resolveInfo);
    314 
    315                 if (!enabledAgents.contains(name)) {
    316                     if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping "
    317                             + name.flattenToShortString() + " u"+ userInfo.id
    318                             + ": not enabled by user");
    319                     continue;
    320                 }
    321                 if (disableTrustAgents) {
    322                     List<PersistableBundle> config =
    323                             dpm.getTrustAgentConfiguration(null /* admin */, name, userInfo.id);
    324                     // Disable agent if no features are enabled.
    325                     if (config == null || config.isEmpty()) {
    326                         if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping "
    327                                 + name.flattenToShortString() + " u"+ userInfo.id
    328                                 + ": not allowed by DPM");
    329                         continue;
    330                     }
    331                 }
    332                 AgentInfo agentInfo = new AgentInfo();
    333                 agentInfo.component = name;
    334                 agentInfo.userId = userInfo.id;
    335                 if (!mActiveAgents.contains(agentInfo)) {
    336                     agentInfo.label = resolveInfo.loadLabel(pm);
    337                     agentInfo.icon = resolveInfo.loadIcon(pm);
    338                     agentInfo.settings = getSettingsAttrs(pm, resolveInfo);
    339                 } else {
    340                     int index = mActiveAgents.indexOf(agentInfo);
    341                     agentInfo = mActiveAgents.valueAt(index);
    342                 }
    343 
    344                 boolean directUnlock = resolveInfo.serviceInfo.directBootAware
    345                     && agentInfo.settings.canUnlockProfile;
    346 
    347                 if (directUnlock) {
    348                     if (DEBUG) Slog.d(TAG, "refreshAgentList: trustagent " + name
    349                             + "of user " + userInfo.id + "can unlock user profile.");
    350                 }
    351 
    352                 if (!mUserManager.isUserUnlockingOrUnlocked(userInfo.id)
    353                         && !directUnlock) {
    354                     if (DEBUG) Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    355                             + "'s trust agent " + name + ": FBE still locked and "
    356                             + " the agent cannot unlock user profile.");
    357                     continue;
    358                 }
    359 
    360                 if (!mStrongAuthTracker.canAgentsRunForUser(userInfo.id)) {
    361                     int flag = mStrongAuthTracker.getStrongAuthForUser(userInfo.id);
    362                     if (flag != StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) {
    363                         if (flag != StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_BOOT
    364                             || !directUnlock) {
    365                             if (DEBUG)
    366                                 Slog.d(TAG, "refreshAgentList: skipping user " + userInfo.id
    367                                     + ": prevented by StrongAuthTracker = 0x"
    368                                     + Integer.toHexString(mStrongAuthTracker.getStrongAuthForUser(
    369                                     userInfo.id)));
    370                             continue;
    371                         }
    372                     }
    373                 }
    374 
    375                 if (agentInfo.agent == null) {
    376                     agentInfo.agent = new TrustAgentWrapper(mContext, this,
    377                             new Intent().setComponent(name), userInfo.getUserHandle());
    378                 }
    379 
    380                 if (!mActiveAgents.contains(agentInfo)) {
    381                     mActiveAgents.add(agentInfo);
    382                 } else {
    383                     obsoleteAgents.remove(agentInfo);
    384                 }
    385             }
    386         }
    387 
    388         boolean trustMayHaveChanged = false;
    389         for (int i = 0; i < obsoleteAgents.size(); i++) {
    390             AgentInfo info = obsoleteAgents.valueAt(i);
    391             if (userIdOrAll == UserHandle.USER_ALL || userIdOrAll == info.userId) {
    392                 if (info.agent.isManagingTrust()) {
    393                     trustMayHaveChanged = true;
    394                 }
    395                 info.agent.destroy();
    396                 mActiveAgents.remove(info);
    397             }
    398         }
    399 
    400         if (trustMayHaveChanged) {
    401             if (userIdOrAll == UserHandle.USER_ALL) {
    402                 updateTrustAll();
    403             } else {
    404                 updateTrust(userIdOrAll, 0);
    405             }
    406         }
    407     }
    408 
    409     boolean isDeviceLockedInner(int userId) {
    410         synchronized (mDeviceLockedForUser) {
    411             return mDeviceLockedForUser.get(userId, true);
    412         }
    413     }
    414 
    415     private void refreshDeviceLockedForUser(int userId) {
    416         if (userId != UserHandle.USER_ALL && userId < UserHandle.USER_SYSTEM) {
    417             Log.e(TAG, "refreshDeviceLockedForUser(userId=" + userId + "): Invalid user handle,"
    418                     + " must be USER_ALL or a specific user.", new Throwable("here"));
    419             userId = UserHandle.USER_ALL;
    420         }
    421         List<UserInfo> userInfos;
    422         if (userId == UserHandle.USER_ALL) {
    423             userInfos = mUserManager.getUsers(true /* excludeDying */);
    424         } else {
    425             userInfos = new ArrayList<>();
    426             userInfos.add(mUserManager.getUserInfo(userId));
    427         }
    428 
    429         IWindowManager wm = WindowManagerGlobal.getWindowManagerService();
    430 
    431         for (int i = 0; i < userInfos.size(); i++) {
    432             UserInfo info = userInfos.get(i);
    433 
    434             if (info == null || info.partial || !info.isEnabled() || info.guestToRemove
    435                     || !info.supportsSwitchToByUser()) {
    436                 continue;
    437             }
    438 
    439             int id = info.id;
    440             boolean secure = mLockPatternUtils.isSecure(id);
    441             boolean trusted = aggregateIsTrusted(id);
    442             boolean showingKeyguard = true;
    443             boolean fingerprintAuthenticated = false;
    444 
    445             if (mCurrentUser == id) {
    446                 synchronized(mUsersUnlockedByFingerprint) {
    447                     fingerprintAuthenticated = mUsersUnlockedByFingerprint.get(id, false);
    448                 }
    449                 try {
    450                     showingKeyguard = wm.isKeyguardLocked();
    451                 } catch (RemoteException e) {
    452                 }
    453             }
    454             boolean deviceLocked = secure && showingKeyguard && !trusted &&
    455                     !fingerprintAuthenticated;
    456             setDeviceLockedForUser(id, deviceLocked);
    457         }
    458     }
    459 
    460     private void setDeviceLockedForUser(@UserIdInt int userId, boolean locked) {
    461         final boolean changed;
    462         synchronized (mDeviceLockedForUser) {
    463             changed = isDeviceLockedInner(userId) != locked;
    464             mDeviceLockedForUser.put(userId, locked);
    465         }
    466         if (changed) {
    467             dispatchDeviceLocked(userId, locked);
    468         }
    469     }
    470 
    471     private void dispatchDeviceLocked(int userId, boolean isLocked) {
    472         for (int i = 0; i < mActiveAgents.size(); i++) {
    473             AgentInfo agent = mActiveAgents.valueAt(i);
    474             if (agent.userId == userId) {
    475                 if (isLocked) {
    476                     agent.agent.onDeviceLocked();
    477                 } else{
    478                     agent.agent.onDeviceUnlocked();
    479                 }
    480             }
    481         }
    482     }
    483 
    484     void updateDevicePolicyFeatures() {
    485         boolean changed = false;
    486         for (int i = 0; i < mActiveAgents.size(); i++) {
    487             AgentInfo info = mActiveAgents.valueAt(i);
    488             if (info.agent.isConnected()) {
    489                 info.agent.updateDevicePolicyFeatures();
    490                 changed = true;
    491             }
    492         }
    493         if (changed) {
    494             mArchive.logDevicePolicyChanged();
    495         }
    496     }
    497 
    498     private void removeAgentsOfPackage(String packageName) {
    499         boolean trustMayHaveChanged = false;
    500         for (int i = mActiveAgents.size() - 1; i >= 0; i--) {
    501             AgentInfo info = mActiveAgents.valueAt(i);
    502             if (packageName.equals(info.component.getPackageName())) {
    503                 Log.i(TAG, "Resetting agent " + info.component.flattenToShortString());
    504                 if (info.agent.isManagingTrust()) {
    505                     trustMayHaveChanged = true;
    506                 }
    507                 info.agent.destroy();
    508                 mActiveAgents.removeAt(i);
    509             }
    510         }
    511         if (trustMayHaveChanged) {
    512             updateTrustAll();
    513         }
    514     }
    515 
    516     public void resetAgent(ComponentName name, int userId) {
    517         boolean trustMayHaveChanged = false;
    518         for (int i = mActiveAgents.size() - 1; i >= 0; i--) {
    519             AgentInfo info = mActiveAgents.valueAt(i);
    520             if (name.equals(info.component) && userId == info.userId) {
    521                 Log.i(TAG, "Resetting agent " + info.component.flattenToShortString());
    522                 if (info.agent.isManagingTrust()) {
    523                     trustMayHaveChanged = true;
    524                 }
    525                 info.agent.destroy();
    526                 mActiveAgents.removeAt(i);
    527             }
    528         }
    529         if (trustMayHaveChanged) {
    530             updateTrust(userId, 0);
    531         }
    532         refreshAgentList(userId);
    533     }
    534 
    535     private SettingsAttrs getSettingsAttrs(PackageManager pm, ResolveInfo resolveInfo) {
    536         if (resolveInfo == null || resolveInfo.serviceInfo == null
    537                 || resolveInfo.serviceInfo.metaData == null) return null;
    538         String cn = null;
    539         boolean canUnlockProfile = false;
    540 
    541         XmlResourceParser parser = null;
    542         Exception caughtException = null;
    543         try {
    544             parser = resolveInfo.serviceInfo.loadXmlMetaData(pm,
    545                     TrustAgentService.TRUST_AGENT_META_DATA);
    546             if (parser == null) {
    547                 Slog.w(TAG, "Can't find " + TrustAgentService.TRUST_AGENT_META_DATA + " meta-data");
    548                 return null;
    549             }
    550             Resources res = pm.getResourcesForApplication(resolveInfo.serviceInfo.applicationInfo);
    551             AttributeSet attrs = Xml.asAttributeSet(parser);
    552             int type;
    553             while ((type = parser.next()) != XmlPullParser.END_DOCUMENT
    554                     && type != XmlPullParser.START_TAG) {
    555                 // Drain preamble.
    556             }
    557             String nodeName = parser.getName();
    558             if (!"trust-agent".equals(nodeName)) {
    559                 Slog.w(TAG, "Meta-data does not start with trust-agent tag");
    560                 return null;
    561             }
    562             TypedArray sa = res
    563                     .obtainAttributes(attrs, com.android.internal.R.styleable.TrustAgent);
    564             cn = sa.getString(com.android.internal.R.styleable.TrustAgent_settingsActivity);
    565             canUnlockProfile = sa.getBoolean(
    566                     com.android.internal.R.styleable.TrustAgent_unlockProfile, false);
    567             sa.recycle();
    568         } catch (PackageManager.NameNotFoundException e) {
    569             caughtException = e;
    570         } catch (IOException e) {
    571             caughtException = e;
    572         } catch (XmlPullParserException e) {
    573             caughtException = e;
    574         } finally {
    575             if (parser != null) parser.close();
    576         }
    577         if (caughtException != null) {
    578             Slog.w(TAG, "Error parsing : " + resolveInfo.serviceInfo.packageName, caughtException);
    579             return null;
    580         }
    581         if (cn == null) {
    582             return null;
    583         }
    584         if (cn.indexOf('/') < 0) {
    585             cn = resolveInfo.serviceInfo.packageName + "/" + cn;
    586         }
    587         return new SettingsAttrs(ComponentName.unflattenFromString(cn), canUnlockProfile);
    588     }
    589 
    590     private ComponentName getComponentName(ResolveInfo resolveInfo) {
    591         if (resolveInfo == null || resolveInfo.serviceInfo == null) return null;
    592         return new ComponentName(resolveInfo.serviceInfo.packageName, resolveInfo.serviceInfo.name);
    593     }
    594 
    595     private void maybeEnableFactoryTrustAgents(LockPatternUtils utils, int userId) {
    596         if (0 != Settings.Secure.getIntForUser(mContext.getContentResolver(),
    597                 Settings.Secure.TRUST_AGENTS_INITIALIZED, 0, userId)) {
    598             return;
    599         }
    600         PackageManager pm = mContext.getPackageManager();
    601         List<ResolveInfo> resolveInfos = resolveAllowedTrustAgents(pm, userId);
    602         ComponentName defaultAgent = getDefaultFactoryTrustAgent(mContext);
    603         boolean shouldUseDefaultAgent = defaultAgent != null;
    604         ArraySet<ComponentName> discoveredAgents = new ArraySet<>();
    605 
    606         if (shouldUseDefaultAgent) {
    607             discoveredAgents.add(defaultAgent);
    608             Log.i(TAG, "Enabling " + defaultAgent + " because it is a default agent.");
    609         } else { // A default agent is not set; perform regular trust agent discovery
    610             for (ResolveInfo resolveInfo : resolveInfos) {
    611                 ComponentName componentName = getComponentName(resolveInfo);
    612                 int applicationInfoFlags = resolveInfo.serviceInfo.applicationInfo.flags;
    613                 if ((applicationInfoFlags & ApplicationInfo.FLAG_SYSTEM) == 0) {
    614                     Log.i(TAG, "Leaving agent " + componentName + " disabled because package "
    615                             + "is not a system package.");
    616                     continue;
    617                 }
    618                 discoveredAgents.add(componentName);
    619             }
    620         }
    621 
    622         List<ComponentName> previouslyEnabledAgents = utils.getEnabledTrustAgents(userId);
    623         if (previouslyEnabledAgents != null) {
    624             discoveredAgents.addAll(previouslyEnabledAgents);
    625         }
    626         utils.setEnabledTrustAgents(discoveredAgents, userId);
    627         Settings.Secure.putIntForUser(mContext.getContentResolver(),
    628                 Settings.Secure.TRUST_AGENTS_INITIALIZED, 1, userId);
    629     }
    630 
    631     /**
    632      * Returns the {@link ComponentName} for the default trust agent, or {@code null} if there
    633      * is no trust agent set.
    634      */
    635     private static ComponentName getDefaultFactoryTrustAgent(Context context) {
    636         String defaultTrustAgent = context.getResources()
    637             .getString(com.android.internal.R.string.config_defaultTrustAgent);
    638         if (TextUtils.isEmpty(defaultTrustAgent)) {
    639             return null;
    640         }
    641         return ComponentName.unflattenFromString(defaultTrustAgent);
    642     }
    643 
    644     private List<ResolveInfo> resolveAllowedTrustAgents(PackageManager pm, int userId) {
    645         List<ResolveInfo> resolveInfos = pm.queryIntentServicesAsUser(TRUST_AGENT_INTENT,
    646                 PackageManager.GET_META_DATA |
    647                 PackageManager.MATCH_DIRECT_BOOT_AWARE | PackageManager.MATCH_DIRECT_BOOT_UNAWARE,
    648                 userId);
    649         ArrayList<ResolveInfo> allowedAgents = new ArrayList<>(resolveInfos.size());
    650         for (ResolveInfo resolveInfo : resolveInfos) {
    651             if (resolveInfo.serviceInfo == null) continue;
    652             if (resolveInfo.serviceInfo.applicationInfo == null) continue;
    653             String packageName = resolveInfo.serviceInfo.packageName;
    654             if (pm.checkPermission(PERMISSION_PROVIDE_AGENT, packageName)
    655                     != PackageManager.PERMISSION_GRANTED) {
    656                 ComponentName name = getComponentName(resolveInfo);
    657                 Log.w(TAG, "Skipping agent " + name + " because package does not have"
    658                         + " permission " + PERMISSION_PROVIDE_AGENT + ".");
    659                 continue;
    660             }
    661             allowedAgents.add(resolveInfo);
    662         }
    663         return allowedAgents;
    664     }
    665 
    666     // Agent dispatch and aggregation
    667 
    668     private boolean aggregateIsTrusted(int userId) {
    669         if (!mStrongAuthTracker.isTrustAllowedForUser(userId)) {
    670             return false;
    671         }
    672         for (int i = 0; i < mActiveAgents.size(); i++) {
    673             AgentInfo info = mActiveAgents.valueAt(i);
    674             if (info.userId == userId) {
    675                 if (info.agent.isTrusted()) {
    676                     return true;
    677                 }
    678             }
    679         }
    680         return false;
    681     }
    682 
    683     private boolean aggregateIsTrustManaged(int userId) {
    684         if (!mStrongAuthTracker.isTrustAllowedForUser(userId)) {
    685             return false;
    686         }
    687         for (int i = 0; i < mActiveAgents.size(); i++) {
    688             AgentInfo info = mActiveAgents.valueAt(i);
    689             if (info.userId == userId) {
    690                 if (info.agent.isManagingTrust()) {
    691                     return true;
    692                 }
    693             }
    694         }
    695         return false;
    696     }
    697 
    698     private void dispatchUnlockAttempt(boolean successful, int userId) {
    699         if (successful) {
    700             mStrongAuthTracker.allowTrustFromUnlock(userId);
    701         }
    702 
    703         for (int i = 0; i < mActiveAgents.size(); i++) {
    704             AgentInfo info = mActiveAgents.valueAt(i);
    705             if (info.userId == userId) {
    706                 info.agent.onUnlockAttempt(successful);
    707             }
    708         }
    709     }
    710 
    711     private void dispatchUnlockLockout(int timeoutMs, int userId) {
    712         for (int i = 0; i < mActiveAgents.size(); i++) {
    713             AgentInfo info = mActiveAgents.valueAt(i);
    714             if (info.userId == userId) {
    715                 info.agent.onUnlockLockout(timeoutMs);
    716             }
    717         }
    718     }
    719 
    720     // Listeners
    721 
    722     private void addListener(ITrustListener listener) {
    723         for (int i = 0; i < mTrustListeners.size(); i++) {
    724             if (mTrustListeners.get(i).asBinder() == listener.asBinder()) {
    725                 return;
    726             }
    727         }
    728         mTrustListeners.add(listener);
    729         updateTrustAll();
    730     }
    731 
    732     private void removeListener(ITrustListener listener) {
    733         for (int i = 0; i < mTrustListeners.size(); i++) {
    734             if (mTrustListeners.get(i).asBinder() == listener.asBinder()) {
    735                 mTrustListeners.remove(i);
    736                 return;
    737             }
    738         }
    739     }
    740 
    741     private void dispatchOnTrustChanged(boolean enabled, int userId, int flags) {
    742         if (DEBUG) {
    743             Log.i(TAG, "onTrustChanged(" + enabled + ", " + userId + ", 0x"
    744                     + Integer.toHexString(flags) + ")");
    745         }
    746         if (!enabled) flags = 0;
    747         for (int i = 0; i < mTrustListeners.size(); i++) {
    748             try {
    749                 mTrustListeners.get(i).onTrustChanged(enabled, userId, flags);
    750             } catch (DeadObjectException e) {
    751                 Slog.d(TAG, "Removing dead TrustListener.");
    752                 mTrustListeners.remove(i);
    753                 i--;
    754             } catch (RemoteException e) {
    755                 Slog.e(TAG, "Exception while notifying TrustListener.", e);
    756             }
    757         }
    758     }
    759 
    760     private void dispatchOnTrustManagedChanged(boolean managed, int userId) {
    761         if (DEBUG) {
    762             Log.i(TAG, "onTrustManagedChanged(" + managed + ", " + userId + ")");
    763         }
    764         for (int i = 0; i < mTrustListeners.size(); i++) {
    765             try {
    766                 mTrustListeners.get(i).onTrustManagedChanged(managed, userId);
    767             } catch (DeadObjectException e) {
    768                 Slog.d(TAG, "Removing dead TrustListener.");
    769                 mTrustListeners.remove(i);
    770                 i--;
    771             } catch (RemoteException e) {
    772                 Slog.e(TAG, "Exception while notifying TrustListener.", e);
    773             }
    774         }
    775     }
    776 
    777     private void dispatchOnTrustError(CharSequence message) {
    778         if (DEBUG) {
    779             Log.i(TAG, "onTrustError(" + message + ")");
    780         }
    781         for (int i = 0; i < mTrustListeners.size(); i++) {
    782             try {
    783                 mTrustListeners.get(i).onTrustError(message);
    784             } catch (DeadObjectException e) {
    785                 Slog.d(TAG, "Removing dead TrustListener.");
    786                 mTrustListeners.remove(i);
    787                 i--;
    788             } catch (RemoteException e) {
    789                 Slog.e(TAG, "Exception while notifying TrustListener.", e);
    790             }
    791         }
    792     }
    793 
    794     // User lifecycle
    795 
    796     @Override
    797     public void onStartUser(int userId) {
    798         mHandler.obtainMessage(MSG_START_USER, userId, 0, null).sendToTarget();
    799     }
    800 
    801     @Override
    802     public void onCleanupUser(int userId) {
    803         mHandler.obtainMessage(MSG_CLEANUP_USER, userId, 0, null).sendToTarget();
    804     }
    805 
    806     @Override
    807     public void onSwitchUser(int userId) {
    808         mHandler.obtainMessage(MSG_SWITCH_USER, userId, 0, null).sendToTarget();
    809     }
    810 
    811     @Override
    812     public void onUnlockUser(int userId) {
    813         mHandler.obtainMessage(MSG_UNLOCK_USER, userId, 0, null).sendToTarget();
    814     }
    815 
    816     @Override
    817     public void onStopUser(@UserIdInt int userId) {
    818         mHandler.obtainMessage(MSG_STOP_USER, userId, 0, null).sendToTarget();
    819     }
    820 
    821     // Plumbing
    822 
    823     private final IBinder mService = new ITrustManager.Stub() {
    824         @Override
    825         public void reportUnlockAttempt(boolean authenticated, int userId) throws RemoteException {
    826             enforceReportPermission();
    827             mHandler.obtainMessage(MSG_DISPATCH_UNLOCK_ATTEMPT, authenticated ? 1 : 0, userId)
    828                     .sendToTarget();
    829         }
    830 
    831         @Override
    832         public void reportUnlockLockout(int timeoutMs, int userId) throws RemoteException {
    833             enforceReportPermission();
    834             mHandler.obtainMessage(MSG_DISPATCH_UNLOCK_LOCKOUT, timeoutMs, userId)
    835                     .sendToTarget();
    836         }
    837 
    838         @Override
    839         public void reportEnabledTrustAgentsChanged(int userId) throws RemoteException {
    840             enforceReportPermission();
    841             // coalesce refresh messages.
    842             mHandler.removeMessages(MSG_ENABLED_AGENTS_CHANGED);
    843             mHandler.sendEmptyMessage(MSG_ENABLED_AGENTS_CHANGED);
    844         }
    845 
    846         @Override
    847         public void reportKeyguardShowingChanged() throws RemoteException {
    848             enforceReportPermission();
    849             // coalesce refresh messages.
    850             mHandler.removeMessages(MSG_KEYGUARD_SHOWING_CHANGED);
    851             mHandler.sendEmptyMessage(MSG_KEYGUARD_SHOWING_CHANGED);
    852 
    853             // Make sure handler processes the message before returning, such that isDeviceLocked
    854             // after this call will retrieve the correct value.
    855             mHandler.runWithScissors(() -> {}, 0);
    856         }
    857 
    858         @Override
    859         public void registerTrustListener(ITrustListener trustListener) throws RemoteException {
    860             enforceListenerPermission();
    861             mHandler.obtainMessage(MSG_REGISTER_LISTENER, trustListener).sendToTarget();
    862         }
    863 
    864         @Override
    865         public void unregisterTrustListener(ITrustListener trustListener) throws RemoteException {
    866             enforceListenerPermission();
    867             mHandler.obtainMessage(MSG_UNREGISTER_LISTENER, trustListener).sendToTarget();
    868         }
    869 
    870         @Override
    871         public boolean isDeviceLocked(int userId) throws RemoteException {
    872             userId = ActivityManager.handleIncomingUser(getCallingPid(), getCallingUid(), userId,
    873                     false /* allowAll */, true /* requireFull */, "isDeviceLocked", null);
    874 
    875             long token = Binder.clearCallingIdentity();
    876             try {
    877                 if (!mLockPatternUtils.isSeparateProfileChallengeEnabled(userId)) {
    878                     userId = resolveProfileParent(userId);
    879                 }
    880                 return isDeviceLockedInner(userId);
    881             } finally {
    882                 Binder.restoreCallingIdentity(token);
    883             }
    884         }
    885 
    886         @Override
    887         public boolean isDeviceSecure(int userId) throws RemoteException {
    888             userId = ActivityManager.handleIncomingUser(getCallingPid(), getCallingUid(), userId,
    889                     false /* allowAll */, true /* requireFull */, "isDeviceSecure", null);
    890 
    891             long token = Binder.clearCallingIdentity();
    892             try {
    893                 if (!mLockPatternUtils.isSeparateProfileChallengeEnabled(userId)) {
    894                     userId = resolveProfileParent(userId);
    895                 }
    896                 return mLockPatternUtils.isSecure(userId);
    897             } finally {
    898                 Binder.restoreCallingIdentity(token);
    899             }
    900         }
    901 
    902         private void enforceReportPermission() {
    903             mContext.enforceCallingOrSelfPermission(
    904                     Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE, "reporting trust events");
    905         }
    906 
    907         private void enforceListenerPermission() {
    908             mContext.enforceCallingPermission(Manifest.permission.TRUST_LISTENER,
    909                     "register trust listener");
    910         }
    911 
    912         @Override
    913         protected void dump(FileDescriptor fd, final PrintWriter fout, String[] args) {
    914             if (!DumpUtils.checkDumpPermission(mContext, TAG, fout)) return;
    915             if (isSafeMode()) {
    916                 fout.println("disabled because the system is in safe mode.");
    917                 return;
    918             }
    919             if (!mTrustAgentsCanRun) {
    920                 fout.println("disabled because the third-party apps can't run yet.");
    921                 return;
    922             }
    923             final List<UserInfo> userInfos = mUserManager.getUsers(true /* excludeDying */);
    924             mHandler.runWithScissors(new Runnable() {
    925                 @Override
    926                 public void run() {
    927                     fout.println("Trust manager state:");
    928                     for (UserInfo user : userInfos) {
    929                         dumpUser(fout, user, user.id == mCurrentUser);
    930                     }
    931                 }
    932             }, 1500);
    933         }
    934 
    935         private void dumpUser(PrintWriter fout, UserInfo user, boolean isCurrent) {
    936             fout.printf(" User \"%s\" (id=%d, flags=%#x)",
    937                     user.name, user.id, user.flags);
    938             if (!user.supportsSwitchToByUser()) {
    939                 fout.println("(managed profile)");
    940                 fout.println("   disabled because switching to this user is not possible.");
    941                 return;
    942             }
    943             if (isCurrent) {
    944                 fout.print(" (current)");
    945             }
    946             fout.print(": trusted=" + dumpBool(aggregateIsTrusted(user.id)));
    947             fout.print(", trustManaged=" + dumpBool(aggregateIsTrustManaged(user.id)));
    948             fout.print(", deviceLocked=" + dumpBool(isDeviceLockedInner(user.id)));
    949             fout.print(", strongAuthRequired=" + dumpHex(
    950                     mStrongAuthTracker.getStrongAuthForUser(user.id)));
    951             fout.println();
    952             fout.println("   Enabled agents:");
    953             boolean duplicateSimpleNames = false;
    954             ArraySet<String> simpleNames = new ArraySet<String>();
    955             for (AgentInfo info : mActiveAgents) {
    956                 if (info.userId != user.id) { continue; }
    957                 boolean trusted = info.agent.isTrusted();
    958                 fout.print("    "); fout.println(info.component.flattenToShortString());
    959                 fout.print("     bound=" + dumpBool(info.agent.isBound()));
    960                 fout.print(", connected=" + dumpBool(info.agent.isConnected()));
    961                 fout.print(", managingTrust=" + dumpBool(info.agent.isManagingTrust()));
    962                 fout.print(", trusted=" + dumpBool(trusted));
    963                 fout.println();
    964                 if (trusted) {
    965                     fout.println("      message=\"" + info.agent.getMessage() + "\"");
    966                 }
    967                 if (!info.agent.isConnected()) {
    968                     String restartTime = TrustArchive.formatDuration(
    969                             info.agent.getScheduledRestartUptimeMillis()
    970                                     - SystemClock.uptimeMillis());
    971                     fout.println("      restartScheduledAt=" + restartTime);
    972                 }
    973                 if (!simpleNames.add(TrustArchive.getSimpleName(info.component))) {
    974                     duplicateSimpleNames = true;
    975                 }
    976             }
    977             fout.println("   Events:");
    978             mArchive.dump(fout, 50, user.id, "    " /* linePrefix */, duplicateSimpleNames);
    979             fout.println();
    980         }
    981 
    982         private String dumpBool(boolean b) {
    983             return b ? "1" : "0";
    984         }
    985 
    986         private String dumpHex(int i) {
    987             return "0x" + Integer.toHexString(i);
    988         }
    989 
    990         @Override
    991         public void setDeviceLockedForUser(int userId, boolean locked) {
    992             enforceReportPermission();
    993             final long identity = Binder.clearCallingIdentity();
    994             try {
    995                 if (mLockPatternUtils.isSeparateProfileChallengeEnabled(userId)) {
    996                     synchronized (mDeviceLockedForUser) {
    997                         mDeviceLockedForUser.put(userId, locked);
    998                     }
    999                     if (locked) {
   1000                         try {
   1001                             ActivityManager.getService().notifyLockedProfile(userId);
   1002                         } catch (RemoteException e) {
   1003                         }
   1004                     }
   1005                     final Intent lockIntent = new Intent(Intent.ACTION_DEVICE_LOCKED_CHANGED);
   1006                     lockIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
   1007                     lockIntent.putExtra(Intent.EXTRA_USER_HANDLE, userId);
   1008                     mContext.sendBroadcastAsUser(lockIntent, UserHandle.SYSTEM,
   1009                             Manifest.permission.TRUST_LISTENER, /* options */ null);
   1010                 }
   1011             } finally {
   1012                 Binder.restoreCallingIdentity(identity);
   1013             }
   1014         }
   1015 
   1016         @Override
   1017         public boolean isTrustUsuallyManaged(int userId) {
   1018             mContext.enforceCallingPermission(Manifest.permission.TRUST_LISTENER,
   1019                     "query trust state");
   1020             return isTrustUsuallyManagedInternal(userId);
   1021         }
   1022 
   1023         @Override
   1024         public void unlockedByFingerprintForUser(int userId) {
   1025             enforceReportPermission();
   1026             synchronized(mUsersUnlockedByFingerprint) {
   1027                 mUsersUnlockedByFingerprint.put(userId, true);
   1028             }
   1029             mHandler.obtainMessage(MSG_REFRESH_DEVICE_LOCKED_FOR_USER, userId,
   1030                     0 /* arg2 */).sendToTarget();
   1031         }
   1032 
   1033         @Override
   1034         public void clearAllFingerprints() {
   1035             enforceReportPermission();
   1036             synchronized(mUsersUnlockedByFingerprint) {
   1037                 mUsersUnlockedByFingerprint.clear();
   1038             }
   1039             mHandler.obtainMessage(MSG_REFRESH_DEVICE_LOCKED_FOR_USER, UserHandle.USER_ALL,
   1040                     0 /* arg2 */).sendToTarget();
   1041         }
   1042     };
   1043 
   1044     private boolean isTrustUsuallyManagedInternal(int userId) {
   1045         synchronized (mTrustUsuallyManagedForUser) {
   1046             int i = mTrustUsuallyManagedForUser.indexOfKey(userId);
   1047             if (i >= 0) {
   1048                 return mTrustUsuallyManagedForUser.valueAt(i);
   1049             }
   1050         }
   1051         // It's not in memory yet, get the value from persisted storage instead
   1052         boolean persistedValue = mLockPatternUtils.isTrustUsuallyManaged(userId);
   1053         synchronized (mTrustUsuallyManagedForUser) {
   1054             int i = mTrustUsuallyManagedForUser.indexOfKey(userId);
   1055             if (i >= 0) {
   1056                 // Someone set the trust usually managed in the mean time. Better use that.
   1057                 return mTrustUsuallyManagedForUser.valueAt(i);
   1058             } else {
   1059                 // .. otherwise it's safe to cache the fetched value now.
   1060                 mTrustUsuallyManagedForUser.put(userId, persistedValue);
   1061                 return persistedValue;
   1062             }
   1063         }
   1064     }
   1065 
   1066     private int resolveProfileParent(int userId) {
   1067         long identity = Binder.clearCallingIdentity();
   1068         try {
   1069             UserInfo parent = mUserManager.getProfileParent(userId);
   1070             if (parent != null) {
   1071                 return parent.getUserHandle().getIdentifier();
   1072             }
   1073             return userId;
   1074         } finally {
   1075             Binder.restoreCallingIdentity(identity);
   1076         }
   1077     }
   1078 
   1079     private final Handler mHandler = new Handler() {
   1080         @Override
   1081         public void handleMessage(Message msg) {
   1082             switch (msg.what) {
   1083                 case MSG_REGISTER_LISTENER:
   1084                     addListener((ITrustListener) msg.obj);
   1085                     break;
   1086                 case MSG_UNREGISTER_LISTENER:
   1087                     removeListener((ITrustListener) msg.obj);
   1088                     break;
   1089                 case MSG_DISPATCH_UNLOCK_ATTEMPT:
   1090                     dispatchUnlockAttempt(msg.arg1 != 0, msg.arg2);
   1091                     break;
   1092                 case MSG_DISPATCH_UNLOCK_LOCKOUT:
   1093                     dispatchUnlockLockout(msg.arg1, msg.arg2);
   1094                     break;
   1095                 case MSG_ENABLED_AGENTS_CHANGED:
   1096                     refreshAgentList(UserHandle.USER_ALL);
   1097                     // This is also called when the security mode of a user changes.
   1098                     refreshDeviceLockedForUser(UserHandle.USER_ALL);
   1099                     break;
   1100                 case MSG_KEYGUARD_SHOWING_CHANGED:
   1101                     refreshDeviceLockedForUser(mCurrentUser);
   1102                     break;
   1103                 case MSG_START_USER:
   1104                 case MSG_CLEANUP_USER:
   1105                 case MSG_UNLOCK_USER:
   1106                     refreshAgentList(msg.arg1);
   1107                     break;
   1108                 case MSG_SWITCH_USER:
   1109                     mCurrentUser = msg.arg1;
   1110                     refreshDeviceLockedForUser(UserHandle.USER_ALL);
   1111                     break;
   1112                 case MSG_STOP_USER:
   1113                     setDeviceLockedForUser(msg.arg1, true);
   1114                     break;
   1115                 case MSG_FLUSH_TRUST_USUALLY_MANAGED:
   1116                     SparseBooleanArray usuallyManaged;
   1117                     synchronized (mTrustUsuallyManagedForUser) {
   1118                         usuallyManaged = mTrustUsuallyManagedForUser.clone();
   1119                     }
   1120 
   1121                     for (int i = 0; i < usuallyManaged.size(); i++) {
   1122                         int userId = usuallyManaged.keyAt(i);
   1123                         boolean value = usuallyManaged.valueAt(i);
   1124                         if (value != mLockPatternUtils.isTrustUsuallyManaged(userId)) {
   1125                             mLockPatternUtils.setTrustUsuallyManaged(value, userId);
   1126                         }
   1127                     }
   1128                     break;
   1129                 case MSG_REFRESH_DEVICE_LOCKED_FOR_USER:
   1130                     refreshDeviceLockedForUser(msg.arg1);
   1131                     break;
   1132             }
   1133         }
   1134     };
   1135 
   1136     private final PackageMonitor mPackageMonitor = new PackageMonitor() {
   1137         @Override
   1138         public void onSomePackagesChanged() {
   1139             refreshAgentList(UserHandle.USER_ALL);
   1140         }
   1141 
   1142         @Override
   1143         public boolean onPackageChanged(String packageName, int uid, String[] components) {
   1144             // We're interested in all changes, even if just some components get enabled / disabled.
   1145             return true;
   1146         }
   1147 
   1148         @Override
   1149         public void onPackageDisappeared(String packageName, int reason) {
   1150             removeAgentsOfPackage(packageName);
   1151         }
   1152     };
   1153 
   1154     private static class SettingsAttrs {
   1155         public ComponentName componentName;
   1156         public boolean canUnlockProfile;
   1157 
   1158         public SettingsAttrs(
   1159                 ComponentName componentName,
   1160                 boolean canUnlockProfile) {
   1161             this.componentName = componentName;
   1162             this.canUnlockProfile = canUnlockProfile;
   1163         }
   1164     };
   1165 
   1166     private class Receiver extends BroadcastReceiver {
   1167 
   1168         @Override
   1169         public void onReceive(Context context, Intent intent) {
   1170             String action = intent.getAction();
   1171             if (DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED.equals(action)) {
   1172                 refreshAgentList(getSendingUserId());
   1173                 updateDevicePolicyFeatures();
   1174             } else if (Intent.ACTION_USER_ADDED.equals(action)) {
   1175                 int userId = getUserId(intent);
   1176                 if (userId > 0) {
   1177                     maybeEnableFactoryTrustAgents(mLockPatternUtils, userId);
   1178                 }
   1179             } else if (Intent.ACTION_USER_REMOVED.equals(action)) {
   1180                 int userId = getUserId(intent);
   1181                 if (userId > 0) {
   1182                     synchronized (mUserIsTrusted) {
   1183                         mUserIsTrusted.delete(userId);
   1184                     }
   1185                     synchronized (mDeviceLockedForUser) {
   1186                         mDeviceLockedForUser.delete(userId);
   1187                     }
   1188                     synchronized (mTrustUsuallyManagedForUser) {
   1189                         mTrustUsuallyManagedForUser.delete(userId);
   1190                     }
   1191                     synchronized (mUsersUnlockedByFingerprint) {
   1192                         mUsersUnlockedByFingerprint.delete(userId);
   1193                     }
   1194                     refreshAgentList(userId);
   1195                     refreshDeviceLockedForUser(userId);
   1196                 }
   1197             }
   1198         }
   1199 
   1200         private int getUserId(Intent intent) {
   1201             int userId = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, -100);
   1202             if (userId > 0) {
   1203                 return userId;
   1204             } else {
   1205                 Slog.wtf(TAG, "EXTRA_USER_HANDLE missing or invalid, value=" + userId);
   1206                 return -100;
   1207             }
   1208         }
   1209 
   1210         public void register(Context context) {
   1211             IntentFilter filter = new IntentFilter();
   1212             filter.addAction(DevicePolicyManager.ACTION_DEVICE_POLICY_MANAGER_STATE_CHANGED);
   1213             filter.addAction(Intent.ACTION_USER_ADDED);
   1214             filter.addAction(Intent.ACTION_USER_REMOVED);
   1215             context.registerReceiverAsUser(this,
   1216                     UserHandle.ALL,
   1217                     filter,
   1218                     null /* permission */,
   1219                     null /* scheduler */);
   1220         }
   1221     }
   1222 
   1223     private class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
   1224 
   1225         SparseBooleanArray mStartFromSuccessfulUnlock = new SparseBooleanArray();
   1226 
   1227         public StrongAuthTracker(Context context) {
   1228             super(context);
   1229         }
   1230 
   1231         @Override
   1232         public void onStrongAuthRequiredChanged(int userId) {
   1233             mStartFromSuccessfulUnlock.delete(userId);
   1234 
   1235             if (DEBUG) {
   1236                 Log.i(TAG, "onStrongAuthRequiredChanged(" + userId + ") ->"
   1237                         + " trustAllowed=" + isTrustAllowedForUser(userId)
   1238                         + " agentsCanRun=" + canAgentsRunForUser(userId));
   1239             }
   1240 
   1241             refreshAgentList(userId);
   1242 
   1243             // The list of active trust agents may not have changed, if there was a previous call
   1244             // to allowTrustFromUnlock, so we update the trust here too.
   1245             updateTrust(userId, 0 /* flags */);
   1246         }
   1247 
   1248         boolean canAgentsRunForUser(int userId) {
   1249             return mStartFromSuccessfulUnlock.get(userId)
   1250                     || super.isTrustAllowedForUser(userId);
   1251         }
   1252 
   1253         /**
   1254          * Temporarily suppress strong auth requirements for {@param userId} until strong auth
   1255          * changes again. Must only be called when we know about a successful unlock already
   1256          * before the underlying StrongAuthTracker.
   1257          *
   1258          * Note that this only changes whether trust agents can be started, not the actual trusted
   1259          * value.
   1260          */
   1261         void allowTrustFromUnlock(int userId) {
   1262             if (userId < UserHandle.USER_SYSTEM) {
   1263                 throw new IllegalArgumentException("userId must be a valid user: " + userId);
   1264             }
   1265             boolean previous = canAgentsRunForUser(userId);
   1266             mStartFromSuccessfulUnlock.put(userId, true);
   1267 
   1268             if (DEBUG) {
   1269                 Log.i(TAG, "allowTrustFromUnlock(" + userId + ") ->"
   1270                         + " trustAllowed=" + isTrustAllowedForUser(userId)
   1271                         + " agentsCanRun=" + canAgentsRunForUser(userId));
   1272             }
   1273 
   1274             if (canAgentsRunForUser(userId) != previous) {
   1275                 refreshAgentList(userId);
   1276             }
   1277         }
   1278     }
   1279 }
   1280