Fix 2737842: disable keyguard API when device policy is enabled.

This fix disables KeyguardManager's enable/disable API when any
device policy admin requests a policy that enforces a password.

Change-Id: Idb1da16b14ed8963142f7b1f62d2b060d84ffa65

Author: Jim Miller

core/java/android/app/KeyguardManager.java

@@ -53,6 +53,9 @@ public class KeyguardLock {
          *
          * A good place to call this is from {@link android.app.Activity#onResume()}
          *
+         * Note: This call has no effect while any {@link DevicePolicyManager} is enabled
+         * that requires a password.
+         *
          * @see #reenableKeyguard()
          */
         public void disableKeyguard() {
@@ -66,7 +69,10 @@ public void disableKeyguard() {
          * Reenable the keyguard.  The keyguard will reappear if the previous
          * call to {@link #disableKeyguard()} caused it it to be hidden.
          *
-         * A good place to call this is from {@link android.app.Activity#onPause()} 
+         * A good place to call this is from {@link android.app.Activity#onPause()}
+         *
+         * Note: This call has no effect while any {@link DevicePolicyManager} is enabled
+         * that requires a password.
          *
          * @see #disableKeyguard()
          */

services/java/com/android/server/WindowManagerService.java

@@ -54,6 +54,7 @@
 import android.Manifest;
 import android.app.ActivityManagerNative;
 import android.app.IActivityManager;
+import android.app.admin.DevicePolicyManager;
 import android.content.Context;
 import android.content.pm.ActivityInfo;
 import android.content.pm.PackageManager;
@@ -86,6 +87,7 @@
 import android.provider.Settings;
 import android.util.DisplayMetrics;
 import android.util.EventLog;
+import android.util.Log;
 import android.util.Slog;
 import android.util.SparseIntArray;
 import android.view.Display;
@@ -4171,13 +4173,31 @@ public void moveAppTokensToBottom(List<IBinder> tokens) {
     // Misc IWindowSession methods
     // -------------------------------------------------------------
 
+    private boolean allowDisableKeyguard()
+    {
+        // We fail safe if this gets called before the service has started.
+        boolean allow = false;
+        DevicePolicyManager dpm = (DevicePolicyManager) mContext.getSystemService(
+                Context.DEVICE_POLICY_SERVICE);
+        if (dpm != null) {
+            allow = dpm.getPasswordQuality(null)
+                    == DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
+        }
+        return allow;
+    }
+
     public void disableKeyguard(IBinder token, String tag) {
         if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.DISABLE_KEYGUARD)
             != PackageManager.PERMISSION_GRANTED) {
             throw new SecurityException("Requires DISABLE_KEYGUARD permission");
         }
-        synchronized (mKeyguardTokenWatcher) {
-            mKeyguardTokenWatcher.acquire(token, tag);
+
+        if (allowDisableKeyguard()) {
+            synchronized (mKeyguardTokenWatcher) {
+                mKeyguardTokenWatcher.acquire(token, tag);
+            }
+        } else {
+            Log.w(TAG, tag + ": disableKeyguard() ignored while DevicePolicyAmin is enabled.");
         }
     }
 
@@ -4186,25 +4206,30 @@ public void reenableKeyguard(IBinder token) {
             != PackageManager.PERMISSION_GRANTED) {
             throw new SecurityException("Requires DISABLE_KEYGUARD permission");
         }
-        synchronized (mKeyguardTokenWatcher) {
-            mKeyguardTokenWatcher.release(token);
-
-            if (!mKeyguardTokenWatcher.isAcquired()) {
-                // If we are the last one to reenable the keyguard wait until
-                // we have actaully finished reenabling until returning.
-                // It is possible that reenableKeyguard() can be called before
-                // the previous disableKeyguard() is handled, in which case
-                // neither mKeyguardTokenWatcher.acquired() or released() would
-                // be called.  In that case mKeyguardDisabled will be false here
-                // and we have nothing to wait for.
-                while (mKeyguardDisabled) {
-                    try {
-                        mKeyguardTokenWatcher.wait();
-                    } catch (InterruptedException e) {
-                        Thread.currentThread().interrupt();
+
+        if (allowDisableKeyguard()) {
+            synchronized (mKeyguardTokenWatcher) {
+                mKeyguardTokenWatcher.release(token);
+
+                if (!mKeyguardTokenWatcher.isAcquired()) {
+                    // If we are the last one to reenable the keyguard wait until
+                    // we have actaully finished reenabling until returning.
+                    // It is possible that reenableKeyguard() can be called before
+                    // the previous disableKeyguard() is handled, in which case
+                    // neither mKeyguardTokenWatcher.acquired() or released() would
+                    // be called.  In that case mKeyguardDisabled will be false here
+                    // and we have nothing to wait for.
+                    while (mKeyguardDisabled) {
+                        try {
+                            mKeyguardTokenWatcher.wait();
+                        } catch (InterruptedException e) {
+                            Thread.currentThread().interrupt();
+                        }
                     }
                 }
             }
+        } else {
+            Log.w(TAG, "reenableKeyguard() ignored while DevicePolicyAmin is enabled.");
         }
     }