2 files changed, 34 insertions, 4 deletions

diff --git a/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java b/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java
index d38ee678c7aa..7950fcf7234c 100644
--- a/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java
+++ b/services/core/java/com/android/server/locksettings/ManagedProfilePasswordCache.java
@@ -104,8 +104,6 @@ public class ManagedProfilePasswordCache {
                         // Generate auth-bound key to user 0 (since we the caller is user 0)
                         .setUserAuthenticationRequired(true)
                         .setUserAuthenticationValidityDurationSeconds(CACHE_TIMEOUT_SECONDS)
-                        // Only accessible after user 0's keyguard is unlocked
-                        .setUnlockedDeviceRequired(true)
                         .build());
                 key = generator.generateKey();
             } catch (GeneralSecurityException e) {
@@ -171,10 +169,14 @@ public class ManagedProfilePasswordCache {
     public void removePassword(int userId) {
         synchronized (mEncryptedPasswords) {
             String keyName = getEncryptionKeyName(userId);
+            String legacyKeyName = getLegacyEncryptionKeyName(userId);
             try {
                 if (mKeyStore.containsAlias(keyName)) {
                     mKeyStore.deleteEntry(keyName);
                 }
+                if (mKeyStore.containsAlias(legacyKeyName)) {
+                    mKeyStore.deleteEntry(legacyKeyName);
+                }
             } catch (KeyStoreException e) {
                 Slog.d(TAG, "Cannot delete key", e);
             }
@@ -186,6 +188,14 @@ public class ManagedProfilePasswordCache {
     }
 
     private static String getEncryptionKeyName(int userId) {
+        return "com.android.server.locksettings.unified_profile_cache_v2_" + userId;
+    }
+
+    /**
+     * Returns the legacy keystore key name when setUnlockedDeviceRequired() was set explicitly.
+     * Only existed during Android 11 internal testing period.
+     */
+    private static String getLegacyEncryptionKeyName(int userId) {
         return "com.android.server.locksettings.unified_profile_cache_" + userId;
     }
 }
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 40fa798309c1..2a6997cba4bb 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -989,6 +989,15 @@ public class UserManagerService extends IUserManager.Stub {
 
         ensureCanModifyQuietMode(
                 callingPackage, Binder.getCallingUid(), userId, target != null, dontAskCredential);
+
+        if (onlyIfCredentialNotRequired && callingPackage.equals(
+                getPackageManagerInternal().getSystemUiServiceComponent().getPackageName())) {
+            // This is to prevent SysUI from accidentally allowing the profile to turned on
+            // without password when keyguard is still locked.
+            throw new SecurityException("SystemUI is not allowed to set "
+                    + "QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED");
+        }
+
         final long identity = Binder.clearCallingIdentity();
         try {
             if (enableQuietMode) {
@@ -996,7 +1005,17 @@ public class UserManagerService extends IUserManager.Stub {
                         userId, true /* enableQuietMode */, target, callingPackage);
                 return true;
             }
-            mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId);
+            if (mLockPatternUtils.isManagedProfileWithUnifiedChallenge(userId)) {
+                KeyguardManager km = mContext.getSystemService(KeyguardManager.class);
+                // Normally only attempt to auto-unlock unified challenge if keyguard is not showing
+                // (to stop turning profile on automatically via the QS tile), except when we
+                // are called with QUIET_MODE_DISABLE_ONLY_IF_CREDENTIAL_NOT_REQUIRED, in which
+                // case always attempt to auto-unlock.
+                if (!km.isDeviceLocked(mLocalService.getProfileParentId(userId))
+                        || onlyIfCredentialNotRequired) {
+                    mLockPatternUtils.tryUnlockWithCachedUnifiedChallenge(userId);
+                }
+            }
             final boolean needToShowConfirmCredential = !dontAskCredential
                     && mLockPatternUtils.isSecure(userId)
                     && !StorageManager.isUserKeyUnlocked(userId);
@@ -1029,6 +1048,8 @@ public class UserManagerService extends IUserManager.Stub {
      */
     private void ensureCanModifyQuietMode(String callingPackage, int callingUid,
             @UserIdInt int targetUserId, boolean startIntent, boolean dontAskCredential) {
+        verifyCallingPackage(callingPackage, callingUid);
+
         if (hasManageUsersPermission()) {
             return;
         }
@@ -1050,7 +1071,6 @@ public class UserManagerService extends IUserManager.Stub {
             return;
         }
 
-        verifyCallingPackage(callingPackage, callingUid);
         final ShortcutServiceInternal shortcutInternal =
                 LocalServices.getService(ShortcutServiceInternal.class);
         if (shortcutInternal != null) {