Add option to ignore tklock removal while device lock is active

The tklock status more or less equals "lockscreen is active". And
removing tklock switches from lockscreen to home/app view. This
is problematic if device unlocking should happen in the context of
the lockscreen as power key actions / random tklock request from
applications could effectively bypass the device lock.

Add configuration setting "devicelock is in lockscreen". While the
setting is enabled, mce will not allow removal of tklock while
device lock is active.

By the default the setting is disabled.

Changing the setting should happen via installing configuration file
to /etc/mce directory if (and only if) the ui side actually implements
device unlocking within lockscreen.

The option can also be toggled via mcetool. But since inappropriate
use can make the device unlockable from ui, the mcetool option is
flagged as dangerous and interactive confirmation is required.

[mce] Add option to ignore tklock removal while device lock is active. Fixes JB#26525

builtin-gconf.c

@@ -1209,6 +1209,11 @@ static const setting_t gconf_defaults[] =
     .type = "b",
     .def  = G_STRINGIFY(PROXIMITY_BLOCKS_TOUCH_DEFAULT),
   },
+  {
+    .key  = MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN,
+    .type = "b",
+    .def  = G_STRINGIFY(DEFAULT_DEVICELOCK_IN_LOCKSCREEN),
+  },
   {
     // MCE_GCONF_BLANKING_INHIBIT_MODE @ modules/display.h
     .key  = "/system/osso/dsm/display/inhibit_blank_mode",

tklock.c

@@ -353,6 +353,12 @@ extern void     mce_tklock_exit(void);
  * gconf settings
  * ========================================================================= */
 
+/** Flag: Devicelock is handled in lockscreen */
+static gboolean tklock_devicelock_in_lockscreen = DEFAULT_DEVICELOCK_IN_LOCKSCREEN;
+
+/** GConf callback ID for tklock_devicelock_in_lockscreen */
+static guint tklock_devicelock_in_lockscreen_cb_id = 0;
+
 /** Flag: Automatically lock (after ON->DIM->OFF cycle) */
 static gboolean tk_autolock_enabled = DEFAULT_TK_AUTOLOCK;
 /** GConf callback ID for tk_autolock_enabled */
@@ -3621,6 +3627,12 @@ static void tklock_gconf_cb(GConfClient *const gcc, const guint id,
         mce_log(LL_NOTICE, "tklock_lpmui_triggering: %d -> %d",
                 old, tklock_lpmui_triggering);
     }
+    else if( id == tklock_devicelock_in_lockscreen_cb_id ) {
+        gboolean old = tklock_devicelock_in_lockscreen;
+        tklock_devicelock_in_lockscreen = gconf_value_get_bool(gcv);
+        mce_log(LL_NOTICE, "tklock_devicelock_in_lockscreen: %d -> %d",
+                old, tklock_devicelock_in_lockscreen);
+    }
     else {
         mce_log(LL_WARN, "Spurious GConf value received; confused!");
     }
@@ -3677,6 +3689,13 @@ static void tklock_gconf_init(void)
                          PROXIMITY_BLOCKS_TOUCH_DEFAULT,
                          tklock_gconf_cb,
                          &proximity_blocks_touch_cb_id);
+
+    /* Devicelock is in lockscreen */
+    mce_gconf_track_bool(MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN,
+                         &tklock_devicelock_in_lockscreen,
+                         DEFAULT_DEVICELOCK_IN_LOCKSCREEN,
+                         tklock_gconf_cb,
+                         &tklock_devicelock_in_lockscreen_cb_id);
 }
 
 /** Remove gconf change notifiers
@@ -3700,6 +3719,9 @@ static void tklock_gconf_quit(void)
 
     mce_gconf_notifier_remove(proximity_blocks_touch_cb_id),
         proximity_blocks_touch_cb_id = 0;
+
+    mce_gconf_notifier_remove(tklock_devicelock_in_lockscreen_cb_id),
+        tklock_devicelock_in_lockscreen_cb_id = 0;
 }
 
 /* ========================================================================= *
@@ -3946,6 +3968,7 @@ static void tklock_ui_notify_schdule(void)
 
 static void tklock_ui_set(bool enable)
 {
+    /* Filter request based on device state */
     if( enable ) {
         if( system_state != MCE_STATE_USER ) {
             mce_log(LL_INFO, "deny tklock; not in user mode");
@@ -3961,13 +3984,29 @@ static void tklock_ui_set(bool enable)
         }
     }
 
-    if( tklock_ui_enabled != enable ) {
-        if( (tklock_ui_enabled = enable) )
-            mce_add_submode_int32(MCE_TKLOCK_SUBMODE);
-        else
-            mce_rem_submode_int32(MCE_TKLOCK_SUBMODE);
+    /* Skip if there would be no change */
+    if( tklock_ui_enabled == enable )
+        goto EXIT;
+
+    /* If device lock is handled in lockscreen, we must not
+     * allow *removing* of tklock (=move away from lockscreen)
+     * while device lock is still active. */
+    if( tklock_devicelock_in_lockscreen &&
+        device_lock_state == DEVICE_LOCK_LOCKED && !enable ) {
+        mce_log(LL_WARN, "deny tkunlock; devicelock is active");
+        goto EXIT;
     }
 
+    /* Activate the new tklock state */
+    if( (tklock_ui_enabled = enable) )
+        mce_add_submode_int32(MCE_TKLOCK_SUBMODE);
+    else
+        mce_rem_submode_int32(MCE_TKLOCK_SUBMODE);
+
+EXIT:
+    /* Schedule notification attempt even if there is no change,
+     * so that ui side is not left thinking that a tklock request
+     * it made was accepted. */
     tklock_ui_notify_schdule();
 }
 

tklock.h

@@ -108,6 +108,12 @@ typedef enum
 /** Default value for can block touch input GConf setting */
 # define PROXIMITY_BLOCKS_TOUCH_DEFAULT         false
 
+/** Devicelock is in lockscreen GConf setting */
+# define MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN     MCE_GCONF_LOCK_PATH "/devicelock_in_lockscreen"
+
+/** Default value for MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN */
+# define DEFAULT_DEVICELOCK_IN_LOCKSCREEN       false
+
 /** Automatic lpm triggering modes */
 enum
 {

tools/mcetool.c

@@ -2583,6 +2583,68 @@ static void xmce_get_autolock_mode(void)
         printf("%-"PAD1"s %s\n", "Touchscreen/Keypad autolock:", txt);
 }
 
+/* ------------------------------------------------------------------------- *
+ * devicelock_in_lockscreen
+ * ------------------------------------------------------------------------- */
+
+static bool interactive_confirmation(const char *positive)
+{
+        if( !isatty(STDIN_FILENO) ) {
+                printf("\nstdin is not a tty\n");
+                return false;
+        }
+
+        char buff[64];
+
+        fflush(stdout);
+
+        if( !fgets(buff, sizeof buff, stdin) ) {
+                printf("\n");
+                return false;
+        }
+
+        buff[strcspn(buff, "\r\n")] = 0;
+
+        return !strcmp(buff, positive);
+}
+
+/* Set devicelock_in_lockscreen mode
+ *
+ * @param args string suitable for interpreting as enabled/disabled
+ */
+static bool xmce_set_devicelock_in_lockscreen(const char *args)
+{
+        gboolean val = xmce_parse_enabled(args);
+
+        /* Make it a bit more difficult to enable the setting
+         * accidentally */
+        if( val ) {
+                printf("Setting devicelock-in-lockscreen=enabled can make\n"
+                       "the device unlockabe via normal touch interaction\n"
+                       "\n"
+                       "Are you sure you want to continue (yes/NO): ");
+                if( !interactive_confirmation("yes") ) {
+                        printf("operation canceled\n");
+                        return false;
+                }
+        }
+
+        mcetool_gconf_set_bool(MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN, val);
+        return true;
+}
+
+/** Get current devicelock_in_lockscreen mode from mce and print it out
+ */
+static void xmce_get_devicelock_in_lockscreen(void)
+{
+        gboolean val = 0;
+        char txt[32] = "unknown";
+
+        if( mcetool_gconf_get_bool(MCE_GCONF_DEVICELOCK_IN_LOCKSCREEN, &val) )
+                snprintf(txt, sizeof txt, "%s", val ? "enabled" : "disabled");
+        printf("%-"PAD1"s %s\n", "Devicelock is in lockscreen:", txt);
+}
+
 /* ------------------------------------------------------------------------- *
  * blank timeout
  * ------------------------------------------------------------------------- */
@@ -4040,6 +4102,7 @@ static bool xmce_get_status(const char *args)
         xmce_get_psm_threshold();
         xmce_get_tklock_mode();
         xmce_get_autolock_mode();
+        xmce_get_devicelock_in_lockscreen();
         xmce_get_doubletap_mode();
         xmce_get_doubletap_wakeup();
         xmce_get_powerkey_action();
@@ -4320,6 +4383,19 @@ static const mce_opt_t options[] =
                         "set the autolock mode; valid modes are:\n"
                         "'enabled' and 'disabled'\n"
         },
+        {
+                .name        = "set-devicelock-in-lockscreen",
+                .with_arg    = xmce_set_devicelock_in_lockscreen,
+                .values      = "READ THE LONG HELP",
+                .usage       =
+                        "DO NOT TOUCH THIS UNLESS YOU KNOWN WHAT YOU ARE DOING\n"
+                        "\n"
+                        "Enabling the toggle on devices where device unlocking\n"
+                        "is not included in the lockscreen makes it impossible to\n"
+                        "unlock the device via touch screen.\n"
+                        "\n"
+                        "Valid modes are: 'enabled' and 'disabled'\n"
+        },
         {
                 .name        = "set-tklock-blank",
                 .flag        = 't',