Unity 8

Merge lp:~mterry/unity8/tablet-security into lp:unity8

tablet-security
Merge into trunk

Proposed by Michael Terry on 2014-09-10

Status:

Merged

Approved by:

Michael Zanetti on 2014-10-08

Approved revision:

1278

Merged at revision:

1350

Proposed branch:

lp:~mterry/unity8/tablet-security

Merge into:

lp:unity8

Diff against target:

917 lines (+518/-75)

9 files modified

qml/Greeter/Greeter.qml (+13/-1)
qml/Greeter/GreeterContent.qml (+12/-0)
qml/Greeter/LoginList.qml (+19/-6)
qml/Shell.qml (+74/-40)
tests/qmltests/CMakeLists.txt (+1/-0)
tests/qmltests/Greeter/tst_MultiGreeter.qml (+2/-2)
tests/qmltests/tst_Shell.qml (+1/-0)
tests/qmltests/tst_ShellWithPin.qml (+107/-26)
tests/qmltests/tst_TabletShell.qml (+289/-0)

To merge this branch:

bzr merge lp:~mterry/unity8/tablet-security

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
PS Jenkins bot (community)	continuous-integration		Needs Fixing on 2014-10-09
Michael Zanetti (community)		2014-09-10	Approve on 2014-10-08
Unity Team		2014-10-06	Pending
Review via email: mp+234219@code.launchpad.net

Commit message

Fix some security issues with the tablet greeter, which allowed the lockscreen to be bypassed. (LP: #1367715)

Recent greeter fixes for phone mode did not fully take the tablet scenario into account. This branch does three main things:

1) Rename fakeActiveForApp because it is nothing but confusing. I renamed the variable itself to lockedApp and added a new variable hasLockedApp, which is infinitely clearer than fakeActiveForApp !== "", which is what we used to use. Since that is a very security-sensitive variable, I figured it's best to be clear.

2) Closed a security bug where if the user could plug in a phone showing the emergency dialer to a bigger screen, thus switching to tablet mode, they could get access to other apps.

3) Closed a security bug where the tablet lockscreen could be left-swiped away.

4) Closed a security bug where the tablet would unlock itself if you launched an app from the indicators or launcher. Now it just focuses the prompt field (much like how the phone shows the lockscreen pin pad).

Description of the change

Fix some security issues with the tablet greeter, which allowed the lockscreen to be bypassed. (LP: #1367715)

Recent greeter fixes for phone mode did not fully take the tablet scenario into account. This branch does four main things:

2) Closed a security bug where if the user could plug in a phone showing the emergency dialer to a bigger screen, thus switching to tablet mode, they could get access to other apps.

3) Closed a security bug where the tablet lockscreen could be left-swiped away.

This whole branch has really brought home how much the lockscreen/greeter interactions need to be tied more closely together and abstracted. Having them strewn throughout Shell.qml is error-prone and adds a lot of logic to the "master file" that I'd rather have in isolated qml files.

Ideally we'd have one bundled "Greeter" object that would expose a clear API to Shell.qml and would just "do the right thing" regardless of tablet, phone-with-pin, phone-with-passphrase, and phone-with-swipe.

But that's a bigger project for another day.

== Checklist ==

* Are there any related MPs required for this MP to build/function as expected? Please list.
No

* Did you perform an exploratory manual test run of your code change and any related functionality?
Yes

* Did you make sure that your branch does not contain spurious tags?
Yes

* If you changed the packaging (debian), did you subscribe the ubuntu-unity team to this MP?
NA

* If you changed the UI, has there been a design review?
NA

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-09-11:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4272/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michał Sawicz (saviq) wrote on 2014-09-11:

Think we could get some tests confirming these behaviours?

Revision history for this message

Michael Terry (mterry) wrote on 2014-09-11:

Yeah, fair. Will work on that.

Revision history for this message

Michael Terry (mterry) wrote on 2014-09-11:

OK, tests added, review away.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-09-11:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4286/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/tablet-security updated on 2014-09-12

1267. By Michael Terry on 2014-09-12: Make ShellWithPin tests more reliable by waiting for rendering

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-09-12:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4294/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/tablet-security updated on 2014-09-16

1268. By Michael Terry on 2014-09-16: Make ShellWithPin tests more reliable

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-09-16:

FAILED: Continuous integration, rev:1268
http://jenkins.qa.ubuntu.com/job/unity8-ci/4317/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/4841/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/1318
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/1411
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/1411
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-runner-mako/4604/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6093
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6093/artifact/work/output/*zip*/output.zip
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/13241

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4317/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Albert Astals Cid (aacid) wrote on 2014-10-01:

Text conflict in qml/Shell.qml
1 conflicts encountered.

lp:~mterry/unity8/tablet-security updated on 2014-10-01

1269. By Michael Terry on 2014-10-01: Merge from trunk

Revision history for this message

Michael Terry (mterry) wrote on 2014-10-01:

Merged from trunk.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-01:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4463/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/tablet-security updated on 2014-10-05

1270. By Michael Terry on 2014-10-05: Merge from trunk
1271. By Michael Terry on 2014-10-05: Fix tests

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-05:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4492/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-05:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4493/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/tablet-security updated on 2014-10-06

1272. By Michael Terry on 2014-10-06: Fix MultiGreeter qmluitest

Revision history for this message

Albert Astals Cid (aacid) wrote on 2014-10-06:

Text conflict in qml/Shell.qml
1 conflicts encountered.

lp:~mterry/unity8/tablet-security updated on 2014-10-06

1273. By Michael Terry on 2014-10-06: Merge from trunk

Revision history for this message

Michael Terry (mterry) wrote on 2014-10-06:

Merged from trunk

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-06:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4500/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-06:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4508/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michael Zanetti (mzanetti) wrote on 2014-10-08:

hmm... running tryTabletShell I can still unlock it by doing a left edge swipe...

Also see one inline comment.

testing it on the phone seems to behave as expected

review: Needs Fixing

Revision history for this message

Michael Terry (mterry) wrote on 2014-10-08:

Replied inline to your comment, will look at tryTabletShell.

lp:~mterry/unity8/tablet-security updated on 2014-10-08

1274. By Michael Terry on 2014-10-08: Merge from trunk
1275. By Michael Terry on 2014-10-08: Prevent dash logins in tablet mode

Revision history for this message

Michael Terry (mterry) wrote on 2014-10-08:

OK, fixed the left-drag-unlock for locked users! Whoops, that was the result of a bad merge.

lp:~mterry/unity8/tablet-security updated on 2014-10-08

1276. By Michael Terry on 2014-10-08: Make password login test a little more reliable

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-08:

FAILED: Continuous integration, rev:1276
http://jenkins.qa.ubuntu.com/job/unity8-ci/4545/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/5690/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/1530/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/1641
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/1639
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6942/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4545/rebuild

review: Needs Fixing (continuous-integration)

lp:~mterry/unity8/tablet-security updated on 2014-10-08

1277. By Michael Terry on 2014-10-08: expand comments
1278. By Michael Terry on 2014-10-08: Add wait(500) to properly test leftEdgeDrag

Revision history for this message

Michael Zanetti (mzanetti) wrote on 2014-10-08:

* Did you perform an exploratory manual test run of the code change and any related functionality?

yes

* Did CI run pass? If not, please explain why.

seems dead currently :/

* Did you make sure that the branch does not contain spurious tags?

yes

review: Approve

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-08:

FAILED: Continuous integration, rev:1277
http://jenkins.qa.ubuntu.com/job/unity8-ci/4546/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/5693/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/1531
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/1642
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/1640
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-runner-mako/5364/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6945
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6945/artifact/work/output/*zip*/output.zip
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/14362

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4546/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-09:

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4554/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2014-10-09:

FAILED: Continuous integration, rev:1278
http://jenkins.qa.ubuntu.com/job/unity8-ci/4579/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-utopic-touch/5743/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity-phablet-qmluitests-utopic/1565
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-amd64-ci/1675
    SUCCESS: http://jenkins.qa.ubuntu.com/job/unity8-utopic-i386-ci/1673
    FAILURE: http://jenkins.qa.ubuntu.com/job/generic-deb-autopilot-runner-mako/5406/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6995
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/6995/artifact/work/output/*zip*/output.zip
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/14411

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/unity8-ci/4579/rebuild

review: Needs Fixing (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Michael Terry

Mohammad Rakibul Hasan

Unity Team

 === modified file 'qml/Greeter/Greeter.qml'
 --- qml/Greeter/Greeter.qml	2014-09-15 16:41:54 +0000
 +++ qml/Greeter/Greeter.qml	2014-10-08 20:37:01 +0000
@@ -36,7 +36,7 @@
      property alias dragHandleWidth: dragHandle.width
      property alias model: greeterContentLoader.model
--    property bool locked: shown && !LightDM.Greeter.promptless
++    property bool locked: true
      readonly property bool narrowMode: !multiUser && height > width
      readonly property bool multiUser: LightDM.Users.count > 1
@@ -57,6 +57,18 @@
+         }
+     }
++    function tryToUnlock() {
++        if (created) {
++            greeterContentLoader.item.tryToUnlock()
++        }
++    }
++
++    function reset() {
++        if (created) {
++            greeterContentLoader.item.reset()
++        }
++    }
++
      onRequiredChanged: {
          // Reset hide animation to default once we're finished with it
          if (required) {
 === modified file 'qml/Greeter/GreeterContent.qml'
 --- qml/Greeter/GreeterContent.qml	2014-09-25 18:30:32 +0000
 +++ qml/Greeter/GreeterContent.qml	2014-10-08 20:37:01 +0000
@@ -29,6 +29,18 @@
      signal selected(int uid)
      signal unlocked(int uid)
++    function tryToUnlock() {
++        if (loginLoader.item) {
++            loginLoader.item.tryToUnlock()
++        }
++    }
++
++    function reset() {
++        if (loginLoader.item) {
++            loginLoader.item.reset()
++        }
++    }
++
      Rectangle {
          // In case background fails to load
          id: backgroundBackup
 === modified file 'qml/Greeter/LoginList.qml'
 --- qml/Greeter/LoginList.qml	2014-06-20 23:04:15 +0000
 +++ qml/Greeter/LoginList.qml	2014-10-08 20:37:01 +0000
@@ -35,6 +35,22 @@
      signal selected(int uid)
      signal unlocked(int uid)
++    function tryToUnlock() {
++        if (LightDM.Greeter.promptless) {
++            if (LightDM.Greeter.authenticated) {
++                root.unlocked(userList.currentIndex)
++            } else {
++                root.resetAuthentication()
++            }
++        } else {
++            passwordInput.forceActiveFocus()
++        }
++    }
++
++    function reset() {
++        root.resetAuthentication()
++    }
++
      Keys.onEscapePressed: root.resetAuthentication()
      Rectangle {
@@ -229,14 +245,11 @@
+     }
      MouseArea {
++        id: passwordMouseArea
++        objectName: "passwordMouseArea"
          anchors.fill: passwordInput
          enabled: LightDM.Greeter.promptless
--        onClicked: {
--            if (LightDM.Greeter.authenticated)
--                root.unlocked(userList.currentIndex);
--            else
--                root.resetAuthentication();
--        }
++        onClicked: root.tryToUnlock()
+     }
      function resetAuthentication() {
 === modified file 'qml/Shell.qml'
 --- qml/Shell.qml	2014-10-06 08:02:44 +0000
 +++ qml/Shell.qml	2014-10-08 20:37:01 +0000
@@ -87,9 +87,9 @@
+         }
+     }
--    function setFakeActiveForApp(app) {
++    function setLockedApp(app) {
          if (shell.locked) {
--            greeter.fakeActiveForApp = app
++            greeter.lockedApp = app
              lockscreen.hide()
+         }
+     }
@@ -169,31 +169,37 @@
          Connections {
              target: ApplicationManager
              onFocusRequested: {
--                if (appId === "dialer-app") {
--                    // Always let the dialer-app through.  Either user asked
--                    // for an emergency call or accepted an incoming call.
--                    setFakeActiveForApp(appId)
--                } else if (greeter.fakeActiveForApp !== "" && greeter.fakeActiveForApp !== appId) {
--                    lockscreen.show();
++                if (greeter.narrowMode) {
++                    if (appId === "dialer-app") {
++                        // Always let the dialer-app through.  Either user asked
++                        // for an emergency call or accepted an incoming call.
++                        setLockedApp(appId)
++                    } else if (greeter.hasLockedApp && greeter.lockedApp !== appId) {
++                        greeter.startUnlock()
++                    }
++                    greeter.hide();
++                } else {
++                    if (LightDM.Greeter.active) {
++                        greeter.startUnlock()
++                    }
+                 }
--                greeter.hide();
+             }
              onFocusedApplicationIdChanged: {
--                if (greeter.fakeActiveForApp !== "" && greeter.fakeActiveForApp !== ApplicationManager.focusedApplicationId) {
--                    lockscreen.show();
++                if (greeter.hasLockedApp && greeter.lockedApp !== ApplicationManager.focusedApplicationId) {
++                    greeter.startUnlock()
+                 }
                  panel.indicators.hide();
+             }
              onApplicationAdded: {
                  if (greeter.shown && appId != "unity8-dash") {
--                    greeter.hide();
++                    greeter.startUnlock()
+                 }
--                if (appId === "dialer-app") {
++                if (greeter.narrowMode && appId === "dialer-app") {
                      // Always let the dialer-app through.  Either user asked
                      // for an emergency call or accepted an incoming call.
--                    setFakeActiveForApp(appId)
++                    setLockedApp(appId)
+                 }
                  launcher.hide();
+             }
@@ -201,9 +207,19 @@
          Loader {
              id: applicationsDisplayLoader
++            objectName: "applicationsDisplayLoader"
              anchors.fill: parent
--            source: shell.sideStageEnabled ? "Stages/TabletStage.qml" : "Stages/PhoneStage.qml"
++            // When we have a locked app, we only want to show that one app.
++            // FIXME: do this in a less traumatic way.  We currently only allow
++            // locked apps in phone mode (see FIXME in Lockscreen component in
++            // this same file).  When that changes, we need to do something
++            // nicer here.  But this code is currently just to prevent a
++            // theoretical attack where user enters lockedApp mode, then makes
++            // the screen larger (maybe connects to monitor) and tries to enter
++            // tablet mode.
++            property bool tabletMode: shell.sideStageEnabled && !greeter.hasLockedApp
++            source: tabletMode ? "Stages/TabletStage.qml" : "Stages/PhoneStage.qml"
              Binding {
                  target: applicationsDisplayLoader.item
@@ -229,7 +245,7 @@
              Binding {
                  target: applicationsDisplayLoader.item
                  property: "spreadEnabled"
--                value: edgeDemo.stagesEnabled && greeter.fakeActiveForApp === "" // to support emergency dialer hack
++                value: edgeDemo.stagesEnabled && !greeter.hasLockedApp
+             }
              Binding {
                  target: applicationsDisplayLoader.item
@@ -304,14 +320,14 @@
          // and wider screens are tablets which don't.  When we do allow this
          // on devices with a side stage and a SIM, work should be done to
          // ensure that the main stage is disabled while the dialer is present
--        // in the side stage.
++        // in the side stage.  See the FIXME in the stage loader in this file.
          showEmergencyCallButton: !shell.sideStageEnabled
          onEntered: LightDM.Greeter.respond(passphrase);
          onCancel: greeter.show()
--        onEmergencyCall: shell.activateApplication("dialer-app") // will automatically enter fake-active mode
++        onEmergencyCall: shell.activateApplication("dialer-app") // will automatically enter locked-app mode
--        onShownChanged: if (shown) greeter.fakeActiveForApp = ""
++        onShownChanged: if (shown) greeter.lockedApp = ""
          Timer {
              id: forcedDelayTimer
@@ -360,11 +376,13 @@
+         }
          onPromptlessChanged: {
--            if (LightDM.Greeter.promptless && LightDM.Greeter.authenticated) {
--                lockscreen.hide()
--            } else {
--                lockscreen.reset();
--                lockscreen.show();
++            if (greeter.narrowMode) {
++                if (LightDM.Greeter.promptless && LightDM.Greeter.authenticated) {
++                    lockscreen.hide()
++                } else {
++                    lockscreen.reset();
++                    lockscreen.show();
++                }
+             }
+         }
@@ -414,7 +432,7 @@
      Binding {
          target: LightDM.Greeter
          property: "active"
--        value: greeter.shown || lockscreen.shown || greeter.fakeActiveForApp != ""
++        value: greeter.shown || lockscreen.shown || greeter.hasLockedApp
+     }
      Rectangle {
@@ -426,7 +444,8 @@
      Item {
          // Just a tiny wrapper to adjust greeter's x without messing with its own dragging
          id: greeterWrapper
--        x: launcher.progress
++        objectName: "greeterWrapper"
++        x: greeter.narrowMode ? launcher.progress : 0
          y: panel.panelHeight
          width: parent.width
          height: parent.height - panel.panelHeight
@@ -439,7 +458,7 @@
          property bool fullyShown: showProgress === 1.0
          onFullyShownChanged: {
              // Wait until the greeter is completely covering lockscreen before resetting it.
--            if (fullyShown && !LightDM.Greeter.authenticated) {
++            if (greeter.narrowMode && fullyShown && !LightDM.Greeter.authenticated) {
                  lockscreen.reset();
                  lockscreen.show();
+             }
@@ -448,7 +467,7 @@
          readonly property real showProgress: MathUtils.clamp((1 - x/width) + greeter.showProgress - 1, 0, 1)
          onShowProgressChanged: {
              if (showProgress === 0) {
--                if (LightDM.Greeter.authenticated) {
++                if (LightDM.Greeter.promptless && LightDM.Greeter.authenticated) {
                      greeter.login()
                  } else if (greeter.narrowMode) {
                      lockscreen.clear(false) // to reset focus if necessary
@@ -462,13 +481,16 @@
              signal sessionStarted() // helpful for tests
--            property string fakeActiveForApp: ""
++            property string lockedApp: ""
++            property bool hasLockedApp: lockedApp !== ""
              available: true
              hides: [launcher, panel.indicators]
              shown: true
              loadContent: required || lockscreen.required // keeps content in memory for quick show()
++            locked: shell.locked
++
              defaultBackground: shell.background
              width: parent.width
@@ -476,6 +498,18 @@
              dragHandleWidth: shell.edgeSize
++            function startUnlock() {
++                if (narrowMode) {
++                    if (!LightDM.Greeter.authenticated) {
++                        lockscreen.show()
++                    }
++                    hide()
++                } else {
++                    show()
++                    tryToUnlock()
++                }
++            }
++
              function login() {
                  enabled = false;
                  if (LightDM.Greeter.startSessionSync()) {
@@ -491,8 +525,10 @@
                  if (shown) {
                      if (greeter.narrowMode) {
                          LightDM.Greeter.authenticate(LightDM.Users.data(0, LightDM.UserRoles.NameRole));
++                    } else {
++                        reset()
+                     }
--                    greeter.fakeActiveForApp = "";
++                    greeter.lockedApp = "";
                      greeter.forceActiveFocus();
+                 }
+             }
@@ -537,10 +573,7 @@
+         }
          if (LightDM.Greeter.active) {
--            if (!LightDM.Greeter.authenticated) {
--                lockscreen.show()
--            }
--            greeter.hide()
++            greeter.startUnlock()
+         }
          var animate = !LightDM.Greeter.active && !stages.shown
@@ -549,7 +582,8 @@
+     }
      function showDash() {
--        if (greeter.fakeActiveForApp !== "") { // just in case user gets here
++        if (greeter.hasLockedApp || // just in case user gets here
++            (!greeter.narrowMode && shell.locked)) {
              return
+         }
@@ -576,7 +610,7 @@
              anchors.fill: parent //because this draws indicator menus
              indicators {
                  hides: [launcher]
--                available: edgeDemo.panelEnabled && (!shell.locked || AccountsService.enableIndicatorsWhileLocked) && greeter.fakeActiveForApp === ""
++                available: edgeDemo.panelEnabled && (!shell.locked || AccountsService.enableIndicatorsWhileLocked) && !greeter.hasLockedApp
                  contentEnabled: edgeDemo.panelContentEnabled
                  width: parent.width > units.gu(60) ? units.gu(40) : parent.width
                  panelHeight: units.gu(3)
@@ -587,7 +621,7 @@
                      ApplicationManager.findApplication(ApplicationManager.focusedApplicationId).fullscreen
              fullscreenMode: (topmostApplicationIsFullscreen && !LightDM.Greeter.active && launcher.progress == 0)
--                            || greeter.fakeActiveForApp !== ""
++                            || greeter.hasLockedApp
+         }
          Launcher {
@@ -600,7 +634,7 @@
              anchors.bottom: parent.bottom
              width: parent.width
              dragAreaWidth: shell.edgeSize
--            available: edgeDemo.launcherEnabled && (!shell.locked || AccountsService.enableLauncherWhileLocked) && greeter.fakeActiveForApp === ""
++            available: edgeDemo.launcherEnabled && (!shell.locked || AccountsService.enableLauncherWhileLocked) && !greeter.hasLockedApp
              onShowDashHome: showHome()
              onDash: showDash()
@@ -610,8 +644,8 @@
+                 }
+             }
              onLauncherApplicationSelected: {
--                if (greeter.fakeActiveForApp !== "") {
--                    lockscreen.show()
++                if (greeter.hasLockedApp) {
++                    greeter.startUnlock()
+                 }
                  if (!edgeDemo.running)
                      shell.activateApplication(appId)
 === modified file 'tests/qmltests/CMakeLists.txt'
 --- tests/qmltests/CMakeLists.txt	2014-09-30 16:56:24 +0000
 +++ tests/qmltests/CMakeLists.txt	2014-10-08 20:37:01 +0000
@@ -21,6 +21,7 @@
  add_qml_test(. Shell ENVIRONMENT "LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/tests/mocks/LightDM/single")
  add_qml_test(. ShellWithPin ENVIRONMENT "LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/tests/mocks/LightDM/single-pin")
++add_qml_test(. TabletShell ENVIRONMENT "LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/tests/mocks/LightDM/full")
  add_qml_test(Components Background)
  add_qml_test(Components Carousel)
  add_qml_test(Components DraggingArea)
 === modified file 'tests/qmltests/Greeter/tst_MultiGreeter.qml'
 --- tests/qmltests/Greeter/tst_MultiGreeter.qml	2014-06-02 14:10:59 +0000
 +++ tests/qmltests/Greeter/tst_MultiGreeter.qml	2014-10-08 20:37:01 +0000
@@ -29,6 +29,7 @@
      Greeter {
          id: greeter
          anchors.fill: parent
++        locked: !LightDM.Greeter.authenticated
+     }
      Component {
@@ -115,8 +116,7 @@
              var waitForSignal = data.uid != 0 && userList.currentIndex != data.uid
              select_index(data.uid)
              tryCompare(userList, "currentIndex", data.uid)
--            tryCompare(greeter, "locked", data.tag !== "no-password" &&
--                                          data.tag !== "auth-error")
++            tryCompare(greeter, "locked", data.tag !== "no-password")
              if (waitForSignal) {
                  selectionSpy.wait()
                  tryCompare(selectionSpy, "count", 1)
 === modified file 'tests/qmltests/tst_Shell.qml'
 --- tests/qmltests/tst_Shell.qml	2014-10-06 07:59:50 +0000
 +++ tests/qmltests/tst_Shell.qml	2014-10-08 20:37:01 +0000
@@ -484,6 +484,7 @@
              tryCompare(greeter, "showProgress", 0)
              waitForRendering(greeter);
              LightDM.Greeter.showGreeter()
++            waitForRendering(greeter)
              tryCompare(greeter, "showProgress", 1)
              LightDM.Greeter.hideGreeter()
              tryCompare(greeter, "showProgress", 0)
 === modified file 'tests/qmltests/tst_ShellWithPin.qml'
 --- tests/qmltests/tst_ShellWithPin.qml	2014-09-15 16:41:54 +0000
 +++ tests/qmltests/tst_ShellWithPin.qml	2014-10-08 20:37:01 +0000
@@ -27,10 +27,9 @@
  import "../../qml"
--Item {
++Row {
      id: root
--    width: shell.width + units.gu(20)
--    height: shell.height
++    spacing: 0
      QtObject {
          id: applicationArguments
@@ -48,21 +47,55 @@
+         }
+     }
--    Shell {
--        id: shell
--        maxFailedLogins: maxRetriesTextField.text
++    Loader {
++        id: shellLoader
++
++        width: units.gu(40)
++        height: units.gu(71)
++
++        property bool itemDestroyed: false
++        sourceComponent: Component {
++            Shell {
++                Component.onDestruction: {
++                    shellLoader.itemDestroyed = true
++                }
++                maxFailedLogins: maxRetriesTextField.text
++            }
++        }
+     }
--    Column {
--        anchors { top: parent.top; right: parent.right; bottom: parent.bottom; margins:units.gu(1) }
--        width: units.gu(18)
--
--        Label {
--            text: "Max retries:"
--            color: "black"
--        }
--        TextField {
--            id: maxRetriesTextField
--            text: "-1"
++
++    Rectangle {
++        color: "white"
++        width: units.gu(30)
++        height: shellLoader.height
++
++        Column {
++            anchors { left: parent.left; right: parent.right; top: parent.top; margins: units.gu(1) }
++            spacing: units.gu(1)
++            Row {
++                anchors { left: parent.left; right: parent.right }
++                Button {
++                    text: "Show Greeter"
++                    onClicked: {
++                        if (shellLoader.status !== Loader.Ready)
++                            return
++
++                        var greeter = testCase.findChild(shellLoader.item, "greeter")
++                        if (!greeter.shown) {
++                            greeter.show()
++                        }
++                    }
++                }
++            }
++
++            Label {
++                text: "Max retries:"
++                color: "black"
++            }
++            TextField {
++                id: maxRetriesTextField
++                text: "-1"
++            }
+         }
+     }
@@ -81,12 +114,10 @@
          name: "ShellWithPin"
          when: windowShown
--        function initTestCase() {
++        property Item shell: shellLoader.status === Loader.Ready ? shellLoader.item : null
++        function init() {
              sessionSpy.target = findChild(shell, "greeter")
--        }
--
--        function init() {
              swipeAwayGreeter()
              shell.failedLoginsDelayAttempts = -1
              maxRetriesTextField.text = "-1"
@@ -95,12 +126,28 @@
+         }
          function cleanup() {
--            LightDM.Greeter.showGreeter()
--            var greeter = findChild(shell, "greeter")
--            tryCompare(greeter, "showProgress", 1)
++            shellLoader.itemDestroyed = false
++
++            shellLoader.active = false
++
++            tryCompare(shellLoader, "status", Loader.Null)
++            tryCompare(shellLoader, "item", null)
++            // Loader.status might be Loader.Null and Loader.item might be null but the Loader
++            // item might still be alive. So if we set Loader.active back to true
++            // again right now we will get the very same Shell instance back. So no reload
++            // actually took place. Likely because Loader waits until the next event loop
++            // iteration to do its work. So to ensure the reload, we will wait until the
++            // Shell instance gets destroyed.
++            tryCompare(shellLoader, "itemDestroyed", true)
              // kill all (fake) running apps
              killApps()
++
++            // reload our test subject to get it in a fresh state once again
++            shellLoader.active = true
++
++            tryCompare(shellLoader, "status", Loader.Ready)
++            removeTimeConstraintsFromDirectionalDragAreas(shellLoader.item)
+         }
          function killApps() {
@@ -113,6 +160,7 @@
          function swipeAwayGreeter() {
              var greeter = findChild(shell, "greeter");
++            waitForRendering(greeter)
              tryCompare(greeter, "showProgress", 1);
              var touchX = shell.width - (shell.edgeSize / 2);
@@ -168,7 +216,8 @@
              mouseClick(emergencyButton, units.gu(1), units.gu(1))
--            tryCompare(greeter, "fakeActiveForApp", "dialer-app")
++            tryCompare(greeter, "lockedApp", "dialer-app")
++            tryCompare(greeter, "hasLockedApp", true)
              tryCompare(lockscreen, "shown", false)
              tryCompare(panel, "fullscreenMode", true)
              tryCompare(indicators, "available", false)
@@ -180,7 +229,8 @@
              LightDM.Greeter.showGreeter()
              tryCompare(greeter, "shown", true)
--            tryCompare(greeter, "fakeActiveForApp", "")
++            tryCompare(greeter, "lockedApp", "")
++            tryCompare(greeter, "hasLockedApp", false)
              tryCompare(lockscreen, "shown", true)
              tryCompare(panel, "fullscreenMode", false)
              tryCompare(indicators, "available", true)
@@ -253,5 +303,36 @@
              enterPin("1111")
              tryCompare(resetSpy, "count", 1)
+         }
++
++        function test_emergencyDialerLockOut() {
++            // This is a theoretical attack on the lockscreen: Enter emergency
++            // dialer mode on a phone, then plug into a larger screen,
++            // switching to a tablet interface.  This would in theory move the
++            // dialer to a side stage and give access to other apps.  So just
++            // confirm that such an attack doesn't work.
++
++            var applicationsDisplayLoader = findChild(shell, "applicationsDisplayLoader")
++
++            // We start in phone mode
++            tryCompare(shell, "sideStageEnabled", false)
++            tryCompare(applicationsDisplayLoader, "tabletMode", false)
++
++            var app = ApplicationManager.startApplication("dialer-app")
++
++            var greeter = findChild(shell, "greeter")
++            tryCompare(greeter, "showProgress", 0)
++            tryCompare(greeter, "hasLockedApp", true)
++
++            // OK, we're in. Now try (but fail) to switch to tablet mode
++            shell.tablet = true
++            tryCompare(shell, "sideStageEnabled", true)
++            tryCompare(applicationsDisplayLoader, "tabletMode", false)
++
++            // And when we kill the app, we go back to locked tablet mode
++            killApps()
++            tryCompare(greeter, "showProgress", 1)
++            tryCompare(shell, "sideStageEnabled", true)
++            tryCompare(applicationsDisplayLoader, "tabletMode", true)
++        }
+     }
+ }
 === added file 'tests/qmltests/tst_TabletShell.qml'
 --- tests/qmltests/tst_TabletShell.qml	1970-01-01 00:00:00 +0000
 +++ tests/qmltests/tst_TabletShell.qml	2014-10-08 20:37:01 +0000
@@ -0,0 +1,289 @@
++/*
++ * Copyright (C) 2013,2014 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++import QtQuick 2.0
++import QtTest 1.0
++import GSettings 1.0
++import LightDM 0.1 as LightDM
++import Ubuntu.Components 1.1
++import Ubuntu.Telephony 0.1 as Telephony
++import Unity.Application 0.1
++import Unity.Connectivity 0.1
++import Unity.Test 0.1 as UT
++import Powerd 0.1
++
++import "../../qml"
++
++Row {
++    id: root
++    spacing: 0
++
++    QtObject {
++        id: applicationArguments
++
++        function hasGeometry() {
++            return false
++        }
++
++        function width() {
++            return 0
++        }
++
++        function height() {
++            return 0
++        }
++    }
++
++    Loader {
++        id: shellLoader
++
++        width: units.gu(100)
++        height: units.gu(80)
++
++        property bool itemDestroyed: false
++        sourceComponent: Component {
++            Shell {
++                Component.onDestruction: {
++                    shellLoader.itemDestroyed = true
++                }
++            }
++        }
++    }
++
++    Rectangle {
++        color: "white"
++        width: units.gu(20)
++        height: shellLoader.height
++
++        Column {
++            anchors { left: parent.left; right: parent.right; top: parent.top; margins: units.gu(1) }
++            spacing: units.gu(1)
++            Row {
++                anchors { left: parent.left; right: parent.right }
++                Button {
++                    text: "Show Greeter"
++                    onClicked: {
++                        if (shellLoader.status !== Loader.Ready)
++                            return
++
++                        var greeter = testCase.findChild(shellLoader.item, "greeter")
++                        if (!greeter.shown) {
++                            greeter.show()
++                        }
++                    }
++                }
++            }
++        }
++    }
++
++    SignalSpy {
++        id: sessionSpy
++        signalName: "sessionStarted"
++    }
++
++    SignalSpy {
++        id: dashCommunicatorSpy
++        signalName: "setCurrentScopeCalled"
++    }
++
++    SignalSpy {
++        id: unlockAllModemsSpy
++        target: Connectivity
++        signalName: "unlockingAllModems"
++    }
++
++    Telephony.CallEntry {
++        id: phoneCall
++        phoneNumber: "+447812221111"
++    }
++
++    UT.UnityTestCase {
++        id: testCase
++        name: "TabletShell"
++        when: windowShown
++
++        property Item shell: shellLoader.status === Loader.Ready ? shellLoader.item : null
++
++        function init() {
++            sessionSpy.clear()
++            sessionSpy.target = findChild(shell, "greeter")
++            dashCommunicatorSpy.target = findInvisibleChild(shell, "dashCommunicator")
++        }
++
++        function cleanup() {
++            shellLoader.itemDestroyed = false
++
++            shellLoader.active = false
++
++            tryCompare(shellLoader, "status", Loader.Null)
++            tryCompare(shellLoader, "item", null)
++            // Loader.status might be Loader.Null and Loader.item might be null but the Loader
++            // item might still be alive. So if we set Loader.active back to true
++            // again right now we will get the very same Shell instance back. So no reload
++            // actually took place. Likely because Loader waits until the next event loop
++            // iteration to do its work. So to ensure the reload, we will wait until the
++            // Shell instance gets destroyed.
++            tryCompare(shellLoader, "itemDestroyed", true)
++
++            // kill all (fake) running apps
++            killApps()
++
++            unlockAllModemsSpy.clear()
++
++            // reload our test subject to get it in a fresh state once again
++            shellLoader.active = true
++
++            tryCompare(shellLoader, "status", Loader.Ready)
++            removeTimeConstraintsFromDirectionalDragAreas(shellLoader.item)
++        }
++
++        function killApps() {
++            while (ApplicationManager.count > 1) {
++                var appIndex = ApplicationManager.get(0).appId == "unity8-dash" ? 1 : 0
++                ApplicationManager.stopApplication(ApplicationManager.get(appIndex).appId)
++            }
++            compare(ApplicationManager.count, 1)
++        }
++
++        function selectIndex(i) {
++            // We could be anywhere in list; find target index to know which direction
++            var greeter = findChild(shell, "greeter")
++            var userlist = findChild(greeter, "userList")
++            if (userlist.currentIndex == i)
++                keyClick(Qt.Key_Escape) // Reset state if we're not moving
++            while (userlist.currentIndex != i) {
++                var next = userlist.currentIndex + 1
++                if (userlist.currentIndex > i) {
++                    next = userlist.currentIndex - 1
++                }
++                var account = findChild(greeter, "username"+next)
++                mouseClick(account, 1, 1)
++                tryCompare(userlist, "currentIndex", next)
++                tryCompare(userlist, "movingInternally", false)
++            }
++        }
++
++        function selectUser(name) {
++            // Find index of user with the right name
++            var greeter = findChild(shell, "greeter")
++            for (var i = 0; i < greeter.model.count; i++) {
++                if (greeter.model.data(i, LightDM.UserRoles.NameRole) == name) {
++                    break
++                }
++            }
++            if (i == greeter.model.count) {
++                fail("Didn't find name")
++                return -1
++            }
++            selectIndex(i)
++            return i
++        }
++
++        function clickPasswordInput(isButton) {
++            var greeter = findChild(shell, "greeter")
++            tryCompare(greeter, "showProgress", 1)
++
++            var passwordMouseArea = findChild(shell, "passwordMouseArea")
++            tryCompare(passwordMouseArea, "enabled", isButton)
++
++            var passwordInput = findChild(shell, "passwordInput")
++            mouseClick(passwordInput, passwordInput.width / 2, passwordInput.height / 2)
++        }
++
++        function confirmLoggedIn(loggedIn) {
++            var greeterWrapper = findChild(shell, "greeterWrapper")
++            tryCompare(greeterWrapper, "showProgress", loggedIn ? 0 : 1)
++            tryCompare(sessionSpy, "count", loggedIn ? 1 : 0)
++        }
++
++        function swipeFromLeftEdge(swipeLength) {
++            var touchStartX = 2
++            var touchStartY = shell.height / 2
++            touchFlick(shell, touchStartX, touchStartY, swipeLength, touchStartY)
++        }
++
++        function test_noLockscreen() {
++            selectUser("has-password")
++            var lockscreen = findChild(shell, "lockscreen")
++            tryCompare(lockscreen, "shown", false)
++        }
++
++        function test_showAndHideGreeterDBusCalls() {
++            var greeter = findChild(shell, "greeter")
++            LightDM.Greeter.hideGreeter()
++            tryCompare(greeter, "showProgress", 0)
++            LightDM.Greeter.showGreeter()
++            tryCompare(greeter, "showProgress", 1)
++        }
++
++        function test_login_data() {
++            return [
++                {tag: "auth error", user: "auth-error", loggedIn: false, password: ""},
++                {tag: "with password", user: "has-password", loggedIn: true, password: "password"},
++                {tag: "without password", user: "no-password", loggedIn: true, password: ""},
++            ]
++        }
++
++        function test_login(data) {
++            selectUser(data.user)
++
++            clickPasswordInput(data.password === "")
++
++            if (data.password !== "") {
++                typeString(data.password)
++                keyClick(Qt.Key_Enter)
++            }
++
++            confirmLoggedIn(data.loggedIn)
++        }
++
++        function test_appLaunchDuringGreeter_data() {
++            return [
++                {tag: "auth error", user: "auth-error", loggedIn: false, passwordFocus: false},
++                {tag: "without password", user: "no-password", loggedIn: true, passwordFocus: false},
++                {tag: "with password", user: "has-password", loggedIn: false, passwordFocus: true},
++            ]
++        }
++
++        function test_appLaunchDuringGreeter(data) {
++            selectUser(data.user)
++
++            var greeter = findChild(shell, "greeter")
++            var app = ApplicationManager.startApplication("dialer-app")
++
++            confirmLoggedIn(data.loggedIn)
++
++            if (data.passwordFocus) {
++                var passwordInput = findChild(greeter, "passwordInput")
++                tryCompare(passwordInput, "focus", true)
++            }
++        }
++
++        function test_leftEdgeDrag_data() {
++            return [
++                {tag: "without password", user: "no-password", loggedIn: true},
++                {tag: "with password", user: "has-password", loggedIn: false},
++            ]
++        }
++
++        function test_leftEdgeDrag(data) {
++            selectUser(data.user)
++            swipeFromLeftEdge(shell.width * 0.75)
++            wait(500) // to give time to handle dash() signal from Launcher
++            confirmLoggedIn(data.loggedIn)
++        }
++    }
++}