services/core/java/com/android/server/biometrics/face/FaceService.java +30 −59 @@ -42,14 +42,13 @@ import android.os.Binder; import android.os.Build; import android.os.Build; import android.os.Environment; import android.os.Environment; import android.os.IBinder; import android.os.IBinder; import android.os.NativeHandle; import android.os.RemoteException; import android.os.RemoteException; import android.os.SELinux; import android.os.SELinux; import android.os.SystemProperties; import android.os.SystemProperties; import android.os.UserHandle; import android.os.UserHandle; import android.os.UserManager; import android.os.UserManager; import android.service.restricted_image.RestrictedImageProto; import android.provider.Settings; import android.service.restricted_image.RestrictedImageSetProto; import android.service.restricted_image.RestrictedImagesDumpProto; import android.util.Slog; import android.util.Slog; import android.util.proto.ProtoOutputStream; import android.util.proto.ProtoOutputStream; @@ -70,8 +69,11 @@ import org.json.JSONObject; import java.io.File; import java.io.File; import java.io.FileDescriptor; import java.io.FileDescriptor; import java.io.FileOutputStream; import java.io.IOException; import java.io.PrintWriter; import java.io.PrintWriter; import java.util.ArrayList; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import java.util.List; /** /**
@@ -286,8 +288,8 @@ public class FaceService extends BiometricServiceBase { final long ident = Binder.clearCallingIdentity(); final long ident = Binder.clearCallingIdentity(); try { try { if (args.length == 1 && "--restricted_image".equals(args[0])) { if (args.length > 1 && "--hal".equals(args[0])) { dumpRestrictedImage(fd); dumpHal(fd, Arrays.copyOfRange(args, 1, args.length, args.getClass())); } else if (args.length > 0 && "--proto".equals(args[0])) { } else if (args.length > 0 && "--proto".equals(args[0])) { dumpProto(fd); dumpProto(fd); } else { } else { @@ -1078,7 +1080,7 @@ public class FaceService extends BiometricServiceBase { mCryptoPerformanceMap.clear(); mCryptoPerformanceMap.clear(); } } private void dumpRestrictedImage(FileDescriptor fd) { private void dumpHal(FileDescriptor fd, String[] args) { // WARNING: CDD restricts image data from leaving TEE unencrypted on // WARNING: CDD restricts image data from leaving TEE unencrypted on // production devices: // production devices: // [C-1-10] MUST not allow unencrypted access to identifiable biometric // [C-1-10] MUST not allow unencrypted access to identifiable biometric
@@ -1099,59 +1101,28 @@ public class FaceService extends BiometricServiceBase { return; return; } } final ProtoOutputStream proto = new ProtoOutputStream(fd); // The debug method takes two file descriptors. The first is for text // output, which we will drop. The second is for binary data, which final long setToken = proto.start(RestrictedImagesDumpProto.SETS); // will be the protobuf data. final IBiometricsFace daemon = getFaceDaemon(); // Name of the service if (daemon != null) { proto.write(RestrictedImageSetProto.CATEGORY, "face"); FileOutputStream devnull = null; try { // Individual images devnull = new FileOutputStream("/dev/null"); for (int i = 0; i < 5; i++) { final NativeHandle handle = new NativeHandle( final long imageToken = proto.start(RestrictedImageSetProto.IMAGES); new FileDescriptor[] { devnull.getFD(), fd }, proto.write(RestrictedImageProto.MIME_TYPE, "image/png"); new int[0], false); proto.write(RestrictedImageProto.IMAGE_DATA, new byte[] { daemon.debug(handle, new ArrayList<String>(Arrays.asList(args))); // png image data } catch (IOException | RemoteException ex) { -119, 80, 78, 71, 13, 10, 26, 10, Slog.d(TAG, "error while reading face debugging data", ex); 0, 0, 0, 13, 73, 72, 68, 82, } finally { 0, 0, 0, 100, 0, 0, 0, 100, if (devnull != null) { 1, 3, 0, 0, 0, 74, 44, 7, try { 23, 0, 0, 0, 4, 103, 65, 77, devnull.close(); 65, 0, 0, -79, -113, 11, -4, 97, } catch (IOException ex) { 5, 0, 0, 0, 1, 115, 82, 71, } 66, 0, -82, -50, 28, -23, 0, 0, } 0, 6, 80, 76, 84, 69, -1, -1, } -1, 0, 0, 0, 85, -62, -45, 126, 0, 0, 0, -115, 73, 68, 65, 84, 56, -53, -19, -46, -79, 17, -128, 32, 12, 5, -48, 120, 22, -106, -116, -32, 40, -84, 101, -121, -93, 57, 10, 35, 88, 82, 112, 126, 3, -60, 104, 6, -112, 70, 127, -59, -69, -53, 29, 33, -127, -24, 79, -49, -52, -15, 41, 36, 34, -105, 85, 124, -14, 88, 27, 6, 28, 68, 1, 82, 62, 22, -95, -108, 55, -95, 40, -9, -110, -12, 98, -107, 76, -41, -105, -62, -50, 111, -60, 46, -14, -4, 24, -89, 42, -103, 16, 63, -72, 
-11, -15, 48, -62, 102, -44, 102, -73, -56, 56, -21, -128, 92, -70, -124, 117, -46, -67, -77, 82, 80, 121, -44, -56, 116, 93, -45, -90, -5, -29, -24, -83, -75, 52, -34, 55, -22, 102, -21, -105, -124, -23, 71, 87, -7, -25, -59, -100, -73, -92, -122, -7, -109, -49, -80, -89, 0, 0, 0, 0, 73, 69, 78, 68, -82, 66, 96, -126 }); // proto.write(RestrictedImageProto.METADATA, flattened_protobuf); proto.end(imageToken); } } // Face service metadata // proto.write(RestrictedImageSetProto.METADATA, flattened_protobuf); proto.end(setToken); proto.flush(); } } } } services/core/java/com/android/server/incident/IncidentCompanionService.java +2 −1 Original line number Original line Diff line number Diff line Loading @@ -55,7 +55,8 @@ public class IncidentCompanionService extends SystemService { * Dump argument for proxying restricted image dumps to the services * Dump argument for proxying restricted image dumps to the services * listed in the config. * listed in the config. */ */ private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] { "--restricted_image" }; private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] { "--hal", "--restricted_image" }; /** /** * The two permissions, for sendBroadcastAsUserMultiplePermissions. * The two permissions, for sendBroadcastAsUserMultiplePermissions. Loading Loading
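Review bot: In dump(), every argument after `--hal` is forwarded unchanged to `daemon.debug()` by dumpHal, so the dump caller chooses which HAL debug command runs, after `Binder.clearCallingIdentity()`, with the binary output going to the caller-supplied file descriptor. The condition in front of the early `return` in dumpHal sits in a collapsed region and is not visible here, so it is presumably the only barrier in front of image data; I would also restrict what is forwarded to a known set, for example `if (args.length == 2 && "--hal".equals(args[0]) && "--restricted_image".equals(args[1]))`, or check the options against a small allowlist before the call. Separately, a failure is logged only at `Slog.d`, a null daemon is silent, and the `IOException` from `devnull.close()` is swallowed, so a failed HAL call yields an empty section with no visible trace; `Slog.w` plus a try-with-resources on the `FileOutputStream` would make that diagnosable. The same section is printed a second time further down the page and the note applies there as well.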
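Review bot: `RESTRICTED_IMAGE_DUMP_ARGS` is declared `private static String[]` without `final`, so the reference can be reassigned after class load even though it is used as a constant; `private static final String[] RESTRICTED_IMAGE_DUMP_ARGS = { "--hal", "--restricted_image" };` states the intent. The Javadoc above it still describes a single dump argument and should say that `--hal` selects the HAL debug path and `--restricted_image` is the option passed through to it. Since this array is sent to every service listed in the config, any service that still matches `--restricted_image` as its first argument would presumably fall through to its default text dump, which is worth confirming for each configured service.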
services/core/java/com/android/server/biometrics/face/FaceService.java +30 −59 @@ -42,14 +42,13 @@ import android.os.Binder; import android.os.Build; import android.os.Build; import android.os.Environment; import android.os.Environment; import android.os.IBinder; import android.os.IBinder; import android.os.NativeHandle; import android.os.RemoteException; import android.os.RemoteException; import android.os.SELinux; import android.os.SELinux; import android.os.SystemProperties; import android.os.SystemProperties; import android.os.UserHandle; import android.os.UserHandle; import android.os.UserManager; import android.os.UserManager; import android.service.restricted_image.RestrictedImageProto; import android.provider.Settings; import android.service.restricted_image.RestrictedImageSetProto; import android.service.restricted_image.RestrictedImagesDumpProto; import android.util.Slog; import android.util.Slog; import android.util.proto.ProtoOutputStream; import android.util.proto.ProtoOutputStream; @@ -70,8 +69,11 @@ import org.json.JSONObject; import java.io.File; import java.io.File; import java.io.FileDescriptor; import java.io.FileDescriptor; import java.io.FileOutputStream; import java.io.IOException; import java.io.PrintWriter; import java.io.PrintWriter; import java.util.ArrayList; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import java.util.List; /** /**
@@ -286,8 +288,8 @@ public class FaceService extends BiometricServiceBase { final long ident = Binder.clearCallingIdentity(); final long ident = Binder.clearCallingIdentity(); try { try { if (args.length == 1 && "--restricted_image".equals(args[0])) { if (args.length > 1 && "--hal".equals(args[0])) { dumpRestrictedImage(fd); dumpHal(fd, Arrays.copyOfRange(args, 1, args.length, args.getClass())); } else if (args.length > 0 && "--proto".equals(args[0])) { } else if (args.length > 0 && "--proto".equals(args[0])) { dumpProto(fd); dumpProto(fd); } else { } else { @@ -1078,7 +1080,7 @@ public class FaceService extends BiometricServiceBase { mCryptoPerformanceMap.clear(); mCryptoPerformanceMap.clear(); } } private void dumpRestrictedImage(FileDescriptor fd) { private void dumpHal(FileDescriptor fd, String[] args) { // WARNING: CDD restricts image data from leaving TEE unencrypted on // WARNING: CDD restricts image data from leaving TEE unencrypted on // production devices: // production devices: // [C-1-10] MUST not allow unencrypted access to identifiable biometric // [C-1-10] MUST not allow unencrypted access to identifiable biometric
@@ -1099,59 +1101,28 @@ public class FaceService extends BiometricServiceBase { return; return; } } final ProtoOutputStream proto = new ProtoOutputStream(fd); // The debug method takes two file descriptors. The first is for text // output, which we will drop. The second is for binary data, which final long setToken = proto.start(RestrictedImagesDumpProto.SETS); // will be the protobuf data. final IBiometricsFace daemon = getFaceDaemon(); // Name of the service if (daemon != null) { proto.write(RestrictedImageSetProto.CATEGORY, "face"); FileOutputStream devnull = null; try { // Individual images devnull = new FileOutputStream("/dev/null"); for (int i = 0; i < 5; i++) { final NativeHandle handle = new NativeHandle( final long imageToken = proto.start(RestrictedImageSetProto.IMAGES); new FileDescriptor[] { devnull.getFD(), fd }, proto.write(RestrictedImageProto.MIME_TYPE, "image/png"); new int[0], false); proto.write(RestrictedImageProto.IMAGE_DATA, new byte[] { daemon.debug(handle, new ArrayList<String>(Arrays.asList(args))); // png image data } catch (IOException | RemoteException ex) { -119, 80, 78, 71, 13, 10, 26, 10, Slog.d(TAG, "error while reading face debugging data", ex); 0, 0, 0, 13, 73, 72, 68, 82, } finally { 0, 0, 0, 100, 0, 0, 0, 100, if (devnull != null) { 1, 3, 0, 0, 0, 74, 44, 7, try { 23, 0, 0, 0, 4, 103, 65, 77, devnull.close(); 65, 0, 0, -79, -113, 11, -4, 97, } catch (IOException ex) { 5, 0, 0, 0, 1, 115, 82, 71, } 66, 0, -82, -50, 28, -23, 0, 0, } 0, 6, 80, 76, 84, 69, -1, -1, } -1, 0, 0, 0, 85, -62, -45, 126, 0, 0, 0, -115, 73, 68, 65, 84, 56, -53, -19, -46, -79, 17, -128, 32, 12, 5, -48, 120, 22, -106, -116, -32, 40, -84, 101, -121, -93, 57, 10, 35, 88, 82, 112, 126, 3, -60, 104, 6, -112, 70, 127, -59, -69, -53, 29, 33, -127, -24, 79, -49, -52, -15, 41, 36, 34, -105, 85, 124, -14, 88, 27, 6, 28, 68, 1, 82, 62, 22, -95, -108, 55, -95, 40, -9, -110, -12, 98, -107, 76, -41, -105, -62, -50, 111, -60, 46, -14, -4, 24, -89, 42, -103, 16, 63, -72, 
-11, -15, 48, -62, 102, -44, 102, -73, -56, 56, -21, -128, 92, -70, -124, 117, -46, -67, -77, 82, 80, 121, -44, -56, 116, 93, -45, -90, -5, -29, -24, -83, -75, 52, -34, 55, -22, 102, -21, -105, -124, -23, 71, 87, -7, -25, -59, -100, -73, -92, -122, -7, -109, -49, -80, -89, 0, 0, 0, 0, 73, 69, 78, 68, -82, 66, 96, -126 }); // proto.write(RestrictedImageProto.METADATA, flattened_protobuf); proto.end(imageToken); } } // Face service metadata // proto.write(RestrictedImageSetProto.METADATA, flattened_protobuf); proto.end(setToken); proto.flush(); } } } }
services/core/java/com/android/server/incident/IncidentCompanionService.java +2 −1 @@ -55,7 +55,8 @@ public class IncidentCompanionService extends SystemService { * Dump argument for proxying restricted image dumps to the services * Dump argument for proxying restricted image dumps to the services * listed in the config. * listed in the config. */ */ private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] { "--restricted_image" }; private static String[] RESTRICTED_IMAGE_DUMP_ARGS = new String[] { "--hal", "--restricted_image" }; /** /** * The two permissions, for sendBroadcastAsUserMultiplePermissions. * The two permissions, for sendBroadcastAsUserMultiplePermissions.