Commit 5b5662d7 authored by Kevin Chyn

Send callingUserId from AuthService -> BiometricServiceBase

Since authenticatorIds are collected from AuthService, which is
system_server, we need to get the callingUserId before the code
enters system_server, which clears calling identity.

Test: 1) Set up work profile, install BiometricPromptDemo
      2) Enroll work profile fingerprint
      3) Open work profile version of BiometricPromptDemo
      4) Create biometric-bound keys and authenticate with fingerprint
      Before this change, key was unusable. After this change,
      the key can be used

Fixes: 157486161
Change-Id: I4ec89b9cb13caff397b1a1acd844962736290040
parent bcbf7ee8
+1 −1
@@ -57,5 +57,5 @@ interface IBiometricAuthenticator {
    void setActiveUser(int uid);

    // Gets the authenticator ID representing the current set of enrolled templates
    long getAuthenticatorId();
    long getAuthenticatorId(int callingUserId);
}
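Review bot: The doc comment above getAuthenticatorId still reads "Gets the authenticator ID representing the current set of enrolled templates" and does not say whose templates are meant now that the method takes callingUserId. Because setActiveUser(int uid) is declared in the same interface, please document how callingUserId relates to the active user (for example, whether the call is valid when the two differ) and what is returned for a user with no enrolled templates.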
+1 −1
@@ -65,7 +65,7 @@ interface IBiometricService {
    // Get a list of AuthenticatorIDs for authenticators which have enrolled templates and meet
    // the requirements for integrating with Keystore. The AuthenticatorID are known in Keystore
    // land as SIDs, and are used during key generation.
    long[] getAuthenticatorIds();
    long[] getAuthenticatorIds(int callingUserId);

    int getCurrentStrength(int sensorId);
}
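Review bot: In getAuthenticatorIds(int callingUserId) the user ID is a plain argument, so at this interface it is whatever the caller passes, while the name suggests it was derived from the Binder caller. Please either rename it to userId or extend the comment to say that the value has to be read from the Binder calling identity before that identity is cleared, and state which callers are expected to reach this method, so that an implementation does not treat the argument as already verified. The comment should also say that the returned SIDs are now scoped to that user.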
+1 −1
@@ -84,7 +84,7 @@ interface IFaceService {
    boolean hasEnrolledFaces(int userId, String opPackageName);

    // Gets the authenticator ID for face
    long getAuthenticatorId();
    long getAuthenticatorId(int callingUserId);

    // Reset the lockout when user authenticates with strong auth (e.g. PIN, pattern or password)
    void resetLockout(in byte [] token);
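Review bot: The parameter name callingUserId on getAuthenticatorId is inconsistent with hasEnrolledFaces(int userId, String opPackageName) two lines above, which names the same kind of value userId. At this layer the argument is simply the user whose authenticator ID is requested, so userId would match the rest of the interface; the comment "Gets the authenticator ID for face" should also be updated to mention the user.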
+1 −1
@@ -85,7 +85,7 @@ interface IFingerprintService {
    boolean hasEnrolledFingerprints(int groupId, String opPackageName);

    // Gets the authenticator ID for fingerprint
    long getAuthenticatorId();
    long getAuthenticatorId(int callingUserId);

    // Reset the timeout when user authenticates with strong auth (e.g. PIN, pattern or password)
    void resetTimeout(in byte [] cryptoToken);
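Review bot: The comment on getAuthenticatorId does not say what kind of ID callingUserId is, and the adjacent hasEnrolledFingerprints(int groupId, String opPackageName) takes a groupId rather than a user ID. Since the commit message describes a work-profile case, please document whether this method expects the profile's own user ID or its group ID, so that callers do not pass one where the other is required.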
+2 −1
@@ -282,9 +282,10 @@ public class AuthService extends SystemService {
            // The permission check should be restored once Android Keystore no longer invokes this
            // method from inside app processes.

            final int callingUserId = UserHandle.getCallingUserId();
            final long identity = Binder.clearCallingIdentity();
            try {
                return mBiometricService.getAuthenticatorIds();
                return mBiometricService.getAuthenticatorIds(callingUserId);
            } finally {
                Binder.restoreCallingIdentity(identity);
            }
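Review bot: The fix depends on UserHandle.getCallingUserId() being evaluated before Binder.clearCallingIdentity(), but nothing at the new "final int callingUserId" line says so, and the existing comment block above it only discusses the missing permission check. Please add a short comment stating that the user ID must be captured before the calling identity is cleared, so a later refactor does not move it inside the try block. The Test section of the commit message lists manual steps only; an automated test that calls this path from a non-primary user would keep the ordering from regressing.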