Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 91bb4412 authored by [6;7~'s avatar [6;7~
Browse files

Specify UID in getAuthenticatorIds 

Allow the caller to get authenticator IDs for a specific UID. If
that UID is not the caller UID the USE_BIOMETRIC_INTERNAL permission
is required; this is enforced by AuthService.

Test: aosp/1686345
Bug: 163866361
Change-Id: I0eef28ecefb85f1c10a73a354d08c38087d59814
parent 8d2cf97e

core/java/android/hardware/biometrics/BiometricManager.java

+15 −1
Original line number Original line Diff line number Diff line
@@ -33,6 +33,7 @@ import android.annotation.TestApi; 
import android.content.Context;

import android.content.Context;

import android.os.IBinder;

import android.os.IBinder;

import android.os.RemoteException;

import android.os.RemoteException;

import android.os.UserHandle;

import android.security.keystore.KeyProperties;

import android.security.keystore.KeyProperties;

import android.util.Slog;

import android.util.Slog;
@@ -556,9 +557,22 @@ public class BiometricManager { 
     * @hide

     * @hide

     */

     */

    public long[] getAuthenticatorIds() {

    public long[] getAuthenticatorIds() {

        return getAuthenticatorIds(UserHandle.getCallingUserId());

    }



    /**

     * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates,

     * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known

     * in Keystore land as SIDs, and are used during key generation.

     *

     * @param userId Android user ID for user to look up.

     *

     * @hide

     */

    public long[] getAuthenticatorIds(int userId) {

        if (mService != null) {

        if (mService != null) {

            try {

            try {

                return mService.getAuthenticatorIds();

                return mService.getAuthenticatorIds(userId);

            } catch (RemoteException e) {

            } catch (RemoteException e) {

                throw e.rethrowFromSystemServer();

                throw e.rethrowFromSystemServer();

            }

            }

core/java/android/hardware/biometrics/IAuthService.aidl

+3 −1
Original line number Original line Diff line number Diff line
@@ -67,7 +67,9 @@ interface IAuthService { 
    // Get a list of AuthenticatorIDs for authenticators which have enrolled templates and meet

    // Get a list of AuthenticatorIDs for authenticators which have enrolled templates and meet

    // the requirements for integrating with Keystore. The AuthenticatorID are known in Keystore

    // the requirements for integrating with Keystore. The AuthenticatorID are known in Keystore

    // land as SIDs, and are used during key generation.

    // land as SIDs, and are used during key generation.

    long[] getAuthenticatorIds();

    // If userId is not equal to the calling user ID, the caller must have the

    // USE_BIOMETRIC_INTERNAL permission.

    long[] getAuthenticatorIds(in int userId);





    // See documentation in BiometricManager.

    // See documentation in BiometricManager.

    void resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, int userId,

    void resetLockoutTimeBound(IBinder token, String opPackageName, int fromSensorId, int userId,

services/core/java/com/android/server/biometrics/AuthService.java

+6 −2
Original line number Original line Diff line number Diff line
@@ -337,7 +337,7 @@ public class AuthService extends SystemService { 
        }

        }





        @Override

        @Override

        public long[] getAuthenticatorIds() throws RemoteException {

        public long[] getAuthenticatorIds(int userId) throws RemoteException {

            // In this method, we're not checking whether the caller is permitted to use face

            // In this method, we're not checking whether the caller is permitted to use face

            // API because current authenticator ID is leaked (in a more contrived way) via Android

            // API because current authenticator ID is leaked (in a more contrived way) via Android

            // Keystore (android.security.keystore package): the user of that API can create a key

            // Keystore (android.security.keystore package): the user of that API can create a key
@@ -355,9 +355,13 @@ public class AuthService extends SystemService { 
            // method from inside app processes.

            // method from inside app processes.





            final int callingUserId = UserHandle.getCallingUserId();

            final int callingUserId = UserHandle.getCallingUserId();

            if (userId != callingUserId) {

                getContext().enforceCallingOrSelfPermission(USE_BIOMETRIC_INTERNAL,

                        "Must have " + USE_BIOMETRIC_INTERNAL + " permission.");

            }

            final long identity = Binder.clearCallingIdentity();

            final long identity = Binder.clearCallingIdentity();

            try {

            try {

                return mBiometricService.getAuthenticatorIds(callingUserId);

                return mBiometricService.getAuthenticatorIds(userId);

            } finally {

            } finally {

                Binder.restoreCallingIdentity(identity);

                Binder.restoreCallingIdentity(identity);

            }

            }