Merge "Clear identity when checking strongauth flags" into rvc-qpr-dev

author: Kevin Chyn <kchyn@google.com> 2020-07-20 20:36:24 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2020-07-20 20:36:24 +0000
commit: 90c7090ebf2f9285beaada8b91a2f9b6d56e0250 (patch)
tree: b896fce815dda6bc6db98e02bcc58de279cd3f7d
parent: cfeb7627b760ff0caf4c0f2746657bcbec54b2ed (diff)
parent: c4bbfd14a128cb3572e5db3872659c04b8202639 (diff)
1 files changed, 16 insertions, 7 deletions
diff --git a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
index a53fe47e4d3f..a90fee6788a8 100644
--- a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
+++ b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
@@ -247,13 +247,22 @@ public class FingerprintService extends BiometricServiceBase {
         public void authenticate(final IBinder token, final long opId, final int userId,
                 final IFingerprintServiceReceiver receiver, final int flags,
                 final String opPackageName) {
-            if (Utils.isUserEncryptedOrLockdown(mLockPatternUtils, userId)
-                    && Utils.isKeyguard(getContext(), opPackageName)) {
-                // If this happens, something in KeyguardUpdateMonitor is wrong.
-                // SafetyNet for b/79776455
-                EventLog.writeEvent(0x534e4554, "79776455");
-                Slog.e(TAG, "Authenticate invoked when user is encrypted or lockdown");
-                return;
+            // Keyguard check must be done on the caller's binder identity, since it also checks
+            // permission.
+            final boolean isKeyguard = Utils.isKeyguard(getContext(), opPackageName);
+
+            // Clear calling identity when checking LockPatternUtils for StrongAuth flags.
+            final long identity = Binder.clearCallingIdentity();
+            try {
+                if (isKeyguard && Utils.isUserEncryptedOrLockdown(mLockPatternUtils, userId)) {
+                    // If this happens, something in KeyguardUpdateMonitor is wrong.
+                    // SafetyNet for b/79776455
+                    EventLog.writeEvent(0x534e4554, "79776455");
+                    Slog.e(TAG, "Authenticate invoked when user is encrypted or lockdown");
+                    return;
+                }
+            } finally {
+                Binder.restoreCallingIdentity(identity);
             }
 
             updateActiveGroup(userId, opPackageName);
author	Kevin Chyn <kchyn@google.com>	2020-07-20 20:36:24 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2020-07-20 20:36:24 +0000
commit	90c7090ebf2f9285beaada8b91a2f9b6d56e0250 (patch)
tree	b896fce815dda6bc6db98e02bcc58de279cd3f7d
parent	cfeb7627b760ff0caf4c0f2746657bcbec54b2ed (diff)
parent	c4bbfd14a128cb3572e5db3872659c04b8202639 (diff)