diff options
| author | 2022-03-23 18:29:52 +0000 | |
|---|---|---|
| committer | 2022-03-30 19:48:36 +0000 | |
| commit | f8d398ab113b751210ba8cc90d506f1c7821a25f (patch) | |
| tree | 6e5abf93127539f421f191f313f2f74c74ee130b | |
| parent | fe6bf4186a58cee524d17dca9c1585957f363843 (diff) | |
Add attribution tags to FingerprintService
FingerprintManager picks up the client app's attribution tag and sends
it to FingerprintService, which uses it in calls to
AppOpsManager#noteOp.
Bug: 226171374
Test: FingerprintManagerTest
Test: FingerprintServiceTest
Change-Id: Ieb2393b5d8d2f9103f044bd598e9a401ad7ef4c1
3 files changed, 89 insertions, 38 deletions
diff --git a/core/java/android/hardware/fingerprint/FingerprintManager.java b/core/java/android/hardware/fingerprint/FingerprintManager.java index 29221b801ef6..6d2cdf3cfadc 100644 --- a/core/java/android/hardware/fingerprint/FingerprintManager.java +++ b/core/java/android/hardware/fingerprint/FingerprintManager.java @@ -594,8 +594,16 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing mAuthenticationCallback = callback; mCryptoObject = crypto; final long operationId = crypto != null ? crypto.getOpId() : 0; - final long authId = mService.authenticate(mToken, operationId, sensorId, userId, - mServiceReceiver, mContext.getOpPackageName(), ignoreEnrollmentState); + final long authId = + mService.authenticate( + mToken, + operationId, + sensorId, + userId, + mServiceReceiver, + mContext.getOpPackageName(), + mContext.getAttributionTag(), + ignoreEnrollmentState); if (cancel != null) { cancel.setOnCancelListener(new OnAuthenticationCancelListener(authId)); } @@ -838,7 +846,8 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553) public List<Fingerprint> getEnrolledFingerprints(int userId) { if (mService != null) try { - return mService.getEnrolledFingerprints(userId, mContext.getOpPackageName()); + return mService.getEnrolledFingerprints( + userId, mContext.getOpPackageName(), mContext.getAttributionTag()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -997,7 +1006,8 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing INTERACT_ACROSS_USERS}) public boolean hasEnrolledFingerprints(int userId) { if (mService != null) try { - return mService.hasEnrolledFingerprintsDeprecated(userId, mContext.getOpPackageName()); + return mService.hasEnrolledFingerprintsDeprecated( + userId, mContext.getOpPackageName(), mContext.getAttributionTag()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -1021,7 +1031,8 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing if (mService != null) { try { - return mService.isHardwareDetectedDeprecated(mContext.getOpPackageName()); + return mService.isHardwareDetectedDeprecated( + mContext.getOpPackageName(), mContext.getAttributionTag()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } @@ -1331,7 +1342,11 @@ public class FingerprintManager implements BiometricAuthenticator, BiometricFing private void cancelAuthentication(long requestId) { if (mService != null) try { - mService.cancelAuthentication(mToken, mContext.getOpPackageName(), requestId); + mService.cancelAuthentication( + mToken, + mContext.getOpPackageName(), + mContext.getAttributionTag(), + requestId); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } diff --git a/core/java/android/hardware/fingerprint/IFingerprintService.aidl b/core/java/android/hardware/fingerprint/IFingerprintService.aidl index 12114aa3fa33..d60bb6ef1543 100644 --- a/core/java/android/hardware/fingerprint/IFingerprintService.aidl +++ b/core/java/android/hardware/fingerprint/IFingerprintService.aidl @@ -52,7 +52,7 @@ interface IFingerprintService { // permission. This is effectively deprecated, since it only comes through FingerprintManager // now. A requestId is returned that can be used to cancel this operation. long authenticate(IBinder token, long operationId, int sensorId, int userId, - IFingerprintServiceReceiver receiver, String opPackageName, + IFingerprintServiceReceiver receiver, String opPackageName, String attributionTag, boolean shouldIgnoreEnrollmentState); // Uses the fingerprint hardware to detect for the presence of a finger, without giving details @@ -74,7 +74,7 @@ interface IFingerprintService { void startPreparedClient(int sensorId, int cookie); // Cancel authentication for the given requestId. - void cancelAuthentication(IBinder token, String opPackageName, long requestId); + void cancelAuthentication(IBinder token, String opPackageName, String attributionTag, long requestId); // Cancel finger detection for the given requestId. void cancelFingerprintDetect(IBinder token, String opPackageName, long requestId); @@ -101,10 +101,10 @@ interface IFingerprintService { void rename(int fingerId, int userId, String name); // Get a list of enrolled fingerprints in the given userId. - List<Fingerprint> getEnrolledFingerprints(int userId, String opPackageName); + List<Fingerprint> getEnrolledFingerprints(int userId, String opPackageName, String attributionTag); // Determine if the HAL is loaded and ready. Meant to support the deprecated FingerprintManager APIs - boolean isHardwareDetectedDeprecated(String opPackageName); + boolean isHardwareDetectedDeprecated(String opPackageName, String attributionTag); // Determine if the specified HAL is loaded and ready boolean isHardwareDetected(int sensorId, String opPackageName); @@ -116,7 +116,7 @@ interface IFingerprintService { void revokeChallenge(IBinder token, int sensorId, int userId, String opPackageName, long challenge); // Determine if a user has at least one enrolled fingerprint. Meant to support the deprecated FingerprintManager APIs - boolean hasEnrolledFingerprintsDeprecated(int userId, String opPackageName); + boolean hasEnrolledFingerprintsDeprecated(int userId, String opPackageName, String attributionTag); // Determine if a user has at least one enrolled fingerprint. boolean hasEnrolledFingerprints(int sensorId, int userId, String opPackageName); diff --git a/services/core/java/com/android/server/biometrics/sensors/fingerprint/FingerprintService.java b/services/core/java/com/android/server/biometrics/sensors/fingerprint/FingerprintService.java index e8d8fb828542..5727ffc468df 100644 --- a/services/core/java/com/android/server/biometrics/sensors/fingerprint/FingerprintService.java +++ b/services/core/java/com/android/server/biometrics/sensors/fingerprint/FingerprintService.java @@ -280,15 +280,26 @@ public class FingerprintService extends SystemService { @SuppressWarnings("deprecation") @Override // Binder call - public long authenticate(final IBinder token, final long operationId, - final int sensorId, final int userId, final IFingerprintServiceReceiver receiver, - final String opPackageName, boolean ignoreEnrollmentState) { + public long authenticate( + final IBinder token, + final long operationId, + final int sensorId, + final int userId, + final IFingerprintServiceReceiver receiver, + final String opPackageName, + final String attributionTag, + boolean ignoreEnrollmentState) { final int callingUid = Binder.getCallingUid(); final int callingPid = Binder.getCallingPid(); final int callingUserId = UserHandle.getCallingUserId(); - if (!canUseFingerprint(opPackageName, true /* requireForeground */, callingUid, - callingPid, callingUserId)) { + if (!canUseFingerprint( + opPackageName, + attributionTag, + true /* requireForeground */, + callingUid, + callingPid, + callingUserId)) { Slog.w(TAG, "Authenticate rejecting package: " + opPackageName); return -1; } @@ -487,16 +498,23 @@ public class FingerprintService extends SystemService { provider.startPreparedClient(sensorId, cookie); } - @Override // Binder call - public void cancelAuthentication(final IBinder token, final String opPackageName, + public void cancelAuthentication( + final IBinder token, + final String opPackageName, + final String attributionTag, long requestId) { final int callingUid = Binder.getCallingUid(); final int callingPid = Binder.getCallingPid(); final int callingUserId = UserHandle.getCallingUserId(); - if (!canUseFingerprint(opPackageName, true /* requireForeground */, callingUid, - callingPid, callingUserId)) { + if (!canUseFingerprint( + opPackageName, + attributionTag, + true /* requireForeground */, + callingUid, + callingPid, + callingUserId)) { Slog.w(TAG, "cancelAuthentication rejecting package: " + opPackageName); return; } @@ -645,9 +663,13 @@ public class FingerprintService extends SystemService { } @Override // Binder call - public boolean isHardwareDetectedDeprecated(String opPackageName) { - if (!canUseFingerprint(opPackageName, false /* foregroundOnly */, - Binder.getCallingUid(), Binder.getCallingPid(), + public boolean isHardwareDetectedDeprecated(String opPackageName, String attributionTag) { + if (!canUseFingerprint( + opPackageName, + attributionTag, + false /* foregroundOnly */, + Binder.getCallingUid(), + Binder.getCallingPid(), UserHandle.getCallingUserId())) { return false; } @@ -696,9 +718,14 @@ public class FingerprintService extends SystemService { } @Override // Binder call - public List<Fingerprint> getEnrolledFingerprints(int userId, String opPackageName) { - if (!canUseFingerprint(opPackageName, false /* foregroundOnly */, - Binder.getCallingUid(), Binder.getCallingPid(), + public List<Fingerprint> getEnrolledFingerprints( + int userId, String opPackageName, String attributionTag) { + if (!canUseFingerprint( + opPackageName, + attributionTag, + false /* foregroundOnly */, + Binder.getCallingUid(), + Binder.getCallingPid(), UserHandle.getCallingUserId())) { return Collections.emptyList(); } @@ -711,9 +738,14 @@ public class FingerprintService extends SystemService { } @Override // Binder call - public boolean hasEnrolledFingerprintsDeprecated(int userId, String opPackageName) { - if (!canUseFingerprint(opPackageName, false /* foregroundOnly */, - Binder.getCallingUid(), Binder.getCallingPid(), + public boolean hasEnrolledFingerprintsDeprecated( + int userId, String opPackageName, String attributionTag) { + if (!canUseFingerprint( + opPackageName, + attributionTag, + false /* foregroundOnly */, + Binder.getCallingUid(), + Binder.getCallingPid(), UserHandle.getCallingUserId())) { return false; } @@ -1093,12 +1125,15 @@ public class FingerprintService extends SystemService { return provider.second.getEnrolledFingerprints(provider.first, userId); } - /** - * Checks for public API invocations to ensure that permissions, etc are granted/correct. - */ + /** Checks for public API invocations to ensure that permissions, etc are granted/correct. */ @SuppressWarnings("BooleanMethodIsAlwaysInverted") - private boolean canUseFingerprint(String opPackageName, boolean requireForeground, int uid, - int pid, int userId) { + private boolean canUseFingerprint( + String opPackageName, + String attributionTag, + boolean requireForeground, + int uid, + int pid, + int userId) { if (getContext().checkCallingPermission(USE_FINGERPRINT) != PackageManager.PERMISSION_GRANTED) { Utils.checkPermission(getContext(), USE_BIOMETRIC); @@ -1114,7 +1149,7 @@ public class FingerprintService extends SystemService { Slog.w(TAG, "Rejecting " + opPackageName + "; not a current user or profile"); return false; } - if (!checkAppOps(uid, opPackageName)) { + if (!checkAppOps(uid, opPackageName, attributionTag)) { Slog.w(TAG, "Rejecting " + opPackageName + "; permission denied"); return false; } @@ -1125,12 +1160,13 @@ public class FingerprintService extends SystemService { return true; } - private boolean checkAppOps(int uid, String opPackageName) { + private boolean checkAppOps(int uid, String opPackageName, String attributionTag) { boolean appOpsOk = false; - if (mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName) + if (mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName, attributionTag, null) == AppOpsManager.MODE_ALLOWED) { appOpsOk = true; - } else if (mAppOps.noteOp(AppOpsManager.OP_USE_FINGERPRINT, uid, opPackageName) + } else if (mAppOps.noteOp( + AppOpsManager.OP_USE_FINGERPRINT, uid, opPackageName, attributionTag, null) == AppOpsManager.MODE_ALLOWED) { appOpsOk = true; } |