3 files changed, 24 insertions, 7 deletions
diff --git a/core/java/android/hardware/biometrics/BiometricManager.java b/core/java/android/hardware/biometrics/BiometricManager.java
index e385cd2b7ecd..a778c246ce1b 100644
--- a/core/java/android/hardware/biometrics/BiometricManager.java
+++ b/core/java/android/hardware/biometrics/BiometricManager.java
@@ -26,7 +26,7 @@ import android.annotation.SystemApi;
 import android.annotation.SystemService;
 import android.content.Context;
 import android.os.RemoteException;
-import android.security.keystore.KeyGenParameterSpec;
+import android.os.UserHandle;
 import android.security.keystore.KeyProperties;
 import android.util.Slog;
@@ -334,11 +334,23 @@ public class BiometricManager {
 * in Keystore land as SIDs, and are used during key generation.
 * @hide
 */
- @RequiresPermission(USE_BIOMETRIC_INTERNAL)
 public long[] getAuthenticatorIds() {
+ return getAuthenticatorIds(UserHandle.getCallingUserId());
+ }
+
+ /**
+ * Get a list of AuthenticatorIDs for biometric authenticators which have 1) enrolled templates,
+ * and 2) meet the requirements for integrating with Keystore. The AuthenticatorIDs are known
+ * in Keystore land as SIDs, and are used during key generation.
+ *
+ * @param userId Android user ID for user to look up.
+ *
+ * @hide
+ */
+ public long[] getAuthenticatorIds(int userId) {
 if (mService != null) {
 try {
- return mService.getAuthenticatorIds();
+ return mService.getAuthenticatorIds(userId);
 } catch (RemoteException e) {
 throw e.rethrowFromSystemServer();
 }
@@ -347,6 +359,5 @@ public class BiometricManager {
 return new long[0];
 }
 }
-
 }
diff --git a/core/java/android/hardware/biometrics/IAuthService.aidl b/core/java/android/hardware/biometrics/IAuthService.aidl
index a6f6c1ea0293..3542482927cb 100644
--- a/core/java/android/hardware/biometrics/IAuthService.aidl
+++ b/core/java/android/hardware/biometrics/IAuthService.aidl
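Review bot: In the no-argument `getAuthenticatorIds()` of BiometricManager.java, `UserHandle.getCallingUserId()` is derived from the Binder calling identity, so on a thread that is servicing an incoming binder call it names the remote caller's user rather than the user this process runs as. If the intent is "the user of the current process", `return getAuthenticatorIds(UserHandle.myUserId());` states that directly and keeps a privileged process from looking up another user's SIDs by accident. The Javadoc of the new `getAuthenticatorIds(int userId)` should also record the permission rule, for example `@throws SecurityException if userId is not the calling user and the caller lacks USE_BIOMETRIC_INTERNAL`, because the `@RequiresPermission` line removed in this hunk was the only client-side statement of that requirement visible here.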
@@ -55,5 +55,7 @@ interface IAuthService {
 // Get a list of AuthenticatorIDs for authenticators which have enrolled templates and meet
 // the requirements for integrating with Keystore. The AuthenticatorID are known in Keystore
 // land as SIDs, and are used during key generation.
- long[] getAuthenticatorIds();
+ // If userId is not equal to the calling user ID, the caller must have the
+ // USE_BIOMETRIC_INTERNAL permission.
+ long[] getAuthenticatorIds(in int userId);
 }
diff --git a/services/core/java/com/android/server/biometrics/AuthService.java b/services/core/java/com/android/server/biometrics/AuthService.java
index 131267924179..8fd8b5c2cded 100644
--- a/services/core/java/com/android/server/biometrics/AuthService.java
+++ b/services/core/java/com/android/server/biometrics/AuthService.java
@@ -289,7 +289,7 @@ public class AuthService extends SystemService {
 }
 @Override
- public long[] getAuthenticatorIds() throws RemoteException {
+ public long[] getAuthenticatorIds(int userId) throws RemoteException {
 // In this method, we're not checking whether the caller is permitted to use face
 // API because current authenticator ID is leaked (in a more contrived way) via Android
 // Keystore (android.security.keystore package): the user of that API can create a key
@@ -307,9 +307,13 @@ public class AuthService extends SystemService {
 // method from inside app processes.
 final int callingUserId = UserHandle.getCallingUserId();
+ if (userId != callingUserId) {
+ getContext().enforceCallingOrSelfPermission(USE_BIOMETRIC_INTERNAL,
+ "Must have " + USE_BIOMETRIC_INTERNAL + " permission.");
+ }
 final long identity = Binder.clearCallingIdentity();
 try {
- return mBiometricService.getAuthenticatorIds(callingUserId);
+ return mBiometricService.getAuthenticatorIds(userId);
 } finally {
 Binder.restoreCallingIdentity(identity);
 } |
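Review bot: The comment block above the new check in AuthService.java still reads as the rationale for doing no caller check at all, which only holds for the same-user lookup now that `userId` is caller-supplied. It should gain a line such as `// Cross-user lookups (userId != callingUserId) are gated on USE_BIOMETRIC_INTERNAL below.` so the next reader does not take the check for redundant. The check is rightly placed before `Binder.clearCallingIdentity()`, and a short why-comment saying so would guard against it being moved into the `try`. `userId` is then forwarded to `mBiometricService.getAuthenticatorIds` as given, so unless pseudo-user values are rejected further down (not visible here), a negative or otherwise invalid ID from a permission-holding caller reaches the lookup unvalidated. The method body starts and ends outside these two hunks.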