diff options
| -rw-r--r-- | services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java index a53fe47e4d3f..a90fee6788a8 100644 --- a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java +++ b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java @@ -247,13 +247,22 @@ public class FingerprintService extends BiometricServiceBase { public void authenticate(final IBinder token, final long opId, final int userId, final IFingerprintServiceReceiver receiver, final int flags, final String opPackageName) { - if (Utils.isUserEncryptedOrLockdown(mLockPatternUtils, userId) - && Utils.isKeyguard(getContext(), opPackageName)) { - // If this happens, something in KeyguardUpdateMonitor is wrong. - // SafetyNet for b/79776455 - EventLog.writeEvent(0x534e4554, "79776455"); - Slog.e(TAG, "Authenticate invoked when user is encrypted or lockdown"); - return; + // Keyguard check must be done on the caller's binder identity, since it also checks + // permission. + final boolean isKeyguard = Utils.isKeyguard(getContext(), opPackageName); + + // Clear calling identity when checking LockPatternUtils for StrongAuth flags. + final long identity = Binder.clearCallingIdentity(); + try { + if (isKeyguard && Utils.isUserEncryptedOrLockdown(mLockPatternUtils, userId)) { + // If this happens, something in KeyguardUpdateMonitor is wrong. + // SafetyNet for b/79776455 + EventLog.writeEvent(0x534e4554, "79776455"); + Slog.e(TAG, "Authenticate invoked when user is encrypted or lockdown"); + return; + } + } finally { + Binder.restoreCallingIdentity(identity); } updateActiveGroup(userId, opPackageName); |