4 files changed, 29 insertions, 21 deletions

diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index fd92174a8023..9c47e795c81d 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -429,8 +429,8 @@ public class AppOpsManager {
     /** @hide */
     @UnsupportedAppUsage
     public static final int OP_BLUETOOTH_SCAN = 77;
-    /** @hide Use the face authentication API. */
-    public static final int OP_USE_FACE = 78;
+    /** @hide Use the BiometricPrompt/BiometricManager APIs. */
+    public static final int OP_USE_BIOMETRIC = 78;
     /** @hide */
     @UnsupportedAppUsage
     public static final int _NUM_OP = 79;
@@ -678,8 +678,8 @@ public class AppOpsManager {
     /** @hide */
     public static final String OPSTR_BLUETOOTH_SCAN = "android:bluetooth_scan";
 
-    /** @hide Use the face authentication API. */
-    public static final String OPSTR_USE_FACE = "android:use_face";
+    /** @hide Use the BiometricPrompt/BiometricManager APIs. */
+    public static final String OPSTR_USE_BIOMETRIC = "android:use_biometric";
 
     // Warning: If an permission is added here it also has to be added to
     // com.android.packageinstaller.permission.utils.EventLogger
@@ -818,7 +818,7 @@ public class AppOpsManager {
             OP_MANAGE_IPSEC_TUNNELS,            // MANAGE_IPSEC_HANDOVERS
             OP_START_FOREGROUND,                // START_FOREGROUND
             OP_COARSE_LOCATION,                 // BLUETOOTH_SCAN
-            OP_USE_FACE,                        // FACE
+            OP_USE_BIOMETRIC,                   // BIOMETRIC
     };
 
     /**
@@ -903,7 +903,7 @@ public class AppOpsManager {
             OPSTR_MANAGE_IPSEC_TUNNELS,
             OPSTR_START_FOREGROUND,
             OPSTR_BLUETOOTH_SCAN,
-            OPSTR_USE_FACE,
+            OPSTR_USE_BIOMETRIC,
     };
 
     /**
@@ -989,7 +989,7 @@ public class AppOpsManager {
             "MANAGE_IPSEC_TUNNELS",
             "START_FOREGROUND",
             "BLUETOOTH_SCAN",
-            "USE_FACE",
+            "USE_BIOMETRIC",
     };
 
     /**
@@ -1163,7 +1163,7 @@ public class AppOpsManager {
             null, // MANAGE_IPSEC_TUNNELS
             null, // START_FOREGROUND
             null, // maybe should be UserManager.DISALLOW_SHARE_LOCATION, //BLUETOOTH_SCAN
-            null, // USE_FACE
+            null, // USE_BIOMETRIC
     };
 
     /**
@@ -1249,7 +1249,7 @@ public class AppOpsManager {
             false, // MANAGE_IPSEC_HANDOVERS
             false, // START_FOREGROUND
             true, // BLUETOOTH_SCAN
-            false, // USE_FACE
+            false, // USE_BIOMETRIC
     };
 
     /**
@@ -1334,7 +1334,7 @@ public class AppOpsManager {
             AppOpsManager.MODE_ERRORED,  // MANAGE_IPSEC_TUNNELS
             AppOpsManager.MODE_ALLOWED,  // OP_START_FOREGROUND
             AppOpsManager.MODE_ALLOWED,  // OP_BLUETOOTH_SCAN
-            AppOpsManager.MODE_ALLOWED,  // USE_FACE
+            AppOpsManager.MODE_ALLOWED,  // USE_BIOMETRIC
     };
 
     /**
@@ -1423,7 +1423,7 @@ public class AppOpsManager {
             false, // MANAGE_IPSEC_TUNNELS
             false, // START_FOREGROUND
             false, // BLUETOOTH_SCAN
-            false, // USE_FACE
+            false, // USE_BIOMETRIC
     };
 
     /**
diff --git a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
index b3c7c19eee71..6a2219366c8a 100644
--- a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
+++ b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
@@ -84,7 +84,6 @@ public abstract class BiometricServiceBase extends SystemService
 
     private final Context mContext;
     private final String mKeyguardPackage;
-    private final AppOpsManager mAppOps;
     private final SparseBooleanArray mTimedLockoutCleared;
     private final SparseIntArray mFailedAttempts;
     private final IActivityTaskManager mActivityTaskManager;
@@ -102,6 +101,7 @@ public abstract class BiometricServiceBase extends SystemService
             Collections.synchronizedMap(new HashMap<>());
     protected final ResetFailedAttemptsForUserRunnable mResetFailedAttemptsForCurrentUserRunnable =
             new ResetFailedAttemptsForUserRunnable();
+    protected final AppOpsManager mAppOps;
     protected final H mHandler = new H();
 
     private ClientMonitor mCurrentClient;
@@ -206,11 +206,9 @@ public abstract class BiometricServiceBase extends SystemService
     protected abstract void checkUseBiometricPermission();
 
     /**
-     * @return Returns one of the {@link AppOpsManager} constants which pertains to the specific
-     *         biometric service.
+     * Checks if the caller passes the app ops check
      */
-    protected abstract int getAppOp();
-
+    protected abstract boolean checkAppOps(int uid, String opPackageName);
 
     /**
      * Notifies clients of any change in the biometric state (active / idle). This is mainly for
@@ -822,10 +820,11 @@ public abstract class BiometricServiceBase extends SystemService
             Slog.w(getTag(), "Rejecting " + opPackageName + "; not a current user or profile");
             return false;
         }
-        if (mAppOps.noteOp(getAppOp(), uid, opPackageName) != AppOpsManager.MODE_ALLOWED) {
+        if (!checkAppOps(uid, opPackageName)) {
             Slog.w(getTag(), "Rejecting " + opPackageName + "; permission denied");
             return false;
         }
+
         if (requireForeground && !(isForegroundActivity(uid, pid) || isCurrentClient(
                 opPackageName))) {
             Slog.w(getTag(), "Rejecting " + opPackageName + "; not in foreground");
diff --git a/services/core/java/com/android/server/biometrics/face/FaceService.java b/services/core/java/com/android/server/biometrics/face/FaceService.java
index 75cdcf07fa22..d6f618638c15 100644
--- a/services/core/java/com/android/server/biometrics/face/FaceService.java
+++ b/services/core/java/com/android/server/biometrics/face/FaceService.java
@@ -730,8 +730,9 @@ public class FaceService extends BiometricServiceBase {
     }
 
     @Override
-    protected int getAppOp() {
-        return AppOpsManager.OP_USE_FACE;
+    protected boolean checkAppOps(int uid, String opPackageName) {
+        return mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName)
+                == AppOpsManager.MODE_ALLOWED;
     }
 
     @Override
diff --git a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
index d3ae0642221e..b0b788fbe589 100644
--- a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
+++ b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
@@ -902,8 +902,16 @@ public class FingerprintService extends BiometricServiceBase {
     }
 
     @Override
-    protected int getAppOp() {
-        return AppOpsManager.OP_USE_FINGERPRINT;
+    protected boolean checkAppOps(int uid, String opPackageName) {
+        boolean appOpsOk = false;
+        if (mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName)
+                == AppOpsManager.MODE_ALLOWED) {
+            appOpsOk = true;
+        } else if (mAppOps.noteOp(AppOpsManager.OP_USE_FINGERPRINT, uid, opPackageName)
+                == AppOpsManager.MODE_ALLOWED) {
+            appOpsOk = true;
+        }
+        return appOpsOk;
     }
 
     @Override