-rw-r--r--core/java/android/app/AppOpsManager.java22
-rw-r--r--core/java/android/hardware/biometrics/BiometricManager.java2
-rw-r--r--core/java/android/hardware/biometrics/IBiometricService.aidl2
-rw-r--r--services/core/java/com/android/server/biometrics/BiometricService.java17
-rw-r--r--services/core/java/com/android/server/biometrics/BiometricServiceBase.java11
-rw-r--r--services/core/java/com/android/server/biometrics/face/FaceService.java5
-rw-r--r--services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java12
7 files changed, 44 insertions, 27 deletions
diff --git a/core/java/android/app/AppOpsManager.java b/core/java/android/app/AppOpsManager.java
index fd92174a8023..9c47e795c81d 100644
--- a/core/java/android/app/AppOpsManager.java
+++ b/core/java/android/app/AppOpsManager.java
@@ -429,8 +429,8 @@ public class AppOpsManager {
/** @hide */
@UnsupportedAppUsage
public static final int OP_BLUETOOTH_SCAN = 77;
- /** @hide Use the face authentication API. */
- public static final int OP_USE_FACE = 78;
+ /** @hide Use the BiometricPrompt/BiometricManager APIs. */
+ public static final int OP_USE_BIOMETRIC = 78;
/** @hide */
@UnsupportedAppUsage
public static final int _NUM_OP = 79;
@@ -678,8 +678,8 @@ public class AppOpsManager {
/** @hide */
public static final String OPSTR_BLUETOOTH_SCAN = "android:bluetooth_scan";
- /** @hide Use the face authentication API. */
- public static final String OPSTR_USE_FACE = "android:use_face";
+ /** @hide Use the BiometricPrompt/BiometricManager APIs. */
+ public static final String OPSTR_USE_BIOMETRIC = "android:use_biometric";
// Warning: If an permission is added here it also has to be added to
// com.android.packageinstaller.permission.utils.EventLogger
@@ -818,7 +818,7 @@ public class AppOpsManager {
OP_MANAGE_IPSEC_TUNNELS, // MANAGE_IPSEC_HANDOVERS
OP_START_FOREGROUND, // START_FOREGROUND
OP_COARSE_LOCATION, // BLUETOOTH_SCAN
- OP_USE_FACE, // FACE
+ OP_USE_BIOMETRIC, // BIOMETRIC
};
/**
@@ -903,7 +903,7 @@ public class AppOpsManager {
OPSTR_MANAGE_IPSEC_TUNNELS,
OPSTR_START_FOREGROUND,
OPSTR_BLUETOOTH_SCAN,
- OPSTR_USE_FACE,
+ OPSTR_USE_BIOMETRIC,
};
/**
@@ -989,7 +989,7 @@ public class AppOpsManager {
"MANAGE_IPSEC_TUNNELS",
"START_FOREGROUND",
"BLUETOOTH_SCAN",
- "USE_FACE",
+ "USE_BIOMETRIC",
};
/**
@@ -1163,7 +1163,7 @@ public class AppOpsManager {
null, // MANAGE_IPSEC_TUNNELS
null, // START_FOREGROUND
null, // maybe should be UserManager.DISALLOW_SHARE_LOCATION, //BLUETOOTH_SCAN
- null, // USE_FACE
+ null, // USE_BIOMETRIC
};
/**
@@ -1249,7 +1249,7 @@ public class AppOpsManager {
false, // MANAGE_IPSEC_HANDOVERS
false, // START_FOREGROUND
true, // BLUETOOTH_SCAN
- false, // USE_FACE
+ false, // USE_BIOMETRIC
};
/**
@@ -1334,7 +1334,7 @@ public class AppOpsManager {
AppOpsManager.MODE_ERRORED, // MANAGE_IPSEC_TUNNELS
AppOpsManager.MODE_ALLOWED, // OP_START_FOREGROUND
AppOpsManager.MODE_ALLOWED, // OP_BLUETOOTH_SCAN
- AppOpsManager.MODE_ALLOWED, // USE_FACE
+ AppOpsManager.MODE_ALLOWED, // USE_BIOMETRIC
};
/**
@@ -1423,7 +1423,7 @@ public class AppOpsManager {
false, // MANAGE_IPSEC_TUNNELS
false, // START_FOREGROUND
false, // BLUETOOTH_SCAN
- false, // USE_FACE
+ false, // USE_BIOMETRIC
};
/**
diff --git a/core/java/android/hardware/biometrics/BiometricManager.java b/core/java/android/hardware/biometrics/BiometricManager.java
index 36e978b77cab..eea5f9ba9835 100644
--- a/core/java/android/hardware/biometrics/BiometricManager.java
+++ b/core/java/android/hardware/biometrics/BiometricManager.java
@@ -48,7 +48,7 @@ public class BiometricManager {
@RequiresPermission(USE_BIOMETRIC)
public boolean hasEnrolledBiometrics() {
try {
- return mService.hasEnrolledBiometrics();
+ return mService.hasEnrolledBiometrics(mContext.getOpPackageName());
} catch (RemoteException e) {
return false;
}
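Review bot: A denied app-op now surfaces to the app as an unchecked `SecurityException` from `hasEnrolledBiometrics()`, because the service side of this commit throws when the `OP_USE_BIOMETRIC` check fails and this wrapper catches only `RemoteException`. The method's Javadoc lies outside the hunk, so I cannot tell whether that is documented. If it is not, add `@throws SecurityException if the caller lacks USE_BIOMETRIC or the app-op is not allowed for the calling package`.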
diff --git a/core/java/android/hardware/biometrics/IBiometricService.aidl b/core/java/android/hardware/biometrics/IBiometricService.aidl
index bfd6941d1583..fd9d5725f921 100644
--- a/core/java/android/hardware/biometrics/IBiometricService.aidl
+++ b/core/java/android/hardware/biometrics/IBiometricService.aidl
@@ -38,5 +38,5 @@ interface IBiometricService {
void cancelAuthentication(IBinder token, String opPackageName);
// Returns true if the user has at least one enrolled biometric.
- boolean hasEnrolledBiometrics();
+ boolean hasEnrolledBiometrics(String opPackageName);
} \ No newline at end of file
diff --git a/services/core/java/com/android/server/biometrics/BiometricService.java b/services/core/java/com/android/server/biometrics/BiometricService.java
index fa22b84f452e..0f68c6889680 100644
--- a/services/core/java/com/android/server/biometrics/BiometricService.java
+++ b/services/core/java/com/android/server/biometrics/BiometricService.java
@@ -19,6 +19,7 @@ package com.android.server.biometrics;
import static android.Manifest.permission.USE_BIOMETRIC;
import static android.Manifest.permission.USE_FINGERPRINT;
+import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.hardware.biometrics.BiometricAuthenticator;
@@ -80,6 +81,7 @@ public class BiometricService extends SystemService {
BIOMETRIC_FACE
};
+ private final AppOpsManager mAppOps;
private final Handler mHandler;
private final boolean mHasFeatureFingerprint;
private final boolean mHasFeatureIris;
@@ -200,14 +202,20 @@ public class BiometricService extends SystemService {
}
@Override // Binder call
- public boolean hasEnrolledBiometrics() {
+ public boolean hasEnrolledBiometrics(String opPackageName) {
checkPermission();
- boolean hasEnrolled = false;
+ if (mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, Binder.getCallingUid(),
+ opPackageName) != AppOpsManager.MODE_ALLOWED) {
+ Slog.w(TAG, "Rejecting " + opPackageName + "; permission denied");
+ throw new SecurityException("Permission denied");
+ }
+
final long ident = Binder.clearCallingIdentity();
+ boolean hasEnrolled = false;
try {
- // Note: On devices with multi-modal authentication, the selection logic will need to
- // be updated.
+ // Note: On devices with multi-modal authentication, the selection logic will need
+ // to be updated.
for (int i = 0; i < mAuthenticators.size(); i++) {
if (mAuthenticators.get(i).getAuthenticator().hasEnrolledTemplates()) {
hasEnrolled = true;
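Review bot: The new app-op check in `hasEnrolledBiometrics` is only correct while it stays above `Binder.clearCallingIdentity()`, since after that call `Binder.getCallingUid()` reports the system server's own uid and the op would be evaluated against the wrong identity. Nothing in the code records that constraint, and this hunk already moves the neighbouring declarations around, so I would put a comment above the `noteOp` call: `// Keep before clearCallingIdentity(): the op must be noted against the calling app's uid.` Note also that `opPackageName` is supplied by the caller and is concatenated into the `Slog.w` message unchanged; as far as this hunk shows, only `noteOp` itself ties it to the calling uid. The method body continues past the end of the hunk.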
@@ -241,6 +249,7 @@ public class BiometricService extends SystemService {
public BiometricService(Context context) {
super(context);
+ mAppOps = context.getSystemService(AppOpsManager.class);
mHandler = new Handler(Looper.getMainLooper());
final PackageManager pm = context.getPackageManager();
diff --git a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
index b3c7c19eee71..6a2219366c8a 100644
--- a/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
+++ b/services/core/java/com/android/server/biometrics/BiometricServiceBase.java
@@ -84,7 +84,6 @@ public abstract class BiometricServiceBase extends SystemService
private final Context mContext;
private final String mKeyguardPackage;
- private final AppOpsManager mAppOps;
private final SparseBooleanArray mTimedLockoutCleared;
private final SparseIntArray mFailedAttempts;
private final IActivityTaskManager mActivityTaskManager;
@@ -102,6 +101,7 @@ public abstract class BiometricServiceBase extends SystemService
Collections.synchronizedMap(new HashMap<>());
protected final ResetFailedAttemptsForUserRunnable mResetFailedAttemptsForCurrentUserRunnable =
new ResetFailedAttemptsForUserRunnable();
+ protected final AppOpsManager mAppOps;
protected final H mHandler = new H();
private ClientMonitor mCurrentClient;
@@ -206,11 +206,9 @@ public abstract class BiometricServiceBase extends SystemService
protected abstract void checkUseBiometricPermission();
/**
- * @return Returns one of the {@link AppOpsManager} constants which pertains to the specific
- * biometric service.
+ * Checks if the caller passes the app ops check
*/
- protected abstract int getAppOp();
-
+ protected abstract boolean checkAppOps(int uid, String opPackageName);
/**
* Notifies clients of any change in the biometric state (active / idle). This is mainly for
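Review bot: The one-line Javadoc on `checkAppOps` leaves out the contract that both implementations in this commit depend on: what `true` means, and that the check is made with `noteOp`, which records an access rather than only querying the mode. I would add `@param uid`, `@param opPackageName` and `@return true if the app-op is allowed for the given uid and package`. `AppOpsManager.noteOp` throws `SecurityException` for `MODE_ERRORED` instead of returning a mode, so the doc should say whether callers of this boolean hook must expect that, or whether implementations should use `noteOpNoThrow`. The blank line that separated this declaration from the next Javadoc block was also dropped.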
@@ -822,10 +820,11 @@ public abstract class BiometricServiceBase extends SystemService
Slog.w(getTag(), "Rejecting " + opPackageName + "; not a current user or profile");
return false;
}
- if (mAppOps.noteOp(getAppOp(), uid, opPackageName) != AppOpsManager.MODE_ALLOWED) {
+ if (!checkAppOps(uid, opPackageName)) {
Slog.w(getTag(), "Rejecting " + opPackageName + "; permission denied");
return false;
}
+
if (requireForeground && !(isForegroundActivity(uid, pid) || isCurrentClient(
opPackageName))) {
Slog.w(getTag(), "Rejecting " + opPackageName + "; not in foreground");
diff --git a/services/core/java/com/android/server/biometrics/face/FaceService.java b/services/core/java/com/android/server/biometrics/face/FaceService.java
index 75cdcf07fa22..d6f618638c15 100644
--- a/services/core/java/com/android/server/biometrics/face/FaceService.java
+++ b/services/core/java/com/android/server/biometrics/face/FaceService.java
@@ -730,8 +730,9 @@ public class FaceService extends BiometricServiceBase {
}
@Override
- protected int getAppOp() {
- return AppOpsManager.OP_USE_FACE;
+ protected boolean checkAppOps(int uid, String opPackageName) {
+ return mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName)
+ == AppOpsManager.MODE_ALLOWED;
}
@Override
diff --git a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
index d3ae0642221e..b0b788fbe589 100644
--- a/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
+++ b/services/core/java/com/android/server/biometrics/fingerprint/FingerprintService.java
@@ -902,8 +902,16 @@ public class FingerprintService extends BiometricServiceBase {
}
@Override
- protected int getAppOp() {
- return AppOpsManager.OP_USE_FINGERPRINT;
+ protected boolean checkAppOps(int uid, String opPackageName) {
+ boolean appOpsOk = false;
+ if (mAppOps.noteOp(AppOpsManager.OP_USE_BIOMETRIC, uid, opPackageName)
+ == AppOpsManager.MODE_ALLOWED) {
+ appOpsOk = true;
+ } else if (mAppOps.noteOp(AppOpsManager.OP_USE_FINGERPRINT, uid, opPackageName)
+ == AppOpsManager.MODE_ALLOWED) {
+ appOpsOk = true;
+ }
+ return appOpsOk;
}
@Override
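Review bot: With this `checkAppOps`, setting `OP_USE_FINGERPRINT` to a non-allowed mode for a package no longer rejects it on its own, because the `OP_USE_BIOMETRIC` branch is tried first and that op's entry in what appears to be the default-mode table in `AppOpsManager` is `MODE_ALLOWED` in this same commit. If "either op is sufficient" is the intended compatibility rule, state it in a comment such as `// Either op is sufficient; a deny on OP_USE_FINGERPRINT alone does not reject the caller.`; if a fingerprint-specific deny should still be honoured, the check needs both ops allowed rather than one. The first `noteOp` also records a `USE_BIOMETRIC` access for callers that only use the fingerprint API, and if it throws for `MODE_ERRORED` the fallback branch is never reached. As a matter of style, the `appOpsOk` local can go: return the `||` of the two `== AppOpsManager.MODE_ALLOWED` comparisons directly.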