Merge "Check permission on clearPassword and other CryptKeeper APIs" into nyc-dev

2016-04-29 14:43:12 +00:00
parent c750474fd1 0bbd108aa1
commit 1658fff3a9
2 changed files with 21 additions and 3 deletions
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -1281,8 +1281,14 @@ public class LockSettingsService extends ILockSettings.Stub {
        // service can't connect to vold, it restarts, and then the new instance
        // does successfully connect.
        final IMountService service = getMountService();
-        String password = service.getPassword();
-        service.clearPassword();
+        String password;
+        long identity = Binder.clearCallingIdentity();
+        try {
+            password = service.getPassword();
+            service.clearPassword();
+        } finally {
+            Binder.restoreCallingIdentity(identity);
+        }
        if (password == null) {
            return false;
        }
--- a/services/core/java/com/android/server/MountService.java
+++ b/services/core/java/com/android/server/MountService.java
@@ -2648,6 +2648,8 @@ class MountService extends IMountService.Stub
     */
    @Override
    public int getPasswordType() {
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
+            "no permission to access the crypt keeper");

        waitForReady();

@@ -2672,6 +2674,8 @@ class MountService extends IMountService.Stub
     */
    @Override
    public void setField(String field, String contents) throws RemoteException {
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
+            "no permission to access the crypt keeper");

        waitForReady();

@@ -2690,6 +2694,8 @@ class MountService extends IMountService.Stub
     */
    @Override
    public String getField(String field) throws RemoteException {
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
+            "no permission to access the crypt keeper");

        waitForReady();

@@ -2714,6 +2720,8 @@ class MountService extends IMountService.Stub
     */
    @Override
    public boolean isConvertibleToFBE() throws RemoteException {
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
+            "no permission to access the crypt keeper");

        waitForReady();

@@ -2728,8 +2736,9 @@ class MountService extends IMountService.Stub

    @Override
    public String getPassword() throws RemoteException {
-        mContext.enforceCallingOrSelfPermission(Manifest.permission.ACCESS_KEYGUARD_SECURE_STORAGE,
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
                "only keyguard can retrieve password");
+
        if (!isReady()) {
            return new String();
        }
@@ -2752,6 +2761,9 @@ class MountService extends IMountService.Stub

    @Override
    public void clearPassword() throws RemoteException {
+        mContext.enforceCallingOrSelfPermission(Manifest.permission.STORAGE_INTERNAL,
+                "only keyguard can clear password");
+
        if (!isReady()) {
            return;
        }