From a5945d53dc24576bffcb84a01491478b14bb7ea4 Mon Sep 17 00:00:00 2001
From: Dmitry Dementyev <dementyev@google.com>
Date: Fri, 23 Mar 2018 12:10:09 -0700
Subject: [PATCH] Add RECOVER_KEYSTORE permission check to all IPC calls in
 RecoveryController.

Bug: 76116351
Test: GTS tests under development.
Change-Id: Ia4b01eb790a55e587f5719b94ff6cf2482a8eae1
---
 .../recoverablekeystore/RecoverableKeyStoreManager.java    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index e75722af95aea..d9c97aef44555 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -247,6 +247,7 @@ public class RecoverableKeyStoreManager {
             @NonNull String rootCertificateAlias, @NonNull byte[] recoveryServiceCertFile,
             @NonNull byte[] recoveryServiceSigFile)
             throws RemoteException {
+        checkRecoverKeyStorePermission();
         if (rootCertificateAlias == null) {
             Log.e(TAG, "rootCertificateAlias is null");
         }
@@ -356,6 +357,7 @@ public class RecoverableKeyStoreManager {
      *     {@link RecoveryController#RECOVERY_STATUS_PERMANENT_FAILURE}.
      */
     public @NonNull Map<String, Integer> getRecoveryStatus() throws RemoteException {
+        checkRecoverKeyStorePermission();
         return mDatabase.getStatusForAllKeys(Binder.getCallingUid());
     }
 
@@ -656,6 +658,7 @@ public class RecoverableKeyStoreManager {
      * @hide
      */
     public byte[] generateAndStoreKey(@NonNull String alias) throws RemoteException {
+        checkRecoverKeyStorePermission();
         int uid = Binder.getCallingUid();
         int userId = UserHandle.getCallingUserId();
 
@@ -688,6 +691,7 @@ public class RecoverableKeyStoreManager {
     }
 
     public void removeKey(@NonNull String alias) throws RemoteException {
+        checkRecoverKeyStorePermission();
         Preconditions.checkNotNull(alias, "alias is null");
         int uid = Binder.getCallingUid();
         int userId = UserHandle.getCallingUserId();
@@ -706,6 +710,7 @@ public class RecoverableKeyStoreManager {
      * @return grant alias, which caller can use to access the key.
      */
     public String generateKey(@NonNull String alias) throws RemoteException {
+        checkRecoverKeyStorePermission();
         Preconditions.checkNotNull(alias, "alias is null");
         int uid = Binder.getCallingUid();
         int userId = UserHandle.getCallingUserId();
@@ -745,6 +750,7 @@ public class RecoverableKeyStoreManager {
      */
     public String importKey(@NonNull String alias, @NonNull byte[] keyBytes)
             throws RemoteException {
+        checkRecoverKeyStorePermission();
         Preconditions.checkNotNull(alias, "alias is null");
         Preconditions.checkNotNull(keyBytes, "keyBytes is null");
         if (keyBytes.length != RecoverableKeyGenerator.KEY_SIZE_BITS / Byte.SIZE) {
@@ -790,6 +796,7 @@ public class RecoverableKeyStoreManager {
      * @return grant alias, which caller can use to access the key.
      */
     public String getKey(@NonNull String alias) throws RemoteException {
+        checkRecoverKeyStorePermission();
         Preconditions.checkNotNull(alias, "alias is null");
         int uid = Binder.getCallingUid();
         int userId = UserHandle.getCallingUserId();