Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Only allow foreground app and keyguard to access FingerprintManager" into mnc-dr-dev

Browse Source
This commit is contained in:
Jim Miller
2015-09-02 00:32:11 +00:00
committed by Android (Google) Code Review
parent 991e493616 975f145c01
commit be342fc3c7
1 changed files with 55 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
services/core/java/com/android/server/fingerprint/FingerprintService.java
View File

@@ -18,9 +18,12 @@ package com.android.server.fingerprint;
import android.Manifest; import android.Manifest;
import android.app.ActivityManager; import android.app.ActivityManager;
import android.app.ActivityManager.RunningAppProcessInfo;
import android.app.ActivityManager.RunningTaskInfo;
import android.app.ActivityManagerNative; import android.app.ActivityManagerNative;
import android.app.AppOpsManager; import android.app.AppOpsManager;
import android.app.IUserSwitchObserver; import android.app.IUserSwitchObserver;
import android.content.ComponentName;
import android.content.Context; import android.content.Context;
import android.content.pm.PackageManager; import android.content.pm.PackageManager;
import android.content.pm.UserInfo; import android.content.pm.UserInfo;
@@ -54,6 +57,7 @@ import android.hardware.fingerprint.IFingerprintDaemon;
import android.hardware.fingerprint.IFingerprintDaemonCallback; import android.hardware.fingerprint.IFingerprintDaemonCallback;
import android.hardware.fingerprint.IFingerprintServiceReceiver; import android.hardware.fingerprint.IFingerprintServiceReceiver;
import static android.app.ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND;
import static android.Manifest.permission.MANAGE_FINGERPRINT; import static android.Manifest.permission.MANAGE_FINGERPRINT;
import static android.Manifest.permission.RESET_FINGERPRINT_LOCKOUT; import static android.Manifest.permission.RESET_FINGERPRINT_LOCKOUT;
import static android.Manifest.permission.USE_FINGERPRINT; import static android.Manifest.permission.USE_FINGERPRINT;
@@ -93,6 +97,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
private static final long FAIL_LOCKOUT_TIMEOUT_MS = 30*1000; private static final long FAIL_LOCKOUT_TIMEOUT_MS = 30*1000;
private static final int MAX_FAILED_ATTEMPTS = 5; private static final int MAX_FAILED_ATTEMPTS = 5;
private static final int FINGERPRINT_ACQUIRED_GOOD = 0; private static final int FINGERPRINT_ACQUIRED_GOOD = 0;
private final String mKeyguardPackage;
Handler mHandler = new Handler() { Handler mHandler = new Handler() {
@Override @Override
@@ -125,6 +130,8 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
public FingerprintService(Context context) { public FingerprintService(Context context) {
super(context); super(context);
mContext = context; mContext = context;
mKeyguardPackage = ComponentName.unflattenFromString(context.getResources().getString(
com.android.internal.R.string.config_keyguardComponent)).getPackageName();
mAppOps = context.getSystemService(AppOpsManager.class); mAppOps = context.getSystemService(AppOpsManager.class);
mPowerManager = (PowerManager) mContext.getSystemService(Context.POWER_SERVICE); mPowerManager = (PowerManager) mContext.getSystemService(Context.POWER_SERVICE);
} }
@@ -498,10 +505,50 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
return false; return false;
} }
private boolean canUseFingerprint(String opPackageName) { private boolean isForegroundActivity(int uid, int pid) {
try {
List<RunningAppProcessInfo> procs =
ActivityManagerNative.getDefault().getRunningAppProcesses();
int N = procs.size();
for (int i = 0; i < N; i++) {
RunningAppProcessInfo proc = procs.get(i);
if (proc.pid == pid && proc.uid == uid
&& proc.importance == IMPORTANCE_FOREGROUND) {
return true;
}
}
} catch (RemoteException e) {
Slog.w(TAG, "am.getRunningAppProcesses() failed");
}
return false;
}
/**
* @param opPackageName name of package for caller
* @param foregroundOnly only allow this call while app is in the foreground
* @return true if caller can use fingerprint API
*/
private boolean canUseFingerprint(String opPackageName, boolean foregroundOnly) {
checkPermission(USE_FINGERPRINT); checkPermission(USE_FINGERPRINT);
return mAppOps.noteOp(AppOpsManager.OP_USE_FINGERPRINT, Binder.getCallingUid(), final int uid = Binder.getCallingUid();
opPackageName) == AppOpsManager.MODE_ALLOWED; final int pid = Binder.getCallingPid();
if (opPackageName.equals(mKeyguardPackage)) {
return true; // Keyguard is always allowed
}
if (!isCurrentUserOrProfile(UserHandle.getCallingUserId())) {
Slog.w(TAG,"Rejecting " + opPackageName + " ; not a current user or profile");
return false;
}
if (mAppOps.noteOp(AppOpsManager.OP_USE_FINGERPRINT, uid, opPackageName)
!= AppOpsManager.MODE_ALLOWED) {
Slog.v(TAG, "Rejecting " + opPackageName + " ; permission denied");
return false;
}
if (foregroundOnly && !isForegroundActivity(uid, pid)) {
Slog.v(TAG, "Rejecting " + opPackageName + " ; not in foreground");
return false;
}
return true;
} }
private void addLockoutResetMonitor(FingerprintServiceLockoutResetMonitor monitor) { private void addLockoutResetMonitor(FingerprintServiceLockoutResetMonitor monitor) {
@@ -834,12 +881,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
public void authenticate(final IBinder token, final long opId, final int groupId, public void authenticate(final IBinder token, final long opId, final int groupId,
final IFingerprintServiceReceiver receiver, final int flags, final IFingerprintServiceReceiver receiver, final int flags,
final String opPackageName) { final String opPackageName) {
if (!isCurrentUserOrProfile(UserHandle.getCallingUserId())) { if (!canUseFingerprint(opPackageName, true /* foregroundOnly */)) {
Slog.w(TAG, "Can't authenticate non-current user");
return;
}
if (!canUseFingerprint(opPackageName)) {
Slog.w(TAG, "Calling not granted permission to use fingerprint");
return; return;
} }
@@ -859,7 +901,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
@Override // Binder call @Override // Binder call
public void cancelAuthentication(final IBinder token, String opPackageName) { public void cancelAuthentication(final IBinder token, String opPackageName) {
if (!canUseFingerprint(opPackageName)) { if (!canUseFingerprint(opPackageName, false /* foregroundOnly */)) {
return; return;
} }
mHandler.post(new Runnable() { mHandler.post(new Runnable() {
@@ -890,7 +932,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
@Override // Binder call @Override // Binder call
public boolean isHardwareDetected(long deviceId, String opPackageName) { public boolean isHardwareDetected(long deviceId, String opPackageName) {
if (!canUseFingerprint(opPackageName)) { if (!canUseFingerprint(opPackageName, false /* foregroundOnly */)) {
return false; return false;
} }
return mHalDeviceId != 0; return mHalDeviceId != 0;
@@ -914,7 +956,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
@Override // Binder call @Override // Binder call
public List<Fingerprint> getEnrolledFingerprints(int userId, String opPackageName) { public List<Fingerprint> getEnrolledFingerprints(int userId, String opPackageName) {
if (!canUseFingerprint(opPackageName)) { if (!canUseFingerprint(opPackageName, false /* foregroundOnly */)) {
return Collections.emptyList(); return Collections.emptyList();
} }
int effectiveUserId = getEffectiveUserId(userId); int effectiveUserId = getEffectiveUserId(userId);
@@ -924,7 +966,7 @@ public class FingerprintService extends SystemService implements IBinder.DeathRe
@Override // Binder call @Override // Binder call
public boolean hasEnrolledFingerprints(int userId, String opPackageName) { public boolean hasEnrolledFingerprints(int userId, String opPackageName) {
if (!canUseFingerprint(opPackageName)) { if (!canUseFingerprint(opPackageName, false /* foregroundOnly */)) {
return false; return false;
} }