Merge "Correcting permission check for App UIDs listing" into main am: b7e5421688 am: c7f9449a28

Original change: https://android-review.googlesource.com/c/platform/system/security/+/2953647 Change-Id: I84fd23954f688720352d3c4883f76dc3929aa0f0 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-06 18:07:41 +00:00 · 2024-02-06 18:07:41 +00:00 · aeb4fce536
commit aeb4fce536
parent 83bb7cc03f c7f9449a28
3 changed files with 16 additions and 4 deletions
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@ -151,7 +151,8 @@ interface IKeystoreMaintenance {
     * (addition of a fingerprint, for example), authentication-bound keys may be invalidated.
     * This method allows the platform to find out which apps would be affected (for a given user)
     * when a given user secure ID is removed.
-     * Callers require 'ChangeUser' permission.
+     * Callers require the `android.permission.MANAGE_USERS` Android permission
+     * (not SELinux policy).
     *
     * @param userId The affected user.
     * @param sid The user secure ID - identifier of the authentication method.
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@ -24,7 +24,8 @@ use crate::ks_err;
 use crate::permission::{KeyPerm, KeystorePerm};
 use crate::super_key::{SuperKeyManager, UserState};
 use crate::utils::{
-    check_key_permission, check_keystore_permission, uid_to_android_user, watchdog as wd,
+    check_get_app_uids_affected_by_sid_permissions, check_key_permission,
+    check_keystore_permission, uid_to_android_user, watchdog as wd,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
    IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
@ -292,8 +293,9 @@ impl Maintenance {
        secure_user_id: i64,
    ) -> Result<std::vec::Vec<i64>> {
        // This method is intended to be called by Settings and discloses a list of apps
-        // associated with a user, so it requires the ChangeUser permission.
-        check_keystore_permission(KeystorePerm::ChangeUser).context(ks_err!())?;
+        // associated with a user, so it requires the "android.permission.MANAGE_USERS"
+        // permission (to avoid leaking list of apps to unauthorized callers).
+        check_get_app_uids_affected_by_sid_permissions().context(ks_err!())?;
        DB.with(|db| db.borrow_mut().get_app_uids_affected_by_sid(user_id, secure_user_id))
            .context(ks_err!("Failed to get app UIDs affected by SID"))
    }
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@ -129,6 +129,15 @@ pub fn check_unique_id_attestation_permissions() -> anyhow::Result<()> {
    check_android_permission("android.permission.REQUEST_UNIQUE_ID_ATTESTATION")
 }

+/// This function checks whether the calling app has the Android permissions needed to manage
+/// users. Only callers that can manage users are allowed to get a list of apps affected
+/// by a user's SID changing.
+/// It throws an error if the permissions cannot be verified or if the caller doesn't
+/// have the right permissions. Otherwise it returns silently.
+pub fn check_get_app_uids_affected_by_sid_permissions() -> anyhow::Result<()> {
+    check_android_permission("android.permission.MANAGE_USERS")
+}
+
 fn check_android_permission(permission: &str) -> anyhow::Result<()> {
    let permission_controller: Strong<dyn IPermissionController::IPermissionController> =
        binder::get_interface("permission")?;