tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add permission check on onKeyguardVisibilityChanged

Browse source 
Without this permission check any app can toggle the locked state of
keymaster once it has been unlocked for the first time.

Bug: 144285084
Test: Manually tested with debugger that the requred code paths are
      run.

Merged-In: Idb8a200dc2963e1085e9fddd0c565c5172465e65
Change-Id: Idb8a200dc2963e1085e9fddd0c565c5172465e65
(cherry picked from commit 21f452c372)
This commit is contained in:
Janis Danisevskis 2020-01-21 14:33:30 -08:00
parent 3c04bca28a
commit ed9a255fc6
1 changed files with 15 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
keystore/key_store_service.cpp
View file

@ -1354,12 +1354,23 @@ bool KeyStoreService::checkAllowedOperationParams(const hidl_vec<KeyParameter>&
} }
Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId, Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
int32_t* aidl_return) { int32_t* _aidl_return) {
KEYSTORE_SERVICE_LOCK; KEYSTORE_SERVICE_LOCK;
if (isShowing) {
if (!checkBinderPermission(P_LOCK, UID_SELF)) {
LOG(WARNING) << "onKeyguardVisibilityChanged called with isShowing == true but "
"without LOCK permission";
return AIDL_RETURN(ResponseCode::PERMISSION_DENIED);
}
} else {
if (!checkBinderPermission(P_UNLOCK, UID_SELF)) {
LOG(WARNING) << "onKeyguardVisibilityChanged called with isShowing == false but "
"without UNLOCK permission";
return AIDL_RETURN(ResponseCode::PERMISSION_DENIED);
}
}
mKeyStore->getEnforcementPolicy().set_device_locked(isShowing, userId); mKeyStore->getEnforcementPolicy().set_device_locked(isShowing, userId);
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return AIDL_RETURN(ResponseCode::NO_ERROR);
return Status::ok();
} }
} // namespace keystore } // namespace keystore