Track active user inside keystore service
The active Android user ID is not generally accessible from native code
- UID is per-app, and PID can be split up even farther than that. Most
processes even on the Java side don't have correct permissions to read
their user ID, but the keyguard does, and we're already getting that
signal from the state change calls. Keep track of that, and write it out
to the saved authorization list that will be read back for the software
authorization.
Bug: 76430246
Test: CtsKeystoreTestCases, both as main and guest user
Change-Id: I39baac7264196318bb42c75964d64b5d3b567b97
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 9bd76fd..c8a8f84 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -849,6 +849,14 @@
}
}
+ if (!containsTag(params.getParameters(), Tag::USER_ID)) {
+ // Most Java processes don't have access to this tag
+ KeyParameter user_id;
+ user_id.tag = Tag::USER_ID;
+ user_id.f.integer = mActiveUserId;
+ keyCharacteristics.push_back(user_id);
+ }
+
// Write the characteristics:
String8 name8(name);
String8 cFilename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEY_CHARACTERISTICS));
@@ -1079,6 +1087,14 @@
String8 cFilename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEY_CHARACTERISTICS));
AuthorizationSet opParams = params.getParameters();
+ if (!containsTag(params.getParameters(), Tag::USER_ID)) {
+ // Most Java processes don't have access to this tag
+ KeyParameter user_id;
+ user_id.tag = Tag::USER_ID;
+ user_id.f.integer = mActiveUserId;
+ opParams.push_back(user_id);
+ }
+
std::stringstream kcStream;
opParams.Serialize(&kcStream);
if (kcStream.bad()) {
@@ -2234,6 +2250,9 @@
Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
int32_t* aidl_return) {
enforcement_policy.set_device_locked(isShowing, userId);
+ if (!isShowing) {
+ mActiveUserId = userId;
+ }
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();