authorAdrian Roos <roosa@google.com>2015-02-24 17:08:48 +0100
committerAdrian Roos <roosa@google.com>2015-02-24 17:16:44 +0100
commit001b00d3bd8c20c7e73cb8101cbe98291bd5e68f (patch)
treeee32dde0e8601a8aedfcd41e26a9e32f9886cd20
parent6f542f5a40db8d09d8d84d58720bf19962faaca3 (diff)
Prevent regular processes from accessing the password history
Bug: 19019350 Change-Id: Iee410d62827fe0f9d43e08dd8869e8eea590382f
-rw-r--r--services/core/java/com/android/server/LockSettingsService.java19
1 files changed, 18 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index 895a5c3..c189fea 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -228,6 +228,7 @@ public class LockSettingsService extends ILockSettings.Stub {
private final void checkReadPermission(String requestedKey, int userId) {
final int callingUid = Binder.getCallingUid();
+
for (int i = 0; i < READ_PROFILE_PROTECTED_SETTINGS.length; i++) {
String key = READ_PROFILE_PROTECTED_SETTINGS[i];
if (key.equals(requestedKey) && mContext.checkCallingOrSelfPermission(READ_PROFILE)
@@ -237,6 +238,16 @@ public class LockSettingsService extends ILockSettings.Stub {
+ requestedKey + " for user " + userId);
}
}
+
+ for (int i = 0; i < READ_PASSWORD_PROTECTED_SETTINGS.length; i++) {
+ String key = READ_PASSWORD_PROTECTED_SETTINGS[i];
+ if (key.equals(requestedKey) && mContext.checkCallingOrSelfPermission(PERMISSION)
+ != PackageManager.PERMISSION_GRANTED) {
+ throw new SecurityException("uid=" + callingUid
+ + " needs permission " + PERMISSION + " to read "
+ + requestedKey + " for user " + userId);
+ }
+ }
}
@Override
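Review bot: The loop added to checkReadPermission is an exact-match denylist, so as far as this method is concerned a requestedKey that is not listed in READ_PASSWORD_PROTECTED_SETTINGS falls through without any permission check. The salt and history keys are covered by this commit, but a credential-derived key introduced later stays readable until someone adds it to the array. I would state that contract in a comment above the loop, for example `// Keys not listed in READ_PASSWORD_PROTECTED_SETTINGS are not permission-checked here; add every new credential-derived key to that array.` The loop also repeats the READ_PROFILE loop above it line for line, so a small private helper taking the key array and the permission name would keep the two checks from drifting apart. The method begins before this hunk and the definition of PERMISSION is not visible here, so which callers actually hold it should be confirmed against the manifest.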
@@ -462,12 +473,18 @@ public class LockSettingsService extends ILockSettings.Stub {
Secure.LOCK_PATTERN_TACTILE_FEEDBACK_ENABLED
};
- // These are protected with a read permission
+ // Reading these settings needs the profile permission
private static final String[] READ_PROFILE_PROTECTED_SETTINGS = new String[] {
Secure.LOCK_SCREEN_OWNER_INFO_ENABLED,
Secure.LOCK_SCREEN_OWNER_INFO
};
+ // Reading these settings needs the same permission as checking the password
+ private static final String[] READ_PASSWORD_PROTECTED_SETTINGS = new String[] {
+ LockPatternUtils.LOCK_PASSWORD_SALT_KEY,
+ LockPatternUtils.PASSWORD_HISTORY_KEY,
+ };
+
private static final String[] SETTINGS_TO_BACKUP = new String[] {
Secure.LOCK_SCREEN_OWNER_INFO_ENABLED,
Secure.LOCK_SCREEN_OWNER_INFO