author | android-build-prod (mdb) <android-build-team-robot@google.com> | 2018-02-22 22:53:14 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2018-02-22 22:53:14 +0000 |
commit | 43260694c01cf5d99c8cd9f273e154a262481b0c (patch) | |
tree | 3900cb904f3230c37f4c41e2a7de8e4fcfcc003f | |
parent | 7c9c67d8fe73dd06582b5098f9710a786c60564a (diff) | |
parent | d8009cefd5fbce7d40f986511172f37e30c3cf8c (diff) | |
download | security-43260694c01cf5d99c8cd9f273e154a262481b0c.tar.gz |
Merge "Snap for 4615400 from e5bfaa9cebdbbf4c43be6ac430cd38d0e92d9b6d to oreo-mr1-cts-release" into oreo-mr1-cts-release
android-cts-8.1_r9 android-cts-8.1_r8 android-cts-8.1_r7 android-cts-8.1_r6 android-cts-8.1_r5 android-cts-8.1_r4 android-cts-8.1_r3 android-cts-8.1_r25 android-cts-8.1_r24 android-cts-8.1_r23 android-cts-8.1_r22 android-cts-8.1_r21 android-cts-8.1_r20 android-cts-8.1_r19 android-cts-8.1_r18 android-cts-8.1_r17 android-cts-8.1_r16 android-cts-8.1_r15 android-cts-8.1_r14 android-cts-8.1_r13 android-cts-8.1_r12 android-cts-8.1_r11 android-cts-8.1_r10 oreo-mr1-cts-release
-rw-r--r-- | keystore/key_store_service.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index eb5fe86b..f6786b88 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -693,6 +693,8 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name, const hidl_vec<uint8_t>& entropy, int uid, int flags, KeyCharacteristics* outCharacteristics) { + // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100 + uid_t originalUid = IPCThreadState::self()->getCallingUid(); uid = getEffectiveUid(uid); KeyStoreServiceReturnCode rc = checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED); @@ -703,9 +705,11 @@ KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name, ALOGE("Non-system uid %d cannot set FLAG_CRITICAL_TO_DEVICE_ENCRYPTION", uid); return ResponseCode::PERMISSION_DENIED; } - if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) { - if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED; + if (!checkBinderPermission(P_GEN_UNIQUE_ID) || + originalUid != IPCThreadState::self()->getCallingUid()) { + return ResponseCode::PERMISSION_DENIED; + } } bool usingFallback = false; |
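Review bot: The comment on the new `originalUid` line says when the call should be removed but not what the value is for, and its only visible use is further down, in the INCLUDE_UNIQUE_ID check of the second hunk. I would state the purpose next to the capture, e.g. `// Binder caller's uid at entry; re-checked in the INCLUDE_UNIQUE_ID branch below.`, and declare it `const uid_t originalUid`, since it is never reassigned in the visible lines. generateKey's body continues outside the hunk.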
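Review bot: Both sides of the new comparison `originalUid != IPCThreadState::self()->getCallingUid()` come from the same call on the same binder thread, so unless something between the capture and this check changes the calling identity (nothing in the visible lines does), the condition is always false and the check adds no restriction beyond `checkBinderPermission(P_GEN_UNIQUE_ID)`. If the intent is to refuse unique-ID generation when the caller acts for a different uid, which the capture placed before `uid = getEffectiveUid(uid)` suggests, the comparison should be against the effective uid: `originalUid != static_cast<uid_t>(uid)`. The denial path also returns without a log line, unlike the FLAG_CRITICAL_TO_DEVICE_ENCRYPTION branch just above it, which makes rejected requests harder to spot; an `ALOGE` naming the uid would match that branch. generateKey's body continues outside the hunk.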