authorBrian C. Young <bcyoung@google.com>2018-03-31 15:02:34 -0700
committerBrian C. Young <bcyoung@google.com>2018-03-31 17:20:26 -0700
commit78daac2ca8d2ed82f9612e431f337fdefe5528c4 (patch)
treef568d70dd64b81ff0e9a9ae1073f5545a6793a3e
parentde5eee4f9e46881a0a7b389df1e64af5d20b0ca8 (diff)
downloadsecurity-78daac2ca8d2ed82f9612e431f337fdefe5528c4.tar.gz
Track active user inside keystore service
The active Android user ID is not generally accessible from native code - UID is per-app, and PID can be split up even farther than that. Most processes even on the Java side don't have correct permissions to read their user ID, but the keyguard does, and we're already getting that signal from the state change calls. Keep track of that, and write it out to the saved authorization list that will be read back for the software authorization. Bug: 76430246 Test: CtsKeystoreTestCases, both as main and guest user Change-Id: I39baac7264196318bb42c75964d64b5d3b567b97
-rw-r--r--keystore/key_store_service.cpp19
-rw-r--r--keystore/key_store_service.h3
2 files changed, 21 insertions, 1 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 9bd76fd1..c8a8f844 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -849,6 +849,14 @@ KeyStoreService::generateKey(const String16& name, const KeymasterArguments& par
}
}
+ if (!containsTag(params.getParameters(), Tag::USER_ID)) {
+ // Most Java processes don't have access to this tag
+ KeyParameter user_id;
+ user_id.tag = Tag::USER_ID;
+ user_id.f.integer = mActiveUserId;
+ keyCharacteristics.push_back(user_id);
+ }
+
// Write the characteristics:
String8 name8(name);
String8 cFilename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEY_CHARACTERISTICS));
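Review bot: The USER_ID stamped here comes from `mActiveUserId`, the last user for whom keyguard reported a dismissal, not from the caller. A key generated by another user's process, or before the first dismissal event (the member starts at 0), would therefore be recorded under the wrong user. The `uid` already passed to `getKeyNameForUidWithDir` a few lines below identifies the requester, and deriving the Android user from it would tie the tag to the caller instead of to global state. The guard also keeps any USER_ID the caller placed in `params`; whether that value is validated elsewhere is not visible in this hunk. The same points apply to the importKey hunk, and generateKey's body extends outside the hunk.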
@@ -1079,6 +1087,14 @@ KeyStoreService::importKey(const String16& name, const KeymasterArguments& param
String8 cFilename(mKeyStore->getKeyNameForUidWithDir(name8, uid, ::TYPE_KEY_CHARACTERISTICS));
AuthorizationSet opParams = params.getParameters();
+ if (!containsTag(params.getParameters(), Tag::USER_ID)) {
+ // Most Java processes don't have access to this tag
+ KeyParameter user_id;
+ user_id.tag = Tag::USER_ID;
+ user_id.f.integer = mActiveUserId;
+ opParams.push_back(user_id);
+ }
+
std::stringstream kcStream;
opParams.Serialize(&kcStream);
if (kcStream.bad()) {
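Review bot: This block is a copy of the one added to generateKey, differing only in the destination set (`opParams` here, `keyCharacteristics` there). A small private helper that takes the destination set would keep the two paths from drifting if the source of the user ID is later changed. The comment could also say what the code does, not only why the tag is absent, for example `// Callers usually cannot supply USER_ID; record the keyguard-tracked active user instead.` importKey's body extends outside the hunk.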
@@ -2234,6 +2250,9 @@ KeyStoreServiceReturnCode KeyStoreService::upgradeKeyBlob(const String16& name,
Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
int32_t* aidl_return) {
enforcement_policy.set_device_locked(isShowing, userId);
+ if (!isShowing) {
+ mActiveUserId = userId;
+ }
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();
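Review bot: No caller check is visible before `mActiveUserId = userId;`, and with this commit the value is persisted into key characteristics that the description says are read back for software authorization. If this binder method is reachable by callers other than keyguard, any of them could choose the user ID recorded on later generated or imported keys. A permission check on the calling UID at the top of the function (the file's existing binder permission helper, if it fits) would close that, as would rejecting a negative `userId`. The assignment also runs on a binder thread while generateKey and importKey read the member, apparently without a lock, so the access should be synchronised or the member made atomic.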
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 8d3f1f26..00563422 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -39,7 +39,7 @@ class KeyStoreService : public android::security::BnKeystoreService,
public:
explicit KeyStoreService(KeyStore* keyStore)
: mKeyStore(keyStore), mOperationMap(this),
- mConfirmationManager(new ConfirmationManager(this)) {}
+ mConfirmationManager(new ConfirmationManager(this)), mActiveUserId(0) {}
virtual ~KeyStoreService() = default;
void binderDied(const android::wp<android::IBinder>& who);
@@ -300,6 +300,7 @@ class KeyStoreService : public android::security::BnKeystoreService,
android::sp<ConfirmationManager> mConfirmationManager;
keystore::AuthTokenTable mAuthTokenTable;
KeystoreKeymasterEnforcement enforcement_policy;
+ int32_t mActiveUserId;
};
}; // namespace keystore
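Review bot: `mActiveUserId` is declared without a comment, so a reader cannot tell what it tracks, what its initial value means, or what synchronises it. Suggested comment: `// Android user whose keyguard was most recently dismissed; 0 until the first onKeyguardVisibilityChanged(false, ...) call. Written and read from binder threads.` If no lock guards it, declaring it as `std::atomic<int32_t> mActiveUserId{0};` would make the cross-thread access well defined and would also replace the constructor-list initialiser added in the previous hunk.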