Merge "Remove IKeystoreMaintenance#getState()" into main
commit
b6d1dfbe0b
5 changed files with 3 additions and 80 deletions
|
@ -16,7 +16,6 @@ package android.security.maintenance;
|
|||
|
||||
import android.system.keystore2.Domain;
|
||||
import android.system.keystore2.KeyDescriptor;
|
||||
import android.security.maintenance.UserState;
|
||||
|
||||
/**
|
||||
* IKeystoreMaintenance interface exposes the methods for adding/removing users and changing the
|
||||
|
@ -76,19 +75,6 @@ interface IKeystoreMaintenance {
|
|||
*/
|
||||
void clearNamespace(Domain domain, long nspace);
|
||||
|
||||
/**
|
||||
* Allows querying user state, given user id.
|
||||
* Callers require 'GetState' permission.
|
||||
*
|
||||
* ## Error conditions:
|
||||
* `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'GetState'
|
||||
* permission.
|
||||
* `ResponseCode::SYSTEM_ERROR` - if an error occurred when querying the user state.
|
||||
*
|
||||
* @param userId - Android user id
|
||||
*/
|
||||
UserState getState(in int userId);
|
||||
|
||||
/**
|
||||
* This function notifies the Keymint device of the specified securityLevel that
|
||||
* early boot has ended, so that they no longer allow early boot keys to be used.
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
// Copyright 2021, The Android Open Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package android.security.maintenance;
|
||||
|
||||
/** @hide */
|
||||
@Backing(type="int")
|
||||
enum UserState {
|
||||
UNINITIALIZED = 0,
|
||||
LSKF_UNLOCKED = 1,
|
||||
LSKF_LOCKED = 2,
|
||||
}
|
|
@ -29,9 +29,8 @@ use crate::utils::{
|
|||
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
|
||||
IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
|
||||
};
|
||||
use android_security_maintenance::aidl::android::security::maintenance::{
|
||||
IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
|
||||
UserState::UserState as AidlUserState,
|
||||
use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::{
|
||||
BnKeystoreMaintenance, IKeystoreMaintenance,
|
||||
};
|
||||
use android_security_maintenance::binder::{
|
||||
BinderFeatures, Interface, Result as BinderResult, Strong, ThreadState,
|
||||
|
@ -135,27 +134,6 @@ impl Maintenance {
|
|||
.context(ks_err!("While invoking the delete listener."))
|
||||
}
|
||||
|
||||
fn get_state(user_id: i32) -> Result<AidlUserState> {
|
||||
// Check permission. Function should return if this failed. Therefore having '?' at the end
|
||||
// is very important.
|
||||
check_keystore_permission(KeystorePerm::GetState).context("In get_state.")?;
|
||||
let state = DB
|
||||
.with(|db| {
|
||||
SUPER_KEY.read().unwrap().get_user_state(
|
||||
&mut db.borrow_mut(),
|
||||
&LEGACY_IMPORTER,
|
||||
user_id as u32,
|
||||
)
|
||||
})
|
||||
.context(ks_err!("Trying to get UserState."))?;
|
||||
|
||||
match state {
|
||||
UserState::Uninitialized => Ok(AidlUserState::UNINITIALIZED),
|
||||
UserState::LskfUnlocked(_) => Ok(AidlUserState::LSKF_UNLOCKED),
|
||||
UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
|
||||
}
|
||||
}
|
||||
|
||||
fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
|
||||
where
|
||||
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
|
||||
|
@ -306,11 +284,6 @@ impl IKeystoreMaintenance for Maintenance {
|
|||
map_or_log_err(self.clear_namespace(domain, nspace), Ok)
|
||||
}
|
||||
|
||||
fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
|
||||
let _wp = wd::watch_millis("IKeystoreMaintenance::getState", 500);
|
||||
map_or_log_err(Self::get_state(user_id), Ok)
|
||||
}
|
||||
|
||||
fn earlyBootEnded(&self) -> BinderResult<()> {
|
||||
log::info!("earlyBootEnded()");
|
||||
let _wp = wd::watch_millis("IKeystoreMaintenance::earlyBootEnded", 500);
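Review bot: Dropping `getState` from `impl IKeystoreMaintenance for Maintenance` removes a method that sat between `clearNamespace` and `earlyBootEnded`, so if the interface relies on AIDL's default order-based transaction codes (not visible on this page), every method after it is renumbered. A client built against the old interface would then have its calls dispatched to a different method, with only that method's own permission check in the way. It is worth confirming that the interface is unstable and that all callers are rebuilt together with this change; a sentence in the commit description stating that no callers remain would settle it. The `impl` block starts and ends outside the hunk.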
|
||||
|
|
|
@ -109,9 +109,6 @@ implement_class!(
|
|||
/// Checked when an app is uninstalled or wiped.
|
||||
#[selinux(name = clear_ns)]
|
||||
ClearNs,
|
||||
/// Checked when the user state is queried from Keystore 2.0.
|
||||
#[selinux(name = get_state)]
|
||||
GetState,
|
||||
/// Checked when Keystore 2.0 is asked to list a namespace that the caller
|
||||
/// does not have the get_info permission for.
|
||||
#[selinux(name = list)]
|
||||
|
@ -500,7 +497,6 @@ mod tests {
|
|||
let system_server_ctx = Context::new("u:r:system_server:s0")?;
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::AddAuth).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ClearNs).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::GetState).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Lock).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Reset).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Unlock).is_ok());
|
||||
|
@ -510,7 +506,6 @@ mod tests {
|
|||
let shell_ctx = Context::new("u:r:shell:s0")?;
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::AddAuth));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ClearNs));
|
||||
assert!(check_keystore_permission(&shell_ctx, KeystorePerm::GetState).is_ok());
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::List));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Lock));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Reset));
|
||||
|
|
|
@ -25,9 +25,7 @@ use android_system_keystore2::aidl::android::system::keystore2::{
|
|||
Domain::Domain, KeyDescriptor::KeyDescriptor,
|
||||
};
|
||||
|
||||
use android_security_maintenance::aidl::android::security::maintenance::{
|
||||
IKeystoreMaintenance::IKeystoreMaintenance, UserState::UserState,
|
||||
};
|
||||
use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
|
||||
|
||||
use android_security_authorization::aidl::android::security::authorization::{
|
||||
IKeystoreAuthorization::IKeystoreAuthorization, LockScreenEvent::LockScreenEvent,
|
||||
|
@ -241,9 +239,6 @@ fn keystore2_encrypted_characteristics() -> anyhow::Result<()> {
|
|||
}
|
||||
}
|
||||
|
||||
let maint_service = get_maintenance();
|
||||
assert_eq!(Ok(UserState(1)), maint_service.getState(99));
|
||||
|
||||
let mut key_params: Vec<KsKeyparameter> = Vec::new();
|
||||
for param in key_metadata.authorizations {
|
||||
let key_param = KsKeyparameter::new(param.keyParameter.into(), param.securityLevel);
|
||||
|
@ -502,9 +497,6 @@ fn keystore2_encrypted_certificates() -> anyhow::Result<()> {
|
|||
}
|
||||
}
|
||||
|
||||
let maint_service = get_maintenance();
|
||||
assert_eq!(Ok(UserState(1)), maint_service.getState(98));
|
||||
|
||||
let mut key_params: Vec<KsKeyparameter> = Vec::new();
|
||||
for param in key_metadata.authorizations {
|
||||
let key_param = KsKeyparameter::new(param.keyParameter.into(), param.securityLevel);
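Review bot: With `assert_eq!(Ok(UserState(1)), maint_service.getState(99))` gone from `keystore2_encrypted_characteristics` (and the matching `getState(98)` check from `keystore2_encrypted_certificates`), nothing visible in these hunks still confirms that the test user is LSKF_UNLOCKED before the key parameters are read. If the setup above the hunk ever stops unlocking the user, the tests may fail later with a less direct error or stop exercising the encrypted path at all. Consider leaving a comment at the removed spot, e.g. `// Precondition: user 99 must be LSKF-unlocked here; no longer asserted since getState() was removed.`, or asserting the precondition through whatever interface remains. Both function bodies start and end outside the hunks, so the setup itself cannot be checked from here.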
|
||||
|
|