Keystore 2.0: Remove list permission from keystore2_key security class. am: 3d72aad0bc
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/12737985 Change-Id: I53c8cf3508d7b58768e14626a32b96454446b555
commit
bc81e670db
4 changed files with 25 additions and 35 deletions
|
@ -424,7 +424,6 @@ mod tests {
|
|||
check_key_perm!(gen_unique_id, true);
|
||||
check_key_perm!(grant, true);
|
||||
check_key_perm!(get_info, false);
|
||||
check_key_perm!(list, false);
|
||||
check_key_perm!(rebind, false);
|
||||
check_key_perm!(update, false);
|
||||
check_key_perm!(use, false);
|
||||
|
|
|
@ -1034,13 +1034,12 @@ pub mod aidl {
|
|||
pub const GenUniqueId: KeyPermission = 2;
|
||||
pub const GetInfo: KeyPermission = 4;
|
||||
pub const Grant: KeyPermission = 8;
|
||||
pub const List: KeyPermission = 16;
|
||||
pub const ManageBlob: KeyPermission = 32;
|
||||
pub const Rebind: KeyPermission = 64;
|
||||
pub const ReqForcedOp: KeyPermission = 128;
|
||||
pub const Update: KeyPermission = 256;
|
||||
pub const Use: KeyPermission = 512;
|
||||
pub const UseDevId: KeyPermission = 1024;
|
||||
pub const ManageBlob: KeyPermission = 16;
|
||||
pub const Rebind: KeyPermission = 32;
|
||||
pub const ReqForcedOp: KeyPermission = 64;
|
||||
pub const Update: KeyPermission = 128;
|
||||
pub const Use: KeyPermission = 256;
|
||||
pub const UseDevId: KeyPermission = 512;
|
||||
pub(crate) mod mangled { pub use super::KeyPermission as _7_android_8_security_9_keystore2_13_KeyPermission; }
|
||||
}
|
||||
pub mod OperationChallenge {
|
||||
|
|
|
@ -1086,14 +1086,20 @@ mod tests {
|
|||
let mut stmt = db
|
||||
.conn
|
||||
.prepare("SELECT id, grantee, keyentryid, access_vector FROM perboot.grant;")?;
|
||||
let mut rows = stmt.query_map::<(i64, u32, i64, i32), _, _>(NO_PARAMS, |row| {
|
||||
Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?))
|
||||
})?;
|
||||
let mut rows =
|
||||
stmt.query_map::<(i64, u32, i64, KeyPermSet), _, _>(NO_PARAMS, |row| {
|
||||
Ok((
|
||||
row.get(0)?,
|
||||
row.get(1)?,
|
||||
row.get(2)?,
|
||||
KeyPermSet::from(row.get::<_, i32>(3)?),
|
||||
))
|
||||
})?;
|
||||
|
||||
let r = rows.next().unwrap().unwrap();
|
||||
assert_eq!(r, (next_random, GRANTEE_UID, 1, 516));
|
||||
assert_eq!(r, (next_random, GRANTEE_UID, 1, PVEC1));
|
||||
let r = rows.next().unwrap().unwrap();
|
||||
assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, 512));
|
||||
assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, PVEC2));
|
||||
assert!(rows.next().is_none());
|
||||
}
|
||||
|
||||
|
|
|
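Review bot: The rewritten assertions compare each row against `PVEC1` and `PVEC2` (defined outside this hunk, presumably the same sets used to create the grants), so the test no longer pins the integer that is written to `access_vector`. That matters because the same commit renumbers the `KeyPermission` bits: the old literal 512 meant `Use` and now means `UseDevId`, so a grant row written under the old numbering would be read back as a different permission set. The `perboot` schema name suggests the table does not outlive a boot, which would rule out stale rows, but that is not visible here. If it holds, a comment above the query such as `// access_vector stores raw KeyPermission bits; renumbering is safe only because perboot.grant is rebuilt every boot` would record why the change is safe. The enclosing test function starts above the hunk.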
@ -197,7 +197,6 @@ implement_permission_aidl!(
|
|||
GenUniqueId, selinux name: gen_unique_id;
|
||||
GetInfo, selinux name: get_info;
|
||||
Grant, selinux name: grant;
|
||||
List, selinux name: list;
|
||||
ManageBlob, selinux name: manage_blob;
|
||||
Rebind, selinux name: rebind;
|
||||
ReqForcedOp, selinux name: req_forced_op;
|
||||
|
@ -294,12 +293,15 @@ implement_permission!(
|
|||
ClearNs = 2, selinux name: clear_ns;
|
||||
/// Checked when Keystore 2.0 gets locked.
|
||||
GetState = 4, selinux name: get_state;
|
||||
/// Checked when Keystore 2.0 is asked to list a namespace that the caller
|
||||
/// does not have the get_info permission for.
|
||||
List = 8, selinux name: list;
|
||||
/// Checked when Keystore 2.0 gets locked.
|
||||
Lock = 8, selinux name: lock;
|
||||
Lock = 0x10, selinux name: lock;
|
||||
/// Checked when Keystore 2.0 shall be reset.
|
||||
Reset = 0x10, selinux name: reset;
|
||||
Reset = 0x20, selinux name: reset;
|
||||
/// Checked when Keystore 2.0 shall be unlocked.
|
||||
Unlock = 0x20, selinux name: unlock;
|
||||
Unlock = 0x40, selinux name: unlock;
|
||||
}
|
||||
);
|
||||
|
||||
|
@ -556,7 +558,6 @@ mod tests {
|
|||
KeyPerm::gen_unique_id(),
|
||||
KeyPerm::grant(),
|
||||
KeyPerm::get_info(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -570,7 +571,6 @@ mod tests {
|
|||
KeyPerm::gen_unique_id(),
|
||||
// No KeyPerm::grant()
|
||||
KeyPerm::get_info(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -579,7 +579,6 @@ mod tests {
|
|||
const UNPRIV_PERMS: KeyPermSet = key_perm_set![
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::get_info(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -632,6 +631,7 @@ mod tests {
|
|||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::list()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
|
||||
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
|
||||
|
@ -639,6 +639,7 @@ mod tests {
|
|||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::add_auth()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_ns()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::get_state()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::list()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::lock()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::reset()));
|
||||
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::unlock()));
|
||||
|
@ -718,7 +719,6 @@ mod tests {
|
|||
assert!(check_key_permission(&system_server_ctx, KeyPerm::delete(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&system_server_ctx, KeyPerm::get_info(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&system_server_ctx, KeyPerm::rebind(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&system_server_ctx, KeyPerm::list(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&system_server_ctx, KeyPerm::update(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&system_server_ctx, KeyPerm::grant(), &key, &None).is_ok());
|
||||
assert!(
|
||||
|
@ -730,7 +730,6 @@ mod tests {
|
|||
assert!(check_key_permission(&shell_ctx, KeyPerm::delete(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&shell_ctx, KeyPerm::get_info(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&shell_ctx, KeyPerm::rebind(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&shell_ctx, KeyPerm::list(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&shell_ctx, KeyPerm::update(), &key, &None).is_ok());
|
||||
assert_perm_failed!(check_key_permission(&shell_ctx, KeyPerm::grant(), &key, &None));
|
||||
assert_perm_failed!(check_key_permission(
|
||||
|
@ -767,7 +766,6 @@ mod tests {
|
|||
assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::manage_blob(), &key, &None).is_ok());
|
||||
|
@ -779,7 +777,6 @@ mod tests {
|
|||
assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
|
||||
assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
|
||||
assert_perm_failed!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None));
|
||||
assert_perm_failed!(check_key_permission(&sctx, KeyPerm::req_forced_op(), &key, &None));
|
||||
|
@ -840,7 +837,6 @@ mod tests {
|
|||
KeyPerm::gen_unique_id(),
|
||||
KeyPerm::grant(),
|
||||
KeyPerm::get_info(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_() // Test if the macro accepts missing comma at the end of the list.
|
||||
|
@ -850,7 +846,6 @@ mod tests {
|
|||
assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "get_info");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "grant");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "list");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "rebind");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
|
||||
|
@ -865,13 +860,11 @@ mod tests {
|
|||
KeyPerm::manage_blob(),
|
||||
KeyPerm::req_forced_op(),
|
||||
KeyPerm::gen_unique_id(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(), // Test if macro accepts the comma at the end of the list.
|
||||
];
|
||||
let mut i = v.into_iter();
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "list");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
|
||||
assert_eq!(i.next().unwrap().to_selinux(), "update");
|
||||
|
@ -894,7 +887,6 @@ mod tests {
|
|||
KeyPerm::gen_unique_id(),
|
||||
KeyPerm::grant(),
|
||||
KeyPerm::get_info(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -902,7 +894,6 @@ mod tests {
|
|||
let v2 = key_perm_set![
|
||||
KeyPerm::manage_blob(),
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -915,7 +906,6 @@ mod tests {
|
|||
let v1 = key_perm_set![
|
||||
KeyPerm::manage_blob(),
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -923,7 +913,6 @@ mod tests {
|
|||
let v2 = key_perm_set![
|
||||
KeyPerm::manage_blob(),
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -937,7 +926,6 @@ mod tests {
|
|||
KeyPerm::manage_blob(),
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::grant(), // only in v1
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -946,7 +934,6 @@ mod tests {
|
|||
KeyPerm::manage_blob(),
|
||||
KeyPerm::delete(),
|
||||
KeyPerm::req_forced_op(), // only in v2
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
@ -959,7 +946,6 @@ mod tests {
|
|||
let v1 = key_perm_set![KeyPerm::manage_blob(), KeyPerm::delete(), KeyPerm::grant(),];
|
||||
let v2 = key_perm_set![
|
||||
KeyPerm::req_forced_op(),
|
||||
KeyPerm::list(),
|
||||
KeyPerm::rebind(),
|
||||
KeyPerm::update(),
|
||||
KeyPerm::use_(),
|
||||
|
|
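Review bot: In the `implement_permission!` hunk, placing `List = 8` between GetState and Lock moves Lock, Reset and Unlock to 0x10, 0x20 and 0x40, so every existing `KeystorePerm` bit after GetState changes value. Nothing in these hunks shows the values leaving the process, but appending the new entry instead, `List = 0x40, selinux name: list;` after Unlock, would add the permission without renumbering anything. Separately, the context line above GetState carries the doc comment `/// Checked when Keystore 2.0 gets locked.`, which duplicates Lock's and looks like a copy-paste slip; something like `/// Checked when the Keystore 2.0 state is queried.` would fit, if that is what get_state guards. The macro invocation starts above the hunk.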