diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs index 8bc3bc44..932c30ef 100644 --- a/keystore2/selinux/src/lib.rs +++ b/keystore2/selinux/src/lib.rs @@ -424,7 +424,6 @@ mod tests { check_key_perm!(gen_unique_id, true); check_key_perm!(grant, true); check_key_perm!(get_info, false); - check_key_perm!(list, false); check_key_perm!(rebind, false); check_key_perm!(update, false); check_key_perm!(use, false); diff --git a/keystore2/src/android_security_keystore2.rs b/keystore2/src/android_security_keystore2.rs index 99629ff1..d22a593b 100644 --- a/keystore2/src/android_security_keystore2.rs +++ b/keystore2/src/android_security_keystore2.rs @@ -1034,13 +1034,12 @@ pub mod aidl { pub const GenUniqueId: KeyPermission = 2; pub const GetInfo: KeyPermission = 4; pub const Grant: KeyPermission = 8; - pub const List: KeyPermission = 16; - pub const ManageBlob: KeyPermission = 32; - pub const Rebind: KeyPermission = 64; - pub const ReqForcedOp: KeyPermission = 128; - pub const Update: KeyPermission = 256; - pub const Use: KeyPermission = 512; - pub const UseDevId: KeyPermission = 1024; + pub const ManageBlob: KeyPermission = 16; + pub const Rebind: KeyPermission = 32; + pub const ReqForcedOp: KeyPermission = 64; + pub const Update: KeyPermission = 128; + pub const Use: KeyPermission = 256; + pub const UseDevId: KeyPermission = 512; pub(crate) mod mangled { pub use super::KeyPermission as _7_android_8_security_9_keystore2_13_KeyPermission; } } pub mod OperationChallenge { diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs index e459e867..ea70195b 100644 --- a/keystore2/src/database.rs +++ b/keystore2/src/database.rs 
@@ -1086,14 +1086,20 @@ mod tests {
 let mut stmt = db
 .conn
 .prepare("SELECT id, grantee, keyentryid, access_vector FROM perboot.grant;")?;
- let mut rows = stmt.query_map::<(i64, u32, i64, i32), _, _>(NO_PARAMS, |row| {
- Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?))
- })?;
+ let mut rows =
+ stmt.query_map::<(i64, u32, i64, KeyPermSet), _, _>(NO_PARAMS, |row| {
+ Ok((
+ row.get(0)?,
+ row.get(1)?,
+ row.get(2)?,
+ KeyPermSet::from(row.get::<_, i32>(3)?),
+ ))
+ })?;
 let r = rows.next().unwrap().unwrap();
- assert_eq!(r, (next_random, GRANTEE_UID, 1, 516));
+ assert_eq!(r, (next_random, GRANTEE_UID, 1, PVEC1));
 let r = rows.next().unwrap().unwrap();
- assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, 512));
+ assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, PVEC2));
 assert!(rows.next().is_none());
 }
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index df594845..18806237 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -197,7 +197,6 @@ implement_permission_aidl!(
 GenUniqueId, selinux name: gen_unique_id;
 GetInfo, selinux name: get_info;
 Grant, selinux name: grant;
- List, selinux name: list;
 ManageBlob, selinux name: manage_blob;
 Rebind, selinux name: rebind;
 ReqForcedOp, selinux name: req_forced_op;
@@ -294,12 +293,15 @@ implement_permission!(
 ClearNs = 2, selinux name: clear_ns;
 /// Checked when Keystore 2.0 gets locked.
 GetState = 4, selinux name: get_state;
+ /// Checked when Keystore 2.0 is asked to list a namespace that the caller
+ /// does not have the get_info permission for.
+ List = 8, selinux name: list;
 /// Checked when Keystore 2.0 gets locked.
- Lock = 8, selinux name: lock;
+ Lock = 0x10, selinux name: lock;
 /// Checked when Keystore 2.0 shall be reset.
- Reset = 0x10, selinux name: reset;
+ Reset = 0x20, selinux name: reset;
 /// Checked when Keystore 2.0 shall be unlocked.
- Unlock = 0x20, selinux name: unlock;
+ Unlock = 0x40, selinux name: unlock;
 }
 );
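Review bot: In the database.rs grant test, swapping the literals `516` and `512` for `PVEC1`/`PVEC2` removes the only check that pins the integer written to `access_vector`. The same commit renumbers the KeyPermission bits in android_security_keystore2.rs (`Use` 512 → 256, `UseDevId` 1024 → 512), so a row holding the old `512` would now decode as `UseDevId` rather than `Use`; whether perboot.grant rows can outlive a build is not visible here. I would record that next to the query, e.g. `// access_vector stores KeyPermission bits as i32; renumbering the AIDL constants changes what existing rows mean.` The test function starts outside the hunk.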
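Review bot: The doc comment on the new `List = 8` entry in permission.rs does not say that the check is made on the caller alone; the tests this commit adds call `check_keystore_permission(&system_server_ctx, KeystorePerm::list())` with no key or namespace argument, so a caller granted `list` is presumably not limited to one namespace. I would add a line such as `/// Not scoped to the target namespace: grant only to callers that may enumerate any namespace.` Inserting at 8 also moves `Lock`, `Reset` and `Unlock` to new bit values; if these integers are stored or sent anywhere outside this module (not visible here), appending `List = 0x40` would keep the existing values stable. The enclosing `implement_permission!` invocation starts outside the hunk.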
@@ -556,7 +558,6 @@ mod tests {
 KeyPerm::gen_unique_id(),
 KeyPerm::grant(),
 KeyPerm::get_info(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -570,7 +571,6 @@ mod tests {
 KeyPerm::gen_unique_id(),
 // No KeyPerm::grant()
 KeyPerm::get_info(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -579,7 +579,6 @@ mod tests {
 const UNPRIV_PERMS: KeyPermSet = key_perm_set![
 KeyPerm::delete(),
 KeyPerm::get_info(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -632,6 +631,7 @@ mod tests {
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::list()).is_ok());
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
 assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
@@ -639,6 +639,7 @@ mod tests {
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::add_auth()));
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_ns()));
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::get_state()));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::list()));
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::lock()));
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::reset()));
 assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::unlock()));
@@ -718,7 +719,6 @@ mod tests {
 assert!(check_key_permission(&system_server_ctx, KeyPerm::delete(), &key, &None).is_ok());
 assert!(check_key_permission(&system_server_ctx, KeyPerm::get_info(), &key, &None).is_ok());
 assert!(check_key_permission(&system_server_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&system_server_ctx, KeyPerm::list(), &key, &None).is_ok());
 assert!(check_key_permission(&system_server_ctx, KeyPerm::update(), &key, &None).is_ok());
 assert!(check_key_permission(&system_server_ctx, KeyPerm::grant(), &key, &None).is_ok());
 assert!(
@@ -730,7 +730,6 @@ mod tests {
 assert!(check_key_permission(&shell_ctx, KeyPerm::delete(), &key, &None).is_ok());
 assert!(check_key_permission(&shell_ctx, KeyPerm::get_info(), &key, &None).is_ok());
 assert!(check_key_permission(&shell_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&shell_ctx, KeyPerm::list(), &key, &None).is_ok());
 assert!(check_key_permission(&shell_ctx, KeyPerm::update(), &key, &None).is_ok());
 assert_perm_failed!(check_key_permission(&shell_ctx, KeyPerm::grant(), &key, &None));
 assert_perm_failed!(check_key_permission(
@@ -767,7 +766,6 @@ mod tests {
 assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::manage_blob(), &key, &None).is_ok());
@@ -779,7 +777,6 @@ mod tests {
 assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
 assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
 assert_perm_failed!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None));
 assert_perm_failed!(check_key_permission(&sctx, KeyPerm::req_forced_op(), &key, &None));
@@ -840,7 +837,6 @@ mod tests {
 KeyPerm::gen_unique_id(),
 KeyPerm::grant(),
 KeyPerm::get_info(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_() // Test if the macro accepts missing comma at the end of the list.
@@ -850,7 +846,6 @@ mod tests {
 assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
 assert_eq!(i.next().unwrap().to_selinux(), "get_info");
 assert_eq!(i.next().unwrap().to_selinux(), "grant");
- assert_eq!(i.next().unwrap().to_selinux(), "list");
 assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
 assert_eq!(i.next().unwrap().to_selinux(), "rebind");
 assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
@@ -865,13 +860,11 @@ mod tests {
 KeyPerm::manage_blob(),
 KeyPerm::req_forced_op(),
 KeyPerm::gen_unique_id(),
- KeyPerm::list(),
 KeyPerm::update(),
 KeyPerm::use_(), // Test if macro accepts the comma at the end of the list.
 ];
 let mut i = v.into_iter();
 assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
- assert_eq!(i.next().unwrap().to_selinux(), "list");
 assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
 assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
 assert_eq!(i.next().unwrap().to_selinux(), "update");
@@ -894,7 +887,6 @@ mod tests {
 KeyPerm::gen_unique_id(),
 KeyPerm::grant(),
 KeyPerm::get_info(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -902,7 +894,6 @@ mod tests {
 let v2 = key_perm_set![
 KeyPerm::manage_blob(),
 KeyPerm::delete(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -915,7 +906,6 @@ mod tests {
 let v1 = key_perm_set![
 KeyPerm::manage_blob(),
 KeyPerm::delete(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -923,7 +913,6 @@ mod tests {
 let v2 = key_perm_set![
 KeyPerm::manage_blob(),
 KeyPerm::delete(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -937,7 +926,6 @@ mod tests {
 KeyPerm::manage_blob(),
 KeyPerm::delete(),
 KeyPerm::grant(), // only in v1
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -946,7 +934,6 @@ mod tests {
 KeyPerm::manage_blob(),
 KeyPerm::delete(),
 KeyPerm::req_forced_op(), // only in v2
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),
@@ -959,7 +946,6 @@ mod tests {
 let v1 = key_perm_set![KeyPerm::manage_blob(), KeyPerm::delete(), KeyPerm::grant(),];
 let v2 = key_perm_set![
 KeyPerm::req_forced_op(),
- KeyPerm::list(),
 KeyPerm::rebind(),
 KeyPerm::update(),
 KeyPerm::use_(),