Merge "Keystore 2.0: Remove list permission from keystore2_key security class."

2020-10-01 16:49:33 +00:00 · 2020-10-01 16:49:33 +00:00 · d55f6ceacc
commit d55f6ceacc
parent 29c9edd2d5 ee10b5fab0
4 changed files with 25 additions and 35 deletions
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@ -424,7 +424,6 @@ mod tests {
        check_key_perm!(gen_unique_id, true);
        check_key_perm!(grant, true);
        check_key_perm!(get_info, false);
-        check_key_perm!(list, false);
        check_key_perm!(rebind, false);
        check_key_perm!(update, false);
        check_key_perm!(use, false);
--- a/keystore2/src/android_security_keystore2.rs
+++ b/keystore2/src/android_security_keystore2.rs
@ -1034,13 +1034,12 @@ pub mod aidl {
          pub const GenUniqueId: KeyPermission = 2;
          pub const GetInfo: KeyPermission = 4;
          pub const Grant: KeyPermission = 8;
-          pub const List: KeyPermission = 16;
-          pub const ManageBlob: KeyPermission = 32;
-          pub const Rebind: KeyPermission = 64;
-          pub const ReqForcedOp: KeyPermission = 128;
-          pub const Update: KeyPermission = 256;
-          pub const Use: KeyPermission = 512;
-          pub const UseDevId: KeyPermission = 1024;
+          pub const ManageBlob: KeyPermission = 16;
+          pub const Rebind: KeyPermission = 32;
+          pub const ReqForcedOp: KeyPermission = 64;
+          pub const Update: KeyPermission = 128;
+          pub const Use: KeyPermission = 256;
+          pub const UseDevId: KeyPermission = 512;
          pub(crate) mod mangled { pub use super::KeyPermission as _7_android_8_security_9_keystore2_13_KeyPermission; }
        }
        pub mod OperationChallenge {
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@ -1086,14 +1086,20 @@ mod tests {
            let mut stmt = db
                .conn
                .prepare("SELECT id, grantee, keyentryid, access_vector FROM perboot.grant;")?;
-            let mut rows = stmt.query_map::<(i64, u32, i64, i32), _, _>(NO_PARAMS, |row| {
-                Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?))
-            })?;
+            let mut rows =
+                stmt.query_map::<(i64, u32, i64, KeyPermSet), _, _>(NO_PARAMS, |row| {
+                    Ok((
+                        row.get(0)?,
+                        row.get(1)?,
+                        row.get(2)?,
+                        KeyPermSet::from(row.get::<_, i32>(3)?),
+                    ))
+                })?;

            let r = rows.next().unwrap().unwrap();
-            assert_eq!(r, (next_random, GRANTEE_UID, 1, 516));
+            assert_eq!(r, (next_random, GRANTEE_UID, 1, PVEC1));
            let r = rows.next().unwrap().unwrap();
-            assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, 512));
+            assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, PVEC2));
            assert!(rows.next().is_none());
        }

--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@ -197,7 +197,6 @@ implement_permission_aidl!(
        GenUniqueId,    selinux name: gen_unique_id;
        GetInfo,        selinux name: get_info;
        Grant,          selinux name: grant;
-        List,           selinux name: list;
        ManageBlob,     selinux name: manage_blob;
        Rebind,         selinux name: rebind;
        ReqForcedOp,    selinux name: req_forced_op;
@ -294,12 +293,15 @@ implement_permission!(
        ClearNs = 2,    selinux name: clear_ns;
        /// Checked when Keystore 2.0 gets locked.
        GetState = 4,   selinux name: get_state;
+        /// Checked when Keystore 2.0 is asked to list a namespace that the caller
+        /// does not have the get_info permission for.
+        List = 8,       selinux name: list;
        /// Checked when Keystore 2.0 gets locked.
-        Lock = 8,       selinux name: lock;
+        Lock = 0x10,       selinux name: lock;
        /// Checked when Keystore 2.0 shall be reset.
-        Reset = 0x10,   selinux name: reset;
+        Reset = 0x20,   selinux name: reset;
        /// Checked when Keystore 2.0 shall be unlocked.
-        Unlock = 0x20,  selinux name: unlock;
+        Unlock = 0x40,  selinux name: unlock;
    }
 );

@ -556,7 +558,6 @@ mod tests {
        KeyPerm::gen_unique_id(),
        KeyPerm::grant(),
        KeyPerm::get_info(),
-        KeyPerm::list(),
        KeyPerm::rebind(),
        KeyPerm::update(),
        KeyPerm::use_(),
@ -570,7 +571,6 @@ mod tests {
        KeyPerm::gen_unique_id(),
        // No KeyPerm::grant()
        KeyPerm::get_info(),
-        KeyPerm::list(),
        KeyPerm::rebind(),
        KeyPerm::update(),
        KeyPerm::use_(),
@ -579,7 +579,6 @@ mod tests {
    const UNPRIV_PERMS: KeyPermSet = key_perm_set![
        KeyPerm::delete(),
        KeyPerm::get_info(),
-        KeyPerm::list(),
        KeyPerm::rebind(),
        KeyPerm::update(),
        KeyPerm::use_(),
@ -632,6 +631,7 @@ mod tests {
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
+        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::list()).is_ok());
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
@ -639,6 +639,7 @@ mod tests {
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::add_auth()));
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_ns()));
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::get_state()));
+        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::list()));
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::lock()));
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::reset()));
        assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::unlock()));
@ -718,7 +719,6 @@ mod tests {
        assert!(check_key_permission(&system_server_ctx, KeyPerm::delete(), &key, &None).is_ok());
        assert!(check_key_permission(&system_server_ctx, KeyPerm::get_info(), &key, &None).is_ok());
        assert!(check_key_permission(&system_server_ctx, KeyPerm::rebind(), &key, &None).is_ok());
-        assert!(check_key_permission(&system_server_ctx, KeyPerm::list(), &key, &None).is_ok());
        assert!(check_key_permission(&system_server_ctx, KeyPerm::update(), &key, &None).is_ok());
        assert!(check_key_permission(&system_server_ctx, KeyPerm::grant(), &key, &None).is_ok());
        assert!(
@ -730,7 +730,6 @@ mod tests {
        assert!(check_key_permission(&shell_ctx, KeyPerm::delete(), &key, &None).is_ok());
        assert!(check_key_permission(&shell_ctx, KeyPerm::get_info(), &key, &None).is_ok());
        assert!(check_key_permission(&shell_ctx, KeyPerm::rebind(), &key, &None).is_ok());
-        assert!(check_key_permission(&shell_ctx, KeyPerm::list(), &key, &None).is_ok());
        assert!(check_key_permission(&shell_ctx, KeyPerm::update(), &key, &None).is_ok());
        assert_perm_failed!(check_key_permission(&shell_ctx, KeyPerm::grant(), &key, &None));
        assert_perm_failed!(check_key_permission(
@ -767,7 +766,6 @@ mod tests {
            assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
-            assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::manage_blob(), &key, &None).is_ok());
@ -779,7 +777,6 @@ mod tests {
            assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
-            assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
            assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
            assert_perm_failed!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None));
            assert_perm_failed!(check_key_permission(&sctx, KeyPerm::req_forced_op(), &key, &None));
@ -840,7 +837,6 @@ mod tests {
            KeyPerm::gen_unique_id(),
            KeyPerm::grant(),
            KeyPerm::get_info(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_() // Test if the macro accepts missing comma at the end of the list.
@ -850,7 +846,6 @@ mod tests {
        assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
        assert_eq!(i.next().unwrap().to_selinux(), "get_info");
        assert_eq!(i.next().unwrap().to_selinux(), "grant");
-        assert_eq!(i.next().unwrap().to_selinux(), "list");
        assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
        assert_eq!(i.next().unwrap().to_selinux(), "rebind");
        assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
@ -865,13 +860,11 @@ mod tests {
            KeyPerm::manage_blob(),
            KeyPerm::req_forced_op(),
            KeyPerm::gen_unique_id(),
-            KeyPerm::list(),
            KeyPerm::update(),
            KeyPerm::use_(), // Test if macro accepts the comma at the end of the list.
        ];
        let mut i = v.into_iter();
        assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
-        assert_eq!(i.next().unwrap().to_selinux(), "list");
        assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
        assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
        assert_eq!(i.next().unwrap().to_selinux(), "update");
@ -894,7 +887,6 @@ mod tests {
            KeyPerm::gen_unique_id(),
            KeyPerm::grant(),
            KeyPerm::get_info(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -902,7 +894,6 @@ mod tests {
        let v2 = key_perm_set![
            KeyPerm::manage_blob(),
            KeyPerm::delete(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -915,7 +906,6 @@ mod tests {
        let v1 = key_perm_set![
            KeyPerm::manage_blob(),
            KeyPerm::delete(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -923,7 +913,6 @@ mod tests {
        let v2 = key_perm_set![
            KeyPerm::manage_blob(),
            KeyPerm::delete(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -937,7 +926,6 @@ mod tests {
            KeyPerm::manage_blob(),
            KeyPerm::delete(),
            KeyPerm::grant(), // only in v1
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -946,7 +934,6 @@ mod tests {
            KeyPerm::manage_blob(),
            KeyPerm::delete(),
            KeyPerm::req_forced_op(), // only in v2
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),
@ -959,7 +946,6 @@ mod tests {
        let v1 = key_perm_set![KeyPerm::manage_blob(), KeyPerm::delete(), KeyPerm::grant(),];
        let v2 = key_perm_set![
            KeyPerm::req_forced_op(),
-            KeyPerm::list(),
            KeyPerm::rebind(),
            KeyPerm::update(),
            KeyPerm::use_(),