Moving set_requesting_sid to new_binder method.

Bug: 178852354 Test: mm Change-Id: Ib6af028b19d36965ad2de62c8ddc52936b6abec2
2021-04-13 14:42:38 +00:00 · 2021-04-13 14:42:38 +00:00 · de45c8b999
commit de45c8b999
parent 2295dae962
8 changed files with 57 additions and 55 deletions
--- a/keystore2/src/apc.rs
+++ b/keystore2/src/apc.rs
@ -28,10 +28,10 @@ use android_security_apc::aidl::android::security::apc::{
    ResponseCode::ResponseCode,
 };
 use android_security_apc::binder::{
-    ExceptionCode, Interface, Result as BinderResult, SpIBinder, Status as BinderStatus, Strong,
+    BinderFeatures, ExceptionCode, Interface, Result as BinderResult, SpIBinder,
    Status as BinderStatus, Strong, ThreadState,
 };
 use anyhow::{Context, Result};
 use binder::{IBinderInternal, ThreadState};
 use keystore2_apc_compat::ApcHal;
 use keystore2_selinux as selinux;
 use std::time::{Duration, Instant};
@ -203,11 +203,10 @@ impl ApcManager {
    pub fn new_native_binder(
        confirmation_token_sender: Sender<Vec<u8>>,
    ) -> Result<Strong<dyn IProtectedConfirmation>> {
-        let result = BnProtectedConfirmation::new_binder(Self {
+        Ok(BnProtectedConfirmation::new_binder(
-            state: Arc::new(Mutex::new(ApcState::new(confirmation_token_sender))),
+            Self { state: Arc::new(Mutex::new(ApcState::new(confirmation_token_sender))) },
-        });
+            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
-        result.as_binder().set_requesting_sid(true);
+        ))
        Ok(result)
    }
    fn result(
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@ -22,7 +22,7 @@ use crate::utils::check_keystore_permission;
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
    HardwareAuthToken::HardwareAuthToken,
 };
-use android_security_authorization::binder::{ExceptionCode, Interface, Result as BinderResult,
+use android_security_authorization::binder::{BinderFeatures,ExceptionCode, Interface, Result as BinderResult,
     Strong, Status as BinderStatus};
 use android_security_authorization::aidl::android::security::authorization::{
    IKeystoreAuthorization::BnKeystoreAuthorization, IKeystoreAuthorization::IKeystoreAuthorization,
@ -32,7 +32,6 @@ use android_security_authorization::aidl::android::security::authorization::{
 use android_system_keystore2::aidl::android::system::keystore2::{
    ResponseCode::ResponseCode as KsResponseCode };
 use anyhow::{Context, Result};
 use binder::IBinderInternal;
 use keystore2_crypto::Password;
 use keystore2_selinux as selinux;
@ -112,9 +111,10 @@ pub struct AuthorizationManager;
 impl AuthorizationManager {
    /// Create a new instance of Keystore Authorization service.
    pub fn new_native_binder() -> Result<Strong<dyn IKeystoreAuthorization>> {
-        let result = BnKeystoreAuthorization::new_binder(Self);
+        Ok(BnKeystoreAuthorization::new_binder(
-        result.as_binder().set_requesting_sid(true);
+            Self,
-        Ok(result)
+            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
        ))
    }
    fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@ -29,13 +29,14 @@ use android_security_maintenance::aidl::android::security::maintenance::{
    IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
    UserState::UserState as AidlUserState,
 };
-use android_security_maintenance::binder::{Interface, Result as BinderResult};
+use android_security_maintenance::binder::{
    BinderFeatures, Interface, Result as BinderResult, Strong, ThreadState,
 };
 use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
 use android_system_keystore2::aidl::android::system::keystore2::{
    Domain::Domain, KeyDescriptor::KeyDescriptor,
 };
 use anyhow::{Context, Result};
 use binder::{IBinderInternal, Strong, ThreadState};
 use keystore2_crypto::Password;
 /// This struct is defined to implement the aforementioned AIDL interface.
@ -45,9 +46,10 @@ pub struct Maintenance;
 impl Maintenance {
    /// Create a new instance of Keystore User Manager service.
    pub fn new_native_binder() -> Result<Strong<dyn IKeystoreMaintenance>> {
-        let result = BnKeystoreMaintenance::new_binder(Self);
+        Ok(BnKeystoreMaintenance::new_binder(
-        result.as_binder().set_requesting_sid(true);
+            Self,
-        Ok(result)
+            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
        ))
    }
    fn on_user_password_changed(user_id: i32, password: Option<Password>) -> Result<()> {
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@ -133,11 +133,11 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
    IKeyMintOperation::IKeyMintOperation, KeyParameter::KeyParameter, KeyPurpose::KeyPurpose,
    SecurityLevel::SecurityLevel,
 };
 use android_hardware_security_keymint::binder::BinderFeatures;
 use android_system_keystore2::aidl::android::system::keystore2::{
    IKeystoreOperation::BnKeystoreOperation, IKeystoreOperation::IKeystoreOperation,
 };
 use anyhow::{anyhow, Context, Result};
 use binder::IBinderInternal;
 use std::{
    collections::HashMap,
    sync::{Arc, Mutex, MutexGuard, Weak},
@ -783,16 +783,16 @@ pub struct KeystoreOperation {
 impl KeystoreOperation {
    /// Creates a new operation instance wrapped in a
-    /// BnKeystoreOperation proxy object. It also
+    /// BnKeystoreOperation proxy object. It also enables
-    /// calls `IBinderInternal::set_requesting_sid` on the new interface, because
+    /// `BinderFeatures::set_requesting_sid` on the new interface, because
    /// we need it for checking Keystore permissions.
    pub fn new_native_binder(
        operation: Arc<Operation>,
    ) -> binder::public_api::Strong<dyn IKeystoreOperation> {
-        let result =
+        BnKeystoreOperation::new_binder(
-            BnKeystoreOperation::new_binder(Self { operation: Mutex::new(Some(operation)) });
+            Self { operation: Mutex::new(Some(operation)) },
-        result.as_binder().set_requesting_sid(true);
+            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
-        result
+        )
    }
    /// Grabs the outer operation mutex and calls `f` on the locked operation.
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@ -34,7 +34,7 @@ use android_security_remoteprovisioning::aidl::android::security::remoteprovisio
    AttestationPoolStatus::AttestationPoolStatus, IRemoteProvisioning::BnRemoteProvisioning,
    IRemoteProvisioning::IRemoteProvisioning,
 };
-use android_security_remoteprovisioning::binder::Strong;
+use android_security_remoteprovisioning::binder::{BinderFeatures, Strong};
 use android_system_keystore2::aidl::android::system::keystore2::{
    Domain::Domain, KeyDescriptor::KeyDescriptor,
 };
@ -233,7 +233,7 @@ impl RemoteProvisioningService {
        if let Ok(dev) = get_remotely_provisioned_component(&SecurityLevel::STRONGBOX) {
            result.device_by_sec_level.insert(SecurityLevel::STRONGBOX, dev);
        }
-        Ok(BnRemoteProvisioning::new_binder(result))
+        Ok(BnRemoteProvisioning::new_binder(result, BinderFeatures::default()))
    }
    /// Populates the AttestationPoolStatus parcelable with information about how many
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@ -22,6 +22,7 @@ use android_hardware_security_keymint::aidl::android::hardware::security::keymin
    KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
    KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
 };
 use android_hardware_security_keymint::binder::{BinderFeatures, Strong, ThreadState};
 use android_system_keystore2::aidl::android::system::keystore2::{
    AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
    Domain::Domain, IKeystoreOperation::IKeystoreOperation,
@ -57,7 +58,6 @@ use crate::{
    utils::key_characteristics_to_internal,
 };
 use anyhow::{anyhow, Context, Result};
 use binder::{IBinderInternal, Strong, ThreadState};
 /// Implementation of the IKeystoreSecurityLevel Interface.
 pub struct KeystoreSecurityLevel {
@ -79,8 +79,8 @@ const UNDEFINED_NOT_AFTER: i64 = 253402300799000i64;
 impl KeystoreSecurityLevel {
    /// Creates a new security level instance wrapped in a
-    /// BnKeystoreSecurityLevel proxy object. It also
+    /// BnKeystoreSecurityLevel proxy object. It also enables
-    /// calls `IBinderInternal::set_requesting_sid` on the new interface, because
+    /// `BinderFeatures::set_requesting_sid` on the new interface, because
    /// we need it for checking keystore permissions.
    pub fn new_native_binder(
        security_level: SecurityLevel,
@ -88,16 +88,18 @@ impl KeystoreSecurityLevel {
    ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)> {
        let (dev, hw_info, km_uuid) = get_keymint_device(&security_level)
            .context("In KeystoreSecurityLevel::new_native_binder.")?;
-        let result = BnKeystoreSecurityLevel::new_binder(Self {
+        let result = BnKeystoreSecurityLevel::new_binder(
-            security_level,
+            Self {
-            keymint: dev,
+                security_level,
-            hw_info,
+                keymint: dev,
-            km_uuid,
+                hw_info,
-            operation_db: OperationDb::new(),
+                km_uuid,
-            rem_prov_state: RemProvState::new(security_level, km_uuid),
+                operation_db: OperationDb::new(),
-            id_rotation_state,
+                rem_prov_state: RemProvState::new(security_level, km_uuid),
-        });
+                id_rotation_state,
-        result.as_binder().set_requesting_sid(true);
+            },
            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
        );
        Ok((result, km_uuid))
    }
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@ -37,13 +37,13 @@ use crate::{
    id_rotation::IdRotationState,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
 use android_hardware_security_keymint::binder::{BinderFeatures, Strong, ThreadState};
 use android_system_keystore2::aidl::android::system::keystore2::{
    Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
    IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
    KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
 };
 use anyhow::{Context, Result};
 use binder::{IBinderInternal, Strong, ThreadState};
 use error::Error;
 use keystore2_selinux as selinux;
@ -90,9 +90,10 @@ impl KeystoreService {
                "In KeystoreService::new_native_binder: Trying to initialize the legacy migrator.",
            )?;
-        let result = BnKeystoreService::new_binder(result);
+        Ok(BnKeystoreService::new_binder(
-        result.as_binder().set_requesting_sid(true);
+            result,
-        Ok(result)
+            BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
        ))
    }
    fn uuid_to_sec_level(&self, uuid: &Uuid) -> SecurityLevel {
--- a/keystore2/vpnprofilestore/lib.rs
+++ b/keystore2/vpnprofilestore/lib.rs
@ -18,9 +18,11 @@ use android_security_vpnprofilestore::aidl::android::security::vpnprofilestore::
    IVpnProfileStore::BnVpnProfileStore, IVpnProfileStore::IVpnProfileStore,
    IVpnProfileStore::ERROR_PROFILE_NOT_FOUND, IVpnProfileStore::ERROR_SYSTEM_ERROR,
 };
-use android_security_vpnprofilestore::binder::{Result as BinderResult, Status as BinderStatus};
+use android_security_vpnprofilestore::binder::{
    BinderFeatures, ExceptionCode, Result as BinderResult, Status as BinderStatus, Strong,
    ThreadState,
 };
 use anyhow::{Context, Result};
 use binder::{ExceptionCode, Strong, ThreadState};
 use keystore2::{async_task::AsyncTask, legacy_blob::LegacyBlobLoader};
 use rusqlite::{
    params, Connection, OptionalExtension, Transaction, TransactionBehavior, NO_PARAMS,
@ -75,15 +77,11 @@ impl DB {
    }
    fn is_locked_error(e: &anyhow::Error) -> bool {
-        matches!(e.root_cause().downcast_ref::<rusqlite::ffi::Error>(),
+        matches!(
-        Some(rusqlite::ffi::Error {
+            e.root_cause().downcast_ref::<rusqlite::ffi::Error>(),
-            code: rusqlite::ErrorCode::DatabaseBusy,
+            Some(rusqlite::ffi::Error { code: rusqlite::ErrorCode::DatabaseBusy, .. })
-            ..
+                | Some(rusqlite::ffi::Error { code: rusqlite::ErrorCode::DatabaseLocked, .. })
-        })
+        )
        | Some(rusqlite::ffi::Error {
            code: rusqlite::ErrorCode::DatabaseLocked,
            ..
        }))
    }
    fn init_tables(&mut self) -> Result<()> {
@ -224,7 +222,7 @@ impl VpnProfileStore {
        let result = Self { db_path, async_task: Default::default() };
        result.init_shelf(path);
-        BnVpnProfileStore::new_binder(result)
+        BnVpnProfileStore::new_binder(result, BinderFeatures::default())
    }
    fn open_db(&self) -> Result<DB> {