Merge "Updated the logic to determine the VSR API level for device ID attestation tests." into main
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index f7a8198..db3eff6 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -55,7 +55,7 @@
F: Fn(&Transaction) -> Result<T>,
{
loop {
- match self
+ let result = self
.conn
.transaction_with_behavior(behavior)
.context("In with_transaction.")
@@ -63,7 +63,8 @@
.and_then(|(result, tx)| {
tx.commit().context("In with_transaction: Failed to commit transaction.")?;
Ok(result)
- }) {
+ });
+ match result {
Ok(result) => break Ok(result),
Err(e) => {
if Self::is_locked_error(&e) {
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index b526daa..2757313 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -1467,7 +1467,7 @@
F: Fn(&Transaction) -> Result<(bool, T)>,
{
loop {
- match self
+ let result = self
.conn
.transaction_with_behavior(behavior)
.context(ks_err!())
@@ -1475,7 +1475,8 @@
.and_then(|(result, tx)| {
tx.commit().context(ks_err!("Failed to commit transaction."))?;
Ok(result)
- }) {
+ });
+ match result {
Ok(result) => break Ok(result),
Err(e) => {
if Self::is_locked_error(&e) {
diff --git a/keystore2/src/operation.rs b/keystore2/src/operation.rs
index eabc1ab..11eaf17 100644
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@@ -290,7 +290,7 @@
// We abort the operation. If there was an error we log it but ignore it.
if let Err(e) = map_km_error(self.km_op.abort()) {
- log::error!("In prune: KeyMint::abort failed with {:?}.", e);
+ log::warn!("In prune: KeyMint::abort failed with {:?}.", e);
}
Ok(())
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 6fb0eb2..5f9745f 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -927,7 +927,7 @@
.context(ks_err!("Check permission"))?;
let km_dev = &self.keymint;
- match {
+ let res = {
let _wp = self.watch_millis(
concat!(
"In IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ",
@@ -936,7 +936,8 @@
500,
);
map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
- } {
+ };
+ match res {
Ok(result) => {
Ok(EphemeralStorageKeyResponse { ephemeralKey: result, upgradedBlob: None })
}
diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc
index b96c62f..b95cf9d 100644
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@@ -3,13 +3,10 @@
user root
group system
disabled # does not start with the core class
- # Explicitly specify empty capabilities, otherwise odsign will inherit all
- # the capabilities from init.
- # Note: whether a process can use capabilities is controlled by SELinux, so
- # inheriting all the capabilities from init is not a security issue.
- # However, for defense-in-depth and just for the sake of bookkeeping it's
- # better to explicitly state that odsign doesn't need any capabilities.
- capabilities
+ # We need SYS_NICE in order to allow the crosvm child process to use it.
+ # (b/322197421). odsign itself never uses it (and isn't allowed to by
+ # SELinux).
+ capabilities SYS_NICE
# Note that odsign is not oneshot, but stopped manually when it exits. This
# ensures that if odsign crashes during a module update, apexd will detect