Merge changes Ib339bd0a,I4ff3ff91,I6863269e,I85d24118,Ic7ce23e2
* changes:
Keystore 2.0: Refactor permissions. 5/5
Keystore 2.0: Refactor permissions. 4/5
Keystore 2.0: Refactor permissions. 3/5
Keystore 2.0: Refactor permissions. 2/5
Keystore 2.0: Refactor permissions. 1/5
diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs
index 902e9a4..c0593b7 100644
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@@ -333,6 +333,311 @@
}
}
+/// Represents an SEPolicy permission belonging to a specific class.
+pub trait ClassPermission {
+ /// The permission string of the given instance as specified in the class vector.
+ fn name(&self) -> &'static str;
+ /// The class of the permission.
+ fn class_name(&self) -> &'static str;
+}
+
+/// This macro implements an enum with values mapped to SELinux permission names.
+/// The example below implements `enum MyPermission with public visibility:
+/// * From<i32> and Into<i32> are implemented. Where the implementation of From maps
+/// any variant not specified to the default `None` with value `0`.
+/// * `MyPermission` implements ClassPermission.
+/// * An implicit default values `MyPermission::None` is created with a numeric representation
+/// of `0` and a string representation of `"none"`.
+/// * Specifying a value is optional. If the value is omitted it is set to the value of the
+/// previous variant left shifted by 1.
+///
+/// ## Example
+/// ```
+/// implement_class!(
+/// /// MyPermission documentation.
+/// #[derive(Clone, Copy, Debug, Eq, PartialEq)]
+/// #[selinux(class_name = my_class)]
+/// pub enum MyPermission {
+/// #[selinux(name = foo)]
+/// Foo = 1,
+/// #[selinux(name = bar)]
+/// Bar = 2,
+/// #[selinux(name = snafu)]
+/// Snafu, // Implicit value: MyPermission::Bar << 1 -> 4
+/// }
+/// assert_eq!(MyPermission::Foo.name(), &"foo");
+/// assert_eq!(MyPermission::Foo.class_name(), &"my_class");
+/// assert_eq!(MyPermission::Snafu as i32, 4);
+/// );
+/// ```
+#[macro_export]
+macro_rules! implement_class {
+ // First rule: Public interface.
+ (
+ $(#[$($enum_meta:tt)+])*
+ $enum_vis:vis enum $enum_name:ident $body:tt
+ ) => {
+ implement_class! {
+ @extract_class
+ []
+ [$(#[$($enum_meta)+])*]
+ $enum_vis enum $enum_name $body
+ }
+ };
+
+ // The next two rules extract the #[selinux(class_name = <name>)] meta field from
+ // the types meta list.
+ // This first rule finds the field and terminates the recursion through the meta fields.
+ (
+ @extract_class
+ [$(#[$mout:meta])*]
+ [
+ #[selinux(class_name = $class_name:ident)]
+ $(#[$($mtail:tt)+])*
+ ]
+ $enum_vis:vis enum $enum_name:ident {
+ $(
+ $(#[$($emeta:tt)+])*
+ $vname:ident$( = $vval:expr)?
+ ),* $(,)?
+ }
+ ) => {
+ implement_class!{
+ @extract_perm_name
+ $class_name
+ $(#[$mout])*
+ $(#[$($mtail)+])*
+ $enum_vis enum $enum_name {
+ 1;
+ []
+ [$(
+ [] [$(#[$($emeta)+])*]
+ $vname$( = $vval)?,
+ )*]
+ }
+ }
+ };
+
+ // The second rule iterates through the type global meta fields.
+ (
+ @extract_class
+ [$(#[$mout:meta])*]
+ [
+ #[$front:meta]
+ $(#[$($mtail:tt)+])*
+ ]
+ $enum_vis:vis enum $enum_name:ident $body:tt
+ ) => {
+ implement_class!{
+ @extract_class
+ [
+ $(#[$mout])*
+ #[$front]
+ ]
+ [$(#[$($mtail)+])*]
+ $enum_vis enum $enum_name $body
+ }
+ };
+
+ // The next four rules implement two nested recursions. The outer iterates through
+ // the enum variants and the inner iterates through the meta fields of each variant.
+ // The first two rules find the #[selinux(name = <name>)] stanza, terminate the inner
+ // recursion and descend a level in the outer recursion.
+ // The first rule matches variants with explicit initializer $vval. And updates the next
+ // value to ($vval << 1).
+ (
+ @extract_perm_name
+ $class_name:ident
+ $(#[$enum_meta:meta])*
+ $enum_vis:vis enum $enum_name:ident {
+ $next_val:expr;
+ [$($out:tt)*]
+ [
+ [$(#[$mout:meta])*]
+ [
+ #[selinux(name = $selinux_name:ident)]
+ $(#[$($mtail:tt)+])*
+ ]
+ $vname:ident = $vval:expr,
+ $($tail:tt)*
+ ]
+ }
+ ) => {
+ implement_class!{
+ @extract_perm_name
+ $class_name
+ $(#[$enum_meta])*
+ $enum_vis enum $enum_name {
+ ($vval << 1);
+ [
+ $($out)*
+ $(#[$mout])*
+ $(#[$($mtail)+])*
+ $selinux_name $vname = $vval,
+ ]
+ [$($tail)*]
+ }
+ }
+ };
+
+ // The second rule differs form the previous in that there is no explicit initializer.
+ // Instead $next_val is used as initializer and the next value is set to (&next_val << 1).
+ (
+ @extract_perm_name
+ $class_name:ident
+ $(#[$enum_meta:meta])*
+ $enum_vis:vis enum $enum_name:ident {
+ $next_val:expr;
+ [$($out:tt)*]
+ [
+ [$(#[$mout:meta])*]
+ [
+ #[selinux(name = $selinux_name:ident)]
+ $(#[$($mtail:tt)+])*
+ ]
+ $vname:ident,
+ $($tail:tt)*
+ ]
+ }
+ ) => {
+ implement_class!{
+ @extract_perm_name
+ $class_name
+ $(#[$enum_meta])*
+ $enum_vis enum $enum_name {
+ ($next_val << 1);
+ [
+ $($out)*
+ $(#[$mout])*
+ $(#[$($mtail)+])*
+ $selinux_name $vname = $next_val,
+ ]
+ [$($tail)*]
+ }
+ }
+ };
+
+ // The third rule descends a step in the inner recursion.
+ (
+ @extract_perm_name
+ $class_name:ident
+ $(#[$enum_meta:meta])*
+ $enum_vis:vis enum $enum_name:ident {
+ $next_val:expr;
+ [$($out:tt)*]
+ [
+ [$(#[$mout:meta])*]
+ [
+ #[$front:meta]
+ $(#[$($mtail:tt)+])*
+ ]
+ $vname:ident$( = $vval:expr)?,
+ $($tail:tt)*
+ ]
+ }
+ ) => {
+ implement_class!{
+ @extract_perm_name
+ $class_name
+ $(#[$enum_meta])*
+ $enum_vis enum $enum_name {
+ $next_val;
+ [$($out)*]
+ [
+ [
+ $(#[$mout])*
+ #[$front]
+ ]
+ [$(#[$($mtail)+])*]
+ $vname$( = $vval)?,
+ $($tail)*
+ ]
+ }
+ }
+ };
+
+ // The fourth rule terminates the outer recursion and transitions to the
+ // implementation phase @spill.
+ (
+ @extract_perm_name
+ $class_name:ident
+ $(#[$enum_meta:meta])*
+ $enum_vis:vis enum $enum_name:ident {
+ $next_val:expr;
+ [$($out:tt)*]
+ []
+ }
+ ) => {
+ implement_class!{
+ @spill
+ $class_name
+ $(#[$enum_meta])*
+ $enum_vis enum $enum_name {
+ $($out)*
+ }
+ }
+ };
+
+ (
+ @spill
+ $class_name:ident
+ $(#[$enum_meta:meta])*
+ $enum_vis:vis enum $enum_name:ident {
+ $(
+ $(#[$emeta:meta])*
+ $selinux_name:ident $vname:ident = $vval:expr,
+ )*
+ }
+ ) => {
+ $(#[$enum_meta])*
+ $enum_vis enum $enum_name {
+ /// The default variant of the enum.
+ None = 0,
+ $(
+ $(#[$emeta])*
+ $vname = $vval,
+ )*
+ }
+
+ impl From<i32> for $enum_name {
+ #[allow(non_upper_case_globals)]
+ fn from (p: i32) -> Self {
+ // Creating constants forces the compiler to evaluate the value expressions
+ // so that they can be used in the match statement below.
+ $(const $vname: i32 = $vval;)*
+ match p {
+ 0 => Self::None,
+ $($vname => Self::$vname,)*
+ _ => Self::None,
+ }
+ }
+ }
+
+ impl From<$enum_name> for i32 {
+ fn from(p: $enum_name) -> i32 {
+ p as i32
+ }
+ }
+
+ impl ClassPermission for $enum_name {
+ fn name(&self) -> &'static str {
+ match self {
+ Self::None => &"none",
+ $(Self::$vname => stringify!($selinux_name),)*
+ }
+ }
+ fn class_name(&self) -> &'static str {
+ stringify!($class_name)
+ }
+ }
+ };
+}
+
+/// Calls `check_access` on the given class permission.
+pub fn check_permission<T: ClassPermission>(source: &CStr, target: &CStr, perm: T) -> Result<()> {
+ check_access(source, target, perm.class_name(), perm.name())
+}
+
#[cfg(test)]
mod tests {
use super::*;
diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index b6a8e31..a8c1ca9 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -109,7 +109,7 @@
KeyType::Client,
KeyEntryLoadBits::BOTH,
caller_uid,
- |k, av| check_key_permission(KeyPerm::use_(), k, &av),
+ |k, av| check_key_permission(KeyPerm::Use, k, &av),
)
.context("In load_attest_key_blob_and_cert: Failed to load key.")?;
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index 777089f..04626bc 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -119,7 +119,7 @@
fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
// Check keystore permission.
- check_keystore_permission(KeystorePerm::add_auth()).context("In add_auth_token.")?;
+ check_keystore_permission(KeystorePerm::AddAuth).context("In add_auth_token.")?;
ENFORCEMENTS.add_auth_token(auth_token.clone());
Ok(())
@@ -143,7 +143,7 @@
(LockScreenEvent::UNLOCK, Some(password)) => {
// This corresponds to the unlock() method in legacy keystore API.
// check permission
- check_keystore_permission(KeystorePerm::unlock())
+ check_keystore_permission(KeystorePerm::Unlock)
.context("In on_lock_screen_event: Unlock with password.")?;
ENFORCEMENTS.set_device_locked(user_id, false);
@@ -177,7 +177,7 @@
Ok(())
}
(LockScreenEvent::UNLOCK, None) => {
- check_keystore_permission(KeystorePerm::unlock())
+ check_keystore_permission(KeystorePerm::Unlock)
.context("In on_lock_screen_event: Unlock.")?;
ENFORCEMENTS.set_device_locked(user_id, false);
DB.with(|db| {
@@ -187,7 +187,7 @@
Ok(())
}
(LockScreenEvent::LOCK, None) => {
- check_keystore_permission(KeystorePerm::lock())
+ check_keystore_permission(KeystorePerm::Lock)
.context("In on_lock_screen_event: Lock")?;
ENFORCEMENTS.set_device_locked(user_id, true);
DB.with(|db| {
@@ -215,7 +215,7 @@
) -> Result<AuthorizationTokens> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
- check_keystore_permission(KeystorePerm::get_auth_token())
+ check_keystore_permission(KeystorePerm::GetAuthToken)
.context("In get_auth_tokens_for_credstore.")?;
// If the challenge is zero, return error
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index ae2875c..d73cc8b 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -3704,8 +3704,8 @@
alias: Some("key".to_string()),
blob: None,
};
- const PVEC1: KeyPermSet = key_perm_set![KeyPerm::use_(), KeyPerm::get_info()];
- const PVEC2: KeyPermSet = key_perm_set![KeyPerm::use_()];
+ const PVEC1: KeyPermSet = key_perm_set![KeyPerm::Use, KeyPerm::GetInfo];
+ const PVEC2: KeyPermSet = key_perm_set![KeyPerm::Use];
// Reset totally predictable random number generator in case we
// are not the first test running on this thread.
@@ -4181,7 +4181,7 @@
},
1,
2,
- key_perm_set![KeyPerm::use_()],
+ key_perm_set![KeyPerm::Use],
|_k, _av| Ok(()),
)
.unwrap();
@@ -4191,7 +4191,7 @@
let (_key_guard, key_entry) = db
.load_key_entry(&granted_key, KeyType::Client, KeyEntryLoadBits::BOTH, 2, |k, av| {
assert_eq!(Domain::GRANT, k.domain);
- assert!(av.unwrap().includes(KeyPerm::use_()));
+ assert!(av.unwrap().includes(KeyPerm::Use));
Ok(())
})
.unwrap();
@@ -4238,7 +4238,7 @@
},
OWNER_UID,
GRANTEE_UID,
- key_perm_set![KeyPerm::use_()],
+ key_perm_set![KeyPerm::Use],
|_k, _av| Ok(()),
)
.unwrap();
@@ -4257,7 +4257,7 @@
|k, av| {
assert_eq!(Domain::APP, k.domain);
assert_eq!(OWNER_UID as i64, k.nspace);
- assert!(av.unwrap().includes(KeyPerm::use_()));
+ assert!(av.unwrap().includes(KeyPerm::Use));
Ok(())
},
)
@@ -5675,7 +5675,7 @@
},
OWNER as u32,
123,
- key_perm_set![KeyPerm::use_()],
+ key_perm_set![KeyPerm::Use],
|_, _| Ok(()),
)?;
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 7ce9042..3f6cf36 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -69,7 +69,7 @@
fn on_user_password_changed(user_id: i32, password: Option<Password>) -> Result<()> {
//Check permission. Function should return if this failed. Therefore having '?' at the end
//is very important.
- check_keystore_permission(KeystorePerm::change_password())
+ check_keystore_permission(KeystorePerm::ChangePassword)
.context("In on_user_password_changed.")?;
if let Some(pw) = password.as_ref() {
@@ -106,7 +106,7 @@
fn add_or_remove_user(&self, user_id: i32) -> Result<()> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
- check_keystore_permission(KeystorePerm::change_user()).context("In add_or_remove_user.")?;
+ check_keystore_permission(KeystorePerm::ChangeUser).context("In add_or_remove_user.")?;
DB.with(|db| {
UserState::reset_user(
&mut db.borrow_mut(),
@@ -124,7 +124,7 @@
fn clear_namespace(&self, domain: Domain, nspace: i64) -> Result<()> {
// Permission check. Must return on error. Do not touch the '?'.
- check_keystore_permission(KeystorePerm::clear_uid()).context("In clear_namespace.")?;
+ check_keystore_permission(KeystorePerm::ClearUID).context("In clear_namespace.")?;
LEGACY_MIGRATOR
.bulk_delete_uid(domain, nspace)
@@ -139,7 +139,7 @@
fn get_state(user_id: i32) -> Result<AidlUserState> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
- check_keystore_permission(KeystorePerm::get_state()).context("In get_state.")?;
+ check_keystore_permission(KeystorePerm::GetState).context("In get_state.")?;
let state = DB
.with(|db| {
UserState::get(&mut db.borrow_mut(), &LEGACY_MIGRATOR, &SUPER_KEY, user_id as u32)
@@ -195,7 +195,7 @@
}
fn early_boot_ended() -> Result<()> {
- check_keystore_permission(KeystorePerm::early_boot_ended())
+ check_keystore_permission(KeystorePerm::EarlyBootEnded)
.context("In early_boot_ended. Checking permission")?;
log::info!("In early_boot_ended.");
@@ -207,8 +207,7 @@
fn on_device_off_body() -> Result<()> {
// Security critical permission check. This statement must return on fail.
- check_keystore_permission(KeystorePerm::report_off_body())
- .context("In on_device_off_body.")?;
+ check_keystore_permission(KeystorePerm::ReportOffBody).context("In on_device_off_body.")?;
DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()));
Ok(())
@@ -228,9 +227,9 @@
KeyEntryLoadBits::NONE,
caller_uid,
|k, av| {
- check_key_permission(KeyPerm::use_(), k, &av)?;
- check_key_permission(KeyPerm::delete(), k, &av)?;
- check_key_permission(KeyPerm::grant(), k, &av)
+ check_key_permission(KeyPerm::Use, k, &av)?;
+ check_key_permission(KeyPerm::Delete, k, &av)?;
+ check_key_permission(KeyPerm::Grant, k, &av)
},
)
})
@@ -246,14 +245,14 @@
};
db.borrow_mut().migrate_key_namespace(key_id_guard, destination, caller_uid, |k| {
- check_key_permission(KeyPerm::rebind(), k, &None)
+ check_key_permission(KeyPerm::Rebind, k, &None)
})
})
}
fn delete_all_keys() -> Result<()> {
// Security critical permission check. This statement must return on fail.
- check_keystore_permission(KeystorePerm::delete_all_keys())
+ check_keystore_permission(KeystorePerm::DeleteAllKeys)
.context("In delete_all_keys. Checking permission")?;
log::info!("In delete_all_keys.");
diff --git a/keystore2/src/metrics.rs b/keystore2/src/metrics.rs
index 42295b7..3d8d6d3 100644
--- a/keystore2/src/metrics.rs
+++ b/keystore2/src/metrics.rs
@@ -41,7 +41,7 @@
fn pull_metrics(&self, atom_id: AtomID) -> Result<Vec<KeystoreAtom>> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
- check_keystore_permission(KeystorePerm::pull_metrics()).context("In pull_metrics.")?;
+ check_keystore_permission(KeystorePerm::PullMetrics).context("In pull_metrics.")?;
METRICS_STORE.get_atoms(atom_id)
}
}
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 4392acf..f280341 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -18,23 +18,18 @@
//! It also provides KeystorePerm and KeyPerm as convenience wrappers for the SELinux permission
//! defined by keystore2 and keystore2_key respectively.
+use crate::error::Error as KsError;
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
};
-
+use anyhow::Context as AnyhowContext;
+use keystore2_selinux as selinux;
+use lazy_static::lazy_static;
+use selinux::{implement_class, Backend, ClassPermission};
use std::cmp::PartialEq;
use std::convert::From;
use std::ffi::CStr;
-use crate::error::Error as KsError;
-use keystore2_selinux as selinux;
-
-use anyhow::Context as AnyhowContext;
-
-use selinux::Backend;
-
-use lazy_static::lazy_static;
-
// Replace getcon with a mock in the test situation
#[cfg(not(test))]
use selinux::getcon;
@@ -52,273 +47,104 @@
KEYSTORE2_KEY_LABEL_BACKEND.lookup(&namespace.to_string())
}
-/// ## Background
-///
-/// AIDL enums are represented as constants of the form:
-/// ```
-/// mod EnumName {
-/// pub type EnumName = i32;
-/// pub const Variant1: EnumName = <value1>;
-/// pub const Variant2: EnumName = <value2>;
-/// ...
-/// }
-///```
-/// This macro wraps the enum in a new type, e.g., `MyPerm` and maps each variant to an SELinux
-/// permission while providing the following interface:
-/// * From<EnumName> and Into<EnumName> are implemented. Where the implementation of From maps
-/// any variant not specified to the default.
-/// * Every variant has a constructor with a name corresponding to its lower case SELinux string
-/// representation.
-/// * `MyPerm.to_selinux(&self)` returns the SELinux string representation of the
-/// represented permission.
-///
-/// ## Special behavior
-/// If the keyword `use` appears as an selinux name `use_` is used as identifier for the
-/// constructor function (e.g. `MePerm::use_()`) but the string returned by `to_selinux` will
-/// still be `"use"`.
-///
-/// ## Example
-/// ```
-///
-/// implement_permission!(
-/// /// MyPerm documentation.
-/// #[derive(Clone, Copy, Debug, PartialEq)]
-/// MyPerm from EnumName with default (None, none) {}
-/// Variant1, selinux name: variant1;
-/// Variant2, selinux name: variant1;
-/// }
-/// );
-/// ```
-macro_rules! implement_permission_aidl {
- // This rule provides the public interface of the macro. And starts the preprocessing
- // recursion (see below).
- ($(#[$m:meta])* $name:ident from $aidl_name:ident with default ($($def:tt)*)
- { $($element:tt)* })
- => {
- implement_permission_aidl!(@replace_use $($m)*, $name, $aidl_name, ($($def)*), [],
- $($element)*);
- };
-
- // The following three rules recurse through the elements of the form
- // `<enum variant>, selinux name: <selinux_name>;`
- // preprocessing the input.
-
- // The first rule terminates the recursion and passes the processed arguments to the final
- // rule that spills out the implementation.
- (@replace_use $($m:meta)*, $name:ident, $aidl_name:ident, ($($def:tt)*), [$($out:tt)*], ) => {
- implement_permission_aidl!(@end $($m)*, $name, $aidl_name, ($($def)*) { $($out)* } );
- };
-
- // The second rule is triggered if the selinux name of an element is literally `use`.
- // It produces the tuple `<enum variant>, use_, use;`
- // and appends it to the out list.
- (@replace_use $($m:meta)*, $name:ident, $aidl_name:ident, ($($def:tt)*), [$($out:tt)*],
- $e_name:ident, selinux name: use; $($element:tt)*)
- => {
- implement_permission_aidl!(@replace_use $($m)*, $name, $aidl_name, ($($def)*),
- [$($out)* $e_name, use_, use;], $($element)*);
- };
-
- // The third rule is the default rule which replaces every input tuple with
- // `<enum variant>, <selinux_name>, <selinux_name>;`
- // and appends the result to the out list.
- (@replace_use $($m:meta)*, $name:ident, $aidl_name:ident, ($($def:tt)*), [$($out:tt)*],
- $e_name:ident, selinux name: $e_str:ident; $($element:tt)*)
- => {
- implement_permission_aidl!(@replace_use $($m)*, $name, $aidl_name, ($($def)*),
- [$($out)* $e_name, $e_str, $e_str;], $($element)*);
- };
-
- (@end $($m:meta)*, $name:ident, $aidl_name:ident,
- ($def_name:ident, $def_selinux_name:ident) {
- $($element_name:ident, $element_identifier:ident,
- $selinux_name:ident;)*
- })
- =>
- {
- $(#[$m])*
- pub struct $name(pub $aidl_name);
-
- impl From<$aidl_name> for $name {
- fn from (p: $aidl_name) -> Self {
- match p {
- $aidl_name::$def_name => Self($aidl_name::$def_name),
- $($aidl_name::$element_name => Self($aidl_name::$element_name),)*
- _ => Self($aidl_name::$def_name),
- }
- }
- }
-
- impl From<$name> for $aidl_name {
- fn from(p: $name) -> $aidl_name {
- p.0
- }
- }
-
- impl $name {
- /// Returns a string representation of the permission as required by
- /// `selinux::check_access`.
- pub fn to_selinux(self) -> &'static str {
- match self {
- Self($aidl_name::$def_name) => stringify!($def_selinux_name),
- $(Self($aidl_name::$element_name) => stringify!($selinux_name),)*
- _ => stringify!($def_selinux_name),
- }
- }
-
- /// Creates an instance representing a permission with the same name.
- pub const fn $def_selinux_name() -> Self { Self($aidl_name::$def_name) }
- $(
- /// Creates an instance representing a permission with the same name.
- pub const fn $element_identifier() -> Self { Self($aidl_name::$element_name) }
- )*
- }
- };
-}
-
-implement_permission_aidl!(
+implement_class!(
/// KeyPerm provides a convenient abstraction from the SELinux class `keystore2_key`.
/// At the same time it maps `KeyPermissions` from the Keystore 2.0 AIDL Grant interface to
- /// the SELinux permissions. With the implement_permission macro, we conveniently
- /// provide mappings between the wire type bit field values, the rust enum and the SELinux
- /// string representation.
- ///
- /// ## Example
- ///
- /// In this access check `KeyPerm::get_info().to_selinux()` would return the SELinux representation
- /// "info".
- /// ```
- /// selinux::check_access(source_context, target_context, "keystore2_key",
- /// KeyPerm::get_info().to_selinux());
- /// ```
- #[derive(Clone, Copy, Debug, Eq, PartialEq)]
- KeyPerm from KeyPermission with default (NONE, none) {
- CONVERT_STORAGE_KEY_TO_EPHEMERAL, selinux name: convert_storage_key_to_ephemeral;
- DELETE, selinux name: delete;
- GEN_UNIQUE_ID, selinux name: gen_unique_id;
- GET_INFO, selinux name: get_info;
- GRANT, selinux name: grant;
- MANAGE_BLOB, selinux name: manage_blob;
- REBIND, selinux name: rebind;
- REQ_FORCED_OP, selinux name: req_forced_op;
- UPDATE, selinux name: update;
- USE, selinux name: use;
- USE_DEV_ID, selinux name: use_dev_id;
+ /// the SELinux permissions.
+ #[repr(i32)]
+ #[selinux(class_name = keystore2_key)]
+ #[derive(Clone, Copy, Debug, PartialEq)]
+ pub enum KeyPerm {
+ /// Checked when convert_storage_key_to_ephemeral is called.
+ #[selinux(name = convert_storage_key_to_ephemeral)]
+ ConvertStorageKeyToEphemeral = KeyPermission::CONVERT_STORAGE_KEY_TO_EPHEMERAL.0,
+ /// Checked when the caller tries do delete a key.
+ #[selinux(name = delete)]
+ Delete = KeyPermission::DELETE.0,
+ /// Checked when the caller tries to use a unique id.
+ #[selinux(name = gen_unique_id)]
+ GenUniqueId = KeyPermission::GEN_UNIQUE_ID.0,
+ /// Checked when the caller tries to load a key.
+ #[selinux(name = get_info)]
+ GetInfo = KeyPermission::GET_INFO.0,
+ /// Checked when the caller attempts to grant a key to another uid.
+ /// Also used for gating key migration attempts.
+ #[selinux(name = grant)]
+ Grant = KeyPermission::GRANT.0,
+ /// Checked when the caller attempts to use Domain::BLOB.
+ #[selinux(name = manage_blob)]
+ ManageBlob = KeyPermission::MANAGE_BLOB.0,
+ /// Checked when the caller tries to create a key which implies rebinding
+ /// an alias to the new key.
+ #[selinux(name = rebind)]
+ Rebind = KeyPermission::REBIND.0,
+ /// Checked when the caller attempts to create a forced operation.
+ #[selinux(name = req_forced_op)]
+ ReqForcedOp = KeyPermission::REQ_FORCED_OP.0,
+ /// Checked when the caller attempts to update public key artifacts.
+ #[selinux(name = update)]
+ Update = KeyPermission::UPDATE.0,
+ /// Checked when the caller attempts to use a private or public key.
+ #[selinux(name = use)]
+ Use = KeyPermission::USE.0,
+ /// Checked when the caller attempts to use device ids for attestation.
+ #[selinux(name = use_dev_id)]
+ UseDevId = KeyPermission::USE_DEV_ID.0,
}
);
-/// This macro implements an enum with values mapped to SELinux permission names.
-/// The below example wraps the enum MyPermission in the tuple struct `MyPerm` and implements
-/// * From<i32> and Into<i32> are implemented. Where the implementation of From maps
-/// any variant not specified to the default.
-/// * Every variant has a constructor with a name corresponding to its lower case SELinux string
-/// representation.
-/// * `MyPerm.to_selinux(&self)` returns the SELinux string representation of the
-/// represented permission.
-///
-/// ## Example
-/// ```
-/// implement_permission!(
-/// /// MyPerm documentation.
-/// #[derive(Clone, Copy, Debug, Eq, PartialEq)]
-/// MyPerm with default (None = 0, none) {
-/// Foo = 1, selinux name: foo;
-/// Bar = 2, selinux name: bar;
-/// }
-/// );
-/// ```
-macro_rules! implement_permission {
- // This rule provides the public interface of the macro. And starts the preprocessing
- // recursion (see below).
- ($(#[$m:meta])* $name:ident with default
- ($def_name:ident = $def_val:expr, $def_selinux_name:ident)
- {
- $($(#[$element_meta:meta])*
- $element_name:ident = $element_val:expr, selinux name: $selinux_name:ident;)*
- })
- => {
- $(#[$m])*
- pub enum $name {
- /// The default variant of an enum.
- $def_name = $def_val,
- $(
- $(#[$element_meta])*
- $element_name = $element_val,
- )*
- }
-
- impl From<i32> for $name {
- fn from (p: i32) -> Self {
- match p {
- $def_val => Self::$def_name,
- $($element_val => Self::$element_name,)*
- _ => Self::$def_name,
- }
- }
- }
-
- impl From<$name> for i32 {
- fn from(p: $name) -> i32 {
- p as i32
- }
- }
-
- impl $name {
- /// Returns a string representation of the permission as required by
- /// `selinux::check_access`.
- pub fn to_selinux(self) -> &'static str {
- match self {
- Self::$def_name => stringify!($def_selinux_name),
- $(Self::$element_name => stringify!($selinux_name),)*
- }
- }
-
- /// Creates an instance representing a permission with the same name.
- pub const fn $def_selinux_name() -> Self { Self::$def_name }
- $(
- /// Creates an instance representing a permission with the same name.
- pub const fn $selinux_name() -> Self { Self::$element_name }
- )*
- }
- };
-}
-
-implement_permission!(
+implement_class!(
/// KeystorePerm provides a convenient abstraction from the SELinux class `keystore2`.
/// Using the implement_permission macro we get the same features as `KeyPerm`.
+ #[selinux(class_name = keystore2)]
#[derive(Clone, Copy, Debug, PartialEq)]
- KeystorePerm with default (None = 0, none) {
+ pub enum KeystorePerm {
/// Checked when a new auth token is installed.
- AddAuth = 1, selinux name: add_auth;
+ #[selinux(name = add_auth)]
+ AddAuth,
/// Checked when an app is uninstalled or wiped.
- ClearNs = 2, selinux name: clear_ns;
+ #[selinux(name = clear_ns)]
+ ClearNs,
/// Checked when the user state is queried from Keystore 2.0.
- GetState = 4, selinux name: get_state;
+ #[selinux(name = get_state)]
+ GetState,
/// Checked when Keystore 2.0 is asked to list a namespace that the caller
/// does not have the get_info permission for.
- List = 8, selinux name: list;
+ #[selinux(name = list)]
+ List,
/// Checked when Keystore 2.0 gets locked.
- Lock = 0x10, selinux name: lock;
+ #[selinux(name = lock)]
+ Lock,
/// Checked when Keystore 2.0 shall be reset.
- Reset = 0x20, selinux name: reset;
+ #[selinux(name = reset)]
+ Reset,
/// Checked when Keystore 2.0 shall be unlocked.
- Unlock = 0x40, selinux name: unlock;
+ #[selinux(name = unlock)]
+ Unlock,
/// Checked when user is added or removed.
- ChangeUser = 0x80, selinux name: change_user;
+ #[selinux(name = change_user)]
+ ChangeUser,
/// Checked when password of the user is changed.
- ChangePassword = 0x100, selinux name: change_password;
+ #[selinux(name = change_password)]
+ ChangePassword,
/// Checked when a UID is cleared.
- ClearUID = 0x200, selinux name: clear_uid;
+ #[selinux(name = clear_uid)]
+ ClearUID,
/// Checked when Credstore calls IKeystoreAuthorization to obtain auth tokens.
- GetAuthToken = 0x400, selinux name: get_auth_token;
+ #[selinux(name = get_auth_token)]
+ GetAuthToken,
/// Checked when earlyBootEnded() is called.
- EarlyBootEnded = 0x800, selinux name: early_boot_ended;
+ #[selinux(name = early_boot_ended)]
+ EarlyBootEnded,
/// Checked when IKeystoreMaintenance::onDeviceOffBody is called.
- ReportOffBody = 0x1000, selinux name: report_off_body;
- /// Checked when IkeystoreMetrics::pullMetris is called.
- PullMetrics = 0x2000, selinux name: pull_metrics;
+ #[selinux(name = report_off_body)]
+ ReportOffBody,
+ /// Checked when IkeystoreMetrics::pullMetrics is called.
+ #[selinux(name = pull_metrics)]
+ PullMetrics,
/// Checked when IKeystoreMaintenance::deleteAllKeys is called.
- DeleteAllKeys = 0x4000, selinux name: delete_all_keys;
+ #[selinux(name = delete_all_keys)]
+ DeleteAllKeys,
}
);
@@ -332,17 +158,17 @@
///
/// ## Example
/// ```
-/// let perms1 = key_perm_set![KeyPerm::use_(), KeyPerm::manage_blob(), KeyPerm::grant()];
-/// let perms2 = key_perm_set![KeyPerm::use_(), KeyPerm::manage_blob()];
+/// let perms1 = key_perm_set![KeyPerm::Use, KeyPerm::ManageBlob, KeyPerm::Grant];
+/// let perms2 = key_perm_set![KeyPerm::Use, KeyPerm::ManageBlob];
///
/// assert!(perms1.includes(perms2))
/// assert!(!perms2.includes(perms1))
///
/// let i = perms1.into_iter();
/// // iteration in ascending order of the permission's numeric representation.
-/// assert_eq(Some(KeyPerm::manage_blob()), i.next());
-/// assert_eq(Some(KeyPerm::grant()), i.next());
-/// assert_eq(Some(KeyPerm::use_()), i.next());
+/// assert_eq(Some(KeyPerm::ManageBlob), i.next());
+/// assert_eq(Some(KeyPerm::Grant), i.next());
+/// assert_eq(Some(KeyPerm::Use), i.next());
/// assert_eq(None, i.next());
/// ```
#[derive(Copy, Clone, Debug, Eq, PartialEq, Ord, PartialOrd)]
@@ -373,7 +199,7 @@
let p = self.vec.0 & (1 << self.pos);
self.pos += 1;
if p != 0 {
- return Some(KeyPerm::from(KeyPermission(p)));
+ return Some(KeyPerm::from(p));
}
}
}
@@ -382,7 +208,7 @@
impl From<KeyPerm> for KeyPermSet {
fn from(p: KeyPerm) -> Self {
- Self((p.0).0 as i32)
+ Self(p as i32)
}
}
@@ -417,7 +243,7 @@
macro_rules! key_perm_set {
() => { KeyPermSet(0) };
($head:expr $(, $tail:expr)* $(,)?) => {
- KeyPermSet(($head.0).0 $(| ($tail.0).0)*)
+ KeyPermSet($head as i32 $(| $tail as i32)*)
};
}
@@ -430,14 +256,14 @@
}
}
-/// Uses `selinux::check_access` to check if the given caller context `caller_cxt` may access
+/// Uses `selinux::check_permission` to check if the given caller context `caller_cxt` may access
/// the given permision `perm` of the `keystore2` security class.
pub fn check_keystore_permission(caller_ctx: &CStr, perm: KeystorePerm) -> anyhow::Result<()> {
let target_context = getcon().context("check_keystore_permission: getcon failed.")?;
- selinux::check_access(caller_ctx, &target_context, "keystore2", perm.to_selinux())
+ selinux::check_permission(caller_ctx, &target_context, perm)
}
-/// Uses `selinux::check_access` to check if the given caller context `caller_cxt` has
+/// Uses `selinux::check_permission` to check if the given caller context `caller_cxt` has
/// all the permissions indicated in `access_vec` for the target domain indicated by the key
/// descriptor `key` in the security class `keystore2_key`.
///
@@ -462,27 +288,24 @@
_ => return Err(KsError::sys()).context(format!("Cannot grant {:?}.", key.domain)),
};
- selinux::check_access(caller_ctx, &target_context, "keystore2_key", "grant")
+ selinux::check_permission(caller_ctx, &target_context, KeyPerm::Grant)
.context("Grant permission is required when granting.")?;
- if access_vec.includes(KeyPerm::grant()) {
+ if access_vec.includes(KeyPerm::Grant) {
return Err(selinux::Error::perm()).context("Grant permission cannot be granted.");
}
for p in access_vec.into_iter() {
- selinux::check_access(caller_ctx, &target_context, "keystore2_key", p.to_selinux())
- .context(format!(
- concat!(
- "check_grant_permission: check_access failed. ",
- "The caller may have tried to grant a permission that they don't possess. {:?}"
- ),
- p
- ))?
+ selinux::check_permission(caller_ctx, &target_context, p).context(format!(
+ "check_grant_permission: check_permission failed. \
+ The caller may have tried to grant a permission that they don't possess. {:?}",
+ p
+ ))?
}
Ok(())
}
-/// Uses `selinux::check_access` to check if the given caller context `caller_cxt`
+/// Uses `selinux::check_permission` to check if the given caller context `caller_cxt`
/// has the permissions indicated by `perm` for the target domain indicated by the key
/// descriptor `key` in the security class `keystore2_key`.
///
@@ -492,7 +315,7 @@
/// backend, and the result is used as target context.
/// * `Domain::BLOB` Same as SELinux but the "manage_blob" permission is always checked additionally
/// to the one supplied in `perm`.
-/// * `Domain::GRANT` Does not use selinux::check_access. Instead the `access_vector`
+/// * `Domain::GRANT` Does not use selinux::check_permission. Instead the `access_vector`
/// parameter is queried for permission, which must be supplied in this case.
///
/// ## Return values.
@@ -536,7 +359,7 @@
match access_vector {
Some(_) => {
return Err(selinux::Error::perm())
- .context(format!("\"{}\" not granted", perm.to_selinux()));
+ .context(format!("\"{}\" not granted", perm.name()));
}
None => {
// If DOMAIN_GRANT was selected an access vector must be supplied.
@@ -557,12 +380,7 @@
.context("Domain::BLOB: Failed to lookup namespace.")?;
// If DOMAIN_KEY_BLOB was specified, we check for the "manage_blob"
// permission in addition to the requested permission.
- selinux::check_access(
- caller_ctx,
- &tctx,
- "keystore2_key",
- KeyPerm::manage_blob().to_selinux(),
- )?;
+ selinux::check_permission(caller_ctx, &tctx, KeyPerm::ManageBlob)?;
tctx
}
@@ -572,7 +390,7 @@
}
};
- selinux::check_access(caller_ctx, &target_context, "keystore2_key", perm.to_selinux())
+ selinux::check_permission(caller_ctx, &target_context, perm)
}
#[cfg(test)]
@@ -583,49 +401,49 @@
use keystore2_selinux::*;
const ALL_PERMS: KeyPermSet = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::use_dev_id(),
- KeyPerm::req_forced_op(),
- KeyPerm::gen_unique_id(),
- KeyPerm::grant(),
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
- KeyPerm::convert_storage_key_to_ephemeral(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::UseDevId,
+ KeyPerm::ReqForcedOp,
+ KeyPerm::GenUniqueId,
+ KeyPerm::Grant,
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
+ KeyPerm::ConvertStorageKeyToEphemeral,
];
const SYSTEM_SERVER_PERMISSIONS_NO_GRANT: KeyPermSet = key_perm_set![
- KeyPerm::delete(),
- KeyPerm::use_dev_id(),
- // No KeyPerm::grant()
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::Delete,
+ KeyPerm::UseDevId,
+ // No KeyPerm::Grant
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
const NOT_GRANT_PERMS: KeyPermSet = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::use_dev_id(),
- KeyPerm::req_forced_op(),
- KeyPerm::gen_unique_id(),
- // No KeyPerm::grant()
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
- KeyPerm::convert_storage_key_to_ephemeral(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::UseDevId,
+ KeyPerm::ReqForcedOp,
+ KeyPerm::GenUniqueId,
+ // No KeyPerm::Grant
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
+ KeyPerm::ConvertStorageKeyToEphemeral,
];
const UNPRIV_PERMS: KeyPermSet = key_perm_set![
- KeyPerm::delete(),
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::Delete,
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
/// The su_key namespace as defined in su.te and keystore_key_contexts of the
@@ -672,28 +490,26 @@
#[test]
fn check_keystore_permission_test() -> Result<()> {
let system_server_ctx = Context::new("u:r:system_server:s0")?;
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::change_user()).is_ok());
- assert!(
- check_keystore_permission(&system_server_ctx, KeystorePerm::change_password()).is_ok()
- );
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_uid()).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::AddAuth).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ClearNs).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::GetState).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Lock).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Reset).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Unlock).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ChangeUser).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ChangePassword).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ClearUID).is_ok());
let shell_ctx = Context::new("u:r:shell:s0")?;
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::add_auth()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_ns()));
- assert!(check_keystore_permission(&shell_ctx, KeystorePerm::get_state()).is_ok());
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::list()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::lock()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::reset()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::unlock()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::change_user()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::change_password()));
- assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_uid()));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::AddAuth));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ClearNs));
+ assert!(check_keystore_permission(&shell_ctx, KeystorePerm::GetState).is_ok());
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::List));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Lock));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Reset));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Unlock));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ChangeUser));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ChangePassword));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ClearUID));
Ok(())
}
@@ -708,7 +524,7 @@
// attempts to grant the grant permission must always fail even when privileged.
assert_perm_failed!(check_grant_permission(
&system_server_ctx,
- KeyPerm::grant().into(),
+ KeyPerm::Grant.into(),
&key
));
// unprivileged grant attempts always fail. shell does not have the grant permission.
@@ -728,7 +544,7 @@
if is_su {
assert!(check_grant_permission(&sctx, NOT_GRANT_PERMS, &key).is_ok());
// attempts to grant the grant permission must always fail even when privileged.
- assert_perm_failed!(check_grant_permission(&sctx, KeyPerm::grant().into(), &key));
+ assert_perm_failed!(check_grant_permission(&sctx, KeyPerm::Grant.into(), &key));
} else {
// unprivileged grant attempts always fail. shell does not have the grant permission.
assert_perm_failed!(check_grant_permission(&sctx, UNPRIV_PERMS, &key));
@@ -743,7 +559,7 @@
assert_perm_failed!(check_key_permission(
0,
&selinux::Context::new("ignored").unwrap(),
- KeyPerm::grant(),
+ KeyPerm::Grant,
&key,
&Some(UNPRIV_PERMS)
));
@@ -751,7 +567,7 @@
check_key_permission(
0,
&selinux::Context::new("ignored").unwrap(),
- KeyPerm::use_(),
+ KeyPerm::Use,
&key,
&Some(ALL_PERMS),
)
@@ -765,61 +581,31 @@
let key = KeyDescriptor { domain: Domain::APP, nspace: 0, alias: None, blob: None };
- assert!(check_key_permission(0, &system_server_ctx, KeyPerm::use_(), &key, &None).is_ok());
- assert!(check_key_permission(0, &system_server_ctx, KeyPerm::delete(), &key, &None).is_ok());
- assert!(
- check_key_permission(0, &system_server_ctx, KeyPerm::get_info(), &key, &None).is_ok()
- );
- assert!(check_key_permission(0, &system_server_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(0, &system_server_ctx, KeyPerm::update(), &key, &None).is_ok());
- assert!(check_key_permission(0, &system_server_ctx, KeyPerm::grant(), &key, &None).is_ok());
- assert!(
- check_key_permission(0, &system_server_ctx, KeyPerm::use_dev_id(), &key, &None).is_ok()
- );
- assert!(
- check_key_permission(0, &gmscore_app, KeyPerm::gen_unique_id(), &key, &None).is_ok()
- );
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::Use, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::Delete, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::GetInfo, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::Rebind, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::Update, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::Grant, &key, &None).is_ok());
+ assert!(check_key_permission(0, &system_server_ctx, KeyPerm::UseDevId, &key, &None).is_ok());
+ assert!(check_key_permission(0, &gmscore_app, KeyPerm::GenUniqueId, &key, &None).is_ok());
- assert!(check_key_permission(0, &shell_ctx, KeyPerm::use_(), &key, &None).is_ok());
- assert!(check_key_permission(0, &shell_ctx, KeyPerm::delete(), &key, &None).is_ok());
- assert!(check_key_permission(0, &shell_ctx, KeyPerm::get_info(), &key, &None).is_ok());
- assert!(check_key_permission(0, &shell_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(0, &shell_ctx, KeyPerm::update(), &key, &None).is_ok());
- assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::grant(), &key, &None));
- assert_perm_failed!(check_key_permission(
- 0,
- &shell_ctx,
- KeyPerm::req_forced_op(),
- &key,
- &None
- ));
- assert_perm_failed!(check_key_permission(
- 0,
- &shell_ctx,
- KeyPerm::manage_blob(),
- &key,
- &None
- ));
- assert_perm_failed!(check_key_permission(
- 0,
- &shell_ctx,
- KeyPerm::use_dev_id(),
- &key,
- &None
- ));
- assert_perm_failed!(check_key_permission(
- 0,
- &shell_ctx,
- KeyPerm::gen_unique_id(),
- &key,
- &None
- ));
+ assert!(check_key_permission(0, &shell_ctx, KeyPerm::Use, &key, &None).is_ok());
+ assert!(check_key_permission(0, &shell_ctx, KeyPerm::Delete, &key, &None).is_ok());
+ assert!(check_key_permission(0, &shell_ctx, KeyPerm::GetInfo, &key, &None).is_ok());
+ assert!(check_key_permission(0, &shell_ctx, KeyPerm::Rebind, &key, &None).is_ok());
+ assert!(check_key_permission(0, &shell_ctx, KeyPerm::Update, &key, &None).is_ok());
+ assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::Grant, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::ReqForcedOp, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::ManageBlob, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::UseDevId, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::GenUniqueId, &key, &None));
// Also make sure that the permission fails if the caller is not the owner.
assert_perm_failed!(check_key_permission(
1, // the owner is 0
&system_server_ctx,
- KeyPerm::use_(),
+ KeyPerm::Use,
&key,
&None
));
@@ -827,18 +613,18 @@
assert!(check_key_permission(
1,
&system_server_ctx,
- KeyPerm::use_(),
+ KeyPerm::Use,
&key,
- &Some(key_perm_set![KeyPerm::use_()])
+ &Some(key_perm_set![KeyPerm::Use])
)
.is_ok());
// But fail if the grant did not cover the requested permission.
assert_perm_failed!(check_key_permission(
1,
&system_server_ctx,
- KeyPerm::use_(),
+ KeyPerm::Use,
&key,
- &Some(key_perm_set![KeyPerm::get_info()])
+ &Some(key_perm_set![KeyPerm::GetInfo])
));
Ok(())
@@ -854,42 +640,24 @@
blob: None,
};
- assert!(check_key_permission(0, &sctx, KeyPerm::use_(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::delete(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::get_info(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::update(), &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::Use, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::Delete, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::GetInfo, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::Rebind, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::Update, &key, &None).is_ok());
if is_su {
- assert!(check_key_permission(0, &sctx, KeyPerm::grant(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::manage_blob(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::use_dev_id(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::gen_unique_id(), &key, &None).is_ok());
- assert!(check_key_permission(0, &sctx, KeyPerm::req_forced_op(), &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::Grant, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::ManageBlob, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::UseDevId, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::GenUniqueId, &key, &None).is_ok());
+ assert!(check_key_permission(0, &sctx, KeyPerm::ReqForcedOp, &key, &None).is_ok());
} else {
- assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::grant(), &key, &None));
- assert_perm_failed!(check_key_permission(
- 0,
- &sctx,
- KeyPerm::req_forced_op(),
- &key,
- &None
- ));
- assert_perm_failed!(check_key_permission(
- 0,
- &sctx,
- KeyPerm::manage_blob(),
- &key,
- &None
- ));
- assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::use_dev_id(), &key, &None));
- assert_perm_failed!(check_key_permission(
- 0,
- &sctx,
- KeyPerm::gen_unique_id(),
- &key,
- &None
- ));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::Grant, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::ReqForcedOp, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::ManageBlob, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::UseDevId, &key, &None));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::GenUniqueId, &key, &None));
}
Ok(())
}
@@ -905,9 +673,9 @@
};
if is_su {
- check_key_permission(0, &sctx, KeyPerm::use_(), &key, &None)
+ check_key_permission(0, &sctx, KeyPerm::Use, &key, &None)
} else {
- assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::use_(), &key, &None));
+ assert_perm_failed!(check_key_permission(0, &sctx, KeyPerm::Use, &key, &None));
Ok(())
}
}
@@ -921,7 +689,7 @@
check_key_permission(
0,
&selinux::Context::new("ignored").unwrap(),
- KeyPerm::use_(),
+ KeyPerm::Use,
&key,
&None
)
@@ -936,45 +704,45 @@
#[test]
fn key_perm_set_all_test() {
let v = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::use_dev_id(),
- KeyPerm::req_forced_op(),
- KeyPerm::gen_unique_id(),
- KeyPerm::grant(),
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_() // Test if the macro accepts missing comma at the end of the list.
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::UseDevId,
+ KeyPerm::ReqForcedOp,
+ KeyPerm::GenUniqueId,
+ KeyPerm::Grant,
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use // Test if the macro accepts missing comma at the end of the list.
];
let mut i = v.into_iter();
- assert_eq!(i.next().unwrap().to_selinux(), "delete");
- assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
- assert_eq!(i.next().unwrap().to_selinux(), "get_info");
- assert_eq!(i.next().unwrap().to_selinux(), "grant");
- assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
- assert_eq!(i.next().unwrap().to_selinux(), "rebind");
- assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
- assert_eq!(i.next().unwrap().to_selinux(), "update");
- assert_eq!(i.next().unwrap().to_selinux(), "use");
- assert_eq!(i.next().unwrap().to_selinux(), "use_dev_id");
+ assert_eq!(i.next().unwrap().name(), "delete");
+ assert_eq!(i.next().unwrap().name(), "gen_unique_id");
+ assert_eq!(i.next().unwrap().name(), "get_info");
+ assert_eq!(i.next().unwrap().name(), "grant");
+ assert_eq!(i.next().unwrap().name(), "manage_blob");
+ assert_eq!(i.next().unwrap().name(), "rebind");
+ assert_eq!(i.next().unwrap().name(), "req_forced_op");
+ assert_eq!(i.next().unwrap().name(), "update");
+ assert_eq!(i.next().unwrap().name(), "use");
+ assert_eq!(i.next().unwrap().name(), "use_dev_id");
assert_eq!(None, i.next());
}
#[test]
fn key_perm_set_sparse_test() {
let v = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::req_forced_op(),
- KeyPerm::gen_unique_id(),
- KeyPerm::update(),
- KeyPerm::use_(), // Test if macro accepts the comma at the end of the list.
+ KeyPerm::ManageBlob,
+ KeyPerm::ReqForcedOp,
+ KeyPerm::GenUniqueId,
+ KeyPerm::Update,
+ KeyPerm::Use, // Test if macro accepts the comma at the end of the list.
];
let mut i = v.into_iter();
- assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
- assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
- assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
- assert_eq!(i.next().unwrap().to_selinux(), "update");
- assert_eq!(i.next().unwrap().to_selinux(), "use");
+ assert_eq!(i.next().unwrap().name(), "gen_unique_id");
+ assert_eq!(i.next().unwrap().name(), "manage_blob");
+ assert_eq!(i.next().unwrap().name(), "req_forced_op");
+ assert_eq!(i.next().unwrap().name(), "update");
+ assert_eq!(i.next().unwrap().name(), "use");
assert_eq!(None, i.next());
}
#[test]
@@ -986,23 +754,23 @@
#[test]
fn key_perm_set_include_subset_test() {
let v1 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::use_dev_id(),
- KeyPerm::req_forced_op(),
- KeyPerm::gen_unique_id(),
- KeyPerm::grant(),
- KeyPerm::get_info(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::UseDevId,
+ KeyPerm::ReqForcedOp,
+ KeyPerm::GenUniqueId,
+ KeyPerm::Grant,
+ KeyPerm::GetInfo,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
let v2 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
assert!(v1.includes(v2));
assert!(!v2.includes(v1));
@@ -1010,18 +778,18 @@
#[test]
fn key_perm_set_include_equal_test() {
let v1 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
let v2 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
assert!(v1.includes(v2));
assert!(v2.includes(v1));
@@ -1029,33 +797,29 @@
#[test]
fn key_perm_set_include_overlap_test() {
let v1 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::grant(), // only in v1
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::Grant, // only in v1
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
let v2 = key_perm_set![
- KeyPerm::manage_blob(),
- KeyPerm::delete(),
- KeyPerm::req_forced_op(), // only in v2
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
+ KeyPerm::ManageBlob,
+ KeyPerm::Delete,
+ KeyPerm::ReqForcedOp, // only in v2
+ KeyPerm::Rebind,
+ KeyPerm::Update,
+ KeyPerm::Use,
];
assert!(!v1.includes(v2));
assert!(!v2.includes(v1));
}
#[test]
fn key_perm_set_include_no_overlap_test() {
- let v1 = key_perm_set![KeyPerm::manage_blob(), KeyPerm::delete(), KeyPerm::grant(),];
- let v2 = key_perm_set![
- KeyPerm::req_forced_op(),
- KeyPerm::rebind(),
- KeyPerm::update(),
- KeyPerm::use_(),
- ];
+ let v1 = key_perm_set![KeyPerm::ManageBlob, KeyPerm::Delete, KeyPerm::Grant,];
+ let v2 =
+ key_perm_set![KeyPerm::ReqForcedOp, KeyPerm::Rebind, KeyPerm::Update, KeyPerm::Use,];
assert!(!v1.includes(v2));
assert!(!v2.includes(v1));
}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 74aba3c..ee725eb 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -216,10 +216,10 @@
let scoping_blob: Vec<u8>;
let (km_blob, key_properties, key_id_guard, blob_metadata) = match key.domain {
Domain::BLOB => {
- check_key_permission(KeyPerm::use_(), key, &None)
+ check_key_permission(KeyPerm::Use, key, &None)
.context("In create_operation: checking use permission for Domain::BLOB.")?;
if forced {
- check_key_permission(KeyPerm::req_forced_op(), key, &None).context(
+ check_key_permission(KeyPerm::ReqForcedOp, key, &None).context(
"In create_operation: checking forced permission for Domain::BLOB.",
)?;
}
@@ -248,9 +248,9 @@
KeyEntryLoadBits::KM,
caller_uid,
|k, av| {
- check_key_permission(KeyPerm::use_(), k, &av)?;
+ check_key_permission(KeyPerm::Use, k, &av)?;
if forced {
- check_key_permission(KeyPerm::req_forced_op(), k, &av)?;
+ check_key_permission(KeyPerm::ReqForcedOp, k, &av)?;
}
Ok(())
},
@@ -415,7 +415,7 @@
}
if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
- check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
+ check_key_permission(KeyPerm::GenUniqueId, key, &None).context(concat!(
"In add_certificate_parameters: ",
"Caller does not have the permission to generate a unique ID"
))?;
@@ -487,7 +487,7 @@
// generate_key requires the rebind permission.
// Must return on error for security reasons.
- check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
+ check_key_permission(KeyPerm::Rebind, &key, &None).context("In generate_key.")?;
let attestation_key_info = match (key.domain, attest_key_descriptor) {
(Domain::BLOB, _) => None,
@@ -601,7 +601,7 @@
};
// import_key requires the rebind permission.
- check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
+ check_key_permission(KeyPerm::Rebind, &key, &None).context("In import_key.")?;
let params = self
.add_certificate_parameters(caller_uid, params, &key)
@@ -685,7 +685,7 @@
};
// Import_wrapped_key requires the rebind permission for the new key.
- check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_wrapped_key.")?;
+ check_key_permission(KeyPerm::Rebind, &key, &None).context("In import_wrapped_key.")?;
let (wrapping_key_id_guard, mut wrapping_key_entry) = DB
.with(|db| {
@@ -695,7 +695,7 @@
KeyType::Client,
KeyEntryLoadBits::KM,
caller_uid,
- |k, av| check_key_permission(KeyPerm::use_(), k, &av),
+ |k, av| check_key_permission(KeyPerm::Use, k, &av),
)
})
})
@@ -876,7 +876,7 @@
)?;
// convert_storage_key_to_ephemeral requires the associated permission
- check_key_permission(KeyPerm::convert_storage_key_to_ephemeral(), storage_key, &None)
+ check_key_permission(KeyPerm::ConvertStorageKeyToEphemeral, storage_key, &None)
.context("In convert_storage_key_to_ephemeral: Check permission")?;
let km_dev = &self.keymint;
@@ -935,7 +935,7 @@
.ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
.context("In IKeystoreSecurityLevel delete_key: No key blob specified")?;
- check_key_permission(KeyPerm::delete(), key, &None)
+ check_key_permission(KeyPerm::Delete, key, &None)
.context("In IKeystoreSecurityLevel delete_key: Checking delete permissions")?;
let km_dev = &self.keymint;
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index b35fe36..70f5c71 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -138,7 +138,7 @@
KeyType::Client,
KeyEntryLoadBits::PUBLIC,
caller_uid,
- |k, av| check_key_permission(KeyPerm::get_info(), k, &av),
+ |k, av| check_key_permission(KeyPerm::GetInfo, k, &av),
)
})
})
@@ -190,7 +190,7 @@
KeyEntryLoadBits::NONE,
caller_uid,
|k, av| {
- check_key_permission(KeyPerm::update(), k, &av)
+ check_key_permission(KeyPerm::Update, k, &av)
.context("In update_subcomponent.")
},
)
@@ -236,7 +236,7 @@
};
// Security critical: This must return on failure. Do not remove the `?`;
- check_key_permission(KeyPerm::rebind(), &key, &None)
+ check_key_permission(KeyPerm::Rebind, &key, &None)
.context("Caller does not have permission to insert this certificate.")?;
db.store_new_certificate(
@@ -269,12 +269,12 @@
// If the first check fails we check if the caller has the list permission allowing to list
// any namespace. In that case we also adjust the queried namespace if a specific uid was
// selected.
- match check_key_permission(KeyPerm::get_info(), &k, &None) {
+ match check_key_permission(KeyPerm::GetInfo, &k, &None) {
Err(e) => {
if let Some(selinux::Error::PermissionDenied) =
e.root_cause().downcast_ref::<selinux::Error>()
{
- check_keystore_permission(KeystorePerm::list())
+ check_keystore_permission(KeystorePerm::List)
.context("In list_entries: While checking keystore permission.")?;
if namespace != -1 {
k.nspace = namespace;
@@ -309,7 +309,7 @@
DB.with(|db| {
LEGACY_MIGRATOR.with_try_migrate(key, caller_uid, || {
db.borrow_mut().unbind_key(key, KeyType::Client, caller_uid, |k, av| {
- check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
+ check_key_permission(KeyPerm::Delete, k, &av).context("During delete_key.")
})
})
})
@@ -341,7 +341,7 @@
fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> Result<()> {
DB.with(|db| {
db.borrow_mut().ungrant(key, ThreadState::get_calling_uid(), grantee_uid as u32, |k| {
- check_key_permission(KeyPerm::grant(), k, &None)
+ check_key_permission(KeyPerm::Grant, k, &None)
})
})
.context("In KeystoreService::ungrant.")