Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 2ded9cb10d9f38d1dd06afff9ef25941df64e1cc^! / . / diced / src / permission.rs
commit2ded9cb10d9f38d1dd06afff9ef25941df64e1cc[log] [tgz]
authorJanis Danisevskis <jdanis@google.com>Wed Oct 20 08:39:30 2021 -0700
committerJanis Danisevskis <jdanis@google.com>Fri Jan 07 12:05:32 2022 -0800
tree9c3ba61609e26c646d5d9af38261ecc062697a7f
parentc51dff810958608ff0eae4b2a6c552e77515d4c1 [diff] [blame]
Diced: Add selinux permission checks.

Add permission checks to IDiceNode entry points.

Test: N/A
Bug: 198197213
Change-Id: I3118515f42c160e2c52a478ee4adefa81e2fe80c

diff --git a/diced/src/permission.rs b/diced/src/permission.rs
new file mode 100644
index 0000000..116df1b
--- /dev/null
+++ b/diced/src/permission.rs

@@ -0,0 +1,46 @@
+// Copyright 2021, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This crate provides convenience wrappers for the SELinux permission
+//! defined in the diced SELinux access class.
+
+use keystore2_selinux as selinux;
+use selinux::{implement_class, ClassPermission};
+
+implement_class!(
+    /// Permission provides a convenient abstraction from the SELinux class `diced`.
+    #[selinux(class_name = diced)]
+    #[derive(Clone, Copy, Debug, PartialEq)]
+    pub enum Permission {
+        /// Checked when a client attempts to call seal or unseal.
+        #[selinux(name = use_seal)]
+        UseSeal,
+        /// Checked when a client attempts to call IDiceNode::sign.
+        #[selinux(name = use_sign)]
+        UseSign,
+        /// Checked when a client attempts to call IDiceNode::getAttestationChain.
+        #[selinux(name = get_attestation_chain)]
+        GetAttestationChain,
+        /// Checked when a client attempts to call IDiceNode::derive.
+        #[selinux(name = derive)]
+        Derive,
+        /// Checked when a client wants to demote itself by calling IDiceNode::demote.
+        #[selinux(name = demote)]
+        Demote,
+        /// Checked when a client calls IDiceMaintenance::demote in an attempt to
+        /// demote this dice node.
+        #[selinux(name = demote_self)]
+        DemoteSelf,
+    }
+);