Remove IKeystoreMaintenance#getState()
IKeystoreMaintenance#getState() is no longer called, so remove it along
with the enum value for the GetState permission.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I9ec6cca78cd1eb899ac7adfc99fc5eee41dc7e44
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 9618842..86d38d7 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -16,7 +16,6 @@
import android.system.keystore2.Domain;
import android.system.keystore2.KeyDescriptor;
-import android.security.maintenance.UserState;
/**
* IKeystoreMaintenance interface exposes the methods for adding/removing users and changing the
@@ -77,19 +76,6 @@
void clearNamespace(Domain domain, long nspace);
/**
- * Allows querying user state, given user id.
- * Callers require 'GetState' permission.
- *
- * ## Error conditions:
- * `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'GetState'
- * permission.
- * `ResponseCode::SYSTEM_ERROR` - if an error occurred when querying the user state.
- *
- * @param userId - Android user id
- */
- UserState getState(in int userId);
-
- /**
* This function notifies the Keymint device of the specified securityLevel that
* early boot has ended, so that they no longer allow early boot keys to be used.
* ## Error conditions:
diff --git a/keystore2/aidl/android/security/maintenance/UserState.aidl b/keystore2/aidl/android/security/maintenance/UserState.aidl
deleted file mode 100644
index 376f4fb..0000000
--- a/keystore2/aidl/android/security/maintenance/UserState.aidl
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2021, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package android.security.maintenance;
-
-/** @hide */
-@Backing(type="int")
-enum UserState {
- UNINITIALIZED = 0,
- LSKF_UNLOCKED = 1,
- LSKF_LOCKED = 2,
-}
\ No newline at end of file
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 59f5d70..f25233f 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -29,9 +29,8 @@
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
};
-use android_security_maintenance::aidl::android::security::maintenance::{
- IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
- UserState::UserState as AidlUserState,
+use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::{
+ BnKeystoreMaintenance, IKeystoreMaintenance,
};
use android_security_maintenance::binder::{
BinderFeatures, Interface, Result as BinderResult, Strong, ThreadState,
@@ -135,27 +134,6 @@
.context(ks_err!("While invoking the delete listener."))
}
- fn get_state(user_id: i32) -> Result<AidlUserState> {
- // Check permission. Function should return if this failed. Therefore having '?' at the end
- // is very important.
- check_keystore_permission(KeystorePerm::GetState).context("In get_state.")?;
- let state = DB
- .with(|db| {
- SUPER_KEY.read().unwrap().get_user_state(
- &mut db.borrow_mut(),
- &LEGACY_IMPORTER,
- user_id as u32,
- )
- })
- .context(ks_err!("Trying to get UserState."))?;
-
- match state {
- UserState::Uninitialized => Ok(AidlUserState::UNINITIALIZED),
- UserState::LskfUnlocked(_) => Ok(AidlUserState::LSKF_UNLOCKED),
- UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
- }
- }
-
fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
where
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
@@ -306,11 +284,6 @@
map_or_log_err(self.clear_namespace(domain, nspace), Ok)
}
- fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
- let _wp = wd::watch_millis("IKeystoreMaintenance::getState", 500);
- map_or_log_err(Self::get_state(user_id), Ok)
- }
-
fn earlyBootEnded(&self) -> BinderResult<()> {
log::info!("earlyBootEnded()");
let _wp = wd::watch_millis("IKeystoreMaintenance::earlyBootEnded", 500);
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index d9bdf79..35d6988 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -109,9 +109,6 @@
/// Checked when an app is uninstalled or wiped.
#[selinux(name = clear_ns)]
ClearNs,
- /// Checked when the user state is queried from Keystore 2.0.
- #[selinux(name = get_state)]
- GetState,
/// Checked when Keystore 2.0 is asked to list a namespace that the caller
/// does not have the get_info permission for.
#[selinux(name = list)]
@@ -500,7 +497,6 @@
let system_server_ctx = Context::new("u:r:system_server:s0")?;
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::AddAuth).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::ClearNs).is_ok());
- assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::GetState).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Lock).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Reset).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::Unlock).is_ok());
@@ -510,7 +506,6 @@
let shell_ctx = Context::new("u:r:shell:s0")?;
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::AddAuth));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::ClearNs));
- assert!(check_keystore_permission(&shell_ctx, KeystorePerm::GetState).is_ok());
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::List));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Lock));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::Reset));
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
index 63122fe..faf954a 100644
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@@ -25,9 +25,7 @@
Domain::Domain, KeyDescriptor::KeyDescriptor,
};
-use android_security_maintenance::aidl::android::security::maintenance::{
- IKeystoreMaintenance::IKeystoreMaintenance, UserState::UserState,
-};
+use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
use android_security_authorization::aidl::android::security::authorization::{
IKeystoreAuthorization::IKeystoreAuthorization, LockScreenEvent::LockScreenEvent,
@@ -241,9 +239,6 @@
}
}
- let maint_service = get_maintenance();
- assert_eq!(Ok(UserState(1)), maint_service.getState(99));
-
let mut key_params: Vec<KsKeyparameter> = Vec::new();
for param in key_metadata.authorizations {
let key_param = KsKeyparameter::new(param.keyParameter.into(), param.securityLevel);
@@ -502,9 +497,6 @@
}
}
- let maint_service = get_maintenance();
- assert_eq!(Ok(UserState(1)), maint_service.getState(98));
-
let mut key_params: Vec<KsKeyparameter> = Vec::new();
for param in key_metadata.authorizations {
let key_param = KsKeyparameter::new(param.keyParameter.into(), param.securityLevel);