Keystore 2.0: Implement onDeviceOffBody.
Add onDeviceOffBody to KeystoreMaintenance interface.
Also rename user_manager.rs to maintenance.rs.
Bug: 171305684
Test: N/A
Change-Id: I382213533c3891084159cefce8c32b4fe69e91bc
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 50e674d..8bec0f7 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -29,6 +29,7 @@
/**
* Allows LockSettingsService to inform keystore about adding a new user.
* Callers require 'AddUser' permission.
+ *
* ## Error conditions:
* `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'AddUser' permission.
* `ResponseCode::SYSTEM_ERROR` - if failed to delete the keys of an existing user with the same
@@ -41,6 +42,7 @@
/**
* Allows LockSettingsService to inform keystore about removing a user.
* Callers require 'RemoveUser' permission.
+ *
* ## Error conditions:
* `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'RemoveUser' permission.
* `ResponseCode::SYSTEM_ERROR` - if failed to delete the keys of the user being deleted.
@@ -52,8 +54,9 @@
/**
* Allows LockSettingsService to inform keystore about password change of a user.
* Callers require 'ChangePassword' permission.
+ *
* ## Error conditions:
- * `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'ChangePassword'
+ * `ResponseCode::PERMISSION_DENIED` - if the callers does not have the 'ChangePassword'
* permission.
* `ResponseCode::SYSTEM_ERROR` - if failed to delete the super encrypted keys of the user.
* `ResponseCode::Locked' - if the keystore is locked for the given user.
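Review bot: The reworded error line now reads `if the callers does not have the 'ChangePassword'`, which pairs a plural subject with a singular verb, so the edit introduces a grammar error where the old line had none. Either keep the original `do not` or change the subject: `if the caller does not have the 'ChangePassword'`, which is also the form used in the new onDeviceOffBody doc later in this file. The surrounding doc block for changePassword continues outside the hunk.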
@@ -71,11 +74,12 @@
* @param nspace - The UID of the app that is to be cleared if domain is Domain.APP or
* the SEPolicy namespace if domain is Domain.SELINUX.
*/
- void clearNamespace(Domain domain, long nspace);
+ void clearNamespace(Domain domain, long nspace);
/**
* Allows querying user state, given user id.
* Callers require 'GetState' permission.
+ *
* ## Error conditions:
* `ResponseCode::PERMISSION_DENIED` - if the callers do not have the 'GetState'
* permission.
@@ -84,4 +88,14 @@
* @param userId - Android user id
*/
UserState getState(in int userId);
+
+ /**
+ * Informs Keystore 2.0 that the an off body event was detected.
+ *
+ * ## Error conditions:
+ * `ResponseCode::PERMISSION_DENIED` - if the caller does not have the `ReportOffBody`
+ * permission.
+ * `ResponseCode::SYSTEM_ERROR` - if an unexpected error occurred.
+ */
+ void onDeviceOffBody();
}
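Review bot: The new doc comment on onDeviceOffBody contains a typo, `that the an off body event was detected`. It also does not say what Keystore does with the event, while the Rust implementation in this same commit stores the event time in the database; a summary such as `Informs Keystore 2.0 that an off-body event was detected. Keystore records the time of the event.` would make the contract visible to callers. The other methods in this interface name the expected caller (LockSettingsService); if a particular system service is expected to report off-body events, naming it here would be consistent.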
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 1ce3e14..09ffecb 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -17,9 +17,9 @@
use keystore2::authorization::AuthorizationManager;
use keystore2::entropy;
use keystore2::globals::ENFORCEMENTS;
+use keystore2::maintenance::Maintenance;
use keystore2::remote_provisioning::RemoteProvisioningService;
use keystore2::service::KeystoreService;
-use keystore2::user_manager::Maintenance;
use keystore2::{apc::ApcManager, shared_secret_negotiation};
use log::{error, info};
use std::{panic, path::Path, sync::mpsc::channel};
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index 2e8ced6..cb47e3e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -27,13 +27,13 @@
pub mod key_parameter;
pub mod legacy_blob;
pub mod legacy_migrator;
+pub mod maintenance;
pub mod operation;
pub mod permission;
pub mod remote_provisioning;
pub mod security_level;
pub mod service;
pub mod shared_secret_negotiation;
-pub mod user_manager;
pub mod utils;
mod attestation_key_utils;
diff --git a/keystore2/src/user_manager.rs b/keystore2/src/maintenance.rs
similarity index 89%
rename from keystore2/src/user_manager.rs
rename to keystore2/src/maintenance.rs
index 0cc2e92..1c206fc 100644
--- a/keystore2/src/user_manager.rs
+++ b/keystore2/src/maintenance.rs
@@ -14,12 +14,12 @@
//! This module implements IKeystoreMaintenance AIDL interface.
-use crate::error::map_or_log_err;
use crate::error::Error as KeystoreError;
use crate::globals::{DB, LEGACY_MIGRATOR, SUPER_KEY};
use crate::permission::KeystorePerm;
use crate::super_key::UserState;
use crate::utils::check_keystore_permission;
+use crate::{database::MonotonicRawTime, error::map_or_log_err};
use android_security_maintenance::aidl::android::security::maintenance::{
IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
UserState::UserState as AidlUserState,
@@ -116,6 +116,15 @@
UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
}
}
+
+ fn on_device_off_body() -> Result<()> {
+ // Security critical permission check. This statement must return on fail.
+ check_keystore_permission(KeystorePerm::report_off_body())
+ .context("In on_device_off_body.")?;
+
+ DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()))
+ .context("In on_device_off_body: Trying to update last off body time.")
+ }
}
impl Interface for Maintenance {}
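Review bot: `on_device_off_body` has no `///` doc comment, unlike the AIDL method it backs, and the `impl Maintenance` block it belongs to starts outside the hunk. Suggest `/// Records the current monotonic time as the last off-body event. Requires the ReportOffBody permission; the check runs before any state is touched.` above the `fn`, so the ordering that the inline comment calls security critical is part of the documented contract rather than only an inline remark.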
@@ -137,7 +146,11 @@
map_or_log_err(Self::clear_namespace(domain, nspace), Ok)
}
- fn getState(&self, user_id: i32) -> binder::public_api::Result<AidlUserState> {
+ fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
map_or_log_err(Self::get_state(user_id), Ok)
}
+
+ fn onDeviceOffBody(&self) -> BinderResult<()> {
+ map_or_log_err(Self::on_device_off_body(), Ok)
+ }
}
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 7f63834..b1bb999 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -310,6 +310,8 @@
ClearUID = 0x200, selinux name: clear_uid;
/// Checked when Credstore calls IKeystoreAuthorization to obtain auth tokens.
GetAuthToken = 0x400, selinux name: get_auth_token;
+ /// Checked when IKeystoreMaintenance::onDeviceOffBody is called.
+ ReportOffBody = 0x1000, selinux name: report_off_body;
}
);
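Review bot: The new variant `ReportOffBody = 0x1000` jumps from the preceding `GetAuthToken = 0x400`, leaving 0x800 unassigned in the visible tail of the bitmask; the hunk shows only the end of the enum, so 0x800 may be taken by an entry declared earlier, but that is not visible here. If 0x800 is deliberately reserved, a short comment saying so would stop the next reader from asking the same question; if it is free, `ReportOffBody = 0x800, selinux name: report_off_body;` keeps the bit assignments dense. The enum-defining macro invocation starts outside the hunk.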