Keystore 2.0: Implement onDeviceOffBody.
Add onDeviceOffBody to KeystoreMaintenance interface.
Also rename user_namanger.rs to maintenance.rs.
Bug: 171305684
Test: N/A
Change-Id: I382213533c3891084159cefce8c32b4fe69e91bc
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 1ce3e14..09ffecb 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -17,9 +17,9 @@
use keystore2::authorization::AuthorizationManager;
use keystore2::entropy;
use keystore2::globals::ENFORCEMENTS;
+use keystore2::maintenance::Maintenance;
use keystore2::remote_provisioning::RemoteProvisioningService;
use keystore2::service::KeystoreService;
-use keystore2::user_manager::Maintenance;
use keystore2::{apc::ApcManager, shared_secret_negotiation};
use log::{error, info};
use std::{panic, path::Path, sync::mpsc::channel};
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index 2e8ced6..cb47e3e 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -27,13 +27,13 @@
pub mod key_parameter;
pub mod legacy_blob;
pub mod legacy_migrator;
+pub mod maintenance;
pub mod operation;
pub mod permission;
pub mod remote_provisioning;
pub mod security_level;
pub mod service;
pub mod shared_secret_negotiation;
-pub mod user_manager;
pub mod utils;
mod attestation_key_utils;
diff --git a/keystore2/src/user_manager.rs b/keystore2/src/maintenance.rs
similarity index 89%
rename from keystore2/src/user_manager.rs
rename to keystore2/src/maintenance.rs
index 0cc2e92..1c206fc 100644
--- a/keystore2/src/user_manager.rs
+++ b/keystore2/src/maintenance.rs
@@ -14,12 +14,12 @@
//! This module implements IKeystoreMaintenance AIDL interface.
-use crate::error::map_or_log_err;
use crate::error::Error as KeystoreError;
use crate::globals::{DB, LEGACY_MIGRATOR, SUPER_KEY};
use crate::permission::KeystorePerm;
use crate::super_key::UserState;
use crate::utils::check_keystore_permission;
+use crate::{database::MonotonicRawTime, error::map_or_log_err};
use android_security_maintenance::aidl::android::security::maintenance::{
IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
UserState::UserState as AidlUserState,
@@ -116,6 +116,15 @@
UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
}
}
+
+ fn on_device_off_body() -> Result<()> {
+ // Security critical permission check. This statement must return on fail.
+ check_keystore_permission(KeystorePerm::report_off_body())
+ .context("In on_device_off_body.")?;
+
+ DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()))
+ .context("In on_device_off_body: Trying to update last off body time.")
+ }
}
impl Interface for Maintenance {}
@@ -137,7 +146,11 @@
map_or_log_err(Self::clear_namespace(domain, nspace), Ok)
}
- fn getState(&self, user_id: i32) -> binder::public_api::Result<AidlUserState> {
+ fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
map_or_log_err(Self::get_state(user_id), Ok)
}
+
+ fn onDeviceOffBody(&self) -> BinderResult<()> {
+ map_or_log_err(Self::on_device_off_body(), Ok)
+ }
}
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 7f63834..b1bb999 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -310,6 +310,8 @@
ClearUID = 0x200, selinux name: clear_uid;
/// Checked when Credstore calls IKeystoreAuthorization to obtain auth tokens.
GetAuthToken = 0x400, selinux name: get_auth_token;
+ /// Checked when IKeystoreMaintenance::onDeviceOffBody is called.
+ ReportOffBody = 0x1000, selinux name: report_off_body;
}
);