Merge "keystore2: rename MonotonicRawTime to BootTime" into main
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
index d9bff3b..5588493 100644
--- a/fsverity_init/Android.bp
+++ b/fsverity_init/Android.bp
@@ -22,12 +22,17 @@
         "libkeyutils",
         "liblog",
     ],
-    cflags: ["-Werror", "-Wall", "-Wextra"],
+    cflags: [
+        "-Werror",
+        "-Wall",
+        "-Wextra",
+    ],
 }
 
 aconfig_declarations {
     name: "aconfig_fsverity_init",
     package: "android.security.flag",
+    container: "system",
     srcs: ["flags.aconfig"],
 }
 
diff --git a/fsverity_init/flags.aconfig b/fsverity_init/flags.aconfig
index 20640d7..495c71c 100644
--- a/fsverity_init/flags.aconfig
+++ b/fsverity_init/flags.aconfig
@@ -1,4 +1,5 @@
 package: "android.security.flag"
+container: "system"
 
 flag {
     name: "deprecate_fsverity_init"
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index ad151ad..7cb7c37 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -158,6 +158,7 @@
 aconfig_declarations {
     name: "keystore2_flags",
     package: "android.security.keystore2",
+    container: "system",
     srcs: ["aconfig/flags.aconfig"],
 }
 
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 133c4ab..b67bc6c 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -1,4 +1,5 @@
 package: "android.security.keystore2"
+container: "system"
 
 flag {
   name: "wal_db_journalmode_v3"
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index e612db9..abea958 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -151,7 +151,8 @@
      * (addition of a fingerprint, for example), authentication-bound keys may be invalidated.
      * This method allows the platform to find out which apps would be affected (for a given user)
      * when a given user secure ID is removed.
-     * Callers require 'ChangeUser' permission.
+     * Callers require the `android.permission.MANAGE_USERS` Android permission
+     * (not SELinux policy).
      *
      * @param userId The affected user.
      * @param sid The user secure ID - identifier of the authentication method.
diff --git a/keystore2/selinux/src/concurrency_test.rs b/keystore2/selinux/src/concurrency_test.rs
index a5d2df2..fa97f3a 100644
--- a/keystore2/selinux/src/concurrency_test.rs
+++ b/keystore2/selinux/src/concurrency_test.rs
@@ -69,7 +69,7 @@
     android_logger::init_once(
         android_logger::Config::default()
             .with_tag("keystore2_selinux_concurrency_test")
-            .with_min_level(log::Level::Debug),
+            .with_max_level(log::LevelFilter::Debug),
     );
 
     let cpus = num_cpus::get();
diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs
index 32fdb59..695e029 100644
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@@ -720,7 +720,7 @@
                     android_logger::init_once(
                         android_logger::Config::default()
                             .with_tag("keystore_selinux_tests")
-                            .with_min_level(log::Level::Debug),
+                            .with_max_level(log::LevelFilter::Debug),
                     );
                     let scontext = Context::new("u:r:shell:s0")?;
                     let backend = KeystoreKeyBackend::new()?;
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index b4c57fb..f0d0d27 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -352,7 +352,7 @@
         android_logger::init_once(
             android_logger::Config::default()
                 .with_tag("keystore_error_tests")
-                .with_min_level(log::Level::Debug),
+                .with_max_level(log::LevelFilter::Debug),
         );
         // All Error::Rc(x) get mapped on a service specific error
         // code of x.
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index 059d59d..178b36c 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -40,8 +40,8 @@
     android_logger::init_once(
         android_logger::Config::default()
             .with_tag("keystore2")
-            .with_min_level(log::Level::Debug)
-            .with_log_id(android_logger::LogId::System)
+            .with_max_level(log::LevelFilter::Debug)
+            .with_log_buffer(android_logger::LogId::System)
             .format(|buf, record| {
                 writeln!(
                     buf,
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 4d8b8c1..3e34cff 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -24,7 +24,8 @@
 use crate::permission::{KeyPerm, KeystorePerm};
 use crate::super_key::{SuperKeyManager, UserState};
 use crate::utils::{
-    check_key_permission, check_keystore_permission, uid_to_android_user, watchdog as wd,
+    check_get_app_uids_affected_by_sid_permissions, check_key_permission,
+    check_keystore_permission, uid_to_android_user, watchdog as wd,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
@@ -292,8 +293,9 @@
         secure_user_id: i64,
     ) -> Result<std::vec::Vec<i64>> {
         // This method is intended to be called by Settings and discloses a list of apps
-        // associated with a user, so it requires the ChangeUser permission.
-        check_keystore_permission(KeystorePerm::ChangeUser).context(ks_err!())?;
+        // associated with a user, so it requires the "android.permission.MANAGE_USERS"
+        // permission (to avoid leaking list of apps to unauthorized callers).
+        check_get_app_uids_affected_by_sid_permissions().context(ks_err!())?;
         DB.with(|db| db.borrow_mut().get_app_uids_affected_by_sid(user_id, secure_user_id))
             .context(ks_err!("Failed to get app UIDs affected by SID"))
     }
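Review bot: The replaced gate at the `check_get_app_uids_affected_by_sid_permissions()` call drops the SELinux `ChangeUser` check entirely instead of adding the framework permission alongside it, so the only control between a caller and the per-user app list is the permission controller's answer for `android.permission.MANAGE_USERS`. If that is intentional, the inline comment should say so rather than only naming the new permission, e.g. `// Gated on the framework permission only; the SELinux ChangeUser check was deliberately dropped, so any uid granted MANAGE_USERS can call this.` The body of `check_android_permission` is cut off in this diff, so I cannot confirm it resolves the permission for the calling uid/pid taken from the binder thread state rather than for keystore2's own identity; that is worth verifying, since a check against the wrong identity would leave this disclosure path open. The enclosing method's signature and the start of its body lie above this hunk.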
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 174a22b..a3fd882 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -129,6 +129,15 @@
     check_android_permission("android.permission.REQUEST_UNIQUE_ID_ATTESTATION")
 }
 
+/// This function checks whether the calling app has the Android permissions needed to manage
+/// users. Only callers that can manage users are allowed to get a list of apps affected
+/// by a user's SID changing.
+/// It throws an error if the permissions cannot be verified or if the caller doesn't
+/// have the right permissions. Otherwise it returns silently.
+pub fn check_get_app_uids_affected_by_sid_permissions() -> anyhow::Result<()> {
+    check_android_permission("android.permission.MANAGE_USERS")
+}
+
 fn check_android_permission(permission: &str) -> anyhow::Result<()> {
     let permission_controller: Strong<dyn IPermissionController::IPermissionController> =
         binder::get_interface("permission")?;
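Review bot: The doc comment on the new `check_get_app_uids_affected_by_sid_permissions` says it "throws an error", which is not how the function fails — it returns `Err` through `anyhow::Result`; suggest `/// Returns an error if the permission cannot be verified or the caller lacks it; otherwise returns Ok(()).` The name is plural (`_permissions`) while the body checks exactly one permission, and the literal `"android.permission.MANAGE_USERS"` is now duplicated in the comment in maintenance.rs, so a single `const MANAGE_USERS_PERMISSION: &str = "android.permission.MANAGE_USERS";` referenced from both the helper and its docs would keep them from drifting. `check_android_permission`'s body continues past the end of this hunk.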
diff --git a/keystore2/watchdog/src/lib.rs b/keystore2/watchdog/src/lib.rs
index 01043c5..fa4620a 100644
--- a/keystore2/watchdog/src/lib.rs
+++ b/keystore2/watchdog/src/lib.rs
@@ -335,7 +335,7 @@
         android_logger::init_once(
             android_logger::Config::default()
                 .with_tag("keystore2_watchdog_tests")
-                .with_min_level(log::Level::Debug),
+                .with_max_level(log::LevelFilter::Debug),
         );
 
         let wd = Watchdog::new(Watchdog::NOISY_REPORT_TIMEOUT.checked_mul(3).unwrap());
diff --git a/ondevice-signing/Android.bp b/ondevice-signing/Android.bp
index f56cfab..6901b17 100644
--- a/ondevice-signing/Android.bp
+++ b/ondevice-signing/Android.bp
@@ -142,6 +142,8 @@
     "libfsverity",
     "liblogwrap",
     "libprotobuf-cpp-lite",
+    "libstatspull",
+    "libstatssocket",
     "libutils",
   ],
 }
diff --git a/prng_seeder/src/main.rs b/prng_seeder/src/main.rs
index f8b0c63..cb7f38d 100644
--- a/prng_seeder/src/main.rs
+++ b/prng_seeder/src/main.rs
@@ -31,7 +31,7 @@
 
 use anyhow::{ensure, Context, Result};
 use clap::Parser;
-use log::{error, info, Level};
+use log::{error, info, LevelFilter};
 use nix::sys::signal;
 use tokio::{io::AsyncWriteExt, net::UnixListener as TokioUnixListener};
 
@@ -48,7 +48,9 @@
 fn configure_logging() -> Result<()> {
     ensure!(
         logger::init(
-            logger::Config::default().with_tag_on_device("prng_seeder").with_min_level(Level::Info)
+            logger::Config::default()
+                .with_tag_on_device("prng_seeder")
+                .with_max_level(LevelFilter::Info)
         ),
         "log configuration failed"
     );