Merge "Refactor uids to user ids where appropriate"
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 2ee7324..360619c 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -249,10 +249,6 @@
return uid / AID_USER;
}
-static uid_t get_uid(uid_t userId, uid_t appId) {
- return userId * AID_USER + get_app_id(appId);
-}
-
static bool keystore_selinux_check_access(uid_t /*uid*/, perm_t perm, pid_t spid) {
if (!ks_is_selinux_enabled) {
return true;
@@ -1015,28 +1011,28 @@
return ::NO_ERROR;
}
- State getState(uid_t uid) {
- return getUserState(uid)->getState();
+ State getState(uid_t userId) {
+ return getUserState(userId)->getState();
}
- ResponseCode initializeUser(const android::String8& pw, uid_t uid) {
- UserState* userState = getUserState(uid);
+ ResponseCode initializeUser(const android::String8& pw, uid_t userId) {
+ UserState* userState = getUserState(userId);
return userState->initialize(pw, mEntropy);
}
- ResponseCode copyMasterKey(uid_t src, uid_t uid) {
- UserState *userState = getUserState(uid);
- UserState *initState = getUserState(src);
+ ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser) {
+ UserState *userState = getUserState(dstUser);
+ UserState *initState = getUserState(srcUser);
return userState->copyMasterKey(initState);
}
- ResponseCode writeMasterKey(const android::String8& pw, uid_t uid) {
- UserState* userState = getUserState(uid);
+ ResponseCode writeMasterKey(const android::String8& pw, uid_t userId) {
+ UserState* userState = getUserState(userId);
return userState->writeMasterKey(pw, mEntropy);
}
- ResponseCode readMasterKey(const android::String8& pw, uid_t uid) {
- UserState* userState = getUserState(uid);
+ ResponseCode readMasterKey(const android::String8& pw, uid_t userId) {
+ UserState* userState = getUserState(userId);
return userState->readMasterKey(pw, mEntropy);
}
@@ -1055,7 +1051,7 @@
android::String8 getKeyNameForUidWithDir(const android::String8& keyName, uid_t uid) {
char encoded[encode_key_length(keyName) + 1]; // add 1 for null char
encode_key(encoded, keyName);
- return android::String8::format("%s/%u_%s", getUserState(uid)->getUserDirName(), uid,
+ return android::String8::format("%s/%u_%s", getUserStateByUid(uid)->getUserDirName(), uid,
encoded);
}
@@ -1067,9 +1063,8 @@
void resetUser(uid_t userId, bool keepUnenryptedEntries) {
android::String8 prefix("");
android::Vector<android::String16> aliases;
- uid_t uid = get_uid(userId, AID_SYSTEM);
- UserState* userState = getUserState(uid);
- if (saw(prefix, &aliases, uid) != ::NO_ERROR) {
+ UserState* userState = getUserState(userId);
+ if (saw(prefix, &aliases, userId) != ::NO_ERROR) {
return;
}
for (uint32_t i = 0; i < aliases.size(); i++) {
@@ -1079,7 +1074,7 @@
bool shouldDelete = true;
if (keepUnenryptedEntries) {
Blob blob;
- ResponseCode rc = get(filename, &blob, ::TYPE_ANY, uid);
+ ResponseCode rc = get(filename, &blob, ::TYPE_ANY, userId);
/* get can fail if the blob is encrypted and the state is
* not unlocked, only skip deleting blobs that were loaded and
@@ -1090,7 +1085,7 @@
shouldDelete = !(rc == ::NO_ERROR && !blob.isEncrypted());
}
if (shouldDelete) {
- del(filename, ::TYPE_ANY, uid);
+ del(filename, ::TYPE_ANY, userId);
}
}
if (!userState->deleteMasterKey()) {
@@ -1103,8 +1098,8 @@
}
}
- bool isEmpty(uid_t uid) const {
- const UserState* userState = getUserState(uid);
+ bool isEmpty(uid_t userId) const {
+ const UserState* userState = getUserState(userId);
if (userState == NULL) {
return true;
}
@@ -1134,14 +1129,14 @@
return result;
}
- void lock(uid_t uid) {
- UserState* userState = getUserState(uid);
+ void lock(uid_t userId) {
+ UserState* userState = getUserState(userId);
userState->zeroizeMasterKeysInMemory();
userState->setState(STATE_LOCKED);
}
- ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t uid) {
- UserState* userState = getUserState(uid);
+ ResponseCode get(const char* filename, Blob* keyBlob, const BlobType type, uid_t userId) {
+ UserState* userState = getUserState(userId);
ResponseCode rc = keyBlob->readBlob(filename, userState->getDecryptionKey(),
userState->getState());
if (rc != NO_ERROR) {
@@ -1154,8 +1149,8 @@
* it must be read it again since the blob is encrypted each time
* it's written.
*/
- if (upgradeBlob(filename, keyBlob, version, type, uid)) {
- if ((rc = this->put(filename, keyBlob, uid)) != NO_ERROR
+ if (upgradeBlob(filename, keyBlob, version, type, userId)) {
+ if ((rc = this->put(filename, keyBlob, userId)) != NO_ERROR
|| (rc = keyBlob->readBlob(filename, userState->getDecryptionKey(),
userState->getState())) != NO_ERROR) {
return rc;
@@ -1171,12 +1166,12 @@
&& mDevice->common.module->module_api_version >= KEYMASTER_MODULE_API_VERSION_0_2
&& keyBlob->isFallback()) {
ResponseCode imported = importKey(keyBlob->getValue(), keyBlob->getLength(), filename,
- uid, keyBlob->isEncrypted() ? KEYSTORE_FLAG_ENCRYPTED : KEYSTORE_FLAG_NONE);
+ userId, keyBlob->isEncrypted() ? KEYSTORE_FLAG_ENCRYPTED : KEYSTORE_FLAG_NONE);
// The HAL allowed the import, reget the key to have the "fresh"
// version.
if (imported == NO_ERROR) {
- rc = get(filename, keyBlob, TYPE_KEY_PAIR, uid);
+ rc = get(filename, keyBlob, TYPE_KEY_PAIR, userId);
}
}
@@ -1188,15 +1183,15 @@
return rc;
}
- ResponseCode put(const char* filename, Blob* keyBlob, uid_t uid) {
- UserState* userState = getUserState(uid);
+ ResponseCode put(const char* filename, Blob* keyBlob, uid_t userId) {
+ UserState* userState = getUserState(userId);
return keyBlob->writeBlob(filename, userState->getEncryptionKey(), userState->getState(),
mEntropy);
}
- ResponseCode del(const char *filename, const BlobType type, uid_t uid) {
+ ResponseCode del(const char *filename, const BlobType type, uid_t userId) {
Blob keyBlob;
- ResponseCode rc = get(filename, &keyBlob, type, uid);
+ ResponseCode rc = get(filename, &keyBlob, type, userId);
if (rc != ::NO_ERROR) {
return rc;
}
@@ -1226,9 +1221,9 @@
}
ResponseCode saw(const android::String8& prefix, android::Vector<android::String16> *matches,
- uid_t uid) {
+ uid_t userId) {
- UserState* userState = getUserState(uid);
+ UserState* userState = getUserState(userId);
size_t n = prefix.length();
DIR* dir = opendir(userState->getUserDirName());
@@ -1295,7 +1290,7 @@
return getGrant(filename, uid) != NULL;
}
- ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t uid,
+ ResponseCode importKey(const uint8_t* key, size_t keyLen, const char* filename, uid_t userId,
int32_t flags) {
uint8_t* data;
size_t dataLength;
@@ -1330,7 +1325,7 @@
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
keyBlob.setFallback(isFallback);
- return put(filename, &keyBlob, uid);
+ return put(filename, &keyBlob, userId);
}
bool isHardwareBacked(const android::String16& keyType) const {
@@ -1351,8 +1346,9 @@
ResponseCode getKeyForName(Blob* keyBlob, const android::String8& keyName, const uid_t uid,
const BlobType type) {
android::String8 filepath8(getKeyNameForUidWithDir(keyName, uid));
+ uid_t userId = get_user_id(uid);
- ResponseCode responseCode = get(filepath8.string(), keyBlob, type, uid);
+ ResponseCode responseCode = get(filepath8.string(), keyBlob, type, userId);
if (responseCode == NO_ERROR) {
return responseCode;
}
@@ -1361,7 +1357,7 @@
uid_t euid = get_keystore_euid(uid);
if (euid != uid) {
filepath8 = getKeyNameForUidWithDir(keyName, euid);
- responseCode = get(filepath8.string(), keyBlob, type, uid);
+ responseCode = get(filepath8.string(), keyBlob, type, userId);
if (responseCode == NO_ERROR) {
return responseCode;
}
@@ -1374,22 +1370,20 @@
if (end[0] != '_' || end[1] == 0) {
return KEY_NOT_FOUND;
}
- filepath8 = android::String8::format("%s/%s", getUserState(uid)->getUserDirName(),
+ filepath8 = android::String8::format("%s/%s", getUserState(userId)->getUserDirName(),
filename8.string());
if (!hasGrant(filepath8.string(), uid)) {
return responseCode;
}
// It is a granted key. Try to load it.
- return get(filepath8.string(), keyBlob, type, uid);
+ return get(filepath8.string(), keyBlob, type, userId);
}
/**
* Returns any existing UserState or creates it if it doesn't exist.
*/
- UserState* getUserState(uid_t uid) {
- uid_t userId = get_user_id(uid);
-
+ UserState* getUserState(uid_t userId) {
for (android::Vector<UserState*>::iterator it(mMasterKeys.begin());
it != mMasterKeys.end(); it++) {
UserState* state = *it;
@@ -1411,11 +1405,17 @@
}
/**
+ * Returns any existing UserState or creates it if it doesn't exist.
+ */
+ UserState* getUserStateByUid(uid_t uid) {
+ uid_t userId = get_user_id(uid);
+ return getUserState(userId);
+ }
+
+ /**
* Returns NULL if the UserState doesn't already exist.
*/
- const UserState* getUserState(uid_t uid) const {
- uid_t userId = get_user_id(uid);
-
+ const UserState* getUserState(uid_t userId) const {
for (android::Vector<UserState*>::const_iterator it(mMasterKeys.begin());
it != mMasterKeys.end(); it++) {
UserState* state = *it;
@@ -1427,6 +1427,14 @@
return NULL;
}
+ /**
+ * Returns NULL if the UserState doesn't already exist.
+ */
+ const UserState* getUserStateByUid(uid_t uid) const {
+ uid_t userId = get_user_id(uid);
+ return getUserState(userId);
+ }
+
private:
static const char* sOldMasterKey;
static const char* sMetaDataFile;
@@ -1534,7 +1542,7 @@
return SYSTEM_ERROR;
}
- ResponseCode rc = importKey(pkcs8key.get(), len, filename, uid,
+ ResponseCode rc = importKey(pkcs8key.get(), len, filename, get_user_id(uid),
blob->isEncrypted() ? KEYSTORE_FLAG_ENCRYPTED : KEYSTORE_FLAG_NONE);
if (rc != NO_ERROR) {
return rc;
@@ -1577,7 +1585,7 @@
bool upgraded = false;
if (mMetaData.version == 0) {
- UserState* userState = getUserState(0);
+ UserState* userState = getUserStateByUid(0);
// Initialize first so the directory is made.
userState->initialize();
@@ -1619,7 +1627,7 @@
if (end[0] != '_' || end[1] == 0) {
continue;
}
- UserState* otherUser = getUserState(thisUid);
+ UserState* otherUser = getUserStateByUid(thisUid);
if (otherUser->getUserId() != 0) {
unlinkat(dirfd(dir), file->d_name, 0);
}
@@ -1671,7 +1679,7 @@
return ::PERMISSION_DENIED;
}
- return mKeyStore->getState(IPCThreadState::self()->getCallingUid());
+ return mKeyStore->getState(get_user_id(IPCThreadState::self()->getCallingUid()));
}
int32_t get(const String16& name, uint8_t** item, size_t* itemLength) {
@@ -1714,7 +1722,7 @@
Blob keyBlob(item, itemLength, NULL, 0, ::TYPE_GENERIC);
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
- return mKeyStore->put(filename.string(), &keyBlob, targetUid);
+ return mKeyStore->put(filename.string(), &keyBlob, get_user_id(targetUid));
}
int32_t del(const String16& name, int targetUid) {
@@ -1724,7 +1732,7 @@
}
String8 name8(name);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid));
- return mKeyStore->del(filename.string(), ::TYPE_ANY, targetUid);
+ return mKeyStore->del(filename.string(), ::TYPE_ANY, get_user_id(targetUid));
}
int32_t exist(const String16& name, int targetUid) {
@@ -1750,7 +1758,7 @@
const String8 prefix8(prefix);
String8 filename(mKeyStore->getKeyNameForUid(prefix8, targetUid));
- if (mKeyStore->saw(filename, matches, targetUid) != ::NO_ERROR) {
+ if (mKeyStore->saw(filename, matches, get_user_id(targetUid)) != ::NO_ERROR) {
return ::SYSTEM_ERROR;
}
return ::NO_ERROR;
@@ -1772,32 +1780,30 @@
}
const String8 password8(password);
- uid_t uid = get_uid(userId, AID_SYSTEM);
-
// Flush the auth token table to prevent stale tokens from sticking
// around.
mAuthTokenTable.Clear();
if (password.size() == 0) {
ALOGI("Secure lockscreen for user %d removed, deleting encrypted entries", userId);
- mKeyStore->resetUser(static_cast<uid_t>(userId), true);
+ mKeyStore->resetUser(userId, true);
return ::NO_ERROR;
} else {
- switch (mKeyStore->getState(uid)) {
+ switch (mKeyStore->getState(userId)) {
case ::STATE_UNINITIALIZED: {
// generate master key, encrypt with password, write to file,
// initialize mMasterKey*.
- return mKeyStore->initializeUser(password8, uid);
+ return mKeyStore->initializeUser(password8, userId);
}
case ::STATE_NO_ERROR: {
// rewrite master key with new password.
- return mKeyStore->writeMasterKey(password8, uid);
+ return mKeyStore->writeMasterKey(password8, userId);
}
case ::STATE_LOCKED: {
ALOGE("Changing user %d's password while locked, clearing old encryption",
userId);
- mKeyStore->resetUser(static_cast<uid_t>(userId), true);
- return mKeyStore->initializeUser(password8, uid);
+ mKeyStore->resetUser(userId, true);
+ return mKeyStore->initializeUser(password8, userId);
}
}
return ::SYSTEM_ERROR;
@@ -1809,14 +1815,14 @@
return ::PERMISSION_DENIED;
}
- uid_t callingUid = IPCThreadState::self()->getCallingUid();
- State state = mKeyStore->getState(callingUid);
+ uid_t userId = get_user_id(IPCThreadState::self()->getCallingUid());
+ State state = mKeyStore->getState(userId);
if (state != ::STATE_NO_ERROR) {
ALOGD("calling lock in state: %d", state);
return state;
}
- mKeyStore->lock(callingUid);
+ mKeyStore->lock(userId);
return ::NO_ERROR;
}
@@ -1825,8 +1831,7 @@
return ::PERMISSION_DENIED;
}
- uid_t uid = get_uid(userId, AID_SYSTEM);
- State state = mKeyStore->getState(uid);
+ State state = mKeyStore->getState(userId);
if (state != ::STATE_LOCKED) {
ALOGI("calling unlock when not locked, ignoring.");
return state;
@@ -1834,7 +1839,7 @@
const String8 password8(pw);
// read master key, decrypt with password, initialize mMasterKey*.
- return mKeyStore->readMasterKey(password8, uid);
+ return mKeyStore->readMasterKey(password8, userId);
}
int32_t zero() {
@@ -1843,7 +1848,7 @@
}
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- return mKeyStore->isEmpty(callingUid) ? ::KEY_NOT_FOUND : ::NO_ERROR;
+ return mKeyStore->isEmpty(get_user_id(callingUid)) ? ::KEY_NOT_FOUND : ::NO_ERROR;
}
int32_t generate(const String16& name, int32_t targetUid, int32_t keyType, int32_t keySize,
@@ -1984,7 +1989,7 @@
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
keyBlob.setFallback(isFallback);
- return mKeyStore->put(filename.string(), &keyBlob, targetUid);
+ return mKeyStore->put(filename.string(), &keyBlob, get_user_id(targetUid));
}
int32_t import(const String16& name, const uint8_t* data, size_t length, int targetUid,
@@ -1998,7 +2003,8 @@
String8 name8(name);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid));
- return mKeyStore->importKey(data, length, filename.string(), targetUid, flags);
+ return mKeyStore->importKey(data, length, filename.string(), get_user_id(targetUid),
+ flags);
}
int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out,
@@ -2211,7 +2217,7 @@
return -1L;
}
- State state = mKeyStore->getState(callingUid);
+ State state = mKeyStore->getState(get_user_id(callingUid));
if (!isKeystoreUnlocked(state)) {
ALOGD("calling duplicate in state: %d", state);
return state;
@@ -2254,12 +2260,12 @@
Blob keyBlob;
ResponseCode responseCode = mKeyStore->get(sourceFile.string(), &keyBlob, TYPE_ANY,
- srcUid);
+ get_user_id(srcUid));
if (responseCode != ::NO_ERROR) {
return responseCode;
}
- return mKeyStore->put(targetFile.string(), &keyBlob, destUid);
+ return mKeyStore->put(targetFile.string(), &keyBlob, get_user_id(destUid));
}
int32_t is_hardware_backed(const String16& keyType) {
@@ -2274,14 +2280,14 @@
String8 prefix = String8::format("%u_", targetUid);
Vector<String16> aliases;
- if (mKeyStore->saw(prefix, &aliases, targetUid) != ::NO_ERROR) {
+ if (mKeyStore->saw(prefix, &aliases, get_user_id(targetUid)) != ::NO_ERROR) {
return ::SYSTEM_ERROR;
}
for (uint32_t i = 0; i < aliases.size(); i++) {
String8 name8(aliases[i]);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid));
- mKeyStore->del(filename.string(), ::TYPE_ANY, targetUid);
+ mKeyStore->del(filename.string(), ::TYPE_ANY, get_user_id(targetUid));
}
return ::NO_ERROR;
}
@@ -2296,13 +2302,15 @@
if (!checkBinderPermission(P_SYNC_UID, targetUid)) {
return ::PERMISSION_DENIED;
}
+ uid_t sourceUser = get_user_id(sourceUid);
+ uid_t targetUser = get_user_id(targetUid);
- if (sourceUid == targetUid) {
+ if (sourceUser == targetUser) {
return ::SYSTEM_ERROR;
}
// Initialise user keystore with existing master key held in-memory
- return mKeyStore->copyMasterKey(sourceUid, targetUid);
+ return mKeyStore->copyMasterKey(sourceUser, targetUser);
}
int32_t password_uid(const String16& pw, int32_t targetUid) {
@@ -2311,19 +2319,20 @@
return ::PERMISSION_DENIED;
}
const String8 password8(pw);
+ uid_t userId = get_user_id(targetUid);
- switch (mKeyStore->getState(targetUid)) {
+ switch (mKeyStore->getState(userId)) {
case ::STATE_UNINITIALIZED: {
// generate master key, encrypt with password, write to file, initialize mMasterKey*.
- return mKeyStore->initializeUser(password8, targetUid);
+ return mKeyStore->initializeUser(password8, userId);
}
case ::STATE_NO_ERROR: {
// rewrite master key with new password.
- return mKeyStore->writeMasterKey(password8, targetUid);
+ return mKeyStore->writeMasterKey(password8, userId);
}
case ::STATE_LOCKED: {
// read master key, decrypt with password, initialize mMasterKey*.
- return mKeyStore->readMasterKey(password8, targetUid);
+ return mKeyStore->readMasterKey(password8, userId);
}
}
return ::SYSTEM_ERROR;
@@ -2425,7 +2434,7 @@
free(const_cast<uint8_t*>(blob.key_material));
- return mKeyStore->put(filename.string(), &keyBlob, uid);
+ return mKeyStore->put(filename.string(), &keyBlob, get_user_id(uid));
}
int32_t getKeyCharacteristics(const String16& name,
@@ -2516,7 +2525,7 @@
free((void*) blob.key_material);
- return mKeyStore->put(filename.string(), &keyBlob, uid);
+ return mKeyStore->put(filename.string(), &keyBlob, get_user_id(uid));
}
void exportKey(const String16& name, keymaster_key_format_t format,
@@ -2840,7 +2849,7 @@
if (!checkBinderPermission(permission, targetUid)) {
return ::PERMISSION_DENIED;
}
- State state = mKeyStore->getState(getEffectiveUid(targetUid));
+ State state = mKeyStore->getState(get_user_id(getEffectiveUid(targetUid)));
if (checkUnlocked && !isKeystoreUnlocked(state)) {
return state;
}