Merge "Tests to verify importWrappedKey functionality."
diff --git a/keystore2/apc_compat/apc_compat.rs b/keystore2/apc_compat/apc_compat.rs
index 57f8710..9f44927 100644
--- a/keystore2/apc_compat/apc_compat.rs
+++ b/keystore2/apc_compat/apc_compat.rs
@@ -19,7 +19,7 @@
 //! client.
 
 use keystore2_apc_compat_bindgen::{
-    abortUserConfirmation, closeUserConfirmationService, promptUserConfirmation, size_t,
+    abortUserConfirmation, closeUserConfirmationService, promptUserConfirmation,
     tryGetUserConfirmationService, ApcCompatCallback, ApcCompatServiceHandle,
 };
 pub use keystore2_apc_compat_bindgen::{
@@ -76,9 +76,9 @@
     handle: *mut ::std::os::raw::c_void,
     rc: u32,
     tbs_message: *const u8,
-    tbs_message_size: size_t,
+    tbs_message_size: usize,
     confirmation_token: *const u8,
-    confirmation_token_size: size_t,
+    confirmation_token_size: usize,
 ) {
     // # Safety:
     // The C/C++ implementation must pass to us the handle that was created
@@ -178,7 +178,7 @@
                 cb,
                 prompt_text.as_ptr(),
                 extra_data.as_ptr(),
-                extra_data.len() as size_t,
+                extra_data.len() as usize,
                 locale.as_ptr(),
                 ui_opts,
             )
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 5644fbe..b286b2f 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -157,7 +157,9 @@
         let mut cert_chain: Vec<u8> = Vec::new();
         cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
         cert_chain.extend(attestation_key_metadata.certificateChain.as_ref().unwrap());
-        validate_certchain(&cert_chain).expect("Error while validating cert chain.");
+        // The server seems to be issuing test certs with invalid subject names.
+        // Re-enable when b/263254184 is fixed
+        // validate_certchain(&cert_chain).expect("Error while validating cert chain.");
 
         // Create EC key and use attestation key to sign it.
         let ec_key_alias = format!("ks_ec_attested_test_key_{}", getuid());
@@ -175,7 +177,9 @@
         cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
         cert_chain.extend(attestation_key_metadata.certificateChain.as_ref().unwrap());
 
-        validate_certchain(&cert_chain).expect("Error while validating cert chain.");
+        // The server seems to be issuing test certs with invalid subject names.
+        // Re-enable when b/263254184 is fixed
+        // validate_certchain(&cert_chain).expect("Error while validating cert chain.");
     }
 }
 
diff --git a/ondevice-signing/odsign.rc b/ondevice-signing/odsign.rc
index de09fc0..b96c62f 100644
--- a/ondevice-signing/odsign.rc
+++ b/ondevice-signing/odsign.rc
@@ -3,6 +3,13 @@
     user root
     group system
     disabled # does not start with the core class
+    # Explicitly specify empty capabilities, otherwise odsign will inherit all
+    # the capabilities from init.
+    # Note: whether a process can use capabilities is controlled by SELinux, so
+    # inheriting all the capabilities from init is not a security issue.
+    # However, for defense-in-depth and just for the sake of bookkeeping it's
+    # better to explicitly state that odsign doesn't need any capabilities.
+    capabilities
 
 # Note that odsign is not oneshot, but stopped manually when it exits. This
 # ensures that if odsign crashes during a module update, apexd will detect