commit 8e92e746453c080fbbddbce409870caf70f11d72
author David Drysdale <drysdale@google.com> Tue Oct 22 13:07:07 2024 +0100
committer David Drysdale <drysdale@google.com> Wed Nov 06 10:41:08 2024 +0000
tree 9ec4b7dc6ac4530779122afac1f957941f80936f
parent d6ceaf11fbc908535122888b8ac5839c93bf9028

Don't allow a non-owner to grant access to APP key

Test: keystore2_client_tests
Test: KeyChainTests
Test: KeyStoreManagerTests
Test: CtsVerifier / Security / KeyChain storage test
Change-Id: I8f991e4dd9cbdf4ccf22e5a834881a379fb9333d

keystore2/src/permission.rs

diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 7bf17b5..023774f 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -282,12 +282,19 @@
 ///                      SELinux keystore key backend, and the result is used
 ///                      as target context.
 pub fn check_grant_permission(
+    caller_uid: u32,
     caller_ctx: &CStr,
     access_vec: KeyPermSet,
     key: &KeyDescriptor,
 ) -> anyhow::Result<()> {
     let target_context = match key.domain {
-        Domain::APP => getcon().context("check_grant_permission: getcon failed.")?,
+        Domain::APP => {
+            if caller_uid as i64 != key.nspace {
+                return Err(selinux::Error::perm())
+                    .context("Trying to access key without ownership.");
+            }
+            getcon().context("check_grant_permission: getcon failed.")?
+        }
         Domain::SELINUX => lookup_keystore2_key_context(key.nspace)
             .context("check_grant_permission: Domain::SELINUX: Failed to lookup namespace.")?,
         _ => return Err(KsError::sys()).context(format!("Cannot grant {:?}.", key.domain)),