Keystore 2.0: Fix permission tests.

Some of the permission tests only pass on cuttlefish because its
system_server is permissive. This fix makes them pass on real devices.

Test: keystore2_test
Change-Id: I3cca0cf7ca30276eb75fa1d86a9243ee65d3d588
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index a81954f..0f0ca04 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -454,9 +454,12 @@
 
     for p in access_vec.into_iter() {
         selinux::check_access(caller_ctx, &target_context, "keystore2_key", p.to_selinux())
-            .context(concat!(
-                "check_grant_permission: check_access failed. ",
-                "The caller may have tried to grant a permission that they don't possess."
+            .context(format!(
+                concat!(
+                    "check_grant_permission: check_access failed. ",
+                    "The caller may have tried to grant a permission that they don't possess. {:?}"
+                ),
+                p
             ))?
     }
     Ok(())
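Review bot: The new `.context(format!(…))` inside the loop of check_grant_permission builds the message string for every permission, including the ones that pass, because `context` takes its argument eagerly. anyhow's lazy form defers that work to the failure path: `.with_context(|| format!(concat!(...), p))?`. Naming the denied permission is useful when diagnosing a refusal. It is worth confirming that this error chain ends in logs rather than in the response to the calling app, since the hunk does not show where it goes. The function starts above the hunk.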
@@ -575,6 +578,16 @@
         KeyPerm::use_(),
     ];
 
+    const SYSTEM_SERVER_PERMISSIONS_NO_GRANT: KeyPermSet = key_perm_set![
+        KeyPerm::delete(),
+        KeyPerm::use_dev_id(),
+        // No KeyPerm::grant()
+        KeyPerm::get_info(),
+        KeyPerm::rebind(),
+        KeyPerm::update(),
+        KeyPerm::use_(),
+    ];
+
     const NOT_GRANT_PERMS: KeyPermSet = key_perm_set![
         KeyPerm::manage_blob(),
         KeyPerm::delete(),
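Review bot: SYSTEM_SERVER_PERMISSIONS_NO_GRANT carries no comment saying where its contents come from, and it looks like a hand-copied variant of the set whose tail is visible just above it. A one-line comment would keep the two from drifting apart, for example `// Permissions system_server holds under enforcing policy, minus grant; update together with the set above.` The policy statement is inferred from the commit message, so check it against the sepolicy before writing it as fact.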
@@ -643,7 +656,6 @@
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
-        assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::list()).is_ok());
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
         assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
@@ -663,9 +675,10 @@
         let system_server_ctx = Context::new("u:r:system_server:s0")?;
         let shell_ctx = Context::new("u:r:shell:s0")?;
         let key = KeyDescriptor { domain: Domain::APP, nspace: 0, alias: None, blob: None };
-        assert!(check_grant_permission(&system_server_ctx, NOT_GRANT_PERMS, &key).is_ok());
-        // attempts to grant the grant permission must always fail even when privileged.
+        check_grant_permission(&system_server_ctx, SYSTEM_SERVER_PERMISSIONS_NO_GRANT, &key)
+            .expect("Grant permission check failed.");
 
+        // attempts to grant the grant permission must always fail even when privileged.
         assert_perm_failed!(check_grant_permission(
             &system_server_ctx,
             KeyPerm::grant().into(),
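Review bot: After this change the only rejected grant this test asserts for system_server is `KeyPerm::grant()` itself. The old set NOT_GRANT_PERMS began with `KeyPerm::manage_blob()`, which the new constant omits, so system_server presumably does not hold it on an enforcing device, yet nothing asserts that granting it is refused. A negative assertion would fail where the domain is permissive, so at minimum record the gap next to the positive check: `// Not asserted: granting a permission system_server lacks (e.g. manage_blob) is denied; a permissive domain would pass it.` If NOT_GRANT_PERMS has no other user it is now dead code. The call being asserted continues past the end of the hunk.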