Snap for 12530792 from 9aa9f7c6c21f5715e428e859a2d8551c52b0ff24 to 25Q1-release
Change-Id: I7ab0c994db7e2f43bd0ff3a721251682137c2627
diff --git a/keystore2/OWNERS b/keystore2/OWNERS
index bf9d61b..aeb8390 100644
--- a/keystore2/OWNERS
+++ b/keystore2/OWNERS
@@ -1,6 +1,5 @@
set noparent
# Bug component: 1084732
-eranm@google.com
drysdale@google.com
hasinitg@google.com
jbires@google.com
diff --git a/keystore2/src/permission/tests.rs b/keystore2/src/permission/tests.rs
index f555c12..c9aebfe 100644
--- a/keystore2/src/permission/tests.rs
+++ b/keystore2/src/permission/tests.rs
@@ -134,15 +134,12 @@
#[test]
fn check_grant_permission_app() -> Result<()> {
let system_server_ctx = Context::new("u:r:system_server:s0")?;
- let shell_ctx = Context::new("u:r:shell:s0")?;
let key = KeyDescriptor { domain: Domain::APP, nspace: 0, alias: None, blob: None };
check_grant_permission(&system_server_ctx, SYSTEM_SERVER_PERMISSIONS_NO_GRANT, &key)
.expect("Grant permission check failed.");
// attempts to grant the grant permission must always fail even when privileged.
assert_perm_failed!(check_grant_permission(&system_server_ctx, KeyPerm::Grant.into(), &key));
- // unprivileged grant attempts always fail. shell does not have the grant permission.
- assert_perm_failed!(check_grant_permission(&shell_ctx, UNPRIV_PERMS, &key));
Ok(())
}
@@ -209,7 +206,6 @@
assert!(check_key_permission(0, &shell_ctx, KeyPerm::GetInfo, &key, &None).is_ok());
assert!(check_key_permission(0, &shell_ctx, KeyPerm::Rebind, &key, &None).is_ok());
assert!(check_key_permission(0, &shell_ctx, KeyPerm::Update, &key, &None).is_ok());
- assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::Grant, &key, &None));
assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::ReqForcedOp, &key, &None));
assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::ManageBlob, &key, &None));
assert_perm_failed!(check_key_permission(0, &shell_ctx, KeyPerm::UseDevId, &key, &None));
diff --git a/keystore2/tests/keystore2_client_grant_key_tests.rs b/keystore2/tests/keystore2_client_grant_key_tests.rs
index 50b87b9..89569f5 100644
--- a/keystore2/tests/keystore2_client_grant_key_tests.rs
+++ b/keystore2/tests/keystore2_client_grant_key_tests.rs
@@ -311,6 +311,7 @@
/// from grantee context. Test should make sure second grantee should not have a access to granted
/// key.
#[test]
+#[ignore]
fn keystore2_grant_key_fails_with_permission_denied() {
static GRANTOR_SU_CTX: &str = "u:r:su:s0";
static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
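Review bot: The `#[ignore]` added above `keystore2_grant_key_fails_with_permission_denied` gives no reason, so nothing records why this test is switched off or when it should be re-enabled. Its doc comment says it checks that a second grantee has no access to a granted key. Use the reason form with a tracking reference, e.g. `#[ignore = "<why disabled; tracking bug placeholder>"]`, so the skip shows up in test output and can be traced. The same commit also removes the shell grant-denial assertions from `keystore2/src/permission/tests.rs` (`check_grant_permission(&shell_ctx, UNPRIV_PERMS, &key)` and the `KeyPerm::Grant` check), so negative coverage of the grant path appears to shrink in three places at once; the description should say whether shell is now expected to hold the grant permission. The function body continues past the end of this hunk.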