Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / ce99543bb0d3cd863b04535b7f64e61ffd4b6a08^! / . / keystore2 / src / error.rs
commitce99543bb0d3cd863b04535b7f64e61ffd4b6a08[log] [tgz]
authorJanis Danisevskis <jdanis@google.com>Tue Jul 21 12:22:34 2020 -0700
committerJanis Danisevskis <jdanis@google.com>Thu Aug 13 12:47:50 2020 -0700
tree4123873b1831528fa1f43c2cd724cec00e004fd8
parentd0282625dbd972ae1509e4b9d5e465ee1bf201be [diff] [blame]
Keystore libselinux rust bindings.

Provide safe wrappers around the libselinux API needed for keystore.
 * getcon
 * selinux_check_acces
 * selabel_lookup

Test: keystore2_selinux_test
Test: keystore2_selinux_rust_bindings_host_test
Bug: 159466840
Change-Id: I73b4aa2e1da9b477965b10927eba069e6346ce6e

diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index e58d3ce..e6443b7 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs

@@ -36,6 +36,8 @@
 use keystore_aidl_generated as aidl;
 use keystore_aidl_generated::ResponseCode as AidlRc;
 
+use keystore2_selinux as selinux;
+
 pub use aidl::ResponseCode;
 
 /// AidlResult wraps the `android.security.keystore2.Result` generated from AIDL
@@ -89,7 +91,10 @@
         match root_cause.downcast_ref::<Error>() {
             Some(Error::Rc(rcode)) => AidlResult::rc(*rcode),
             Some(Error::Km(ec)) => AidlResult::ec(*ec),
-            None => AidlResult::rc(AidlRc::SystemError),
+            None => match root_cause.downcast_ref::<selinux::Error>() {
+                Some(selinux::Error::PermissionDenied) => AidlResult::rc(AidlRc::PermissionDenied),
+                _ => AidlResult::rc(AidlRc::SystemError),
+            },
         }
     }
 }
@@ -101,6 +106,7 @@
 /// All `Error::Rc(x)` variants get mapped onto `aidl::Result{x, 0}`.
 /// All `Error::Km(x)` variants get mapped onto
 /// `aidl::Result{aidl::ResponseCode::KeymintErrorCode, x}`.
+/// `selinux::Error::perm()` is mapped on `aidl::Result{aidl::ResponseCode::PermissionDenied, 0}`.
 ///
 /// All non `Error` error conditions get mapped onto
 /// `aidl::Result{aidl::ResponseCode::SystemError}`.
@@ -168,6 +174,14 @@
         nested_nested_ok(rc).context("nested ok")
     }
 
+    fn nested_nested_selinux_perm() -> anyhow::Result<()> {
+        Err(anyhow!(selinux::Error::perm())).context("nested nexted selinux permission denied")
+    }
+
+    fn nested_selinux_perm() -> anyhow::Result<()> {
+        nested_nested_selinux_perm().context("nested selinux permission denied")
+    }
+
     #[derive(Debug, thiserror::Error)]
     enum TestError {
         #[error("TestError::Fail")]
@@ -263,6 +277,11 @@
         );
         assert_eq!(AidlResult::ok(), map_or_log_err(nested_ok(AidlRc::Ok), AidlResult::rc));
 
+        // selinux::Error::Perm() needs to be mapped to AidlRc::PermissionDenied
+        assert_eq!(
+            AidlResult::rc(AidlRc::PermissionDenied),
+            map_or_log_err(nested_selinux_perm(), |_| AidlResult::ec(0))
+        );
         Ok(())
     }
 } // mod tests