Define the MigrateAnyKey permission
corresponding to the selinux perm `migrate_any_key`. Checked when
migrating keys for an app leaving a sharedUserId.
Bug: 179284822
Test: TH
Change-Id: I831af2f99049401855dcf4b7d23555a3473e37c6
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 3f6cf36..57abc26 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -215,6 +215,8 @@
fn migrate_key_namespace(source: &KeyDescriptor, destination: &KeyDescriptor) -> Result<()> {
let caller_uid = ThreadState::get_calling_uid();
+ let migrate_any_key_permission =
+ check_keystore_permission(KeystorePerm::MigrateAnyKey).is_ok();
DB.with(|db| {
let key_id_guard = match source.domain {
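Review bot: The `.is_ok()` on the new `migrate_any_key_permission` binding folds every failure of `check_keystore_permission` into "not privileged", so an error in the check itself (rather than a plain denial) silently drops to the per-key path with no trace of why; that is fail-closed, which is the right direction, but it hides diagnostics. A comment at that line would make the intent explicit, e.g. `// Any failure of the privileged check, not just a denial, means "not granted": fall back to per-key checks.` If `check_keystore_permission` can fail for reasons other than denial, consider logging the error before discarding it. `migrate_key_namespace`'s body continues past the end of this hunk.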
@@ -227,9 +229,12 @@
KeyEntryLoadBits::NONE,
caller_uid,
|k, av| {
- check_key_permission(KeyPerm::Use, k, &av)?;
- check_key_permission(KeyPerm::Delete, k, &av)?;
- check_key_permission(KeyPerm::Grant, k, &av)
+ if !migrate_any_key_permission {
+ check_key_permission(KeyPerm::Use, k, &av)?;
+ check_key_permission(KeyPerm::Delete, k, &av)?;
+ check_key_permission(KeyPerm::Grant, k, &av)?;
+ }
+ Ok(())
},
)
})
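Review bot: When `migrate_any_key_permission` is set, the closure now skips the Use, Delete and Grant checks entirely, so a holder of `migrate_any_key` can load and move any key in any namespace with no per-key access control at all; the Rebind check on the destination in the following hunk is bypassed the same way. That is presumably the intended semantics for the system component handling sharedUserId departures, but nothing in the code says so, and a reader could mistake the skipped checks for an oversight. Suggest a comment above the new `if`, e.g. `// migrate_any_key holders are trusted to move keys across namespaces; the per-key checks are intentionally bypassed.` The enclosing `migrate_key_namespace` body starts and ends outside this hunk.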
@@ -245,7 +250,10 @@
};
db.borrow_mut().migrate_key_namespace(key_id_guard, destination, caller_uid, |k| {
- check_key_permission(KeyPerm::Rebind, k, &None)
+ if !migrate_any_key_permission {
+ check_key_permission(KeyPerm::Rebind, k, &None)?;
+ }
+ Ok(())
})
})
}
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index f280341..e6d61b0 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -145,6 +145,10 @@
/// Checked when IKeystoreMaintenance::deleteAllKeys is called.
#[selinux(name = delete_all_keys)]
DeleteAllKeys,
+ /// Checked when migrating any key from any namespace to any other namespace. It was
+ /// introduced for migrating keys when an app leaves a sharedUserId.
+ #[selinux(name = migrate_any_key)]
+ MigrateAnyKey,
}
);
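Review bot: The new doc comment on `MigrateAnyKey` says when the permission is checked but not what holding it grants; from the maintenance.rs hunks it bypasses the per-key Use, Delete, Grant and Rebind checks during migration, which is exactly what a policy author deciding whether to grant `migrate_any_key` to a domain needs to know. Suggest adding a line to the doc comment, e.g. `/// Holders bypass the per-key Use, Delete, Grant and Rebind checks in migrate_key_namespace.` The matching sepolicy definition of the permission is not part of this change, so it presumably lands separately.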