Add and use run_as::run_as_root helper

Test: keystore2_client_tests
Flag: None, pure refactor of test code
Change-Id: I7c04464c701a053bee508c5bed1f13293028c7cc
diff --git a/keystore2/test_utils/run_as.rs b/keystore2/test_utils/run_as.rs
index 14a72be..07d1bbd 100644
--- a/keystore2/test_utils/run_as.rs
+++ b/keystore2/test_utils/run_as.rs
@@ -422,6 +422,27 @@
     }
 }
 
+/// Run the given closure in a new process running with the root identity.
+///
+/// # Safety
+/// run_as runs the given closure in the client branch of fork. And it uses non
+/// async signal safe API. This means that calling this function in a multi threaded program
+/// yields undefined behavior in the child. As of this writing, it is safe to call this function
+/// from a Rust device test, because every test itself is spawned as a separate process.
+///
+/// # Safety Binder
+/// It is okay for the closure to use binder services, however, this does not work
+/// if the parent initialized libbinder already. So do not use binder outside of the closure
+/// in your test.
+pub unsafe fn run_as_root<F, R>(f: F) -> R
+where
+    R: Serialize + DeserializeOwned,
+    F: 'static + Send + FnOnce() -> R,
+{
+    // SAFETY: Our caller guarantees that the process only has a single thread.
+    unsafe { run_as("u:r:su:s0", Uid::from_raw(0), Gid::from_raw(0), f) }
+}
+
 /// Run the given closure in a new process running with the new identity given as
 /// `uid`, `gid`, and `se_context`.
 ///
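Review bot: The `// SAFETY:` comment inside `run_as_root` discharges only the single-thread precondition, but the doc comment above it also requires that the parent has not initialized libbinder, and that requirement sits under a non-standard `# Safety Binder` heading that a reader scanning for `# Safety` may miss. I would fold both into the one `# Safety` section and write the inner comment as `// SAFETY: Our caller guarantees a single-threaded process and that libbinder is not yet initialized in the parent.` The doc also says the closure runs in the "client branch of fork", which presumably means the child branch. Since this helper is now the one place that pins the root identity, the literal `"u:r:su:s0"` could become a named constant next to it, e.g. `const ROOT_SE_CONTEXT: &str = "u:r:su:s0";`.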
diff --git a/keystore2/tests/keystore2_client_grant_key_tests.rs b/keystore2/tests/keystore2_client_grant_key_tests.rs
index 853790e..e800f99 100644
--- a/keystore2/tests/keystore2_client_grant_key_tests.rs
+++ b/keystore2/tests/keystore2_client_grant_key_tests.rs
@@ -100,8 +100,6 @@
 /// should fail to load the key with permission denied error.
 #[test]
 fn keystore2_grant_key_with_perm_none() {
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
-
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -124,8 +122,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // In grantee context try to load the key, it should fail to load the granted key as it is
     // granted with empty access vector.
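Review bot: The safety comment kept above this call argues single-threadedness from `AndroidTest.xml` setting `--test-threads=1`, while the `# Safety` section of the new `run_as_root` argues it from every test being spawned as a separate process; these are different claims, and a reader cannot tell which one the fork relies on. The same comment sits above the other `run_as_root` calls in this commit. I would make the call-site comments name the helper's contract, for example `// SAFETY: single-threaded (AndroidTest.xml sets --test-threads=1) and binder not yet used, as run_as_root requires.`, and align the helper's doc with whichever invariant actually holds. The test function's body starts and ends outside the hunk.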
@@ -161,8 +158,6 @@
 /// delete it as `DELETE` permission is not granted.
 #[test]
 fn keystore2_grant_get_info_use_key_perm() {
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
-
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -185,8 +180,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // In grantee context load the key and try to perform crypto operation.
     let grantee_fn = move || {
@@ -250,7 +244,6 @@
 /// should fail to find the key with error response `KEY_NOT_FOUND`.
 #[test]
 fn keystore2_grant_delete_key_success() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -275,8 +268,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Grantee context, delete the key.
     let grantee_fn = move || {
@@ -317,7 +309,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    unsafe { run_as::run_as_root(grantor_fn) };
 }
 
 /// Grant a key to the user. In grantee context load the granted key and try to grant it to second
@@ -327,7 +319,6 @@
 #[test]
 #[ignore]
 fn keystore2_grant_key_fails_with_permission_denied() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -356,8 +347,7 @@
     };
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Grantee context, load the granted key and try to grant it to `SEC_GRANTEE_UID` grantee.
     let grantee_fn = move || {
@@ -470,7 +460,6 @@
 /// the key. Grantee should fail to load the ungranted key with `KEY_NOT_FOUND` error response.
 #[test]
 fn keystore2_ungrant_key_success() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -505,8 +494,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Grantee context, try to load the ungranted key.
     let grantee_fn = move || {
@@ -540,7 +528,6 @@
 /// associated key is deleted from grantor context.
 #[test]
 fn keystore2_ungrant_fails_with_non_existing_key_expect_key_not_found_error() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
 
     const APPLICATION_ID: u32 = 10001;
@@ -594,8 +581,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Make sure grant did not persist, try to access the earlier granted key in grantee context.
     // Grantee context should fail to load the granted key as its associated key is deleted in
@@ -629,7 +615,6 @@
 /// use it for performing an operation successfully.
 #[test]
 fn keystore2_grant_key_to_multi_users_success() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
 
     const APPLICATION_ID: u32 = 10001;
@@ -658,8 +643,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let mut grant_keys =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let mut grant_keys = unsafe { run_as::run_as_root(grantor_fn) };
 
     for (grantee_uid, grantee_gid) in
         &[(GRANTEE_1_UID, GRANTEE_1_GID), (GRANTEE_2_UID, GRANTEE_2_GID)]
@@ -694,7 +678,6 @@
 /// fail to load the granted key with `KEY_NOT_FOUND` error response.
 #[test]
 fn keystore2_grant_key_to_multi_users_delete_fails_with_key_not_found_error() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
 
     const USER_ID_1: u32 = 99;
@@ -724,8 +707,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let mut grant_keys =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let mut grant_keys = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Grantee #1 context
     let grant_key1_nspace = grant_keys.remove(0);
diff --git a/keystore2/tests/keystore2_client_keystore_engine_tests.rs b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
index a576993..8ab9eb5 100644
--- a/keystore2/tests/keystore2_client_keystore_engine_tests.rs
+++ b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
@@ -153,8 +153,6 @@
 
 #[test]
 fn keystore2_perofrm_crypto_op_using_keystore2_engine_rsa_key_success() {
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
-
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -170,8 +168,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // In grantee context load the key and try to perform crypto operation.
     let grantee_fn = move || {
@@ -193,8 +190,6 @@
 
 #[test]
 fn keystore2_perofrm_crypto_op_using_keystore2_engine_ec_key_success() {
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
-
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -210,8 +205,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // In grantee context load the key and try to perform crypto operation.
     let grantee_fn = move || {
@@ -233,8 +227,6 @@
 
 #[test]
 fn keystore2_perofrm_crypto_op_using_keystore2_engine_pem_pub_key_success() {
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
-
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
     const USER_ID: u32 = 99;
     const APPLICATION_ID: u32 = 10001;
@@ -271,8 +263,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let grant_key_nspace =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let grant_key_nspace = unsafe { run_as::run_as_root(grantor_fn) };
 
     // In grantee context load the key and try to perform crypto operation.
     let grantee_fn = move || {
diff --git a/keystore2/tests/keystore2_client_list_entries_tests.rs b/keystore2/tests/keystore2_client_list_entries_tests.rs
index af01a6e..de9f42e 100644
--- a/keystore2/tests/keystore2_client_list_entries_tests.rs
+++ b/keystore2/tests/keystore2_client_list_entries_tests.rs
@@ -51,7 +51,6 @@
 ///    context. GRANT keys shouldn't be part of this list.
 #[test]
 fn keystore2_list_entries_success() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
 
     const USER_ID: u32 = 91;
@@ -110,7 +109,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), gen_key_fn) };
+    unsafe { run_as::run_as_root(gen_key_fn) };
 
     // In user context validate list of key entries associated with it.
     let list_keys_fn = move || {
diff --git a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
index c1ec6a1..5078924 100644
--- a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
+++ b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
@@ -153,7 +153,6 @@
 /// permissions, test should be able to update public certificate and cert-chain successfully.
 #[test]
 fn keystore2_update_subcomponent_fails_permission_denied() {
-    static GRANTOR_SU_CTX: &str = "u:r:su:s0";
     static GRANTEE_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
 
     const USER_ID_1: u32 = 99;
@@ -198,8 +197,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let mut granted_keys =
-        unsafe { run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), grantor_fn) };
+    let mut granted_keys = unsafe { run_as::run_as_root(grantor_fn) };
 
     // Grantee context, try to update the key public certs, permission denied error is expected.
     let granted_key1_nspace = granted_keys.remove(0);
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
index cb99fe7..bbbadee 100644
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@@ -129,7 +129,6 @@
     let auid = 99 * AID_USER_OFFSET + 10001;
     let agid = 99 * AID_USER_OFFSET + 10001;
     static TARGET_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
 
     // Cleanup user directory if it exists
     let path_buf = PathBuf::from("/data/misc/keystore/user_99");
@@ -240,8 +239,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let mut gen_key_result =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), gen_key_fn) };
+    let mut gen_key_result = unsafe { run_as::run_as_root(gen_key_fn) };
 
     let use_key_fn = move || {
         println!("UID: {}", getuid());
@@ -375,7 +373,6 @@
     let auid = 98 * AID_USER_OFFSET + 10001;
     let agid = 98 * AID_USER_OFFSET + 10001;
     static TARGET_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";
-    static TARGET_SU_CTX: &str = "u:r:su:s0";
 
     // Cleanup user directory if it exists
     let path_buf = PathBuf::from("/data/misc/keystore/user_98");
@@ -489,8 +486,7 @@
 
     // Safety: only one thread at this point (enforced by `AndroidTest.xml` setting
     // `--test-threads=1`), and nothing yet done with binder.
-    let gen_key_result =
-        unsafe { run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), gen_key_fn) };
+    let gen_key_result = unsafe { run_as::run_as_root(gen_key_fn) };
 
     let use_key_fn = move || {
         println!("UID: {}", getuid());