Keystore 2.0: Remove list permission from keystore2_key security class.
The list permission is a special keystore2 permission that allows
callers to list arbitrary namespaces. It is not a key- or namespace-
specific permission.
Test: N/A
Merged-In: Ie0a29d8b08c53977ae2ed04d042868044d2c34c5
Change-Id: Ie0a29d8b08c53977ae2ed04d042868044d2c34c5
diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs
index 8bc3bc4..932c30e 100644
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@@ -424,7 +424,6 @@
check_key_perm!(gen_unique_id, true);
check_key_perm!(grant, true);
check_key_perm!(get_info, false);
- check_key_perm!(list, false);
check_key_perm!(rebind, false);
check_key_perm!(update, false);
check_key_perm!(use, false);
diff --git a/keystore2/src/android_security_keystore2.rs b/keystore2/src/android_security_keystore2.rs
index 99629ff..d22a593 100644
--- a/keystore2/src/android_security_keystore2.rs
+++ b/keystore2/src/android_security_keystore2.rs
@@ -1034,13 +1034,12 @@
pub const GenUniqueId: KeyPermission = 2;
pub const GetInfo: KeyPermission = 4;
pub const Grant: KeyPermission = 8;
- pub const List: KeyPermission = 16;
- pub const ManageBlob: KeyPermission = 32;
- pub const Rebind: KeyPermission = 64;
- pub const ReqForcedOp: KeyPermission = 128;
- pub const Update: KeyPermission = 256;
- pub const Use: KeyPermission = 512;
- pub const UseDevId: KeyPermission = 1024;
+ pub const ManageBlob: KeyPermission = 16;
+ pub const Rebind: KeyPermission = 32;
+ pub const ReqForcedOp: KeyPermission = 64;
+ pub const Update: KeyPermission = 128;
+ pub const Use: KeyPermission = 256;
+ pub const UseDevId: KeyPermission = 512;
pub(crate) mod mangled { pub use super::KeyPermission as _7_android_8_security_9_keystore2_13_KeyPermission; }
}
pub mod OperationChallenge {
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index e459e86..ea70195 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -1086,14 +1086,20 @@
let mut stmt = db
.conn
.prepare("SELECT id, grantee, keyentryid, access_vector FROM perboot.grant;")?;
- let mut rows = stmt.query_map::<(i64, u32, i64, i32), _, _>(NO_PARAMS, |row| {
- Ok((row.get(0)?, row.get(1)?, row.get(2)?, row.get(3)?))
- })?;
+ let mut rows =
+ stmt.query_map::<(i64, u32, i64, KeyPermSet), _, _>(NO_PARAMS, |row| {
+ Ok((
+ row.get(0)?,
+ row.get(1)?,
+ row.get(2)?,
+ KeyPermSet::from(row.get::<_, i32>(3)?),
+ ))
+ })?;
let r = rows.next().unwrap().unwrap();
- assert_eq!(r, (next_random, GRANTEE_UID, 1, 516));
+ assert_eq!(r, (next_random, GRANTEE_UID, 1, PVEC1));
let r = rows.next().unwrap().unwrap();
- assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, 512));
+ assert_eq!(r, (next_random + 1, GRANTEE_UID, 2, PVEC2));
assert!(rows.next().is_none());
}
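Review bot: `KeyPermSet::from(row.get::<_, i32>(3)?)` decodes the stored access_vector as a raw integer, and this commit renumbers the KeyPermission bit values in android_security_keystore2.rs (and the Lock/Reset/Unlock discriminants in permission.rs), so an access vector written under the old layout would now read back with different meaning — the bit that was `List` (16) becomes `ManageBlob`. The table is `perboot.grant`, which by its name should not survive a reboot, so this is presumably safe across the version boundary, but nothing in the hunk shows that guarantee, and the `From<i32>` impl for KeyPermSet is outside the hunk, so whether unknown bits are rejected cannot be seen here. A one-line comment at the decode would record the assumption, e.g. `// access_vector bit layout is not stable across builds; relies on perboot.grant not persisting across reboots.`; if an access vector is stored or transmitted anywhere else, the encoding change needs a migration or version check. The enclosing test function starts before this hunk.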
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index df59484..1880623 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -197,7 +197,6 @@
GenUniqueId, selinux name: gen_unique_id;
GetInfo, selinux name: get_info;
Grant, selinux name: grant;
- List, selinux name: list;
ManageBlob, selinux name: manage_blob;
Rebind, selinux name: rebind;
ReqForcedOp, selinux name: req_forced_op;
@@ -294,12 +293,15 @@
ClearNs = 2, selinux name: clear_ns;
/// Checked when Keystore 2.0 gets locked.
GetState = 4, selinux name: get_state;
+ /// Checked when Keystore 2.0 is asked to list a namespace that the caller
+ /// does not have the get_info permission for.
+ List = 8, selinux name: list;
/// Checked when Keystore 2.0 gets locked.
- Lock = 8, selinux name: lock;
+ Lock = 0x10, selinux name: lock;
/// Checked when Keystore 2.0 shall be reset.
- Reset = 0x10, selinux name: reset;
+ Reset = 0x20, selinux name: reset;
/// Checked when Keystore 2.0 shall be unlocked.
- Unlock = 0x20, selinux name: unlock;
+ Unlock = 0x40, selinux name: unlock;
}
);
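Review bot: The doc comment on the new `List` variant reads as if it described a per-namespace check, while the commit message states that list is a keystore-wide permission that is not key- or namespace-specific; consider wording it as `/// Checked when Keystore 2.0 is asked to list a namespace for which the caller lacks get_info. This is a global permission, not scoped to the namespace being listed.` so the distinction from the KeyPerm set is visible at the definition. Adjacent but pre-existing: the context line above `GetState` reads "Checked when Keystore 2.0 gets locked.", identical to the comment above `Lock`, which looks like a copy-paste leftover worth fixing while this enum is being touched.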
@@ -556,7 +558,6 @@
KeyPerm::gen_unique_id(),
KeyPerm::grant(),
KeyPerm::get_info(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -570,7 +571,6 @@
KeyPerm::gen_unique_id(),
// No KeyPerm::grant()
KeyPerm::get_info(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -579,7 +579,6 @@
const UNPRIV_PERMS: KeyPermSet = key_perm_set![
KeyPerm::delete(),
KeyPerm::get_info(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -632,6 +631,7 @@
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::add_auth()).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::clear_ns()).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::get_state()).is_ok());
+ assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::list()).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::lock()).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::reset()).is_ok());
assert!(check_keystore_permission(&system_server_ctx, KeystorePerm::unlock()).is_ok());
@@ -639,6 +639,7 @@
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::add_auth()));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::clear_ns()));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::get_state()));
+ assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::list()));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::lock()));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::reset()));
assert_perm_failed!(check_keystore_permission(&shell_ctx, KeystorePerm::unlock()));
@@ -718,7 +719,6 @@
assert!(check_key_permission(&system_server_ctx, KeyPerm::delete(), &key, &None).is_ok());
assert!(check_key_permission(&system_server_ctx, KeyPerm::get_info(), &key, &None).is_ok());
assert!(check_key_permission(&system_server_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&system_server_ctx, KeyPerm::list(), &key, &None).is_ok());
assert!(check_key_permission(&system_server_ctx, KeyPerm::update(), &key, &None).is_ok());
assert!(check_key_permission(&system_server_ctx, KeyPerm::grant(), &key, &None).is_ok());
assert!(
@@ -730,7 +730,6 @@
assert!(check_key_permission(&shell_ctx, KeyPerm::delete(), &key, &None).is_ok());
assert!(check_key_permission(&shell_ctx, KeyPerm::get_info(), &key, &None).is_ok());
assert!(check_key_permission(&shell_ctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&shell_ctx, KeyPerm::list(), &key, &None).is_ok());
assert!(check_key_permission(&shell_ctx, KeyPerm::update(), &key, &None).is_ok());
assert_perm_failed!(check_key_permission(&shell_ctx, KeyPerm::grant(), &key, &None));
assert_perm_failed!(check_key_permission(
@@ -767,7 +766,6 @@
assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::manage_blob(), &key, &None).is_ok());
@@ -779,7 +777,6 @@
assert!(check_key_permission(&sctx, KeyPerm::delete(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::get_info(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::rebind(), &key, &None).is_ok());
- assert!(check_key_permission(&sctx, KeyPerm::list(), &key, &None).is_ok());
assert!(check_key_permission(&sctx, KeyPerm::update(), &key, &None).is_ok());
assert_perm_failed!(check_key_permission(&sctx, KeyPerm::grant(), &key, &None));
assert_perm_failed!(check_key_permission(&sctx, KeyPerm::req_forced_op(), &key, &None));
@@ -840,7 +837,6 @@
KeyPerm::gen_unique_id(),
KeyPerm::grant(),
KeyPerm::get_info(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_() // Test if the macro accepts missing comma at the end of the list.
@@ -850,7 +846,6 @@
assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
assert_eq!(i.next().unwrap().to_selinux(), "get_info");
assert_eq!(i.next().unwrap().to_selinux(), "grant");
- assert_eq!(i.next().unwrap().to_selinux(), "list");
assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
assert_eq!(i.next().unwrap().to_selinux(), "rebind");
assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
@@ -865,13 +860,11 @@
KeyPerm::manage_blob(),
KeyPerm::req_forced_op(),
KeyPerm::gen_unique_id(),
- KeyPerm::list(),
KeyPerm::update(),
KeyPerm::use_(), // Test if macro accepts the comma at the end of the list.
];
let mut i = v.into_iter();
assert_eq!(i.next().unwrap().to_selinux(), "gen_unique_id");
- assert_eq!(i.next().unwrap().to_selinux(), "list");
assert_eq!(i.next().unwrap().to_selinux(), "manage_blob");
assert_eq!(i.next().unwrap().to_selinux(), "req_forced_op");
assert_eq!(i.next().unwrap().to_selinux(), "update");
@@ -894,7 +887,6 @@
KeyPerm::gen_unique_id(),
KeyPerm::grant(),
KeyPerm::get_info(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -902,7 +894,6 @@
let v2 = key_perm_set![
KeyPerm::manage_blob(),
KeyPerm::delete(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -915,7 +906,6 @@
let v1 = key_perm_set![
KeyPerm::manage_blob(),
KeyPerm::delete(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -923,7 +913,6 @@
let v2 = key_perm_set![
KeyPerm::manage_blob(),
KeyPerm::delete(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -937,7 +926,6 @@
KeyPerm::manage_blob(),
KeyPerm::delete(),
KeyPerm::grant(), // only in v1
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -946,7 +934,6 @@
KeyPerm::manage_blob(),
KeyPerm::delete(),
KeyPerm::req_forced_op(), // only in v2
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),
@@ -959,7 +946,6 @@
let v1 = key_perm_set![KeyPerm::manage_blob(), KeyPerm::delete(), KeyPerm::grant(),];
let v2 = key_perm_set![
KeyPerm::req_forced_op(),
- KeyPerm::list(),
KeyPerm::rebind(),
KeyPerm::update(),
KeyPerm::use_(),