authorShaquille Johnson <ssjohnson@google.com>2023-11-28 17:41:16 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-11-28 17:41:16 +0000
commitabfc6f99d13121026b41da69bc01a8ea8a67d0bc (patch)
treeab80fd9a90d13f2358e6f557d674a8f054c9e167
parentc705c146ba17aaafbaed56a1bafa8c352b9c3aa3 (diff)
parent2dc300aee07133e4c3c9c3e1871f9280658f9e0a (diff)
Merge "Deprecate put and return error in ILegacyKeystore" into main am: 2dc300aee0
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2797796 Change-Id: I0c99eff2ad660c565b2dba1c8e41293c33a7394d Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--keystore2/aconfig/flags.aconfig2
-rw-r--r--keystore2/legacykeystore/Android.bp3
-rw-r--r--keystore2/legacykeystore/lib.rs17
3 files changed, 21 insertions, 1 deletions
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 725df2a9..7bdb0074 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -9,7 +9,7 @@ flag {
}
flag {
- name: "disable_legacy_keystore_put"
+ name: "disable_legacy_keystore_put_v2"
namespace: "hardware_backed_security"
description: "This flag disables legacy keystore put and makes it so that command returns an error"
bug: "307460850"
diff --git a/keystore2/legacykeystore/Android.bp b/keystore2/legacykeystore/Android.bp
index accc8b2c..8cb7289b 100644
--- a/keystore2/legacykeystore/Android.bp
+++ b/keystore2/legacykeystore/Android.bp
@@ -31,6 +31,7 @@ rust_defaults {
"android.security.legacykeystore-rust",
"libanyhow",
"libbinder_rs",
+ "libkeystore2_flags_rust",
"liblog_rust",
"libkeystore2_flags_rust",
"librusqlite",
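Review bot: `"libkeystore2_flags_rust"` now appears twice in this `rustlibs` list, because the added line sits two entries above an existing context line with the same name. The `rust_test` hunk further down has the same duplication. This looks like an automerge artifact; whether Soong tolerates the duplicate cannot be told from this page, but the list should carry the entry once. Drop the added line in both hunks and keep the existing entry; the `rust_library` hunk in between adds the library only once and is fine. The enclosing `rust_defaults` block starts and ends outside the hunk.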
@@ -44,6 +45,7 @@ rust_library {
defaults: ["liblegacykeystore-rust_defaults"],
rustlibs: [
"libkeystore2",
+ "libkeystore2_flags_rust",
"librusqlite",
],
}
@@ -61,6 +63,7 @@ rust_test {
"libkeystore2",
"libkeystore2_flags_rust",
"libkeystore2_test_utils",
+ "libkeystore2_flags_rust",
"liblog_rust",
"librusqlite",
"librustutils",
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index edc530a8..cf61482b 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -127,6 +127,12 @@ impl DB {
}
fn put(&mut self, caller_uid: u32, alias: &str, entry: &[u8]) -> Result<()> {
+ if keystore2_flags::disable_legacy_keystore_put_v2() {
+ return Err(Error::deprecated()).context(concat!(
+ "Storing into Keystore's legacy database is ",
+ "no longer supported, store in an app-specific database instead"
+ ));
+ }
self.with_transaction(TransactionBehavior::Immediate, |tx| {
tx.execute(
"INSERT OR REPLACE INTO profiles (owner, alias, profile) values (?, ?, ?)",
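Review bot: The flag check and its two-part message are copied verbatim into `DB::put` here and into `LegacyKeystore::put` in the last hunk, so the two can drift apart when the flag or wording changes. Since `LegacyKeystore::put` ends in `db.put(...)`, this guard is the one that actually keeps the `INSERT OR REPLACE` from running; the outer one only avoids opening the database. Consider a single shared message, e.g. `const PUT_DEPRECATED_MSG: &str = "Storing into Keystore's legacy database is no longer supported, store in an app-specific database instead";` used as `.context(PUT_DEPRECATED_MSG)` in both places, with a comment here stating that this is the enforcement point. The body of `put` continues outside the hunk.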
@@ -207,6 +213,11 @@ impl Error {
pub fn perm() -> Self {
Error::Error(ERROR_PERMISSION_DENIED)
}
+
+ /// Short hand for `Error::Error(ERROR_SYSTEM_ERROR)`
+ pub fn deprecated() -> Self {
+ Error::Error(ERROR_SYSTEM_ERROR)
+ }
}
/// This function should be used by legacykeystore service calls to translate error conditions
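Review bot: `Error::deprecated()` returns `ERROR_SYSTEM_ERROR`, so a caller, and anyone watching error rates, cannot tell a deliberate rejection of `put` from a genuine internal failure. The doc comment only restates the body. Whether the AIDL interface offers a more specific code is not visible here; if it does not, the comment should say why this code was chosen, e.g. `/// Returned when a deprecated operation is rejected; maps to ERROR_SYSTEM_ERROR because the interface defines no dedicated code, so callers cannot distinguish it from an internal failure.` The `impl Error` block starts outside the hunk.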
@@ -338,6 +349,12 @@ impl LegacyKeystore {
}
fn put(&self, alias: &str, uid: i32, entry: &[u8]) -> Result<()> {
+ if keystore2_flags::disable_legacy_keystore_put_v2() {
+ return Err(Error::deprecated()).context(concat!(
+ "Storing into Keystore's legacy database is ",
+ "no longer supported, store in an app-specific database instead"
+ ));
+ }
let uid = Self::get_effective_uid(uid).context("In put.")?;
let mut db = self.open_db().context("In put.")?;
db.put(uid, alias, entry).context("In put: Trying to insert entry into DB.")?;
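Review bot: The new `.context(...)` in `LegacyKeystore::put` does not carry the `"In put."` prefix that every other context string in this function uses, so a logged error chain for the rejected call will not name the function it came from. Prefixing the first literal, `"In put: Storing into Keystore's legacy database is ",`, keeps the chain consistent. None of the visible hunks adds a test for the flag-enabled path, although the `rust_test` dependencies were touched. A test asserting that `put` fails and leaves the `profiles` table unchanged when `disable_legacy_keystore_put_v2` is on would pin the behavior. The function body may continue past the end of the hunk.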