authorShaquille Johnson <ssjohnson@google.com>2024-03-06 14:42:56 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2024-03-06 14:42:56 +0000
commitb484dc1ce5cf0519364d137bef3e1d2810803100 (patch)
tree0f10e341f7fa60a473e95427a2c9c3fda12f0886
parentdae62efa2c2b8823094fe90b6aa62d99f3c77a4e (diff)
parenta4d10dbee0ba004163cd4c918a2100ffa2411b59 (diff)
downloadsecurity-b484dc1ce5cf0519364d137bef3e1d2810803100.tar.gz
Merge "Update authorization log to be more clear" into main
-rw-r--r--keystore2/src/authorization.rs23
1 files changed, 15 insertions, 8 deletions
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index f9567875..243abf13 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -128,7 +128,8 @@ impl AuthorizationManager {
fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
// Check keystore permission.
- check_keystore_permission(KeystorePerm::AddAuth).context(ks_err!())?;
+ check_keystore_permission(KeystorePerm::AddAuth)
+ .context(ks_err!("caller missing AddAuth permissions"))?;
log::info!(
"add_auth_token(challenge={}, userId={}, authId={}, authType={:#x}, timestamp={}ms)",
@@ -149,7 +150,8 @@ impl AuthorizationManager {
user_id,
password.is_some(),
);
- check_keystore_permission(KeystorePerm::Unlock).context(ks_err!("Unlock."))?;
+ check_keystore_permission(KeystorePerm::Unlock)
+ .context(ks_err!("caller missing Unlock permissions"))?;
ENFORCEMENTS.set_device_locked(user_id, false);
let mut skm = SUPER_KEY.write().unwrap();
@@ -160,7 +162,7 @@ impl AuthorizationManager {
.context(ks_err!("Unlock with password."))
} else {
DB.with(|db| skm.try_unlock_user_with_biometric(&mut db.borrow_mut(), user_id as u32))
- .context(ks_err!("try_unlock_user_with_biometric failed"))
+ .context(ks_err!("try_unlock_user_with_biometric failed user_id={user_id}"))
}
}
@@ -179,7 +181,8 @@ impl AuthorizationManager {
if !android_security_flags::fix_unlocked_device_required_keys_v2() {
weak_unlock_enabled = false;
}
- check_keystore_permission(KeystorePerm::Lock).context(ks_err!("Lock"))?;
+ check_keystore_permission(KeystorePerm::Lock)
+ .context(ks_err!("caller missing Lock permission"))?;
ENFORCEMENTS.set_device_locked(user_id, true);
let mut skm = SUPER_KEY.write().unwrap();
DB.with(|db| {
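Review bot: The new context string on the `check_keystore_permission(KeystorePerm::Lock)` line reads `caller missing Lock permission` (singular), while the first two hunks of this same change introduce `caller missing AddAuth permissions` and `caller missing Unlock permissions` (plural), so a search for one phrasing will miss the other denials. The singular form used here and in the remaining hunks reads better; the two plural strings are the ones to align, e.g. `ks_err!("caller missing AddAuth permission")` and `ks_err!("caller missing Unlock permission")`. The enclosing function's signature is above this hunk and its body continues past it.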
@@ -198,7 +201,8 @@ impl AuthorizationManager {
if !android_security_flags::fix_unlocked_device_required_keys_v2() {
return Ok(());
}
- check_keystore_permission(KeystorePerm::Lock).context(ks_err!("Lock"))?;
+ check_keystore_permission(KeystorePerm::Lock)
+ .context(ks_err!("caller missing Lock permission"))?;
SUPER_KEY.write().unwrap().wipe_plaintext_unlocked_device_required_keys(user_id as u32);
Ok(())
}
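Review bot: The `Lock` permission check on the `check_keystore_permission` line only runs after the `fix_unlocked_device_required_keys_v2()` gate, so with that flag off an unprivileged caller gets `Ok(())` instead of a permission error, and which callers may reach this entry point depends on the flag rather than on the caller's keystore permission alone. Since the commit already touches this line, consider moving it above the flag check so that `check_keystore_permission(KeystorePerm::Lock).context(ks_err!("caller missing Lock permission"))?;` is the first statement, followed by the existing `if !android_security_flags::fix_unlocked_device_required_keys_v2() { return Ok(()); }`. The function signature is outside the hunk, so I cannot tell whether the silent early return is intentional for callers on older flag configurations; if it is, a one-line comment saying so on the `return Ok(())` would spare the next reader the same question.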
@@ -208,7 +212,8 @@ impl AuthorizationManager {
if !android_security_flags::fix_unlocked_device_required_keys_v2() {
return Ok(());
}
- check_keystore_permission(KeystorePerm::Lock).context(ks_err!("Lock"))?;
+ check_keystore_permission(KeystorePerm::Lock)
+ .context(ks_err!("caller missing Lock permission"))?;
SUPER_KEY.write().unwrap().wipe_all_unlocked_device_required_keys(user_id as u32);
Ok(())
}
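Review bot: The denial message `caller missing Lock permission` added here is byte-identical to the ones in the two preceding hunks, so a log line by itself does not say which of the three Lock-gated operations was refused unless `ks_err!` prepends the call site (its definition is not visible here, so I cannot confirm). Naming the operation keeps the three distinguishable, e.g. `.context(ks_err!("caller missing Lock permission (wipe all unlocked-device-required keys)"))?;`. A `user_id={user_id}` suffix, as the biometric-unlock hunk adds, would also help since `user_id` is in scope on the next line. The enclosing function's signature is above the hunk.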
@@ -221,7 +226,8 @@ impl AuthorizationManager {
) -> Result<AuthorizationTokens> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
- check_keystore_permission(KeystorePerm::GetAuthToken).context(ks_err!("GetAuthToken"))?;
+ check_keystore_permission(KeystorePerm::GetAuthToken)
+ .context(ks_err!("caller missing GetAuthToken permission"))?;
// If the challenge is zero, return error
if challenge == 0 {
@@ -240,7 +246,8 @@ impl AuthorizationManager {
auth_types: &[HardwareAuthenticatorType],
) -> Result<i64> {
// Check keystore permission.
- check_keystore_permission(KeystorePerm::GetLastAuthTime).context(ks_err!())?;
+ check_keystore_permission(KeystorePerm::GetLastAuthTime)
+ .context(ks_err!("caller missing GetLastAuthTime permission"))?;
let mut max_time: i64 = -1;
for auth_type in auth_types.iter() {