30 use keystore2_selinux as selinux;
34 use selinux::Backend;
40 use selinux::getcon;
47     static ref KEYSTORE2_KEY_LABEL_BACKEND: selinux::KeystoreKeyBackend =
48             selinux::KeystoreKeyBackend::new().unwrap();
51 fn lookup_keystore2_key_context(namespace: i64) -> anyhow::Result<selinux::Context> {  in lookup_keystore2_key_context()
116         $e_name:ident, selinux name: use; $($element:tt)*)
126         $e_name:ident, selinux name: $e_str:ident; $($element:tt)*)
196         CONVERT_STORAGE_KEY_TO_EPHEMERAL,   selinux name: convert_storage_key_to_ephemeral;
197         DELETE,         selinux name: delete;
198         GEN_UNIQUE_ID,  selinux name: gen_unique_id;
199         GET_INFO,       selinux name: get_info;
200         GRANT,          selinux name: grant;
201         MANAGE_BLOB,    selinux name: manage_blob;
202         REBIND,         selinux name: rebind;
203         REQ_FORCED_OP,  selinux name: req_forced_op;
204         UPDATE,         selinux name: update;
205         USE,            selinux name: use;
206         USE_DEV_ID,     selinux name: use_dev_id;
237             $element_name:ident = $element_val:expr, selinux name: $selinux_name:ident;)*
292         AddAuth = 1,    selinux name: add_auth;
294         ClearNs = 2,    selinux name: clear_ns;
296         GetState = 4,   selinux name: get_state;
299         List = 8,       selinux name: list;
301         Lock = 0x10,       selinux name: lock;
303         Reset = 0x20,    selinux name: reset;
305         Unlock = 0x40,    selinux name: unlock;
307         ChangeUser = 0x80,    selinux name: change_user;
309         ChangePassword = 0x100,    selinux name: change_password;
311         ClearUID = 0x200,    selinux name: clear_uid;
313         GetAuthToken = 0x400,  selinux name: get_auth_token;
315         EarlyBootEnded = 0x800,   selinux name: early_boot_ended;
317         ReportOffBody = 0x1000, selinux name: report_off_body;
319         PullMetrics = 0x2000, selinux name: pull_metrics;
321         DeleteAllKeys = 0x4000, selinux name: delete_all_keys;
437     selinux::check_access(caller_ctx, &target_context, "keystore2", perm.to_selinux())  in check_keystore_permission()
465     selinux::check_access(caller_ctx, &target_context, "keystore2_key", "grant")  in check_grant_permission()
469         return Err(selinux::Error::perm()).context("Grant permission cannot be granted.");  in check_grant_permission()
473         selinux::check_access(caller_ctx, &target_context, "keystore2_key", p.to_selinux())  in check_grant_permission()
528                 return Err(selinux::Error::perm())  in check_key_permission()
538                     return Err(selinux::Error::perm())  in check_key_permission()
560             selinux::check_access(  in check_key_permission()
575     selinux::check_access(caller_ctx, &target_context, "keystore2_key", perm.to_selinux())  in check_key_permission()
653                 Some(&selinux::Error::perm()),
654                 result.err().unwrap().root_cause().downcast_ref::<selinux::Error>()
659     fn check_context() -> Result<(selinux::Context, i32, bool)> {  in check_context()
661         let context = selinux::getcon()?;  in check_context()
745             &selinux::Context::new("ignored").unwrap(),  in check_key_permission_domain_grant()
753             &selinux::Context::new("ignored").unwrap(),  in check_key_permission_domain_grant()
927                 &selinux::Context::new("ignored").unwrap(),  in check_key_permission_domain_key_id()