keystore2/test_utils/run_as.rs - platform/system/security - Git at Google

 // Copyright 2021, The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 //! This module is intended for testing access control enforcement of services such as keystore2,
 //! by assuming various identities with varying levels of privilege. Consequently, appropriate
 //! privileges are required, or the attempt will fail causing a panic.
 //! The `run_as` module provides the function `run_as`, which takes a UID, GID, an SELinux
 //! context, and a closure. The return type of the closure, which is also the return type of
 //! `run_as`, must implement `serde::Serialize` and `serde::Deserialize`.
 //! `run_as` forks, transitions to the given identity, and executes the closure in the newly
 //! forked process. If the closure returns, i.e., does not panic, the forked process exits with
 //! a status of `0`, and the return value is serialized and sent through a pipe to the parent where
 //! it gets deserialized and returned. The STDIO is not changed and the parent's panic handler
 //! remains unchanged. So if the closure panics, the panic message is printed on the parent's STDERR
 //! and the exit status is set to a non `0` value. The latter causes the parent to panic as well,
 //! and if run in a test context, the test to fail.

 use keystore2_selinux as selinux;
 use nix::sys::wait::{waitpid, WaitStatus};
 use nix::unistd::{
     fork, pipe as nix_pipe, read as nix_read, setgid, setuid, write as nix_write, ForkResult, Gid,
     Pid, Uid,
 };
 use serde::{de::DeserializeOwned, Serialize};
 use std::io::{Read, Write};
 use std::marker::PhantomData;
 use std::os::fd::AsRawFd;
 use std::os::fd::OwnedFd;

 fn transition(se_context: selinux::Context, uid: Uid, gid: Gid) {
     setgid(gid).expect("Failed to set GID. This test might need more privileges.");
     setuid(uid).expect("Failed to set UID. This test might need more privileges.");

     selinux::setcon(&se_context)
         .expect("Failed to set SELinux context. This test might need more privileges.");
 }

 /// PipeReader is a simple wrapper around raw pipe file descriptors.
 /// It takes ownership of the file descriptor and closes it on drop. It provides `read_all`, which
 /// reads from the pipe into an expending vector, until no more data can be read.
 struct PipeReader(OwnedFd);

 impl Read for PipeReader {
     fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
         let bytes = nix_read(self.0.as_raw_fd(), buf)?;
         Ok(bytes)
     }
 }

 /// PipeWriter is a simple wrapper around raw pipe file descriptors.
 /// It takes ownership of the file descriptor and closes it on drop. It provides `write`, which
 /// writes the given buffer into the pipe, returning the number of bytes written.
 struct PipeWriter(OwnedFd);

 impl Write for PipeWriter {
     fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
         let written = nix_write(&self.0, buf)?;
         Ok(written)
     }

     fn flush(&mut self) -> std::io::Result<()> {
         // Flush is a NO-OP.
         Ok(())
     }
 }

 /// Denotes the sender side of a serializing channel.
 pub struct ChannelWriter<T: Serialize + DeserializeOwned>(PipeWriter, PhantomData<T>);

 impl<T: Serialize + DeserializeOwned> ChannelWriter<T> {
     /// Sends a serializable object to a the corresponding ChannelReader.
     /// Sending is always non blocking. Panics if any error occurs during io or serialization.
     pub fn send(&mut self, value: &T) {
         let serialized = serde_cbor::to_vec(value)
             .expect("In ChannelWriter::send: Failed to serialize to vector.");
         let size = serialized.len().to_be_bytes();
         match self.0.write(&size).expect("In ChannelWriter::send: Failed to write serialized size.")
         {
             w if w != std::mem::size_of::<usize>() => {
                 panic!(
                     "In ChannelWriter::send: Failed to write serialized size. (written: {}).",
                     w
                 );
             }
             _ => {}
         };
         match self
             .0
             .write(&serialized)
             .expect("In ChannelWriter::send: Failed to write serialized data.")
         {
             w if w != serialized.len() => {
                 panic!(
                     "In ChannelWriter::send: Failed to write serialized data. (written: {}).",
                     w
                 );
             }
             _ => {}
         };
     }
 }

 /// Represents the receiving and of a serializing channel.
 pub struct ChannelReader<T>(PipeReader, PhantomData<T>);

 impl<T: Serialize + DeserializeOwned> ChannelReader<T> {
     /// Receives a serializable object from the corresponding ChannelWriter.
     /// Receiving blocks until an object of type T has been read from the channel.
     /// Panics if an error occurs during io or deserialization.
     pub fn recv(&mut self) -> T {
         let mut size_buffer = [0u8; std::mem::size_of::<usize>()];
         match self.0.read(&mut size_buffer).expect("In ChannelReader::recv: Failed to read size.") {
             r if r != size_buffer.len() => {
                 panic!("In ChannelReader::recv: Failed to read size. Insufficient data: {}", r);
             }
             _ => {}
         };
         let size = usize::from_be_bytes(size_buffer);
         let mut data_buffer = vec![0u8; size];
         match self
             .0
             .read(&mut data_buffer)
             .expect("In ChannelReader::recv: Failed to read serialized data.")
         {
             r if r != data_buffer.len() => {
                 panic!(
                     "In ChannelReader::recv: Failed to read serialized data. Insufficient data: {}",
                     r
                 );
             }
             _ => {}
         };

         serde_cbor::from_slice(&data_buffer)
             .expect("In ChannelReader::recv: Failed to deserialize data.")
     }
 }

 fn pipe() -> Result<(PipeReader, PipeWriter), nix::Error> {
     let (read_fd, write_fd) = nix_pipe()?;
     Ok((PipeReader(read_fd), PipeWriter(write_fd)))
 }

 fn pipe_channel<T>() -> Result<(ChannelReader<T>, ChannelWriter<T>), nix::Error>
 where
     T: Serialize + DeserializeOwned,
 {
     let (reader, writer) = pipe()?;
     Ok((
         ChannelReader::<T>(reader, Default::default()),
         ChannelWriter::<T>(writer, Default::default()),
     ))
 }

 /// Handle for handling child processes.
 pub struct ChildHandle<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> {
     pid: Pid,
     result_reader: ChannelReader<R>,
     cmd_writer: ChannelWriter<M>,
     response_reader: ChannelReader<M>,
     exit_status: Option<WaitStatus>,
 }

 impl<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> ChildHandle<R, M> {
     /// Send a command message to the child.
     pub fn send(&mut self, data: &M) {
         self.cmd_writer.send(data)
     }

     /// Receive a response from the child.
     pub fn recv(&mut self) -> M {
         self.response_reader.recv()
     }

     /// Get child result. Panics if the child did not exit with status 0 or if a serialization
     /// error occurred.
     pub fn get_result(mut self) -> R {
         let status =
             waitpid(self.pid, None).expect("ChildHandle::wait: Failed while waiting for child.");
         match status {
             WaitStatus::Exited(pid, 0) => {
                 // Child exited successfully.
                 // Read the result from the pipe.
                 self.exit_status = Some(WaitStatus::Exited(pid, 0));
                 self.result_reader.recv()
             }
             WaitStatus::Exited(pid, c) => {
                 panic!("Child did not exit as expected: {:?}", WaitStatus::Exited(pid, c));
             }
             status => {
                 panic!("Child did not exit at all: {:?}", status);
             }
         }
     }
 }

 impl<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> Drop for ChildHandle<R, M> {
     fn drop(&mut self) {
         if self.exit_status.is_none() {
             panic!("Child result not checked.")
         }
     }
 }

 /// Run the given closure in a new process running with the new identity given as
 /// `uid`, `gid`, and `se_context`. Parent process will run without waiting for child status.
 ///
 /// # Safety
 /// run_as_child runs the given closure in the client branch of fork. And it uses non
 /// async signal safe API. This means that calling this function in a multi threaded program
 /// yields undefined behavior in the child. As of this writing, it is safe to call this function
 /// from a Rust device test, because every test itself is spawned as a separate process.
 ///
 /// # Safety Binder
 /// It is okay for the closure to use binder services, however, this does not work
 /// if the parent initialized libbinder already. So do not use binder outside of the closure
 /// in your test.
 pub unsafe fn run_as_child<F, R, M>(
     se_context: &str,
     uid: Uid,
     gid: Gid,
     f: F,
 ) -> Result<ChildHandle<R, M>, nix::Error>
 where
     R: Serialize + DeserializeOwned,
     M: Serialize + DeserializeOwned,
     F: 'static + Send + FnOnce(&mut ChannelReader<M>, &mut ChannelWriter<M>) -> R,
 {
     let se_context =
         selinux::Context::new(se_context).expect("Unable to construct selinux::Context.");
     let (result_reader, mut result_writer) = pipe_channel().expect("Failed to create pipe.");
     let (mut cmd_reader, cmd_writer) = pipe_channel().expect("Failed to create cmd pipe.");
     let (response_reader, mut response_writer) =
         pipe_channel().expect("Failed to create cmd pipe.");

     // SAFETY: Our caller guarantees that the process only has a single thread, so calling
     // non-async-signal-safe functions in the child is in fact safe.
     match unsafe { fork() } {
         Ok(ForkResult::Parent { child, .. }) => {
             drop(response_writer);
             drop(cmd_reader);
             drop(result_writer);

             Ok(ChildHandle::<R, M> {
                 pid: child,
                 result_reader,
                 response_reader,
                 cmd_writer,
                 exit_status: None,
             })
         }
         Ok(ForkResult::Child) => {
             drop(cmd_writer);
             drop(response_reader);
             drop(result_reader);

             // This will panic on error or insufficient privileges.
             transition(se_context, uid, gid);

             // Run the closure.
             let result = f(&mut cmd_reader, &mut response_writer);

             // Serialize the result of the closure.
             result_writer.send(&result);

             // Set exit status to `0`.
             std::process::exit(0);
         }
         Err(errno) => {
             panic!("Failed to fork: {:?}", errno);
         }
     }
 }

 /// Run the given closure in a new process running with the new identity given as
 /// `uid`, `gid`, and `se_context`.
 ///
 /// # Safety
 /// run_as runs the given closure in the client branch of fork. And it uses non
 /// async signal safe API. This means that calling this function in a multi threaded program
 /// yields undefined behavior in the child. As of this writing, it is safe to call this function
 /// from a Rust device test, because every test itself is spawned as a separate process.
 ///
 /// # Safety Binder
 /// It is okay for the closure to use binder services, however, this does not work
 /// if the parent initialized libbinder already. So do not use binder outside of the closure
 /// in your test.
 pub unsafe fn run_as<F, R>(se_context: &str, uid: Uid, gid: Gid, f: F) -> R
 where
     R: Serialize + DeserializeOwned,
     F: 'static + Send + FnOnce() -> R,
 {
     let se_context =
         selinux::Context::new(se_context).expect("Unable to construct selinux::Context.");
     let (mut reader, mut writer) = pipe_channel::<R>().expect("Failed to create pipe.");

     // SAFETY: Our caller guarantees that the process only has a single thread, so calling
     // non-async-signal-safe functions in the child is in fact safe.
     match unsafe { fork() } {
         Ok(ForkResult::Parent { child, .. }) => {
             drop(writer);
             let status = waitpid(child, None).expect("Failed while waiting for child.");
             if let WaitStatus::Exited(_, 0) = status {
                 // Child exited successfully.
                 // Read the result from the pipe.
                 // let serialized_result =
                 //     reader.read_all().expect("Failed to read result from child.");

                 // Deserialize the result and return it.
                 reader.recv()
             } else {
                 panic!("Child did not exit as expected {:?}", status);
             }
         }
         Ok(ForkResult::Child) => {
             // This will panic on error or insufficient privileges.
             transition(se_context, uid, gid);

             // Run the closure.
             let result = f();

             // Serialize the result of the closure.
             writer.send(&result);

             // Set exit status to `0`.
             std::process::exit(0);
         }
         Err(errno) => {
             panic!("Failed to fork: {:?}", errno);
         }
     }
 }

 #[cfg(test)]
 mod test {
     use super::*;
     use keystore2_selinux as selinux;
     use nix::unistd::{getgid, getuid};
     use serde::{Deserialize, Serialize};

     /// This test checks that the closure does not produce an exit status of `0` when run inside a
     /// test and the closure panics. This would mask test failures as success.
     #[test]
     #[should_panic]
     fn test_run_as_panics_on_closure_panic() {
         // Safety: run_as must be called from a single threaded process.
         // This device test is run as a separate single threaded process.
         unsafe {
             run_as(selinux::getcon().unwrap().to_str().unwrap(), getuid(), getgid(), || {
                 panic!("Closure must panic.")
             })
         };
     }

     static TARGET_UID: Uid = Uid::from_raw(10020);
     static TARGET_GID: Gid = Gid::from_raw(10020);
     static TARGET_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";

     /// Tests that the closure is running as the target identity.
     #[test]
     fn test_transition_to_untrusted_app() {
         // Safety: run_as must be called from a single threaded process.
         // This device test is run as a separate single threaded process.
         unsafe {
             run_as(TARGET_CTX, TARGET_UID, TARGET_GID, || {
                 assert_eq!(TARGET_UID, getuid());
                 assert_eq!(TARGET_GID, getgid());
                 assert_eq!(TARGET_CTX, selinux::getcon().unwrap().to_str().unwrap());
             })
         };
     }

     #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
     struct SomeResult {
         a: u32,
         b: u64,
         c: String,
     }

     #[test]
     fn test_serialized_result() {
         let test_result = SomeResult {
             a: 5,
             b: 0xffffffffffffffff,
             c: "supercalifragilisticexpialidocious".to_owned(),
         };
         let test_result_clone = test_result.clone();
         // Safety: run_as must be called from a single threaded process.
         // This device test is run as a separate single threaded process.
         let result = unsafe { run_as(TARGET_CTX, TARGET_UID, TARGET_GID, || test_result_clone) };
         assert_eq!(test_result, result);
     }

     #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
     enum PingPong {
         Ping,
         Pong,
     }

     /// Tests that closure is running under given user identity and communicates with calling
     /// process using pipe.
     #[test]
     fn test_run_as_child() {
         let test_result = SomeResult {
             a: 5,
             b: 0xffffffffffffffff,
             c: "supercalifragilisticexpialidocious".to_owned(),
         };
         let test_result_clone = test_result.clone();

         // Safety: run_as_child must be called from a single threaded process.
         // This device test is run as a separate single threaded process.
         let mut child_handle: ChildHandle<SomeResult, PingPong> = unsafe {
             run_as_child(TARGET_CTX, TARGET_UID, TARGET_GID, |cmd_reader, response_writer| {
                 assert_eq!(TARGET_UID, getuid());
                 assert_eq!(TARGET_GID, getgid());
                 assert_eq!(TARGET_CTX, selinux::getcon().unwrap().to_str().unwrap());

                 let ping: PingPong = cmd_reader.recv();
                 assert_eq!(ping, PingPong::Ping);

                 response_writer.send(&PingPong::Pong);

                 let ping: PingPong = cmd_reader.recv();
                 assert_eq!(ping, PingPong::Ping);
                 let pong: PingPong = cmd_reader.recv();
                 assert_eq!(pong, PingPong::Pong);

                 response_writer.send(&PingPong::Pong);
                 response_writer.send(&PingPong::Ping);

                 test_result_clone
             })
             .unwrap()
         };

         // Send one ping.
         child_handle.send(&PingPong::Ping);

         // Expect one pong.
         let pong = child_handle.recv();
         assert_eq!(pong, PingPong::Pong);

         // Send ping and pong.
         child_handle.send(&PingPong::Ping);
         child_handle.send(&PingPong::Pong);

         // Expect pong and ping.
         let pong = child_handle.recv();
         assert_eq!(pong, PingPong::Pong);
         let ping = child_handle.recv();
         assert_eq!(ping, PingPong::Ping);

         assert_eq!(child_handle.get_result(), test_result);
     }
 }
	// Copyright 2021, The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	//! This module is intended for testing access control enforcement of services such as keystore2,
	//! by assuming various identities with varying levels of privilege. Consequently, appropriate
	//! privileges are required, or the attempt will fail causing a panic.
	//! The `run_as` module provides the function `run_as`, which takes a UID, GID, an SELinux
	//! context, and a closure. The return type of the closure, which is also the return type of
	//! `run_as`, must implement `serde::Serialize` and `serde::Deserialize`.
	//! `run_as` forks, transitions to the given identity, and executes the closure in the newly
	//! forked process. If the closure returns, i.e., does not panic, the forked process exits with
	//! a status of `0`, and the return value is serialized and sent through a pipe to the parent where
	//! it gets deserialized and returned. The STDIO is not changed and the parent's panic handler
	//! remains unchanged. So if the closure panics, the panic message is printed on the parent's STDERR
	//! and the exit status is set to a non `0` value. The latter causes the parent to panic as well,
	//! and if run in a test context, the test to fail.

	use keystore2_selinux as selinux;
	use nix::sys::wait::{waitpid, WaitStatus};
	use nix::unistd::{
	fork, pipe as nix_pipe, read as nix_read, setgid, setuid, write as nix_write, ForkResult, Gid,
	Pid, Uid,
	};
	use serde::{de::DeserializeOwned, Serialize};
	use std::io::{Read, Write};
	use std::marker::PhantomData;
	use std::os::fd::AsRawFd;
	use std::os::fd::OwnedFd;

	fn transition(se_context: selinux::Context, uid: Uid, gid: Gid) {
	setgid(gid).expect("Failed to set GID. This test might need more privileges.");
	setuid(uid).expect("Failed to set UID. This test might need more privileges.");

	selinux::setcon(&se_context)
	.expect("Failed to set SELinux context. This test might need more privileges.");
	}

	/// PipeReader is a simple wrapper around raw pipe file descriptors.
	/// It takes ownership of the file descriptor and closes it on drop. It provides `read_all`, which
	/// reads from the pipe into an expending vector, until no more data can be read.
	struct PipeReader(OwnedFd);

	impl Read for PipeReader {
	fn read(&mut self, buf: &mut [u8]) -> std::io::Result<usize> {
	let bytes = nix_read(self.0.as_raw_fd(), buf)?;
	Ok(bytes)
	}
	}

	/// PipeWriter is a simple wrapper around raw pipe file descriptors.
	/// It takes ownership of the file descriptor and closes it on drop. It provides `write`, which
	/// writes the given buffer into the pipe, returning the number of bytes written.
	struct PipeWriter(OwnedFd);

	impl Write for PipeWriter {
	fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
	let written = nix_write(&self.0, buf)?;
	Ok(written)
	}

	fn flush(&mut self) -> std::io::Result<()> {
	// Flush is a NO-OP.
	Ok(())
	}
	}

	/// Denotes the sender side of a serializing channel.
	pub struct ChannelWriter<T: Serialize + DeserializeOwned>(PipeWriter, PhantomData<T>);

	impl<T: Serialize + DeserializeOwned> ChannelWriter<T> {
	/// Sends a serializable object to a the corresponding ChannelReader.
	/// Sending is always non blocking. Panics if any error occurs during io or serialization.
	pub fn send(&mut self, value: &T) {
	let serialized = serde_cbor::to_vec(value)
	.expect("In ChannelWriter::send: Failed to serialize to vector.");
	let size = serialized.len().to_be_bytes();
	match self.0.write(&size).expect("In ChannelWriter::send: Failed to write serialized size.")
	{
	w if w != std::mem::size_of::<usize>() => {
	panic!(
	"In ChannelWriter::send: Failed to write serialized size. (written: {}).",
	w
	);
	}
	_ => {}
	};
	match self
	.0
	.write(&serialized)
	.expect("In ChannelWriter::send: Failed to write serialized data.")
	{
	w if w != serialized.len() => {
	panic!(
	"In ChannelWriter::send: Failed to write serialized data. (written: {}).",
	w
	);
	}
	_ => {}
	};
	}
	}

	/// Represents the receiving and of a serializing channel.
	pub struct ChannelReader<T>(PipeReader, PhantomData<T>);

	impl<T: Serialize + DeserializeOwned> ChannelReader<T> {
	/// Receives a serializable object from the corresponding ChannelWriter.
	/// Receiving blocks until an object of type T has been read from the channel.
	/// Panics if an error occurs during io or deserialization.
	pub fn recv(&mut self) -> T {
	let mut size_buffer = [0u8; std::mem::size_of::<usize>()];
	match self.0.read(&mut size_buffer).expect("In ChannelReader::recv: Failed to read size.") {
	r if r != size_buffer.len() => {
	panic!("In ChannelReader::recv: Failed to read size. Insufficient data: {}", r);
	}
	_ => {}
	};
	let size = usize::from_be_bytes(size_buffer);
	let mut data_buffer = vec![0u8; size];
	match self
	.0
	.read(&mut data_buffer)
	.expect("In ChannelReader::recv: Failed to read serialized data.")
	{
	r if r != data_buffer.len() => {
	panic!(
	"In ChannelReader::recv: Failed to read serialized data. Insufficient data: {}",
	r
	);
	}
	_ => {}
	};

	serde_cbor::from_slice(&data_buffer)
	.expect("In ChannelReader::recv: Failed to deserialize data.")
	}
	}

	fn pipe() -> Result<(PipeReader, PipeWriter), nix::Error> {
	let (read_fd, write_fd) = nix_pipe()?;
	Ok((PipeReader(read_fd), PipeWriter(write_fd)))
	}

	fn pipe_channel<T>() -> Result<(ChannelReader<T>, ChannelWriter<T>), nix::Error>
	where
	T: Serialize + DeserializeOwned,
	{
	let (reader, writer) = pipe()?;
	Ok((
	ChannelReader::<T>(reader, Default::default()),
	ChannelWriter::<T>(writer, Default::default()),
	))
	}

	/// Handle for handling child processes.
	pub struct ChildHandle<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> {
	pid: Pid,
	result_reader: ChannelReader<R>,
	cmd_writer: ChannelWriter<M>,
	response_reader: ChannelReader<M>,
	exit_status: Option<WaitStatus>,
	}

	impl<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> ChildHandle<R, M> {
	/// Send a command message to the child.
	pub fn send(&mut self, data: &M) {
	self.cmd_writer.send(data)
	}

	/// Receive a response from the child.
	pub fn recv(&mut self) -> M {
	self.response_reader.recv()
	}

	/// Get child result. Panics if the child did not exit with status 0 or if a serialization
	/// error occurred.
	pub fn get_result(mut self) -> R {
	let status =
	waitpid(self.pid, None).expect("ChildHandle::wait: Failed while waiting for child.");
	match status {
	WaitStatus::Exited(pid, 0) => {
	// Child exited successfully.
	// Read the result from the pipe.
	self.exit_status = Some(WaitStatus::Exited(pid, 0));
	self.result_reader.recv()
	}
	WaitStatus::Exited(pid, c) => {
	panic!("Child did not exit as expected: {:?}", WaitStatus::Exited(pid, c));
	}
	status => {
	panic!("Child did not exit at all: {:?}", status);
	}
	}
	}
	}

	impl<R: Serialize + DeserializeOwned, M: Serialize + DeserializeOwned> Drop for ChildHandle<R, M> {
	fn drop(&mut self) {
	if self.exit_status.is_none() {
	panic!("Child result not checked.")
	}
	}
	}

	/// Run the given closure in a new process running with the new identity given as
	/// `uid`, `gid`, and `se_context`. Parent process will run without waiting for child status.
	///
	/// # Safety
	/// run_as_child runs the given closure in the client branch of fork. And it uses non
	/// async signal safe API. This means that calling this function in a multi threaded program
	/// yields undefined behavior in the child. As of this writing, it is safe to call this function
	/// from a Rust device test, because every test itself is spawned as a separate process.
	///
	/// # Safety Binder
	/// It is okay for the closure to use binder services, however, this does not work
	/// if the parent initialized libbinder already. So do not use binder outside of the closure
	/// in your test.
	pub unsafe fn run_as_child<F, R, M>(
	se_context: &str,
	uid: Uid,
	gid: Gid,
	f: F,
	) -> Result<ChildHandle<R, M>, nix::Error>
	where
	R: Serialize + DeserializeOwned,
	M: Serialize + DeserializeOwned,
	F: 'static + Send + FnOnce(&mut ChannelReader<M>, &mut ChannelWriter<M>) -> R,
	{
	let se_context =
	selinux::Context::new(se_context).expect("Unable to construct selinux::Context.");
	let (result_reader, mut result_writer) = pipe_channel().expect("Failed to create pipe.");
	let (mut cmd_reader, cmd_writer) = pipe_channel().expect("Failed to create cmd pipe.");
	let (response_reader, mut response_writer) =
	pipe_channel().expect("Failed to create cmd pipe.");

	// SAFETY: Our caller guarantees that the process only has a single thread, so calling
	// non-async-signal-safe functions in the child is in fact safe.
	match unsafe { fork() } {
	Ok(ForkResult::Parent { child, .. }) => {
	drop(response_writer);
	drop(cmd_reader);
	drop(result_writer);

	Ok(ChildHandle::<R, M> {
	pid: child,
	result_reader,
	response_reader,
	cmd_writer,
	exit_status: None,
	})
	}
	Ok(ForkResult::Child) => {
	drop(cmd_writer);
	drop(response_reader);
	drop(result_reader);

	// This will panic on error or insufficient privileges.
	transition(se_context, uid, gid);

	// Run the closure.
	let result = f(&mut cmd_reader, &mut response_writer);

	// Serialize the result of the closure.
	result_writer.send(&result);

	// Set exit status to `0`.
	std::process::exit(0);
	}
	Err(errno) => {
	panic!("Failed to fork: {:?}", errno);
	}
	}
	}

	/// Run the given closure in a new process running with the new identity given as
	/// `uid`, `gid`, and `se_context`.
	///
	/// # Safety
	/// run_as runs the given closure in the client branch of fork. And it uses non
	/// async signal safe API. This means that calling this function in a multi threaded program
	/// yields undefined behavior in the child. As of this writing, it is safe to call this function
	/// from a Rust device test, because every test itself is spawned as a separate process.
	///
	/// # Safety Binder
	/// It is okay for the closure to use binder services, however, this does not work
	/// if the parent initialized libbinder already. So do not use binder outside of the closure
	/// in your test.
	pub unsafe fn run_as<F, R>(se_context: &str, uid: Uid, gid: Gid, f: F) -> R
	where
	R: Serialize + DeserializeOwned,
	F: 'static + Send + FnOnce() -> R,
	{
	let se_context =
	selinux::Context::new(se_context).expect("Unable to construct selinux::Context.");
	let (mut reader, mut writer) = pipe_channel::<R>().expect("Failed to create pipe.");

	// SAFETY: Our caller guarantees that the process only has a single thread, so calling
	// non-async-signal-safe functions in the child is in fact safe.
	match unsafe { fork() } {
	Ok(ForkResult::Parent { child, .. }) => {
	drop(writer);
	let status = waitpid(child, None).expect("Failed while waiting for child.");
	if let WaitStatus::Exited(_, 0) = status {
	// Child exited successfully.
	// Read the result from the pipe.
	// let serialized_result =
	// reader.read_all().expect("Failed to read result from child.");

	// Deserialize the result and return it.
	reader.recv()
	} else {
	panic!("Child did not exit as expected {:?}", status);
	}
	}
	Ok(ForkResult::Child) => {
	// This will panic on error or insufficient privileges.
	transition(se_context, uid, gid);

	// Run the closure.
	let result = f();

	// Serialize the result of the closure.
	writer.send(&result);

	// Set exit status to `0`.
	std::process::exit(0);
	}
	Err(errno) => {
	panic!("Failed to fork: {:?}", errno);
	}
	}
	}

	#[cfg(test)]
	mod test {
	use super::*;
	use keystore2_selinux as selinux;
	use nix::unistd::{getgid, getuid};
	use serde::{Deserialize, Serialize};

	/// This test checks that the closure does not produce an exit status of `0` when run inside a
	/// test and the closure panics. This would mask test failures as success.
	#[test]
	#[should_panic]
	fn test_run_as_panics_on_closure_panic() {
	// Safety: run_as must be called from a single threaded process.
	// This device test is run as a separate single threaded process.
	unsafe {
	run_as(selinux::getcon().unwrap().to_str().unwrap(), getuid(), getgid(), \|\| {
	panic!("Closure must panic.")
	})
	};
	}

	static TARGET_UID: Uid = Uid::from_raw(10020);
	static TARGET_GID: Gid = Gid::from_raw(10020);
	static TARGET_CTX: &str = "u:r:untrusted_app:s0:c91,c256,c10,c20";

	/// Tests that the closure is running as the target identity.
	#[test]
	fn test_transition_to_untrusted_app() {
	// Safety: run_as must be called from a single threaded process.
	// This device test is run as a separate single threaded process.
	unsafe {
	run_as(TARGET_CTX, TARGET_UID, TARGET_GID, \|\| {
	assert_eq!(TARGET_UID, getuid());
	assert_eq!(TARGET_GID, getgid());
	assert_eq!(TARGET_CTX, selinux::getcon().unwrap().to_str().unwrap());
	})
	};
	}

	#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
	struct SomeResult {
	a: u32,
	b: u64,
	c: String,
	}

	#[test]
	fn test_serialized_result() {
	let test_result = SomeResult {
	a: 5,
	b: 0xffffffffffffffff,
	c: "supercalifragilisticexpialidocious".to_owned(),
	};
	let test_result_clone = test_result.clone();
	// Safety: run_as must be called from a single threaded process.
	// This device test is run as a separate single threaded process.
	let result = unsafe { run_as(TARGET_CTX, TARGET_UID, TARGET_GID, \|\| test_result_clone) };
	assert_eq!(test_result, result);
	}

	#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
	enum PingPong {
	Ping,
	Pong,
	}

	/// Tests that closure is running under given user identity and communicates with calling
	/// process using pipe.
	#[test]
	fn test_run_as_child() {
	let test_result = SomeResult {
	a: 5,
	b: 0xffffffffffffffff,
	c: "supercalifragilisticexpialidocious".to_owned(),
	};
	let test_result_clone = test_result.clone();

	// Safety: run_as_child must be called from a single threaded process.
	// This device test is run as a separate single threaded process.
	let mut child_handle: ChildHandle<SomeResult, PingPong> = unsafe {
	run_as_child(TARGET_CTX, TARGET_UID, TARGET_GID, \|cmd_reader, response_writer\| {
	assert_eq!(TARGET_UID, getuid());
	assert_eq!(TARGET_GID, getgid());
	assert_eq!(TARGET_CTX, selinux::getcon().unwrap().to_str().unwrap());

	let ping: PingPong = cmd_reader.recv();
	assert_eq!(ping, PingPong::Ping);

	response_writer.send(&PingPong::Pong);

	let ping: PingPong = cmd_reader.recv();
	assert_eq!(ping, PingPong::Ping);
	let pong: PingPong = cmd_reader.recv();
	assert_eq!(pong, PingPong::Pong);

	response_writer.send(&PingPong::Pong);
	response_writer.send(&PingPong::Ping);

	test_result_clone
	})
	.unwrap()
	};

	// Send one ping.
	child_handle.send(&PingPong::Ping);

	// Expect one pong.
	let pong = child_handle.recv();
	assert_eq!(pong, PingPong::Pong);

	// Send ping and pong.
	child_handle.send(&PingPong::Ping);
	child_handle.send(&PingPong::Pong);

	// Expect pong and ping.
	let pong = child_handle.recv();
	assert_eq!(pong, PingPong::Pong);
	let ping = child_handle.recv();
	assert_eq!(ping, PingPong::Ping);

	assert_eq!(child_handle.get_result(), test_result);
	}
	}