[PATCH] libselinux android: Add keystore2_key label module.


 



This patch adds a new Android specific module for keystore2 key
namespace lookup. It assumes the presence of keystore_contexts files
mapping numeric namespace identifiers to SELinux labels. Keystore 2.0
uses this module to exert more granular access control and allow system
and vendor components to share explicit key namespaces.

Note that this patch was originally accepted July 30, 2020 into AOSP.
https://android-review.googlesource.com/c/platform/external/selinux/+/1329357

Original author: Kunal Shindea <shindek@xxxxxxxxxx>
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
 libselinux/include/selinux/label.h      | 2 ++
 libselinux/src/label.c                  | 3 ++-
 libselinux/src/label_backends_android.c | 6 +++---
 libselinux/src/label_internal.h         | 2 +-
 libselinux/utils/selabel_lookup.c       | 2 ++
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index e8983606..95e9a9b0 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -37,6 +37,8 @@ struct selabel_handle;
 #define SELABEL_CTX_ANDROID_PROP 4
 /* Android service contexts */
 #define SELABEL_CTX_ANDROID_SERVICE 5
+/* Android keystore key contexts */
+#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6
 
 /*
  * Available options
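Review bot: The comment added above the new define reads "Android keystore key contexts" while the identifier is SELABEL_CTX_ANDROID_KEYSTORE2_KEY and the selabel_lookup backend name added in the same patch is `keystore2_key`; `/* Android keystore2 key contexts */` would keep the three consistent. The SELABEL_CTX_* values appear to index the initfuncs[] table in label.c, so the value 6 has to match the position of the entry added there; a one-line remark to that effect would help whoever adds the next backend.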
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index a03192e5..dfc4e0bf 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -51,7 +51,8 @@ static selabel_initfunc initfuncs[] = {
 	CONFIG_X_BACKEND(selabel_x_init),
 	CONFIG_DB_BACKEND(selabel_db_init),
 	CONFIG_ANDROID_BACKEND(selabel_property_init),
-	CONFIG_ANDROID_BACKEND(selabel_service_init),
+	CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//service init
+	CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//keyStore key init
 };
 
 static inline struct selabel_digest *selabel_is_digest_set
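Review bot: The two added initfuncs[] entries are identical calls to selabel_exact_match_init, distinguished only by their position and by `//` comments with no space after the marker, so a reader cannot tell which slot serves which backend without counting from the top of the table. If the table is indexed by the SELABEL_CTX_* value, as its order suggests, naming the index in each comment would document the coupling: `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_SERVICE */` and `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_KEYSTORE2_KEY */`. That also matches the `/* */` comment style used in the rest of the patch. The initfuncs[] initializer begins before the hunk.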
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index cb8aae26..1cb83008 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -278,7 +278,7 @@ finish:
 	return ret;
 }
 
-static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+static struct selabel_lookup_rec *lookup_exact_match(struct selabel_handle *rec,
 		const char *key, int __attribute__((unused)) type)
 {
 	struct saved_data *data = (struct saved_data *)rec->data;
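Review bot: lookup_exact_match now serves two backend types, service and keystore2_key, but nothing at the definition records that, and the function body continues past the end of the hunk. A short comment above the signature, e.g. `/* Lookup shared by the service and keystore2_key backends; the key is compared as a whole string. */`, would explain why the former service-specific name was generalized. The whole-string comparison is inferred from the new name and should be confirmed against the body outside the hunk before the comment is committed.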
@@ -333,7 +333,7 @@ int selabel_property_init(struct selabel_handle *rec,
 	return init(rec, opts, nopts);
 }
 
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 		const struct selinux_opt *opts, unsigned nopts)
 {
 	struct saved_data *data;
@@ -345,7 +345,7 @@ int selabel_service_init(struct selabel_handle *rec,
 	rec->data = data;
 	rec->func_close = &closef;
 	rec->func_stats = &stats;
-	rec->func_lookup = &service_lookup;
+	rec->func_lookup = &lookup_exact_match;
 
 	return init(rec, opts, nopts);
 }
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 361b443c..fde55484 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -38,7 +38,7 @@ int selabel_db_init(struct selabel_handle *rec,
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
 			    unsigned nopts) ;
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
 			    unsigned nopts) ;
 
diff --git a/libselinux/utils/selabel_lookup.c b/libselinux/utils/selabel_lookup.c
index 1aef64de..b18e5fc6 100644
--- a/libselinux/utils/selabel_lookup.c
+++ b/libselinux/utils/selabel_lookup.c
@@ -59,6 +59,8 @@ int main(int argc, char **argv)
 				backend = SELABEL_CTX_ANDROID_PROP;
 			} else if (!strcmp(optarg, "service")) {
 				backend = SELABEL_CTX_ANDROID_SERVICE;
+			} else if (!strcmp(optarg, "keystore2_key")) {
+				backend = SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
 			} else {
 				fprintf(stderr, "Unknown backend: %s\n",
 								    optarg);
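Review bot: The new `keystore2_key` branch extends the backend option parser, but the patch does not touch the utility's usage text, which is outside this hunk; if that text enumerates the accepted names such as `prop` and `service`, `keystore2_key` should be added there as well, otherwise the new backend is only discoverable by reading the source. The diffstat shows no other change to selabel_lookup.c, so this is worth checking before merge. main() starts before the hunk and ends after it.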
-- 
2.31.1.498.g6c1eba8ee3d-goog




