This patch adds a new Android specific module for keystore2 key namespace lookup. It assumes the presence of keystore_contexts files mapping numeric namespace identifiers to SELinux labels. Keystore 2.0 uses this module to exert more granular access control and allow system and vendor components to share explicit key namespaces. Note that this patch was originally accepted July 30, 2020 into AOSP. https://android-review.googlesource.com/c/platform/external/selinux/+/1329357
Original author: Kunal Shindea <shindek@xxxxxxxxxx>
Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
---
 libselinux/include/selinux/label.h | 2 ++
 libselinux/src/label.c | 3 ++-
 libselinux/src/label_backends_android.c | 6 +++---
 libselinux/src/label_internal.h | 2 +-
 libselinux/utils/selabel_lookup.c | 2 ++
 5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index e8983606..95e9a9b0 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -37,6 +37,8 @@ struct selabel_handle;
 #define SELABEL_CTX_ANDROID_PROP 4
 /* Android service contexts */
 #define SELABEL_CTX_ANDROID_SERVICE 5
+/* Android keystore key contexts */
+#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6
 
 /*
  * Available options
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index a03192e5..dfc4e0bf 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -51,7 +51,8 @@ static selabel_initfunc initfuncs[] = {
 CONFIG_X_BACKEND(selabel_x_init),
 CONFIG_DB_BACKEND(selabel_db_init),
 CONFIG_ANDROID_BACKEND(selabel_property_init),
- CONFIG_ANDROID_BACKEND(selabel_service_init),
+ CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//service init
+ CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//keyStore key init
 };
 
 static inline struct selabel_digest *selabel_is_digest_set
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index cb8aae26..1cb83008 100644
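Review bot: The new `SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6` is documented only as "Android keystore key contexts", yet its value is also the position at which the matching entry is appended to `initfuncs[]` in label.c in this same patch, and selabel_open() appears to select the backend by indexing that table with the constant. A comment on the define should record that coupling, e.g. `/* Android keystore2 key-namespace contexts; value must equal this backend's slot in initfuncs[] (label.c) */`, and say what callers pass as the lookup key (per the commit message, a numeric key namespace identifier). The `SELABEL_OPT_*` documentation further down is outside the hunk; if the Android backend has no built-in default contexts path, it is worth stating there that this backend must be opened with an explicit path option.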
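Review bot: The two identical `CONFIG_ANDROID_BACKEND(selabel_exact_match_init)` entries are distinguishable only by position, and the trailing `//service init` / `//keyStore key init` comments neither name the index each slot stands for nor follow the `/* */` comment style used elsewhere in this file. Replacing them with `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_SERVICE */` and `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_KEYSTORE2_KEY */` lets a reader check the table against the defines by inspection. Since both backends now share one init and one lookup routine, the only thing separating the service and keystore2 namespaces at runtime is which contexts file the caller passes in; a one-line comment above the array saying so would save the next maintainer from assuming the duplicate line is a copy-paste error.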
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -278,7 +278,7 @@ finish:
 return ret;
 }
 
-static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+static struct selabel_lookup_rec *lookup_exact_match(struct selabel_handle *rec,
 const char *key, int __attribute__((unused)) type)
 {
 struct saved_data *data = (struct saved_data *)rec->data;
@@ -333,7 +333,7 @@ int selabel_property_init(struct selabel_handle *rec,
 return init(rec, opts, nopts);
 }
 
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 const struct selinux_opt *opts, unsigned nopts)
 {
 struct saved_data *data;
@@ -345,7 +345,7 @@ int selabel_service_init(struct selabel_handle *rec,
 rec->data = data;
 rec->func_close = &closef;
 rec->func_stats = &stats;
- rec->func_lookup = &service_lookup;
+ rec->func_lookup = &lookup_exact_match;
 
 return init(rec, opts, nopts);
 }
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 361b443c..fde55484 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -38,7 +38,7 @@ int selabel_db_init(struct selabel_handle *rec,
 int selabel_property_init(struct selabel_handle *rec,
 const struct selinux_opt *opts,
 unsigned nopts) ;
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 const struct selinux_opt *opts,
 unsigned nopts) ;
 
diff --git a/libselinux/utils/selabel_lookup.c b/libselinux/utils/selabel_lookup.c
index 1aef64de..b18e5fc6 100644
--- a/libselinux/utils/selabel_lookup.c
+++ b/libselinux/utils/selabel_lookup.c
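Review bot: `lookup_exact_match` now serves two backends but still carries no comment stating its contract, and the rename alone does not tell a keystore2 caller what "exact" means for its key. Add above the definition a comment along the lines of `/* Resolve key by exact match against the loaded spec table; shared by the service and keystore2_key backends. For keystore2_key the key is the numeric namespace id spelled exactly as in the contexts file. */` — whether the comparison is a plain string compare (so a differently formatted number would miss) is decided in the body, which continues outside the hunk, and the numeric-id part comes from the commit message and should be confirmed against the keystore2 contexts format. The same applies to `selabel_exact_match_init` in the next hunk, where a header comment could note that the two backends are interchangeable only because their contexts files share one line format and differ solely in the path the caller supplies.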
@@ -59,6 +59,8 @@ int main(int argc, char **argv)
 backend = SELABEL_CTX_ANDROID_PROP;
 } else if (!strcmp(optarg, "service")) {
 backend = SELABEL_CTX_ANDROID_SERVICE;
+ } else if (!strcmp(optarg, "keystore2_key")) {
+ backend = SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
 } else {
 fprintf(stderr, "Unknown backend: %s\n",
 optarg);
--
2.31.1.498.g6c1eba8ee3d-goog
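Review bot: The new `"keystore2_key"` branch only extends the `-b` parsing; if the utility's usage text (outside this hunk) enumerates the accepted backend names, it should list `keystore2_key` as well, otherwise the name is discoverable only from this source. A short comment on the new branch would also help users of the tool, e.g. `/* keystore2_key: the -k key is the numeric key-namespace id as written in the contexts file */`, with the numeric-id wording taken from the commit message and to be confirmed against the backend. main() continues outside the hunk.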