NAK. Apologies for the spam. I thought this was a clean cherry-pick, but it's not. On Fri, Apr 23, 2021 at 6:42 PM Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
>
> This patch adds a new Android specific module for keystore2 key
> namespace lookup. It assumes the presence of keystore_contexts files
> mapping numeric namespace identifiers to SELinux labels. Keystore 2.0
> uses this module to exert more granular access control and allow system
> and vendor components to share explicit key namespaces.
>
> Note that this patch was originally accepted July 30, 2020 into AOSP.
> https://android-review.googlesource.com/c/platform/external/selinux/+/1329357
>
> Original author: Kunal Shindea <shindek@xxxxxxxxxx>
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
> ---
> libselinux/include/selinux/label.h | 2 ++
> libselinux/src/label.c | 3 ++-
> libselinux/src/label_backends_android.c | 6 +++---
> libselinux/src/label_internal.h | 2 +-
> libselinux/utils/selabel_lookup.c | 2 ++
> 5 files changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> index e8983606..95e9a9b0 100644
> --- a/libselinux/include/selinux/label.h
> +++ b/libselinux/include/selinux/label.h
> @@ -37,6 +37,8 @@ struct selabel_handle;
> #define SELABEL_CTX_ANDROID_PROP 4
> /* Android service contexts */
> #define SELABEL_CTX_ANDROID_SERVICE 5
> +/* Android keystore key contexts */
> +#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6
>
> /*
> * Available options
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index a03192e5..dfc4e0bf 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -51,7 +51,8 @@ static selabel_initfunc initfuncs[] = {
> CONFIG_X_BACKEND(selabel_x_init),
> CONFIG_DB_BACKEND(selabel_db_init),
> CONFIG_ANDROID_BACKEND(selabel_property_init),
> - CONFIG_ANDROID_BACKEND(selabel_service_init),
> + CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//service init
> + CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//keyStore key init
> };
>
> static inline struct selabel_digest *selabel_is_digest_set
> diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
> index cb8aae26..1cb83008 100644
> --- a/libselinux/src/label_backends_android.c
> +++ b/libselinux/src/label_backends_android.c
> @@ -278,7 +278,7 @@ finish:
> return ret;
> }
>
> -static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
> +static struct selabel_lookup_rec *lookup_exact_match(struct selabel_handle *rec,
> const char *key, int __attribute__((unused)) type)
> {
> struct saved_data *data = (struct saved_data *)rec->data;
> @@ -333,7 +333,7 @@ int selabel_property_init(struct selabel_handle *rec,
> return init(rec, opts, nopts);
> }
>
> -int selabel_service_init(struct selabel_handle *rec,
> +int selabel_exact_match_init(struct selabel_handle *rec,
> const struct selinux_opt *opts, unsigned nopts)
> {
> struct saved_data *data;
> @@ -345,7 +345,7 @@ int selabel_service_init(struct selabel_handle *rec,
> rec->data = data;
> rec->func_close = &closef;
> rec->func_stats = &stats;
> - rec->func_lookup = &service_lookup;
> + rec->func_lookup = &lookup_exact_match;
>
> return init(rec, opts, nopts);
> }
> diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
> index 361b443c..fde55484 100644
> --- a/libselinux/src/label_internal.h
> +++ b/libselinux/src/label_internal.h
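Review bot: The two `selabel_exact_match_init` entries added to `initfuncs[]` appear to be bound to their backends purely by array position, which has to equal `SELABEL_CTX_ANDROID_SERVICE` (5) and `SELABEL_CTX_ANDROID_KEYSTORE2_KEY` (6); nothing in the table records that, so a later insertion or reordering would silently dispatch a backend to the wrong init function. If `CONFIG_ANDROID_BACKEND` expands to a single initializer expression, designated initializers make the coupling explicit and self-checking: `[SELABEL_CTX_ANDROID_SERVICE] = CONFIG_ANDROID_BACKEND(selabel_exact_match_init),` and `[SELABEL_CTX_ANDROID_KEYSTORE2_KEY] = CONFIG_ANDROID_BACKEND(selabel_exact_match_init),`. Failing that, the trailing `//service init` and `//keyStore key init` should at least use the file's `/* */` comment style and name the constant each slot corresponds to, e.g. `/* SELABEL_CTX_ANDROID_KEYSTORE2_KEY */`. The opening of the `initfuncs[]` array lies outside the hunk.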
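Review bot: `lookup_exact_match` and `selabel_exact_match_init` now serve two backends, but neither carries a comment saying so, and the hunk gives no hint of how the keystore2_key backend ends up reading its own contexts file rather than the service one — presumably that is decided by the options forwarded to `init`, which is outside the hunk, so it is worth confirming and writing down. A header comment above `selabel_exact_match_init` along the lines of `/* Shared by the service and keystore2_key backends; both use exact-match lookup and rely on the caller's opts to select the contexts file. */` would record the contract. The bodies of both functions continue past the hunk.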
> @@ -38,7 +38,7 @@ int selabel_db_init(struct selabel_handle *rec,
> int selabel_property_init(struct selabel_handle *rec,
> const struct selinux_opt *opts,
> unsigned nopts) ;
> -int selabel_service_init(struct selabel_handle *rec,
> +int selabel_exact_match_init(struct selabel_handle *rec,
> const struct selinux_opt *opts,
> unsigned nopts) ;
>
> diff --git a/libselinux/utils/selabel_lookup.c b/libselinux/utils/selabel_lookup.c
> index 1aef64de..b18e5fc6 100644
> --- a/libselinux/utils/selabel_lookup.c
> +++ b/libselinux/utils/selabel_lookup.c
> @@ -59,6 +59,8 @@ int main(int argc, char **argv)
> backend = SELABEL_CTX_ANDROID_PROP;
> } else if (!strcmp(optarg, "service")) {
> backend = SELABEL_CTX_ANDROID_SERVICE;
> + } else if (!strcmp(optarg, "keystore2_key")) {
> + backend = SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
> } else {
> fprintf(stderr, "Unknown backend: %s\n",
> optarg);
> --
> 2.31.1.498.g6c1eba8ee3d-goog
>
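Review bot: The new `keystore2_key` branch in `main` is only discoverable if the tool's usage text and any listing of accepted `-b` values — both outside the hunk — are updated alongside it, and the hunk does not touch them; if the usage text enumerates `prop` and `service`, it should name `keystore2_key` too. The `main` function starts and ends outside the hunk.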