* [PATCH] libselinux android: Add keystore2_key label module.
@ 2021-04-23 16:42 Jeff Vander Stoep
From: Jeff Vander Stoep @ 2021-04-23 16:42 UTC (permalink / raw)
  To: selinux; +Cc: Jeff Vander Stoep

This patch adds a new Android specific module for keystore2 key
namespace lookup. It assumes the presence of keystore_contexts files
mapping numeric namespace identifiers to SELinux labels. Keystore 2.0
uses this module to exert more granular access control and allow system
and vendor components to share explicit key namespaces.

Note that this patch was originally accepted July 30, 2020 into AOSP.
https://android-review.googlesource.com/c/platform/external/selinux/+/1329357

Original author: Kunal Shindea <shindek@google.com>
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
 libselinux/include/selinux/label.h      | 2 ++
 libselinux/src/label.c                  | 3 ++-
 libselinux/src/label_backends_android.c | 6 +++---
 libselinux/src/label_internal.h         | 2 +-
 libselinux/utils/selabel_lookup.c       | 2 ++
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index e8983606..95e9a9b0 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -37,6 +37,8 @@ struct selabel_handle;
 #define SELABEL_CTX_ANDROID_PROP 4
 /* Android service contexts */
 #define SELABEL_CTX_ANDROID_SERVICE 5
+/* Android keystore key contexts */
+#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6
 
 /*
  * Available options
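Review bot: The new constant's comment does not say what callers must pass to this backend, and the value 6 is not an arbitrary ID — label.c indexes its initfuncs[] table by these SELABEL_CTX_* values, so 6 must stay equal to the position of the keystore2 entry in that table. I would extend the comment to `/* Android keystore2 key contexts: key is the namespace id as a decimal string, exact match; value must match its slot in initfuncs[] */`, with the key-format part confirmed against the backend since the lookup body is not in this patch. Keeping that coupling documented in the public header is what stops the next backend from being inserted in the middle of the sequence.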
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index a03192e5..dfc4e0bf 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -51,7 +51,8 @@ static selabel_initfunc initfuncs[] = {
 	CONFIG_X_BACKEND(selabel_x_init),
 	CONFIG_DB_BACKEND(selabel_db_init),
 	CONFIG_ANDROID_BACKEND(selabel_property_init),
-	CONFIG_ANDROID_BACKEND(selabel_service_init),
+	CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//service init
+	CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//keyStore key init
 };
 
 static inline struct selabel_digest *selabel_is_digest_set
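Review bot: Both new table entries use `//service init` / `//keyStore key init` trailing comments with no space, which does not match the `/* … */` style used elsewhere in libselinux (see the comments in label.h above); I would write `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_SERVICE */` and `CONFIG_ANDROID_BACKEND(selabel_exact_match_init), /* SELABEL_CTX_ANDROID_KEYSTORE2_KEY */` so the comment names the index each slot is bound to. More importantly, the two slots point at the same init function, so nothing in this table distinguishes a service-contexts handle from a keystore2 one; presumably the only difference is the contexts file the caller supplies via SELABEL_OPT_PATH, and a caller that omits the path option would silently get whatever default the shared init picks — worth stating in a comment here, or confirming that init() rejects a missing path. Since the keystore2 key is a numeric namespace id looked up by exact string match, the caller must also produce a canonical decimal form (no leading zeros or sign), otherwise a valid namespace misses the lookup; that belongs in the backend's documentation rather than here, but the table is where a reader first discovers the sharing. The initfuncs[] definition starts above this hunk.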
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index cb8aae26..1cb83008 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -278,7 +278,7 @@ finish:
 	return ret;
 }
 
-static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+static struct selabel_lookup_rec *lookup_exact_match(struct selabel_handle *rec,
 		const char *key, int __attribute__((unused)) type)
 {
 	struct saved_data *data = (struct saved_data *)rec->data;
@@ -333,7 +333,7 @@ int selabel_property_init(struct selabel_handle *rec,
 	return init(rec, opts, nopts);
 }
 
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 		const struct selinux_opt *opts, unsigned nopts)
 {
 	struct saved_data *data;
@@ -345,7 +345,7 @@ int selabel_service_init(struct selabel_handle *rec,
 	rec->data = data;
 	rec->func_close = &closef;
 	rec->func_stats = &stats;
-	rec->func_lookup = &service_lookup;
+	rec->func_lookup = &lookup_exact_match;
 
 	return init(rec, opts, nopts);
 }
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 361b443c..fde55484 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -38,7 +38,7 @@ int selabel_db_init(struct selabel_handle *rec,
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
 			    unsigned nopts) ;
-int selabel_service_init(struct selabel_handle *rec,
+int selabel_exact_match_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
 			    unsigned nopts) ;
 
diff --git a/libselinux/utils/selabel_lookup.c b/libselinux/utils/selabel_lookup.c
index 1aef64de..b18e5fc6 100644
--- a/libselinux/utils/selabel_lookup.c
+++ b/libselinux/utils/selabel_lookup.c
@@ -59,6 +59,8 @@ int main(int argc, char **argv)
 				backend = SELABEL_CTX_ANDROID_PROP;
 			} else if (!strcmp(optarg, "service")) {
 				backend = SELABEL_CTX_ANDROID_SERVICE;
+			} else if (!strcmp(optarg, "keystore2_key")) {
+				backend = SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
 			} else {
 				fprintf(stderr, "Unknown backend: %s\n",
 								    optarg);
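Review bot: The new `keystore2_key` option is added to the backend parsing but nothing in this hunk updates the utility's usage/help text or the selabel_lookup man page, which presumably enumerate the accepted backend names; if they do, `keystore2_key` should be added there in the same commit so `selabel_lookup -b` stays discoverable. The surrounding option parsing and main() begin before this hunk, so I cannot see whether a default path is chosen for this backend when `-f` is absent — if the other Android backends get one, this should too, or the tool should fail with a clear message rather than a generic lookup failure.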
-- 
2.31.1.498.g6c1eba8ee3d-goog



* Re: [PATCH] libselinux android: Add keystore2_key label module.
@ 2021-04-23 16:54 ` Jeffrey Vander Stoep
From: Jeffrey Vander Stoep @ 2021-04-23 16:54 UTC (permalink / raw)
  To: SElinux list

NAK.

Apologies for the spam. I thought this was a clean cherry-pick, but it's not.


On Fri, Apr 23, 2021 at 6:42 PM Jeff Vander Stoep <jeffv@google.com> wrote:
>
> This patch adds a new Android specific module for keystore2 key
> namespace lookup. It assumes the presence of keystore_contexts files
> mapping numeric namespace identifiers to SELinux labels. Keystore 2.0
> uses this module to exert more granular access control and allow system
> and vendor components to share explicit key namespaces.
>
> Note that this patch was originally accepted July 30, 2020 into AOSP.
> https://android-review.googlesource.com/c/platform/external/selinux/+/1329357
>
> Original author: Kunal Shindea <shindek@google.com>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
>  libselinux/include/selinux/label.h      | 2 ++
>  libselinux/src/label.c                  | 3 ++-
>  libselinux/src/label_backends_android.c | 6 +++---
>  libselinux/src/label_internal.h         | 2 +-
>  libselinux/utils/selabel_lookup.c       | 2 ++
>  5 files changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> index e8983606..95e9a9b0 100644
> --- a/libselinux/include/selinux/label.h
> +++ b/libselinux/include/selinux/label.h
> @@ -37,6 +37,8 @@ struct selabel_handle;
>  #define SELABEL_CTX_ANDROID_PROP 4
>  /* Android service contexts */
>  #define SELABEL_CTX_ANDROID_SERVICE 5
> +/* Android keystore key contexts */
> +#define SELABEL_CTX_ANDROID_KEYSTORE2_KEY 6
>
>  /*
>   * Available options
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index a03192e5..dfc4e0bf 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -51,7 +51,8 @@ static selabel_initfunc initfuncs[] = {
>         CONFIG_X_BACKEND(selabel_x_init),
>         CONFIG_DB_BACKEND(selabel_db_init),
>         CONFIG_ANDROID_BACKEND(selabel_property_init),
> -       CONFIG_ANDROID_BACKEND(selabel_service_init),
> +       CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//service init
> +       CONFIG_ANDROID_BACKEND(selabel_exact_match_init),//keyStore key init
>  };
>
>  static inline struct selabel_digest *selabel_is_digest_set
> diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
> index cb8aae26..1cb83008 100644
> --- a/libselinux/src/label_backends_android.c
> +++ b/libselinux/src/label_backends_android.c
> @@ -278,7 +278,7 @@ finish:
>         return ret;
>  }
>
> -static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
> +static struct selabel_lookup_rec *lookup_exact_match(struct selabel_handle *rec,
>                 const char *key, int __attribute__((unused)) type)
>  {
>         struct saved_data *data = (struct saved_data *)rec->data;
> @@ -333,7 +333,7 @@ int selabel_property_init(struct selabel_handle *rec,
>         return init(rec, opts, nopts);
>  }
>
> -int selabel_service_init(struct selabel_handle *rec,
> +int selabel_exact_match_init(struct selabel_handle *rec,
>                 const struct selinux_opt *opts, unsigned nopts)
>  {
>         struct saved_data *data;
> @@ -345,7 +345,7 @@ int selabel_service_init(struct selabel_handle *rec,
>         rec->data = data;
>         rec->func_close = &closef;
>         rec->func_stats = &stats;
> -       rec->func_lookup = &service_lookup;
> +       rec->func_lookup = &lookup_exact_match;
>
>         return init(rec, opts, nopts);
>  }
> diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
> index 361b443c..fde55484 100644
> --- a/libselinux/src/label_internal.h
> +++ b/libselinux/src/label_internal.h
> @@ -38,7 +38,7 @@ int selabel_db_init(struct selabel_handle *rec,
>  int selabel_property_init(struct selabel_handle *rec,
>                             const struct selinux_opt *opts,
>                             unsigned nopts) ;
> -int selabel_service_init(struct selabel_handle *rec,
> +int selabel_exact_match_init(struct selabel_handle *rec,
>                             const struct selinux_opt *opts,
>                             unsigned nopts) ;
>
> diff --git a/libselinux/utils/selabel_lookup.c b/libselinux/utils/selabel_lookup.c
> index 1aef64de..b18e5fc6 100644
> --- a/libselinux/utils/selabel_lookup.c
> +++ b/libselinux/utils/selabel_lookup.c
> @@ -59,6 +59,8 @@ int main(int argc, char **argv)
>                                 backend = SELABEL_CTX_ANDROID_PROP;
>                         } else if (!strcmp(optarg, "service")) {
>                                 backend = SELABEL_CTX_ANDROID_SERVICE;
> +                       } else if (!strcmp(optarg, "keystore2_key")) {
> +                               backend = SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
>                         } else {
>                                 fprintf(stderr, "Unknown backend: %s\n",
>                                                                     optarg);
> --
> 2.31.1.498.g6c1eba8ee3d-goog
>

