am bc22f8d6: am 410ba59a: Fix failure to save master key on new profile
* commit 'bc22f8d63e2ca24ee4ee9d61258d6704bc78724b':
Fix failure to save master key on new profile
diff --git a/keystore/Android.mk b/keystore/Android.mk
index e18b2d8..3babd1d 100644
--- a/keystore/Android.mk
+++ b/keystore/Android.mk
@@ -37,6 +37,7 @@
libkeymaster1
LOCAL_MODULE := keystore
LOCAL_MODULE_TAGS := optional
+LOCAL_INIT_RC := keystore.rc
LOCAL_C_INCLUES := system/keymaster/
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
include $(BUILD_EXECUTABLE)
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index bb5a411..ffd8b5c 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -330,6 +330,11 @@
static const perm_t DEFAULT_PERMS = static_cast<perm_t>(P_GET_STATE | P_GET | P_INSERT | P_DELETE
| P_EXIST | P_LIST | P_SIGN | P_VERIFY);
+struct audit_data {
+ pid_t pid;
+ uid_t uid;
+};
+
static char *tctx;
static int ks_is_selinux_enabled;
@@ -359,11 +364,24 @@
return uid / AID_USER;
}
-static bool keystore_selinux_check_access(uid_t /*uid*/, perm_t perm, pid_t spid) {
+static int audit_callback(void *data, security_class_t /* cls */, char *buf, size_t len)
+{
+ struct audit_data *ad = reinterpret_cast<struct audit_data *>(data);
+ if (!ad) {
+ ALOGE("No keystore audit data");
+ return 0;
+ }
+
+ snprintf(buf, len, "pid=%d uid=%d", ad->pid, ad->uid);
+ return 0;
+}
+
+static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) {
if (!ks_is_selinux_enabled) {
return true;
}
+ audit_data ad;
char *sctx = NULL;
const char *selinux_class = "keystore_key";
const char *str_perm = get_perm_label(perm);
@@ -377,8 +395,11 @@
return false;
}
+ ad.pid = spid;
+ ad.uid = uid;
+
bool allowed = selinux_check_access(sctx, tctx, selinux_class, str_perm,
- NULL) == 0;
+ reinterpret_cast<void *>(&ad)) == 0;
freecon(sctx);
return allowed;
}
@@ -3305,6 +3326,8 @@
ks_is_selinux_enabled = is_selinux_enabled();
if (ks_is_selinux_enabled) {
union selinux_callback cb;
+ cb.func_audit = audit_callback;
+ selinux_set_callback(SELINUX_CB_AUDIT, cb);
cb.func_log = selinux_log_callback;
selinux_set_callback(SELINUX_CB_LOG, cb);
if (getcon(&tctx) != 0) {
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
new file mode 100644
index 0000000..df48412
--- /dev/null
+++ b/keystore/keystore.rc
@@ -0,0 +1,4 @@
+service keystore /system/bin/keystore /data/misc/keystore
+ class main
+ user keystore
+ group keystore drmrpc
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 4a71922..3b381c4 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -31,7 +31,7 @@
keymaster_key_characteristics_t* characteristics,
bool pruneable) {
sp<IBinder> token = new BBinder();
- mMap[token] = std::move(Operation(handle, keyid, purpose, dev, characteristics, appToken));
+ mMap[token] = Operation(handle, keyid, purpose, dev, characteristics, appToken);
if (pruneable) {
mLru.push_back(token);
}