Add libselinux keystore_key backend.
We add a new backend for SELinux-based keystore2_key namespaces.
This patch adds the rump policy and build system infrastructure
for installing keystore2_key context files on the target devices.
Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
diff --git a/Android.bp b/Android.bp
index dbd52cb..2ca424d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -289,6 +289,11 @@
srcs: ["service_contexts"],
}
+se_filegroup {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files"],
@@ -425,6 +430,30 @@
soc_specific: true,
}
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
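Review bot: The system_ext variant is named `system_keystore2_key_contexts`, but the private/file_contexts hunk in this same change labels a file called `system_ext_keystore2_key_contexts` under `/(system_ext|system/system_ext)/etc/selinux/`. If the installed file name follows the module name (not visible here), the system_ext copy would not match that entry, would not be labelled `keystore2_key_contexts_file`, and would fall outside keystore's read rule. Consider `name: "system_ext_keystore2_key_contexts",` or adjust the file_contexts entry to match. Separately, Android.mk only adds `plat_keystore2_key_contexts` to its module list in this change, so the other three modules look defined but not yet pulled in; a short comment saying that is intentional would help.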
diff --git a/Android.mk b/Android.mk
index b667fd2..fa3a418 100644
--- a/Android.mk
+++ b/Android.mk
@@ -272,6 +272,7 @@
build_sepolicy \
plat_file_contexts \
plat_file_contexts_test \
+ plat_keystore2_key_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
plat_property_contexts_test \
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 635ebda..26e8246 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -92,6 +92,7 @@
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
+ android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
@@ -426,3 +427,9 @@
m.build = m.buildGeneralContexts
return m
}
+
+func keystoreKeyFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
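Review bot: `keystoreKeyFactory` has no doc comment and wires the module to `m.buildGeneralContexts`, the same builder the factory just above it uses, so nothing in this hunk enforces the format that private/keystore2_key_contexts documents (`<namespace>` must be an integer in [0 ... 2^31)). Whether the general builder validates entries is not visible here; if it does not, a malformed or duplicated namespace mapping would only surface when the backend loads the file on the device. I would add at least `// keystoreKeyFactory returns the module for keystore2_key_contexts files, built with the general contexts builder.` and consider a dedicated build-time check before real namespace entries land. The preceding factory starts outside this hunk.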
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c54c6f9..bcb571d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
apex_info_file
debugfs_kprobes
gnss_device
+ keystore2_key_contexts_file
mediatranscoding_tmpfs
people_service
profcollectd
diff --git a/private/file_contexts b/private/file_contexts
index a4d967e..08e9e2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -62,6 +62,7 @@
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
@@ -329,6 +330,7 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -419,6 +421,7 @@
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
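Review bot: The labels added across the hunks of this file cover the plat, odm, product and system_ext copies, but none covers a vendor copy, although the Android.bp hunk defines `vendor_keystore2_key_contexts` with `soc_specific: true`. Without a matching entry for that file in the vendor selinux directory, it would get whatever label that directory receives by default, and `allow keystore keystore2_key_contexts_file:file r_file_perms;` would not apply to it. Conversely, this hunk labels `odm_keystore2_key_contexts` while no odm module is defined in the Android.bp hunk. It would be worth making the set of labelled paths and the set of built modules agree, or noting in the commit which ones are deliberately deferred.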
@@ -431,6 +434,7 @@
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
@@ -448,6 +452,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
diff --git a/private/keystore.te b/private/keystore.te
index ee6dbdf..492ce77 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -13,3 +13,6 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
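Review bot: The comment above the new allow rule says "keystore_key context files" and "keystore key backend", while the type and files this change introduces are all named keystore2_key, and it reads "Keystore need". Assuming the backend is the keystore2_key one, I would word it `# Keystore needs read access to the keystore2_key_contexts files to load the keystore2_key backend.` so that a search for the type name finds the rationale for the grant.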
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
new file mode 100644
index 0000000..77c4c1e
--- /dev/null
+++ b/private/keystore2_key_contexts
@@ -0,0 +1,7 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+
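Review bot: The format header does not say what `<label>` must look like, so whoever adds the first entry has to guess whether it is a bare type name or a full security context. I would state that explicitly and add a commented sample line marked as an example, e.g. `# 12345 u:object_r:example_key:s0  (constructed example)` if full contexts are what the backend expects; that is not visible in this change. It would also help to say whether a namespace may appear more than once, since all four modules in Android.bp currently read this same source file.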
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
new file mode 100644
index 0000000..757ca39
--- /dev/null
+++ b/private/keystore_keys.te
@@ -0,0 +1,2 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
diff --git a/public/attributes b/public/attributes
index 19623af..f5663a9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -101,6 +101,9 @@
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
diff --git a/public/file.te b/public/file.te
index 4c5b541..3cf2ff0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -511,6 +511,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
diff --git a/public/keystore.te b/public/keystore.te
index 27c4624..3fac95f 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
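Review bot: Nothing in this hunk explains why the `keystore` domain type now carries `keystore2_key_type`, and public/attributes documents that attribute as "All keystore2_key labels." Every allow or neverallow rule later written against `keystore2_key_type` will therefore also match the keystore process domain, which is easy to overlook when reviewing key-access policy. If the intent is that keystore's own context serves as a key namespace label, a comment above the declaration such as `# keystore's own domain is also used as a keystore2_key label.` would record that.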