Add libselinux keystore_key backend.

We add a new backend for SELinux-based keystore2_key namespaces.
This patch adds the rump policy and build-system infrastructure
for installing keystore2_key context files on the target devices.

Bug: 158500146
Bug: 159466840
Test: None
Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106
Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c54c6f9..bcb571d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -9,6 +9,7 @@
     apex_info_file
     debugfs_kprobes
     gnss_device
+    keystore2_key_contexts_file
     mediatranscoding_tmpfs
     people_service
     profcollectd
diff --git a/private/file_contexts b/private/file_contexts
index a4d967e..08e9e2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -62,6 +62,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
 # Use nonplat_service_contexts_file to allow servicemanager to read it
 # on non full-treble devices.
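Review bot: The added root-level entry `/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0` separates pattern and label with a single space while the neighbouring root entries pad the label to a common column; aligning it to match `/plat_service_contexts` and `/plat_hwservice_contexts` keeps the block scannable. The same hunk shows a `/nonplat_service_contexts` alias with its own `nonplat_service_contexts_file` type for non-full-Treble devices, but no nonplat counterpart for the keystore2 key contexts is added here. If the keystore2 backend is meant to merge vendor-supplied namespaces on such devices, a matching root alias and label would be needed; if not, a one-line comment saying the backend only reads the plat file would save the next reader the question.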
@@ -329,6 +330,7 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
@@ -419,6 +421,7 @@
 /(odm|vendor/odm)/etc/selinux/odm_seapp_contexts                u:object_r:seapp_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_property_contexts             u:object_r:property_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts         u:object_r:keystore2_key_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml           u:object_r:mac_perms_file:s0
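Review bot: The visible hunks label the keystore2_key_contexts file for the plat, odm, product and system_ext partitions, but no `/(vendor|system/vendor)/etc/selinux/vendor_keystore2_key_contexts` line appears anywhere in this diff. If the build can install a vendor-partition variant (the odm entry here suggests the non-system partitions are meant to be supported), that file would inherit the directory's default label instead of `keystore2_key_contexts_file`, and the new `r_file_perms` rule in keystore.te would not cover it, so the backend would fail to load it at runtime. Worth confirming that the vendor section of file_contexts is handled elsewhere in this change or deliberately left out; the file_contexts hunks for product (after `product_hwservice_contexts`) and system_ext (after `system_ext_hwservice_contexts`) follow the same pattern and share this question.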
 
 #############################
@@ -431,6 +434,7 @@
 
 /(product|system/product)/etc/selinux/product_file_contexts      u:object_r:file_contexts_file:s0
 /(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /(product|system/product)/etc/selinux/product_property_contexts  u:object_r:property_contexts_file:s0
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
@@ -448,6 +452,7 @@
 
 /(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts        u:object_r:file_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts    u:object_r:property_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts       u:object_r:seapp_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts     u:object_r:service_contexts_file:s0
diff --git a/private/keystore.te b/private/keystore.te
index ee6dbdf..492ce77 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -13,3 +13,6 @@
 
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
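Review bot: The new comment has a grammar slip and names the backend differently from the rest of the change; suggest `# Keystore needs read access to the keystore2_key context files to load the keystore_key backend.`. The rule itself grants only the `file` class, while file_contexts in this same change also labels the root-level `/plat_keystore2_key_contexts`; on builds where that root path is a symlink into /system/etc/selinux it would be a `lnk_file` carrying the same label, and a loader that opens the root alias would additionally need `allow keystore keystore2_key_contexts_file:lnk_file r_file_perms;`. I can't tell from this diff which path the backend opens, so please confirm against the loader rather than adding the rule blindly. The hunk sits at the end of keystore.te, so the surrounding rules are outside this view.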
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
new file mode 100644
index 0000000..77c4c1e
--- /dev/null
+++ b/private/keystore2_key_contexts
@@ -0,0 +1,7 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ...  2^31)
+
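Review bot: The format header gives the `<namespace>` range but says nothing about what `<label>` looks like, which is the part a contributor is most likely to get wrong. Consider extending the comment with a line such as `# <label> is a full security context, e.g. u:object_r:<keystore2 key type>:s0` (leaving `<keystore2 key type>` as a placeholder until the first type is declared in keystore_keys.te), assuming the loader expects the same `u:object_r:...:s0` form used by the other context files in this change — confirm that before committing to the wording. Stating whether duplicate namespaces are rejected or resolved last-wins would also help, since the file ships with no entries to copy from.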
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
new file mode 100644
index 0000000..757ca39
--- /dev/null
+++ b/private/keystore_keys.te
@@ -0,0 +1,2 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.