Add libselinux keystore_key backend.

We add a new back end for SELinux based keystore2_key namespaces. This patch adds the rump policy and build system infrastructure for installing keystore2_key context files on the target devices. Bug: 158500146 Bug: 159466840 Test: None Change-Id: I423c9e68ad259926e4a315d052dfda97fa502106 Merged-In: I423c9e68ad259926e4a315d052dfda97fa502106
2020-07-25 13:02:29 -07:00 · 2020-07-25 13:02:29 -07:00 · c40681f1b5
commit c40681f1b5
parent 2e91219f9a
11 changed files with 62 additions and 1 deletions
--- a/Android.bp
+++ b/Android.bp
@ -289,6 +289,11 @@ se_filegroup {
    srcs: ["service_contexts"],
 }

+se_filegroup {
+    name: "keystore2_key_contexts_files",
+    srcs: ["keystore2_key_contexts"],
+}
+
 file_contexts {
    name: "plat_file_contexts",
    srcs: [":file_contexts_files"],
@ -425,6 +430,30 @@ service_contexts {
    soc_specific: true,
 }

+keystore2_key_contexts {
+    name: "plat_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+    name: "system_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files"],
+    system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+    name: "product_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files"],
+    product_specific: true,
+}
+
+keystore2_key_contexts {
+    name: "vendor_keystore2_key_contexts",
+    srcs: [":keystore2_key_contexts_files"],
+    reqd_mask: true,
+    soc_specific: true,
+}
+
 // For vts_treble_sys_prop_test
 filegroup {
    name: "private_property_contexts",
--- a/Android.mk
+++ b/Android.mk
@ -272,6 +272,7 @@ LOCAL_REQUIRED_MODULES += \
    build_sepolicy \
    plat_file_contexts \
    plat_file_contexts_test \
+    plat_keystore2_key_contexts \
    plat_mac_permissions.xml \
    plat_property_contexts \
    plat_property_contexts_test \
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@ -92,6 +92,7 @@ func init() {
 	android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
 	android.RegisterModuleType("property_contexts", propertyFactory)
 	android.RegisterModuleType("service_contexts", serviceFactory)
+	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)

 	android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
 		ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
@ -426,3 +427,9 @@ func serviceFactory() android.Module {
 	m.build = m.buildGeneralContexts
 	return m
 }
+
+func keystoreKeyFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	return m
+}
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -9,6 +9,7 @@
    apex_info_file
    debugfs_kprobes
    gnss_device
+    keystore2_key_contexts_file
    mediatranscoding_tmpfs
    people_service
    profcollectd
--- a/private/file_contexts
+++ b/private/file_contexts
@ -62,6 +62,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /nonplat_service_contexts   u:object_r:nonplat_service_contexts_file:s0
 # Use nonplat_service_contexts_file to allow servicemanager to read it
 # on non full-treble devices.
@ -329,6 +330,7 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
@ -419,6 +421,7 @@
 /(odm|vendor/odm)/etc/selinux/odm_seapp_contexts                u:object_r:seapp_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_property_contexts             u:object_r:property_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts         u:object_r:keystore2_key_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml           u:object_r:mac_perms_file:s0

 #############################
@ -431,6 +434,7 @@

 /(product|system/product)/etc/selinux/product_file_contexts      u:object_r:file_contexts_file:s0
 /(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /(product|system/product)/etc/selinux/product_property_contexts  u:object_r:property_contexts_file:s0
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
@ -448,6 +452,7 @@

 /(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts        u:object_r:file_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts    u:object_r:property_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts       u:object_r:seapp_contexts_file:s0
 /(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts     u:object_r:service_contexts_file:s0
--- a/private/keystore.te
+++ b/private/keystore.te
@ -13,3 +13,6 @@ allow keystore platform_app:binder call;

 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@ -0,0 +1,7 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ...  2^31)
+
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@ -0,0 +1,2 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
--- a/public/attributes
+++ b/public/attributes
@ -101,6 +101,9 @@ attribute system_restricted_property_type;
 # All /system-defined properties with no restrictions.
 attribute system_public_property_type;

+# All keystore2_key labels.
+attribute keystore2_key_type;
+
 # All properties defined by /product.
 # Currently there are no enforcements between /system and /product, so for now
 # /product attributes are just replaced to /system attributes.
--- a/public/file.te
+++ b/public/file.te
@ -511,6 +511,9 @@ type sepolicy_file, system_file_type, file_type;
 # service_contexts file
 type service_contexts_file, system_file_type, file_type;

+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
 # vendor service_contexts file
 type vendor_service_contexts_file, vendor_file_type, file_type;

--- a/public/keystore.te
+++ b/public/keystore.te
@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, keystore2_key_type;
 type keystore_exec, system_file_type, exec_type, file_type;

 # keystore daemon