authorJanis Danisevskis <jdanis@google.com>2016-09-08 12:07:31 +0100
committerJanis Danisevskis <jdanis@google.com>2016-10-03 10:15:53 +0100
commitc1310d541ff32b0cac6668e0d68317f736a9ef34 (patch)
treec22a2bc9fb21dba0e0a5762e6b72c832ef3c0268
parenta63b41e17ba267d679b6302d406eafabb92cb4fe (diff)
fix lax service context lookup
We use the same lookup function for service contexts that we use for property contexts. However, property contexts are namespace based and only compare the prefix. This may lead to a service being associated with the wrong label. This patch introduces a stricter lookup function for service contexts: the service name must now match the key of the service label exactly. Test: bullhead builds and boots Bug: 31353148 Change-Id: I16dd276e1e74c0d04af4e067992385be5499b01d
-rw-r--r--include/selinux/label.h4
-rw-r--r--src/android.c2
-rw-r--r--src/label.c1
-rw-r--r--src/label_android_property.c51
-rw-r--r--src/label_internal.h2
5 files changed, 58 insertions, 2 deletions
diff --git a/include/selinux/label.h b/include/selinux/label.h
index 512c71f..07eff74 100644
--- a/include/selinux/label.h
+++ b/include/selinux/label.h
@@ -32,8 +32,10 @@ struct selabel_handle;
#define SELABEL_CTX_X 2
/* db objects */
#define SELABEL_CTX_DB 3
-/* Android property service contexts */
+/* Android property contexts */
#define SELABEL_CTX_ANDROID_PROP 4
+/* Android service contexts */
+#define SELABEL_CTX_ANDROID_SERVICE 5
/*
* Available options
diff --git a/src/android.c b/src/android.c
index 7769c06..be12441 100644
--- a/src/android.c
+++ b/src/android.c
@@ -1435,7 +1435,7 @@ struct selabel_handle* selinux_android_service_context_handle(void)
{
struct selabel_handle* sehandle;
- sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP,
+ sehandle = selabel_open(SELABEL_CTX_ANDROID_SERVICE,
&seopts_service, 1);
if (!sehandle) {
diff --git a/src/label.c b/src/label.c
index fb8c266..6a67b65 100644
--- a/src/label.c
+++ b/src/label.c
@@ -26,6 +26,7 @@ static selabel_initfunc initfuncs[] = {
NULL,
NULL,
&selabel_property_init,
+ &selabel_service_init,
};
/*
diff --git a/src/label_android_property.c b/src/label_android_property.c
index 887e32c..b0a807c 100644
--- a/src/label_android_property.c
+++ b/src/label_android_property.c
@@ -274,6 +274,39 @@ finish:
return ret;
}
+static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+ const char *key,
+ int __attribute__((unused)) type)
+{
+ struct saved_data *data = (struct saved_data *) rec->data;
+ spec_t *spec_arr = data->spec_arr;
+ unsigned int i;
+ struct selabel_lookup_rec *ret = NULL;
+
+ if (!data->nspec) {
+ errno = ENOENT;
+ goto finish;
+ }
+
+ for (i = 0; i < data->nspec; i++) {
+ if (strcmp(spec_arr[i].property_key, key) == 0) {
+ break;
+ }
+ if (strcmp(spec_arr[i].property_key, "*") == 0) break;
+ }
+
+ if (i >= data->nspec) {
+ /* No matching specification. */
+ errno = ENOENT;
+ goto finish;
+ }
+
+ ret = &spec_arr[i].lr;
+
+finish:
+ return ret;
+}
+
static void stats(struct selabel_handle __attribute__((unused)) *rec)
{
selinux_log(SELINUX_WARNING, "'stats' functionality not implemented.\n");
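Review bot: The `"*"` check on the second `if` inside the loop makes a catch-all entry terminate the scan, so every spec listed after a `*` key is unreachable and an exact key that happens to follow the wildcard silently receives the wildcard's label; this ordering requirement is not documented anywhere in service_lookup. Add a comment above the loop such as `/* "*" is a catch-all: it must be the last spec, since nothing after it can match. */`, or, if file order should not matter, scan for an exact match first and fall back to `"*"` in a second pass (note that this would change results for files that currently place specs after the wildcard). Brace the one-line `if (strcmp(...) == 0) break;` the same way the preceding `if` is braced, since the two checks are parallel. `key` goes straight into strcmp, so a NULL key would be undefined behaviour — presumably the public lookup wrapper rejects it, but that is outside this hunk and worth confirming.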
@@ -297,3 +330,21 @@ int selabel_property_init(struct selabel_handle *rec,
return init(rec, opts, nopts);
}
+
+int selabel_service_init(struct selabel_handle *rec,
+ const struct selinux_opt *opts,
+ unsigned nopts)
+{
+ struct saved_data *data;
+
+ data = (struct saved_data *)calloc(1, sizeof(*data));
+ if (!data)
+ return -1;
+
+ rec->data = data;
+ rec->func_close = &closef;
+ rec->func_stats = &stats;
+ rec->func_lookup = &service_lookup;
+
+ return init(rec, opts, nopts);
+}
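Review bot: selabel_service_init has no header comment explaining why it exists alongside selabel_property_init, and it casts the result of calloc; `data = calloc(1, sizeof *data);` is the idiomatic form and keeps the allocation tied to the variable's type. A one-line comment above the function, e.g. `/* Backend init for SELABEL_CTX_ANDROID_SERVICE: same spec file format as property contexts, but lookups require an exact key match (see service_lookup). */`, would tell a reader that only the lookup hook differs. If `init()` can fail after `rec->data` has been assigned, whether `data` is released depends on `init` and on the caller invoking `func_close`, both of which are outside the hunk — worth confirming so a failed open does not leak the saved_data allocation.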
diff --git a/src/label_internal.h b/src/label_internal.h
index 455d948..cca44d5 100644
--- a/src/label_internal.h
+++ b/src/label_internal.h
@@ -27,6 +27,8 @@ int selabel_db_init(struct selabel_handle *rec,
const struct selinux_opt *opts, unsigned nopts) hidden;
int selabel_property_init(struct selabel_handle *rec,
const struct selinux_opt *opts, unsigned nopts) hidden;
+int selabel_service_init(struct selabel_handle *rec,
+ const struct selinux_opt *opts, unsigned nopts) hidden;
/*
* Labeling internal structures