From e7d2d82bbb1202c34c0ae2491e9825436878bbcc Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Mon, 24 Jul 2023 11:06:47 +0900 Subject: [PATCH] Fix preinstalled app partition check There is a bug on the code checking the partition, so it's printing wrong logcat messages. This fixes it by renaming the function name for better readability. Also it fixes a bug that the check only happens when levelFrom != NONE. Bug: 291005833 Test: boot and see logcat Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408 Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408 (cherry picked from commit 321c0252599f525833bea20d9b3b7e3f1d0edee1)
---
 libselinux/src/android/android_seapp.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index db7bd0bf..c0f6eb2d 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -702,9 +702,10 @@ static bool is_platform(const char *partition) {
 return false;
 }
-static bool check_preinstalled_app_partition(const char *spec, const char *app) {
+static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 // We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
- return !is_platform(spec) && is_platform(app);
+ // So, either the app shouldn't be platform, or the spec should be platform.
+ return !(is_platform(app_partition) && !is_platform(app_policy));
 }
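Review bot: The return in `is_preinstalled_app_partition_valid` is a negated conjunction, while the comment directly above it describes a disjunction and still says "spec" although the parameter is now named `app_policy`. The removed lines show the old helper returned true for the forbidden combination while the caller logged on its negation, so the sense of this predicate has already gone wrong once; I would make the code read like the comment with `return !is_platform(app_partition) || is_platform(app_policy);` and reword the second comment line to `// So, either the app is not on a platform partition, or the policy comes from a platform partition.` The commit's only test is a manual logcat check; the four platform/non-platform combinations would be cheap to pin down in a unit test if this file has a harness, which is not visible from the hunk.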
@@ -896,14 +897,6 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 }
 if (cur->levelFrom != LEVELFROM_NONE) {
- if (isPreinstalledApp
- && !check_preinstalled_app_partition(cur->partition, partition)) {
- // TODO(b/280547417): make this an error after fixing violations
- selinux_log(SELINUX_ERROR,
- "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
- __FUNCTION__, pkgname, partition, cur->partition);
- }
-
 int res = set_range_from_level(ctx, cur->levelFrom, userid, appid);
 if (res != 0) {
 return res;
@@ -913,6 +906,14 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 goto oom;
 }
+ if (isPreinstalledApp
+ && !is_preinstalled_app_partition_valid(cur->partition, partition)) {
+ // TODO(b/280547417): make this an error after fixing violations
+ selinux_log(SELINUX_ERROR,
+ "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
+ __FUNCTION__, pkgname, partition, cur->partition);
+ }
+
 break;
 }
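Review bot: The relocated check in the `-913,6 +906,14` hunk is still log-only and sits directly before `break`, after the range handling on `ctx`, so as far as the hunk shows an entry that fails `is_preinstalled_app_partition_valid` is still used for the app even though the message says it "can't be labeled". Until the TODO is resolved I would put a comment above the `if`, such as `// Log-only for now: the matched entry is still applied to this app.`, so that someone triaging logcat does not assume the label was refused. The check now also runs for entries with `levelFrom == LEVELFROM_NONE`, so it is worth confirming that `partition` and `cur->partition` cannot be NULL on that path, since both are passed to `is_platform` and to `%s`; where they are assigned is not visible here. `seapp_context_lookup_internal` starts and ends outside the hunk.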