From 51fde66c16fc4ec12ba2da47c43d618751ca9316 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 21 Jul 2023 18:17:52 +0900
Subject: [PATCH] Give priority to platform side seapp_contexts

This is to remove duplicate errors while fixing seapp_contexts violations (because old vendors still have the entries).

Bug: 280547417
Test: TH
Change-Id: I8c381dad6e8bf5e91148494b55278e124b845c13
---
 libselinux/src/android/android_seapp.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index c0f6eb2d..7e847a8a 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -164,6 +164,15 @@ static void free_seapp_context(struct seapp_context *s)
 	free(s->level);
 }
 
+static bool is_platform(const char *partition) {
+	// system, system_ext, product are regarded as "platform", whereas vendor
+	// and odm are regarded as vendor.
+	if (strcmp(partition, "system") == 0) return true;
+	if (strcmp(partition, "system_ext") == 0) return true;
+	if (strcmp(partition, "product") == 0) return true;
+	return false;
+}
+
 /* Compare two seapp_context. Used to sort all the entries found. */
 static int seapp_context_cmp(const void *A, const void *B)
 {
@@ -234,6 +243,12 @@ static int seapp_context_cmp(const void *A, const void *B)
 	if (s1->fromRunAs != s2->fromRunAs)
 		return (s1->fromRunAs ? -1 : 1);
 
+	/* Give precedence to platform side contexts */
+	bool isS1Platform = is_platform(s1->partition);
+	bool isS2Platform = is_platform(s2->partition);
+	if (isS1Platform != isS2Platform)
+		return (isS1Platform ? -1 : 1);
+
 	/* Anything else has equal precedence. */
 	return 0;
 }
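Review bot: `is_platform` hands `partition` straight to `strcmp`, yet its new caller in `seapp_context_cmp` passes `s1->partition`/`s2->partition`, and the error path later in this same patch guards that field with `if (s1->partition)` before logging it, which suggests a parsed entry's partition can be NULL; if that is so, sorting a list containing such an entry is undefined behaviour, most likely a NULL dereference inside the sort. The old call site only ever passed the stack buffer filled by `get_partition`, so the helper never had to cope with a missing value before it was moved here. Make it total over its input with a guard as the first statement, `if (partition == NULL) return false;`, so an entry with no partition is ordered as non-platform instead of crashing, and note that choice in the comment above it. If `partition` is in fact always set at parse time, a one-line comment on the comparator call saying so would be enough instead.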
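Review bot: The comment `/* Give precedence to platform side contexts */` describes the new tie-breaker but not its effect on the duplicate check this commit exists to quiet: two entries whose selectors differ only by partition no longer compare equal, so, if the reload path reports duplicates via a zero result from this comparator as the error log later in this patch appears to, a vendor/odm entry that mirrors a platform one is now silently shadowed rather than rejected. That is a policy-selection change, not just an ordering tweak, and it deserves to be stated where the next reader will look, e.g. `/* Platform (system/system_ext/product) contexts win over vendor/odm ones: an otherwise-identical vendor entry sorts after the platform entry and is no longer reported as a duplicate. */`. seapp_context_cmp begins before this hunk, so the earlier ordering keys are not visible here.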
@@ -574,6 +589,8 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 				selinux_log(SELINUX_ERROR, " seinfo=%s\n", s1->seinfo);
 			if (s1->name.str)
 				selinux_log(SELINUX_ERROR, " name=%s\n", s1->name.str);
+			if (s1->partition)
+				selinux_log(SELINUX_ERROR, " partition=%s\n", s1->partition);
 			goto err_no_log;
 		}
 	}
@@ -693,15 +710,6 @@ static bool get_partition(const char *seinfo, char partition[], size_t size)
 	return true;
 }
 
-static bool is_platform(const char *partition) {
-	// system, system_ext, product are regarded as "platform", whereas vendor
-	// and odm are regarded as vendor.
-	if (strcmp(partition, "system") == 0) return true;
-	if (strcmp(partition, "system_ext") == 0) return true;
-	if (strcmp(partition, "product") == 0) return true;
-	return false;
-}
-
 static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 	// We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
 	// So, either the app shouldn't be platform, or the spec should be platform.