Generalize levelFromUid support.
Introduce a levelFrom=none|app|user|all syntax for specifying per-app, per-user, or per-combination level assignment. levelFromUid=true|false remains valid syntax but is deprecated. levelFromUid=true is equivalent to levelFrom=app. Update check_seapp to accept the new syntax. Update seapp_contexts to document the new syntax and switch from levelFromUid=true to levelFrom=app. No change in behavior. Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
ae0fcf1fb6
commit
38084146e0
2 changed files with 14 additions and 3 deletions
|
@ -24,11 +24,12 @@
|
|||
# Outputs:
|
||||
# domain (string)
|
||||
# type (string)
|
||||
# levelFromUid (boolean)
|
||||
# levelFrom (string; one of none, all, app, or user)
|
||||
# level (string)
|
||||
# Only entries that specify domain= will be used for app process labeling.
|
||||
# Only entries that specify type= will be used for app directory labeling.
|
||||
# levelfromUid is only supported for app UIDs presently.
|
||||
# levelFrom=user is only supported for _app or _isolated UIDs.
|
||||
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
|
||||
# level may be used to specify a fixed level for any UID.
|
||||
#
|
||||
isSystemServer=true domain=system
|
||||
|
@ -36,7 +37,7 @@ user=system domain=system_app type=system_data_file
|
|||
user=bluetooth domain=bluetooth type=bluetooth_data_file
|
||||
user=nfc domain=nfc type=nfc_data_file
|
||||
user=radio domain=radio type=radio_data_file
|
||||
user=_app domain=untrusted_app type=app_data_file levelFromUid=true
|
||||
user=_app domain=untrusted_app type=app_data_file levelFrom=app
|
||||
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
|
||||
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
|
||||
user=_app seinfo=media domain=media_app type=platform_app_data_file
|
||||
|
|
|
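Review bot: The Outputs block documents `levelFrom` but no longer explains the deprecated `levelFromUid` key, even though the commit message says `levelFromUid=true|false` remains accepted, so someone auditing an existing policy cannot tell from this header how an old entry maps onto the new keyword; if `# levelFromUid (boolean)` is on the removed side, keep a one-line pointer such as `# levelFromUid (boolean; deprecated, levelFromUid=true is equivalent to levelFrom=app)`. The restrictions stated at `# levelFrom=user is only supported for _app or _isolated UIDs.` and the line after it describe runtime support, but the check_seapp change in this same commit only validates the value set and does not enforce them, so it may be worth wording them as runtime limitations rather than checked constraints.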
@ -162,6 +162,7 @@ key_map rules[] = {
|
|||
{ .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },
|
||||
{ .name = "type", .type = dt_string, .dir = dir_out, .data = NULL },
|
||||
{ .name = "levelFromUid", .type = dt_bool, .dir = dir_out, .data = NULL },
|
||||
{ .name = "levelFrom", .type = dt_string, .dir = dir_out, .data = NULL },
|
||||
{ .name = "level", .type = dt_string, .dir = dir_out, .data = NULL },
|
||||
};
|
||||
|
||||
|
@ -256,6 +257,15 @@ static int key_map_validate(key_map *m, int lineno) {
|
|||
goto out;
|
||||
}
|
||||
|
||||
if (!strcasecmp(key, "levelFrom") &&
|
||||
(strcasecmp(value, "none") && strcasecmp(value, "all") &&
|
||||
strcasecmp(value, "app") && strcasecmp(value, "user"))) {
|
||||
log_error("Unknown levelFrom=%s on line: %d in file: %s\n",
|
||||
value, lineno, out_file_name);
|
||||
rc = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* If their is no policy file present,
|
||||
* then it is not in strict mode so just return.
|
||||
|
|
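Review bot: The new `levelFrom` check validates only the value set; nothing rejects an entry that carries both the deprecated `levelFromUid` key, which the rules table still accepts at `{ .name = "levelFromUid", .type = dt_bool, .dir = dir_out, .data = NULL },`, and the new `levelFrom` key, so a line like `levelFromUid=true levelFrom=user` passes the checker with no defined winner. key_map_validate appears to validate one key/value pair at a time, so rejecting the both-keys case presumably belongs wherever the whole entry is assembled, but at minimum a `levelFromUid` branch here could flag the key as deprecated so the old syntax can eventually be retired. The UID restrictions the commit documents in seapp_contexts (levelFrom=user only for _app or _isolated, app/all only for _app) are likewise not enforced by this hunk. The values are matched with strcasecmp, which accepts `APP` or `User`; whether the runtime parser is equally case-insensitive is not visible here and should be confirmed so the checker does not accept what the loader rejects. key_map_validate starts before and continues after this hunk.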