Re: [PATCH] You can now specify a sebool= flag in seapp_contexts


 



This is part of a patch series, but for some reason the operator of
git send-email is messing it up (me)

On Fri, Jul 27, 2012 at 12:19 PM, William Roberts
<bill.c.roberts@xxxxxxxxx> wrote:
> and that rule will ONLY be applied on a match to that
> boolean, and only if the boolean is set to true.
>
> Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
> Signed-off-by: William Roberts <w.roberts@xxxxxxxxxxxxxxx>
> ---
>  src/android.c |   41 ++++++++++++++++++++++++++++++++++++++---
>  1 files changed, 38 insertions(+), 3 deletions(-)
>
> diff --git a/src/android.c b/src/android.c
> index 83ba7b7..8415742 100644
> --- a/src/android.c
> +++ b/src/android.c
> @@ -45,6 +45,7 @@ struct seapp_context {
>         char *domain;
>         char *type;
>         char *level;
> +       char *sebool;
>         char levelFromUid;
>  };
>
> @@ -85,6 +86,12 @@ static int seapp_context_cmp(const void *A, const void *B)
>         if (!s1->name && s2->name)
>                 return 1;
>
> +        /* Give precedence to a specified sebool= over an unspecified sebool=. */
> +        if (s1->sebool && !s2->sebool)
> +                return -1;
> +        if (!s1->sebool && s2->sebool)
> +                return 1;
> +
>         /* Anything else has equal precedence. */
>         return 0;
>  }
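Review bot: The comment above the new comparison in seapp_context_cmp states the ordering but not why it matters for matching. Because the lookup loops `continue` when the boolean is off (see the selinux_android_setcontext and selinux_android_setfilecon2 hunks), sorting sebool= entries first is what lets an entry with the same selectors and no sebool= act as the fallback. I would say so in the comment: `/* sebool= entries sort first so that an entry with the same selectors and no sebool= is the fallback when the boolean is off. */`. The added lines also appear to be indented with spaces where the surrounding context uses tabs.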
> @@ -196,6 +203,10 @@ int selinux_android_seapp_context_reload(void)
>                                 cur->level = strdup(value);
>                                 if (!cur->level)
>                                         goto oom;
> +                       } else if (!strcasecmp(name, "sebool")) {
> +                               cur->sebool = strdup(value);
> +                               if (!cur->sebool)
> +                                       goto oom;
>                         } else
>                                 goto err;
>
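Review bot: Nothing in this patch releases the string that `cur->sebool = strdup(value);` allocates. None of the hunks touches a cleanup path, so if entries are freed at the `oom`/`err` labels or when the table is rebuilt (outside the visible lines), a `free(cur->sebool);` belongs next to the existing frees. The boolean name is also stored unchecked here, so a misspelled name only surfaces later as a `goto err` in the lookup functions. Checking it once at load time and rejecting the line would surface a typo in seapp_contexts earlier. The enclosing function starts and ends outside the hunk.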
> @@ -217,12 +228,13 @@ int selinux_android_seapp_context_reload(void)
>                 int i;
>                 for (i = 0; i < nspec; i++) {
>                         cur = seapp_contexts[i];
> -                       selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s user=%s seinfo=%s name=%s -> domain=%s type=%s level=%s levelFromUid=%s",
> +                       selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s user=%s seinfo=%s name=%s -> domain=%s type=%s level=%s levelFromUid=%s sebool=%s",
>                                     __FUNCTION__,
>                                     cur->isSystemServer ? "true" : "false",
>                                     cur->user, cur->seinfo, cur->name,
>                                     cur->domain, cur->type, cur->level,
> -                                   cur->levelFromUid ? "true" : "false");
> +                                   cur->levelFromUid ? "true" : "false",
> +                                   cur->sebool);
>                 }
>         }
>  #endif
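Review bot: `cur->sebool` is NULL for every entry that has no sebool= key, and the new last argument hands it to `%s` unguarded. Passing a null pointer to `%s` is undefined in standard C and prints `(null)` only on libcs that choose to tolerate it. The neighbouring string fields look to have the same exposure (the comparator tests `!s1->name`), but the new argument can be made safe on its own with `cur->sebool ? cur->sebool : "(none)"`. The loop sits in a conditional block that opens outside the hunk.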
> @@ -348,7 +360,18 @@ int selinux_android_setfilecon2(const char *pkgdir,
>                         if (context_range_set(ctx, cur->level))
>                                 goto oom;
>                 }
> -
> +
> +                if (cur->sebool) {
> +                        int value = security_get_boolean_active(cur->sebool);
> +                        if (value == 0)
> +                                continue;
> +                        else if (value == -1) {
> +                                selinux_log(SELINUX_ERROR, \
> +                                "Could not find boolean: %s ", cur->sebool);
> +                                goto err;
> +                        }
> +                }
> +
>                 break;
>         }
>
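Review bot: The boolean test in selinux_android_setfilecon2 runs after `context_range_set(ctx, cur->level)` has already modified `ctx`, so an entry whose boolean is off is skipped with `continue` only after its level (and presumably its type, set above the hunk) has been written into the context. If no later entry overwrites those fields, the file is labelled from a rule that was meant to be disabled. The `if (cur->sebool) { ... }` block should move up to sit with the other match tests, before anything is written to `ctx`, as the selinux_android_setcontext hunk already does by testing before `context_type_set`. The backslash after `selinux_log(SELINUX_ERROR,` is unnecessary outside a macro, and the message carries a trailing space. The loop starts outside the hunk.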
> @@ -443,6 +466,7 @@ int selinux_android_setcontext(uid_t uid,
>
>         for (i = 0; i < nspec; i++) {
>                 cur = seapp_contexts[i];
> +
>                 if (cur->isSystemServer != isSystemServer)
>                         continue;
>                 if (cur->user) {
> @@ -466,6 +490,17 @@ int selinux_android_setcontext(uid_t uid,
>                 if (!cur->domain)
>                         continue;
>
> +               if (cur->sebool) {
> +                       int value = security_get_boolean_active(cur->sebool);
> +                       if (value == 0)
> +                               continue;
> +                       else if (value == -1) {
> +                               selinux_log(SELINUX_ERROR, \
> +                               "Could not find boolean: %s ", cur->sebool);
> +                                goto err;
> +                        }
> +                }
> +
>                 if (context_type_set(ctx, cur->domain))
>                         goto oom;
>
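Review bot: `security_get_boolean_active()` returns -1 for any failure, not only for an unknown name, so the `value == -1` branch logs "Could not find boolean" for causes it cannot distinguish and then aborts the whole lookup with `goto err`. One misspelled or missing boolean in seapp_contexts therefore fails context assignment for every caller that reaches the entry; whether to fail closed like this or skip the entry is a policy decision that deserves a comment. The same eleven lines are duplicated in the selinux_android_setfilecon2 hunk with different indentation, so a small static helper would keep the two sites from drifting apart. The loop starts and ends outside the hunk.

```c
/* Returns 1 if the entry applies, 0 if its boolean is off, -1 if the boolean cannot be read. */
static int seapp_sebool_active(const struct seapp_context *cur)
{
	int value;

	if (!cur->sebool)
		return 1;
	value = security_get_boolean_active(cur->sebool);
	if (value < 0)
		selinux_log(SELINUX_ERROR, "%s:  could not read boolean %s",
			    __FUNCTION__, cur->sebool);
	return value;
}

/* … unchanged: earlier match tests in the lookup loop … */
		if (!cur->domain)
			continue;
		active = seapp_sebool_active(cur);	/* int active; declared with the other locals */
		if (active < 0)
			goto err;	/* fail closed: an unreadable boolean aborts the lookup */
		if (!active)
			continue;
```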
> --
> 1.7.0.4
>



-- 
Respectfully,

William C Roberts
