Re: [PATCH] You can now specify a sebool= flag in seapp_contexts


 



On Fri, 2012-07-27 at 13:59 -0700, William Roberts wrote:
> A seapp rule containing an sebool clause will
> ONLY be applied on a match to that boolean,
> and only if the boolean is set to true.
> 
> Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
> Signed-off-by: William Roberts <w.roberts@xxxxxxxxxxxxxxx>

Thanks, applied.

> ---
>  src/android.c |   48 +++++++++++++++++++++++++++++++++++++++++-------
>  1 files changed, 41 insertions(+), 7 deletions(-)
> 
> diff --git a/src/android.c b/src/android.c
> index 83ba7b7..7974391 100644
> --- a/src/android.c
> +++ b/src/android.c
> @@ -45,6 +45,7 @@ struct seapp_context {
>  	char *domain;
>  	char *type;
>  	char *level;
> +	char *sebool;
>  	char levelFromUid;
>  };
>  
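Review bot: The new `sebool` member at L31 has no comment, and unlike the neighbouring fields its semantics are not obvious from the name: per the lookup hunks below, a rule carrying it is skipped while the boolean is false and becomes a hard error if the boolean cannot be read. A one-liner would save the next reader a trip to those functions: `char *sebool;   /* policy boolean name; rule applies only while it is true */`. Whatever path frees the other strdup'd members is not visible here.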
> @@ -85,6 +86,12 @@ static int seapp_context_cmp(const void *A, const void *B)
>  	if (!s1->name && s2->name)
>  		return 1;
>  
> +        /* Give precedence to a specified sebool= over an unspecified sebool=. */
> +        if (s1->sebool && !s2->sebool)
> +                return -1;
> +        if (!s1->sebool && s2->sebool)
> +                return 1;
> +
>  	/* Anything else has equal precedence. */
>  	return 0;
>  }
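Review bot: The added comparisons at L39–L43 are indented with spaces while the surrounding function uses tabs (L36–L37); re-indent with tabs so the file stays consistent and later diffs stay clean. The ordering itself is right — a sebool-qualified rule has to sort ahead of its unqualified fallback or the fallback would always match first — but two rules that differ only in which boolean they name still compare equal and fall through to "equal precedence", so with qsort their relative order is unspecified; if a deterministic order matters, add a tiebreak such as `if (s1->sebool && s2->sebool) return strcmp(s1->sebool, s2->sebool);`. seapp_context_cmp begins before this hunk.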
> @@ -196,6 +203,10 @@ int selinux_android_seapp_context_reload(void)
>  				cur->level = strdup(value);
>  				if (!cur->level)
>  					goto oom;
> +			} else if (!strcasecmp(name, "sebool")) {
> +				cur->sebool = strdup(value);
> +				if (!cur->sebool)
> +					goto oom;
>  			} else
>  				goto err;
>  
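Review bot: The value parsed at L52–L55 is stored without any validation, so a mistyped boolean name in seapp_contexts is not reported at reload time but only when an app that matches the rule is later labelled, where it turns into an error (see the lookup hunks below). If selinuxfs is available when reload runs, probing it once here with `security_get_boolean_active(value)` and taking `goto err` on -1 would make a bad file fail at load rather than at first use; an empty value should be rejected the same way. Nothing in this patch frees `cur->sebool`, so unless the teardown that releases `domain`/`type`/`level` on reload is also updated (not shown), every reload leaks the string. selinux_android_seapp_context_reload continues outside the hunk.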
> @@ -217,12 +228,12 @@ int selinux_android_seapp_context_reload(void)
>  		int i;
>  		for (i = 0; i < nspec; i++) {
>  			cur = seapp_contexts[i];
> -			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s user=%s seinfo=%s name=%s -> domain=%s type=%s level=%s levelFromUid=%s",
> -				    __FUNCTION__,
> -				    cur->isSystemServer ? "true" : "false",
> -				    cur->user, cur->seinfo, cur->name,
> -				    cur->domain, cur->type, cur->level,
> -				    cur->levelFromUid ? "true" : "false");
> +			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s user=%s seinfo=%s name=%s sebool=%s -> domain=%s type=%s level=%s levelFromUid=%s",
> +			__FUNCTION__,
> +			cur->isSystemServer ? "true" : "false", cur->user,
> +			cur->seinfo, cur->name, cur->sebool, cur->domain,
> +			cur->type, cur->level,
> +			cur->levelFromUid ? "true" : "false");
>  		}
>  	}
>  #endif
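Review bot: `cur->sebool` is NULL for every rule that does not set it, and L72 passes it directly to a `%s` conversion; glibc and bionic happen to print "(null)", but the C standard makes this undefined, and the same hazard already exists for `user`/`seinfo`/`name` in this debug log. Since the format string is being rewritten anyway, guard the new argument: `cur->sebool ? cur->sebool : "(none)"`.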
> @@ -335,6 +346,17 @@ int selinux_android_setfilecon2(const char *pkgdir,
>  		if (!cur->type)
>  			continue;
>  
> +		if (cur->sebool) {
> +			int value = security_get_boolean_active(cur->sebool);
> +			if (value == 0)
> +				continue;
> +			else if (value == -1) {
> +				selinux_log(SELINUX_ERROR,
> +				"Could not find boolean: %s ", cur->sebool);
> +				goto err;
> +			}
> +		}
> +
>  		if (context_type_set(ctx, cur->type))
>  			goto oom;
>  
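Review bot: The error branch at L86 tests `value == -1` and logs "Could not find boolean", but `security_get_boolean_active()` returns -1 for any failure (selinuxfs not mounted, permission denied, read error), not only an unknown name, so the message can mislead and any other negative return would fall through and apply the rule. Use `if (value < 0)` and include the cause, e.g. `selinux_log(SELINUX_ERROR, "Could not query boolean %s: %s\n", cur->sebool, strerror(errno));` (assuming <errno.h>/<string.h> are already included; the current message also lacks a newline and has a stray trailing space). Failing with `goto err` rather than silently skipping the rule is reasonable here — an unreadable boolean most likely means policy and seapp_contexts are out of sync, which is better surfaced than hidden. selinux_android_setfilecon2 continues outside the hunk.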
> @@ -348,7 +370,7 @@ int selinux_android_setfilecon2(const char *pkgdir,
>  			if (context_range_set(ctx, cur->level))
>  				goto oom;
>  		}
> -		
> +
>  		break;
>  	}
>  
> @@ -443,6 +465,7 @@ int selinux_android_setcontext(uid_t uid,
>  
>  	for (i = 0; i < nspec; i++) {
>  		cur = seapp_contexts[i];
> +
>  		if (cur->isSystemServer != isSystemServer)
>  			continue;
>  		if (cur->user) {
> @@ -466,6 +489,17 @@ int selinux_android_setcontext(uid_t uid,
>  		if (!cur->domain)
>  			continue;
>  
> +		if (cur->sebool) {
> +			int value = security_get_boolean_active(cur->sebool);
> +			if (value == 0)
> +				continue;
> +			else if (value == -1) {
> +				selinux_log(SELINUX_ERROR,
> +				"Could not find boolean: %s ", cur->sebool);
> +                                goto err;
> +                        }
> +                }
> +
>  		if (context_type_set(ctx, cur->domain))
>  			goto oom;
>  
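Review bot: L117–L126 repeats the boolean check from selinux_android_setfilecon2 verbatim, and this copy also mixes tab and space indentation (L124–L126). Factoring the check into one static helper that returns 1/0/-1 and does the logging keeps both call sites in sync (including a `< 0` comparison instead of `== -1`) and leaves the error message in a single place. selinux_android_setcontext continues outside the hunk.
```c
/* Returns 1 if the rule has no sebool= or its boolean is active, 0 if the
 * boolean is inactive, -1 (after logging) if it could not be queried. */
static int seapp_sebool_active(const struct seapp_context *cur)
{
	int value;

	if (!cur->sebool)
		return 1;
	value = security_get_boolean_active(cur->sebool);
	if (value < 0)
		selinux_log(SELINUX_ERROR, "Could not query boolean: %s\n",
			    cur->sebool);
	return value;
}

/* … unchanged: selinux_android_setcontext up to the domain check … */
		int active = seapp_sebool_active(cur);
		if (active == 0)
			continue;
		if (active < 0)
			goto err;
```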

-- 
Stephen Smalley
National Security Agency




