Please hold off on submission. We're discussing if this is really necessary.
On Thu, Oct 19, 2017 at 4:49 PM, Jaekyun Seok via Selinux
<selinux@xxxxxxxxxxxxx> wrote:
> Performs exact match if a property key of property contexts ends with '$'
> instead of prefix match.
>
> This will enable to define an exact rule which can avoid unexpected
> context assignment.
>
> Signed-off-by: Jaekyun Seok <jaekyun@xxxxxxxxxx>
> ---
> libselinux/src/label_backends_android.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
> index cb8aae26..4611d396 100644
> --- a/libselinux/src/label_backends_android.c
> +++ b/libselinux/src/label_backends_android.c
> @@ -258,8 +258,13 @@ static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec,
> }
>
> for (i = 0; i < data->nspec; i++) {
> - if (strncmp(spec_arr[i].property_key, key,
> - strlen(spec_arr[i].property_key)) == 0) {
> + size_t property_key_len = strlen(spec_arr[i].property_key);
> + if (spec_arr[i].property_key[property_key_len - 1] == '$' &&
> + strlen(key) == property_key_len - 1 &&
> + strncmp(spec_arr[i].property_key, key, property_key_len - 1) == 0) {
> + break;
> + }
> + if (strncmp(spec_arr[i].property_key, key, property_key_len) == 0) {
> break;
> }
> if (strncmp(spec_arr[i].property_key, "*", 1) == 0)
> --
> 2.15.0.rc0.271.g36b669edcc-goog
>
>
