author | William Roberts <bill.c.roberts@gmail.com> | 2012-07-27 13:52:33 -0700 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2012-07-27 17:00:27 -0400 |
commit | 1b36ad00bfbea16ad4456a9fd715e594d57f2fd6 (patch) | |
tree | 9a3f4e20bcb24cc065b3769186c72f2e8c91bdb3 | |
parent | f77e60de67dbc84d06aa77adef6bdf80455ee9f5 (diff) | |
download | libselinux-1b36ad00bfbea16ad4456a9fd715e594d57f2fd6.tar.gz |
You can now specify a sebool= flag in seapp_contexts
A seapp rule containing an sebool clause will
ONLY be applied on a match to that boolean,
and only if the boolean is set to true.
Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
-rw-r--r-- | src/android.c | 48 |
1 files changed, 41 insertions, 7 deletions
diff --git a/src/android.c b/src/android.c
index 6418531..9120379 100644
--- a/src/android.c
+++ b/src/android.c
@@ -45,6 +45,7 @@ struct seapp_context {
 char *domain;
 char *type;
 char *level;
+ char *sebool;
 char levelFromUid;
 };
 
@@ -85,6 +86,12 @@ static int seapp_context_cmp(const void *A, const void *B)
 if (!s1->name && s2->name)
 return 1;
 
+ /* Give precedence to a specified sebool= over an unspecified sebool=. */
+ if (s1->sebool && !s2->sebool)
+ return -1;
+ if (!s1->sebool && s2->sebool)
+ return 1;
+
 /* Anything else has equal precedence. */
 return 0;
 }
@@ -196,6 +203,10 @@ int selinux_android_seapp_context_reload(void)
 cur->level = strdup(value);
 if (!cur->level)
 goto oom;
+ } else if (!strcasecmp(name, "sebool")) {
+ cur->sebool = strdup(value);
+ if (!cur->sebool)
+ goto oom;
 } else
 goto err;
 
@@ -217,12 +228,12 @@ int selinux_android_seapp_context_reload(void)
 int i;
 for (i = 0; i < nspec; i++) {
 cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s user=%s seinfo=%s name=%s -> domain=%s type=%s level=%s levelFromUid=%s",
- __FUNCTION__,
- cur->isSystemServer ? "true" : "false",
- cur->user, cur->seinfo, cur->name,
- cur->domain, cur->type, cur->level,
- cur->levelFromUid ? "true" : "false");
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s user=%s seinfo=%s name=%s sebool=%s -> domain=%s type=%s level=%s levelFromUid=%s",
+ __FUNCTION__,
+ cur->isSystemServer ? "true" : "false", cur->user,
+ cur->seinfo, cur->name, cur->sebool, cur->domain,
+ cur->type, cur->level,
+ cur->levelFromUid ? "true" : "false");
 }
 }
 #endif
@@ -335,6 +346,17 @@ int selinux_android_setfilecon2(const char *pkgdir,
 if (!cur->type)
 continue;
 
+ if (cur->sebool) {
+ int value = security_get_boolean_active(cur->sebool);
+ if (value == 0)
+ continue;
+ else if (value == -1) {
+ selinux_log(SELINUX_ERROR, \
+ "Could not find boolean: %s ", cur->sebool);
+ goto err;
+ }
+ }
+
 if (context_type_set(ctx, cur->type))
 goto oom;
 
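Review bot: The sebool string strdup'd in the @@ -196 hunk is not released by any hunk in this commit; if android.c has a teardown path that frees the other strdup'd fields (user, seinfo, name, domain, type, level) before a reload, it needs a matching `free(cur->sebool);` or each reload leaks one string per sebool= rule — that path is not visible from here. The value is also stored without being checked against the loaded policy, so a misspelled boolean name is only noticed when the rule is reached in selinux_android_setfilecon2/setcontext, where it becomes a `goto err`; if policy is already loaded when this parser runs (not visible in the hunk), `if (security_get_boolean_active(cur->sebool) < 0) goto err;` here would fail the load instead. The enclosing parsing loop starts and ends outside the hunk.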
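Review bot: The sebool check added in the @@ -335 hunk is repeated verbatim in the selinux_android_setcontext hunk (@@ -466), and both copies carry a stray `\` line continuation after `selinux_log(SELINUX_ERROR,` (harmless outside a macro, but it reads like a leftover) and a message with a trailing space and no terminating newline. `security_get_boolean_active()` returns -1 for any failure to read the boolean, not only for an unknown name, so "Could not find boolean" can mislead when selinuxfs is unavailable; logging strerror(errno) (needs <errno.h>/<string.h> if android.c does not already include them) says what actually went wrong. Factoring the check into one static helper as below keeps the two match loops identical. Both enclosing functions start and end outside the hunk.
```c
/* 1 = rule applies (no sebool= or boolean active), 0 = boolean inactive,
 * -1 = boolean could not be read (already logged). */
static int seapp_context_sebool_active(const struct seapp_context *cur)
{
	int value;

	if (!cur->sebool)
		return 1;
	value = security_get_boolean_active(cur->sebool);
	if (value < 0)
		selinux_log(SELINUX_ERROR, "Could not read boolean %s: %s\n",
			    cur->sebool, strerror(errno));
	return value;
}

/* … unchanged: selinux_android_setfilecon2 match loop up to the cur->type check … */
		if (!cur->type)
			continue;

		switch (seapp_context_sebool_active(cur)) {
		case 0:
			continue;	/* boolean off: this rule does not apply */
		case -1:
			goto err;
		default:
			break;
		}

		/* … unchanged: context_type_set(ctx, cur->type) and the rest … */
		/* … same switch replaces the copy in selinux_android_setcontext … */
```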
@@ -348,7 +370,7 @@ int selinux_android_setfilecon2(const char *pkgdir,
 if (context_range_set(ctx, cur->level))
 goto oom;
 }
-
+
 break;
 }
 
@@ -443,6 +465,7 @@ int selinux_android_setcontext(uid_t uid,
 for (i = 0; i < nspec; i++) {
 cur = seapp_contexts[i];
+
 if (cur->isSystemServer != isSystemServer)
 continue;
 
 if (cur->user) {
@@ -466,6 +489,17 @@ int selinux_android_setcontext(uid_t uid,
 if (!cur->domain)
 continue;
 
+ if (cur->sebool) {
+ int value = security_get_boolean_active(cur->sebool);
+ if (value == 0)
+ continue;
+ else if (value == -1) {
+ selinux_log(SELINUX_ERROR, \
+ "Could not find boolean: %s ", cur->sebool);
+ goto err;
+ }
+ }
+
 if (context_type_set(ctx, cur->domain))
 goto oom;
 