[prev in list] [next in list] [prev in thread] [next in thread]
List: selinux
Subject: Re: [PATCH] You can now specify a sebool= flag in seapp_contexts
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2012-07-27 21:18:51
Message-ID: 1343423931.17570.117.camel () moss-pluto ! epoch ! ncsc ! mil
[Download RAW message or body]
On Fri, 2012-07-27 at 17:06 -0400, Stephen Smalley wrote:
> On Fri, 2012-07-27 at 13:59 -0700, William Roberts wrote:
> > The seapp rule will containing an sebool clause will
> > ONLY be applied on a match to that boolean,
> > and only if the boolean is set to true.
> >
> > Change-Id: Ifdba35cd3a78ce1c8173786514db649203018e28
> > Signed-off-by: William Roberts <w.roberts@sta.samsung.com>
>
> Thanks, applied.
Also updated seapp_contexts configuration comment header to mention the
new selector. But feel free to augment with more description.
>
> > ---
> > src/android.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
> > 1 files changed, 41 insertions(+), 7 deletions(-)
> >
> > diff --git a/src/android.c b/src/android.c
> > index 83ba7b7..7974391 100644
> > --- a/src/android.c
> > +++ b/src/android.c
> > @@ -45,6 +45,7 @@ struct seapp_context {
> > char *domain;
> > char *type;
> > char *level;
> > + char *sebool;
> > char levelFromUid;
> > };
> >
> > @@ -85,6 +86,12 @@ static int seapp_context_cmp(const void *A, const void *B)
> > if (!s1->name && s2->name)
> > return 1;
> >
> > + /* Give precedence to a specified sebool= over an unspecified sebool=. \
> > */ + if (s1->sebool && !s2->sebool)
> > + return -1;
> > + if (!s1->sebool && s2->sebool)
> > + return 1;
> > +
> > /* Anything else has equal precedence. */
> > return 0;
> > }
> > @@ -196,6 +203,10 @@ int selinux_android_seapp_context_reload(void)
> > cur->level = strdup(value);
> > if (!cur->level)
> > goto oom;
> > + } else if (!strcasecmp(name, "sebool")) {
> > + cur->sebool = strdup(value);
> > + if (!cur->sebool)
> > + goto oom;
> > } else
> > goto err;
> >
> > @@ -217,12 +228,12 @@ int selinux_android_seapp_context_reload(void)
> > int i;
> > for (i = 0; i < nspec; i++) {
> > cur = seapp_contexts[i];
> > - selinux_log(SELINUX_INFO, "%s: isSystemServer=%s user=%s seinfo=%s name=%s \
> > -> domain=%s type=%s level=%s levelFromUid=%s",
> > - __FUNCTION__,
> > - cur->isSystemServer ? "true" : "false",
> > - cur->user, cur->seinfo, cur->name,
> > - cur->domain, cur->type, cur->level,
> > - cur->levelFromUid ? "true" : "false");
> > + selinux_log(SELINUX_INFO, "%s: isSystemServer=%s user=%s seinfo=%s name=%s \
> > sebool=%s -> domain=%s type=%s level=%s levelFromUid=%s", + __FUNCTION__,
> > + cur->isSystemServer ? "true" : "false", cur->user,
> > + cur->seinfo, cur->name, cur->sebool, cur->domain,
> > + cur->type, cur->level,
> > + cur->levelFromUid ? "true" : "false");
> > }
> > }
> > #endif
> > @@ -335,6 +346,17 @@ int selinux_android_setfilecon2(const char *pkgdir,
> > if (!cur->type)
> > continue;
> >
> > + if (cur->sebool) {
> > + int value = security_get_boolean_active(cur->sebool);
> > + if (value == 0)
> > + continue;
> > + else if (value == -1) {
> > + selinux_log(SELINUX_ERROR,
> > + "Could not find boolean: %s ", cur->sebool);
> > + goto err;
> > + }
> > + }
> > +
> > if (context_type_set(ctx, cur->type))
> > goto oom;
> >
> > @@ -348,7 +370,7 @@ int selinux_android_setfilecon2(const char *pkgdir,
> > if (context_range_set(ctx, cur->level))
> > goto oom;
> > }
> > -
> > +
> > break;
> > }
> >
> > @@ -443,6 +465,7 @@ int selinux_android_setcontext(uid_t uid,
> >
> > for (i = 0; i < nspec; i++) {
> > cur = seapp_contexts[i];
> > +
> > if (cur->isSystemServer != isSystemServer)
> > continue;
> > if (cur->user) {
> > @@ -466,6 +489,17 @@ int selinux_android_setcontext(uid_t uid,
> > if (!cur->domain)
> > continue;
> >
> > + if (cur->sebool) {
> > + int value = security_get_boolean_active(cur->sebool);
> > + if (value == 0)
> > + continue;
> > + else if (value == -1) {
> > + selinux_log(SELINUX_ERROR,
> > + "Could not find boolean: %s ", cur->sebool);
> > + goto err;
> > + }
> > + }
> > +
> > if (context_type_set(ctx, cur->domain))
> > goto oom;
> >
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic