PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Treat seinfo=default name=<anything> as an error.

Browse Source 
check_app already checks for usage of name= entries
in seapp_contexts with no seinfo= specification to
link it back to a signer in mac_permissions.xml.
However, one can avoid this error by specifying
a seinfo=default which merely matches the default
stanza of mac_permissions.xml without actually ensuring
that it is tied to a specific certificate.  Catch
that error case too.

Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-04-04 14:16:46 -04:00
parent e8c9fdac46
commit f4fa7567f4
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
tools/check_seapp.c
View File

@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
name = tmp->data;
found_name = true;
}
if(!strcmp(tmp->name, "seinfo") && tmp->data) {
if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
found_seinfo = true;
}
}
if(found_name && !found_seinfo) {
log_error("No seinfo specified with name=\"%s\", on line: %d\n",
log_error("No specific seinfo value specified with name=\"%s\", on line: %d: insecure configuration!\n",
name, rm->lineno);
return false;
}