authorStephen Smalley <sds@tycho.nsa.gov>2014-09-15 15:16:06 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-09-15 15:55:04 -0400
commitff4db9194e684a894939f88effc84f79f222e1c3 (patch)
treedf6a93c118a6eb8e8d8b115e28a85500de8791d9
parente7d136738fcd90346839b373bf3404d70c5334eb (diff)
Add isOwner= input selector for seapp_contexts.
Enable labeling apps differently depending on whether they are running for the primary user / owner or for a secondary user.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--seapp_contexts19
-rw-r--r--tools/check_seapp.c1
2 files changed, 13 insertions, 7 deletions
diff --git a/seapp_contexts b/seapp_contexts
index 26d0c8f..2d00dda 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
# Input selectors:
# isSystemServer (boolean)
+# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
@@ -7,6 +8,9 @@
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
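Review bot: The added line `# If unspecified, the entry can match either case.` sits directly under `# An unspecified isSystemServer defaults to false.`, so the two boolean selectors behave in opposite ways when omitted and the comment does not point that out. Every existing entry without isOwner= keeps applying to secondary users, so an entry meant only for the owner must state `isOwner=true` explicitly. I would spell this out, for example `# An unspecified isOwner matches both the owner and secondary users (it does not default to false like isSystemServer).`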
@@ -16,13 +20,14 @@
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
+# (2) Specified isOwner= before unspecified isOwner= boolean.
+# (3) Specified user= string before unspecified user= string.
+# (4) Fixed user= string before user= prefix (i.e. ending in *).
+# (5) Longer user= prefix before shorter user= prefix.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string.
+# (8) Specified path= string before unspecified path= string.
+# (9) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
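Review bot: New rule (2) ranks a specified isOwner= above every user=, seinfo= and name= comparison, and the comment block does not mention the consequence. An entry that sets only isOwner= would be chosen ahead of one that names a fixed user= and seinfo= but leaves isOwner= unspecified, so adding isOwner= to a broad entry can silently shadow narrower ones. Consider a line after the list such as `# Note: an entry with isOwner= set outranks any entry without it, however specific its user=/seinfo=/name=.` The matching code is not part of this commit, so this reads the documented order literally.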
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 39fe77e..af780a3 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -157,6 +157,7 @@ static policy_info pol = {
key_map rules[] = {
/*Inputs*/
{ .name = "isSystemServer", .type = dt_bool, .dir = dir_in, .data = NULL },
+ { .name = "isOwner", .type = dt_bool, .dir = dir_in, .data = NULL },
{ .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
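Review bot: The new `isOwner` row in `rules[]` has no comment tying it to the selector list in seapp_contexts or to the code that interprets the file at runtime. This table appears to define which input keys the build-time checker accepts. If the runtime parser does not know the same key, an entry could pass the check and still be matched differently on the device; this is inferred, since the parser is not in this commit. I would add above the inputs something like `/* Inputs: keep in sync with the selector list in seapp_contexts and with the runtime seapp_contexts parser */`. The `rules[]` initializer continues outside the hunk.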