authorStephen Smalley <sds@tycho.nsa.gov>2014-04-04 14:16:46 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-04-04 14:16:46 -0400
commitf4fa7567f4e3d010a3e96c22034bf19fa05d15a7 (patch)
tree10f3bdabe84afa7c71369c58d29af937327f4234 /tools
parente8c9fdac46c2ae972fd9e0f97b442d59b349e718 (diff)
Treat seinfo=default name=<anything> as an error.
check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too. Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'tools')
-rw-r--r--tools/check_seapp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e5108e3..39fe77e 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
name = tmp->data;
found_name = true;
}
- if(!strcmp(tmp->name, "seinfo") && tmp->data) {
+ if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
found_seinfo = true;
}
}
if(found_name && !found_seinfo) {
- log_error("No seinfo specified with name=\"%s\", on line: %d\n",
+ log_error("No specific seinfo value specified with name=\"%s\", on line: %d: insecure configuration!\n",
name, rm->lineno);
return false;
}
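Review bot: The new `strcmp(tmp->data, "default")` test in the seinfo branch hard-codes the one value it rejects and has no comment saying why, so a reader has to go to the commit message to learn that seinfo=default only matches the default stanza of mac_permissions.xml and ties name= to no certificate. A comment above the condition would keep that reasoning in the code, for example `/* seinfo=default matches only the default stanza of mac_permissions.xml, so it does not tie name= to a signer */`. The comparison is exact and case-sensitive, and nothing visible in this hunk checks the value against mac_permissions.xml itself, so a policy whose default stanza assigns some other seinfo string would presumably still pass; it is worth confirming whether that can happen. rule_map_validate starts and ends outside the hunk.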