From f4fa7567f4e3d010a3e96c22034bf19fa05d15a7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 4 Apr 2014 14:16:46 -0400
Subject: Treat seinfo=default name= as an error.

check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too.

Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley
---
 tools/check_seapp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'tools/check_seapp.c')

diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e5108e3..39fe77e 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
 name = tmp->data;
 found_name = true;
 }
- if(!strcmp(tmp->name, "seinfo") && tmp->data) {
+ if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
 found_seinfo = true;
 }
 }
 if(found_name && !found_seinfo) {
- log_error("No seinfo specified with name=\"%s\", on line: %d\n",
+ log_error("No specific seinfo value specified with name=\"%s\", on line: %d: insecure configuration!\n",
 name, rm->lineno);
 return false;
 }
--
cgit v1.2.3
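Review bot: The new condition rejects the bare literal `"default"` with no comment saying why that one seinfo value is treated like a missing one, and the check only establishes "present and not default" — it does not confirm that the seinfo value names a signer stanza in mac_permissions.xml, so a misspelled seinfo would still pass this test unless another check in the tool covers it (not visible from this hunk). A why-comment above the `if` would make the intent durable: `/* seinfo=default matches only the catch-all default stanza of mac_permissions.xml, so it does not bind this name= entry to a signer certificate; treat it like a missing seinfo. */`. Hoisting the literal into a file-scope constant (a constructed name such as `static const char DEFAULT_SEINFO[] = "default";`) would keep it in step with any other use of the same string in the tool. rule_map_validate starts before the hunk and continues past it.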