author | Inseob Kim <inseob@google.com> | 2023-07-26 02:31:27 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-07-26 02:31:27 +0000 |
commit | 1847b12d4377b1d9333732cddb377e7e53ce3dbe (patch) | |
tree | 8aa999ae0b1031cc41d2ec516cb010e1651d6973 | |
parent | 5ad7961fff24d5804c0ed3391bd37cb86f0f7004 (diff) | |
parent | 066e9c5d2a6752f767530ffe07d65235ce664242 (diff) | |
download | selinux-1847b12d4377b1d9333732cddb377e7e53ce3dbe.tar.gz |
Fix preinstalled app partition check am: e7d2d82bbb am: 066e9c5d2a
Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475
Change-Id: I6c0b1f36bfcbd3469f98f30a455131b537453cd1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | libselinux/src/android/android_seapp.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index db7bd0bf..c0f6eb2d 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -702,9 +702,10 @@ static bool is_platform(const char *partition) {
 return false;
 }
-static bool check_preinstalled_app_partition(const char *spec, const char *app) {
+static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 // We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
- return !is_platform(spec) && is_platform(app);
+ // So, either the app shouldn't be platform, or the spec should be platform.
+ return !(is_platform(app_partition) && !is_platform(app_policy));
 }
@@ -896,14 +897,6 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 }
 if (cur->levelFrom != LEVELFROM_NONE) {
- if (isPreinstalledApp
- && !check_preinstalled_app_partition(cur->partition, partition)) {
- // TODO(b/280547417): make this an error after fixing violations
- selinux_log(SELINUX_ERROR,
- "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
- __FUNCTION__, pkgname, partition, cur->partition);
- }
-
 int res = set_range_from_level(ctx, cur->levelFrom, userid, appid);
 if (res != 0) {
 return res;
@@ -913,6 +906,14 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 goto oom;
 }
+ if (isPreinstalledApp
+ && !is_preinstalled_app_partition_valid(cur->partition, partition)) {
+ // TODO(b/280547417): make this an error after fixing violations
+ selinux_log(SELINUX_ERROR,
+ "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
+ __FUNCTION__, pkgname, partition, cur->partition);
+ }
+
 break;
 } |
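Review bot: In the first hunk, the comment on `is_preinstalled_app_partition_valid` still says "spec" although the parameter is now `app_policy`, and the `!(A && !B)` form hides the rule the comment states. The return would read more directly as `return !is_platform(app_partition) || is_platform(app_policy);`, with the second comment line changed to `// Valid when the app is not on a platform partition, or the matching policy entry is platform policy.` Separately, the only visible line of `is_platform` is its fall-through `return false;`, so an app partition string it does not recognise would presumably be classified as non-platform and pass this check. The rest of `is_platform` is outside the hunk, so it is worth confirming how NULL and unknown values are classified there.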
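Review bot: In the third hunk, the relocated check in `seapp_context_lookup_internal` passes `partition` and `cur->partition` to `%s` with no visible NULL guard, and it now runs for every matched entry rather than only those with `levelFrom` set. Both values are assigned outside the hunk, so if either can be NULL for a preinstalled app the format call is undefined behaviour in C. A guard such as `partition ? partition : "(null)"` on both arguments would make the message safe. Because the lookup still reaches `break` after logging, this message is the only signal of a mismatch until the TODO is resolved, so a one-line comment saying the label is still applied would help whoever later turns it into an error.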