authorInseob Kim <inseob@google.com>2023-07-24 11:06:47 +0900
committerInseob Kim <inseob@google.com>2023-07-25 10:33:06 +0900
commite7d2d82bbb1202c34c0ae2491e9825436878bbcc (patch)
tree8aa999ae0b1031cc41d2ec516cb010e1651d6973
parentbe36d7106882bf6819c5a14632dac4937377af37 (diff)
Fix preinstalled app partition check
There is a bug in the code that checks the partition, so it prints wrong logcat messages. This fixes it and renames the function for better readability. It also fixes a bug where the check only happened when levelFrom != NONE. Bug: 291005833 Test: boot and see logcat Merged-In: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408 Change-Id: I2dd51a995d76b2c50dae2b2c4af8e3a3a4599408 (cherry picked from commit 321c0252599f525833bea20d9b3b7e3f1d0edee1)
-rw-r--r--libselinux/src/android/android_seapp.c21
1 files changed, 11 insertions, 10 deletions
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index db7bd0bf..c0f6eb2d 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -702,9 +702,10 @@ static bool is_platform(const char *partition) {
return false;
}
-static bool check_preinstalled_app_partition(const char *spec, const char *app) {
+static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
// We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
- return !is_platform(spec) && is_platform(app);
+ // So, either the app shouldn't be platform, or the spec should be platform.
+ return !(is_platform(app_partition) && !is_platform(app_policy));
}
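Review bot: The return expression in `is_preinstalled_app_partition_valid` is a negated conjunction, while the comment above it states the rule as a disjunction, so a reader must apply De Morgan to confirm that this partition-separation predicate matches its description. Writing it as `return !is_platform(app_partition) || is_platform(app_policy);` would mirror the comment directly. The added comment also still says "the spec should be platform" although the parameter is now `app_policy`; `// So either the app is not on a platform partition, or the matching policy entry is a platform one.` would keep the wording in line with the new names. `is_platform`'s body is mostly outside this hunk, so how it treats a NULL partition string cannot be confirmed from here.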
@@ -896,14 +897,6 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
}
if (cur->levelFrom != LEVELFROM_NONE) {
- if (isPreinstalledApp
- && !check_preinstalled_app_partition(cur->partition, partition)) {
- // TODO(b/280547417): make this an error after fixing violations
- selinux_log(SELINUX_ERROR,
- "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
- __FUNCTION__, pkgname, partition, cur->partition);
- }
-
int res = set_range_from_level(ctx, cur->levelFrom, userid, appid);
if (res != 0) {
return res;
@@ -913,6 +906,14 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
goto oom;
}
+ if (isPreinstalledApp
+ && !is_preinstalled_app_partition_valid(cur->partition, partition)) {
+ // TODO(b/280547417): make this an error after fixing violations
+ selinux_log(SELINUX_ERROR,
+ "%s: App %s preinstalled to %s can't be labeled with %s sepolicy",
+ __FUNCTION__, pkgname, partition, cur->partition);
+ }
+
break;
}
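Review bot: The relocated check in `seapp_context_lookup_internal` is still advisory only: when `is_preinstalled_app_partition_valid` fails, the code logs at `SELINUX_ERROR` and then falls through to `break`, so the entry's label still appears to be applied to the platform-preinstalled app. The TODO hints at this, but a comment such as `// Log-only for now: the lookup still succeeds and the vendor-defined label is used.` would stop readers from treating it as an enforced boundary. Because the check now sits after `set_range_from_level` and the `goto oom` path, an early return there skips the violation log for that lookup. The check now also runs for entries with `levelFrom == LEVELFROM_NONE`, so it is worth confirming that `cur->partition` and `partition` are always non-NULL when `isPreinstalledApp` is set. The function starts and ends outside this hunk.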