author | Dariusz Michaluk <d.michaluk@samsung.com> | 2019-03-14 16:46:06 +0100 |
committer | Dariusz Michaluk <d.michaluk@samsung.com> | 2019-04-09 14:39:03 +0200 |
commit | 5bedd9a288d821baa4ed7f36a6095295900ad920 (patch) | |
tree | f6d3a8e4ca0ed6d700ca9f0f33afd085da6470e3 /policy | |
parent | 2acc8b607c62832cbb06614e57c098117a375849 (diff) | |
Add new rules-loader options
--default - write all System/User rules (subject is not a package name)
--packages - write rules for list of packages
--exclude - write rules for all packages except list of packages
Change-Id: I66b2aa55f3419df8e93709e3191963d3f8e74ee4
Diffstat (limited to 'policy')
-rwxr-xr-x | policy/generate-rule-code | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/policy/generate-rule-code b/policy/generate-rule-code
index 50c270e8..c45a7e61 100755
--- a/policy/generate-rule-code
+++ b/policy/generate-rule-code
@@ -23,6 +23,7 @@ sub member { my $m = shift; grep { $_ eq $m } @_ }
 my @rulesAuthor;
 my @rulesPkgLabelAuthor;
 my @rulesPkgLabel;
+my @rulesSystemPkgLabel;
 my @rulesPathRW;
 my @rulesPath;
 my @rulesSharedRO;
@@ -52,7 +53,8 @@ for (sort @lines) {
 my %varCount;
 for (@segments[grep {$_%2} 0..$#segments]) {
 die "unknown var ($_)" if !member $_, qw(PATH_TRUSTED PROCESS PATH_RO PATH_RW PATH_SHARED_RO);
- ++$varCount{$_};
+ die "var used twice ($_)" if exists $varCount{$_};
+ $varCount{$_} = 1;
 }
 die "first segment ending with non-space character ($_)" if length $segments[0] && $segments[0] !~ / $/;
 die "last segment starting with non-space character ($_)" if length $segments[-1] && $segments[-1] !~ /^ /;
@@ -71,6 +73,7 @@ for (sort @lines) {
 $segments[-1] = $prePerm . join '', grep {exists $perm{$_}} split //, "rwxatlb";
 # partition rules into rough groups
+ die "invalid subject variable ($segments[1])" if $segments[0] eq '' && $segments[1] ne 'PROCESS';
 if (1 == keys %varCount) { # single variable rules
 if (exists $varCount{PATH_TRUSTED}) {
@@ -82,11 +85,10 @@ for (sort @lines) {
 } elsif (exists $varCount{PATH_RW}) {
 push @rulesPathRW, [@segments];
 } else { # PROCESS
- push @rulesPkgLabel, [@segments];
+ push @{$segments[0] eq '' ? \@rulesPkgLabel : \@rulesSystemPkgLabel}, [@segments];
 }
 } else { # multi variable rules
- die "multi-variable rule ($_) does not contain ~PROCESS~" if !exists $varCount{PROCESS};
 if (exists $varCount{PATH_TRUSTED}) {
 push @rulesPkgLabelAuthor, [@segments];
 } elsif (exists $varCount{PATH_RO} || exists $varCount{PATH_RW}) {
@@ -98,12 +100,12 @@ for (sort @lines) {
 }
 # for non-hybrid packages, ~PATH_RW~ == ~PROCESS~
-# this may lead to rule duplication between @rulesPathRW and @rulesPkgLabel
+# this may lead to rule duplication between @rulesPathRW and @rulesSystemPkgLabel
 #
 # in order to avoid this, @rulesPathRW is split into two groups:
 # rules having an isomorphic ~PROCESS~ rule end up in @rulesPathRWHybridOnly (not to be applied to non-hybrid packages)
 # other rules end up in @rulesPath (applied to all packages)
-my @pureProcessRulesAsPathRWRule = map {3 != @$_ ? () : ($_->[0].'~PATH_RW~'.$_->[2])} @rulesPkgLabel;
+my @pureProcessRulesAsPathRWRule = map {$_->[0].'~PATH_RW~'.$_->[2]} @rulesSystemPkgLabel;
 my @rulesPathRWHybridOnly;
 push @rulesPath, grep {
 my $asRule = $_->[0].'~PATH_RW~'.$_->[2];
@@ -147,6 +149,7 @@ sub rules {
 rules 'rulesAuthor', 0, @rulesAuthor;
 rules 'rulesPkgLabelAuthor', 1, @rulesPkgLabelAuthor;
 rules 'rulesPkgLabel', 0, @rulesPkgLabel;
+rules 'rulesSystemPkgLabel', 0, @rulesSystemPkgLabel;
 rules 'rulesPathRWHybridOnly', 0, @rulesPathRWHybridOnly;
 rules 'rulesPath', 0, @rulesPath;
 rules 'rulesSharedRO', 0, @rulesSharedRO;
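Review bot: The subject check added in the third hunk, `die "invalid subject variable ($segments[1])" if $segments[0] eq '' && $segments[1] ne 'PROCESS';`, only fires when the subject itself is a variable, while the fourth hunk drops the guard that rejected every multi-variable rule lacking ~PROCESS~, so the two together leave a gap the old code did not have. A template with a literal subject and two object-side variables (constructed shape: `System ~PATH_RO~ ~PATH_RW~`) now passes validation and falls through to the PATH_RO/PATH_RW branch of the multi-variable group, whose handling lies outside the hunk and presumably still assumes a ~PROCESS~ subject. Because these templates are expanded into access-control rules (the `rwxatlb` permission set in the hunk), a malformed template shape should fail the generator rather than be grouped silently; keeping the old condition restricted to the multi-variable case, `die "multi-variable rule ($_) does not contain ~PROCESS~" if 1 < keys %varCount && !exists $varCount{PROCESS};`, placed next to the new subject check, restores the rejection without blocking the literal-subject single-variable rules this commit introduces. The enclosing `for (sort @lines)` loop begins and ends outside these hunks.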