diff options
| author | sanghyeok.oh <sanghyeok.oh@samsung.com> | 2019-04-23 15:18:15 +0900 |
|---|---|---|
| committer | sanghyeok.oh <sanghyeok.oh@samsung.com> | 2019-05-07 13:58:05 +0900 |
| commit | 16b23d5c3cbd1560b7038e0af89713fe7c47742f (patch) | |
| tree | 081cd493637327ae284c79fbba9396a4890dcdea /policychecker | |
| parent | ed799cffb3a685f77ed130b3f0d143aa07c7759e (diff) | |
| download | dbus-tools-16b23d5c3cbd1560b7038e0af89713fe7c47742f.tar.gz dbus-tools-16b23d5c3cbd1560b7038e0af89713fe7c47742f.tar.bz2 dbus-tools-16b23d5c3cbd1560b7038e0af89713fe7c47742f.zip | |
policychecker: add rule for group 'priv_*'submit/tizen/20190507.115737accepted/tizen/unified/20190508.111129
/usr/share/security-manager/policy/privilege-group.list
In case of App, 'priv_*' group is assigned by it's cynara privilege.
But, user daemon also has related 'priv_*' groups.
Due to this group assignment policy rule for group priv_* affects application, user daemons and process who has priv_*.
To prevent this unintended situation, block rule for group 'priv_*'.
Change-Id: I888f28375b017ec00c5fb85bc59557b2145bffbc
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
Diffstat (limited to 'policychecker')
| -rw-r--r-- | policychecker/rules.xsl | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl index 0b408a5..8d0bbe7 100644 --- a/policychecker/rules.xsl +++ b/policychecker/rules.xsl @@ -146,6 +146,7 @@ <sch:pattern name="Invalid group"> <sch:rule context="*[@group]"> <sch:assert test="@group = '*' or GROUPS_TEST">Group does not exist.</sch:assert> + <sch:assert test="not(starts-with(@group, 'priv_'))">Group 'priv_*' is not allowed.</sch:assert> </sch:rule> </sch:pattern> |