Generalize levelFromUid support.

Introduce a levelFrom=none|app|user|all syntax for specifying per-app, per-user, or per-combination level assignment. levelFromUid=true|false remains valid syntax but is deprecated. levelFromUid=true is equivalent to levelFrom=app. Update check_seapp to accept the new syntax. Update seapp_contexts to document the new syntax and switch from levelFromUid=true to levelFrom=app. No change in behavior. Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Generalize levelFromUid support.
Introduce a levelFrom=none|app|user|all syntax for specifying per-app, per-user, or per-combination level assignment. levelFromUid=true|false remains valid syntax but is deprecated. levelFromUid=true is equivalent to levelFrom=app. Update check_seapp to accept the new syntax. Update seapp_contexts to document the new syntax and switch from levelFromUid=true to levelFrom=app. No change in behavior. Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
38084146 · Stephen Smalley · Gerrit Code Review · ae0fcf1f · 38084146 · 38084146
Commit 38084146 authored 12 years ago by Stephen Smalley Committed by Gerrit Code Review 12 years ago
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -24,11 +24,12 @@
 # Outputs:
 #	domain (string)
 #	type (string)
-#	levelFromUid (boolean)
+#	levelFrom (string; one of none, all, app, or user)
 #	level (string)
 # Only entries that specify domain= will be used for app process labeling.
 # Only entries that specify type= will be used for app directory labeling.
-# levelfromUid is only supported for app UIDs presently.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID. 
 #
 isSystemServer=true domain=system
@@ -36,7 +37,7 @@ user=system domain=system_app type=system_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
-user=_app domain=untrusted_app type=app_data_file levelFromUid=true
+user=_app domain=untrusted_app type=app_data_file levelFrom=app
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file

--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -162,6 +162,7 @@ key_map rules[] = {
                { .name = "domain",         .type = dt_string, .dir = dir_out, .data = NULL },
                { .name = "type",           .type = dt_string, .dir = dir_out, .data = NULL },
                { .name = "levelFromUid",   .type = dt_bool,   .dir = dir_out, .data = NULL },
+                { .name = "levelFrom",      .type = dt_string,   .dir = dir_out, .data = NULL },
                { .name = "level",          .type = dt_string, .dir = dir_out, .data = NULL },
 };
@@ -256,6 +257,15 @@ static int key_map_validate(key_map *m, int lineno) {
 		goto out;
 	}
+	if (!strcasecmp(key, "levelFrom") &&
+	    (strcasecmp(value, "none") && strcasecmp(value, "all") &&
+	     strcasecmp(value, "app") && strcasecmp(value, "user"))) {
+		log_error("Unknown levelFrom=%s on line: %d in file: %s\n",
+			  value, lineno, out_file_name);
+		rc = 0;
+		goto out;
+	}
 	/*
 	 * If their is no policy file present,
 	 * then it is not in strict mode so just return.