Skip to content
Snippets Groups Projects
Commit 61846291 authored by William Roberts's avatar William Roberts
Browse files

tools: require that seinfo and packagename be used 

Modify check_seapp.c to verify that a packagname (name)
must be specified with a signing key (seinfo). This will
help thwart spoof attacks on the packagename.

Change-Id: I8f1aa8a479cb5beb5c3522d85e3181604931ea72
parent d1f1070a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 48 additions and 0 deletions
tools/check_seapp.c
+ 48
0
View file @ 61846291
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#include <errno.h> #include <errno.h>
#include <stdint.h> #include <stdint.h>
#include <search.h> #include <search.h>
#include <stdbool.h>
#include <sepol/sepol.h> #include <sepol/sepol.h>
#include <sepol/policydb/policydb.h> #include <sepol/policydb/policydb.h>
...@@ -458,6 +459,46 @@ static void free_kvp(kvp *k) { ...@@ -458,6 +459,46 @@ static void free_kvp(kvp *k) {
free(k->value); free(k->value);
} }
/**
* Checks a rule_map for any variation of KVP's that shouldn't be allowed.
* Note that this function logs all errors.
*
* Current Checks:
* 1. That a specified name entry should have a specified seinfo entry as well.
* @param rm
* The rule map to check for validity.
* @return
* true if the rule is valid, false otherwise.
*/
static bool rule_map_validate(const rule_map *rm) {
int i;
bool found_name = false;
bool found_seinfo = false;
char *name = NULL;
key_map *tmp;
for(i=0; i < rm->length; i++) {
tmp = &(rm->m[i]);
if(!strcmp(tmp->name, "name") && tmp->data) {
name = tmp->data;
found_name = true;
}
if(!strcmp(tmp->name, "seinfo") && tmp->data) {
found_seinfo = true;
}
}
if(found_name && !found_seinfo) {
log_error("No seinfo specified with name=\"%s\", on line: %d\n",
name, rm->lineno);
return false;
}
return true;
}
/** /**
* Given a set of key value pairs, this will construct a new rule map. * Given a set of key value pairs, this will construct a new rule map.
* On error this function calls exit. * On error this function calls exit.
...@@ -473,6 +514,7 @@ static void free_kvp(kvp *k) { ...@@ -473,6 +514,7 @@ static void free_kvp(kvp *k) {
static rule_map *rule_map_new(kvp keys[], unsigned int num_of_keys, int lineno) { static rule_map *rule_map_new(kvp keys[], unsigned int num_of_keys, int lineno) {
unsigned int i = 0, j = 0; unsigned int i = 0, j = 0;
bool valid_rule;
rule_map *new_map = NULL; rule_map *new_map = NULL;
kvp *k = NULL; kvp *k = NULL;
key_map *r = NULL, *x = NULL; key_map *r = NULL, *x = NULL;
...@@ -546,6 +588,12 @@ static rule_map *rule_map_new(kvp keys[], unsigned int num_of_keys, int lineno) ...@@ -546,6 +588,12 @@ static rule_map *rule_map_new(kvp keys[], unsigned int num_of_keys, int lineno)
goto err; goto err;
} }
valid_rule = rule_map_validate(new_map);
if(!valid_rule) {
/* Error message logged from rule_map_validate() */
goto err;
}
return new_map; return new_map;
oom: oom:
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment