    checkseapp: Detect duplicate entries within seapp_contexts. · 0b820042
    Stephen Smalley authored
    
    Presently it only detects complete duplicates if you specify -s (strict),
    which is not used in the external/sepolicy Makefile, and it allows
    overriding earlier entries that have the same input selectors (e.g.
    user=, seinfo=) with different values for the output selectors (e.g.
    domain=, type=).  Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
    file can override the external/sepolicy definitions, and even a single
    seapp_contexts file can contain duplicated or conflicting definitions.
    
    Make it always check strictly, and prohibit either duplicates on the
    input selectors (i.e. overrides) or complete duplicates (redundant).
    
    Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
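
The two cases the commit message distinguishes, an override (same input selectors, different outputs) and a redundant entry (complete duplicate), shown as an added Python example that is not checkseapp's code and not part of this commit. It assumes that `domain`, `type`, `levelFrom` and `level` are the output selectors and every other key is an input; the file labels `base` and `device`, the `vendor_app` domain and the sample entries are constructed.

```python
# Added example, not checkseapp's code: flag seapp_contexts entries whose
# input selectors repeat an earlier entry, across one or more files.
# Assumption: these keys are outputs; every other key is an input selector.
OUTPUT_SELECTORS = {"domain", "type", "levelFrom", "level"}

def parse_entry(line):
    """Return (inputs, outputs) as frozensets of (key, value); None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    inputs, outputs = set(), set()
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed selector: {token!r}")
        (outputs if key in OUTPUT_SELECTORS else inputs).add((key, value))
    return frozenset(inputs), frozenset(outputs)  # selector order does not matter

def find_duplicates(sources):
    """sources: iterable of (label, text). Returns [(kind, first_location, duplicate_location)]."""
    seen, findings = {}, []  # seen maps inputs -> (outputs, location of first definition)
    for label, text in sources:
        for lineno, line in enumerate(text.splitlines(), 1):
            entry = parse_entry(line)
            if entry is None:
                continue
            inputs, outputs = entry
            loc = f"{label}:{lineno}"
            if inputs not in seen:
                seen[inputs] = (outputs, loc)
                continue
            first_outputs, first_loc = seen[inputs]
            kind = "redundant" if outputs == first_outputs else "override"
            findings.append((kind, first_loc, loc))
    return findings

# Constructed sample input: a base file followed by a device-specific file.
BASE = """\
isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=user
"""
DEVICE = """\
# device-specific additions
user=_app domain=untrusted_app type=app_data_file levelFrom=user
seinfo=platform user=system domain=vendor_app type=system_app_data_file
user=_app seinfo=vendor domain=vendor_app type=app_data_file
"""
FINDINGS = find_duplicates([("base", BASE), ("device", DEVICE)])
if __name__ == "__main__":
    print(*FINDINGS, sep="\n")
```

A build-time check in the spirit of the commit would treat any non-empty result as an error rather than letting the later entry win.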