From 38084146e0fd665b68c8c4ff131cae9d07ef5993 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 28 Nov 2012 10:46:18 -0500
Subject: [PATCH] Generalize levelFromUid support.

Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.

Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app.  No change in behavior.

Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 seapp_contexts      |  7 ++++---
 tools/check_seapp.c | 10 ++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/seapp_contexts b/seapp_contexts
index 258477a9a..f0cea676a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -24,11 +24,12 @@
 # Outputs:
 #	domain (string)
 #	type (string)
-#	levelFromUid (boolean)
+#	levelFrom (string; one of none, all, app, or user)
 #	level (string)
 # Only entries that specify domain= will be used for app process labeling.
 # Only entries that specify type= will be used for app directory labeling.
-# levelfromUid is only supported for app UIDs presently.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID. 
 #
 isSystemServer=true domain=system
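Review bot: The Outputs comment no longer mentions levelFromUid, although the commit message says the key remains valid as deprecated syntax, so a reader who meets it in an older rule has nothing in this file to go on. I would keep a line such as `#	levelFromUid (boolean; deprecated, levelFromUid=true is equivalent to levelFrom=app)` under Outputs. The four levelFrom values are also listed without saying what each one derives the level from. A short comment per value (per-app, per-user, per-combination, as the commit message puts it) would help policy authors choose the intended isolation granularity.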
@@ -36,7 +37,7 @@ user=system domain=system_app type=system_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
-user=_app domain=untrusted_app type=app_data_file levelFromUid=true
+user=_app domain=untrusted_app type=app_data_file levelFrom=app
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 8001ceaf3..482d060f0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -162,6 +162,7 @@ key_map rules[] = {
                 { .name = "domain",         .type = dt_string, .dir = dir_out, .data = NULL },
                 { .name = "type",           .type = dt_string, .dir = dir_out, .data = NULL },
                 { .name = "levelFromUid",   .type = dt_bool,   .dir = dir_out, .data = NULL },
+                { .name = "levelFrom",      .type = dt_string,   .dir = dir_out, .data = NULL },
                 { .name = "level",          .type = dt_string, .dir = dir_out, .data = NULL },
 };
 
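Review bot: With `levelFrom` added next to `levelFromUid`, a single rule can now carry both keys, and nothing in this table or in the validation hunk below rejects a contradictory pair such as `levelFromUid=true levelFrom=none`. Which key wins would then depend on the on-device parser, which this patch does not show, and the outcome decides the level that separates one app's data from another's. Consider having the rule-level checks (outside this hunk) report an error when both keys appear on one line, and mark the old entry with a comment like `/* deprecated: levelFromUid=true is equivalent to levelFrom=app */`. Minor style: the new entry reads `.type = dt_string,   .dir`, with padding copied from the `dt_bool,` row, so the columns no longer line up.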
@@ -256,6 +257,15 @@ static int key_map_validate(key_map *m, int lineno) {
 		goto out;
 	}
 
+	if (!strcasecmp(key, "levelFrom") &&
+	    (strcasecmp(value, "none") && strcasecmp(value, "all") &&
+	     strcasecmp(value, "app") && strcasecmp(value, "user"))) {
+		log_error("Unknown levelFrom=%s on line: %d in file: %s\n",
+			  value, lineno, out_file_name);
+		rc = 0;
+		goto out;
+	}
+
 	/*
 	 * If their is no policy file present,
 	 * then it is not in strict mode so just return.
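Review bot: The new check accepts any of the four values for any rule, while the seapp_contexts comment in this same commit says `levelFrom=user` is only supported for _app or _isolated UIDs and `levelFrom=app`/`levelFrom=all` only for _app UIDs. A rule such as `user=system ... levelFrom=app` would therefore pass check_seapp at build time; how the runtime treats it is not visible here. Because key_map_validate looks at one key/value pair at a time (its body starts and ends outside this hunk), that cross-key check probably belongs where a whole rule is validated. Separately, values are matched with `strcasecmp`, so `levelFrom=App` is accepted. That is only safe if the on-device parser is equally case-insensitive, which is worth confirming and stating in a comment above the check.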
-- 
GitLab