From ff4db9194e684a894939f88effc84f79f222e1c3 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 15 Sep 2014 15:16:06 -0400
Subject: [PATCH] Add isOwner= input selector for seapp_contexts.

Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 seapp_contexts      | 19 ++++++++++++-------
 tools/check_seapp.c |  1 +
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/seapp_contexts b/seapp_contexts
index 26d0c8f37..2d00dda2e 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
 # Input selectors:
 #	isSystemServer (boolean)
+#	isOwner (boolean)
 #	user (string)
 #	seinfo (string)
 #	name (string)
@@ -7,6 +8,9 @@
 #	sebool (string)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
 # An unspecified string selector will match any value.
 # A user string selector that ends in * will perform a prefix match.
 # user=_app will match any regular app UID.
@@ -16,13 +20,14 @@
 #
 # Precedence rules:
 # 	  (1) isSystemServer=true before isSystemServer=false.
-#	  (2) Specified user= string before unspecified user= string.
-#	  (3) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (4) Longer user= prefix before shorter user= prefix.
-#	  (5) Specified seinfo= string before unspecified seinfo= string.
-#	  (6) Specified name= string before unspecified name= string.
-#	  (7) Specified path= string before unspecified path= string.
-#	  (8) Specified sebool= string before unspecified sebool= string.
+# 	  (2) Specified isOwner= before unspecified isOwner= boolean.
+#	  (3) Specified user= string before unspecified user= string.
+#	  (4) Fixed user= string before user= prefix (i.e. ending in *).
+#	  (5) Longer user= prefix before shorter user= prefix.
+#	  (6) Specified seinfo= string before unspecified seinfo= string.
+#	  (7) Specified name= string before unspecified name= string.
+#	  (8) Specified path= string before unspecified path= string.
+#	  (9) Specified sebool= string before unspecified sebool= string.
 #
 # Outputs:
 #	domain (string)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 39fe77e18..af780a359 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -157,6 +157,7 @@ static policy_info pol = {
 key_map rules[] = {
                 /*Inputs*/
                 { .name = "isSystemServer", .type = dt_bool,   .dir = dir_in,  .data = NULL },
+                { .name = "isOwner",        .type = dt_bool,   .dir = dir_in,  .data = NULL },
                 { .name = "user",           .type = dt_string, .dir = dir_in,  .data = NULL },
                 { .name = "seinfo",         .type = dt_string, .dir = dir_in,  .data = NULL },
                 { .name = "name",           .type = dt_string, .dir = dir_in,  .data = NULL },
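Review bot: The new `isOwner` row only registers the key with check_seapp so that `isOwner=` lines parse as a boolean input; nothing in this commit implements the owner/secondary-user match itself, so a seapp_contexts file using the selector will pass the checker while the actual lookup behaviour presumably depends on a libselinux change outside this patch. It would help maintainers to say so next to the entry, e.g. `/* matched at lookup time by libselinux; check_seapp only validates syntax and precedence */`, or in the commit message. The row is placed between isSystemServer and user, which mirrors the precedence order documented in seapp_contexts; if the table order is what drives the precedence check, that dependency is worth a one-line comment at the top of rules[] as well. The rules[] initializer continues past the end of the hunk.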
-- 
GitLab