policychecker: add rule for group 'priv_*' 33/204333/2 accepted/tizen/unified/20190508.111129 submit/tizen/20190507.115737
author sanghyeok.oh <sanghyeok.oh@samsung.com>
Tue, 23 Apr 2019 06:18:15 +0000 (15:18 +0900)
committer sanghyeok.oh <sanghyeok.oh@samsung.com>
Tue, 7 May 2019 04:58:05 +0000 (13:58 +0900)
/usr/share/security-manager/policy/privilege-group.list

In case of App, 'priv_*' group is assigned by its cynara privilege.
But, user daemon also has related 'priv_*' groups.
Due to this group assignment, policy rule for group priv_* affects applications, user daemons and processes that have priv_*.
To prevent this unintended situation, block rule for group 'priv_*'.

Change-Id: I888f28375b017ec00c5fb85bc59557b2145bffbc
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
policychecker/rules.xsl

index 0b408a5600e1a156b89fde22b51a35b71677e998..8d0bbe7b772104c73708ec2051a1df8c6ae0d0d5 100644 (file)
        <sch:pattern name="Invalid group">
                <sch:rule context="*[@group]">
                        <sch:assert test="@group = '*' or GROUPS_TEST">Group does not exist.</sch:assert>
+                       <sch:assert test="not(starts-with(@group, 'priv_'))">Group 'priv_*' is not allowed.</sch:assert>
                </sch:rule>
        </sch:pattern>
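
Review bot: the added assert `not(starts-with(@group, 'priv_'))` has no explanation next to it of why 'priv_*' groups are rejected; the reason (these groups are held by applications through their cynara privilege and also by user daemons, so a rule on them reaches more processes than intended) exists only in the commit message. A policy author who gets "Group 'priv_*' is not allowed." has no hint of the cause, so consider an XML comment above the assert or a message that states the reason. Note also that the test is a case-sensitive prefix match on the raw attribute value, and that a 'priv_' name failing GROUPS_TEST will trip both asserts in this rule and report two errors for one attribute; confirm both behaviours are intended.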