Add restriction for privilege smack mapping rules 74/226974/12
authorZofia Grzelewska <z.abramowska@samsung.com>
Fri, 28 Feb 2020 16:25:45 +0000 (17:25 +0100)
committerZofia Abramowska <z.abramowska@samsung.com>
Fri, 17 Apr 2020 10:27:26 +0000 (12:27 +0200)
Do not support rules that are not based solely on privilege or
application-based labels.

Change-Id: Ib86cac1c8b362f8b4549148be96915a16e323e65

policy/privilege-smack.list
src/common/smack-rules.cpp

index f73816ac818daf94bfa6961f3bcf156cc13d475a..a95a151737a94e071ece8279ba256f6c20c67399 100644 (file)
 #   In such case 'priv-rules-default-template.smack' will be used.
 #
 # - lines starting with '#' or empty lines are ignored
+#
+# IMPORTANT NOTICE:
+# This mechanism is only for special cases. Rules provided in privilege template
+# will only be accepted, when they are between privilege label and application
+# based labels (e.g. application process label, application read-only path label).
+# Other rules will be ignored.
 
 http://tizen.org/privilege/internet System::Privilege::Internet default
index d7963d83036d555a5c3f2c604b9372fc6ae869b1..469f69e341e5598804e9e68990f0c26c13250938 100644 (file)
@@ -209,6 +209,12 @@ void SmackRules::addFromPrivTemplate(
         std::string object = rule[1];
         std::string permissions = rule[2];
 
+        if (subject[0] != '~' || object[0] != '~') {
+            LogWarning("Unsupported rule <"
+                     << subject << " " << object << " " << permissions
+                     << "> detected. Ignoring");
+        }
+
         strReplace(subject, SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
         strReplace(subject, SMACK_PRIVILEGE_LABEL_TEMPLATE, privilegeLabel);
         strReplace(object,  SMACK_PROCESS_LABEL_TEMPLATE, appProcessLabel);
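Review bot: The new `if (subject[0] != '~' || object[0] != '~')` branch only logs a warning. Control then falls through to the `strReplace` calls below, so a rule reported as "Ignoring" is still processed like any other rule within this hunk. This contradicts the notice added to policy/privilege-smack.list ("Other rules will be ignored") and leaves the restriction unenforced, so a template rule between arbitrary labels would presumably still be applied. The function body starts and ends outside the hunk; assuming this code sits inside the per-rule loop, add `continue;` right after the `LogWarning(...)` statement. The test also inspects only the first character, so any label beginning with `~` passes; checking for the known `SMACK_PROCESS_LABEL_TEMPLATE` / `SMACK_PRIVILEGE_LABEL_TEMPLATE` tokens would match the stated intent more closely.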