From: sanghyeok.oh <sanghyeok.oh@samsung.com>
Date: Tue, 23 Apr 2019 06:18:15 +0000 (+0900)
Subject: policychecker: add rule for group 'priv_*'
X-Git-Tag: submit/tizen/20180808.030253~2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=16b23d5c3cbd1560b7038e0af89713fe7c47742f;p=platform%2Fcore%2Fsystem%2Fdbus-tools.git

policychecker: add rule for group 'priv_*'

/usr/share/security-manager/policy/privilege-group.list

In case of App, 'priv_*' group is assigned by it's cynara privilege.
But, user daemon also has related 'priv_*' groups.
Due to this group assignment policy rule for group priv_* affects application, user daemons and process who has priv_*.
To prevent this unintended situation, block rule for group 'priv_*'.

Change-Id: I888f28375b017ec00c5fb85bc59557b2145bffbc
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
---

diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl
index 0b408a5..8d0bbe7 100644
--- a/policychecker/rules.xsl
+++ b/policychecker/rules.xsl
@@ -146,6 +146,7 @@
 	<sch:pattern name="Invalid group">
 		<sch:rule context="*[@group]">
 			<sch:assert test="@group = '*' or GROUPS_TEST">Group does not exist.</sch:assert>
+			<sch:assert test="not(starts-with(@group, 'priv_'))">Group 'priv_*' is not allowed.</sch:assert>
 		</sch:rule>
 	</sch:pattern>