From 16b23d5c3cbd1560b7038e0af89713fe7c47742f Mon Sep 17 00:00:00 2001
From: "sanghyeok.oh"
Date: Tue, 23 Apr 2019 15:18:15 +0900
Subject: [PATCH] policychecker: add rule for group 'priv_*'

/usr/share/security-manager/policy/privilege-group.list
In case of App, 'priv_*' group is assigned by its cynara privilege.
But, user daemon also has related 'priv_*' groups.
Due to this group assignment policy rule for group priv_* affects application, user daemons and process who has priv_*.
To prevent this unintended situation, block rule for group 'priv_*'.

Change-Id: I888f28375b017ec00c5fb85bc59557b2145bffbc
Signed-off-by: sanghyeok.oh
---
 policychecker/rules.xsl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl index 0b408a5..8d0bbe7 100644 --- a/policychecker/rules.xsl +++ b/policychecker/rules.xsl @@ -146,6 +146,7 @@ Group does not exist. + Group 'priv_*' is not allowed. -- 2.34.1
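
Review bot: the added "Group 'priv_*' is not allowed." message (the single + line after "Group does not exist.") gives a policy author no reason for the rejection and no remedy. Consider wording that carries the rationale from the commit message, for example that 'priv_*' groups are assigned by privilege, so a rule on them would also apply to applications and user daemons holding the group. The matching condition is not visible in this extract, so please confirm that it is a prefix match on the group name rather than a lookup against the entries of privilege-group.list, and that it fires for every rule type that can name a group, since the commit message says to block any rule for these groups. The change is one insertion with no accompanying test; a sample policy containing a rule on a 'priv_' group that the checker must reject would guard this against regressions.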