am 274d2927: Clean up remaining denials.
* commit '274d2927a7ccbfd266c83d6da5e9e2772805fbd5':
Clean up remaining denials.
diff --git a/te_macros b/te_macros
index 278205e..1c78c96 100644
--- a/te_macros
+++ b/te_macros
@@ -296,3 +296,8 @@
allow $1 klog_device:chr_file { create open write unlink };
allow $1 device:dir { add_name remove_name };
')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 482d060..1f51248 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -126,6 +126,9 @@
/** Set to !0 to enable verbose logging */
static int logging_verbose = 0;
+/** set to !0 to enable strict checking of duplicate entries */
+static int is_strict = 0;
+
/** file handle to the output file */
static FILE *output_file = NULL;
@@ -189,7 +192,9 @@
* @param fmt
* The printf style formatter to use, such as "%d"
*/
-static void log_msg(FILE *out, const char *prefix, const char *fmt, ...) {
+static void __attribute__ ((format(printf, 3, 4)))
+log_msg(FILE *out, const char *prefix, const char *fmt, ...) {
+
fprintf(out, "%s", prefix);
va_list args;
va_start(args, fmt);
@@ -267,8 +272,8 @@
}
/*
- * If their is no policy file present,
- * then it is not in strict mode so just return.
+ * If there is no policy file present,
+ * then it is not going to enforce the types against the policy so just return.
* User and name cannot really be checked.
*/
if (!pol.policy_file) {
@@ -395,12 +400,12 @@
}
if (input_mode) {
- log_info("Matched input lines: type=%s name=%s data=%s dir=%d\n", mA->type, mA->name, mA->data, mA->dir);
+ log_info("Matched input lines: name=%s data=%s\n", mA->name, mA->data);
num_of_matched_inputs++;
}
/* Match found, move on */
- log_info("Matched lines: type=%s name=%s data=%s dir=%d\n", mA->type, mA->name, mA->data, mA->dir);
+ log_info("Matched lines: name=%s data=%s", mA->name, mA->data);
matches++;
break;
}
@@ -567,8 +572,9 @@
"and allows later declarations to override previous ones on a match.\n"
"Options:\n"
"-h - print this help message\n"
+ "-s - enable strict checking of duplicates. This causes the program to exit on a duplicate entry with a non-zero exit status\n"
"-v - enable verbose debugging informations\n"
- "-p policy file - specify policy file for strict checking of output selectors\n"
+ "-p policy file - specify policy file for strict checking of output selectors against the policy\n"
"-o output file - specify output file, default is stdout\n");
}
@@ -655,7 +661,7 @@
int c;
int num_of_args;
- while ((c = getopt(argc, argv, "ho:p:v")) != -1) {
+ while ((c = getopt(argc, argv, "ho:p:sv")) != -1) {
switch (c) {
case 'h':
usage();
@@ -666,6 +672,9 @@
case 'p':
pol.policy_file_name = optarg;
break;
+ case 's':
+ is_strict = 1;
+ break;
case 'v':
log_set_verbose();
break;
@@ -678,9 +687,7 @@
log_error(
"Unknown option character `\\x%x'.\n",
optopt);
- exit(EXIT_FAILURE);
}
- break;
default:
exit(EXIT_FAILURE);
}
@@ -802,11 +809,20 @@
}
/* Duplicate */
else {
- log_error("Duplicate line detected in file: %s\n"
+ /* if is_strict is set, then don't allow duplicates */
+ if(is_strict) {
+ log_error("Duplicate line detected in file: %s\n"
+ "Lines %d and %d match!\n",
+ out_file_name, tmp->r->lineno, rm->lineno);
+ rule_map_free(rm, rule_map_destroy_key);
+ goto err;
+ }
+
+ /* Allow duplicates, just drop the entry*/
+ log_info("Duplicate line detected in file: %s\n"
"Lines %d and %d match!\n",
out_file_name, tmp->r->lineno, rm->lineno);
rule_map_free(rm, rule_map_destroy_key);
- goto err;
}
}
/* It wasn't found, just add the rule map to the table */