summaryrefslogtreecommitdiffstats
path: root/services
diff options
context:
space:
mode:
authorJoman Chu <jcchu@tycho.ncsc.mil>2012-11-16 16:25:51 -0500
committerRicardo Cerqueira <cyanogenmod@cerqueira.org>2013-07-18 21:02:19 +0100
commit36d685c5a72aef502af1b08c7fba921b15edb2a3 (patch)
tree793266ccb0f58a3fb09ab35eb5d67efc2f10c95e /services
parent7adb00f08a5693b74023cd8f4042db97c0cdfa16 (diff)
downloadframeworks_base-36d685c5a72aef502af1b08c7fba921b15edb2a3.zip
frameworks_base-36d685c5a72aef502af1b08c7fba921b15edb2a3.tar.gz
frameworks_base-36d685c5a72aef502af1b08c7fba921b15edb2a3.tar.bz2
Simplify check during admin removal for whether to cleanup SELinux
Also re-arrange and cleanup Change-Id: I1261e715d8d04b72f8a29b8a24268d75946d24dc
Diffstat (limited to 'services')
-rw-r--r--services/java/com/android/server/DevicePolicyManagerService.java199
1 files changed, 99 insertions, 100 deletions
diff --git a/services/java/com/android/server/DevicePolicyManagerService.java b/services/java/com/android/server/DevicePolicyManagerService.java
index 911ca50..a8c5221 100644
--- a/services/java/com/android/server/DevicePolicyManagerService.java
+++ b/services/java/com/android/server/DevicePolicyManagerService.java
@@ -858,8 +858,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
DevicePolicyData policy = getUserData(userHandle);
boolean doProxyCleanup = admin.info.usesPolicy(
DeviceAdminInfo.USES_POLICY_SETS_GLOBAL_PROXY);
- boolean doSELinuxCleanup = admin.info.usesPolicy(
- DeviceAdminInfo.USES_POLICY_ENFORCE_SELINUX) && admin.isSELinuxAdmin;
+ boolean doSELinuxCleanup = admin.isSELinuxAdmin;
policy.mAdminList.remove(admin);
policy.mAdminMap.remove(adminReceiver);
validatePasswordOwnerLocked(policy);
@@ -2572,104 +2571,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// FTT fails a
// FTF fails a,b
- // Cases = 16
- @Override
- public boolean isSELinuxAdmin(ComponentName who, int userHandle) {
- enforceCrossUserPermission(userHandle);
- synchronized (this) {
- // Check for permissions
- if (who == null) {
- throw new NullPointerException("ComponentName is null");
- }
- // Only owner can set SELinux settings
- if (userHandle != UserHandle.USER_OWNER
- || UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
- Slog.w(TAG, "Only owner is allowed to set SELinux settings. User "
- + UserHandle.getCallingUserId() + " is not permitted.");
- return false;
- }
- //Case F** = 4
- ActiveAdmin admin = getActiveAdminForCallerLocked(who,
- DeviceAdminInfo.USES_POLICY_ENFORCE_SELINUX);
- //Case T** = 4
- return admin.isSELinuxAdmin;
- }
- }
-
- // Cases = 16
- @Override
- public boolean setSELinuxAdmin(ComponentName who, boolean control, int userHandle) {
- enforceCrossUserPermission(userHandle);
- synchronized (this) {
- // Check for permissions
- if (who == null) {
- throw new NullPointerException("ComponentName is null");
- }
- // Only owner can set SELinux settings
- if (userHandle != UserHandle.USER_OWNER
- || UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
- Slog.w(TAG, "Only owner is allowed to set SELinux settings. User "
- + UserHandle.getCallingUserId() + " is not permitted.");
- return false;
- }
- // Case F**(*) = 8
- ActiveAdmin admin = getActiveAdminForCallerLocked(who,
- DeviceAdminInfo.USES_POLICY_ENFORCE_SELINUX);
-
- // Case TT*(T) = 2
- // Case TF*(F) = 2
- if (admin.isSELinuxAdmin == control) {
- return true;
- }
-
- DevicePolicyData policy = getUserData(userHandle);
- ActiveAdmin curAdmin = policy.findSELinuxAdminLocked();
-
- // Case TFF(T) = 1
- if (control && curAdmin == null) {
- Slog.v(TAG, "SELinux admin set to " + admin.info.getComponent());
- admin.isSELinuxAdmin = true;
-
- admin.sebools = new HashMap<String, Boolean>(seboolsOrig.size());
- Set<String> seboolnames = seboolsOrig.keySet();
- for (String sebool : seboolnames) {
- boolean value = seboolsOrig.get(sebool);
- admin.sebools.put(sebool, value);
- }
-
- saveSettingsLocked(userHandle);
- return true;
- }
-
- // Case TTT(F) = 1
- if (!control && curAdmin.equals(admin)) {
- boolean setSEpolicyFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEPOLICY];
- boolean setPropertyContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_PROPCTXS];
- boolean setFileContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_FILECTXS];
- boolean setSEappContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEAPPCTXS];
-
- Slog.v(TAG, admin.info.getComponent() + " is no longer a SELinux admin");
-
- admin.isSELinuxAdmin = false;
- admin.enforceSELinux = false;
- admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEPOLICY] = false;
- admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_PROPCTXS] = false;
- admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_FILECTXS] = false;
- admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEAPPCTXS] = false;
-
- saveSettingsLocked(userHandle);
- syncSELinuxPolicyLocked(policy, setSEpolicyFile,
- setPropertyContextsFile, setFileContextsFile,
- setSEappContextsFile);
- return true;
- }
-
- //Case TTF(F) = 1
- //Case TFT(T) = 1
- return false;
- }
- }
-
/** Resets the state the SELinux values in an ActiveAdmin to the current state of system */
private static void resetSELinuxAdmin(ActiveAdmin admin) {
String[] seboolsnames = SELinux.getBooleanNames();
@@ -2771,6 +2672,104 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
}
}
+ // Cases = 8
+ @Override
+ public boolean isSELinuxAdmin(ComponentName who, int userHandle) {
+ enforceCrossUserPermission(userHandle);
+ synchronized (this) {
+ // Check for permissions
+ if (who == null) {
+ throw new NullPointerException("ComponentName is null");
+ }
+ // Only owner can set SELinux settings
+ if (userHandle != UserHandle.USER_OWNER
+ || UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
+ Slog.w(TAG, "Only owner is allowed to set SELinux settings. User "
+ + UserHandle.getCallingUserId() + " is not permitted.");
+ return false;
+ }
+ //Case F** = 4
+ ActiveAdmin admin = getActiveAdminForCallerLocked(who,
+ DeviceAdminInfo.USES_POLICY_ENFORCE_SELINUX);
+ //Case T** = 4
+ return admin.isSELinuxAdmin;
+ }
+ }
+
+ // Cases = 16
+ @Override
+ public boolean setSELinuxAdmin(ComponentName who, boolean control, int userHandle) {
+ enforceCrossUserPermission(userHandle);
+ synchronized (this) {
+ // Check for permissions
+ if (who == null) {
+ throw new NullPointerException("ComponentName is null");
+ }
+ // Only owner can set SELinux settings
+ if (userHandle != UserHandle.USER_OWNER
+ || UserHandle.getCallingUserId() != UserHandle.USER_OWNER) {
+ Slog.w(TAG, "Only owner is allowed to set SELinux settings. User "
+ + UserHandle.getCallingUserId() + " is not permitted.");
+ return false;
+ }
+ // Case F**(*) = 8
+ ActiveAdmin admin = getActiveAdminForCallerLocked(who,
+ DeviceAdminInfo.USES_POLICY_ENFORCE_SELINUX);
+
+ // Case TT*(T) = 2
+ // Case TF*(F) = 2
+ if (admin.isSELinuxAdmin == control) {
+ return true;
+ }
+
+ DevicePolicyData policy = getUserData(userHandle);
+ ActiveAdmin curAdmin = policy.findSELinuxAdminLocked();
+
+ // Case TFF(T) = 1
+ if (control && curAdmin == null) {
+ Slog.v(TAG, "SELinux admin set to " + admin.info.getComponent());
+ admin.isSELinuxAdmin = true;
+
+ admin.sebools = new HashMap<String, Boolean>(seboolsOrig.size());
+ Set<String> seboolnames = seboolsOrig.keySet();
+ for (String sebool : seboolnames) {
+ boolean value = seboolsOrig.get(sebool);
+ admin.sebools.put(sebool, value);
+ }
+
+ saveSettingsLocked(userHandle);
+ return true;
+ }
+
+ // Case TTT(F) = 1
+ if (!control && curAdmin.equals(admin)) {
+ boolean setSEpolicyFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEPOLICY];
+ boolean setPropertyContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_PROPCTXS];
+ boolean setFileContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_FILECTXS];
+ boolean setSEappContextsFile = admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEAPPCTXS];
+
+ Slog.v(TAG, admin.info.getComponent() + " is no longer a SELinux admin");
+
+ admin.isSELinuxAdmin = false;
+ admin.enforceSELinux = false;
+ admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEPOLICY] = false;
+ admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_PROPCTXS] = false;
+ admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_FILECTXS] = false;
+ admin.isCustomPolicyFile[DevicePolicyManager.SEPOLICY_FILE_SEAPPCTXS] = false;
+
+ saveSettingsLocked(userHandle);
+ syncSELinuxPolicyLocked(policy, setSEpolicyFile,
+ setPropertyContextsFile, setFileContextsFile,
+ setSEappContextsFile);
+ return true;
+ }
+
+ //Case TTF(F) = 1
+ //Case TFT(T) = 1
+ return false;
+ }
+ }
+
@Override
public boolean getSELinuxEnforcing(ComponentName who, int userHandle) {
enforceCrossUserPermission(userHandle);