SELinuxMMAC.java revision c44a6e08e2e60672f83e50a7d6948bce1199f055 
1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server.pm;
18
19import android.content.pm.PackageParser;
20import android.content.pm.Signature;
21import android.os.Environment;
22import android.system.ErrnoException;
23import android.system.Os;
24import android.system.OsConstants;
25import android.util.Slog;
26import android.util.Xml;
27
28import libcore.io.IoUtils;
29
30import org.xmlpull.v1.XmlPullParser;
31import org.xmlpull.v1.XmlPullParserException;
32
33import java.io.File;
34import java.io.FileReader;
35import java.io.IOException;
36import java.security.MessageDigest;
37import java.security.NoSuchAlgorithmException;
38import java.util.ArrayList;
39import java.util.Arrays;
40import java.util.Collections;
41import java.util.Comparator;
42import java.util.HashMap;
43import java.util.HashSet;
44import java.util.List;
45import java.util.Map;
46import java.util.Set;
47
48/**
49 * Centralized access to SELinux MMAC (middleware MAC) implementation. This
50 * class is responsible for loading the appropriate mac_permissions.xml file
51 * as well as providing an interface for assigning seinfo values to apks.
52 *
53 * {@hide}
54 */
55public final class SELinuxMMAC {
56
57    static final String TAG = "SELinuxMMAC";
58
59    private static final boolean DEBUG_POLICY = false;
60    private static final boolean DEBUG_POLICY_INSTALL = DEBUG_POLICY || false;
61    private static final boolean DEBUG_POLICY_ORDER = DEBUG_POLICY || false;
62
63    // All policy stanzas read from mac_permissions.xml. This is also the lock
64    // to synchronize access during policy load and access attempts.
65    private static List<Policy> sPolicies = new ArrayList<>();
66
67    /** Path to version on rootfs */
68    private static final File VERSION_FILE = new File("/selinux_version");
69
70    /** Path to MAC permissions on system image */
71    private static final File MAC_PERMISSIONS = new File(Environment.getRootDirectory(),
72            "/etc/security/mac_permissions.xml");
73
74    /** Path to app contexts on rootfs */
75    private static final File SEAPP_CONTEXTS = new File("/seapp_contexts");
76
77    /** Calculated hash of {@link #SEAPP_CONTEXTS} */
78    private static final byte[] SEAPP_CONTEXTS_HASH = returnHash(SEAPP_CONTEXTS);
79
80    /** Attribute where {@link #SEAPP_CONTEXTS_HASH} is stored */
81    private static final String XATTR_SEAPP_HASH = "user.seapp_hash";
82
83    // Append privapp to existing seinfo label
84    private static final String PRIVILEGED_APP_STR = ":privapp";
85
86    // Append autoplay to existing seinfo label
87    private static final String AUTOPLAY_APP_STR = ":autoplayapp";
88
89    /**
90     * Load the mac_permissions.xml file containing all seinfo assignments used to
91     * label apps. The loaded mac_permissions.xml file is determined by the
92     * MAC_PERMISSIONS class variable which is set at class load time which itself
93     * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on
94     * the proper structure of a mac_permissions.xml file consult the source code
95     * located at system/sepolicy/mac_permissions.xml.
96     *
97     * @return boolean indicating if policy was correctly loaded. A value of false
98     *         typically indicates a structural problem with the xml or incorrectly
99     *         constructed policy stanzas. A value of true means that all stanzas
100     *         were loaded successfully; no partial loading is possible.
101     */
102    public static boolean readInstallPolicy() {
103        // Temp structure to hold the rules while we parse the xml file
104        List<Policy> policies = new ArrayList<>();
105
106        FileReader policyFile = null;
107        XmlPullParser parser = Xml.newPullParser();
108        try {
109            policyFile = new FileReader(MAC_PERMISSIONS);
110            Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS);
111
112            parser.setInput(policyFile);
113            parser.nextTag();
114            parser.require(XmlPullParser.START_TAG, null, "policy");
115
116            while (parser.next() != XmlPullParser.END_TAG) {
117                if (parser.getEventType() != XmlPullParser.START_TAG) {
118                    continue;
119                }
120
121                switch (parser.getName()) {
122                    case "signer":
123                        policies.add(readSignerOrThrow(parser));
124                        break;
125                    default:
126                        skip(parser);
127                }
128            }
129        } catch (IllegalStateException | IllegalArgumentException |
130                XmlPullParserException ex) {
131            StringBuilder sb = new StringBuilder("Exception @");
132            sb.append(parser.getPositionDescription());
133            sb.append(" while parsing ");
134            sb.append(MAC_PERMISSIONS);
135            sb.append(":");
136            sb.append(ex);
137            Slog.w(TAG, sb.toString());
138            return false;
139        } catch (IOException ioe) {
140            Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS, ioe);
141            return false;
142        } finally {
143            IoUtils.closeQuietly(policyFile);
144        }
145
146        // Now sort the policy stanzas
147        PolicyComparator policySort = new PolicyComparator();
148        Collections.sort(policies, policySort);
149        if (policySort.foundDuplicate()) {
150            Slog.w(TAG, "ERROR! Duplicate entries found parsing " + MAC_PERMISSIONS);
151            return false;
152        }
153
154        synchronized (sPolicies) {
155            sPolicies = policies;
156
157            if (DEBUG_POLICY_ORDER) {
158                for (Policy policy : sPolicies) {
159                    Slog.d(TAG, "Policy: " + policy.toString());
160                }
161            }
162        }
163
164        return true;
165    }
166
167    /**
168     * Loop over a signer tag looking for seinfo, package and cert tags. A {@link Policy}
169     * instance will be created and returned in the process. During the pass all other
170     * tag elements will be skipped.
171     *
172     * @param parser an XmlPullParser object representing a signer element.
173     * @return the constructed {@link Policy} instance
174     * @throws IOException
175     * @throws XmlPullParserException
176     * @throws IllegalArgumentException if any of the validation checks fail while
177     *         parsing tag values.
178     * @throws IllegalStateException if any of the invariants fail when constructing
179     *         the {@link Policy} instance.
180     */
181    private static Policy readSignerOrThrow(XmlPullParser parser) throws IOException,
182            XmlPullParserException {
183
184        parser.require(XmlPullParser.START_TAG, null, "signer");
185        Policy.PolicyBuilder pb = new Policy.PolicyBuilder();
186
187        // Check for a cert attached to the signer tag. We allow a signature
188        // to appear as an attribute as well as those attached to cert tags.
189        String cert = parser.getAttributeValue(null, "signature");
190        if (cert != null) {
191            pb.addSignature(cert);
192        }
193
194        while (parser.next() != XmlPullParser.END_TAG) {
195            if (parser.getEventType() != XmlPullParser.START_TAG) {
196                continue;
197            }
198
199            String tagName = parser.getName();
200            if ("seinfo".equals(tagName)) {
201                String seinfo = parser.getAttributeValue(null, "value");
202                pb.setGlobalSeinfoOrThrow(seinfo);
203                readSeinfo(parser);
204            } else if ("package".equals(tagName)) {
205                readPackageOrThrow(parser, pb);
206            } else if ("cert".equals(tagName)) {
207                String sig = parser.getAttributeValue(null, "signature");
208                pb.addSignature(sig);
209                readCert(parser);
210            } else {
211                skip(parser);
212            }
213        }
214
215        return pb.build();
216    }
217
218    /**
219     * Loop over a package element looking for seinfo child tags. If found return the
220     * value attribute of the seinfo tag, otherwise return null. All other tags encountered
221     * will be skipped.
222     *
223     * @param parser an XmlPullParser object representing a package element.
224     * @param pb a Policy.PolicyBuilder instance to build
225     * @throws IOException
226     * @throws XmlPullParserException
227     * @throws IllegalArgumentException if any of the validation checks fail while
228     *         parsing tag values.
229     * @throws IllegalStateException if there is a duplicate seinfo tag for the current
230     *         package tag.
231     */
232    private static void readPackageOrThrow(XmlPullParser parser, Policy.PolicyBuilder pb) throws
233            IOException, XmlPullParserException {
234        parser.require(XmlPullParser.START_TAG, null, "package");
235        String pkgName = parser.getAttributeValue(null, "name");
236
237        while (parser.next() != XmlPullParser.END_TAG) {
238            if (parser.getEventType() != XmlPullParser.START_TAG) {
239                continue;
240            }
241
242            String tagName = parser.getName();
243            if ("seinfo".equals(tagName)) {
244                String seinfo = parser.getAttributeValue(null, "value");
245                pb.addInnerPackageMapOrThrow(pkgName, seinfo);
246                readSeinfo(parser);
247            } else {
248                skip(parser);
249            }
250        }
251    }
252
253    private static void readCert(XmlPullParser parser) throws IOException,
254            XmlPullParserException {
255        parser.require(XmlPullParser.START_TAG, null, "cert");
256        parser.nextTag();
257    }
258
259    private static void readSeinfo(XmlPullParser parser) throws IOException,
260            XmlPullParserException {
261        parser.require(XmlPullParser.START_TAG, null, "seinfo");
262        parser.nextTag();
263    }
264
265    private static void skip(XmlPullParser p) throws IOException, XmlPullParserException {
266        if (p.getEventType() != XmlPullParser.START_TAG) {
267            throw new IllegalStateException();
268        }
269        int depth = 1;
270        while (depth != 0) {
271            switch (p.next()) {
272            case XmlPullParser.END_TAG:
273                depth--;
274                break;
275            case XmlPullParser.START_TAG:
276                depth++;
277                break;
278            }
279        }
280    }
281
282    /**
283     * Applies a security label to a package based on an seinfo tag taken from a matched
284     * policy. All signature based policy stanzas are consulted and, if no match is
285     * found, the default seinfo label of 'default' (set in ApplicationInfo object) is
286     * used. The security label is attached to the ApplicationInfo instance of the package
287     * in the event that a matching policy was found.
288     *
289     * @param pkg object representing the package to be labeled.
290     */
291    public static void assignSeinfoValue(PackageParser.Package pkg) {
292        synchronized (sPolicies) {
293            for (Policy policy : sPolicies) {
294                String seinfo = policy.getMatchedSeinfo(pkg);
295                if (seinfo != null) {
296                    pkg.applicationInfo.seinfo = seinfo;
297                    break;
298                }
299            }
300        }
301
302        if (pkg.applicationInfo.isAutoPlayApp())
303            pkg.applicationInfo.seinfo += AUTOPLAY_APP_STR;
304
305        if (pkg.applicationInfo.isPrivilegedApp())
306            pkg.applicationInfo.seinfo += PRIVILEGED_APP_STR;
307
308        if (DEBUG_POLICY_INSTALL) {
309            Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " +
310                    "seinfo=" + pkg.applicationInfo.seinfo);
311        }
312    }
313
314    /**
315     * Determines if a recursive restorecon on the given package data directory
316     * is needed. It does this by comparing the SHA-1 of the seapp_contexts file
317     * against the stored hash in an xattr.
318     * <p>
319     * Note that the xattr isn't in the 'security' namespace, so this should
320     * only be run on directories owned by the system.
321     *
322     * @return Returns true if the restorecon should occur or false otherwise.
323     */
324    public static boolean isRestoreconNeeded(File file) {
325        try {
326            final byte[] buf = Os.getxattr(file.getAbsolutePath(), XATTR_SEAPP_HASH);
327            if ((buf.length == 20) && Arrays.equals(SEAPP_CONTEXTS_HASH, buf)) {
328                return false;
329            }
330        } catch (ErrnoException e) {
331            if (e.errno != OsConstants.ENODATA) {
332                Slog.e(TAG, "Failed to read seapp hash for " + file, e);
333            }
334        }
335
336        return true;
337    }
338
339    /**
340     * Stores the SHA-1 of the seapp_contexts into an xattr.
341     * <p>
342     * Note that the xattr isn't in the 'security' namespace, so this should
343     * only be run on directories owned by the system.
344     */
345    public static void setRestoreconDone(File file) {
346        try {
347            Os.setxattr(file.getAbsolutePath(), XATTR_SEAPP_HASH, SEAPP_CONTEXTS_HASH, 0);
348        } catch (ErrnoException e) {
349            Slog.e(TAG, "Failed to persist seapp hash in " + file, e);
350        }
351    }
352
353    /**
354     * Return the SHA-1 of a file.
355     *
356     * @param file The path to the file given as a string.
357     * @return Returns the SHA-1 of the file as a byte array.
358     */
359    private static byte[] returnHash(File file) {
360        try {
361            final byte[] contents = IoUtils.readFileAsByteArray(file.getAbsolutePath());
362            return MessageDigest.getInstance("SHA-1").digest(contents);
363        } catch (IOException | NoSuchAlgorithmException e) {
364            throw new RuntimeException(e);
365        }
366    }
367}
368
369/**
370 * Holds valid policy representations of individual stanzas from a mac_permissions.xml
371 * file. Each instance can further be used to assign seinfo values to apks using the
372 * {@link Policy#getMatchedSeinfo} method. To create an instance of this use the
373 * {@link PolicyBuilder} pattern class, where each instance is validated against a set
374 * of invariants before being built and returned. Each instance can be guaranteed to
375 * hold one valid policy stanza as outlined in the system/sepolicy/mac_permissions.xml
376 * file.
377 * <p>
378 * The following is an example of how to use {@link Policy.PolicyBuilder} to create a
379 * signer based Policy instance with only inner package name refinements.
380 * </p>
381 * <pre>
382 * {@code
383 * Policy policy = new Policy.PolicyBuilder()
384 *         .addSignature("308204a8...")
385 *         .addSignature("483538c8...")
386 *         .addInnerPackageMapOrThrow("com.foo.", "bar")
387 *         .addInnerPackageMapOrThrow("com.foo.other", "bar")
388 *         .build();
389 * }
390 * </pre>
391 * <p>
392 * The following is an example of how to use {@link Policy.PolicyBuilder} to create a
393 * signer based Policy instance with only a global seinfo tag.
394 * </p>
395 * <pre>
396 * {@code
397 * Policy policy = new Policy.PolicyBuilder()
398 *         .addSignature("308204a8...")
399 *         .addSignature("483538c8...")
400 *         .setGlobalSeinfoOrThrow("paltform")
401 *         .build();
402 * }
403 * </pre>
404 */
405final class Policy {
406
407    private final String mSeinfo;
408    private final Set<Signature> mCerts;
409    private final Map<String, String> mPkgMap;
410
411    // Use the PolicyBuilder pattern to instantiate
412    private Policy(PolicyBuilder builder) {
413        mSeinfo = builder.mSeinfo;
414        mCerts = Collections.unmodifiableSet(builder.mCerts);
415        mPkgMap = Collections.unmodifiableMap(builder.mPkgMap);
416    }
417
418    /**
419     * Return all the certs stored with this policy stanza.
420     *
421     * @return A set of Signature objects representing all the certs stored
422     *         with the policy.
423     */
424    public Set<Signature> getSignatures() {
425        return mCerts;
426    }
427
428    /**
429     * Return whether this policy object contains package name mapping refinements.
430     *
431     * @return A boolean indicating if this object has inner package name mappings.
432     */
433    public boolean hasInnerPackages() {
434        return !mPkgMap.isEmpty();
435    }
436
437    /**
438     * Return the mapping of all package name refinements.
439     *
440     * @return A Map object whose keys are the package names and whose values are
441     *         the seinfo assignments.
442     */
443    public Map<String, String> getInnerPackages() {
444        return mPkgMap;
445    }
446
447    /**
448     * Return whether the policy object has a global seinfo tag attached.
449     *
450     * @return A boolean indicating if this stanza has a global seinfo tag.
451     */
452    public boolean hasGlobalSeinfo() {
453        return mSeinfo != null;
454    }
455
456    @Override
457    public String toString() {
458        StringBuilder sb = new StringBuilder();
459        for (Signature cert : mCerts) {
460            sb.append("cert=" + cert.toCharsString().substring(0, 11) + "... ");
461        }
462
463        if (mSeinfo != null) {
464            sb.append("seinfo=" + mSeinfo);
465        }
466
467        for (String name : mPkgMap.keySet()) {
468            sb.append(" " + name + "=" + mPkgMap.get(name));
469        }
470
471        return sb.toString();
472    }
473
474    /**
475     * <p>
476     * Determine the seinfo value to assign to an apk. The appropriate seinfo value
477     * is determined using the following steps:
478     * </p>
479     * <ul>
480     *   <li> All certs used to sign the apk and all certs stored with this policy
481     *     instance are tested for set equality. If this fails then null is returned.
482     *   </li>
483     *   <li> If all certs match then an appropriate inner package stanza is
484     *     searched based on package name alone. If matched, the stored seinfo
485     *     value for that mapping is returned.
486     *   </li>
487     *   <li> If all certs matched and no inner package stanza matches then return
488     *     the global seinfo value. The returned value can be null in this case.
489     *   </li>
490     * </ul>
491     * <p>
492     * In all cases, a return value of null should be interpreted as the apk failing
493     * to match this Policy instance; i.e. failing this policy stanza.
494     * </p>
495     * @param pkg the apk to check given as a PackageParser.Package object
496     * @return A string representing the seinfo matched during policy lookup.
497     *         A value of null can also be returned if no match occured.
498     */
499    public String getMatchedSeinfo(PackageParser.Package pkg) {
500        // Check for exact signature matches across all certs.
501        Signature[] certs = mCerts.toArray(new Signature[0]);
502        if (!Signature.areExactMatch(certs, pkg.mSignatures)) {
503            return null;
504        }
505
506        // Check for inner package name matches given that the
507        // signature checks already passed.
508        String seinfoValue = mPkgMap.get(pkg.packageName);
509        if (seinfoValue != null) {
510            return seinfoValue;
511        }
512
513        // Return the global seinfo value.
514        return mSeinfo;
515    }
516
517    /**
518     * A nested builder class to create {@link Policy} instances. A {@link Policy}
519     * class instance represents one valid policy stanza found in a mac_permissions.xml
520     * file. A valid policy stanza is defined to be a signer stanza which obeys the rules
521     * outlined in system/sepolicy/mac_permissions.xml. The {@link #build} method
522     * ensures a set of invariants are upheld enforcing the correct stanza structure
523     * before returning a valid Policy object.
524     */
525    public static final class PolicyBuilder {
526
527        private String mSeinfo;
528        private final Set<Signature> mCerts;
529        private final Map<String, String> mPkgMap;
530
531        public PolicyBuilder() {
532            mCerts = new HashSet<Signature>(2);
533            mPkgMap = new HashMap<String, String>(2);
534        }
535
536        /**
537         * Adds a signature to the set of certs used for validation checks. The purpose
538         * being that all contained certs will need to be matched against all certs
539         * contained with an apk.
540         *
541         * @param cert the signature to add given as a String.
542         * @return The reference to this PolicyBuilder.
543         * @throws IllegalArgumentException if the cert value fails validation;
544         *         null or is an invalid hex-encoded ASCII string.
545         */
546        public PolicyBuilder addSignature(String cert) {
547            if (cert == null) {
548                String err = "Invalid signature value " + cert;
549                throw new IllegalArgumentException(err);
550            }
551
552            mCerts.add(new Signature(cert));
553            return this;
554        }
555
556        /**
557         * Set the global seinfo tag for this policy stanza. The global seinfo tag
558         * when attached to a signer tag represents the assignment when there isn't a
559         * further inner package refinement in policy.
560         *
561         * @param seinfo the seinfo value given as a String.
562         * @return The reference to this PolicyBuilder.
563         * @throws IllegalArgumentException if the seinfo value fails validation;
564         *         null, zero length or contains non-valid characters [^a-zA-Z_\._0-9].
565         * @throws IllegalStateException if an seinfo value has already been found
566         */
567        public PolicyBuilder setGlobalSeinfoOrThrow(String seinfo) {
568            if (!validateValue(seinfo)) {
569                String err = "Invalid seinfo value " + seinfo;
570                throw new IllegalArgumentException(err);
571            }
572
573            if (mSeinfo != null && !mSeinfo.equals(seinfo)) {
574                String err = "Duplicate seinfo tag found";
575                throw new IllegalStateException(err);
576            }
577
578            mSeinfo = seinfo;
579            return this;
580        }
581
582        /**
583         * Create a package name to seinfo value mapping. Each mapping represents
584         * the seinfo value that will be assigned to the described package name.
585         * These localized mappings allow the global seinfo to be overriden.
586         *
587         * @param pkgName the android package name given to the app
588         * @param seinfo the seinfo value that will be assigned to the passed pkgName
589         * @return The reference to this PolicyBuilder.
590         * @throws IllegalArgumentException if the seinfo value fails validation;
591         *         null, zero length or contains non-valid characters [^a-zA-Z_\.0-9].
592         *         Or, if the package name isn't a valid android package name.
593         * @throws IllegalStateException if trying to reset a package mapping with a
594         *         different seinfo value.
595         */
596        public PolicyBuilder addInnerPackageMapOrThrow(String pkgName, String seinfo) {
597            if (!validateValue(pkgName)) {
598                String err = "Invalid package name " + pkgName;
599                throw new IllegalArgumentException(err);
600            }
601            if (!validateValue(seinfo)) {
602                String err = "Invalid seinfo value " + seinfo;
603                throw new IllegalArgumentException(err);
604            }
605
606            String pkgValue = mPkgMap.get(pkgName);
607            if (pkgValue != null && !pkgValue.equals(seinfo)) {
608                String err = "Conflicting seinfo value found";
609                throw new IllegalStateException(err);
610            }
611
612            mPkgMap.put(pkgName, seinfo);
613            return this;
614        }
615
616        /**
617         * General validation routine for the attribute strings of an element. Checks
618         * if the string is non-null, positive length and only contains [a-zA-Z_\.0-9].
619         *
620         * @param name the string to validate.
621         * @return boolean indicating if the string was valid.
622         */
623        private boolean validateValue(String name) {
624            if (name == null)
625                return false;
626
627            // Want to match on [0-9a-zA-Z_.]
628            if (!name.matches("\\A[\\.\\w]+\\z")) {
629                return false;
630            }
631
632            return true;
633        }
634
635        /**
636         * <p>
637         * Create a {@link Policy} instance based on the current configuration. This
638         * method checks for certain policy invariants used to enforce certain guarantees
639         * about the expected structure of a policy stanza.
640         * Those invariants are:
641         * </p>
642         * <ul>
643         *   <li> at least one cert must be found </li>
644         *   <li> either a global seinfo value is present OR at least one
645         *     inner package mapping must be present BUT not both. </li>
646         * </ul>
647         * @return an instance of {@link Policy} with the options set from this builder
648         * @throws IllegalStateException if an invariant is violated.
649         */
650        public Policy build() {
651            Policy p = new Policy(this);
652
653            if (p.mCerts.isEmpty()) {
654                String err = "Missing certs with signer tag. Expecting at least one.";
655                throw new IllegalStateException(err);
656            }
657            if (!(p.mSeinfo == null ^ p.mPkgMap.isEmpty())) {
658                String err = "Only seinfo tag XOR package tags are allowed within " +
659                        "a signer stanza.";
660                throw new IllegalStateException(err);
661            }
662
663            return p;
664        }
665    }
666}
667
668/**
669 * Comparision imposing an ordering on Policy objects. It is understood that Policy
670 * objects can only take one of three forms and ordered according to the following
671 * set of rules most specific to least.
672 * <ul>
673 *   <li> signer stanzas with inner package mappings </li>
674 *   <li> signer stanzas with global seinfo tags </li>
675 * </ul>
676 * This comparison also checks for duplicate entries on the input selectors. Any
677 * found duplicates will be flagged and can be checked with {@link #foundDuplicate}.
678 */
679
680final class PolicyComparator implements Comparator<Policy> {
681
682    private boolean duplicateFound = false;
683
684    public boolean foundDuplicate() {
685        return duplicateFound;
686    }
687
688    @Override
689    public int compare(Policy p1, Policy p2) {
690
691        // Give precedence to stanzas with inner package mappings
692        if (p1.hasInnerPackages() != p2.hasInnerPackages()) {
693            return p1.hasInnerPackages() ? -1 : 1;
694        }
695
696        // Check for duplicate entries
697        if (p1.getSignatures().equals(p2.getSignatures())) {
698            // Checks if signer w/o inner package names
699            if (p1.hasGlobalSeinfo()) {
700                duplicateFound = true;
701                Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString());
702            }
703
704            // Look for common inner package name mappings
705            final Map<String, String> p1Packages = p1.getInnerPackages();
706            final Map<String, String> p2Packages = p2.getInnerPackages();
707            if (!Collections.disjoint(p1Packages.keySet(), p2Packages.keySet())) {
708                duplicateFound = true;
709                Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString());
710            }
711        }
712
713        return 0;
714    }
715}
716