On Tue, Dec 29, 2015 at 3:46 PM, Roberts, William C
<[email protected]> wrote:
>
> I was under the impression that fc entry order does not matter. That they
> are sorted based on how specific the match is..
>
> As per:
>
> https://fedoraproject.org/wiki/SELinux/ManagingFileContext
>
> In the current Android 6.0 release, I don’t see the function sort_specs()
> anywhere in external/libselinux, or any code that sorts the fc entries.
>
> Looks like this code from 6.0:
>
>         /* Move exact pathname specifications to the end. */
>         spec_copy = (spec_t *) malloc(sizeof(spec_t) * data->nspec);
>         if (!spec_copy)
>                 goto finish;
>         j = 0;
>         for (i = 0; i < data->nspec; i++)
>                 if (data->spec_arr[i].hasMetaChars)
>                         memcpy(&spec_copy[j++],
>                                &data->spec_arr[i], sizeof(spec_t));
>         for (i = 0; i < data->nspec; i++)
>                 if (!data->spec_arr[i].hasMetaChars)
>                         memcpy(&spec_copy[j++],
>                                &data->spec_arr[i], sizeof(spec_t));
>         free(data->spec_arr);
>
> Was replaced with sort_specs() on upstream libselinux.
>
> Does anyone perhaps have any more light to shed? Am I way off here?

libselinux only "sorts" in the sense of giving precedence to exact (no
regex characters) entries.  The sorting described in the page you
referenced is done by libsemanage or by the fc_sort helper program
used in the refpolicy build and is not part of Android at all.  That
sorting was introduced to help with ambiguities that occur when
file_contexts was split into per-module .fc files.  Android however
only has a single monolithic file_contexts file, and even with the
device-specific file_contexts, the assumption is that those entries
should always take precedence over the generic ones (as long as they
are not identical and conflict).  So order does matter.  Last matching
entry wins.
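
The precedence rules discussed in this thread (exact pathnames moved to the end, last matching entry wins), as an added example that is not part of the original messages and is not libselinux code. The entries and labels are constructed, the metacharacter test is a simplification, and the names `reorder`, `lookup` and `label_for` are hypothetical.

```c
/* Simplified model of file_contexts precedence; not libselinux code. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct spec { const char *regex; const char *ctx; int has_meta; };

/* Stable partition as in the quoted 6.0 snippet: regex entries first,
 * exact pathnames last, file order preserved inside each group. */
static void reorder(struct spec *in, struct spec *out, int n)
{
    int i, j = 0;
    for (i = 0; i < n; i++) {
        /* Assumption: any of these characters marks the entry as a regex. */
        in[i].has_meta = strpbrk(in[i].regex, ".^$?*+|[({") != NULL;
        if (in[i].has_meta) out[j++] = in[i];
    }
    for (i = 0; i < n; i++)
        if (!in[i].has_meta) out[j++] = in[i];
}

/* Scan from the end so that the last matching entry wins. */
static const char *lookup(const struct spec *s, int n, const char *path)
{
    char pat[256];
    for (int i = n - 1; i >= 0; i--) {
        regex_t re;
        snprintf(pat, sizeof(pat), "^(%s)$", s[i].regex); /* anchor whole path */
        if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        int hit = regexec(&re, path, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return s[i].ctx;
    }
    return NULL;
}

/* Constructed entries in file order; labels are made up for illustration. */
static struct spec sample[] = {
    { "/data/misc/keystore", "u:object_r:exact_t:s0", 0 },
    { "/data/misc(/.*)?",    "u:object_r:misc_t:s0",  0 },
    { "/data(/.*)?",         "u:object_r:data_t:s0",  0 },
};

static const char *label_for(const char *path)
{
    struct spec sorted[3];
    reorder(sample, sorted, 3);
    return lookup(sorted, 3, path);
}
```

In this model `/data/misc/wifi` gets the `data_t` label from the broader `/data(/.*)?` entry because that entry comes later in the file, while the exact `/data/misc/keystore` entry wins despite being listed first.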
