I have started implementing an arch string patch. Unfortunately, i did not manage to finish it before I had to leave the office today. In essence I did this: The regex_arch_string has three components: the pointer width determined by sizeof(void*), PCRE2_SIZE width determined by sizeof(), and endianess determined by __BYTE_ORDER__==__ORDER_BIG/LITTEL_ENDIAN__
For example, the resulting string for x86_64 and aarch64el should look like this: "8-8-el". I bumped the compiled context version number and added the string right after the version in the output. Comments? On Fri, Sep 16, 2016 at 3:52 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/16/2016 09:31 AM, Jason Zaman wrote: > > On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: > >> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com> > wrote: > >>> I don't mind. Then before sefcontext_compile -r gets widely adapted we > >>> should change the semantic quickly. I'll prepare a patch. > >> > >> Did I miss something and this was merged? Iv'e been out recovering > >> from a surgery so I haven't been > >> following this as well as I normally would have, > >> > >> If its merged, just leave it. > > > > Its the very latest thing in master yeah, but I do also agree with > changing it. > > > > I just wanted to add that from a distro perspective, compiling things by > > default makes more sense. In gentoo, the package post_install runs > > sefcontext_compile. Using the fcontext files happens a lot more than any > > updates to libselinux (and thus potential format changes) so I'm pretty > > sure most people would prefer to have the speedup. > > > > Gentoo does it on the machine itself, I am not sure about redhat or > > debian but I wouldnt be surprised if they do it per-arch at the very > > least so cross-arch probably isnt an issue. > > In Red Hat, SELinux policy is noarch, and they switched to precompiling > both policy and file_contexts.bin at build time to minimize the cost at > package install time. Otherwise, in small VMs, they had issues with > running out of memory during semodule -B. So file_contexts.bin > presently has to be arch-independent, or we need the arch properties > detection logic and fallback. That said, none of this matters unless > you build with USE_PCRE2=y, and no one outside of Android is doing that > today. > > > Also, I think we should add the arch to the version string stored. I > > would rather have false negatives than positives especially since we are > > not 100% sure exactly what part of the arch is important. We can always > > loosen it up later if that gets locked down. > > We don't want the arch string itself, because that would invalidate use > of file_contexts.bin entirely on typical Android use cases (build on > x86_64, install to ARM), but only the relevant properties. And for > Android, that is fatal - there is no file_contexts text file on which to > fallback anymore. They only ship file_contexts.bin. > >
_______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
