Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 

>>> Don't you actually want to also pick up utils/sefcontext_compile?
>>> That is built and used on the build host.  And I'm not sure why we'd
>>> drop the other SUBDIRS.
>>
>> You'll start running into linking issues if things that use
>> libselinux, use something not
>> in the build host IIRC. Perhaps, if that is the issue, we just limit
>> it to sefcontext_compile.
>
> Sure, the utils/Makefile can remove entries the same way it already does
> for DISABLE_*.

Well actually, that means every-time their is a new file added, the
Makefile needs to be modified,
I was trying to avoid that. Also, the remove list is super long, so it
looks pretty unwieldy.


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread Stephen Smalley 
On 09/27/2016 03:09 PM, William Roberts wrote:
> On Tue, Sep 27, 2016 at 12:08 PM, Stephen Smalley  wrote:
>> On 09/27/2016 03:03 PM, William Roberts wrote:
>>> On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley  
>>> wrote:
 On 09/27/2016 02:43 PM, William Roberts wrote:
> On Sep 27, 2016 10:00, "Stephen Smalley"  > wrote:
>>
>> On 09/27/2016 11:08 AM, William Roberts wrote:
>>> On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley  > wrote:
 On 09/26/2016 04:53 PM, william.c.robe...@intel.com
>  wrote:
> From: William Roberts  >
>
> To build the selinux host configuration, specify
> ANDROID_HOST=y on the Make command line.
>
> eg)
> make ANDROID_HOST=y

 Seems oddly named, neither corresponding to the #define it enables
 (BUILD_HOST) nor to the target platform.
>>>
>>> We could change this to BUILD_HOST=y to enable all of it, but
> considering
>>> that this build is specific for Android, I thought the naming to be more
>>> appropriate.
>>>
>>> Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
>>>

>
> Signed-off-by: William Roberts  >
> ---
>  libselinux/Makefile |  8 +++-
>  libselinux/src/Makefile | 50
> +
>  2 files changed, 41 insertions(+), 17 deletions(-)
>
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index 5a8d42c..50ae009 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>   override DISABLE_RPM=y
>   override DISABLE_BOOL=y
>  endif
> +ifeq ($(ANDROID_HOST),y)
> + override DISABLE_SETRANS=y
> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
> -DNO_X_BACKEND \
> + -DBUILD_HOST
> + SUBDIRS = src
> +endif
>>
>> Also, this is redundant; you can handle it entirely within
>> libselinux/src/Makefile without anything here.
>
> You mean all the ANDROID _HOST stuff? I didn't want to depart from
> what's there, that seemed to be the spot for disabling things.

 You don't use the -DNO_*_BACKEND or -DBUILD_HOST flags anywhere except
 in src/Makefile, so you don't need to set them here.

>>>
>>> The same could be said about DISABLE_SETRANS
>>
>> It isn't set in both Makefiles.  Pick one.
> 
> Its not set in both, did you mean referenced/used? In fact I don't
> even set the default n, which I should be doing.

You set -DNO_*_BACKEND and -DBUILD_HOST in both Makefiles if ANDROID_HOST=y.


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Tue, Sep 27, 2016 at 12:08 PM, Stephen Smalley  wrote:
> On 09/27/2016 03:03 PM, William Roberts wrote:
>> On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley  wrote:
>>> On 09/27/2016 02:43 PM, William Roberts wrote:
 On Sep 27, 2016 10:00, "Stephen Smalley" > wrote:
>
> On 09/27/2016 11:08 AM, William Roberts wrote:
>> On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley > wrote:
>>> On 09/26/2016 04:53 PM, william.c.robe...@intel.com
  wrote:
 From: William Roberts >

 To build the selinux host configuration, specify
 ANDROID_HOST=y on the Make command line.

 eg)
 make ANDROID_HOST=y
>>>
>>> Seems oddly named, neither corresponding to the #define it enables
>>> (BUILD_HOST) nor to the target platform.
>>
>> We could change this to BUILD_HOST=y to enable all of it, but
 considering
>> that this build is specific for Android, I thought the naming to be more
>> appropriate.
>>
>> Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
>>
>>>

 Signed-off-by: William Roberts >
 ---
  libselinux/Makefile |  8 +++-
  libselinux/src/Makefile | 50
 +
  2 files changed, 41 insertions(+), 17 deletions(-)

 diff --git a/libselinux/Makefile b/libselinux/Makefile
 index 5a8d42c..50ae009 100644
 --- a/libselinux/Makefile
 +++ b/libselinux/Makefile
 @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
   override DISABLE_RPM=y
   override DISABLE_BOOL=y
  endif
 +ifeq ($(ANDROID_HOST),y)
 + override DISABLE_SETRANS=y
 + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
 -DNO_X_BACKEND \
 + -DBUILD_HOST
 + SUBDIRS = src
 +endif
>
> Also, this is redundant; you can handle it entirely within
> libselinux/src/Makefile without anything here.

 You mean all the ANDROID _HOST stuff? I didn't want to depart from
 what's there, that seemed to be the spot for disabling things.
>>>
>>> You don't use the -DNO_*_BACKEND or -DBUILD_HOST flags anywhere except
>>> in src/Makefile, so you don't need to set them here.
>>>
>>
>> The same could be said about DISABLE_SETRANS
>
> It isn't set in both Makefiles.  Pick one.

Its not set in both, did you mean referenced/used? In fact I don't
even set the default n, which I should be doing.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley  wrote:
> On 09/27/2016 02:43 PM, William Roberts wrote:
>> On Sep 27, 2016 10:00, "Stephen Smalley" > > wrote:
>>>
>>> On 09/27/2016 11:08 AM, William Roberts wrote:
>>> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley > > wrote:
>>> >> On 09/26/2016 04:53 PM, william.c.robe...@intel.com
>>  wrote:
>>> >>> From: William Roberts > >
>>> >>>
>>> >>> To build the selinux host configuration, specify
>>> >>> ANDROID_HOST=y on the Make command line.
>>> >>>
>>> >>> eg)
>>> >>> make ANDROID_HOST=y
>>> >>
>>> >> Seems oddly named, neither corresponding to the #define it enables
>>> >> (BUILD_HOST) nor to the target platform.
>>> >
>>> > We could change this to BUILD_HOST=y to enable all of it, but
>> considering
>>> > that this build is specific for Android, I thought the naming to be more
>>> > appropriate.
>>> >
>>> > Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
>>> >
>>> >>
>>> >>>
>>> >>> Signed-off-by: William Roberts > >
>>> >>> ---
>>> >>>  libselinux/Makefile |  8 +++-
>>> >>>  libselinux/src/Makefile | 50
>> +
>>> >>>  2 files changed, 41 insertions(+), 17 deletions(-)
>>> >>>
>>> >>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>>> >>> index 5a8d42c..50ae009 100644
>>> >>> --- a/libselinux/Makefile
>>> >>> +++ b/libselinux/Makefile
>>> >>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>>> >>>   override DISABLE_RPM=y
>>> >>>   override DISABLE_BOOL=y
>>> >>>  endif
>>> >>> +ifeq ($(ANDROID_HOST),y)
>>> >>> + override DISABLE_SETRANS=y
>>> >>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
>> -DNO_X_BACKEND \
>>> >>> + -DBUILD_HOST
>>> >>> + SUBDIRS = src
>>> >>> +endif
>>>
>>> Also, this is redundant; you can handle it entirely within
>>> libselinux/src/Makefile without anything here.
>>
>> You mean all the ANDROID _HOST stuff? I didn't want to depart from
>> what's there, that seemed to be the spot for disabling things.
>
> You don't use the -DNO_*_BACKEND or -DBUILD_HOST flags anywhere except
> in src/Makefile, so you don't need to set them here.
>

The same could be said about DISABLE_SETRANS
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread Stephen Smalley 
On 09/27/2016 02:43 PM, William Roberts wrote:
> On Sep 27, 2016 10:00, "Stephen Smalley"  > wrote:
>>
>> On 09/27/2016 11:08 AM, William Roberts wrote:
>> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley  > wrote:
>> >> On 09/26/2016 04:53 PM, william.c.robe...@intel.com
>  wrote:
>> >>> From: William Roberts  >
>> >>>
>> >>> To build the selinux host configuration, specify
>> >>> ANDROID_HOST=y on the Make command line.
>> >>>
>> >>> eg)
>> >>> make ANDROID_HOST=y
>> >>
>> >> Seems oddly named, neither corresponding to the #define it enables
>> >> (BUILD_HOST) nor to the target platform.
>> >
>> > We could change this to BUILD_HOST=y to enable all of it, but
> considering
>> > that this build is specific for Android, I thought the naming to be more
>> > appropriate.
>> >
>> > Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
>> >
>> >>
>> >>>
>> >>> Signed-off-by: William Roberts  >
>> >>> ---
>> >>>  libselinux/Makefile |  8 +++-
>> >>>  libselinux/src/Makefile | 50
> +
>> >>>  2 files changed, 41 insertions(+), 17 deletions(-)
>> >>>
>> >>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> >>> index 5a8d42c..50ae009 100644
>> >>> --- a/libselinux/Makefile
>> >>> +++ b/libselinux/Makefile
>> >>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>> >>>   override DISABLE_RPM=y
>> >>>   override DISABLE_BOOL=y
>> >>>  endif
>> >>> +ifeq ($(ANDROID_HOST),y)
>> >>> + override DISABLE_SETRANS=y
>> >>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
> -DNO_X_BACKEND \
>> >>> + -DBUILD_HOST
>> >>> + SUBDIRS = src
>> >>> +endif
>>
>> Also, this is redundant; you can handle it entirely within
>> libselinux/src/Makefile without anything here.
> 
> You mean all the ANDROID _HOST stuff? I didn't want to depart from
> what's there, that seemed to be the spot for disabling things.

You don't use the -DNO_*_BACKEND or -DBUILD_HOST flags anywhere except
in src/Makefile, so you don't need to set them here.


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Sep 27, 2016 10:00, "Stephen Smalley"  wrote:
>
> On 09/27/2016 11:08 AM, William Roberts wrote:
> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley 
wrote:
> >> On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
> >>> From: William Roberts 
> >>>
> >>> To build the selinux host configuration, specify
> >>> ANDROID_HOST=y on the Make command line.
> >>>
> >>> eg)
> >>> make ANDROID_HOST=y
> >>
> >> Seems oddly named, neither corresponding to the #define it enables
> >> (BUILD_HOST) nor to the target platform.
> >
> > We could change this to BUILD_HOST=y to enable all of it, but
considering
> > that this build is specific for Android, I thought the naming to be more
> > appropriate.
> >
> > Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
> >
> >>
> >>>
> >>> Signed-off-by: William Roberts 
> >>> ---
> >>>  libselinux/Makefile |  8 +++-
> >>>  libselinux/src/Makefile | 50
+
> >>>  2 files changed, 41 insertions(+), 17 deletions(-)
> >>>
> >>> diff --git a/libselinux/Makefile b/libselinux/Makefile
> >>> index 5a8d42c..50ae009 100644
> >>> --- a/libselinux/Makefile
> >>> +++ b/libselinux/Makefile
> >>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
> >>>   override DISABLE_RPM=y
> >>>   override DISABLE_BOOL=y
> >>>  endif
> >>> +ifeq ($(ANDROID_HOST),y)
> >>> + override DISABLE_SETRANS=y
> >>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
-DNO_X_BACKEND \
> >>> + -DBUILD_HOST
> >>> + SUBDIRS = src
> >>> +endif
>
> Also, this is redundant; you can handle it entirely within
> libselinux/src/Makefile without anything here.

You mean all the ANDROID _HOST stuff? I didn't want to depart from what's
there, that seemed to be the spot for disabling things.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Sep 27, 2016 09:50, "Stephen Smalley"  wrote:
>
> On 09/27/2016 11:08 AM, William Roberts wrote:
> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley 
wrote:
> >> On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
> >>> From: William Roberts 
> >>>
> >>> To build the selinux host configuration, specify
> >>> ANDROID_HOST=y on the Make command line.
> >>>
> >>> eg)
> >>> make ANDROID_HOST=y
> >>
> >> Seems oddly named, neither corresponding to the #define it enables
> >> (BUILD_HOST) nor to the target platform.
> >
> > We could change this to BUILD_HOST=y to enable all of it, but
considering
> > that this build is specific for Android, I thought the naming to be more
> > appropriate.
> >
> > Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.
>
> Ok, fair point.  Actually EMBEDDED=y is broken and no one is using it
> AFAIK so we should probably kill it at some point separately.
>
> >
> >>
> >>>
> >>> Signed-off-by: William Roberts 
> >>> ---
> >>>  libselinux/Makefile |  8 +++-
> >>>  libselinux/src/Makefile | 50
+
> >>>  2 files changed, 41 insertions(+), 17 deletions(-)
> >>>
> >>> diff --git a/libselinux/Makefile b/libselinux/Makefile
> >>> index 5a8d42c..50ae009 100644
> >>> --- a/libselinux/Makefile
> >>> +++ b/libselinux/Makefile
> >>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
> >>>   override DISABLE_RPM=y
> >>>   override DISABLE_BOOL=y
> >>>  endif
> >>> +ifeq ($(ANDROID_HOST),y)
> >>> + override DISABLE_SETRANS=y
> >>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
-DNO_X_BACKEND \
> >>> + -DBUILD_HOST
> >>> + SUBDIRS = src
> >>> +endif
> >>
> >> Don't you actually want to also pick up utils/sefcontext_compile?
> >> That is built and used on the build host.  And I'm not sure why we'd
> >> drop the other SUBDIRS.
> >
> > You'll start running into linking issues if things that use
> > libselinux, use something not
> > in the build host IIRC. Perhaps, if that is the issue, we just limit
> > it to sefcontext_compile.
>
> Sure, the utils/Makefile can remove entries the same way it already does
> for DISABLE_*.
> >
> >>
> >>>  ifeq ($(DISABLE_AVC),y)
> >>>   EMFLAGS+= -DDISABLE_AVC
> >>>  endif
> >>> @@ -22,7 +28,7 @@ endif
> >>>  ifeq ($(DISABLE_SETRANS),y)
> >>>   EMFLAGS+= -DDISABLE_SETRANS
> >>>  endif
> >>> -export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
> >>> +export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
ANDROID_HOST
> >>>
> >>>  USE_PCRE2 ?= n
> >>>  ifeq ($(USE_PCRE2),y)
> >>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> >>> index 36e42b8..d841ef7 100644
> >>> --- a/libselinux/src/Makefile
> >>> +++ b/libselinux/src/Makefile
> >>> @@ -47,9 +47,17 @@ endif
> >>>  ifeq ($(DISABLE_BOOL),y)
> >>>   UNUSED_SRCS+=booleans.c
> >>>  endif
> >>> +ifeq ($(ANDROID_HOST),y)
> >>> + SRCS=callbacks.c freecon.c label.c label_file.c \
> >>> + label_android_property.c regex.c
label_support.c \
> >>> + matchpathcon.c setrans_client.c sha1.c
> >>> + override CFLAGS += -DNO_MEDIA_BACKEND -DNO_DB_BACKEND
-DNO_X_BACKEND \
> >>> + -DBUILD_HOST
> >>> +else
> >>> + SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c,
$(sort $(wildcard *.c)))
> >>> +endif
> >>>
> >>>  GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
> >>> -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort
$(wildcard *.c)))
> >>>
> >>>  MAX_STACK_SIZE=32768
> >>>
> >>> @@ -92,6 +100,28 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir
./ $(EMFLAGS)
> >>>
> >>>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(EMFLAGS)
> >>>
> >>> +$(LIBA): $(OBJS)
> >>> + $(AR) rcs $@ $^
> >>> + $(RANLIB) $@
> >>> +
> >>> +$(LIBSO): $(LOBJS)
> >>> + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl
$(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
> >>> + ln -sf $@ $(TARGET)
> >>> +
> >>> +%.o:  %.c policy.h
> >>> + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
> >>> +
> >>> +%.lo:  %.c policy.h
> >>> + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
> >>
> >> Did these truly need to move?  I don't see why.
> >
> > this prevents us from having multiple definitions of the recipes or
> > multiple if's on ANDROID_HOST=y.
> > Both flavors need these wildcard targets.
>
> If I undo all of these changes, make ANDROID_HOST=y clean all works just
> fine.   So does make install.  You don't need any of this conditional
> logic in the Makefile, and it just makes it harder to read and maintain.
>
> >
> >>
> >>> +
> >>> +# ANDROID_HOST Build option only builds the shared and static
versions of
> >>> +# libselinux.
> >>> +ifeq ($(ANDROID_HOST),y)
> >>> +
> >>> +all: $(LIBA) $(LIBSO)
> >>> +
> >>> +else
> >>> +
> >>>  all: $(LIBA)

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread Stephen Smalley 
On 09/27/2016 11:08 AM, William Roberts wrote:
> On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley  wrote:
>> On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
>>> From: William Roberts 
>>>
>>> To build the selinux host configuration, specify
>>> ANDROID_HOST=y on the Make command line.
>>>
>>> eg)
>>> make ANDROID_HOST=y
>>
>> Seems oddly named, neither corresponding to the #define it enables
>> (BUILD_HOST) nor to the target platform.
> 
> We could change this to BUILD_HOST=y to enable all of it, but considering
> that this build is specific for Android, I thought the naming to be more
> appropriate.
> 
> Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.

Ok, fair point.  Actually EMBEDDED=y is broken and no one is using it
AFAIK so we should probably kill it at some point separately.

> 
>>
>>>
>>> Signed-off-by: William Roberts 
>>> ---
>>>  libselinux/Makefile |  8 +++-
>>>  libselinux/src/Makefile | 50 
>>> +
>>>  2 files changed, 41 insertions(+), 17 deletions(-)
>>>
>>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>>> index 5a8d42c..50ae009 100644
>>> --- a/libselinux/Makefile
>>> +++ b/libselinux/Makefile
>>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>>>   override DISABLE_RPM=y
>>>   override DISABLE_BOOL=y
>>>  endif
>>> +ifeq ($(ANDROID_HOST),y)
>>> + override DISABLE_SETRANS=y
>>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
>>> -DNO_X_BACKEND \
>>> + -DBUILD_HOST
>>> + SUBDIRS = src
>>> +endif
>>
>> Don't you actually want to also pick up utils/sefcontext_compile?
>> That is built and used on the build host.  And I'm not sure why we'd
>> drop the other SUBDIRS.
> 
> You'll start running into linking issues if things that use
> libselinux, use something not
> in the build host IIRC. Perhaps, if that is the issue, we just limit
> it to sefcontext_compile.

Sure, the utils/Makefile can remove entries the same way it already does
for DISABLE_*.
> 
>>
>>>  ifeq ($(DISABLE_AVC),y)
>>>   EMFLAGS+= -DDISABLE_AVC
>>>  endif
>>> @@ -22,7 +28,7 @@ endif
>>>  ifeq ($(DISABLE_SETRANS),y)
>>>   EMFLAGS+= -DDISABLE_SETRANS
>>>  endif
>>> -export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
>>> +export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS 
>>> ANDROID_HOST
>>>
>>>  USE_PCRE2 ?= n
>>>  ifeq ($(USE_PCRE2),y)
>>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
>>> index 36e42b8..d841ef7 100644
>>> --- a/libselinux/src/Makefile
>>> +++ b/libselinux/src/Makefile
>>> @@ -47,9 +47,17 @@ endif
>>>  ifeq ($(DISABLE_BOOL),y)
>>>   UNUSED_SRCS+=booleans.c
>>>  endif
>>> +ifeq ($(ANDROID_HOST),y)
>>> + SRCS=callbacks.c freecon.c label.c label_file.c \
>>> + label_android_property.c regex.c label_support.c \
>>> + matchpathcon.c setrans_client.c sha1.c
>>> + override CFLAGS += -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
>>> + -DBUILD_HOST
>>> +else
>>> + SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
>>> $(wildcard *.c)))
>>> +endif
>>>
>>>  GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
>>> -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
>>> $(wildcard *.c)))
>>>
>>>  MAX_STACK_SIZE=32768
>>>
>>> @@ -92,6 +100,28 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ 
>>> $(EMFLAGS)
>>>
>>>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(EMFLAGS)
>>>
>>> +$(LIBA): $(OBJS)
>>> + $(AR) rcs $@ $^
>>> + $(RANLIB) $@
>>> +
>>> +$(LIBSO): $(LOBJS)
>>> + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
>>> -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
>>> + ln -sf $@ $(TARGET)
>>> +
>>> +%.o:  %.c policy.h
>>> + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
>>> +
>>> +%.lo:  %.c policy.h
>>> + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
>>
>> Did these truly need to move?  I don't see why.
> 
> this prevents us from having multiple definitions of the recipes or
> multiple if's on ANDROID_HOST=y.
> Both flavors need these wildcard targets.

If I undo all of these changes, make ANDROID_HOST=y clean all works just
fine.   So does make install.  You don't need any of this conditional
logic in the Makefile, and it just makes it harder to read and maintain.

> 
>>
>>> +
>>> +# ANDROID_HOST Build option only builds the shared and static versions of
>>> +# libselinux.
>>> +ifeq ($(ANDROID_HOST),y)
>>> +
>>> +all: $(LIBA) $(LIBSO)
>>> +
>>> +else
>>> +
>>>  all: $(LIBA) $(LIBSO) $(LIBPC)
>>
>> Is this worthwhile/necessary?  The point of the build option IIUC is
>> just to allow upstream testing that the Android build host version will
>> still build, it shouldn't matter if there are extras.
> 
> Those things die on linking... so I didn't want to submit something

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Tue, Sep 27, 2016 at 7:03 AM, Stephen Smalley  wrote:
> On 09/26/2016 04:55 PM, William Roberts wrote:
>> On Mon, Sep 26, 2016 at 1:53 PM,   wrote:
>>> From: William Roberts 
>>>
>>> To build the selinux host configuration, specify
>>> ANDROID_HOST=y on the Make command line.
>>>
>>> eg)
>>> make ANDROID_HOST=y
>>>
>>> Signed-off-by: William Roberts 
>>> ---
>>>  libselinux/Makefile |  8 +++-
>>>  libselinux/src/Makefile | 50 
>>> +
>>>  2 files changed, 41 insertions(+), 17 deletions(-)
>>>
>>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>>> index 5a8d42c..50ae009 100644
>>> --- a/libselinux/Makefile
>>> +++ b/libselinux/Makefile
>>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>>> override DISABLE_RPM=y
>>> override DISABLE_BOOL=y
>>>  endif
>>> +ifeq ($(ANDROID_HOST),y)
>>> +   override DISABLE_SETRANS=y
>>> +   EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
>>> -DNO_X_BACKEND \
>>
>> argghhh .. missing too much, drop DISABLE_RPM... copy+paste+edit fail.
>> Ill let v2 sit for a day, and aggregate other
>> feedback for v3. Sorry for the noise.
>
> Sorry, why can't you override DISABLE_RPM=y?
>
It's superfluous because it;s not used in the source files built for
ANDROID_HOST, and
it doesn't match the build recipe for Android. So if the goal would be
to provide a quick
flag to test the build against, it wouldn't meet that requirement.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts 
On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley  wrote:
> On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
>> From: William Roberts 
>>
>> To build the selinux host configuration, specify
>> ANDROID_HOST=y on the Make command line.
>>
>> eg)
>> make ANDROID_HOST=y
>
> Seems oddly named, neither corresponding to the #define it enables
> (BUILD_HOST) nor to the target platform.

We could change this to BUILD_HOST=y to enable all of it, but considering
that this build is specific for Android, I thought the naming to be more
appropriate.

Additionally, EMBEDDED doesn't flip anything called EMBEDDED as well.

>
>>
>> Signed-off-by: William Roberts 
>> ---
>>  libselinux/Makefile |  8 +++-
>>  libselinux/src/Makefile | 50 
>> +
>>  2 files changed, 41 insertions(+), 17 deletions(-)
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index 5a8d42c..50ae009 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>>   override DISABLE_RPM=y
>>   override DISABLE_BOOL=y
>>  endif
>> +ifeq ($(ANDROID_HOST),y)
>> + override DISABLE_SETRANS=y
>> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
>> -DNO_X_BACKEND \
>> + -DBUILD_HOST
>> + SUBDIRS = src
>> +endif
>
> Don't you actually want to also pick up utils/sefcontext_compile?
> That is built and used on the build host.  And I'm not sure why we'd
> drop the other SUBDIRS.

You'll start running into linking issues if things that use
libselinux, use something not
in the build host IIRC. Perhaps, if that is the issue, we just limit
it to sefcontext_compile.

>
>>  ifeq ($(DISABLE_AVC),y)
>>   EMFLAGS+= -DDISABLE_AVC
>>  endif
>> @@ -22,7 +28,7 @@ endif
>>  ifeq ($(DISABLE_SETRANS),y)
>>   EMFLAGS+= -DDISABLE_SETRANS
>>  endif
>> -export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
>> +export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS 
>> ANDROID_HOST
>>
>>  USE_PCRE2 ?= n
>>  ifeq ($(USE_PCRE2),y)
>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
>> index 36e42b8..d841ef7 100644
>> --- a/libselinux/src/Makefile
>> +++ b/libselinux/src/Makefile
>> @@ -47,9 +47,17 @@ endif
>>  ifeq ($(DISABLE_BOOL),y)
>>   UNUSED_SRCS+=booleans.c
>>  endif
>> +ifeq ($(ANDROID_HOST),y)
>> + SRCS=callbacks.c freecon.c label.c label_file.c \
>> + label_android_property.c regex.c label_support.c \
>> + matchpathcon.c setrans_client.c sha1.c
>> + override CFLAGS += -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
>> + -DBUILD_HOST
>> +else
>> + SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
>> $(wildcard *.c)))
>> +endif
>>
>>  GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
>> -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
>> $(wildcard *.c)))
>>
>>  MAX_STACK_SIZE=32768
>>
>> @@ -92,6 +100,28 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ 
>> $(EMFLAGS)
>>
>>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(EMFLAGS)
>>
>> +$(LIBA): $(OBJS)
>> + $(AR) rcs $@ $^
>> + $(RANLIB) $@
>> +
>> +$(LIBSO): $(LOBJS)
>> + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
>> -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
>> + ln -sf $@ $(TARGET)
>> +
>> +%.o:  %.c policy.h
>> + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
>> +
>> +%.lo:  %.c policy.h
>> + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
>
> Did these truly need to move?  I don't see why.

this prevents us from having multiple definitions of the recipes or
multiple if's on ANDROID_HOST=y.
Both flavors need these wildcard targets.

>
>> +
>> +# ANDROID_HOST Build option only builds the shared and static versions of
>> +# libselinux.
>> +ifeq ($(ANDROID_HOST),y)
>> +
>> +all: $(LIBA) $(LIBSO)
>> +
>> +else
>> +
>>  all: $(LIBA) $(LIBSO) $(LIBPC)
>
> Is this worthwhile/necessary?  The point of the build option IIUC is
> just to allow upstream testing that the Android build host version will
> still build, it shouldn't matter if there are extras.

Those things die on linking... so I didn't want to submit something
where Make returns not 0.

>
>>
>>  pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
>> @@ -110,14 +140,6 @@ $(SWIGSO): $(SWIGLOBJ)
>>  $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
>>   $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR)
>>
>> -$(LIBA): $(OBJS)
>> - $(AR) rcs $@ $^
>> - $(RANLIB) $@
>> -
>> -$(LIBSO): $(LOBJS)
>> - $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
>> -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
>> - ln -sf $@ $(TARGET)
>> -
>>  $(LIBPC): $(LIBPC).in ../VERSION
>>   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
>> s:@libdir@:$(LIBBASE):;

Re: Android Fork

2016-09-27 Thread William Roberts 
On Sep 27, 2016 07:52, "Jason Zaman"  wrote:
>
> I just remembered that travis-ci has OSX stuff now.
> https://docs.travis-ci.com/user/osx-ci-environment/
>
> Maybe we should setup a .travis.yml for selinux to build all these
> possible configurations going forward?

At least the Android config would be nice, because certain things
will never build on mac.

>

> On Mon, Sep 26, 2016 at 10:33:37AM -0700, william.c.robe...@intel.com
wrote:
> > Below, are the last two majore patches to close the Android fork.
> >
> > Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I
> > combined into 1 patch since some ANDROID and BUILD_HOST defines
> > are on the same line, I can split it appart if its really needed.
> >
> > Note, that you need the Android make recipe for some of these
> > configurations to work as Android doesn't use all the src files.
> >
> > The Build files are left out, for now, so AOSP can pull from
> > upstream without it breaking the AOSP build.
> >
> > Once merged AOSP can take the build files, once they drop
> > external/libselinux, and then the last patch u[stream will
> > be the enabling patch with the build files.
> >
> > [PATCH 1/2] libselinux: introduce configurable backends
> > [PATCH 2/2] libselinux: add ifdef'ing for ANDROID and BUILD_HOST
> > ___
> > Selinux mailing list
> > seli...@tycho.nsa.gov
> > To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
selinux-requ...@tycho.nsa.gov.
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
selinux-requ...@tycho.nsa.gov.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: Android Fork

2016-09-27 Thread Jason Zaman 
I just remembered that travis-ci has OSX stuff now.
https://docs.travis-ci.com/user/osx-ci-environment/

Maybe we should setup a .travis.yml for selinux to build all these
possible configurations going forward?

On Mon, Sep 26, 2016 at 10:33:37AM -0700, william.c.robe...@intel.com wrote:
> Below, are the last two majore patches to close the Android fork.
> 
> Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I
> combined into 1 patch since some ANDROID and BUILD_HOST defines
> are on the same line, I can split it appart if its really needed.
> 
> Note, that you need the Android make recipe for some of these
> configurations to work as Android doesn't use all the src files.
> 
> The Build files are left out, for now, so AOSP can pull from
> upstream without it breaking the AOSP build.
> 
> Once merged AOSP can take the build files, once they drop
> external/libselinux, and then the last patch u[stream will
> be the enabling patch with the build files.
> 
> [PATCH 1/2] libselinux: introduce configurable backends
> [PATCH 2/2] libselinux: add ifdef'ing for ANDROID and BUILD_HOST
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread Stephen Smalley 
On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> To build the selinux host configuration, specify
> ANDROID_HOST=y on the Make command line.
> 
> eg)
> make ANDROID_HOST=y

Seems oddly named, neither corresponding to the #define it enables
(BUILD_HOST) nor to the target platform.

> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/Makefile |  8 +++-
>  libselinux/src/Makefile | 50 
> +
>  2 files changed, 41 insertions(+), 17 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index 5a8d42c..50ae009 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>   override DISABLE_RPM=y
>   override DISABLE_BOOL=y
>  endif
> +ifeq ($(ANDROID_HOST),y)
> + override DISABLE_SETRANS=y
> + EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
> -DNO_X_BACKEND \
> + -DBUILD_HOST
> + SUBDIRS = src
> +endif

Don't you actually want to also pick up utils/sefcontext_compile?
That is built and used on the build host.  And I'm not sure why we'd
drop the other SUBDIRS.

>  ifeq ($(DISABLE_AVC),y)
>   EMFLAGS+= -DDISABLE_AVC
>  endif
> @@ -22,7 +28,7 @@ endif
>  ifeq ($(DISABLE_SETRANS),y)
>   EMFLAGS+= -DDISABLE_SETRANS
>  endif
> -export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
> +export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS 
> ANDROID_HOST
>  
>  USE_PCRE2 ?= n
>  ifeq ($(USE_PCRE2),y)
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 36e42b8..d841ef7 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -47,9 +47,17 @@ endif
>  ifeq ($(DISABLE_BOOL),y)
>   UNUSED_SRCS+=booleans.c
>  endif
> +ifeq ($(ANDROID_HOST),y)
> + SRCS=callbacks.c freecon.c label.c label_file.c \
> + label_android_property.c regex.c label_support.c \
> + matchpathcon.c setrans_client.c sha1.c
> + override CFLAGS += -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
> + -DBUILD_HOST
> +else
> + SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
> $(wildcard *.c)))
> +endif
>  
>  GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
> -SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort 
> $(wildcard *.c)))
>  
>  MAX_STACK_SIZE=32768
>  
> @@ -92,6 +100,28 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ 
> $(EMFLAGS)
>  
>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(EMFLAGS)
>  
> +$(LIBA): $(OBJS)
> + $(AR) rcs $@ $^
> + $(RANLIB) $@
> +
> +$(LIBSO): $(LOBJS)
> + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
> -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
> + ln -sf $@ $(TARGET)
> +
> +%.o:  %.c policy.h
> + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
> +
> +%.lo:  %.c policy.h
> + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<

Did these truly need to move?  I don't see why.

> +
> +# ANDROID_HOST Build option only builds the shared and static versions of
> +# libselinux.
> +ifeq ($(ANDROID_HOST),y)
> +
> +all: $(LIBA) $(LIBSO)
> +
> +else
> +
>  all: $(LIBA) $(LIBSO) $(LIBPC)

Is this worthwhile/necessary?  The point of the build option IIUC is
just to allow upstream testing that the Android build host version will
still build, it shouldn't matter if there are extras.

>  
>  pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
> @@ -110,14 +140,6 @@ $(SWIGSO): $(SWIGLOBJ)
>  $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
>   $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR)
>  
> -$(LIBA): $(OBJS)
> - $(AR) rcs $@ $^
> - $(RANLIB) $@
> -
> -$(LIBSO): $(LOBJS)
> - $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
> -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
> - ln -sf $@ $(TARGET) 
> -
>  $(LIBPC): $(LIBPC).in ../VERSION
>   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
> s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
>  
> @@ -130,12 +152,6 @@ $(AUDIT2WHYLOBJ): audit2why.c
>  $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ)
>   $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux 
> $(LIBDIR)/libsepol.a -L$(LIBDIR)
>  
> -%.o:  %.c policy.h
> - $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
> -
> -%.lo:  %.c policy.h
> - $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
> -
>  $(SWIGCOUT): $(SWIGIF)
>   $(SWIG) $<
>  
> @@ -178,4 +194,6 @@ distclean: clean
>  indent:
>   ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
>  
> -.PHONY: all clean pywrap rubywrap swigify install install-pywrap 
> install-rubywrap distclean
> +.PHONY: clean pywrap rubywrap swigify install install-pywrap 
> install-rubywrap distclean
> +endif
> +.PHONY: all

Why is this needed?

BTW, this option can be dangerous.  Don't build with it and then

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread Stephen Smalley 
On 09/26/2016 04:55 PM, William Roberts wrote:
> On Mon, Sep 26, 2016 at 1:53 PM,   wrote:
>> From: William Roberts 
>>
>> To build the selinux host configuration, specify
>> ANDROID_HOST=y on the Make command line.
>>
>> eg)
>> make ANDROID_HOST=y
>>
>> Signed-off-by: William Roberts 
>> ---
>>  libselinux/Makefile |  8 +++-
>>  libselinux/src/Makefile | 50 
>> +
>>  2 files changed, 41 insertions(+), 17 deletions(-)
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index 5a8d42c..50ae009 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -10,6 +10,12 @@ ifeq ($(EMBEDDED),y)
>> override DISABLE_RPM=y
>> override DISABLE_BOOL=y
>>  endif
>> +ifeq ($(ANDROID_HOST),y)
>> +   override DISABLE_SETRANS=y
>> +   EMFLAGS+= -DDISABLE_RPM -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
>> -DNO_X_BACKEND \
> 
> argghhh .. missing too much, drop DISABLE_RPM... copy+paste+edit fail.
> Ill let v2 sit for a day, and aggregate other
> feedback for v3. Sorry for the noise.

Sorry, why can't you override DISABLE_RPM=y?


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: 答复: A question about booting process with SELinux.

2016-09-27 Thread Stephen Smalley 
On 09/27/2016 03:00 AM, Weiyuan (David, Euler) wrote:
> "The rootfs is typically just unpacked from initramfs and all files within it 
> are assigned a default label based on the genfscon statement"
> 
> Do you mean Kernel lable rootfs with genfscon before init loading the 
> sepolicy into kernel?
> 
> 
> Could you please describe the details of the process that how does the rootfs 
> be labeled with u:object_r:rootfs:s0 during the booting of Android (Such as 
> Nexus) ?

If you really want to delve into that level of detail, then this is what
happens:

When the inodes are allocated, SELinux initializes them with the
unlabeled SID (inode_alloc_security).  When the corresponding dentry is
instantiated, SELinux adds them to a list associated with the superblock
because policy has not yet been loaded so we do not yet know how to
label them (inode_doinit_with_dentry, sbsec->flags does not yet have
SE_SBINITIALIZED set).  When init loads the /sepolicy file into the
kernel, security_load_policy() calls selinux_complete_init() after
loading the policy.  selinux_complete_init() iterates the superblocks
with delayed_superblock_init() as the callback, which calls
superblock_doinit().  superblock_doinit() calls selinux_set_mnt_opts(),
which calls security_fs_use().  security_fs_use() checks to see if the
filesystem type has a fs_use_* rule, and if not, checks for a genfscon
rule.  For the rootfs, we find the genfscon rule and return
SECURITY_FS_USE_GENFS along with the SID/context from the rule.  Then
selinux_set_mnt_opts() calls sb_finish_set_opts().  sb_finish_set_opts()
calls inode_doinit_with_dentry() on the root inode and inode_doinit() on
any inode in the list (which in turn calls inode_doinit_with_dentry()
with a NULL dentry). inode_doinit_with_dentry() falls through to the
default case of the switch statement.  inode_doinit_with_dentry() then
sets the inode SID to the superblock SID (which came from the genfscon
rule) and is done (rootfs does not enable SE_SBGENFS).  The inode is now
labeled with the context specified by the genfscon rule.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

答复: A question about booting process with SELinux.

2016-09-27 Thread Weiyuan (David, Euler) 
"The rootfs is typically just unpacked from initramfs and all files within it 
are assigned a default label based on the genfscon statement"

Do you mean Kernel lable rootfs with genfscon before init loading the sepolicy 
into kernel?


Could you please describe the details of the process that how does the rootfs 
be labeled with u:object_r:rootfs:s0 during the booting of Android (Such as 
Nexus) ?



Thanks.


-邮件原件-
发件人: Stephen Smalley [mailto:s...@tycho.nsa.gov] 
发送时间: 2016年9月27日 0:43
收件人: Weiyuan (David, Euler); William Roberts
抄送: seandroid-list@tycho.nsa.gov
主题: Re: A question about booting process with SELinux.

On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> Dear All:
> 
>I have a question that is when and how the root“/”and files in 
> it are labeled?
> 
>  
> 
> There are  "/ u:object_r:rootfs:s0" in file_contexts,  and  "genfscon 
> rootfs / u:object_r:rootfs:s0" in genfs_contexts.
> 
> My understanding is, First, kernel will load the initial_sid_contexts 
> before init process do the selinux_initialize().
> 
> Then when rootfs is mounted to “/”, kernel will label it with 
> “u:object_r:labeledfs.
> 
> And After init process do the selinux_initialize() to load sepolicy to 
> kernel,  there will be a restorecon to “/”.
> 
>  
> 
> Am I right?   If I am right, then when do this restorecon happen?

restorecon is only needed for /data or other filesystems that are updated at 
runtime.  The rootfs is typically just unpacked from initramfs and all files 
within it are assigned a default label based on the genfscon statement, unless 
using a real ext4 root filesystem partition (in which case the inode xattrs 
would be set when the filesystem image is generated, not when the system is 
booting).


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: 答复: A question about booting process with SELinux.

2016-09-27 Thread William Roberts 
On Sep 27, 2016 00:00, "Weiyuan (David, Euler)" 
wrote:
>
> "The rootfs is typically just unpacked from initramfs and all files
within it are assigned a default label based on the genfscon statement"
>
> Do you mean Kernel lable rootfs with genfscon before init loading the
sepolicy into kernel?
>
>
> Could you please describe the details of the process that how does the
rootfs be labeled with u:object_r:rootfs:s0 during the booting of Android
(Such as Nexus) ?

There is nothing happening with selinux until userspace mounts selinuxfs
and loads the policy file. The initial sid, which is the initial label for
an object, is encoded in the loaded policy along with the genfscon
statements. Genfscon is used primarily for labeling filesystems that do not
have xattr support.

For filesystems that have xattr, if set, the sid encoded in the xattr
security.selinux is used.

The file_contexts file, file_contexts.bin as of late, is used by userspace
services to.properly set the xattr label on filesystems. Namely init and
ueventd use it.

The basic boot sequence is:
1. Boot the kernel and exec init
2. Initialize selinux mount
3. Load the policy file
3. Restorecon /init
4. setenforce(1) unless non-user build and Android boot variable is set to
permissive.
5. Exec init in the second stage
6. Init script calls restorecon /data and /sys to reset labels if
fike_contexts changed (ie update).

I'm recalling this off the top of my head, some of the ordering might be
slightly off, but the concepts should be correct. You can verify by reading
init.cpp in system/core/init for the userspace load sequence.

To answer your question concisely, selinux isn't doing anything or labeling
anything until the policy is loaded.

>
>
>
> Thanks.
>
>
> -邮件原件-
> 发件人: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> 发送时间: 2016年9月27日 0:43
> 收件人: Weiyuan (David, Euler); William Roberts
> 抄送: seandroid-list@tycho.nsa.gov
> 主题: Re: A question about booting process with SELinux.
>
> On 09/26/2016 12:23 PM, Weiyuan (David, Euler) wrote:
> > Dear All:
> >
> >I have a question that is when and how the root“/”and files in
> > it are labeled?
> >
> >
> >
> > There are  "/ u:object_r:rootfs:s0" in file_contexts,  and  "genfscon
> > rootfs / u:object_r:rootfs:s0" in genfs_contexts.
> >
> > My understanding is, First, kernel will load the initial_sid_contexts
> > before init process do the selinux_initialize().
> >
> > Then when rootfs is mounted to “/”, kernel will label it with
> > “u:object_r:labeledfs.
> >
> > And After init process do the selinux_initialize() to load sepolicy to
> > kernel,  there will be a restorecon to “/”.
> >
> >
> >
> > Am I right?   If I am right, then when do this restorecon happen?
>
> restorecon is only needed for /data or other filesystems that are updated
at runtime.  The rootfs is typically just unpacked from initramfs and all
files within it are assigned a default label based on the genfscon
statement, unless using a real ext4 root filesystem partition (in which
case the inode xattrs would be set when the filesystem image is generated,
not when the system is booting).
>
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.