How to verify my policy?
I want to achieve the result that only the jd process is allowed to open and read /data/audit/log/audit.log. For this, I added some rules to the policy file. After that, I want to verify my policy. So I created a test.c to read /data/audit/log/audit.log, using gcc to build test.c into the executable test. The files test.c and test are in /home/pengfei.

- My policy modifications are as follows:

-- First, add new types in file.te

    #/data/audit/log/audit.log
    type sec_file, file_type, data_file_type;
    #/home/test
    type jd_exec, file_type;

-- Add the contexts in file_contexts

    /data/audit/log/audit.log u:object_r:sec_file:s0
    /home/pengfei/test u:object_r:jd_exec:s0

-- Add the rules in jd.te

    allow jd sec_file:file { read open };
    allow jd jd_exec:file rx_file_perms;

- How can I verify my policy? Can I create an executable file to imitate jd? How to assign the conte

Please help me. Thanks in advance.

___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
how to verify my policy?
I want to add some policy.

-- Add a new type in file.te

    #/data/audit/log/audit.log
    type sec_file, file_type, data_file_type;
    #/home/test
    type jd_exec;

-- Add the contexts in file_contexts

    /data/audit/log/audit.log u:object_r:sec_file:s0
    /home/pengfei/test

-- Add the rules in jd.te

    allow jd sec_file:file r_file_perms;
    allow jd jd_exec:file rx_file_perms;
[PATCH 8/8] libselinux: add booleans.c to ANDROID_HOST=y recipe
From: William Roberts

We build booleans.c with DISABLE_BOOL set on Android host and target. Add that file to the upstream Makefile.

Signed-off-by: William Roberts
--- libselinux/src/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 7a1ae05..ccd8442 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -100,7 +100,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ -DBUILD_HOST SRCS= callbacks.c freecon.c label.c label_file.c \ label_backends_android.c regex.c label_support.c \ - matchpathcon.c setrans_client.c sha1.c + matchpathcon.c setrans_client.c sha1.c booleans.c else DISABLE_FLAGS+= -DNO_ANDROID_BACKEND SRCS:= $(filter-out label_backends_android.c, $(SRCS)) -- 1.9.1
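Review bot: the booleans.c added to the ANDROID_HOST SRCS list is only safe to build if this branch also defines DISABLE_BOOL, and the DISABLE_FLAGS context visible above the change shows -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND and -DBUILD_HOST but not -DDISABLE_BOOL. Please confirm the flag is set on the part of that assignment the hunk cuts off, or add it here. The commit message should also say that this patch depends on 7/8, which moves the includes in booleans.c under the DISABLE_BOOL guard.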
[PATCH 4/8] libselinux: fix required alignment for sha1.c on mac
From: William Roberts

When building on mac with ANDROID_HOST=y, clang complains:

sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16* block = (CHAR64LONG16*) workspace;

Rather than casting the bytearray to the CHAR64LONG16 union, just create a stack workspace of type CHAR64LONG16. This will prevent alignment issues with the data accesses.

Signed-off-by: William Roberts
--- libselinux/src/sha1.c | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c index 5f02af8..9bcbb6e 100644 --- a/libselinux/src/sha1.c +++ b/libselinux/src/sha1.c @@ -8,8 +8,14 @@ // Modified by WaterJuice retaining Public Domain license. // // This is free and unencumbered software released into the public domain - June 2013 waterjuice.org -// Modified to stop symbols being exported for libselinux shared library - October 2015 +// Modified to: +//- stop symbols being exported for libselinux shared library - October 2015 //Richard Haines +//- Not cast the workspace from a byte array to a CHAR64LONG16 due to allignment isses. +// Fixes: +//sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] +// CHAR64LONG16* block = (CHAR64LONG16*) workspace; +// William Roberts /// /// @@ -69,8 +75,8 @@ void uint32_tc; uint32_td; uint32_te; -uint8_t workspace[64]; -CHAR64LONG16* block = (CHAR64LONG16*) workspace; +CHAR64LONG16workspace; +CHAR64LONG16* block = memcpy( block, buffer, 64 ); -- 1.9.1
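Review bot: the new changelog entry in the file header (first hunk) misspells "alignment issues" as "allignment isses"; please fix the spelling. Consider leaving the full compiler diagnostic to the commit message rather than pasting it into the source header, where the reference to sha1.c:73:33 goes stale as soon as the file changes.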
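Review bot: in the second hunk the copy into the new union workspace still uses the literal 64 in "memcpy( block, buffer, 64 )". Now that workspace is a CHAR64LONG16 rather than a uint8_t[64], the size of the destination is no longer stated next to the copy, so use sizeof(workspace) or add a compile-time check that sizeof(CHAR64LONG16) is 64, which keeps the copy from overrunning the stack object if the union ever changes. Also make sure block is set to the address of workspace before the copy, since the line as shown passes block to memcpy inside its own initialiser.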
[PATCH 1/8] libsepol/cil: disable symver on Mac builds
From: William Roberts

symver does not work on Mac, so like Android, just disable it.

Signed-off-by: William Roberts
--- libsepol/cil/src/dso.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsepol/cil/src/dso.h b/libsepol/cil/src/dso.h index a06e349..64a162c 100644 --- a/libsepol/cil/src/dso.h +++ b/libsepol/cil/src/dso.h @@ -1,7 +1,7 @@ #ifndef _SEPOL_DSO_H #define _SEPOL_DSO_H 1 -#if !defined(SHARED) || defined(ANDROID) +#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__) #define DISABLE_SYMVER 1 #endif -- 1.9.1
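Review bot: the widened condition "|| defined(__APPLE__)" has no comment saying why symbol versioning is switched off there. Add a one-line comment above the #if giving the reason from the commit message (symver does not work with the Mac toolchain), so the next reader of dso.h does not have to dig up this commit to learn why three unrelated conditions share one guard.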
[PATCH 7/8] libselinux: DISABLE_BOOL move to include headers
From: William Roberts

Some systems, like Mac, don't have stdio_ext.h. Since we're building with DISABLE_BOOL=y on Mac, just include the header files with the DISABLE define, and use the bare minimum headers for DISABLE_BOOL=y.

Signed-off-by: William Roberts
--- libselinux/src/booleans.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c index cbb0610..ba9d934 100644 --- a/libselinux/src/booleans.c +++ b/libselinux/src/booleans.c @@ -5,6 +5,8 @@ * Dan Walsh - Added security_load_booleans(). */ +#ifndef DISABLE_BOOL + #include #include #include @@ -25,8 +27,6 @@ #define SELINUX_BOOL_DIR "/booleans/" -#ifndef DISABLE_BOOL - static int filename_select(const struct dirent *d) { if (d->d_name[0] == '.' @@ -561,6 +561,10 @@ int security_load_booleans(char *path) } #else + +#include +#include "selinux_internal.h" + int security_set_boolean_list(size_t boolcnt __attribute__((unused)), SELboolean * boollist __attribute__((unused)), int permanent __attribute__((unused))) -- 1.9.1
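Review bot: in the last hunk the #else branch gets its own include list, so the stubs now rely on those two headers alone for size_t and SELboolean. Please build the DISABLE_BOOL=y configuration with warnings as errors on a non-Mac host as well, because the headers that used to be included unconditionally are no longer seen on that path. With "#ifndef DISABLE_BOOL" now opening at the top of the file and its #else more than 550 lines further down, a trailing comment on the #else and #endif naming DISABLE_BOOL would make the pairing easier to follow.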
[PATCH 5/8] libselinux/utils: add noreturn to sefcontext_compile
From: William Roberts

When building on mac, one encounters this error:

sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

To correct this, add the attribute noreturn to the function.

Signed-off-by: William Roberts
--- libselinux/utils/sefcontext_compile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 6b564b4..54600e2 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -266,7 +266,7 @@ static void free_specs(struct saved_data *data) memset(data, 0, sizeof(*data)); } -static void usage(const char *progname) +static __attribute__ ((__noreturn__)) void usage(const char *progname) { fprintf(stderr, "usage: %s [-o out_file] [-p policy_file] fc_file\n" -- 1.9.1
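Review bot: marking usage() with "__attribute__ ((__noreturn__))" is only correct if every path through the function ends in exit() or an equivalent, and the hunk shows just the opening fprintf. Please confirm the body has no path that falls off the end or returns, since returning from a function declared noreturn is undefined behaviour, and say so in the commit message so the attribute is not read as a pure warning silencer.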
[PATCH 2/8] libsepol: build on mac
From: William Roberts

Correct the build issues on mac, mostly flags for tools. libsepol and cil now build completely on Mac with a simple make command.

Signed-off-by: William Roberts
--- libsepol/src/Makefile | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index b0c901f..7856213 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile @@ -30,6 +30,13 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_ override CFLAGS += -I$(CILDIR)/include endif +LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=$(LIBMAP),-z,defs + +OS := $(shell uname) +ifeq ($(OS), Darwin) +LD_SONAME_FLAGS=-install_name,$(LIBSO) +LDFLAGS += -undefined dynamic_lookup +endif all: $(LIBA) $(LIBSO) $(LIBPC) @@ -39,7 +46,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) $(LIBMAP) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $(LOBJS) -Wl,-soname,$(LIBSO),--version-script=$(LIBMAP),-z,defs + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $(LOBJS) -Wl,$(LD_SONAME_FLAGS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION -- 1.9.1
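Review bot: in the Darwin branch of the first hunk, LD_SONAME_FLAGS drops both --version-script=$(LIBMAP) and -z,defs, and LDFLAGS gains "-undefined dynamic_lookup", so on Mac the library is linked without the version script and unresolved symbols stop being a link-time error. Please document that in a comment next to the ifeq, and consider whether an exported-symbols list can stand in for the version script on that platform. Two smaller points: $(LIBMAP) stays a prerequisite of $(LIBSO) although the Darwin link no longer uses it, and OS is taken from uname on the build host, which selects the wrong flags when cross-compiling.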