On Mon, Apr 2, 2018 at 7:37 AM, HAN wrote:
> Hi Jeffrey, thanks for your quick response.
>
>
>
> My system_app is used to test some components with python script.
>
> This app is not pre-loaded and is installed to test and will be
> uninstalled after all the test-cases are done.
On Tue, Mar 13, 2018 at 11:45 PM, kiran mardi wrote:
> Hi Stephen,
>
> Please correct me if I am wrong.
> 1. restorecon_recurssive /data in system/core/rootdir/init.rc will not
> run/apply on every bootup?
No, as Stephen stated before, and I quote, "this is based
on a
On Wed, Nov 1, 2017 at 11:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-11-01 at 11:06 -0700, William Roberts wrote:
>> We're using a new kernel that has the map permission
>>
>> We're seeing denials on apps in/using the tmpfs_domain
We're using a new kernel that has the map permission
We're seeing denials on apps in/using the tmpfs_domain()
macro.
I *think* that this was just missed in:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/
I have an RFC patch here:
We recently ran into an issue where CTS was failing on property_contexts.
The best I can tell, is that the CTS build had locale of en_US.utf8 while
the local
build had a locale of C which affected the sort ordering as sort respects
locale.
I proposed a patch to use fc_sort, here:
IIRC, back in the day all files were m4 processed, concatenated and
checked. I made use of these definitions
passed via BOARD_SEPOLICY_M4DEFS.
Recent changes changed this behavior, so now one has to define the
type always for things like type and
domain for seapp_contexts.
Does anyone object to
On Fri, May 19, 2017 at 6:09 AM, Stephen Smalley wrote:
> On Fri, 2017-05-19 at 16:52 +0900, HAN wrote:
>> Dear All,
>>
>> I'm doing a SEAndroid in my company and have one question.
>> Our developers often add SEAndroid policies for their own function.
>>
>> However, they
On Apr 11, 2017 04:54, "peng fei" wrote:
Some research set hook on C API. SEAndroid set hook on syscall.
What's the difference of access control performance between the C hook and
the syscall hook?
The userspace library hook will be faster, as it avoids the context
..tom
*From: *William Roberts <bill.c.robe...@gmail.com>
*Sent: *Friday, April 7, 2017 11:59 AM
*To: *Tom Jones <thomasclinganjo...@gmail.com>
*Cc: *seandroid-list@tycho.nsa.gov; seli...@tycho.nsa.gov; Nick Kralevich
<n...@google.com>
*Subject: *Re: add CONFIG_SECURITY_SELINUX
sed, the selinux policy is your least
concern. Under treble it ends up in different DM verity protected images.
I looked at the other site and decided it was looking at the technical
problem and not the policy problem at all.
On Fri, Apr 7, 2017 at 11:23 AM, William Roberts <bill.c.robe.
For those following along, the topic was killed, so the patches are:
https://android-review.googlesource.com/#/c/325725/
https://android-review.googlesource.com/#/c/325726/
On Thu, Jan 19, 2017 at 3:43 PM, Nick Kralevich wrote:
> these are good patches. Thank you for uploading
On Dec 23, 2016 19:34, "peng fei" wrote:
Can I modify external/libselinux/src/android.c to force the policy just
load from /data/security/current/sepolicy?
---
This is the original file external/libselinux/src/android.c
> static char const *
On Nov 30, 2016 18:14, "Sameer Joshi" wrote:
>
> Hi All,
>
> I want to give access to untrusted app to write to /tmp directory.
>
> This is on top of 6.0 M code.
>
> Denial was following:
>
> [ 151.092299] type=1400 audit(1479910142.370:18): avc: denied { write }
for
On Nov 23, 2016 02:34, "peng fei" wrote:
>
> requirement:
> system/bin/setest is an executable program to read and
write /data/hello.txt. I expected just setest can read or write the file
/data/hello.txt.
> root@generic:/system/bin # ./setest
> Hello, Software Weekly
>
On Fri, Nov 4, 2016 at 6:47 AM, peng fei wrote:
> 1. create an executable C program named setest to create , read and write
> hello.txt.
> 2. push the setest to /data. root@grouper:/data # ./setest this will
> create hello.txt in /data
> 3. add setest.te in
On Oct 18, 2016 11:08, "Stephen Smalley" wrote:
>
> On 10/18/2016 10:56 AM, Stephen Smalley wrote:
> > On 10/18/2016 10:49 AM, Sava Mikalački wrote:
> >> I'm not sure how to answer the ownership question. I'm trying to allow
> >> my application to write files in
On Oct 18, 2016 10:51, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 10/18/2016 10:23 AM, William Roberts wrote:
> > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com
> > <mailto:mikalac...@gmail.com>> wrote:
> >
On Oct 18, 2016 10:33 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 10/18/2016 10:23 AM, William Roberts wrote:
> > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com
> > <mailto:mikalac...@gmail.com>> wrote:
> >
On Oct 18, 2016 9:02 AM, "Stephen Smalley" wrote:
>
> On 10/17/2016 11:19 PM, peng fei wrote:
> > I want to achieve the result that just allow jd process to open and
> > read /data/audit/log/audit.log.
> > For this target, I add some rules in policy file.
> > And after that, I
On Oct 18, 2016 08:41, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 10/17/2016 04:24 PM, william.c.robe...@intel.com wrote:
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > To build on mac, first build libsepol with
> >
On Thu, Oct 13, 2016 at 5:19 PM, Eduardo Aguirre wrote:
> Aren't Tomoyo, Apparmor and Smack other LSMs (Linux Security Modules) in the
> Linux Kernel used in Android?
Officially no, just SE Linux. However, I have seen some devices with
TOMOYO enabled,
but those were OEM
The only "LSM" in Android is SELinux. The term LSM means Linux
Security Module and
is a Linux kernel technology.
If you want to actually look deeper in how SE Linux was integrated, parts of
Exploring SE for Android (my book), may be of help.
As far as Android Security, that internals book you
On Oct 6, 2016 04:53, "Inamdar Sharif" wrote:
>
> Hi,
>
>
>
> I am getting the following denial when I enable CONFIG_DEVTMPFS
>
> avc: denied { write } for pid=37 comm="kdevtmpfs" dev="devtmpfs" ino=122
scontext=u:r:kernel:s0 tcontext=u:object_r:device:s0 tclass=dir
On Thu, Sep 29, 2016 at 3:15 PM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smal
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/29/2016 02:46 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/29/2016 02:15 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wro
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>> From: William Roberts <william.c.robe...@intel.com>
>>
>> Provide stubs to the public boolean API that always returns -1.
do you have the corresponding changes to checkfc on AOSP?
On Thu, Sep 29, 2016 at 7:39 AM, Janis Danisevskis wrote:
> We use the same lookup function for service contexts
> that we use for property contexts. However, property
> contexts are namespace based and only compare
On Sep 28, 2016 17:07, "Joshua Brindle" <brin...@quarksecurity.com> wrote:
>
> William Roberts wrote:
>>
>> On Sep 28, 2016 16:54, "Joshua Brindle"<brin...@quarksecurity.com>
wrote:
>>>
>>> Joshua Brindle wrote:
>>>
From commit 35d702 on https://github.com/williamcroberts/selinux/tree/fix-mac
I have a branch that is building on my elcapitan mac, requesting any
comments anyone
wishes to make, before I send them out.
If you wish to test, this is the procedure
1. Build libsepol (assumes at root of tree)
On Wed, Sep 28, 2016 at 12:42 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/28/2016 12:25 PM, William Roberts wrote:
>> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
>>
On Wed, Sep 28, 2016 at 11:53 AM, <william.c.robe...@intel.com> wrote:
> From: William Roberts <william.c.robe...@intel.com>
>
> When building for Android, this error manifests itself:
>
> label_file.c:570:7: error: unused variable ‘subs_file’
> [-Werror=unuse
>>> Don't you actually want to also pick up utils/sefcontext_compile?
>>> That is built and used on the build host. And I'm not sure why we'd
>>> drop the other SUBDIRS.
>>
>> You'll start running into linking issues if things that use
>> libselinux, use something not
>> in the build host IIRC.
On Tue, Sep 27, 2016 at 12:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/27/2016 03:03 PM, William Roberts wrote:
>> On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On 09/27/2016 02:43 PM, William Roberts wrote:
>>
On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/27/2016 02:43 PM, William Roberts wrote:
>> On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov
>> <mailto:s...@tycho.nsa.gov>> wrote:
>>>
>>>
On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 09/27/2016 11:08 AM, William Roberts wrote:
> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov>
wrote:
> >> On 09/26/2016 04:53 PM, william.c.robe...@i
On Sep 27, 2016 09:50, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 09/27/2016 11:08 AM, William Roberts wrote:
> > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov>
wrote:
> >> On 09/26/2016 04:53 PM, william.c.robe...@i
On Tue, Sep 27, 2016 at 7:03 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/26/2016 04:55 PM, William Roberts wrote:
>> On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote:
>>> From: William Roberts <william.c.robe...@intel.com>
On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote:
>> From: William Roberts <william.c.robe...@intel.com>
>>
>> To build the selinux host configuration, specify
>>
On Sep 27, 2016 07:52, "Jason Zaman" wrote:
>
> I just remembered that travis-ci has OSX stuff now.
> https://docs.travis-ci.com/user/osx-ci-environment/
>
> Maybe we should setup a .travis.yml for selinux to build all these
> possible configurations going forward?
At least
>
>
> Thanks.
>
>
> -Original Message-
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: September 27, 2016 0:43
> To: Weiyuan (David, Euler); William Roberts
> Cc: seandroid-list@tycho.nsa.gov
> Subject: Re: A question about booting process with SELinux.
>
>
On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote:
> From: William Roberts <william.c.robe...@intel.com>
>
> To build the selinux host configuration, specify
> ANDROID_HOST=y on the Make command line.
>
> eg)
> make ANDROID_HOST=y
>
On Mon, Sep 26, 2016 at 12:10 PM, Stephen Smalley wrote:
> On 09/26/2016 01:33 PM, william.c.robe...@intel.com wrote:
>> Below, are the last two major patches to close the Android fork.
>>
>> Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I
>> combined into 1
On Mon, Sep 26, 2016 at 10:33 AM, wrote:
> Below, are the last two major patches to close the Android fork.
>
> Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I
> combined into 1 patch since some ANDROID and BUILD_HOST defines
> are on the same line, I
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote:
> On 09/26/2016 10:22 AM, Janis Danisevskis wrote:
>> The "-r" flag of sefcontext_compile now causes it to omit the
>> precompiled regular expressions from the output.
>
> The code itself looks ok, aside from William's
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote:
> On 09/26/2016 10:22 AM, Janis Danisevskis wrote:
>> The "-r" flag of sefcontext_compile now causes it to omit the
>> precompiled regular expressions from the output.
>
> The code itself looks ok, aside from William's
On Mon, Sep 26, 2016 at 7:22 AM, Janis Danisevskis wrote:
> Serialized precompiled regular expressions are architecture
> dependent when using PCRE2. This patch
> - bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
> - adds a field to the output indicating the architecture
>
iling list.
Thanks all for the input provided, and Josh for your late night mac help!
On Fri, Sep 23, 2016 at 1:44 PM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 09/23/2016 04:01 PM, Joshua Bri
On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/23/2016 04:01 PM, Joshua Brindle wrote:
>> William Roberts wrote:
>>> On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle
>>> <brin...@quarksecurity.com> wrote:
>>>>
, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Thu, Sep 22, 2016 at 6:34 PM, William Roberts
> <bill.c.robe...@gmail.com> wrote:
>> So I have been working the last couple of days to understand what it
>> would take to kill external/libselinux (the Android Fork)
On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle
<brin...@quarksecurity.com> wrote:
> William Roberts wrote:
>>
>> On Sep 22, 2016 9:18 PM, "Jeffrey Vander Stoep"<je...@google.com> wrote:
>>>
>>> Remember to test on the Mac build. About a year
Haines has done a lot of
work to reduce the diff between upstream and the Android fork. Hopefully
that will reduce your effort.
Yeah I'm quite concerned about the Mac build, does anyone on here have
access to a Mac for testing?
>
> On Thu, Sep 22, 2016 at 6:39 PM William Roberts <
On Thu, Sep 22, 2016 at 6:34 PM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> So I have been working the last couple of days to understand what it
> would take to kill external/libselinux (the Android Fork) and fixup
> upstream so most of the delta is in. The only thin
:
Patches that matter ( I don't know how to make pretty little git summaries):
commit e017f48acd2791a6aa62b4ed0c0b44256b26651f
Author: William Roberts <william.c.robe...@intel.com>
Date: Wed Sep 21 16:06:37 2016 -0700
libselinux: add The Android fork files
On Wed, Sep 21, 2016 at 2:48 PM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>>
>> On 09/21/2016 04:11 PM, William Roberts wrote:
>> > On Sep 21, 2016 13:06, "
On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 09/21/2016 04:11 PM, William Roberts wrote:
> > On Sep 21, 2016 13:06, "Stephen Smalley" <s...@tycho.nsa.gov
> > <mailto:s...@tycho.nsa.gov>> wrote:
>
On Sep 21, 2016 13:06, "Stephen Smalley" wrote:
>
> On 09/21/2016 03:57 PM, Roberts, William C wrote:
> > Correction, it’s just fgets_unlocked, it appears to support the others.
>
> Seems like a bug in bionic, but we can work around it by:
> #ifdef ANDROID
> #define
On Sep 19, 2016 22:25, "Jason Zaman" <ja...@perfinion.com> wrote:
>
> On 20 Sep 2016 12:50 pm, "William Roberts" <bill.c.robe...@gmail.com>
wrote:
> >
> > On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote:
>
On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote:
>
> On 20 Sep 2016 5:47 am, <william.c.robe...@intel.com> wrote:
> >
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > THIS IS WIP...
> >
> > Rath
On Sep 19, 2016 22:28, "Inamdar Sharif" wrote:
>
> Hi ,
>
>
>
> I am getting the following avc denied
No, that would defeat the purpose of an isolated application. Isolated
applications are sandboxed even away from their own on disk resources.
On Fri, Sep 16, 2016 at 11:44 AM, Janis Danisevskis wrote:
> I don't really care much about the behavior of sefcontext_compile. I just
> thought making the default behavior the safest would be the best option.
> Before android is using it, I will have to sync the (now modified
On Fri, Sep 16, 2016 at 8:04 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Fri, Sep 16, 2016 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 09/16/2016 10:44 AM, William Roberts wrote:
>>> On Fri, Sep 16, 2016 at 7:41 AM, William Roberts
On Sep 16, 2016 08:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 09/16/2016 11:08 AM, William Roberts wrote:
> > On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley <s...@tycho.nsa.gov>
wrote:
> >> On 09/16/2016 09:08 AM, Janis Danisevskis wrote:
On Fri, Sep 16, 2016 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/16/2016 10:44 AM, William Roberts wrote:
>> On Fri, Sep 16, 2016 at 7:41 AM, William Roberts
>> <bill.c.robe...@gmail.com> wrote:
>>> On Fri, Sep 16, 2016 at 7:38 AM, Stephe
On Fri, Sep 16, 2016 at 7:41 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Fri, Sep 16, 2016 at 7:38 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 09/16/2016 10:30 AM, Stephen Smalley wrote:
>>> On 09/15/2016 07:13 PM, william.c.robe...@intel
On Fri, Sep 16, 2016 at 7:38 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/16/2016 10:30 AM, Stephen Smalley wrote:
>> On 09/15/2016 07:13 PM, william.c.robe...@intel.com wrote:
>>> From: William Roberts <william.c.robe...@intel.com>
>>>
>>
On Fri, Sep 16, 2016 at 7:30 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/15/2016 07:13 PM, william.c.robe...@intel.com wrote:
>> From: William Roberts <william.c.robe...@intel.com>
>>
>> patch 5e15a52aaa cleans up the process_file() but introduced
>
On Sep 16, 2016 07:06, "Jason Zaman" <ja...@perfinion.com> wrote:
>
> On Fri, Sep 16, 2016 at 06:51:25AM -0700, William Roberts wrote:
> > On Fri, Sep 16, 2016 at 6:43 AM, William Roberts
> > <bill.c.robe...@gmail.com> wrote:
> > > On Fri, Sep 16,
On Fri, Sep 16, 2016 at 6:43 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote:
>> On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote:
>>> On Fri, Sep 16, 2016 at 6
On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote:
> On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote:
>> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com> wrote:
>> > I don't mind. Then before sefcontext_com
surgery so I haven't been
following this as well as I normally would have,
If it's merged, just leave it.
>
> On Fri, Sep 16, 2016 at 1:35 PM William Roberts <bill.c.robe...@gmail.com>
> wrote:
>>
>>
>> >
>> >
>> > That's just th
>
>
> That's just the thing. Without -r the phone _will_ boot because the regexes
> are compiled on first use. With -r and an arch mismatch we have an undefined
> behavior, which is bad.
That's just a limitation of the current design.
>
> See, I don't currently know what part of the
On Fri, Sep 16, 2016 at 3:13 AM, Janis Danisevskis <jda...@google.com> wrote:
> First of all, I would like to thank you, Stephen and William, for your
> patience and support.
>
> On Thu, Sep 15, 2016 at 8:34 PM William Roberts <bill.c.robe...@gmail.com>
> wrote:
>>
> + if (!rc) {
> + rc = digest_add_specfile(digest, fp, NULL,
> sb.st_size, found_path);
> + }
One more time...
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email
On Thu, Sep 15, 2016 at 7:57 AM, Stephen Smalley wrote:
> On 09/15/2016 10:04 AM, Janis Danisevskis wrote:
>> From: Janis Danisevskis
>>
>> This patch moves all pcre1/2 dependencies into the new files regex.h
>> and regex.c implementing the common
I'll send that right up!
On Thu, Sep 15, 2016 at 7:42 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/09/2016 02:27 PM, Stephen Smalley wrote:
>> On 09/09/2016 01:44 PM, william.c.robe...@intel.com wrote:
>>> From: William Roberts <william.c.robe...@int
On Sep 7, 2016 11:29, "Jason Zaman" <ja...@perfinion.com> wrote:
>
> On Wed, Sep 07, 2016 at 09:40:43AM -0700, William Roberts wrote:
> > On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley <s...@tycho.nsa.gov>
wrote:
> > > On 09/07/2016 04:08 AM,
On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley wrote:
> On 09/07/2016 04:08 AM, Janis Danisevskis wrote:
>> From: Janis Danisevskis
>>
>> This patch moves all pcre1/2 dependencies into the new files regex.h
>> and regex.c implementing the common
On Wed, Sep 7, 2016 at 1:08 AM, Janis Danisevskis wrote:
> From: Janis Danisevskis
>
> This patch moves all pcre1/2 dependencies into the new files regex.h
> and regex.c implementing the common denominator of features needed
> by libselinux. The compiler
Also, there are some memory leaks in there; run it under valgrind, e.g.
valgrind --leak-check=full matchpathcon /etc
>>>
>>> OK I'll run that test.
>
> I can't reproduce:
bad send... Can you send your valgrind output? Are you sure it's not there
prior to my patch? The only heap alloc
On Tue, Sep 6, 2016 at 1:22 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 09/06/2016 04:06 PM, William Roberts wrote:
>> On Sep 6, 2016 13:01, "Stephen Smalley" <s...@tycho.nsa.gov
>> <mailto:s...@tycho.nsa.gov>> wrote:
>>>
>
On Aug 29, 2016 16:56, "Paul Moore" <p...@paul-moore.com> wrote:
>
> On Tue, Aug 23, 2016 at 4:49 PM, <william.c.robe...@intel.com> wrote:
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > Throughout the SE Linux LSM, values tak
On Aug 19, 2016 06:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 08/18/2016 04:54 PM, william.c.robe...@intel.com wrote:
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > Rather than duplicating the following sequence:
> > >
On Aug 18, 2016 17:07, "Paul Moore" <p...@paul-moore.com> wrote:
>
> On Mon, Aug 15, 2016 at 3:42 PM, <william.c.robe...@intel.com> wrote:
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > Remove the SECURITY_SELINUX_PO
>> Currently, in file-systems like reiserFS that support scalable xattrs, only
>> VFS is the one limiting the size to 64k. Since there is no constant, and
>> maybe one day this arbitrary VFS limit
>> would be removed, I think we should check correctly here that we're
>> allocating > 1 bytes, and
On Tue, Aug 16, 2016 at 8:11 AM, William Roberts <bill.c.robe...@gmail.com>
wrote:
> On Aug 16, 2016 06:12, "James Carter" <jwca...@tycho.nsa.gov> wrote:
> >
> > On 08/15/2016 11:59 AM, william.c.robe...@intel.com wrote:
> >>
> >
On Aug 16, 2016 06:12, "James Carter" <jwca...@tycho.nsa.gov> wrote:
>
> On 08/15/2016 11:59 AM, william.c.robe...@intel.com wrote:
>>
>> From: William Roberts <william.c.robe...@intel.com>
>>
>> Throughout libsepol, values taken from sepoli
On Aug 1, 2016 04:17, "Sameer Joshi" wrote:
>
> Hi All,
>
> We are trying to enable SELinux in kernel and have defined following
options in the config file.
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>
> Command line options for kernel have
On Jul 28, 2016 09:15, "peter enderborg"
wrote:
>
> What is the point with that?
You could always wrap they aosp never allows in userdebug or eng macros,
and be OK with respect to CTS. However, doing so increases the delta
between user builds and other variants,
On Jul 12, 2016 21:20, "Jeffrey Vander Stoep" wrote:
>
> Hi Yongqin,
>
> Looks like a process is indiscriminately calling ashmem_get_size_region()
(ioctl number 7704=ASHMEM_GET_SIZE) on a unix socket. This is a bug and
should not be allowed. The selinux denial is working as
On Jul 7, 2016 1:13 PM, "YongQin Liu" wrote:
>
> Hi, ALL
>
> When I try AOSP master with the hikey board, I see following sys_module
denial on netd domain.
>
>> avc: denied { sys_module } for pid=1775 comm="netd" capability=16
scontext=u:r:netd:s0 tcontext=u:r:netd:s0
On Jul 7, 2016 07:57, "Sameer Joshi" wrote:
>
> Hi All,
>
> I have a use-case where the root user access
Selinux has no notion of Linux uids like root. So this question doesn't
quite make sense. Selinux is a white list, so if you don't add permissions
it won't be allowed.
On Jul 5, 2016 01:33, "Sameer Joshi" wrote:
>
> Hi,
>
> I want to provide an application downloaded from app store , permission
to access a particular directory which is shared between the platform
service started from init.rc and that app.
>
> I wanted to know how can I
On Jul 1, 2016 08:15, "Inamdar Sharif" wrote:
>
> Hi Guys,
>
>
>
> I have a node which is “abc,xyz”
>
> I want to label this node in genfs_contexts but getting syntax error
>
>
>
> But if I make the below change in
external/selinux/checksepolicy/policy_scan.l it works fine.
>
On Jun 20, 2016 07:51, "William Roberts" <bill.c.robe...@gmail.com> wrote:
>
>
> On Jun 20, 2016 01:24, "YongQin Liu" <yongqin@linaro.org> wrote:
> >
> > Hi, William
> >
> > Sorry for late response, my laptop OS was crashed
On Jun 20, 2016 01:24, "YongQin Liu" <yongqin@linaro.org> wrote:
>
> Hi, William
>
> Sorry for late response, my laptop OS was crashed last Friday:(
>
> Thanks for your suggestion first, and some comments in line.
> On 17 June 2016 at 07:50, William Rob
On Thu, Jun 2, 2016 at 6:35 AM, Sameer Joshi wrote:
> Thanks Stephen. It was my mistake that I did not do mkdir for
> eeprom_data_file correctly.
> After fixing this, it worked fine.
> I was using wrong user. cpnoui executes with user root and group system.
> After
On Fri, Jan 22, 2016 at 2:03 AM, 李孟樵 wrote:
> HI,
> ROM: I build aosp-6.0.1-r7 aosp_flo-userdebug
> Devices: Nexus 7 II
> Goal: I want to use my application executes the command "load_policy" in
> this ROM.
>
> I have tried these steps as follows:
> step 1. create an application
On Jan 19, 2016 12:20 PM, "Jeffrey Vander Stoep" <je...@google.com> wrote:
>
> Try adding notrim in your fstab. Trimming swap makes no sense.
Does defaults include discard? I haven't looked.
>
> On Tue, Jan 19, 2016 at 9:31 AM William Roberts <bill.c.ro
aps right where Jeff suggested earlier.
On Tue, Jan 19, 2016 at 12:41 PM, William Roberts <bill.c.robe...@gmail.com>
wrote:
>
>
> On Tue, Jan 19, 2016 at 12:26 PM, William Roberts <
> bill.c.robe...@gmail.com> wrote:
>
>>
>> On Jan 19, 2016 12:20 PM, "Jeff