Re: Questions about execution binary from /data.

2018-04-02 Thread William Roberts
On Mon, Apr 2, 2018 at 7:37 AM, HAN wrote: > Hi Jeffrey, thanks for your quick response. > > > > My system_app is used to test some components with python script. > > This app is not pre-loaded and be installed to test and will be > uninstalled after all the test-cases are done.

Re: /data/misc contents are unlabeled

2018-03-14 Thread William Roberts
On Tue, Mar 13, 2018 at 11:45 PM, kiran mardi wrote: > Hi Stephen, > > Please correct me if I am wrong. > 1. restorecon_recurssive /data in system/core/rootdir/init.rc will not > run/apply on every bootup? No, as Stephen stated before, and I quote, "this is based on a

Re: map on _tmpfs

2017-11-01 Thread William Roberts
On Wed, Nov 1, 2017 at 11:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Wed, 2017-11-01 at 11:06 -0700, William Roberts wrote: >> We're using a new kernel that has the map permission >> >> We're seeing denials on apps in/using the tmpfs_domain

map on _tmpfs

2017-11-01 Thread William Roberts
We're using a new kernel that has the map permission We're seeing denials on apps in/using the tmpfs_domain() macro. I *think* that this was just missed in: https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/ I have an RFC patch here:

local induced CTS issues with property_contexts

2017-09-22 Thread William Roberts
We recently ran into an issue where CTS was failing on property_contexts. The best I can tell is that the CTS build had locale of en_US.utf8 while the local build had a locale of C which affected the sort ordering as sort respects locale. I proposed a patch to use fc_sort, here:

m4 processing for macros on all files

2017-06-07 Thread William Roberts
IIRC, back in the day all files were m4 processed, concatenated and checked. I made use of these definitions passed via BOARD_SEPOLICY_M4DEFS. Recent changes changed this behavior, so now one has to define the type always for things like type and domain for seapp_contexts. Does anyone object to

Re: How to check a neverallow for a single allow rule?

2017-05-19 Thread William Roberts
On Fri, May 19, 2017 at 6:09 AM, Stephen Smalley wrote: > On Fri, 2017-05-19 at 16:52 +0900, HAN wrote: >> Dear All, >> >> I'm doing a SEAndroid in my company and have one question. >> Our developers add SEAndroid policies for their own function oftenly. >> >> However, they

Re: hook

2017-04-11 Thread William Roberts
On Apr 11, 2017 04:54, "peng fei" wrote: Some research set hook on C API. SEAndroid set hook on syscall. What's the difference of access control performance between the C hook and the syscall hook? The userspace library hook will be faster, as it avoids the context

RE: add CONFIG_SECURITY_SELINUX_LOAD_ONCE

2017-04-07 Thread William Roberts
..tom *From: *William Roberts <bill.c.robe...@gmail.com> *Sent: *Friday, April 7, 2017 11:59 AM *To: *Tom Jones <thomasclinganjo...@gmail.com> *Cc: *seandroid-list@tycho.nsa.gov; seli...@tycho.nsa.gov; Nick Kralevich <n...@google.com> *Subject: *Re: add CONFIG_SECURITY_SELINUX

Re: add CONFIG_SECURITY_SELINUX_LOAD_ONCE

2017-04-07 Thread William Roberts
sed, the selinux policy is your least concern. Under treble it ends up in different DM verity protected images. I looked at the other site and decided it was looking at the technical problem and not the policy problem at all. On Fri, Apr 7, 2017 at 11:23 AM, William Roberts <bill.c.robe.

Re: service_manager add permission

2017-01-19 Thread William Roberts
For those following along, the topic was killed, so the patches are: https://android-review.googlesource.com/#/c/325725/ https://android-review.googlesource.com/#/c/325726/ On Thu, Jan 19, 2017 at 3:43 PM, Nick Kralevich wrote: > these are good patches. Thank you for uploading

Re: reload sepolicy

2016-12-23 Thread William Roberts
On Dec 23, 2016 19:34, "peng fei" wrote: Can I modify external/libselinux/src/android.c to force the policy just load from /data/security/current/sepolicy? --- This is the original file external/libselinux/src/android.c > static char const *

Re: Regarding SELinux denial for writing to /tmp from untrusted_app

2016-11-30 Thread William Roberts
On Nov 30, 2016 18:14, "Sameer Joshi" wrote: > > Hi All, > > I want to give access to untrusted app to write to /tmp directory. > > This is on top of 6.0 M code. > > Denial was following: > > [ 151.092299] type=1400 audit(1479910142.370:18): avc: denied { write } for

Re: add new domain but it does not work well

2016-11-23 Thread William Roberts
On Nov 23, 2016 02:34, "peng fei" wrote: > > requirement: > system/bin/setest is an executable program to read and write /data/hello.txt . I expected just setest can read or write the file /data/hello.txt. > root@generic:/system/bin # ./setest > Hello, Software Weekly >

Re: fail to extend the policy

2016-11-04 Thread William Roberts
On Fri, Nov 4, 2016 at 6:47 AM, peng fei wrote: > 1. create an executable C program named setest to create , read and write > hello.txt. > 2. push the setest to /data. root@grouper:/data # ./setest this will > create hello.txt in /data > 3. add setest.te in

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 11:08, "Stephen Smalley" wrote: > > On 10/18/2016 10:56 AM, Stephen Smalley wrote: > > On 10/18/2016 10:49 AM, Sava Mikalački wrote: > >> I'm not sure how to answer the ownership question. I'm trying to allow > >> my application to write files in

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:51, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 10/18/2016 10:23 AM, William Roberts wrote: > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com > > <mailto:mikalac...@gmail.com>> wrote: > >

Re: Extending file_contexts

2016-10-18 Thread William Roberts
On Oct 18, 2016 10:33 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 10/18/2016 10:23 AM, William Roberts wrote: > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com > > <mailto:mikalac...@gmail.com>> wrote: > >

Re: How to verify my policy?

2016-10-18 Thread William Roberts
On Oct 18, 2016 9:02 AM, "Stephen Smalley" wrote: > > On 10/17/2016 11:19 PM, peng fei wrote: > > I want to achieve the result that just allow jd process to open and > > read /data/audit/log/audit.log. > > For this target, I add some rules in policy file. > > And after that, I

Re: [PATCH 6/8] libselinux: support ANDROID_HOST=1 on Mac

2016-10-18 Thread William Roberts
On Oct 18, 2016 08:41, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 10/17/2016 04:24 PM, william.c.robe...@intel.com wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > To build on mac, first build libsepol with > >

Re: Confidentiality and privacy

2016-10-13 Thread William Roberts
On Thu, Oct 13, 2016 at 5:19 PM, Eduardo Aguirre wrote: > Aren't Tomoyo, Apparmor and Smack other LSMs (Linux Security Modules) in the > Linux Kernel used in Android? Officially no, just SE Linux. However, I have seen some devices with TOMOYO enabled, but those were OEM

Re: Confidentiality and privacy

2016-10-13 Thread William Roberts
The only "LSM" in Android is SELinux. The term LSM means Linux Security Module and is a Linux kernel technology. If you want to actually look deeper in how SE Linux was integrated, parts of Exploring SE for Android (my book), may be of help. As far as Android Security, that internals book you

Re: kernel access device while enabling CONFIG_DEVTMPFS

2016-10-06 Thread William Roberts
On Oct 6, 2016 04:53, "Inamdar Sharif" wrote: > > Hi, > > > > I am getting the following denial when I enable CONFIG_DEVTMPFS > > avc: denied { write } for pid=37 comm="kdevtmpfs" dev="devtmpfs" ino=122 scontext=u:r:kernel:s0 tcontext=u:object_r:device:s0 tclass=dir
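Triaging a denial like the kdevtmpfs one quoted above starts with pulling scontext, tcontext, tclass and the permission set out of the audit line and rendering the allow rule that would silence it, which is what audit2allow does mechanically. The C program below is an added example for this page, not code from libselinux or from anyone in the thread; the struct and function names are mine. It parses the denial line from the message above plus a second, constructed line with two permissions. Whether the rule it prints should actually be granted is the policy question the thread is about, and in AOSP such a rule may also collide with neverallow rules, so treat the output as the starting point for review, not as the fix.

```c
#include <stdio.h>
#include <string.h>

/* Sample input 1: the denial quoted in the message above. */
const char *const SAMPLE_KDEVTMPFS =
    "avc: denied { write } for pid=37 comm=\"kdevtmpfs\" dev=\"devtmpfs\" ino=122 "
    "scontext=u:r:kernel:s0 tcontext=u:object_r:device:s0 tclass=dir";

/* Sample input 2: constructed for this example (not from the page), two permissions. */
const char *const SAMPLE_CONSTRUCTED =
    "avc: denied { read open } for pid=1234 comm=\"setest\" name=\"hello.txt\" dev=\"mmcblk0p23\" "
    "ino=4711 scontext=u:r:shell:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0";

struct avc_denial {
    char perms[64];   /* space-separated permissions, e.g. "read open" */
    char sdomain[64]; /* type field of scontext, e.g. "kernel" */
    char ttype[64];   /* type field of tcontext, e.g. "device" */
    char tclass[32];  /* object class, e.g. "dir" */
};

/* Copy the value of key=value (up to whitespace or end of line). 1 on success. */
static int field(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    size_t n;
    if (!p)
        return 0;
    p += strlen(key);
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* The type is the third colon-separated field of an Android context u:r:type:s0. */
static int context_type(const char *ctx, char *out, size_t outsz)
{
    const char *start = strchr(ctx, ':'), *end;
    size_t n;
    if (!start || !(start = strchr(start + 1, ':')))
        return 0;
    end = strchr(++start, ':');
    n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Parse one audit line into its policy-relevant fields. 1 on success, 0 if incomplete. */
int parse_avc_denial(const char *line, struct avc_denial *d)
{
    char ctx[128];
    const char *lb = strstr(line, "avc: denied {"), *rb;
    size_t n;
    memset(d, 0, sizeof *d);
    if (!lb || !(rb = strchr(lb, '}')))
        return 0;
    lb += strlen("avc: denied {");
    while (*lb == ' ')
        lb++;
    n = (size_t)(rb - lb);
    while (n > 0 && lb[n - 1] == ' ')
        n--;
    if (n == 0 || n >= sizeof d->perms)
        return 0;
    memcpy(d->perms, lb, n);
    d->perms[n] = '\0';
    if (!field(line, "scontext=", ctx, sizeof ctx) || !context_type(ctx, d->sdomain, sizeof d->sdomain))
        return 0;
    if (!field(line, "tcontext=", ctx, sizeof ctx) || !context_type(ctx, d->ttype, sizeof d->ttype))
        return 0;
    return field(line, "tclass=", d->tclass, sizeof d->tclass);
}

/* Render the allow rule covering the denial (audit2allow style); NULL if the line does not parse. */
const char *allow_rule_for(const char *line)
{
    static char rule[256]; /* overwritten by the next call */
    struct avc_denial d;
    int rc;
    if (!parse_avc_denial(line, &d))
        return NULL;
    rc = strchr(d.perms, ' ')
             ? snprintf(rule, sizeof rule, "allow %s %s:%s { %s };", d.sdomain, d.ttype, d.tclass, d.perms)
             : snprintf(rule, sizeof rule, "allow %s %s:%s %s;", d.sdomain, d.ttype, d.tclass, d.perms);
    return (rc > 0 && (size_t)rc < sizeof rule) ? rule : NULL;
}

int main(void)
{
    printf("%s\n", allow_rule_for(SAMPLE_KDEVTMPFS));
    printf("%s\n", allow_rule_for(SAMPLE_CONSTRUCTED));
    return 0;
}
```

For the line quoted above the program prints `allow kernel device:dir write;`. A truncated line such as the one in the /tmp thread further down this page, which stops right after `{ write } for`, does not carry scontext/tcontext/tclass and makes the parser return NULL rather than guess.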

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 3:15 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/29/2016 02:46 PM, William Roberts wrote: >>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smal

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/29/2016 02:46 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/29/2016 02:15 PM, William Roberts wrote: >&g

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/29/2016 02:15 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wro

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> Provide stubs to the public boolean API that always returns -1.

Re: [PATCH 2/3] libselinux: android: fix lax service context lookup

2016-09-29 Thread William Roberts
do you have the corresponding changes to checkfc on AOSP? On Thu, Sep 29, 2016 at 7:39 AM, Janis Danisevskis wrote: > We use the same lookup function for service contexts > that we use for property contexts. However, property > contexts are namespace based and only compare

Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
On Sep 28, 2016 17:07, "Joshua Brindle" <brin...@quarksecurity.com> wrote: > > William Roberts wrote: >> >> On Sep 28, 2016 16:54, "Joshua Brindle"<brin...@quarksecurity.com> wrote: >>> >>> Joshua Brindle wrote: >>>

[RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
From commit 35d702 on https://github.com/williamcroberts/selinux/tree/fix-mac I have a branch that is building on my elcapitan mac, requesting any comments anyone wishes to make, before I send them out. If you wish to test, this is the procedure 1. Build libsepol (assumes at root of tree)

Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 12:42 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 12:25 PM, William Roberts wrote: >> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/28/2016 12:04 PM, Janis Danisevskis wrote: >&g

Re: [PATCH] libselinux: fix unused variable error

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:53 AM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > When building for Android, this error manifests itself: > > label_file.c:570:7: error: unused variable ‘subs_file’ > [-Werror=unuse

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
>>> Don't you actually want to also pick up utils/sefcontext_compile? >>> That is built and used on the build host. And I'm not sure why we'd >>> drop the other SUBDIRS. >> >> You'll start running into linking issues if things that use >> libselinux, use something not >> in the build host IIRC.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 12:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/27/2016 03:03 PM, William Roberts wrote: >> On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/27/2016 02:43 PM, William Roberts wrote: >&g

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/27/2016 02:43 PM, William Roberts wrote: >> On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov >> <mailto:s...@tycho.nsa.gov>> wrote: >>> >>>

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/27/2016 11:08 AM, William Roberts wrote: > > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 09/26/2016 04:53 PM, william.c.robe...@i

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Sep 27, 2016 09:50, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/27/2016 11:08 AM, William Roberts wrote: > > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 09/26/2016 04:53 PM, william.c.robe...@i

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 7:03 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/26/2016 04:55 PM, William Roberts wrote: >> On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote: >>> From: William Roberts <william.c.robe...@intel.com&g

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> To build the selinux host configuration, specify >>

Re: Android Fork

2016-09-27 Thread William Roberts
On Sep 27, 2016 07:52, "Jason Zaman" wrote: > > I just remembered that travis-ci has OSX stuff now. > https://docs.travis-ci.com/user/osx-ci-environment/ > > Maybe we should setup a .travis.yml for selinux to build all these > possible configurations going forward? At least

Re: Reply: A question about booting process with SELinux.

2016-09-27 Thread William Roberts
> > > Thanks. > > > -Original Message- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: September 27, 2016 0:43 > To: Weiyuan (David, Euler); William Roberts > Cc: seandroid-list@tycho.nsa.gov > Subject: Re: A question about booting process with SELinux. > >

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > To build the selinux host configuration, specify > ANDROID_HOST=y on the Make command line. > > eg) > make ANDROID_HOST=y &

Re: Android Fork

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 12:10 PM, Stephen Smalley wrote: > On 09/26/2016 01:33 PM, william.c.robe...@intel.com wrote: >> Below, are the last two major patches to close the Android fork. >> >> Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I >> combined into 1

Re: Android Fork

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:33 AM, wrote: > Below, are the last two major patches to close the Android fork. > > Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I > combined into 1 patch since some ANDROID and BUILD_HOST defines > are on the same line, I

Re: [PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote: > On 09/26/2016 10:22 AM, Janis Danisevskis wrote: >> The "-r" flag of sefcontext_compile now causes it to omit the >> precompiled regular expressions from the output. > > The code itself looks ok, aside from William's

Re: [PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote: > On 09/26/2016 10:22 AM, Janis Danisevskis wrote: >> The "-r" flag of sefcontext_compile now causes it to omit the >> precompiled regular expressions from the output. > > The code itself looks ok, aside from William's

Re: [PATCH 1/3] libselinux: Add architecture string to file_context.bin

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 7:22 AM, Janis Danisevskis wrote: > Serialized precompiled regular expressions are architecture > dependent when using PCRE2. This patch > - bumps the SELINUX_COMPILED_FCONTEXT version to 5 and > - adds a field to the output indicating the architecture >

Re: Killing The Android libselinux Fork (available)

2016-09-24 Thread William Roberts
iling list. Thanks all for the input provided, and Josh for your late night mac help! On Fri, Sep 23, 2016 at 1:44 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/23/2016 04:01 PM, Joshua Bri

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/23/2016 04:01 PM, Joshua Brindle wrote: >> William Roberts wrote: >>> On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle >>> <brin...@quarksecurity.com> wrote: >>>>

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
, William Roberts <bill.c.robe...@gmail.com> wrote: > On Thu, Sep 22, 2016 at 6:34 PM, William Roberts > <bill.c.robe...@gmail.com> wrote: >> So I have been working the last couple of days to understand what it >> would take to kill external/libselinux (the Android Fork)

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle <brin...@quarksecurity.com> wrote: > William Roberts wrote: >> >> On Sep 22, 2016 9:18 PM, "Jeffrey Vander Stoep"<je...@google.com> wrote: >>> >>> Remember to test on the Mac build. About a year

Re: Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
Haines has done a lot of work to reduce the diff between upstream and the Android fork. Hopefully that will reduce your effort. Yeah I'm quite concerned about the Mac build, does anyone on here have access to a Mac for testing? > > On Thu, Sep 22, 2016 at 6:39 PM William Roberts <

Re: Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
On Thu, Sep 22, 2016 at 6:34 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > So I have been working the last couple of days to understand what it > would take to kill external/libselinux (the Android Fork) and fixup > upstream so most of the delta is in. The only thin

Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
: Patches that matter ( I don't know how to make pretty little git summaries): commit e017f48acd2791a6aa62b4ed0c0b44256b26651f Author: William Roberts <william.c.robe...@intel.com> Date: Wed Sep 21 16:06:37 2016 -0700 libselinux: add The Android fork files

Re: unlocked stdio

2016-09-21 Thread William Roberts
On Wed, Sep 21, 2016 at 2:48 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: >> >> On 09/21/2016 04:11 PM, William Roberts wrote: >> > On Sep 21, 2016 13:06, "

Re: unlocked stdio

2016-09-21 Thread William Roberts
On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/21/2016 04:11 PM, William Roberts wrote: > > On Sep 21, 2016 13:06, "Stephen Smalley" <s...@tycho.nsa.gov > > <mailto:s...@tycho.nsa.gov>> wrote: &g

Re: unlocked stdio

2016-09-21 Thread William Roberts
On Sep 21, 2016 13:06, "Stephen Smalley" wrote: > > On 09/21/2016 03:57 PM, Roberts, William C wrote: > > Correction, it’s just fgets_unlocked, it appears to support the others. > > Seems like a bug in bionic, but we can work around it by: > #ifdef ANDROID > #define

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread William Roberts
On Sep 19, 2016 22:25, "Jason Zaman" <ja...@perfinion.com> wrote: > > On 20 Sep 2016 12:50 pm, "William Roberts" <bill.c.robe...@gmail.com> wrote: > > > > On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote: >

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread William Roberts
On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote: > > On 20 Sep 2016 5:47 am, <william.c.robe...@intel.com> wrote: > > > > From: William Roberts <william.c.robe...@intel.com> > > > > THIS IS WIP... > > > > Rath

Re: Avc denied for isolated app

2016-09-20 Thread William Roberts
On Sep 19, 2016 22:28, "Inamdar Sharif" wrote: > > Hi, > > > > I am getting the following avc denied No, that would defeat the purpose of an isolated application. Isolated applications are sandboxed even away from their own on disk resources.

Re: [PATCH] Change semantic of -r in sefcontext_compile

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 11:44 AM, Janis Danisevskis wrote: > I don't really care much about the behavior of sefcontext_compile. I just > thought making the default behavior the safest would be the best option. > Before android is using it, I will have to sync the (now modified

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 8:04 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 16, 2016 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/16/2016 10:44 AM, William Roberts wrote: >>> On Fri, Sep 16, 2016 at 7:41 AM, William Roberts

Re: [PATCH] Change semantic of -r in sefcontext_compile

2016-09-16 Thread William Roberts
On Sep 16, 2016 08:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/16/2016 11:08 AM, William Roberts wrote: > > On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 09/16/2016 09:08 AM, Janis Danisevskis wrote:

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/16/2016 10:44 AM, William Roberts wrote: >> On Fri, Sep 16, 2016 at 7:41 AM, William Roberts >> <bill.c.robe...@gmail.com> wrote: >>> On Fri, Sep 16, 2016 at 7:38 AM, Stephe

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 7:41 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 16, 2016 at 7:38 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/16/2016 10:30 AM, Stephen Smalley wrote: >>> On 09/15/2016 07:13 PM, william.c.robe...@intel

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 7:38 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/16/2016 10:30 AM, Stephen Smalley wrote: >> On 09/15/2016 07:13 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts <william.c.robe...@intel.com> >>> >>

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 7:30 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/15/2016 07:13 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> patch 5e15a52aaa cleans up the process_file() but introduced &g

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Sep 16, 2016 07:06, "Jason Zaman" <ja...@perfinion.com> wrote: > > On Fri, Sep 16, 2016 at 06:51:25AM -0700, William Roberts wrote: > > On Fri, Sep 16, 2016 at 6:43 AM, William Roberts > > <bill.c.robe...@gmail.com> wrote: > > > On Fri, Sep 16,

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 6:43 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote: >> On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: >>> On Fri, Sep 16, 2016 at 6

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote: > On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: >> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com> wrote: >> > I don't mind. Then before sefcontext_com

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
surgery so I haven't been following this as well as I normally would have, If it's merged, just leave it. > > On Fri, Sep 16, 2016 at 1:35 PM William Roberts <bill.c.robe...@gmail.com> > wrote: >> >> >> > >> > >> > That's just th

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
> > > That's just the thing. Without -r the phone _will_ boot because the regexes > are compiled on first use. With -r and an arch mismatch we have an undefined > behavior, which is bad. That's just a limitation of the current design. > > See, I don't currently know what part of the

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 3:13 AM, Janis Danisevskis <jda...@google.com> wrote: > First of all, I would like to thank you, Stephen and William, for your > patience and support. > > On Thu, Sep 15, 2016 at 8:34 PM William Roberts <bill.c.robe...@gmail.com> > wrote: >>

Re: [PATCH v2] libselinux: correct error path to always try text

2016-09-15 Thread William Roberts
> + if (!rc) { > + rc = digest_add_specfile(digest, fp, NULL, > sb.st_size, found_path); > + } One more time... ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email

Re: [PATCH] libselinux: add support for pcre2

2016-09-15 Thread William Roberts
On Thu, Sep 15, 2016 at 7:57 AM, Stephen Smalley wrote: > On 09/15/2016 10:04 AM, Janis Danisevskis wrote: >> From: Janis Danisevskis >> >> This patch moves all pcre1/2 dependencies into the new files regex.h >> and regex.c implementing the common

Re: [PATCH v3] libselinux: clean up process file

2016-09-15 Thread William Roberts
I'll send that right up! On Thu, Sep 15, 2016 at 7:42 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/09/2016 02:27 PM, Stephen Smalley wrote: >> On 09/09/2016 01:44 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts <william.c.robe...@int

Re: [PATCH 1/2] libselinux: add support for pcre2

2016-09-07 Thread William Roberts
On Sep 7, 2016 11:29, "Jason Zaman" <ja...@perfinion.com> wrote: > > On Wed, Sep 07, 2016 at 09:40:43AM -0700, William Roberts wrote: > > On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > > > On 09/07/2016 04:08 AM,

Re: [PATCH 1/2] libselinux: add support for pcre2

2016-09-07 Thread William Roberts
On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley wrote: > On 09/07/2016 04:08 AM, Janis Danisevskis wrote: >> From: Janis Danisevskis >> >> This patch moves all pcre1/2 dependencies into the new files regex.h >> and regex.c implementing the common

Re: [PATCH 1/2] libselinux: add support for pcre2

2016-09-07 Thread William Roberts
On Wed, Sep 7, 2016 at 1:08 AM, Janis Danisevskis wrote: > From: Janis Danisevskis > > This patch moves all pcre1/2 dependencies into the new files regex.h > and regex.c implementing the common denominator of features needed > by libselinux. The compiler

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
Also, there are some memory leaks in there; run it under valgrind, e.g. valgrind --leak-check=full matchpathcon /etc >>> >>> OK I'll run that test. > > I can't reproduce: bad send... Can you send your valgrind output? Are you sure it's not there prior to my patch? The only heap alloc

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
On Tue, Sep 6, 2016 at 1:22 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/06/2016 04:06 PM, William Roberts wrote: >> On Sep 6, 2016 13:01, "Stephen Smalley" <s...@tycho.nsa.gov >> <mailto:s...@tycho.nsa.gov>> wrote: >>> >

Re: [PATCH 3/3] selinux: fix overflow and 0 length allocations

2016-08-29 Thread William Roberts
On Aug 29, 2016 16:56, "Paul Moore" <p...@paul-moore.com> wrote: > > On Tue, Aug 23, 2016 at 4:49 PM, <william.c.robe...@intel.com> wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > Throughout the SE Linux LSM, values tak

Re: [PATCH 2/2] libsepol: port str_read from kernel

2016-08-19 Thread William Roberts
On Aug 19, 2016 06:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 08/18/2016 04:54 PM, william.c.robe...@intel.com wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > Rather than duplicating the following sequence: > &g

Re: [PATCH] selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX

2016-08-18 Thread William Roberts
On Aug 18, 2016 17:07, "Paul Moore" <p...@paul-moore.com> wrote: > > On Mon, Aug 15, 2016 at 3:42 PM, <william.c.robe...@intel.com> wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > Remove the SECURITY_SELINUX_PO

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread William Roberts
>> Currently, in file-systems like reiserFS that support scalable xattrs, only >> VFS is the one limiting the size to 64k. Since there is no constant, and >> maybe one day this arbitrary VFS limit >> would be removed, I think we should check correctly here that we're >> allocating > 1 bytes, and

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread William Roberts
On Tue, Aug 16, 2016 at 8:11 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Aug 16, 2016 06:12, "James Carter" <jwca...@tycho.nsa.gov> wrote: > > > > On 08/15/2016 11:59 AM, william.c.robe...@intel.com wrote: > >> > >

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread William Roberts
On Aug 16, 2016 06:12, "James Carter" <jwca...@tycho.nsa.gov> wrote: > > On 08/15/2016 11:59 AM, william.c.robe...@intel.com wrote: >> >> From: William Roberts <william.c.robe...@intel.com> >> >> Throughout libsepol, values taken from sepoli
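The check that both the str_read port and the "overflow and 0 length allocations" series above keep coming back to is that a length read out of the policy image must be validated before it feeds an allocation. The C below is an added example for this page, written in the shape of the kernel's str_read helper that the libsepol patch ports, but it is my illustration and not the libsepol or kernel code: the struct policy_file, the little-endian length prefix and the four record byte strings are all constructed here. It rejects a zero length (never a valid string, and zero-byte allocations are exactly what the series above guards against), UINT32_MAX (len + 1 wraps to 0 on a 32-bit size_t, so malloc would succeed and the copy would overflow) and any length that runs past the end of the image, all before malloc is called.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cursor over an in-memory policy image (stand-in for a libsepol policy_file). */
struct policy_file {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Read a little-endian u32; 0 on success, -1 if fewer than 4 bytes remain. */
static int read_u32(struct policy_file *fp, uint32_t *out)
{
    if (fp->len - fp->pos < 4)
        return -1;
    *out = (uint32_t)fp->data[fp->pos] | (uint32_t)fp->data[fp->pos + 1] << 8 |
           (uint32_t)fp->data[fp->pos + 2] << 16 | (uint32_t)fp->data[fp->pos + 3] << 24;
    fp->pos += 4;
    return 0;
}

/* Read len bytes into a freshly allocated, NUL-terminated string.
 * Rejects len == 0, len == UINT32_MAX (len + 1 would wrap on 32-bit size_t)
 * and lengths beyond the remaining image, before any allocation happens. */
int str_read(char **strp, struct policy_file *fp, uint32_t len)
{
    char *str;
    if (len == 0 || len == UINT32_MAX)
        return -1;
    if ((size_t)len > fp->len - fp->pos)
        return -1;
    str = malloc((size_t)len + 1);
    if (!str)
        return -1;
    memcpy(str, fp->data + fp->pos, len);
    str[len] = '\0';
    fp->pos += len;
    *strp = str;
    return 0;
}

/* Decode one [u32 length][bytes] record. 0 and *out set on success, -1 otherwise. */
int read_string_record(const uint8_t *buf, size_t buflen, char **out)
{
    struct policy_file fp = { buf, buflen, 0 };
    uint32_t len;
    if (read_u32(&fp, &len))
        return -1;
    return str_read(out, &fp, len);
}

/* Status-only wrapper: the return code of read_string_record, string freed. */
int record_status(const uint8_t *buf, size_t buflen)
{
    char *s = NULL;
    int rc = read_string_record(buf, buflen, &s);
    free(s);
    return rc;
}

/* 1 if the record decodes to exactly the expected string, else 0. */
int record_equals(const uint8_t *buf, size_t buflen, const char *expect)
{
    char *s = NULL;
    int ok = read_string_record(buf, buflen, &s) == 0 && strcmp(s, expect) == 0;
    free(s);
    return ok;
}

/* Constructed records for this example (not taken from any real policy file). */
const uint8_t REC_GOOD[]  = { 4, 0, 0, 0, 'n', 'e', 't', 'd' };          /* valid */
const uint8_t REC_ZERO[]  = { 0, 0, 0, 0 };                              /* len 0 */
const uint8_t REC_WRAP[]  = { 0xff, 0xff, 0xff, 0xff, 'x' };             /* len + 1 wraps */
const uint8_t REC_SHORT[] = { 100, 0, 0, 0, 'n', 'e', 't', 'd' };        /* len > image */

int main(void)
{
    printf("good  -> %d\n", record_status(REC_GOOD, sizeof REC_GOOD));
    printf("zero  -> %d\n", record_status(REC_ZERO, sizeof REC_ZERO));
    printf("wrap  -> %d\n", record_status(REC_WRAP, sizeof REC_WRAP));
    printf("short -> %d\n", record_status(REC_SHORT, sizeof REC_SHORT));
    return 0;
}
```

The ordering matters: the zero and UINT32_MAX tests come before the remaining-bytes comparison, and all three come before malloc, so a hostile length never reaches size arithmetic. The remaining-bytes check is what the kernel cannot do for a streamed read and what a parser over an mmapped or fully buffered image can and should do.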

Re: Regarding enabling selinux on Android

2016-08-01 Thread William Roberts
On Aug 1, 2016 04:17, "Sameer Joshi" wrote: > > Hi All, > > We are trying to enable SELinux in kernel and have defined following options in the config file. > > CONFIG_SECURITY_SELINUX=y > CONFIG_SECURITY_SELINUX_BOOTPARAM=y > > Command line options for kernel have

Re: userdebug_or_eng rules stopped by neverallow?

2016-07-28 Thread William Roberts
On Jul 28, 2016 09:15, "peter enderborg" wrote: > > What is the point with that? You could always wrap the AOSP neverallows in userdebug or eng macros, and be OK with respect to CTS. However, doing so increases the delta between user builds and other variants,

Re: ioctlcmd=7704 denied on unix_stream_socket for surfaceflinger and system_server domain

2016-07-12 Thread William Roberts
On Jul 12, 2016 21:20, "Jeffrey Vander Stoep" wrote: > > Hi Yongqin, > > Looks like a process is indiscriminately calling ashmem_get_size_region() (ioctl number 7704=ASHMEM_GET_SIZE) on a unix socket. This is a bug and should not be allowed. The selinux denial is working as

Re: capable(CAP_SYS_MODULE) causes sys_module denial?

2016-07-07 Thread William Roberts
On Jul 7, 2016 1:13 PM, "YongQin Liu" wrote: > > Hi, ALL > > When I try AOSP master with the hikey board, I see following sys_module denial on netd domain. > >> avc: denied { sys_module } for pid=1775 comm="netd" capability=16 scontext=u:r:netd:s0 tcontext=u:r:netd:s0

Re: Any way to restrict root user to an application directory on runtime

2016-07-07 Thread William Roberts
On Jul 7, 2016 07:57, "Sameer Joshi" wrote: > > Hi All, > > I have a use-case where the root user access SELinux has no notion of Linux uids like root. So this question doesn't quite make sense. SELinux is a white list, so if you don't add permissions it won't be allowed.

Re: Regarding giving an app permission

2016-07-05 Thread William Roberts
On Jul 5, 2016 01:33, "Sameer Joshi" wrote: > > Hi, > > I want to provide an application downloaded from app store , permission to access a particular directory which is shared between the platform service started from init.rc and that app. > > I wanted to know how can I

Re: genfs contexts labelling issue for special character

2016-07-01 Thread William Roberts
On Jul 1, 2016 08:15, "Inamdar Sharif" wrote: > > Hi Guys, > > > > I have a node which is “abc,xyz” > > I want to label this node in genfs_contexts but getting syntax error > > > > But if I make the below change in external/selinux/checksepolicy/policy_scan.l it works fine. >

Re: About dac_override denial on logd

2016-06-20 Thread William Roberts
On Jun 20, 2016 07:51, "William Roberts" <bill.c.robe...@gmail.com> wrote: > > > On Jun 20, 2016 01:24, "YongQin Liu" <yongqin@linaro.org> wrote: > > > > Hi, William > > > > Sorry for late response, my laptop OS was crashed

Re: About dac_override denial on logd

2016-06-20 Thread William Roberts
On Jun 20, 2016 01:24, "YongQin Liu" <yongqin@linaro.org> wrote: > > Hi, William > > Sorry for late response, my laptop OS was crashed last Friday:( > > Thanks for your suggestion first, and some comments in line. > On 17 June 2016 at 07:50, William Rob

Re: Regarding issue in defining file in file_contexts

2016-06-02 Thread William Roberts
On Thu, Jun 2, 2016 at 6:35 AM, Sameer Joshi wrote: > Thanks Stephen. It was my mistake that I did not do mkdir for > eeprom_data_file correctly. > After fixing this, it worked fine. > I was using wrong user. cpnoui executes with user root and group system. > After

Re: load new policy via application, but this not work

2016-01-22 Thread William Roberts
On Fri, Jan 22, 2016 at 2:03 AM, 李孟樵 wrote: > HI, > ROM: I build aosp-6.0.1-r7 aosp_flo-userdebug > Devices: Nexus 7 II > Goal: I want to use my application executes the command "load_policy" in > this ROM. > > I have tried these steps as follows: > step 1.create an application

Re: avc denial while enabling zram

2016-01-19 Thread William Roberts
On Jan 19, 2016 12:20 PM, "Jeffrey Vander Stoep" <je...@google.com> wrote: > > Try adding notrim in your fstab. Trimming swap makes no sense. Does defaults include discard? I haven't looked. > > On Tue, Jan 19, 2016 at 9:31 AM William Roberts <bill.c.ro

Re: avc denial while enabling zram

2016-01-19 Thread William Roberts
aps right where Jeff suggested earlier. On Tue, Jan 19, 2016 at 12:41 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > > > On Tue, Jan 19, 2016 at 12:26 PM, William Roberts < > bill.c.robe...@gmail.com> wrote: > >> >> On Jan 19, 2016 12:20 PM, "Jeff
