Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread Stephen Smalley
On 09/29/2016 03:27 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 3:15 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley wrote:
>>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote:
>>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>>>>>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>>>>>>> From: William Roberts
>>>>>>>>
>>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>>
>>>>>>>> On Android, boolean symbols are needed for:
>>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>>
>>>>>>> Is this really worth doing?
>>>>>>
>>>>>> It's this or disabling that selinux via #define, which that source has
>>>>>> HAVE_LIBSELINUX.
>>>>>>
>>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>>> set HAVE_LIBSELINUX=1,
>>>>>> and you're getting link errors.
>>>>>
>>>>> Maybe I don't understand.  Obviously it builds today with
>>>>> external/libselinux without requiring this change.  Why do we need this
>>>>> now?
>>>>>
>>>>
>>>> Richard Haines was doing further testing, and was building a different
>>>> lunch target for the
>>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>>
>>> No, I mean that this is not required in external/libselinux (the Android
>>> fork) today.  So why is it needed here?  The Android fork builds
>>> src/booleans.c for the target.  It doesn't hurt anything to leave the
>>> code there.  The underlying kernel interface via selinuxfs still exists.
>>>  There just won't be any booleans in the policy.
>>>
>>
>> The target builds a modified booleans, if we use booleans as is, we start
>> down the config c file
>> rabbit hole...
>>
>> external/selinux/libselinux/src/booleans.c:100: error: undefined
>> reference to 'selinux_booleans_subs_path'
>> external/selinux/libselinux/src/booleans.c:388: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:529: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:545: error: undefined
>> reference to 'selinux_booleans_path'
>> clang++.real: error: linker command failed with exit code 1 (use -v to
>> see invocation)
>>
>> I can take a look at that and see how much of a PITA it would be to
>> pull that in.
> 
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'require_seusers'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'load_setlocaldefs'
> 
> fgets should be easy enough
> load_setlocaldefs is an exported integer value used in init_selinux_config()
> require_seusers is another exported int from seusers.c
> 
> I was figuring since we don't use any bools, to keep the size down,
> just stubbing dummies is the
> easiest route.
> 
> We could do something like STATIC_CONFIG and just stub in what things
> need and return the explicit paths.

Never mind, I'll take your original patch.


___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.


Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread Stephen Smalley
On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> Provide stubs to the public boolean API that always returns -1.
> 
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c

Thanks, applied.

> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/Makefile   |  4 +++
>  libselinux/src/booleans.c | 64 
> +++
>  2 files changed, 58 insertions(+), 10 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>  ANDROID_HOST ?= n
>  ifeq ($(ANDROID_HOST),y)
>   override DISABLE_SETRANS=y
> + override DISABLE_BOOL=y
>  endif
>  ifeq ($(DISABLE_RPM),y)
>   DISABLE_FLAGS+= -DDISABLE_RPM
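Review bot: In the `ifeq ($(ANDROID_HOST),y)` block, `override DISABLE_BOOL=y` introduces a build switch that gets no `DISABLE_BOOL ?= n` default and no comment anywhere in the Makefile changes, unlike `DISABLE_RPM ?= y` and `ANDROID_HOST ?= n` just above it. Suggest declaring the default next to those and documenting that the switch replaces the boolean API with stubs that always fail, so anyone setting DISABLE_BOOL=y outside an Android host build knows what they are getting.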
> @@ -12,6 +13,9 @@ endif
>  ifeq ($(DISABLE_SETRANS),y)
>   DISABLE_FLAGS+= -DDISABLE_SETRANS
>  endif
> +ifeq ($(DISABLE_BOOL),y)
> + DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>  
>  USE_PCRE2 ?= n
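Review bot: The `export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST` line is left unchanged, so DISABLE_BOOL is the one switch in this block that is not exported by name; sub-makes only see it as `-DDISABLE_BOOL` inside DISABLE_FLAGS. If that is intended, a short comment would help; otherwise add DISABLE_BOOL to the export list so it is handled the same way as DISABLE_SETRANS.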
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>  
>  #define SELINUX_BOOL_DIR "/booleans/"
>  
> +#ifndef DISABLE_BOOL
> +
>  static int filename_select(const struct dirent *d)
>  {
>   if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>   goto out;
>  }
>  
> -hidden_def(security_get_boolean_names)
> -
>  char *selinux_boolean_sub(const char *name)
>  {
>   char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
>   return sub;
>  }
>  
> -hidden_def(selinux_boolean_sub)
> -
>  static int bool_open(const char *name, int flag) {
>   char *fname = NULL;
>   char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>   return val;
>  }
>  
> -hidden_def(security_get_boolean_active)
> -
>  int security_set_boolean(const char *name, int value)
>  {
>   int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>   return -1;
>  }
>  
> -hidden_def(security_set_boolean)
> -
>  int security_commit_booleans(void)
>  {
>   int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>   return -1;
>  }
>  
> -hidden_def(security_commit_booleans)
> -
>  static char *strtrim(char *dest, char *source, int size)
>  {
>   int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>   errno = EINVAL;
>   return errors ? -1 : 0;
>  }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> + SELboolean * boollist __attribute__((unused)),
> + int permanent __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> + int *len __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> + int value __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> + return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> + return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
> 
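Review bot: The stubs in the `#else` branch return -1 (or NULL) without setting errno, while the real `security_load_booleans()` in the context lines sets `errno = EINVAL` before it fails. A caller that reports the failure through errno will print whatever stale value is left there, so suggest setting errno in each stub (for example to ENOTSUP). The `security_get_boolean_names` stub also leaves `*names` and `*len` unwritten, which is worth a one-line comment so callers know they must check the return value before touching either.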



Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 3:15 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley wrote:
>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote:
>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>>>>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>>>>>> From: William Roberts
>>>>>>>
>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>
>>>>>>> On Android, boolean symbols are needed for:
>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>
>>>>>> Is this really worth doing?
>>>>>
>>>>> It's this or disabling that selinux via #define, which that source has
>>>>> HAVE_LIBSELINUX.
>>>>>
>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>> set HAVE_LIBSELINUX=1,
>>>>> and you're getting link errors.
>>>>
>>>> Maybe I don't understand.  Obviously it builds today with
>>>> external/libselinux without requiring this change.  Why do we need this
>>>> now?
>>>>
>>>
>>> Richard Haines was doing further testing, and was building a different
>>> lunch target for the
>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>
>> No, I mean that this is not required in external/libselinux (the Android
>> fork) today.  So why is it needed here?  The Android fork builds
>> src/booleans.c for the target.  It doesn't hurt anything to leave the
>> code there.  The underlying kernel interface via selinuxfs still exists.
>>  There just won't be any booleans in the policy.
>>
>
> The target builds a modified booleans, if we use booleans as is, we start
> down the config c file
> rabbit hole...
>
> external/selinux/libselinux/src/booleans.c:100: error: undefined
> reference to 'selinux_booleans_subs_path'
> external/selinux/libselinux/src/booleans.c:388: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:529: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:545: error: undefined
> reference to 'selinux_booleans_path'
> clang++.real: error: linker command failed with exit code 1 (use -v to
> see invocation)
>
> I can take a look at that and see how much of a PITA it would be to
> pull that in.

external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'require_seusers'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'load_setlocaldefs'

fgets should be easy enough
load_setlocaldefs is an exported integer value used in init_selinux_config()
require_seusers is another exported int from seusers.c

I was figuring since we don't use any bools, to keep the size down,
just stubbing dummies is the
easiest route.

We could do something like STATIC_CONFIG and just stub in what things
need and return the explicit paths.

-- 
Respectfully,

William C Roberts


Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley wrote:
> On 09/29/2016 02:46 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote:
>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>>>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>>>>> From: William Roberts
>>>>>>
>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>
>>>>>> On Android, boolean symbols are needed for:
>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>
>>>>> Is this really worth doing?
>>>>
>>>> It's this or disabling that selinux via #define, which that source has
>>>> HAVE_LIBSELINUX.
>>>>
>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>> set HAVE_LIBSELINUX=1,
>>>> and you're getting link errors.
>>>
>>> Maybe I don't understand.  Obviously it builds today with
>>> external/libselinux without requiring this change.  Why do we need this now?
>>>
>>
>> Richard Haines was doing further testing, and was building a different
>> lunch target for the
>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>
> No, I mean that this is not required in external/libselinux (the Android
> fork) today.  So why is it needed here?  The Android fork builds
> src/booleans.c for the target.  It doesn't hurt anything to leave the
> code there.  The underlying kernel interface via selinuxfs still exists.
>  There just won't be any booleans in the policy.
>

The target builds a modified booleans, if we use booleans as is, we start
down the config c file
rabbit hole...

external/selinux/libselinux/src/booleans.c:100: error: undefined
reference to 'selinux_booleans_subs_path'
external/selinux/libselinux/src/booleans.c:388: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:529: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:545: error: undefined
reference to 'selinux_booleans_path'
clang++.real: error: linker command failed with exit code 1 (use -v to
see invocation)

I can take a look at that and see how much of a PITA it would be to
pull that in.


Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote:
> On 09/29/2016 02:15 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>>> From: William Roberts
>>>>
>>>> Provide stubs to the public boolean API that always returns -1.
>>>>
>>>> On Android, boolean symbols are needed for:
>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>
>>> Is this really worth doing?
>>
>> It's this or disabling that selinux via #define, which that source has
>> HAVE_LIBSELINUX.
>>
>> But it would seem confusing IMHO to have a libselinux.so, so one would
>> set HAVE_LIBSELINUX=1,
>> and you're getting link errors.
>
> Maybe I don't understand.  Obviously it builds today with
> external/libselinux without requiring this change.  Why do we need this now?
>

Richard Haines was doing further testing, and was building a different
lunch target for the
arm emulator and hit this issue. I have only tested x86_64 emulator.


Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread Stephen Smalley
On 09/29/2016 02:46 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote:
>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>>>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>>>> From: William Roberts
>>>>>
>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>
>>>>> On Android, boolean symbols are needed for:
>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>
>>>> Is this really worth doing?
>>>
>>> It's this or disabling that selinux via #define, which that source has
>>> HAVE_LIBSELINUX.
>>>
>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>> set HAVE_LIBSELINUX=1,
>>> and you're getting link errors.
>>
>> Maybe I don't understand.  Obviously it builds today with
>> external/libselinux without requiring this change.  Why do we need this now?
>>
> 
> Richard Haines was doing further testing, and was building a different
> lunch target for the
> arm emulator and hit this issue. I have only tested x86_64 emulator.

No, I mean that this is not required in external/libselinux (the Android
fork) today.  So why is it needed here?  The Android fork builds
src/booleans.c for the target.  It doesn't hurt anything to leave the
code there.  The underlying kernel interface via selinuxfs still exists.
 There just won't be any booleans in the policy.




Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread Stephen Smalley
On 09/29/2016 02:15 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>>> From: William Roberts 
>>>
>>> Provide stubs to the public boolean API that always returns -1.
>>>
>>> On Android, boolean symbols are needed for:
>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>
>> Is this really worth doing?
> 
> It's this or disabling that selinux via #define, which that source has
> HAVE_LIBSELINUX.
> 
> But it would seem confusing IMHO to have a libselinux.so, so one would
> set HAVE_LIBSELINUX=1,
> and you're getting link errors.

Maybe I don't understand.  Obviously it builds today with
external/libselinux without requiring this change.  Why do we need this now?




Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote:
> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
>> From: William Roberts 
>>
>> Provide stubs to the public boolean API that always returns -1.
>>
>> On Android, boolean symbols are needed for:
>> external/ltrace/sysdeps/linux-gnu/trace.c
>
> Is this really worth doing?

It's this or disabling that selinux via #define, which that source has
HAVE_LIBSELINUX.

But it would seem confusing IMHO to have a libselinux.so, so one would
set HAVE_LIBSELINUX=1,
and you're getting link errors.

Seems to be yet-another red-hat contribution from a long time ago:

commit cec06ec8282c538a40bde968ae36fe8356daffaa
Author: Petr Machata 
Date:   Tue Apr 10 13:31:55 2012 +0200

Warn when we fail to trace and SELinux boolean deny_ptrace is in effect

diff --git a/ChangeLog b/ChangeLog
index c095263..6107a12 100644

>
>>
>> Signed-off-by: William Roberts 
>> ---
>>  libselinux/Makefile   |  4 +++
>>  libselinux/src/booleans.c | 64 
>> +++
>>  2 files changed, 58 insertions(+), 10 deletions(-)
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index f607115..b5f32bb 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>>  ANDROID_HOST ?= n
>>  ifeq ($(ANDROID_HOST),y)
>>   override DISABLE_SETRANS=y
>> + override DISABLE_BOOL=y
>>  endif
>>  ifeq ($(DISABLE_RPM),y)
>>   DISABLE_FLAGS+= -DDISABLE_RPM
>> @@ -12,6 +13,9 @@ endif
>>  ifeq ($(DISABLE_SETRANS),y)
>>   DISABLE_FLAGS+= -DDISABLE_SETRANS
>>  endif
>> +ifeq ($(DISABLE_BOOL),y)
>> + DISABLE_FLAGS+= -DDISABLE_BOOL
>> +endif
>>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>>
>>  USE_PCRE2 ?= n
>> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
>> index c438af1..cbb0610 100644
>> --- a/libselinux/src/booleans.c
>> +++ b/libselinux/src/booleans.c
>> @@ -25,6 +25,8 @@
>>
>>  #define SELINUX_BOOL_DIR "/booleans/"
>>
>> +#ifndef DISABLE_BOOL
>> +
>>  static int filename_select(const struct dirent *d)
>>  {
>>   if (d->d_name[0] == '.'
>> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>>   goto out;
>>  }
>>
>> -hidden_def(security_get_boolean_names)
>> -
>>  char *selinux_boolean_sub(const char *name)
>>  {
>>   char *sub = NULL;
>> @@ -141,8 +141,6 @@ out:
>>   return sub;
>>  }
>>
>> -hidden_def(selinux_boolean_sub)
>> -
>>  static int bool_open(const char *name, int flag) {
>>   char *fname = NULL;
>>   char *alt_name = NULL;
>> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>>   return val;
>>  }
>>
>> -hidden_def(security_get_boolean_active)
>> -
>>  int security_set_boolean(const char *name, int value)
>>  {
>>   int fd, ret;
>> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>>   return -1;
>>  }
>>
>> -hidden_def(security_set_boolean)
>> -
>>  int security_commit_booleans(void)
>>  {
>>   int fd, ret;
>> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>>   return -1;
>>  }
>>
>> -hidden_def(security_commit_booleans)
>> -
>>  static char *strtrim(char *dest, char *source, int size)
>>  {
>>   int i = 0;
>> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>>   errno = EINVAL;
>>   return errors ? -1 : 0;
>>  }
>> +
>> +#else
>> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
>> + SELboolean * boollist __attribute__((unused)),
>> + int permanent __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_load_booleans(char *path __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_names(char ***names __attribute__((unused)),
>> + int *len __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_pending(const char *name __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_active(const char *name __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_set_boolean(const char *name __attribute__((unused)),
>> + int value __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_commit_booleans(void)
>> +{
>> + return -1;
>> +}
>> +
>> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
>> +{
>> + return NULL;
>> +}
>> +#endif
>> +
>> +hidden_def(security_get_boolean_names)
>> +hidden_def(selinux_boolean_sub)
>> +hidden_def(security_get_boolean_active)
>> +hidden_def(security_set_boolean)
>> +hidden_def(security_commit_booleans)
>>
>
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to 
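
The message above ties the stubs (which always return -1) to ltrace's deny_ptrace warning; because -1 is non-zero in C, a caller that truth-tests the result reads a stubbed build as "boolean on". This is an added example, not code from libselinux, ltrace or the thread: `disabled_getter`, `policy_getter`, `checked_state` and the in-memory policy table are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The three outcomes a caller has to keep apart. */
enum bool_state { BOOL_UNKNOWN = -1, BOOL_OFF = 0, BOOL_ON = 1 };

/* Same shape as security_get_boolean_active(): 1, 0, or -1 on failure. */
typedef int (*bool_getter)(const char *name);

/* Stand-in for a DISABLE_BOOL build: returns what the patch's stub returns. */
static int disabled_getter(const char *name)
{
	(void)name;
	return -1;
}

/* Constructed stand-in for a build with booleans: a tiny in-memory policy. */
struct fake_bool { const char *name; int active; };
static const struct fake_bool fake_policy[] = {
	{ "deny_ptrace", 1 },
	{ "sample_bool", 0 },
};

static int policy_getter(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(fake_policy) / sizeof(fake_policy[0]); i++)
		if (strcmp(fake_policy[i].name, name) == 0)
			return fake_policy[i].active;
	return -1; /* no such boolean in the policy */
}

/* Fragile: any non-zero return, including the stub's -1, counts as "on". */
static int naive_is_on(bool_getter get, const char *name)
{
	return get(name) ? 1 : 0;
}

/* Robust: only 1 means on, only 0 means off, anything else is unknown. */
static enum bool_state checked_state(bool_getter get, const char *name)
{
	int rc = get(name);

	if (rc == 1)
		return BOOL_ON;
	if (rc == 0)
		return BOOL_OFF;
	return BOOL_UNKNOWN;
}

/* Decide whether a "tracing failed, deny_ptrace is on" hint is justified. */
static int should_warn_deny_ptrace(bool_getter get)
{
	return checked_state(get, "deny_ptrace") == BOOL_ON;
}

int main(void)
{
	printf("stubbed build, naive check:   on=%d\n",
	       naive_is_on(disabled_getter, "deny_ptrace"));
	printf("stubbed build, checked state: %d\n",
	       checked_state(disabled_getter, "deny_ptrace"));
	printf("stubbed build, warn:          %d\n",
	       should_warn_deny_ptrace(disabled_getter));
	printf("policy build, warn:           %d\n",
	       should_warn_deny_ptrace(policy_getter));
	return 0;
}
```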

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread Stephen Smalley
On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> Provide stubs to the public boolean API that always returns -1.
> 
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c

Is this really worth doing?

> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/Makefile   |  4 +++
>  libselinux/src/booleans.c | 64 
> +++
>  2 files changed, 58 insertions(+), 10 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>  ANDROID_HOST ?= n
>  ifeq ($(ANDROID_HOST),y)
>   override DISABLE_SETRANS=y
> + override DISABLE_BOOL=y
>  endif
>  ifeq ($(DISABLE_RPM),y)
>   DISABLE_FLAGS+= -DDISABLE_RPM
> @@ -12,6 +13,9 @@ endif
>  ifeq ($(DISABLE_SETRANS),y)
>   DISABLE_FLAGS+= -DDISABLE_SETRANS
>  endif
> +ifeq ($(DISABLE_BOOL),y)
> + DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>  
>  USE_PCRE2 ?= n
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>  
>  #define SELINUX_BOOL_DIR "/booleans/"
>  
> +#ifndef DISABLE_BOOL
> +
>  static int filename_select(const struct dirent *d)
>  {
>   if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>   goto out;
>  }
>  
> -hidden_def(security_get_boolean_names)
> -
>  char *selinux_boolean_sub(const char *name)
>  {
>   char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
>   return sub;
>  }
>  
> -hidden_def(selinux_boolean_sub)
> -
>  static int bool_open(const char *name, int flag) {
>   char *fname = NULL;
>   char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>   return val;
>  }
>  
> -hidden_def(security_get_boolean_active)
> -
>  int security_set_boolean(const char *name, int value)
>  {
>   int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>   return -1;
>  }
>  
> -hidden_def(security_set_boolean)
> -
>  int security_commit_booleans(void)
>  {
>   int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>   return -1;
>  }
>  
> -hidden_def(security_commit_booleans)
> -
>  static char *strtrim(char *dest, char *source, int size)
>  {
>   int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>   errno = EINVAL;
>   return errors ? -1 : 0;
>  }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> + SELboolean * boollist __attribute__((unused)),
> + int permanent __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> + int *len __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> + int value __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> + return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> + return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
> 
