Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 8:43 AM, Sebastien Buisson <sbuisson@gmail.com> wrote: > 2017-05-17 17:34 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>: >>>>>> Is there a particular reason to not just return policybrief_len here as >>>>>>

Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 8:24 AM, Sebastien Buisson <sbuisson@gmail.com> wrote: > 2017-05-17 17:09 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>: >> On Wed, May 17, 2017 at 7:59 AM, Sebastien Buisson >> <sbuisson@gmail.com> wrote: >>> 201

Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 7:59 AM, Sebastien Buisson wrote: > 2017-05-16 22:40 GMT+02:00 Stephen Smalley : >>> + strcpy(*brief, policydb.policybrief); >>> + /* *len is the length of the output string */ >>> + *len = policybrief_len - 1; >> >>

Re: [PATCH v3 1/2] selinux: add brief info to policydb

2017-05-12 Thread William Roberts
On Fri, May 12, 2017 at 3:22 PM, Paul Moore wrote: > > On Thu, May 11, 2017 at 4:45 PM, Casey Schaufler > wrote: > > On 5/11/2017 1:22 PM, Stephen Smalley wrote: > >> On Thu, 2017-05-11 at 08:56 -0700, Casey Schaufler wrote: > >>> On 5/11/2017 5:59

Re: [PATCH v3 1/2] selinux: add brief info to policydb

2017-05-12 Thread William Roberts
On Fri, May 12, 2017 at 3:22 PM, Paul Moore wrote: > On Thu, May 11, 2017 at 4:45 PM, Casey Schaufler > wrote: > > On 5/11/2017 1:22 PM, Stephen Smalley wrote: > >> On Thu, 2017-05-11 at 08:56 -0700, Casey Schaufler wrote: > >>> On 5/11/2017 5:59 AM,

Re: [PATCH] procattr.c: Use __BIONIC__ instead of __ANDROID__

2017-05-12 Thread William Roberts
On Fri, May 12, 2017 at 11:01 AM, Tom Cherry wrote: > On Fri, May 12, 2017 at 6:22 AM, Stephen Smalley > wrote: > > On Thu, 2017-05-11 at 16:50 -0700, Tom Cherry via Selinux wrote: > >> This check is not specific to Android devices. If libselinux were >

Re: Possible use after free in selabel_subs_init

2017-05-12 Thread William Roberts
On Fri, May 12, 2017 at 1:26 PM, Nicolas Iooss wrote: > Hi, > > Currently libselinux/src/label.c defines selabel_subs_init() like this [1]: > > struct selabel_sub *selabel_subs_init(/* ... */) > { > /* ... */ > while (fgets_unlocked(buf, sizeof(buf)

Re: [PATCH] procattr.c: Use __BIONIC__ instead of __ANDROID__

2017-05-11 Thread William Roberts
On Thursday, May 11, 2017, Tom Cherry via Selinux wrote: > This check is not specific to Android devices. If libselinux were used > with Bionic on a normal Linux system this check would still be needed. > > Signed-off-by: Tom Cherry > >

Re: [PATCH] libselinux: Fix CFLAGS definition

2017-05-09 Thread William Roberts
On Tue, May 9, 2017 at 7:54 AM, Stephen Smalley wrote: > commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: > support ANDROID_HOST=1 on Mac") split up warning flags in > CFLAGS based on compiler support in a manner that could lead to > including a subset that is

Re: MLS directory label inheritance rules

2017-04-07 Thread William Roberts
On Apr 7, 2017 13:16, "Dennis Sherrell" wrote: In a thread ending with Nick Kravelich's contact information, it was written: " If you write top secret data it should stay top secret even if you're writing to a folder that is normally reserved for secret data, or

Re: add CONFIG_SECURITY_SELINUX_LOAD_ONCE

2017-04-07 Thread William Roberts
sed, the selinux policy is your least concern. Under treble it ends up in different DM verity protected images. I looked at the other site and decided it was looking at the technical problem and not the policy problem at all. On Fri, Apr 7, 2017 at 11:23 AM, William Roberts <bill.c.robe.

Re: MLS directory label inheritance rules

2017-04-07 Thread William Roberts
On Apr 7, 2017 11:41, "Nick Kralevich" wrote: When a file is created in a directory, the default label for the file is based on the label of the enclosing directory (unless something like setfscreatecon is used). For example: bullhead:/ # cd /data/misc/zoneinfo/

Re: add CONFIG_SECURITY_SELINUX_LOAD_ONCE

2017-04-07 Thread William Roberts
On Fri, Apr 7, 2017 at 11:02 AM, Tom Jones wrote: > I like that, but I wonder at its scope. Would an update to the OS be > allowed to update the policy? For example, Microsoft ships updates to the > Windows O/S 2 times (at least) per month. Would that type of update

Re: Running Java and JVM on SELinux

2017-04-03 Thread William Roberts
On Apr 3, 2017 21:35, "Rahmadi Trimananda" wrote: Umm, how's the easiest way to permit that one? Do I need to create a local policy or can I just use a command line? Sorry I am really a newbie. :) That would be a command, but the logs you provided should be enough. I am

Re: Running Java and JVM on SELinux

2017-04-03 Thread William Roberts
On Apr 3, 2017 19:57, "William Roberts" <bill.c.robe...@gmail.com> wrote: On Apr 3, 2017 19:35, "Rahmadi Trimananda" <rtrim...@uci.edu> wrote: I have more error messages from /var/log/audit/audit.log if this is of any use for you. And yeah, it works in permissi

Re: Running Java and JVM on SELinux

2017-04-03 Thread William Roberts
:1274): auid=1001 uid=1001 gid=1001 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2190 comm="javac" exe="/usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/bin javac" sig=11 That's what we're looking for. Looks like MLS issues, but I'd let some

Re: Running Java and JVM on SELinux

2017-04-03 Thread William Roberts
ate.lock" dev="tmpfs" ino=1816 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 I don't see anything that would prevent running javac offhand, perhaps others more versed in the desktop side can help tomorrow morning. Ma

Re: Running Java and JVM on SELinux

2017-04-03 Thread William Roberts
Do you see any "avc: denied" messages in dmesg/syslog? If so send them. On Apr 3, 2017 16:28, "Rahmadi Trimananda" wrote: > Hi All, > > I am trying to run javac and java on my Raspbian while SELinux is enabled. > However, I keep getting "Segmentation fault", even when I just

Re: [PATCH 3/6] libsemanage: never call memcpy with a NULL value

2017-02-27 Thread William Roberts
On Feb 27, 2017 2:16 PM, "William Roberts" <bill.c.robe...@gmail.com> wrote: On Feb 27, 2017 12:42, "Nicolas Iooss" <nicolas.io...@m4x.org> wrote: clang's static analyzer reports "Argument with 'nonnull' attribute passed null" in append_str(),

Re: [PATCH 3/6] libsemanage: never call memcpy with a NULL value

2017-02-27 Thread William Roberts
On Feb 27, 2017 12:42, "Nicolas Iooss" wrote: clang's static analyzer reports "Argument with 'nonnull' attribute passed null" in append_str(), because argument t may be NULL but is used in a call to memcpy(). Make append_str() do nothing when called with t=NULL.

Re: [PATCH] libselinux: allow link with -lfts

2017-02-21 Thread William Roberts
On Tue, Feb 21, 2017 at 10:58 AM, Natanael Copa wrote: > This makes it possible to build libselinux with the external libtfs for > systems which do not implement the non-standard fts. For example musl > libc. > > make FTS_LDFLAGS=-lfts The way this was done before for

Re: [PATCH 1/1] libsepol: make capability index an unsigned int

2017-01-04 Thread William Roberts
On Wed, Jan 4, 2017 at 2:02 PM, Nicolas Iooss wrote: > When sepol_polcap_getname() is called with a negative capnum, it > dereferences polcap_names[capnum] which produces a segmentation fault > most of the time. > > For information, here is a gdb session when hll/pp loads a

Re: [PATCH] libselinux: add O_CLOEXEC

2016-12-12 Thread William Roberts
On Mon, Dec 12, 2016 at 1:19 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Mon, Dec 12, 2016 at 12:16 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 12/11/2016 07:25 PM, William Roberts wrote: >>> I'll test it tomorrow on Mac OS for you if yo

Re: [PATCH] libselinux: add O_CLOEXEC

2016-12-12 Thread William Roberts
On Mon, Dec 12, 2016 at 12:16 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 12/11/2016 07:25 PM, William Roberts wrote: >> I'll test it tomorrow on Mac OS for you if you want? > > It would be good if someone were to test it on MacOS, particularly > whichever versi

Re: [PATCH] libselinux: add O_CLOEXEC

2016-12-11 Thread William Roberts
I'll test it tomorrow on Mac OS for you if you want? On Dec 11, 2016 3:22 PM, "Nick Kralevich" <n...@google.com> wrote: > I don't know. I didn't test this change on a Mac. > > -- Nick > > On Sun, Dec 11, 2016 at 1:39 PM, William Roberts <bill.c.robe...@gma

Re: [PATCH] libselinux: add O_CLOEXEC

2016-12-11 Thread William Roberts
Do you know if "re" poses any Mac issues? I would assume not, but I've never checked. On Dec 11, 2016 09:32, "Nick Kralevich" wrote: Makes libselinux safer and less likely to leak file descriptors when used as part of a multithreaded program. Signed-off-by: Nick Kralevich

Re: [PATCH v2 2/2] expand_avrule_helper: cleanup

2016-11-17 Thread William Roberts
016 10:46 AM, William Roberts wrote: >> I'll submit a patch for expand_terule_helper() as well, do we want to >> retain the assert(0); property on the 2 if/else if/else clauses? Do we >> just want to assume that specified is OK since it has never hit the >> assert? Do we want

Re: [PATCH v2 2/2] expand_avrule_helper: cleanup

2016-11-17 Thread William Roberts
On Thu, Nov 17, 2016 at 5:36 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/16/2016 04:47 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> General clean up for expand_avrule_helper: >> 1. Minimize

Re: [PATCH 2/2] expand_avrule_helper: cleanup

2016-11-16 Thread William Roberts
On Wed, Nov 16, 2016 at 12:57 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/16/2016 03:37 PM, William Roberts wrote: >> On Wed, Nov 16, 2016 at 11:50 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 11/16/2016 02:32 PM, William Roberts wrote: >&g

Re: [PATCH 2/2] expand_avrule_helper: cleanup

2016-11-16 Thread William Roberts
On Wed, Nov 16, 2016 at 11:48 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/16/2016 02:46 PM, Stephen Smalley wrote: >> On 11/16/2016 02:12 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts <william.c.robe...@intel.com> >>> >&g

Re: [PATCH 2/2] expand_avrule_helper: cleanup

2016-11-16 Thread William Roberts
On Wed, Nov 16, 2016 at 11:50 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/16/2016 02:32 PM, William Roberts wrote: >> sediff reports no delta between policies built on master and these 2 patches. > > Not possible. checkpolicy segfaults with these patches. >

Re: [PATCH 2/2] expand_avrule_helper: cleanup

2016-11-16 Thread William Roberts
sediff reports no delta between policies built on master and these 2 patches. On Wed, Nov 16, 2016 at 11:12 AM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > General clean up for expand_avrule_helper: > 1. Stop convert

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-16 Thread William Roberts
On Wed, Nov 16, 2016 at 5:54 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/15/2016 07:42 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> The combining logic for dontaudit rules was wrong, cau

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 4:43 PM, <william.c.robe...@intel.com> wrote: > > From: William Roberts <william.c.robe...@intel.com> > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule.

Re: [PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> memset(, 0, sizeof avdatum); > + /* > +* AUDITDENY and DONTAUDIT are &= assigned, versus |= for > +* others. Initialize the data accordingly. > +*/ > + avdatum.data = (key->specified & > +
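Review bot: as displayed, the quoted `memset(, 0, sizeof avdatum);` call is missing its destination argument, so the hunk as shown here does not compile; the line should name the object being zeroed. The added comment gives the right rationale: since AUDITDENY and DONTAUDIT datums are combined with `&=` while the others use `|=`, a zero-filled `avdatum.data` would stay zero under `&=`, so the `avdatum.data = (key->specified & ...` initializer that follows must set the bits for those kinds before any combining happens; the expression is cut off in this view, so that should be confirmed against the full patch.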

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Tue, Nov 15, 2016 at 3:21 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Tue, Nov 15, 2016 at 1:53 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 11/15/2016 04:42 PM, william.c.robe...@intel.com wrote: >>> From: William Robert

Re: [PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Tue, Nov 15, 2016 at 1:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/15/2016 04:06 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> The combining logic for dontaudit rules was wrong, cau

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > > rule. > > > > This is a reimplementation of 6201bb5e2 that avoids the cumbersome > > pointer assignments on alloced. > > > > Reported-by: Nick Kralevich <n...@google.com> > >

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
too. > > -- Nick > > On Tue, Nov 15, 2016 at 9:10 AM, William Roberts > <bill.c.robe...@gmail.com> wrote: > > For bit setting in constant time, one could always clear the bit(s) and or > > in what you want. I think that logic might be applicable here. I could take >

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
For bit setting in constant time, one could always clear the bit(s) and or in what you want. I think that logic might be applicable here. I could take a stab at looking at it today, if no one has anything better by tomorrow we'll just merge yours as is. Does that sound reasonable? On Nov 15, 2016

Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh

2016-11-14 Thread William Roberts
provides much value. > > Nicolas > > [1] > https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/selinuxswig_python.i#L11 > [2] http://www.swig.org/Doc3.0/SWIGDocumentation.html > > > On Mon, Nov 14, 2016 at 11:15 PM, William Roberts <bill.c.robe...@gmail.com

Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh

2016-11-14 Thread William Roberts
For a more long term solution, why not just give swig a header file (you can ifdef on SWIG for anything to omit), or write the interface file by hand. I ended up using a hybrid approach for one of my projects (the build system is a mess):

Re: [PATCH 1/1 V2] mqueue: Implment generic xattr support

2016-11-09 Thread William Roberts
On Nov 9, 2016 08:33, "David Graziano" wrote: > > On Mon, Nov 7, 2016 at 4:23 PM, Paul Moore wrote: > > On Mon, Nov 7, 2016 at 3:46 PM, David Graziano > > wrote: > >> This patch adds support for generic

Re: [PATCH 1/1] libselinux, libsemanage: remove *swig_python_exception.i if its creation failed

2016-11-08 Thread William Roberts
On Mon, Nov 7, 2016 at 2:07 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: > On 07/11/16 22:19, William Roberts wrote: >> On Nov 7, 2016 13:03, "Stephen Smalley" <s...@tycho.nsa.gov >> <mailto:s...@tycho.nsa.gov>> wrote: >>> >>> On 1

Re: [PATCH 1/1] libselinux, libsemanage: remove *swig_python_exception.i if its creation failed

2016-11-07 Thread William Roberts
On Nov 7, 2016 13:03, "Stephen Smalley" wrote: > > On 11/05/2016 05:24 PM, Nicolas Iooss wrote: > > When compiling libselinux with CC=clang, "make pywrap" reports the > > following message: > > > > bash exception.sh > selinuxswig_python_exception.i > > clang-3.9:

Re: [PATCH] libselinux: avc_internal.c: allow building with clang

2016-11-01 Thread William Roberts
On Tue, Nov 1, 2016 at 2:23 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > We're gonna cross, I just sent this out as well, as well as noreturn > fixes for utils. > Never mind, a gitfoo mistake ended up in my favor of ditching my version of this and rebasing on top of

Re: [PATCH] libselinux: fix compiler flags for linux + clang

2016-11-01 Thread William Roberts
On Tue, Nov 1, 2016 at 1:59 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 11/01/2016 04:54 PM, William Roberts wrote: >> On Tue, Nov 1, 2016 at 1:55 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 11/01/2016 04:32 PM, William Roberts wrote: >&

Re: [PATCH] libselinux: fix compiler flags for linux + clang

2016-11-01 Thread William Roberts
Nicolas, Let us know if this works for you, I am unable to test it at the moment on Linux. I did test this on Mac, it's OK. On Tue, Nov 1, 2016 at 1:23 PM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > As reported by Nic

Re: [PATCH 6/8] libselinux: support ANDROID_HOST=1 on Mac

2016-11-01 Thread William Roberts
is bigger than a nlmsghdr... I'll send a test patch out in bit. On Tue, Nov 1, 2016 at 12:48 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Tue, Nov 1, 2016 at 11:06 AM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: >> Hello, >> >> After this commit, lib

Re: [PATCH 6/8] libselinux: support ANDROID_HOST=1 on Mac

2016-11-01 Thread William Roberts
> to put the lines which add these two options to the compiler command > lines into a "ifeq ($(OS), Darwin)" block, if they are indeed targeted > to MacOS? I'll look into this, likely needs to be Darwin and clang > > Thanks, > Nicolas > > On 17/10/16

Re: [PATCH 1/1] policycoreutils: semodule_package: do not fail with an empty fc file

2016-10-30 Thread William Roberts
Ack on this, I've had similar issues in Android that I patched up in the Android specific tooling. On Oct 30, 2016 14:28, "Nicolas Iooss" wrote: > When running sepolgen tests on a Linux 4.7 kernel, one test fails with > the following message: > >

Re: speeding up nodups_specs, need large fc file.

2016-10-14 Thread William Roberts
On Fri, Oct 14, 2016 at 10:32 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 10/14/2016 10:15 AM, William Roberts wrote: >> Is it to be expected that checkfc would actually fail on refpolicy? >> >> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_

Re: speeding up nodups_specs, need large fc file.

2016-10-14 Thread William Roberts
16 at 9:08 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and > it only took 4 seconds. > > On Fri, Oct 14, 2016 at 9:07 AM, William Roberts > <bill.c.robe...@gmail.com> wrote: >> Likely

Re: speeding up nodups_specs, need large fc file.

2016-10-14 Thread William Roberts
Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and it only took 4 seconds. On Fri, Oct 14, 2016 at 9:07 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > Likely not, I see it compiling version 29 and I am on ubuntu which is > way out of date with this stuff

Re: speeding up nodups_specs, need large fc file.

2016-10-14 Thread William Roberts
t;s...@tycho.nsa.gov> wrote: > On 10/14/2016 09:02 AM, William Roberts wrote: >> Looks like make MONOLITHIC=y policy to get the binary policy file >> >> Is it normal for checkpolicy to take 5 minutes? > > No, at least not with a modern checkpolicy. Are you usin

Re: Fuzzing /usr/libexec/selinux/hll/pp with AFL

2016-10-06 Thread William Roberts
5ba0 error 4 in libsepol.so.1[7f5dff4d+95000] >> [10489.509501] pp[24320]: segfault at 0 ip 7f6067bec544 sp >> 7fff17b0e5c0 error 4 in libsepol.so.1[7f6067bdb000+95000] >> # >> >> I also tested checkmodule and checkpolicy with AFL, but nothing sofar. > > I

Re: Fuzzing /usr/libexec/selinux/hll/pp with AFL

2016-10-06 Thread William Roberts
Thanks for fuzzing stuff, it helps with code robustness. However, in my opinion, this is only the first step. I'm a firm believer if you find it, you should at least take a stab at fixing it. Analyzing these inputs and understanding what broke and having a patch helps aid in the correct fix.

Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y

2016-09-29 Thread William Roberts
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/29/2016 02:46 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/29/2016 02:15 PM, William Roberts wrote: >&g

Re: [PATCH 2/3] libselinux: android: fix lax service context lookup

2016-09-29 Thread William Roberts
do you have the corresponding changes to checkfc on AOSP? On Thu, Sep 29, 2016 at 7:39 AM, Janis Danisevskis wrote: > We use the same lookup function for service contexts > that we use for property contexts. However, property > contexts are namespace based and only compare

Re: [PATCH 1/1] libsepol/cil: do not heap-overflow when too many permissions are in a class

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 5:34 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: > On 28/09/16 23:06, William Roberts wrote: >> On Sep 28, 2016 17:02, "Nicolas Iooss" <nicolas.io...@m4x.org >> <mailto:nicolas.io...@m4x.org>> wrote: >>> >

Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
On Sep 28, 2016 17:07, "Joshua Brindle" <brin...@quarksecurity.com> wrote: > > William Roberts wrote: >> >> On Sep 28, 2016 16:54, "Joshua Brindle"<brin...@quarksecurity.com> wrote: >>> >>> Joshua Brindle wrote: >>>

Re: [PATCH 1/1] libsepol/cil: do not heap-overflow when too many permissions are in a class

2016-09-28 Thread William Roberts
On Sep 28, 2016 17:02, "Nicolas Iooss" wrote: > > When compiling a CIL policy with more than 32 items in a class (e.g. in > (class capability (chown ...)) with many items), > cil_classorder_to_policydb() overflows perm_value_to_cil[class_index] > array. As this array is

Re: [RFC] Build ANDROID_HOST=y on mac

2016-09-28 Thread William Roberts
On Sep 28, 2016 16:54, "Joshua Brindle" <brin...@quarksecurity.com> wrote: > > Joshua Brindle wrote: >> >> William Roberts wrote: >>> >>> From commit 35d702 on >>> https://github.com/williamcroberts/selinux/tree/fix-mac >>> &g

Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 12:42 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 12:25 PM, William Roberts wrote: >> On Wed, Sep 28, 2016 at 12:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/28/2016 12:04 PM, Janis Danisevskis wrote: >&g

Re: [PATCH] libselinux: android: fix lax service context lookup

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 12:04 PM, Janis Danisevskis wrote: > We use the same lookup function for service contexts > that we use for property contexts. However, property > contexts are namespace based and only compare the > prefix. This may lead to service associations with > a

Re: [PATCH] libselinux: fix unused variable error

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:53 AM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > When building for Android, this error manifests itself: > > label_file.c:570:7: error: unused variable ‘subs_file’ > [-Werror=unuse

Re: [PATCH 3/3] libselinux: drop DISABLE_BOOL=y option

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 11:26 AM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> Build option DISABLE_BOOL=y is not being used, and is

Re: DISABLE_AVC=y

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:24 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 11:13 AM, William Roberts wrote: >> On Wed, Sep 28, 2016 at 11:10 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/28/2016 11:00 AM, William Roberts wrote: &g

Re: DISABLE_AVC=y

2016-09-28 Thread William Roberts
On Wed, Sep 28, 2016 at 11:10 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 11:00 AM, William Roberts wrote: >> Same thing for DISABLE_BOOL, should that die or be fixed? > > Would that be useful for the Android device/target build, since they > don't sup

DISABLE_AVC=y

2016-09-28 Thread William Roberts
Does anyone actually use this? This currently doesn't build: compute_av.c: In function ‘security_compute_av_flags_raw’: compute_av.c:65:28: error: suggest braces around empty body in an ‘if’ statement [-Werror=empty-body] map_decision(tclass, avd); ^ cc1: all

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
>>> Don't you actually want to also pick up utils/sefcontext_compile? >>> That is built and used on the build host. And I'm not sure why we'd >>> drop the other SUBDIRS. >> >> You'll start running into linking issues if things that use >> libselinux, use something not >> in the build host IIRC.

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 12:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/27/2016 03:03 PM, William Roberts wrote: >> On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On 09/27/2016 02:43 PM, William Roberts wrote: >&g

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 11:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/27/2016 02:43 PM, William Roberts wrote: >> On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov >> <mailto:s...@tycho.nsa.gov>> wrote: >>> >>>

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Sep 27, 2016 10:00, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/27/2016 11:08 AM, William Roberts wrote: > > On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 09/26/2016 04:53 PM, william.c.robe...@i

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 7:03 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/26/2016 04:55 PM, William Roberts wrote: >> On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote: >>> From: William Roberts <william.c.robe...@intel.com&g

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-27 Thread William Roberts
On Tue, Sep 27, 2016 at 7:11 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/26/2016 04:53 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> To build the selinux host configuration, specify >>

Re: Android Fork

2016-09-27 Thread William Roberts
On Sep 27, 2016 07:52, "Jason Zaman" wrote: > > I just remembered that travis-ci has OSX stuff now. > https://docs.travis-ci.com/user/osx-ci-environment/ > > Maybe we should setup a .travis.yml for selinux to build all these > possible configurations going forward? At least

Re: [PATCH v2] libselinux: add ANDROID_HOST=y build option

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 1:53 PM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > To build the selinux host configuration, specify > ANDROID_HOST=y on the Make command line. > > eg) > make ANDROID_HOST=y &

Re: [PATCH] libselinux: add ANDROID_HOST=y build option

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 1:33 PM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > To build the selinux host configuration, specify > ANDROID_HOST=y on the Make command line. > > eg) > make ANDROID_HOST=y &

Re: Android Fork

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 12:10 PM, Stephen Smalley wrote: > On 09/26/2016 01:33 PM, william.c.robe...@intel.com wrote: >> Below, are the last two major patches to close the Android fork. >> >> Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I >> combined into 1

Re: Android Fork

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:33 AM, wrote: > Below, are the last two major patches to close the Android fork. > > Patch "libselinux: add ifdef'ing for ANDROID and BUILD_HOST" I > combined into 1 patch since some ANDROID and BUILD_HOST defines > are on the same line, I

Re: [PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote: > On 09/26/2016 10:22 AM, Janis Danisevskis wrote: >> The "-r" flag of sefcontext_compile now causes it to omit the >> precompiled regular expressions from the output. > > The code itself looks ok, aside from William's

Re: [PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 10:43 AM, Stephen Smalley wrote: > On 09/26/2016 10:22 AM, Janis Danisevskis wrote: >> The "-r" flag of sefcontext_compile now causes it to omit the >> precompiled regular expressions from the output. > > The code itself looks ok, aside from William's

Re: [PATCH] libselinux: drop unused stdio_ext.h header file

2016-09-26 Thread William Roberts
On Mon, Sep 26, 2016 at 8:05 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/24/2016 01:10 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> Nothing was being used from the stdio_ext.h header file, so >&

Re: Killing The Android libselinux Fork (available)

2016-09-24 Thread William Roberts
iling list. Thanks all for the input provided, and Josh for your late night mac help! On Fri, Sep 23, 2016 at 1:44 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/23/2016 04:01 PM, Joshua Bri

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
On Fri, Sep 23, 2016 at 1:24 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/23/2016 04:01 PM, Joshua Brindle wrote: >> William Roberts wrote: >>> On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle >>> <brin...@quarksecurity.com> wrote: >>>>

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
On Sep 23, 2016 13:01, "Joshua Brindle" <brin...@quarksecurity.com> wrote: > > William Roberts wrote: >> >> On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle >> <brin...@quarksecurity.com> wrote: >>> >>> William Roberts wro

Re: Killing The Android libselinux Fork (available)

2016-09-23 Thread William Roberts
On Fri, Sep 23, 2016 at 6:57 AM, Joshua Brindle <brin...@quarksecurity.com> wrote: > William Roberts wrote: >> >> On Sep 22, 2016 9:18 PM, "Jeffrey Vander Stoep"<je...@google.com> wrote: >>> >>> Remember to test on the Mac build. About a year

Re: Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
Haines has done a lot of work to reduce the diff between upstream and the Android fork. Hopefully that will reduce your effort. Yeah I'm quite concerned about the Mac build, does anyone on here have access to a Mac for testing? > > On Thu, Sep 22, 2016 at 6:39 PM William Roberts <

Re: Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
On Thu, Sep 22, 2016 at 6:34 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > So I have been working the last couple of days to understand what it > would take to kill external/libselinux (the Android Fork) and fixup > upstream so most of the delta is in. The only thin

Killing The Android libselinux Fork (available)

2016-09-22 Thread William Roberts
: Patches that matter ( I don't know how to make pretty little git summaries): commit e017f48acd2791a6aa62b4ed0c0b44256b26651f Author: William Roberts <william.c.robe...@intel.com> Date: Wed Sep 21 16:06:37 2016 -0700 libselinux: add The Android fork files

Re: unlocked stdio

2016-09-21 Thread William Roberts
Another thing I noticed rectifying the Android tree is that the selinux/Android.mk upstream is empty, but the secondary levels are present, any reason that hasn't been pushed? On Wed, Sep 21, 2016 at 2:53 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Wed, Sep 21, 2016 a

Re: unlocked stdio

2016-09-21 Thread William Roberts
On Wed, Sep 21, 2016 at 2:48 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: >> >> On 09/21/2016 04:11 PM, William Roberts wrote: >> > On Sep 21, 2016 13:06, "

Re: unlocked stdio

2016-09-21 Thread William Roberts
On Sep 21, 2016 13:16, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/21/2016 04:11 PM, William Roberts wrote: > > On Sep 21, 2016 13:06, "Stephen Smalley" <s...@tycho.nsa.gov > > <mailto:s...@tycho.nsa.gov>> wrote: &g

Re: selinux 2.6-rc1 release planned 9/30

2016-09-21 Thread William Roberts
I'd like to see the -r flip change in by then, so no official release is cut with that behavior. Also, I was looking at the help output for -r, and it's quite confusing, I can't tell if -r includes or omits, verbatim output: -r Include precompiled regular expressions in the output.

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread William Roberts
On Sep 19, 2016 22:25, "Jason Zaman" <ja...@perfinion.com> wrote: > > On 20 Sep 2016 12:50 pm, "William Roberts" <bill.c.robe...@gmail.com> wrote: > > > > On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote: >

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread William Roberts
On Sep 19, 2016 21:16, "Jason Zaman" <ja...@perfinion.com> wrote: > > On 20 Sep 2016 5:47 am, <william.c.robe...@intel.com> wrote: > > > > From: William Roberts <william.c.robe...@intel.com> > > > > THIS IS WIP... > > > > Rath

Re: [PATCH] Change semantic of -r in sefcontext_compile

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 11:44 AM, Janis Danisevskis wrote: > I don't really care much about the behavior of sefcontext_compile. I just > thought making the default behavior the safest would be the best option. > Before android is using it, I will have to sync the (now modified

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 8:04 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 16, 2016 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On 09/16/2016 10:44 AM, William Roberts wrote: >>> On Fri, Sep 16, 2016 at 7:41 AM, William Roberts

Re: [PATCH] Change semantic of -r in sefcontext_compile

2016-09-16 Thread William Roberts
On Sep 16, 2016 08:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/16/2016 11:08 AM, William Roberts wrote: > > On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 09/16/2016 09:08 AM, Janis Danisevskis wrote:
