Re: [PATCH] Change semantic of -r in sefcontext_compile

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley wrote: > On 09/16/2016 09:08 AM, Janis Danisevskis wrote: >> This patch reestablishes the default behavior of sefcontext_compile >> to include precompiled regular expressions in the output. If linked >> against PCRE2 the flag

Re: [PATCH v3] libselinux: correct error path to always try text

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 7:30 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/15/2016 07:13 PM, william.c.robe...@intel.com wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> patch 5e15a52aaa cleans up the process_file() but introduced

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Sep 16, 2016 07:06, "Jason Zaman" <ja...@perfinion.com> wrote: > > On Fri, Sep 16, 2016 at 06:51:25AM -0700, William Roberts wrote: > > On Fri, Sep 16, 2016 at 6:43 AM, William Roberts > > <bill.c.robe...@gmail.com> wrote: > > > On Fri, Sep 16,

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 6:43 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote: >> On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: >>> On Fri, Sep 16, 2016 at 6

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
On Fri, Sep 16, 2016 at 6:31 AM, Jason Zaman <ja...@perfinion.com> wrote: > On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: >> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com> wrote: >> > I don't mind. Then before sefcontext_com

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
surgery, so I haven't been following this as well as I normally would have. If it's merged, just leave it. > > On Fri, Sep 16, 2016 at 1:35 PM William Roberts <bill.c.robe...@gmail.com> > wrote: >> >> >> > >> > >> > That's just th

Re: [PATCH] libselinux: add support for pcre2

2016-09-16 Thread William Roberts
> > > That's just the thing. Without -r the phone _will_ boot because the regexes > are compiled on first use. With -r and an arch mismatch we have an undefined > behavior, which is bad. That's just a limitation of the current design. > > See, I don't currently know what part of the

Re: [PATCH] libselinux: add support for pcre2

2016-09-15 Thread William Roberts
On Thu, Sep 15, 2016 at 7:57 AM, Stephen Smalley wrote: > On 09/15/2016 10:04 AM, Janis Danisevskis wrote: >> From: Janis Danisevskis >> >> This patch moves all pcre1/2 dependencies into the new files regex.h >> and regex.c implementing the common

Re: [PATCH] libselinux: correct error path to always try text

2016-09-15 Thread William Roberts
On Thu, Sep 15, 2016 at 11:10 AM, <william.c.robe...@intel.com> wrote: > From: William Roberts <william.c.robe...@intel.com> > > patch 5e15a52aaa cleans up the process_file() but introduced > a bug. If the binary file cannot be opened, always attempt > to fa

Re: [PATCH 1/2] libselinux: add support for pcre2

2016-09-07 Thread William Roberts
On Sep 7, 2016 11:29, "Jason Zaman" <ja...@perfinion.com> wrote: > > On Wed, Sep 07, 2016 at 09:40:43AM -0700, William Roberts wrote: > > On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > > > On 09/07/2016 04:08 AM,

Re: [PATCH 1/2] libselinux: add support for pcre2

2016-09-07 Thread William Roberts
On Wed, Sep 7, 2016 at 8:02 AM, Stephen Smalley wrote: > On 09/07/2016 04:08 AM, Janis Danisevskis wrote: >> From: Janis Danisevskis >> >> This patch moves all pcre1/2 dependencies into the new files regex.h >> and regex.c implementing the common

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
On Tue, Sep 6, 2016 at 1:43 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > >>>>> >>>>> Also, there are some memory leaks in there; run it under valgrind, e.g. >>>>> valgrind --leak-check=full matchpathcon /etc >>>> >>

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
Also, there are some memory leaks in there; run it under valgrind, e.g. valgrind --leak-check=full matchpathcon /etc >>> >>> OK, I'll run that test. > > I can't reproduce: bad send... Can you send your valgrind output? Are you sure it's not there prior to my patch? The only heap alloc

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
On Tue, Sep 6, 2016 at 1:22 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/06/2016 04:06 PM, William Roberts wrote: >> On Sep 6, 2016 13:01, "Stephen Smalley" <s...@tycho.nsa.gov >> <mailto:s...@tycho.nsa.gov>> wrote: >>> >

Re: [PATCH] libselinux: clean up process file

2016-09-06 Thread William Roberts
On Sep 6, 2016 13:01, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 09/06/2016 11:51 AM, william.c.robe...@intel.com wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > The current process_file() code will open the file

Re: [PATCH] [RFC] nodups_specs: speedup

2016-09-06 Thread William Roberts
On Sep 6, 2016 11:58, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > On 08/29/2016 12:22 PM, william.c.robe...@intel.com wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > I noticed, via gprof, that the time spent in nodups_s

Re: [PATCH] selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX

2016-08-18 Thread William Roberts
On Aug 18, 2016 17:07, "Paul Moore" <p...@paul-moore.com> wrote: > > On Mon, Aug 15, 2016 at 3:42 PM, <william.c.robe...@intel.com> wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > Remove the SECURITY_SELINUX_PO

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread William Roberts
>> Currently, in file-systems like reiserFS that support scalable xattrs, only >> VFS is the one limiting the size to 64k. Since there is no constant, and >> maybe one day this arbitrary VFS limit >> would be removed, I think we should check correctly here that we're >> allocating > 1 bytes, and

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread William Roberts
On Tue, Aug 16, 2016 at 8:11 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Aug 16, 2016 06:12, "James Carter" <jwca...@tycho.nsa.gov> wrote: > > > > On 08/15/2016 11:59 AM, william.c.robe...@intel.com wrote: > >> > >

Re: [PATCH v2 5/5] libsepol: fix overflow and 0 length allocations

2016-08-11 Thread William Roberts
On Thu, Aug 11, 2016 at 12:14 PM, James Carter <jwca...@tycho.nsa.gov> wrote: > On 08/10/2016 06:36 PM, william.c.robe...@intel.com wrote: > >> From: William Roberts <william.c.robe...@intel.com> >> >> Throughout libsepol, values taken from sepolicy are

Re: [PATCH v2] module_to_cil: fix use of uninitialized variables

2016-08-04 Thread William Roberts
> > I would recommend just initializing the variables to NULL and keeping > the "goto exit"'s. That would maintain the single return point, allows > for extra cleanup code to be run in the future if necessary, and is > consistent with the rest of the module_to_cil code. > FYI these functions

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-14 Thread William Roberts
On Thu, Jul 14, 2016 at 4:18 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > > > On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <p...@paul-moore.com> wrote: > >> On Thu, Jul 14, 2016 at 3:29 PM, <william.c.robe...@intel.com> wrote: >> > From:

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-14 Thread William Roberts
On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <p...@paul-moore.com> wrote: > On Thu, Jul 14, 2016 at 3:29 PM, <william.c.robe...@intel.com> wrote: > > From: William Roberts <william.c.robe...@intel.com> > > > > ioctlcmd is currently printing hex numbers, but

Re: Selectively assigning SELinux policies to permissive and enforcement mode

2016-06-19 Thread William Roberts
You could set enforcing mode to on via setenforce, which enables it globally, and then set various domains in permissive to get a mixed blend of enforcing and non-enforcing. On Jun 19, 2016 16:21, "Taeho Kgil" wrote: > Hi SELinux community, > > I'm relatively new to this

Re: [PATCH] libsepol: Change which attributes CIL keeps in the binary policy

2016-05-06 Thread William Roberts
On May 6, 2016 11:58 AM, "James Carter" wrote: > > The removal of attributes that are only used in neverallow rules is > hindering AOSP adoption of the CIL compiler. This is because AOSP > extracts neverallow rules from its policy.conf for use in the Android > compatibility

Re: [PATCH] libsepol, checkpolicy, secilc: Replace #ifdef DARWIN with __APPLE__.

2016-05-03 Thread William Roberts
LGTM, but have no way to test it. I have no apples. On Tue, May 3, 2016 at 9:13 AM, Nick Kralevich wrote: > On Tue, May 3, 2016 at 8:58 AM, Stephen Smalley wrote: > > As per discussion in https://android-review.googlesource.com/#/c/221980, > > we should be

Re: [PATCH] selinux: restrict kernel module loading

2016-04-04 Thread William Roberts
On Sat, Apr 2, 2016 at 8:31 AM, Paul Moore wrote: > On Fri, Apr 1, 2016 at 6:40 PM, Jeff Vander Stoep > wrote: > > Utilize existing kernel_read_file hook on kernel module load. > > Add module_load permission to the system class. > > > > Enforces

Re: initial_sid context via libsepol

2016-03-09 Thread William Roberts
> > > > I came across this in build/tools/fs_config/fs_config.c: > > > char* secontext; > if (selabel_lookup(sehnd, , full_name, ( mode | (is_dir ? > S_IFDIR : S_IFREG { > secontext = strdup("u:object_r:unlabeled:s0"); > } > > printf(" selabel=%s",

Re: initial_sid context via libsepol

2016-03-09 Thread William Roberts
> > >> SIDs, with the values in ->sid[0] and the context structures in >> ->context[0]. Richard's sample program showed you how to walk it and >> print out all the entries. The symbolic names themselves aren't in the >> policydb, as he noted; you can grab it from the kernel source >>

Re: Exposing secid to secctx mapping to user-space

2015-12-14 Thread William Roberts
On Mon, Dec 14, 2015 at 2:11 PM, Stephen Smalley wrote: > On 12/14/2015 04:29 PM, Roberts, William C wrote: > >> >> >>> Subject: Re: Exposing secid to secctx mapping to user-space >>> >>> On 12/13/2015 2:06 PM, Paul Moore wrote: >>> On Friday, December 11, 2015 05:14:38

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread William Roberts
On Oct 20, 2015 7:46 AM, "Stephen Smalley" wrote: > > On 10/20/2015 08:27 AM, Richard Haines wrote: >> >> >> >> >> >>> On Monday, 19 October 2015, 19:10, Stephen Smalley wrote: On 10/18/2015 11:00 AM, Richard Haines wrote: > On

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread William Roberts
FYI you can take just 1 C and H file from crypt lib. You don't need it all. On Oct 20, 2015 8:42 AM, "Richard Haines" <richard_c_hai...@btinternet.com> wrote: > > On Tuesday, 20 October 2015, 15:00, William Roberts < > bill.c.robe...@gmail.com> wrote: > >

Re: Find attributes for a type with sepol

2015-09-29 Thread William Roberts
On Sep 29, 2015 12:12 PM, "Joshua Brindle" <brin...@quarksecurity.com> wrote: > > William Roberts wrote: >> >> Out of curiosity, what's the purpose of the types field in the struct >> type_datum? This seems to never have anything in it. >> >
