* Re: Security label of file in Yaffs2 on Android
From: Stephen Smalley @ 2013-01-14 13:27 UTC (permalink / raw)
To: 董钰; +Cc: selinux, seandroid-list
On 01/13/2013 11:15 PM, 董钰 wrote:
> Hello
> I want to set security label (use xattr security.mylabel) of the file in
> Yaffs2 on Android.
> I've been able to use setxattr syscall to set security label, and use
> getxattr syscall to verify the change right after that.
> The problem is that the change is gone when I reboot the emulator. I used
> to try the same process on Linux and ext2 filesystem, and the change
> will last like forever.
>
> Is it about the emulator? Or is it all about the support level of xattr
> in Yaffs2?
>
> Thank you for any help.
What kernel are you using? We had to patch the emulator kernel for SE
Android, back-porting a more recent snapshot of the yaffs2 code that
provides native support for xattrs and applying a further change to
ensure that new inodes are assigned a SELinux attribute on creation.
Also, how are you invoking the emulator?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Security label of file in Yaffs2 on Android
From: Stephen Smalley @ 2013-01-14 13:35 UTC (permalink / raw)
To: 董钰; +Cc: selinux, seandroid-list
On 01/14/2013 08:27 AM, Stephen Smalley wrote:
> On 01/13/2013 11:15 PM, 董钰 wrote:
>> Hello
>> I want to set security label (use xattr security.mylabel) of the file in
>> Yaffs2 on Android.
>> I've been able to use setxattr syscall to set security label, and use
>> getxattr syscall to verify the change right after that.
>> The problem is that the change is gone when I reboot the emulator. I used
>> to try the same process on Linux and ext2 filesystem, and the change
>> will last like forever.
>>
>> Is it about the emulator? Or is it all about the support level of xattr
>> in Yaffs2?
>>
>> Thank you for any help.
>
> What kernel are you using? We had to patch the emulator kernel for SE
> Android, back-porting a more recent snapshot of the yaffs2 code that
> provides native support for xattrs and applying a further change to
> ensure that new inodes are assigned a SELinux attribute on creation.
>
> Also, how are you invoking the emulator?
And which partition are you trying to modify? /data or /system?
* Re: Security label of file in Yaffs2 on Android
From: Stephen Smalley @ 2013-01-15 14:14 UTC (permalink / raw)
To: 董钰; +Cc: selinux, seandroid-list
On 01/15/2013 04:52 AM, 董钰 wrote:
> LOL, too early to end the problem.
> My goal is to "attach every file and dir in Android with a security
> label".
> The files under /data can be setxattr and the change can last after the
> reboot of the emulator now, but the change of setxattr to the files
> under /system still can't last after the reboot of the emulator. That's
> really weird. According to init.rc, both the /data and /system were
> mounted in yaffs type. I can't figure out any difference between them to
> cause this.
> PS:
> I modified init.rc to make /system mounted rw.
http://developer.android.com/tools/devices/emulator.html#diskimages
"The emulator does not permit renaming the temporary system image or
persisting it at device power-off."
This is presumably because system images aren't normally modified at
runtime, unlike the user data images.
To create a system image with security labels for SE Android, we
modified mkyaffs2image to create the image with the extended attributes
already set based on our external/sepolicy/file_contexts configuration,
which specifies a mapping from pathname regexes to security contexts.
It shouldn't be hard to generalize our code to support other xattrs.
Our changes to external/yaffs2 have been merged into AOSP. We also did
the same thing for make_ext4fs (system/extras/ext4_utils), as ext4 is
used on modern devices.
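An added illustration of the pathname-regex to security-context mapping described in the message above (not code from the thread or from AOSP's mkyaffs2image): a simplified model of a file_contexts lookup applied to every entry of an image tree at build time. The sample entries, the function names and the precedence rule used here (whole-path match, literal entries ahead of regexes, later entries ahead of earlier ones) are assumptions of this example.

```python
import re

# Constructed sample in file_contexts syntax: "<pathname regex> [-type] <context>".
# These entries are illustrative, not copied from external/sepolicy.
SAMPLE_FILE_CONTEXTS = """\
# comment lines and blank lines are ignored
/system(/.*)?           u:object_r:system_file:s0
/system/bin/sh     --   u:object_r:shell_exec:s0
/data(/.*)?             u:object_r:system_data_file:s0
/data/app(/.*)?         u:object_r:apk_data_file:s0
"""

META = set(".^$?*+|[({\\")  # a pattern containing none of these is a literal path

def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_type_or_None, context, is_literal)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, ftype, context = fields
        else:
            raise ValueError(f"malformed line: {line!r}")
        literal = not (set(pattern) & META)
        specs.append((re.compile(pattern), ftype, context, literal))
    return specs

def lookup(specs, path, ftype="--"):
    """Context for path: the regex must match the whole path; '--' is a
    regular file, '-d' a directory. Literal specs beat regex specs, and
    among equals the later entry wins."""
    best = None
    for regex, want_type, context, literal in specs:
        if want_type is not None and want_type != ftype:
            continue
        if regex.fullmatch(path) and (best is None or literal >= best[0]):
            best = (literal, context)
    return best[1] if best else None

def label_image(specs, entries):
    """Map each (path, type) of the image tree to the value an image
    builder would store in that file's security.selinux xattr."""
    return {path: lookup(specs, path, ftype) for path, ftype in entries}
```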