* [PATCH] libselinux: re-introduce DISABLE_BOOL=y
@ 2016-09-29 18:02 william.c.roberts
2016-09-29 18:08 ` Stephen Smalley
2016-09-29 19:42 ` Stephen Smalley
0 siblings, 2 replies; 10+ messages in thread
From: william.c.roberts @ 2016-09-29 18:02 UTC (permalink / raw)
To: selinux, seandroid-list, sds
From: William Roberts <william.c.roberts@intel.com>
Provide stubs for the public boolean API that always return -1.
On Android, boolean symbols are needed for:
external/ltrace/sysdeps/linux-gnu/trace.c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
libselinux/Makefile | 4 +++
libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
2 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/libselinux/Makefile b/libselinux/Makefile
index f607115..b5f32bb 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -5,6 +5,7 @@ DISABLE_RPM ?= y
ANDROID_HOST ?= n
ifeq ($(ANDROID_HOST),y)
override DISABLE_SETRANS=y
+ override DISABLE_BOOL=y
endif
ifeq ($(DISABLE_RPM),y)
DISABLE_FLAGS+= -DDISABLE_RPM
@@ -12,6 +13,9 @@ endif
ifeq ($(DISABLE_SETRANS),y)
DISABLE_FLAGS+= -DDISABLE_SETRANS
endif
+ifeq ($(DISABLE_BOOL),y)
+ DISABLE_FLAGS+= -DDISABLE_BOOL
+endif
export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
USE_PCRE2 ?= n
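Review bot: `DISABLE_BOOL` is tested by the new `ifeq` but, within the lines visible here, it gets no default and is not added to the `export` line the way the neighbouring knobs are. A `DISABLE_BOOL ?= n` next to `DISABLE_RPM ?= y` would document the switch for non-Android builders, and `export DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL DISABLE_FLAGS ANDROID_HOST` would keep it consistent with the other options. The define presumably still reaches sub-makes through the exported `DISABLE_FLAGS`, so this is about discoverability rather than a build break. The top of the Makefile is outside the hunk, so an existing default there cannot be ruled out.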
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index c438af1..cbb0610 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -25,6 +25,8 @@
#define SELINUX_BOOL_DIR "/booleans/"
+#ifndef DISABLE_BOOL
+
static int filename_select(const struct dirent *d)
{
if (d->d_name[0] == '.'
@@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
goto out;
}
-hidden_def(security_get_boolean_names)
-
char *selinux_boolean_sub(const char *name)
{
char *sub = NULL;
@@ -141,8 +141,6 @@ out:
return sub;
}
-hidden_def(selinux_boolean_sub)
-
static int bool_open(const char *name, int flag) {
char *fname = NULL;
char *alt_name = NULL;
@@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
return val;
}
-hidden_def(security_get_boolean_active)
-
int security_set_boolean(const char *name, int value)
{
int fd, ret;
@@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
return -1;
}
-hidden_def(security_set_boolean)
-
int security_commit_booleans(void)
{
int fd, ret;
@@ -327,8 +321,6 @@ int security_commit_booleans(void)
return -1;
}
-hidden_def(security_commit_booleans)
-
static char *strtrim(char *dest, char *source, int size)
{
int i = 0;
@@ -567,3 +559,55 @@ int security_load_booleans(char *path)
errno = EINVAL;
return errors ? -1 : 0;
}
+
+#else
+int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
+ SELboolean * boollist __attribute__((unused)),
+ int permanent __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_load_booleans(char *path __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_get_boolean_names(char ***names __attribute__((unused)),
+ int *len __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_get_boolean_pending(const char *name __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_get_boolean_active(const char *name __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_set_boolean(const char *name __attribute__((unused)),
+ int value __attribute__((unused)))
+{
+ return -1;
+}
+
+int security_commit_booleans(void)
+{
+ return -1;
+}
+
+char *selinux_boolean_sub(const char *name __attribute__((unused)))
+{
+ return NULL;
+}
+#endif
+
+hidden_def(security_get_boolean_names)
+hidden_def(selinux_boolean_sub)
+hidden_def(security_get_boolean_active)
+hidden_def(security_set_boolean)
+hidden_def(security_commit_booleans)
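Review bot: The DISABLE_BOOL stubs added after `#else` fail with -1 or NULL but leave errno untouched, so a caller that reports the failure through errno prints a stale value and cannot tell "booleans compiled out" from a selinuxfs error. Adding `errno = ENOTSUP;` before each `return` would make that distinction; the file already assigns errno in `security_load_booleans`, so the header is presumably included above the `#ifndef`. A comment above the stubs such as `/* DISABLE_BOOL: boolean support is compiled out; these entry points exist only so dependents link, and always fail. */` would record the intent. Callers of the getters should compare against 1 or 0 rather than test for non-zero, since -1 is truthy in C. The commit message also says every stub returns -1, while `selinux_boolean_sub` returns NULL.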
--
1.9.1
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:02 [PATCH] libselinux: re-introduce DISABLE_BOOL=y william.c.roberts
@ 2016-09-29 18:08 ` Stephen Smalley
2016-09-29 18:15 ` William Roberts
2016-09-29 19:42 ` Stephen Smalley
1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2016-09-29 18:08 UTC (permalink / raw)
To: william.c.roberts, selinux, seandroid-list
On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
> From: William Roberts <william.c.roberts@intel.com>
>
> Provide stubs to the public boolean API that always returns -1.
>
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c
Is this really worth doing?
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
> libselinux/Makefile | 4 +++
> libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
> 2 files changed, 58 insertions(+), 10 deletions(-)
>
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
> ANDROID_HOST ?= n
> ifeq ($(ANDROID_HOST),y)
> override DISABLE_SETRANS=y
> + override DISABLE_BOOL=y
> endif
> ifeq ($(DISABLE_RPM),y)
> DISABLE_FLAGS+= -DDISABLE_RPM
> @@ -12,6 +13,9 @@ endif
> ifeq ($(DISABLE_SETRANS),y)
> DISABLE_FLAGS+= -DDISABLE_SETRANS
> endif
> +ifeq ($(DISABLE_BOOL),y)
> + DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
> export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>
> USE_PCRE2 ?= n
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>
> #define SELINUX_BOOL_DIR "/booleans/"
>
> +#ifndef DISABLE_BOOL
> +
> static int filename_select(const struct dirent *d)
> {
> if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
> goto out;
> }
>
> -hidden_def(security_get_boolean_names)
> -
> char *selinux_boolean_sub(const char *name)
> {
> char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
> return sub;
> }
>
> -hidden_def(selinux_boolean_sub)
> -
> static int bool_open(const char *name, int flag) {
> char *fname = NULL;
> char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
> return val;
> }
>
> -hidden_def(security_get_boolean_active)
> -
> int security_set_boolean(const char *name, int value)
> {
> int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
> return -1;
> }
>
> -hidden_def(security_set_boolean)
> -
> int security_commit_booleans(void)
> {
> int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
> return -1;
> }
>
> -hidden_def(security_commit_booleans)
> -
> static char *strtrim(char *dest, char *source, int size)
> {
> int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
> errno = EINVAL;
> return errors ? -1 : 0;
> }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> + SELboolean * boollist __attribute__((unused)),
> + int permanent __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> + int *len __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> + int value __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> + return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> + return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
>
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:08 ` Stephen Smalley
@ 2016-09-29 18:15 ` William Roberts
2016-09-29 18:44 ` Stephen Smalley
0 siblings, 1 reply; 10+ messages in thread
From: William Roberts @ 2016-09-29 18:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: William Roberts, selinux, seandroid-list
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>> From: William Roberts <william.c.roberts@intel.com>
>>
>> Provide stubs to the public boolean API that always returns -1.
>>
>> On Android, boolean symbols are needed for:
>> external/ltrace/sysdeps/linux-gnu/trace.c
>
> Is this really worth doing?
It's this or disabling SELinux support in that source through its
HAVE_LIBSELINUX #define.
But IMHO it would be confusing to have a libselinux.so, set
HAVE_LIBSELINUX=1 because of it,
and then get link errors.
Seems to be yet-another red-hat contribution from a long time ago:
commit cec06ec8282c538a40bde968ae36fe8356daffaa
Author: Petr Machata <pmachata@redhat.com>
Date: Tue Apr 10 13:31:55 2012 +0200
Warn when we fail to trace and SELinux boolean deny_ptrace is in effect
diff --git a/ChangeLog b/ChangeLog
index c095263..6107a12 100644
>
>>
>> Signed-off-by: William Roberts <william.c.roberts@intel.com>
>> ---
>> libselinux/Makefile | 4 +++
>> libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
>> 2 files changed, 58 insertions(+), 10 deletions(-)
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index f607115..b5f32bb 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>> ANDROID_HOST ?= n
>> ifeq ($(ANDROID_HOST),y)
>> override DISABLE_SETRANS=y
>> + override DISABLE_BOOL=y
>> endif
>> ifeq ($(DISABLE_RPM),y)
>> DISABLE_FLAGS+= -DDISABLE_RPM
>> @@ -12,6 +13,9 @@ endif
>> ifeq ($(DISABLE_SETRANS),y)
>> DISABLE_FLAGS+= -DDISABLE_SETRANS
>> endif
>> +ifeq ($(DISABLE_BOOL),y)
>> + DISABLE_FLAGS+= -DDISABLE_BOOL
>> +endif
>> export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>>
>> USE_PCRE2 ?= n
>> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
>> index c438af1..cbb0610 100644
>> --- a/libselinux/src/booleans.c
>> +++ b/libselinux/src/booleans.c
>> @@ -25,6 +25,8 @@
>>
>> #define SELINUX_BOOL_DIR "/booleans/"
>>
>> +#ifndef DISABLE_BOOL
>> +
>> static int filename_select(const struct dirent *d)
>> {
>> if (d->d_name[0] == '.'
>> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>> goto out;
>> }
>>
>> -hidden_def(security_get_boolean_names)
>> -
>> char *selinux_boolean_sub(const char *name)
>> {
>> char *sub = NULL;
>> @@ -141,8 +141,6 @@ out:
>> return sub;
>> }
>>
>> -hidden_def(selinux_boolean_sub)
>> -
>> static int bool_open(const char *name, int flag) {
>> char *fname = NULL;
>> char *alt_name = NULL;
>> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>> return val;
>> }
>>
>> -hidden_def(security_get_boolean_active)
>> -
>> int security_set_boolean(const char *name, int value)
>> {
>> int fd, ret;
>> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>> return -1;
>> }
>>
>> -hidden_def(security_set_boolean)
>> -
>> int security_commit_booleans(void)
>> {
>> int fd, ret;
>> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>> return -1;
>> }
>>
>> -hidden_def(security_commit_booleans)
>> -
>> static char *strtrim(char *dest, char *source, int size)
>> {
>> int i = 0;
>> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>> errno = EINVAL;
>> return errors ? -1 : 0;
>> }
>> +
>> +#else
>> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
>> + SELboolean * boollist __attribute__((unused)),
>> + int permanent __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_load_booleans(char *path __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_names(char ***names __attribute__((unused)),
>> + int *len __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_pending(const char *name __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_get_boolean_active(const char *name __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_set_boolean(const char *name __attribute__((unused)),
>> + int value __attribute__((unused)))
>> +{
>> + return -1;
>> +}
>> +
>> +int security_commit_booleans(void)
>> +{
>> + return -1;
>> +}
>> +
>> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
>> +{
>> + return NULL;
>> +}
>> +#endif
>> +
>> +hidden_def(security_get_boolean_names)
>> +hidden_def(selinux_boolean_sub)
>> +hidden_def(security_get_boolean_active)
>> +hidden_def(security_set_boolean)
>> +hidden_def(security_commit_booleans)
>>
>
--
Respectfully,
William C Roberts
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:15 ` William Roberts
@ 2016-09-29 18:44 ` Stephen Smalley
2016-09-29 18:46 ` William Roberts
0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2016-09-29 18:44 UTC (permalink / raw)
To: William Roberts; +Cc: William Roberts, selinux, seandroid-list
On 09/29/2016 02:15 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>> From: William Roberts <william.c.roberts@intel.com>
>>>
>>> Provide stubs to the public boolean API that always returns -1.
>>>
>>> On Android, boolean symbols are needed for:
>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>
>> Is this really worth doing?
>
> It's this or disabling that selinux via #define, which that source has
> HAVE_LIBSELINUX.
>
> But it would seem confusing IMHO to have a libselinux.so, so one would
> set HAVE_LIBSELINUX=1,
> and you're getting link errors.
Maybe I don't understand. Obviously it builds today with
external/libselinux without requiring this change. Why do we need this now?
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:44 ` Stephen Smalley
@ 2016-09-29 18:46 ` William Roberts
2016-09-29 18:54 ` Stephen Smalley
0 siblings, 1 reply; 10+ messages in thread
From: William Roberts @ 2016-09-29 18:46 UTC (permalink / raw)
To: Stephen Smalley; +Cc: William Roberts, selinux, seandroid-list
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:15 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>
>>>> Provide stubs to the public boolean API that always returns -1.
>>>>
>>>> On Android, boolean symbols are needed for:
>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>
>>> Is this really worth doing?
>>
>> It's this or disabling that selinux via #define, which that source has
>> HAVE_LIBSELINUX.
>>
>> But it would seem confusing IMHO to have a libselinux.so, so one would
>> set HAVE_LIBSELINUX=1,
>> and you're getting link errors.
>
> Maybe I don't understand. Obviously it builds today with
> external/libselinux without requiring this change. Why do we need this now?
>
Richard Haines was doing further testing, and was building a different
lunch target for the
arm emulator and hit this issue. I have only tested x86_64 emulator.
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:46 ` William Roberts
@ 2016-09-29 18:54 ` Stephen Smalley
2016-09-29 19:15 ` William Roberts
0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2016-09-29 18:54 UTC (permalink / raw)
To: William Roberts; +Cc: William Roberts, selinux, seandroid-list
On 09/29/2016 02:46 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>
>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>
>>>>> On Android, boolean symbols are needed for:
>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>
>>>> Is this really worth doing?
>>>
>>> It's this or disabling that selinux via #define, which that source has
>>> HAVE_LIBSELINUX.
>>>
>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>> set HAVE_LIBSELINUX=1,
>>> and you're getting link errors.
>>
>> Maybe I don't understand. Obviously it builds today with
>> external/libselinux without requiring this change. Why do we need this now?
>>
>
> Richard Haines was doing further testing, and was building a different
> lunch target for the
> arm emulator and hit this issue. I have only tested x86_64 emulator.
No, I mean that this is not required in external/libselinux (the Android
fork) today. So why is it needed here? The Android fork builds
src/booleans.c for the target. It doesn't hurt anything to leave the
code there. The underlying kernel interface via selinuxfs still exists.
There just won't be any booleans in the policy.
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:54 ` Stephen Smalley
@ 2016-09-29 19:15 ` William Roberts
2016-09-29 19:27 ` William Roberts
0 siblings, 1 reply; 10+ messages in thread
From: William Roberts @ 2016-09-29 19:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: William Roberts, selinux, seandroid-list
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:46 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>
>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>
>>>>>> On Android, boolean symbols are needed for:
>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>
>>>>> Is this really worth doing?
>>>>
>>>> It's this or disabling that selinux via #define, which that source has
>>>> HAVE_LIBSELINUX.
>>>>
>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>> set HAVE_LIBSELINUX=1,
>>>> and you're getting link errors.
>>>
>>> Maybe I don't understand. Obviously it builds today with
>>> external/libselinux without requiring this change. Why do we need this now?
>>>
>>
>> Richard Haines was doing further testing, and was building a different
>> lunch target for the
>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>
> No, I mean that this is not required in external/libselinux (the Android
> fork) today. So why is it needed here? The Android fork builds
> src/booleans.c for the target. It doesn't hurt anything to leave the
> code there. The underlying kernel interface via selinuxfs still exists.
> There just won't be any booleans in the policy.
>
The target builds a modified booleans; if we use booleans as is, we start
down the config C file
rabbit hole...
external/selinux/libselinux/src/booleans.c:100: error: undefined
reference to 'selinux_booleans_subs_path'
external/selinux/libselinux/src/booleans.c:388: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:529: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:545: error: undefined
reference to 'selinux_booleans_path'
clang++.real: error: linker command failed with exit code 1 (use -v to
see invocation)
I can take a look at that and see how much of a PITA it would be to
pull that in.
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 19:15 ` William Roberts
@ 2016-09-29 19:27 ` William Roberts
2016-09-29 19:37 ` Stephen Smalley
0 siblings, 1 reply; 10+ messages in thread
From: William Roberts @ 2016-09-29 19:27 UTC (permalink / raw)
To: Stephen Smalley; +Cc: William Roberts, selinux, seandroid-list
On Thu, Sep 29, 2016 at 3:15 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>>
>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>
>>>>>>> On Android, boolean symbols are needed for:
>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>
>>>>>> Is this really worth doing?
>>>>>
>>>>> It's this or disabling that selinux via #define, which that source has
>>>>> HAVE_LIBSELINUX.
>>>>>
>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>> set HAVE_LIBSELINUX=1,
>>>>> and you're getting link errors.
>>>>
>>>> Maybe I don't understand. Obviously it builds today with
>>>> external/libselinux without requiring this change. Why do we need this now?
>>>>
>>>
>>> Richard Haines was doing further testing, and was building a different
>>> lunch target for the
>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>
>> No, I mean that this is not required in external/libselinux (the Android
>> fork) today. So why is it needed here? The Android fork builds
>> src/booleans.c for the target. It doesn't hurt anything to leave the
>> code there. The underlying kernel interface via selinuxfs still exists.
>> There just won't be any booleans in the policy.
>>
>
> The target builds a modified booleans, if use booleans as is, we start
> down the config c file
> rabbit hole...
>
> external/selinux/libselinux/src/booleans.c:100: error: undefined
> reference to 'selinux_booleans_subs_path'
> external/selinux/libselinux/src/booleans.c:388: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:529: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:545: error: undefined
> reference to 'selinux_booleans_path'
> clang++.real: error: linker command failed with exit code 1 (use -v to
> see invocation)
>
> I can take a look at that and see how much of a PITA it would be to
> pull that in.
external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'require_seusers'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'load_setlocaldefs'
fgets should be easy enough
load_setlocaldefs is an exported integer value used in init_selinux_config()
require_seusers is another exported int from seusers.c
I was figuring since we don't use any bools, to keep the size down,
just stubbing dummies is the
easiest route.
We could do something like STATIC_CONFIG and just stub in what things
need and return the explicit paths.
--
Respectfully,
William C Roberts
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 19:27 ` William Roberts
@ 2016-09-29 19:37 ` Stephen Smalley
0 siblings, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2016-09-29 19:37 UTC (permalink / raw)
To: William Roberts; +Cc: seandroid-list, selinux
On 09/29/2016 03:27 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 3:15 PM, William Roberts
> <bill.c.roberts@gmail.com> wrote:
>> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>>>
>>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>>
>>>>>>>> On Android, boolean symbols are needed for:
>>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>>
>>>>>>> Is this really worth doing?
>>>>>>
>>>>>> It's this or disabling that selinux via #define, which that source has
>>>>>> HAVE_LIBSELINUX.
>>>>>>
>>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>>> set HAVE_LIBSELINUX=1,
>>>>>> and you're getting link errors.
>>>>>
>>>>> Maybe I don't understand. Obviously it builds today with
>>>>> external/libselinux without requiring this change. Why do we need this now?
>>>>>
>>>>
>>>> Richard Haines was doing further testing, and was building a different
>>>> lunch target for the
>>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>>
>>> No, I mean that this is not required in external/libselinux (the Android
>>> fork) today. So why is it needed here? The Android fork builds
>>> src/booleans.c for the target. It doesn't hurt anything to leave the
>>> code there. The underlying kernel interface via selinuxfs still exists.
>>> There just won't be any booleans in the policy.
>>>
>>
>> The target builds a modified booleans, if use booleans as is, we start
>> down the config c file
>> rabbit hole...
>>
>> external/selinux/libselinux/src/booleans.c:100: error: undefined
>> reference to 'selinux_booleans_subs_path'
>> external/selinux/libselinux/src/booleans.c:388: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:529: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:545: error: undefined
>> reference to 'selinux_booleans_path'
>> clang++.real: error: linker command failed with exit code 1 (use -v to
>> see invocation)
>>
>> I can take a look at that and see how much of a PITA it would be to
>> pull that in.
>
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'require_seusers'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'load_setlocaldefs'
>
> fgets should be easy enough
> load_setlocaldefs is an exported integer value used in init_selinux_config()
> require_seusers is another exported int form seusers.c
>
> I was figuring since we don't use any bools, to keep the size down,
> just stubbing dummies is the
> easiest route.
>
> We could do something like STATIC_CONFIG and just stub in what things
> need and return the explicit paths.
Never mind, I'll take your original patch.
* Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
2016-09-29 18:02 [PATCH] libselinux: re-introduce DISABLE_BOOL=y william.c.roberts
2016-09-29 18:08 ` Stephen Smalley
@ 2016-09-29 19:42 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2016-09-29 19:42 UTC (permalink / raw)
To: william.c.roberts, selinux, seandroid-list
On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
> From: William Roberts <william.c.roberts@intel.com>
>
> Provide stubs to the public boolean API that always returns -1.
>
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c
Thanks, applied.
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
> libselinux/Makefile | 4 +++
> libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
> 2 files changed, 58 insertions(+), 10 deletions(-)
>
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
> ANDROID_HOST ?= n
> ifeq ($(ANDROID_HOST),y)
> override DISABLE_SETRANS=y
> + override DISABLE_BOOL=y
> endif
> ifeq ($(DISABLE_RPM),y)
> DISABLE_FLAGS+= -DDISABLE_RPM
> @@ -12,6 +13,9 @@ endif
> ifeq ($(DISABLE_SETRANS),y)
> DISABLE_FLAGS+= -DDISABLE_SETRANS
> endif
> +ifeq ($(DISABLE_BOOL),y)
> + DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
> export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>
> USE_PCRE2 ?= n
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>
> #define SELINUX_BOOL_DIR "/booleans/"
>
> +#ifndef DISABLE_BOOL
> +
> static int filename_select(const struct dirent *d)
> {
> if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
> goto out;
> }
>
> -hidden_def(security_get_boolean_names)
> -
> char *selinux_boolean_sub(const char *name)
> {
> char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
> return sub;
> }
>
> -hidden_def(selinux_boolean_sub)
> -
> static int bool_open(const char *name, int flag) {
> char *fname = NULL;
> char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
> return val;
> }
>
> -hidden_def(security_get_boolean_active)
> -
> int security_set_boolean(const char *name, int value)
> {
> int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
> return -1;
> }
>
> -hidden_def(security_set_boolean)
> -
> int security_commit_booleans(void)
> {
> int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
> return -1;
> }
>
> -hidden_def(security_commit_booleans)
> -
> static char *strtrim(char *dest, char *source, int size)
> {
> int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
> errno = EINVAL;
> return errors ? -1 : 0;
> }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> + SELboolean * boollist __attribute__((unused)),
> + int permanent __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> + int *len __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> + int value __attribute__((unused)))
> +{
> + return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> + return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> + return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
>