
libselinux: re-introduce DISABLE_BOOL=y

Message ID 1475172145-16428-1-git-send-email-william.c.roberts@intel.com (mailing list archive)
State Not Applicable

Commit Message

Roberts, William C Sept. 29, 2016, 6:02 p.m. UTC
From: William Roberts <william.c.roberts@intel.com>

Provide stubs for the public boolean API that always return -1.

On Android, boolean symbols are needed for:
external/ltrace/sysdeps/linux-gnu/trace.c

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/Makefile       |  4 +++
 libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 58 insertions(+), 10 deletions(-)

Comments

Stephen Smalley Sept. 29, 2016, 6:08 p.m. UTC | #1
On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
> From: William Roberts <william.c.roberts@intel.com>
> 
> Provide stubs to the public boolean API that always returns -1.
> 
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c

Is this really worth doing?

> 
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libselinux/Makefile       |  4 +++
>  libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
>  2 files changed, 58 insertions(+), 10 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>  ANDROID_HOST ?= n
>  ifeq ($(ANDROID_HOST),y)
>  	override DISABLE_SETRANS=y
> +	override DISABLE_BOOL=y
>  endif
>  ifeq ($(DISABLE_RPM),y)
>  	DISABLE_FLAGS+= -DDISABLE_RPM
> @@ -12,6 +13,9 @@ endif
>  ifeq ($(DISABLE_SETRANS),y)
>  	DISABLE_FLAGS+= -DDISABLE_SETRANS
>  endif
> +ifeq ($(DISABLE_BOOL),y)
> +	DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>  
>  USE_PCRE2 ?= n
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>  
>  #define SELINUX_BOOL_DIR "/booleans/"
>  
> +#ifndef DISABLE_BOOL
> +
>  static int filename_select(const struct dirent *d)
>  {
>  	if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>  	goto out;
>  }
>  
> -hidden_def(security_get_boolean_names)
> -
>  char *selinux_boolean_sub(const char *name)
>  {
>  	char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
>  	return sub;
>  }
>  
> -hidden_def(selinux_boolean_sub)
> -
>  static int bool_open(const char *name, int flag) {
>  	char *fname = NULL;
>  	char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>  	return val;
>  }
>  
> -hidden_def(security_get_boolean_active)
> -
>  int security_set_boolean(const char *name, int value)
>  {
>  	int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>  		return -1;
>  }
>  
> -hidden_def(security_set_boolean)
> -
>  int security_commit_booleans(void)
>  {
>  	int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>  		return -1;
>  }
>  
> -hidden_def(security_commit_booleans)
> -
>  static char *strtrim(char *dest, char *source, int size)
>  {
>  	int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>  		errno = EINVAL;
>  	return errors ? -1 : 0;
>  }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> +	SELboolean * boollist __attribute__((unused)),
> +	int permanent __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> +	int *len __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> +	int value __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> +	return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> +	return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
>
William Roberts Sept. 29, 2016, 6:15 p.m. UTC | #2
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>> From: William Roberts <william.c.roberts@intel.com>
>>
>> Provide stubs to the public boolean API that always returns -1.
>>
>> On Android, boolean symbols are needed for:
>> external/ltrace/sysdeps/linux-gnu/trace.c
>
> Is this really worth doing?

It's this or disabling SELinux support in that source via #define; that
source has HAVE_LIBSELINUX.

But it would seem confusing IMHO to have a libselinux.so, so one would
set HAVE_LIBSELINUX=1,
and you're getting link errors.

Seems to be yet-another red-hat contribution from a long time ago:

commit cec06ec8282c538a40bde968ae36fe8356daffaa
Author: Petr Machata <pmachata@redhat.com>
Date:   Tue Apr 10 13:31:55 2012 +0200

    Warn when we fail to trace and SELinux boolean deny_ptrace is in effect

diff --git a/ChangeLog b/ChangeLog
index c095263..6107a12 100644

>
>>
>> Signed-off-by: William Roberts <william.c.roberts@intel.com>
>> ---
>>  libselinux/Makefile       |  4 +++
>>  libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
>>  2 files changed, 58 insertions(+), 10 deletions(-)
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index f607115..b5f32bb 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>>  ANDROID_HOST ?= n
>>  ifeq ($(ANDROID_HOST),y)
>>       override DISABLE_SETRANS=y
>> +     override DISABLE_BOOL=y
>>  endif
>>  ifeq ($(DISABLE_RPM),y)
>>       DISABLE_FLAGS+= -DDISABLE_RPM
>> @@ -12,6 +13,9 @@ endif
>>  ifeq ($(DISABLE_SETRANS),y)
>>       DISABLE_FLAGS+= -DDISABLE_SETRANS
>>  endif
>> +ifeq ($(DISABLE_BOOL),y)
>> +     DISABLE_FLAGS+= -DDISABLE_BOOL
>> +endif
>>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>>
>>  USE_PCRE2 ?= n
>> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
>> index c438af1..cbb0610 100644
>> --- a/libselinux/src/booleans.c
>> +++ b/libselinux/src/booleans.c
>> @@ -25,6 +25,8 @@
>>
>>  #define SELINUX_BOOL_DIR "/booleans/"
>>
>> +#ifndef DISABLE_BOOL
>> +
>>  static int filename_select(const struct dirent *d)
>>  {
>>       if (d->d_name[0] == '.'
>> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>>       goto out;
>>  }
>>
>> -hidden_def(security_get_boolean_names)
>> -
>>  char *selinux_boolean_sub(const char *name)
>>  {
>>       char *sub = NULL;
>> @@ -141,8 +141,6 @@ out:
>>       return sub;
>>  }
>>
>> -hidden_def(selinux_boolean_sub)
>> -
>>  static int bool_open(const char *name, int flag) {
>>       char *fname = NULL;
>>       char *alt_name = NULL;
>> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>>       return val;
>>  }
>>
>> -hidden_def(security_get_boolean_active)
>> -
>>  int security_set_boolean(const char *name, int value)
>>  {
>>       int fd, ret;
>> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>>               return -1;
>>  }
>>
>> -hidden_def(security_set_boolean)
>> -
>>  int security_commit_booleans(void)
>>  {
>>       int fd, ret;
>> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>>               return -1;
>>  }
>>
>> -hidden_def(security_commit_booleans)
>> -
>>  static char *strtrim(char *dest, char *source, int size)
>>  {
>>       int i = 0;
>> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>>               errno = EINVAL;
>>       return errors ? -1 : 0;
>>  }
>> +
>> +#else
>> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
>> +     SELboolean * boollist __attribute__((unused)),
>> +     int permanent __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_load_booleans(char *path __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_get_boolean_names(char ***names __attribute__((unused)),
>> +     int *len __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_get_boolean_pending(const char *name __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_get_boolean_active(const char *name __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_set_boolean(const char *name __attribute__((unused)),
>> +     int value __attribute__((unused)))
>> +{
>> +     return -1;
>> +}
>> +
>> +int security_commit_booleans(void)
>> +{
>> +     return -1;
>> +}
>> +
>> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
>> +{
>> +     return NULL;
>> +}
>> +#endif
>> +
>> +hidden_def(security_get_boolean_names)
>> +hidden_def(selinux_boolean_sub)
>> +hidden_def(security_get_boolean_active)
>> +hidden_def(security_set_boolean)
>> +hidden_def(security_commit_booleans)
>>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
Stephen Smalley Sept. 29, 2016, 6:44 p.m. UTC | #3
On 09/29/2016 02:15 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>> From: William Roberts <william.c.roberts@intel.com>
>>>
>>> Provide stubs to the public boolean API that always returns -1.
>>>
>>> On Android, boolean symbols are needed for:
>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>
>> Is this really worth doing?
> 
> It's this or disabling that selinux via #define, which that source has
> HAVE_LIBSELINUX.
> 
> But it would seem confusing IMHO to have a libselinux.so, so one would
> set HAVE_LIBSELINUX=1,
> and you're getting link errors.

Maybe I don't understand.  Obviously it builds today with
external/libselinux without requiring this change.  Why do we need this now?
William Roberts Sept. 29, 2016, 6:46 p.m. UTC | #4
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:15 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>
>>>> Provide stubs to the public boolean API that always returns -1.
>>>>
>>>> On Android, boolean symbols are needed for:
>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>
>>> Is this really worth doing?
>>
>> It's this or disabling that selinux via #define, which that source has
>> HAVE_LIBSELINUX.
>>
>> But it would seem confusing IMHO to have a libselinux.so, so one would
>> set HAVE_LIBSELINUX=1,
>> and you're getting link errors.
>
> Maybe I don't understand.  Obviously it builds today with
> external/libselinux without requiring this change.  Why do we need this now?
>

Richard Haines was doing further testing, and was building a different
lunch target for the
arm emulator and hit this issue. I have only tested x86_64 emulator.
Stephen Smalley Sept. 29, 2016, 6:54 p.m. UTC | #5
On 09/29/2016 02:46 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>
>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>
>>>>> On Android, boolean symbols are needed for:
>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>
>>>> Is this really worth doing?
>>>
>>> It's this or disabling that selinux via #define, which that source has
>>> HAVE_LIBSELINUX.
>>>
>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>> set HAVE_LIBSELINUX=1,
>>> and you're getting link errors.
>>
>> Maybe I don't understand.  Obviously it builds today with
>> external/libselinux without requiring this change.  Why do we need this now?
>>
> 
> Richard Haines was doing further testing, and was building a different
> lunch target for the
> arm emulator and hit this issue. I have only tested x86_64 emulator.

No, I mean that this is not required in external/libselinux (the Android
fork) today.  So why is it needed here?  The Android fork builds
src/booleans.c for the target.  It doesn't hurt anything to leave the
code there.  The underlying kernel interface via selinuxfs still exists.
 There just won't be any booleans in the policy.
William Roberts Sept. 29, 2016, 7:15 p.m. UTC | #6
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 09/29/2016 02:46 PM, William Roberts wrote:
>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>
>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>
>>>>>> On Android, boolean symbols are needed for:
>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>
>>>>> Is this really worth doing?
>>>>
>>>> It's this or disabling that selinux via #define, which that source has
>>>> HAVE_LIBSELINUX.
>>>>
>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>> set HAVE_LIBSELINUX=1,
>>>> and you're getting link errors.
>>>
>>> Maybe I don't understand.  Obviously it builds today with
>>> external/libselinux without requiring this change.  Why do we need this now?
>>>
>>
>> Richard Haines was doing further testing, and was building a different
>> lunch target for the
>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>
> No, I mean that this is not required in external/libselinux (the Android
> fork) today.  So why is it needed here?  The Android fork builds
> src/booleans.c for the target.  It doesn't hurt anything to leave the
> code there.  The underlying kernel interface via selinuxfs still exists.
>  There just won't be any booleans in the policy.
>

The target builds a modified booleans; if we use booleans as is, we start
down the config c file
rabbit hole...

external/selinux/libselinux/src/booleans.c:100: error: undefined
reference to 'selinux_booleans_subs_path'
external/selinux/libselinux/src/booleans.c:388: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:529: error: undefined
reference to 'selinux_booleans_path'
external/selinux/libselinux/src/booleans.c:545: error: undefined
reference to 'selinux_booleans_path'
clang++.real: error: linker command failed with exit code 1 (use -v to
see invocation)

I can take a look at that and see how much of a PITA it would be to
pull that in.
William Roberts Sept. 29, 2016, 7:27 p.m. UTC | #7
On Thu, Sep 29, 2016 at 3:15 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>>
>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>
>>>>>>> On Android, boolean symbols are needed for:
>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>
>>>>>> Is this really worth doing?
>>>>>
>>>>> It's this or disabling that selinux via #define, which that source has
>>>>> HAVE_LIBSELINUX.
>>>>>
>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>> set HAVE_LIBSELINUX=1,
>>>>> and you're getting link errors.
>>>>
>>>> Maybe I don't understand.  Obviously it builds today with
>>>> external/libselinux without requiring this change.  Why do we need this now?
>>>>
>>>
>>> Richard Haines was doing further testing, and was building a different
>>> lunch target for the
>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>
>> No, I mean that this is not required in external/libselinux (the Android
>> fork) today.  So why is it needed here?  The Android fork builds
>> src/booleans.c for the target.  It doesn't hurt anything to leave the
>> code there.  The underlying kernel interface via selinuxfs still exists.
>>  There just won't be any booleans in the policy.
>>
>
> The target builds a modified booleans, if use booleans as is, we start
> down the config c file
> rabbit hole...
>
> external/selinux/libselinux/src/booleans.c:100: error: undefined
> reference to 'selinux_booleans_subs_path'
> external/selinux/libselinux/src/booleans.c:388: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:529: error: undefined
> reference to 'selinux_booleans_path'
> external/selinux/libselinux/src/booleans.c:545: error: undefined
> reference to 'selinux_booleans_path'
> clang++.real: error: linker command failed with exit code 1 (use -v to
> see invocation)
>
> I can take a look at that and see how much of a PITA it would be to
> pull that in.

external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:100: error: undefined
reference to 'fgets_unlocked'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'require_seusers'
external/selinux/libselinux/src/selinux_config.c:231: error: undefined
reference to 'load_setlocaldefs'

fgets should be easy enough
load_setlocaldefs is an exported integer value used in init_selinux_config()
require_seusers is another exported int from seusers.c

I was figuring since we don't use any bools, to keep the size down,
just stubbing dummies is the
easiest route.

We could do something like STATIC_CONFIG and just stub in what things
need and return the explicit paths.
Stephen Smalley Sept. 29, 2016, 7:37 p.m. UTC | #8
On 09/29/2016 03:27 PM, William Roberts wrote:
> On Thu, Sep 29, 2016 at 3:15 PM, William Roberts
> <bill.c.roberts@gmail.com> wrote:
>> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On 09/29/2016 02:46 PM, William Roberts wrote:
>>>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On 09/29/2016 02:15 PM, William Roberts wrote:
>>>>>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>>>> On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
>>>>>>>> From: William Roberts <william.c.roberts@intel.com>
>>>>>>>>
>>>>>>>> Provide stubs to the public boolean API that always returns -1.
>>>>>>>>
>>>>>>>> On Android, boolean symbols are needed for:
>>>>>>>> external/ltrace/sysdeps/linux-gnu/trace.c
>>>>>>>
>>>>>>> Is this really worth doing?
>>>>>>
>>>>>> It's this or disabling that selinux via #define, which that source has
>>>>>> HAVE_LIBSELINUX.
>>>>>>
>>>>>> But it would seem confusing IMHO to have a libselinux.so, so one would
>>>>>> set HAVE_LIBSELINUX=1,
>>>>>> and you're getting link errors.
>>>>>
>>>>> Maybe I don't understand.  Obviously it builds today with
>>>>> external/libselinux without requiring this change.  Why do we need this now?
>>>>>
>>>>
>>>> Richard Haines was doing further testing, and was building a different
>>>> lunch target for the
>>>> arm emulator and hit this issue. I have only tested x86_64 emulator.
>>>
>>> No, I mean that this is not required in external/libselinux (the Android
>>> fork) today.  So why is it needed here?  The Android fork builds
>>> src/booleans.c for the target.  It doesn't hurt anything to leave the
>>> code there.  The underlying kernel interface via selinuxfs still exists.
>>>  There just won't be any booleans in the policy.
>>>
>>
>> The target builds a modified booleans, if use booleans as is, we start
>> down the config c file
>> rabbit hole...
>>
>> external/selinux/libselinux/src/booleans.c:100: error: undefined
>> reference to 'selinux_booleans_subs_path'
>> external/selinux/libselinux/src/booleans.c:388: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:529: error: undefined
>> reference to 'selinux_booleans_path'
>> external/selinux/libselinux/src/booleans.c:545: error: undefined
>> reference to 'selinux_booleans_path'
>> clang++.real: error: linker command failed with exit code 1 (use -v to
>> see invocation)
>>
>> I can take a look at that and see how much of a PITA it would be to
>> pull that in.
> 
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:100: error: undefined
> reference to 'fgets_unlocked'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'require_seusers'
> external/selinux/libselinux/src/selinux_config.c:231: error: undefined
> reference to 'load_setlocaldefs'
> 
> fgets should be easy enough
> load_setlocaldefs is an exported integer value used in init_selinux_config()
> require_seusers is another exported int form seusers.c
> 
> I was figuring since we don't use any bools, to keep the size down,
> just stubbing dummies is the
> easiest route.
> 
> We could do something like STATIC_CONFIG and just stub in what things
> need and return the explicit paths.

Never mind, I'll take your original patch.
Stephen Smalley Sept. 29, 2016, 7:42 p.m. UTC | #9
On 09/29/2016 02:02 PM, william.c.roberts@intel.com wrote:
> From: William Roberts <william.c.roberts@intel.com>
> 
> Provide stubs to the public boolean API that always returns -1.
> 
> On Android, boolean symbols are needed for:
> external/ltrace/sysdeps/linux-gnu/trace.c

Thanks, applied.

> 
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libselinux/Makefile       |  4 +++
>  libselinux/src/booleans.c | 64 +++++++++++++++++++++++++++++++++++++++--------
>  2 files changed, 58 insertions(+), 10 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index f607115..b5f32bb 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y
>  ANDROID_HOST ?= n
>  ifeq ($(ANDROID_HOST),y)
>  	override DISABLE_SETRANS=y
> +	override DISABLE_BOOL=y
>  endif
>  ifeq ($(DISABLE_RPM),y)
>  	DISABLE_FLAGS+= -DDISABLE_RPM
> @@ -12,6 +13,9 @@ endif
>  ifeq ($(DISABLE_SETRANS),y)
>  	DISABLE_FLAGS+= -DDISABLE_SETRANS
>  endif
> +ifeq ($(DISABLE_BOOL),y)
> +	DISABLE_FLAGS+= -DDISABLE_BOOL
> +endif
>  export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
>  
>  USE_PCRE2 ?= n
> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
> index c438af1..cbb0610 100644
> --- a/libselinux/src/booleans.c
> +++ b/libselinux/src/booleans.c
> @@ -25,6 +25,8 @@
>  
>  #define SELINUX_BOOL_DIR "/booleans/"
>  
> +#ifndef DISABLE_BOOL
> +
>  static int filename_select(const struct dirent *d)
>  {
>  	if (d->d_name[0] == '.'
> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len)
>  	goto out;
>  }
>  
> -hidden_def(security_get_boolean_names)
> -
>  char *selinux_boolean_sub(const char *name)
>  {
>  	char *sub = NULL;
> @@ -141,8 +141,6 @@ out:
>  	return sub;
>  }
>  
> -hidden_def(selinux_boolean_sub)
> -
>  static int bool_open(const char *name, int flag) {
>  	char *fname = NULL;
>  	char *alt_name = NULL;
> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name)
>  	return val;
>  }
>  
> -hidden_def(security_get_boolean_active)
> -
>  int security_set_boolean(const char *name, int value)
>  {
>  	int fd, ret;
> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value)
>  		return -1;
>  }
>  
> -hidden_def(security_set_boolean)
> -
>  int security_commit_booleans(void)
>  {
>  	int fd, ret;
> @@ -327,8 +321,6 @@ int security_commit_booleans(void)
>  		return -1;
>  }
>  
> -hidden_def(security_commit_booleans)
> -
>  static char *strtrim(char *dest, char *source, int size)
>  {
>  	int i = 0;
> @@ -567,3 +559,55 @@ int security_load_booleans(char *path)
>  		errno = EINVAL;
>  	return errors ? -1 : 0;
>  }
> +
> +#else
> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
> +	SELboolean * boollist __attribute__((unused)),
> +	int permanent __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_load_booleans(char *path __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_names(char ***names __attribute__((unused)),
> +	int *len __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_pending(const char *name __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_get_boolean_active(const char *name __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_set_boolean(const char *name __attribute__((unused)),
> +	int value __attribute__((unused)))
> +{
> +	return -1;
> +}
> +
> +int security_commit_booleans(void)
> +{
> +	return -1;
> +}
> +
> +char *selinux_boolean_sub(const char *name __attribute__((unused)))
> +{
> +	return NULL;
> +}
> +#endif
> +
> +hidden_def(security_get_boolean_names)
> +hidden_def(selinux_boolean_sub)
> +hidden_def(security_get_boolean_active)
> +hidden_def(security_set_boolean)
> +hidden_def(security_commit_booleans)
>

Patch

diff --git a/libselinux/Makefile b/libselinux/Makefile
index f607115..b5f32bb 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -5,6 +5,7 @@  DISABLE_RPM ?= y
 ANDROID_HOST ?= n
 ifeq ($(ANDROID_HOST),y)
 	override DISABLE_SETRANS=y
+	override DISABLE_BOOL=y
 endif
 ifeq ($(DISABLE_RPM),y)
 	DISABLE_FLAGS+= -DDISABLE_RPM
@@ -12,6 +13,9 @@  endif
 ifeq ($(DISABLE_SETRANS),y)
 	DISABLE_FLAGS+= -DDISABLE_SETRANS
 endif
+ifeq ($(DISABLE_BOOL),y)
+	DISABLE_FLAGS+= -DDISABLE_BOOL
+endif
 export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
 
 USE_PCRE2 ?= n
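Review bot: `DISABLE_BOOL` is not added to the `export` line that closes this hunk, so when it is set by the `override` under `ANDROID_HOST` (previous hunk) sub-makes see it only as `-DDISABLE_BOOL` inside `DISABLE_FLAGS`, unlike `DISABLE_SETRANS` and `DISABLE_RPM`. If a sub-Makefile ever needs to test the switch itself, it will find it unset; either extend the line to `export DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL DISABLE_FLAGS ANDROID_HOST` or add a comment that the switch is consumed only through the preprocessor define. A comment next to the new `ifeq`, such as `# DISABLE_BOOL=y replaces the SELinux boolean API with stubs that always fail`, would also tell builders what they are turning off.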
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index c438af1..cbb0610 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -25,6 +25,8 @@ 
 
 #define SELINUX_BOOL_DIR "/booleans/"
 
+#ifndef DISABLE_BOOL
+
 static int filename_select(const struct dirent *d)
 {
 	if (d->d_name[0] == '.'
@@ -85,8 +87,6 @@  int security_get_boolean_names(char ***names, int *len)
 	goto out;
 }
 
-hidden_def(security_get_boolean_names)
-
 char *selinux_boolean_sub(const char *name)
 {
 	char *sub = NULL;
@@ -141,8 +141,6 @@  out:
 	return sub;
 }
 
-hidden_def(selinux_boolean_sub)
-
 static int bool_open(const char *name, int flag) {
 	char *fname = NULL;
 	char *alt_name = NULL;
@@ -262,8 +260,6 @@  int security_get_boolean_active(const char *name)
 	return val;
 }
 
-hidden_def(security_get_boolean_active)
-
 int security_set_boolean(const char *name, int value)
 {
 	int fd, ret;
@@ -297,8 +293,6 @@  int security_set_boolean(const char *name, int value)
 		return -1;
 }
 
-hidden_def(security_set_boolean)
-
 int security_commit_booleans(void)
 {
 	int fd, ret;
@@ -327,8 +321,6 @@  int security_commit_booleans(void)
 		return -1;
 }
 
-hidden_def(security_commit_booleans)
-
 static char *strtrim(char *dest, char *source, int size)
 {
 	int i = 0;
@@ -567,3 +559,55 @@  int security_load_booleans(char *path)
 		errno = EINVAL;
 	return errors ? -1 : 0;
 }
+
+#else
+int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
+	SELboolean * boollist __attribute__((unused)),
+	int permanent __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_load_booleans(char *path __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_get_boolean_names(char ***names __attribute__((unused)),
+	int *len __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_get_boolean_pending(const char *name __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_get_boolean_active(const char *name __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_set_boolean(const char *name __attribute__((unused)),
+	int value __attribute__((unused)))
+{
+	return -1;
+}
+
+int security_commit_booleans(void)
+{
+	return -1;
+}
+
+char *selinux_boolean_sub(const char *name __attribute__((unused)))
+{
+	return NULL;
+}
+#endif
+
+hidden_def(security_get_boolean_names)
+hidden_def(selinux_boolean_sub)
+hidden_def(security_get_boolean_active)
+hidden_def(security_set_boolean)
+hidden_def(security_commit_booleans)
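Review bot: The stubs added after `#else` return -1 (NULL for `selinux_boolean_sub`) without setting errno, so a caller that reports the failure through errno or perror() sees whatever value an earlier call left behind. Adding `errno = ENOTSUP;` before each `return` would make "boolean support compiled out" distinguishable from a real selinuxfs error; the non-stub code already assigns errno (`errno = EINVAL;` in the context lines of this hunk). A short comment above the stubs should also say that `security_get_boolean_active()` and `security_get_boolean_pending()` now always yield -1, because a caller that tests the result for truth instead of comparing it with 1 would read that as an enabled boolean. Since the `#ifndef` sits several hundred lines above, closing with `#endif /* DISABLE_BOOL */` would make the pairing easier to follow.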