The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
Added "-G, --expand_generated" option to specify that all automatically
generated attributes should be expanded and removed.
Added "-X, --expand_size <SIZE>" option to specify which attributes
are expanded when building a kernel policy. All attributes that have
less types assigned to it than SIZE will be expanded when writing AV
rules.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Please see go/android-upstream for merging a remote tracking branch into
Android. Automatic replication is already enabled for external/selinux.
This just merges those changes into Android's master branch.
The following patches are included in this merge:
7fe9a7be libsepol/cil: use __cil_ordered_lists_destroy() to free unordered_classorder_lists
602385d7 libsepol/cil: free the first operand if the second one is invalid
9feaf038 libsepol/cil: do not leak left-hand side of an invalid constraint
95e5c103 libsepol/cil: free bitmaps in cil_level_equals()
a2d40aae libsepol/cil: Move initialization of bitmap in __cil_permx_to_bitmap()
1cd3e1a4 libselinux, libsemanage: make PYPREFIX computation more robust
ed51e23f sepolgen: strip non-printable characters when parsing audit messages
32288896 semodule_package: do not leak memory when using -u or -s
ddaf0afe libsepol/cil: do not dereference args before checking it was not null
4176a292 libsemanage: never call memcpy with a NULL value
ccfbd9aa libsemanage/tests: include libsepol headers from $DESTDIR
6305bfbc mcstrans: do not dereference color_str if it is NULL
ded385d3 libselinux: initialize temp value in SWIG wrapper to prevent freeing garbage
43b24f01 libsepol: Define cgroup_seclabel policy capability
e720859f restorecond: add noreturn attribute to exitApp()
ef61dd7d checkpolicy: add noreturn attribute to usage()
840a7c91 secilc: add noreturn attribute to usage()
2f8926f7 mcstrans: add noreturn attribute to usage()
28a6a560 semodule-utils: add noreturn attribute to usage()
cd20f9c2 policycoreutils: add noreturn attribute to usage()
718bc4bc python/sepolicy: fix obtaining domain name in HTMLManPages
fba9d010 Python 3.6 invalid escape sequence deprecation fixes
317743bb python/semanage: fix export of fcontext socket entries
08648145 libsepol/cil: make reporting conflicting type transitions work
6707526f libsepol/cil: avoid freeing uninitialized values
9087bb9c checkpolicy: dereference rangehead after checking it was not NULL
dd11ab6f checkpolicy: Fix minor memory leak in checkpolicy
c408c70b libsepol/cil: Allow hexadecimal numbers in Xen context rules
526d0dad libsepol: Update module_to_cil to output hexadecimal for Xen rules
da2f2316 libsepol/cil: Use hexadecimal numbers when writing Xen rules
af0ce03e libsepol/cil: Add hexadecimal support for Xen ioportcon statements
4ccc267f mcstrans: fix typo in mcstransd.8 man page
6e3c3595 libsepol/cil: do not dereference a NULL pointer when calloc() fails
8c662db9 policycoreutils: fixfiles should handle path arguments more robustly
d0fafe03 policycoreutils: fixfiles: handle unexpected spaces in command
1da6fb06 policycoreutils/setfiles: stdout messages don't need program prefix
1ac883f1 policycoreutils/setfiles: don't scramble stdout and stderr together
5ed45797 policycoreutils: fixfiles: remove useless use of cat
a83f1cfd libsepol: do not dereference a NULL pointer when stack_init() fails
76f8c04c libsepol: make process_boolean() fail on invalid lines
b6579d26 libsepol: constify sepol_genbools()'s boolpath parameter
b251dbba libsepol: fix use-after-free in sepol_user_clone()
0438d5c4 libsemanage: do not close uninitialized file descriptors
85da6194 libsemanage: do not dereference a NULL pointer when calloc() fails
03298a22 libsemanage: genhomedircon: fix possible double-free
70a480bf libsepol: Add ability to convert binary policy to CIL
0a08fd1e libsepol: Add ability to convert binary policy to policy.conf file
13c27d6c checkpolicy: Add options to convert binary policy to CIL or a policy.conf
92f22e19 libsepol: In module_to_cil create one attribute for each unique set
Bug: 36508258
Test: code compiles and device boots, no obvious problems.
Change-Id: Id4b3df6aa651eca267f4fc28af1cfeb8825218c0
Changes included in this merge:
9872b04a libsepol: check decl_id bounds before using it
fb237459 libsepol: detect duplicated symbol IDs
a206297e mcstrans/utils: make "make all" use $DESTDIR
527380a1 libsepol/tests: use LDFLAGS when linking
1c187d79 checkpolicy: remove -lfl from LDLIBS
ab270850 libsepol,libsemanage: write file name in flex output
c034875c policycoreutils/sepolicy/gui: fix current selinux state radiobutton
cf8625be libsepol: do not #include <sys/cdefs.h>
dd8d5671 libselinux: avcstat: Clean up redundant condition
fff90bd2 libsepol: sepol_av_to_string: clear static buffer
7e09f584 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
041e0010 python/sepolicy/sepolicy/gui: Fix getting python lib path
86e568c2 python/semanage/semanage: Unify argument handling
3fe4499f libsepol/cil: Add ability to write policy.conf file from CIL AST
93e677d8 secilc: Add secil2conf which creates a policy.conf from CIL policy
9e81e611 libsepol: Fix neverallow checking to also check the other types when self is included in a target type set.
468a0dba seobject: Handle python error returns correctly
Test: Android compiles and the device boots
Change-Id: I3ceb4d0ff9ee96d6347d33e6351e4846a8f37038
The program secil2conf uses the libsepol function
cil_write_policy_conf() to create a policy.conf file from CIL policy.
By default a file called "policy.conf" will be created, but the "-o"
option can be used to write to a different file. The "-M" option can
be used to override the mls statement in CIL. The "-P" option will
cause tunables to be treated as booleans.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commits included in this merge:
2e4d0bc8 Move policycoreutils/gui to gui.
4cc80867 Move policycoreutils/mcstrans to mcstrans.
00be1363 Move policycoreutils/restorecond to restorecond.
97bf196c Move policycoreutils/sandbox to sandbox.
63e6dba9 Move policycoreutils/sepolicy dbus service files to dbus.
48dc2326 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
c9c97d6e Move policycoreutils/semodule_{deps,expand,link} to semodule-utils.
3dcdc463 Make it easy to omit optional components.
fe740954 Build mcstrans.
233fe333 mcstrans: Add .gitignore file
eeba5952 mcstrans: Add a relabel target.
50be5fcc Move sepolicy desktop and png files to gui.
b97d959a Move policycoreutils/sepolgen-ifgen into python/audit2allow.
6e4bb702 mcstrans: fix clang warnings
1c8505da Update release script for the new structure.
f0cc9543 Fix release script for packages that need prefixes.
6bd0b553 Add VERSION files for new components
65f5868c Move policycoreutils/semodule_package to semodule-utils.
44801294 restorecond: break source dependency on policycoreutils/setfiles
f0e61d33 Fix release script
25c167a6 Add COPYING files for new subdirs.
618a64ae semodule-utils: Drop -lselinux from Makefiles.
30cbe52c mcstrans: Fix Werror=shadow errors
089000ad mcstrans: take LIBDIR from args, dont guess
9123b38c Add stub make test targets to new subdirs
62cb9fc1 mcstrans: Add utils gitignore
c094ca96 restorecond: Add gitignore
7935dee8 Drop ChangeLog files
07ba7c68 mcstrans: Fix signed/unsigned warnings
af9f477f policydb.h: use AVTAB macros to avoid duplications
dcd473d5 expand_avrule_helper: cleanup
4129eb49 expand_terule_helper: cleanups
945bc885 sandbox: make test not fail on systems without SELinux
a441d510 mcstrans: fix global "make install"
489dd595 libselinux: audit2why: remove unused module_state structure
9140de74 libselinux, libsemanage: use Python-specific .so extension
a609434b libselinux: normalize enforce values from the kernel
49bfee85 checkpolicy: treat -self as an error
8f9057c2 label_file.h: actually use the results of compat_validate
Test: device boots with no obvious problems.
Change-Id: Ie0631d36bdfcbab4cd35d3f115e88e5e5b7ecf70
When running "make all" several times in the root directory of the
project, the following lines always appear (and the command takes some
seconds to complete on my system with a slow hard drive):
xmlto man secilc.8.xml
Note: Writing secilc.8
This is because "make man" always builds secilc.8 even though
secilc.8.xml has not been modified. Introduce an intermediate target to
avoid this behavior.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Also clean up some LOCAL_C_INCLUDES as it should be included
by LOCAL_EXPORT_C_INCLUDE_DIRS from libsepol.
BUG=31366888
Change-Id: I0e21279097f0635761672b838ad26861fc49e9ea
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This adds CIL and checkpolicy support for the (portcon dccp ...)
statement. The kernel already handles name_bind and name_connect
permissions for the dccp_socket class.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- Update libsepol dependency to 2.5
- Update Makefile to build the man page when just running 'make'
https://marc.info/?l=selinux&m=145220517200709&w=2
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.
The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.
The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.
Running make will now convert the github markdown into PDF and HTML.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Resolves https://github.com/SELinuxProject/cil/issues/3
An 'unordered' keyword provides the ability to append classes to the current
list of ordered classes. This allows users to not need knowledge of existing
classes when creating a class and fixes dependencies on classes when removing a
module. This enables userspace object managers with custom objects to be
modularized.
If a class is declared in both an unordered and ordered statement, then the
ordered statement will supercede the unordered declaration.
Example usage:
; Appends new_class to the existing list of classes
(class new_class ())
(classorder (unordered new_class))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.
Also, disallow roleattributes where roles are accepted in contexts.
Specify a userattribute
(userattribute foo)
Add users to the set foo
(userattributeset foo (u1 u2))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Also removes *bounds statements in policy.cil, which had bounds
violations and are better tested in other test files.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
So that building from top-level as per the README does not
fail when it reaches the secilc directory.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Omit the versioned symbols and simply use the current interfaces
when building on Android.
Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.
Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.
- Move secilc source, test policies, docs, and secilc manpage to secilc
directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>