When building with clang, multiple noreturn issues arise,
for instance:
selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
Fix these.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As reported by Nicolas Iooss, the clang + linux build seems
broken:
clang-3.9: warning: argument unused during compilation: '-undefined
dynamic_lookup'
/usr/bin/ld: unrecognised option: -install_name
clang-3.9: error: linker command failed with exit code 1 (use -v to
see invocation)
We already have those options set for Darwin, just drop them from the
clang side.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Loop designed for stripping leading "//" was changing
the only pointer referencing block of memory allocated
by "strdup", resulting in "free()" failure. The loop
had no effect because "realpath" is used later on.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598
Signed-off-by: vmojzis <vmojzis@redhat.com>
Add clean targets to just clean the python and ruby wrapper objects
Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To build on mac, first build libsepol with
no DESTDIR set.
Secondly, build libselinux with ANDROID_HOST=y
This configuration can be used to test the Android
host build on Mac.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac, one encounters this error:
sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
To correct this, add the attribute noreturn to the function.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac with ANDROID_HOST=y, clang complains:
sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16* block = (CHAR64LONG16*) workspace;
Rather then casting the bytearray to the CHAR64LONG16 union,
just create a stack workspace of type CHAR64LONG16.
This will prevent alignment issues with the data accesses.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on Mac, outside of the Android tree, with ANDROID_HOST=y, this warning
is observed:
label.c:102:9: warning: implicit declaration of function 'fgets_unlocked' is invalid in C99 [-Wimplicit-function-declaration]
while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
Fix it by using the fgets_unlocked define that was introduced for Android, just apply it for mac builds
as well.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The realpath logic in selinux_restorecon() was taken from the
Android libselinux fork. However, bionic dirname() and basename()
do not modify their argument and therefore are safe to call on a
const string. POSIX dirname() and basename() can modify their argument.
There is a GNU basename() that does not modify its argument, but not
for dirname().
For portability, create copies of the original pathname for each call
and keep them around until finished using the result.
Fixes "restorecon -r goes up the tree?" bug reported by Jason Zaman.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Gentoo and Arch have pkg-config entries for "ruby-$(RUBYLIBVER)" but not
for "ruby". Check if that exists first then fall back to plain ruby if
it does not.
The ruby install paths were incorrect. Fedora 20 installed to
/usr/lib64/ruby/vendor_ruby/, Arch needs it to be vendor_ruby as well,
site_ruby does not work. Thanks to Nicolas Iooss for the correct way to
query for the path.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Provide stubs to the public boolean API that always returns -1.
On Android, boolean symbols are needed for:
external/ltrace/sysdeps/linux-gnu/trace.c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Android label back ends are now configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.
This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.
eg.)
make DISABLE_RPM=n
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building for Android, this error manifests itself:
label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
char subs_file[PATH_MAX + 1];
Fix it by moving the variable into the ifdef'd usage block.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
compatibility.
libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
sefcontext_compile was failing silently on various error paths.
Generate a suitable error message to stderr for each error.
Before:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
<no output, although non-zero exit status>
After:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
sefcontext_compile: mkstemp /path/to/unwritabledirectory/file_contexts.binNmQJqa failed: Permission denied
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
