Thanks for your kind reminder. The bitbucket pull reqeust link is:
https://bitbucket.org/seandroid/external-libselinux/pull-request/6/permanent-sebooleans-feature/diff Thanks, Haiqing On Wed, Dec 11, 2013 at 5:59 PM, William Roberts <[email protected]>wrote: > On Wed, Dec 11, 2013 at 8:39 PM, Haiqing Jiang <[email protected]> > wrote: > > --- > > include/selinux/selinux.h | 6 ++ > > src/android.c | 4 + > > src/booleans.c | 183 > +++++++++++++++++++++++++++++++++++++++++++-- > > src/selinux_internal.h | 2 + > > 4 files changed, 187 insertions(+), 8 deletions(-) > > > > diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h > > index c7c2571..c8690f4 100644 > > --- a/include/selinux/selinux.h > > +++ b/include/selinux/selinux.h > > @@ -244,6 +244,12 @@ extern int security_get_boolean_active(const char > *name); > > /* Set the pending value for the boolean */ > > extern int security_set_boolean(const char *name, int value); > > > > +/* Set the pending value for the permanent boolean */ > > +extern int security_set_permanent_boolean(const char *name, int value); > > + > > +/* reload permanent booleans */ > > +extern int security_reload_permanent_boolean(void); > > + > > /* Commit the pending values for the booleans */ > > extern int security_commit_booleans(void); > > > > diff --git a/src/android.c b/src/android.c > > index 8aa1ef6..146d0d7 100644 > > --- a/src/android.c > > +++ b/src/android.c > > @@ -774,6 +774,10 @@ int selinux_android_reload_policy(void) > > close(fd); > > selinux_log(SELINUX_INFO, "SELinux: Loaded policy from %s\n", > sepolicy_file[i-1]); > > > > + rc = security_reload_permanent_boolean(); > > + if (rc) > > + selinux_log(SELINUX_INFO, "SELinux: Fail to reload permanent > sebooleans\n"); > > + > > return 0; > > } > > > > diff --git a/src/booleans.c b/src/booleans.c > > index 60bf963..d3d289c 100644 > > --- a/src/booleans.c > > +++ b/src/booleans.c > > @@ -18,11 +18,13 @@ > > #include <limits.h> > > #include <ctype.h> > > #include <errno.h> > > +#include <fts.h> > > > > #include "selinux_internal.h" > > #include "policy.h" > > > > #define SELINUX_BOOL_DIR "/booleans/" > > +#define SELINUX_PBOOL_DIR "/data/security/booleans/" > > > > static int filename_select(const struct dirent *d) > > { > > @@ -33,6 +35,43 @@ static int filename_select(const struct dirent *d) > > return 1; > > } > > > > +static int readx(int fd, void *buf, size_t count) > > +{ > > + char *b = buf; > > + size_t n = 0, r; > > + > > + while (n < count) { > > + r = read(fd, b + n, count - n); > > + if (r < 0) { > > + if (errno == EINTR) > > + continue; > > + return -1; > > + } else { > > + if (r == 0) > > + return 0; /* EOF */ > > + } > > + n += r; > > + } > > + return 0; > > +} > > + > > +static int writex(int fd, const void *buf, size_t count) > > +{ > > + const char *b = buf; > > + size_t n = 0, r; > > + > > + while (n < count) { > > + r = write(fd, b + n, count - n); > > + if (r < 0) { > > + if (errno == EINTR) > > + continue; > > + return -1; > > + } > > + n += r; > > + } > > + return 0; > > +} > > + > > int security_get_boolean_names(char ***names, int *len) > > { > > char path[PATH_MAX]; > > @@ -202,6 +241,132 @@ int security_set_boolean(const char *name, int > value) > > > > hidden_def(security_set_boolean) > > > > +int security_set_permanent_boolean(const char *name, int value) > > +{ > > + int fd, ret, len; > > + char buf[2], *fname; > > + struct stat fstat; > > + > > + ret = security_set_boolean(name, value); > > + if (ret) { > > + fprintf(stderr, "Exceptions in security_set_boolean:%s\n", > > + strerror(errno)); > > + return -1; > > + } > > + len = strlen(name) + strlen(SELINUX_PBOOL_DIR) + 1; > > + fname = (char *)malloc(sizeof(char) * len); > > + if (!fname) > > + return -1; > > + snprintf(fname, len, "%s%s", SELINUX_PBOOL_DIR, name); > > + ret = stat(SELINUX_PBOOL_DIR, &fstat); > > + if (ret) > > + goto out; > > + > > + fd = open(fname, O_WRONLY | O_CREAT, S_IWUSR | S_IRUSR); > > + if (fd < 0) { > > + ret = -1; > > + goto out; > > + } > > + > > + if (value) > > + buf[0] = '1'; > > + else > > + buf[0] = '0'; > > + buf[1] = '\0'; > > + > > + ret = writex(fd, buf, 2); > > + close(fd); > > + out: > > + free(fname); > > + return ret; > > +} > > + > > +hidden_def(security_set_permanent_boolean) > > + > > +static int do_reload_permanent_boolean(FTSENT *ftsent) > > +{ > > + int fd, ret; > > + char buf[2]; > > + SELboolean b; > > + > > + fd = open(ftsent->fts_path, O_RDONLY); > > + if (fd < 0) { > > + fprintf(stderr, "Cannot open file %s:%s\n", > > + ftsent->fts_path, strerror(errno)); > > + return -1; > > + } > > + ret = readx(fd, buf, 2); > > + if (ret < 0) { > > + ret = -1; > > + goto out; > > + } > > + b.name = ftsent->fts_accpath; > > + switch (buf[0]) { > > + case '0': > > + b.value = 0; > > + break; > > + case '1': > > + b.value = 1; > > + break; > > + default: > > + fprintf(stderr, "No effective value for %s\n", b.name); > > + ret = -1; > > + goto out; > > + } > > + ret = security_set_boolean_list(1, &b, 0); > > + if (ret) { > > + fprintf(stderr, "Could not set %s to %s: %s\n", > > + ftsent->fts_accpath, buf, strerror(errno)); > > + ret = -1; > > + goto out; > > + } > > + ret = 0; > > + > > + out: > > + close(fd); > > + return ret; > > +} > > + > > +int security_reload_permanent_boolean(void) > > +{ > > + int ret; > > + int ftsflags = FTS_PHYSICAL; > > + FTS *fts; > > + FTSENT *ftsent; > > + > > + char *persbool[2] = { SELINUX_PBOOL_DIR, NULL }; > > + fts = fts_open(persbool, ftsflags, NULL); > > + if (!fts) { > > + fprintf(stderr, "Could not open %s:%s\n", > > + SELINUX_PBOOL_DIR, strerror(errno)); > > + return -1; > > + } > > + while ((ftsent = fts_read(fts))) { > > + switch (ftsent->fts_info) { > > + case FTS_DP: > > + break; > > + case FTS_DNR: > > + case FTS_ERR: > > + case FTS_NS: > > + fprintf(stderr, "Could not access %s: %s\n", > > + ftsent->fts_path,strerror(errno)); > > + fts_set(fts, ftsent, FTS_SKIP); > > + break; > > + case FTS_F: > > + ret = do_reload_permanent_boolean(ftsent); > > + if (ret) > > + fprintf(stderr, "Could not reload permanent > booleans successfully\n"); > > + break; > > + default: > > + break; > > + } > > + } > > + fts_close(fts); > > + return 0; > > +} > > + > > +hidden_def(security_reload_permanent_boolean) > > + > > int security_commit_booleans(void) > > { > > int fd, ret; > > @@ -243,16 +408,18 @@ static void rollback(SELboolean * boollist, int > end) > > } > > > > int security_set_boolean_list(size_t boolcnt, SELboolean * boollist, > > - int permanent __attribute__((unused))) > > + int permanent ) > > { > > - > > size_t i; > > - for (i = 0; i < boolcnt; i++) { > > - if (security_set_boolean(boollist[i].name, > boollist[i].value)) { > > - rollback(boollist, i); > > - return -1; > > - } > > - } > > + int (*setbool_function)(char *, int) = permanent ? > > + security_set_permanent_boolean : > security_set_boolean; > > + > > + for (i = 0; i < boolcnt; i++) { > > + if (setbool_function(boollist[i].name, boollist[i].value)) { > > + rollback(boollist, i); > > + return -1; > > + } > > + } > > > > /* OK, let's do the commit */ > > if (security_commit_booleans()) { > > diff --git a/src/selinux_internal.h b/src/selinux_internal.h > > index 5087bb6..ccd5753 100644 > > --- a/src/selinux_internal.h > > +++ b/src/selinux_internal.h > > @@ -10,6 +10,8 @@ hidden_proto(selinux_mkload_policy) > > hidden_proto(security_get_boolean_active) > > hidden_proto(security_get_boolean_names) > > hidden_proto(security_set_boolean) > > + hidden_proto(security_set_permanent_boolean) > > + hidden_proto(security_reload_permanent_boolean) > > hidden_proto(security_commit_booleans) > > hidden_proto(security_check_context) > > hidden_proto(security_check_context_raw) > > -- > > 1.7.9.5 > > > > > > -- > > This message was distributed to subscribers of the seandroid-list > mailing list. > > If you no longer wish to subscribe, send mail to [email protected] > > the words "unsubscribe seandroid-list" without quotes as the message. > > > You also should send out your pull request links. The NSA guys get > those if you email them on this list, > and will review, and merge as necessary. The code review tools are way > nicer then email. > -- Thanks, Haiqing Jiang
