[Toybox] cp --preserve=a doesn't preserve security context of directories.
Rob Landley
rob at landley.net
Fri Aug 18 11:47:54 PDT 2023
On 8/16/23 15:26, enh wrote:
>> I long ago came to the conclusion I can't make a system secure, all I can do is
>> annoy attackers into choosing a less vexing target. But I don't want to do the
>> same to users or developers, so it's always a balancing act.
>
> meh, if your selinux labels are wrong, stuff stops working. you can
> either fix it yourself or `setenforce 0` if you _know_ what you're
> doing isn't compatible with selinux rules for actual shipping systems
> and don't care because you're just testing a thing.
...
> fwiw, i wouldn't assume it's actually ever been tested? i'd imagine
> most [OS] developers are doing `adb sync` instead anyway. any `cp -r`
> action is most likely just a quick test in /data/local/tmp --- which
> is so useful _because_ it's the wild west where many of the usual
> rules don't apply (but only the root or shell users can do anything
> with it).

Speaking of tested, what does a good selinux test _look_ like here? The ls -Z
stuff is using regexes. I have a Fedora 36 ISO image that says:

$ ls -Z .
unconfined_u:object_r:user_home_t:s0 Desktop
unconfined_u:object_r:user_home_t:s0 Documents
unconfined_u:object_r:user_home_t:s0 Downloads
unconfined_u:object_r:audio_home_t:s0 Music
unconfined_u:object_r:user_home_t:s0 Pictures
unconfined_u:object_r:user_home_t:s0 Public
unconfined_u:object_r:user_home_t:s0 Templates
unconfined_u:object_r:user_home_t:s0 Videos

And I don't know what any of that means? (I always delete all the directories
except "Downloads" immediately on any new install, and only keep that one
because every web browser uses it.)

(I still haven't managed to build a vanilla Android system that boots under
vanilla kvm. Did
https://www.xda-developers.com/microdroid-stripped-down-android-virtual-machines/
ever turn into a thing?)

Anyway, I've been poking at the whole tests-under-mkroot thing so I can run
tests as root under a known environment for things like "yes the host system and
this filesystem are capable of doing selinux but haven't got any weird rules
that make stuff go 'boing' by themselves", but setting up a hand-crafted test
environment doesn't help if I don't know what success looks like.

I'm hoping I can "setprop" something, cp -a, and then "getprop" to see that it
got propagated successfully? I suppose I can just copy one of the Fedora labels...

Rob
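
Added example (not part of the original message and not toybox's own test code): one shape a label-preservation test could take, splitting the `ls -Z` contexts shown above into their user:role:type:level fields and comparing directory labels before and after `cp -a`. The function names are hypothetical, and the live check assumes `chcon`, `ls -Zd` and `selinuxenabled` are present and that the loaded policy permits relabelling to `audio_home_t`.

```shell
#!/bin/sh
# Added example, not toybox test-suite code. A context is user:role:type:level;
# the level (MLS/MCS range) may itself contain colons, e.g. s0:c512,c768.
ctx_field() {  # usage: ctx_field <context> <user|role|type|level>
  case "$2" in
    user)  printf '%s\n' "$1" | cut -d: -f1 ;;
    role)  printf '%s\n' "$1" | cut -d: -f2 ;;
    type)  printf '%s\n' "$1" | cut -d: -f3 ;;
    level) printf '%s\n' "$1" | cut -d: -f4- ;;
    *) return 1 ;;
  esac
}

# Compare two "label name" listings in ls -Z format. Prints one line per name
# whose label changed or vanished in the copy; no output means preserved.
label_diff() {  # usage: label_diff <src_listing> <dst_listing>
  printf '%s\n--\n%s\n' "$1" "$2" | awk '
    $0 == "--" { second = 1; next }
    !second    { want[$2] = $1; next }
               { got[$2] = $1 }
    END { for (n in want) {
            g = (n in got) ? got[n] : "missing"
            if (g != want[n]) print n ": " want[n] " -> " g } }' | sort
}

# Live check for the reported bug: relabel a tree, cp -a it, then compare the
# labels of the directories themselves (ls -Zd). Assumes the loaded policy
# lets the caller chcon to audio_home_t (type borrowed from the listing above).
check_cp_dir_context() {
  t=$(mktemp -d) || return 2
  mkdir -p "$t/src/sub" && chcon -R -t audio_home_t "$t/src" ||
    { rm -rf "$t"; return 2; }
  cp -a "$t/src" "$t/dst"
  a=$(cd "$t/src" && ls -Zd . sub)
  b=$(cd "$t/dst" && ls -Zd . sub)
  d=$(label_diff "$a" "$b")
  rm -rf "$t"
  [ -z "$d" ] || { printf '%s\n' "$d"; return 1; }
}

# Only attempt the live check where SELinux is actually enabled.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
  check_cp_dir_context && echo PASS || echo "FAIL or SKIP"
fi
```

`label_diff` and `ctx_field` work on captured listings, so the comparison logic can be exercised on a host without SELinux; only `check_cp_dir_context` needs an enforcing-capable system.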