[Toybox] cp --preserve=a doesn't preserve security context of directories.

enh enh at google.com
Fri Aug 18 11:54:49 PDT 2023


On Fri, Aug 18, 2023 at 11:45 AM Rob Landley <rob at landley.net> wrote:
>
> On 8/16/23 15:26, enh wrote:
> >> I long ago came to the conclusion I can't make a system secure, all I can do is
> >> annoy attackers into choosing a less vexing target. But I don't want to do the
> >> same to users or developers, so it's always a balancing act.
> >
> > meh, if your selinux labels are wrong, stuff stops working. you can
> > either fix it yourself or `setenforce 0` if you _know_ what you're
> > doing isn't compatible with selinux rules for actual shipping systems
> > and don't care because you're just testing a thing.
> ...
> > fwiw, i wouldn't assume it's actually ever been tested? i'd imagine
> > most [OS] developers are doing `adb sync` instead anyway. any `cp -r`
> > action is most likely just a quick test in /data/local/tmp --- which
> > is so useful _because_ it's the wild west where many of the usual
> > rules don't apply (but only the root or shell users can do anything
> > with it).
>
> Speaking of tested, what does a good selinux test _look_ like here? The ls -Z
> stuff is using regexes. I have a Fedora 36 ISO image that says:
>
> $ ls -Z .
>  unconfined_u:object_r:user_home_t:s0 Desktop
>  unconfined_u:object_r:user_home_t:s0 Documents
>  unconfined_u:object_r:user_home_t:s0 Downloads
> unconfined_u:object_r:audio_home_t:s0 Music
>  unconfined_u:object_r:user_home_t:s0 Pictures
>  unconfined_u:object_r:user_home_t:s0 Public
>  unconfined_u:object_r:user_home_t:s0 Templates
>  unconfined_u:object_r:user_home_t:s0 Videos
>
> And I don't know what any of that means? (I always delete all the directories
> except "Downloads" immediately on any new install, and only keep that one
> because every web browser uses it.)

selinux labels are [insert usual disclaimer about my level of
knowledge/understanding here] basically just arbitrary strings. i
don't think they "mean" anything more than "enh" or the corresponding
integer uid "means" anything. they're useful because you can then say
things like "this process can read but not write files with this
label" or whatever.

> (I still haven't managed to build a vanilla Android system that boots under
> vanilla kvm. Did
> https://www.xda-developers.com/microdroid-stripped-down-android-virtual-machines/
> ever turn into a thing?)

https://source.android.com/docs/core/virtualization/microdroid

"cuttlefish" is probably what you want though? i run the riscv64
cuttlefish, and you can see instructions at
https://github.com/google/android-riscv64/#can-i-try-it --- the x86-64
cuttlefish is probably a lot more useful for you (and definitely a lot
faster!).

> Anyway, I've been poking at the whole tests-under-mkroot thing so I can run
> tests as root under a known environment for things like "yes the host system and
> this filesystem are capable of doing selinux but haven't got any weird rules
> that make stuff go 'boing' by themselves", but setting up a hand-crafted test
> environment doesn't help if I don't know what success looks like.
>
> I'm hoping I can "setprop" something, cp -a, and then "getprop" to see that it
> got propagated successfully? I suppose I can just copy one of the Fedora labels...

i think you mean chcon(1)? but otherwise, "yes". (though i don't have
a good trick for "give me two distinct labels" in the same way we grep
/etc/passwd or whatever...)

> Rob
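
As an added example (not from this thread and not toybox code): a small Python checker for the kind of test discussed above. Rather than parsing `ls -Z` output with regexes, it reads the `security.selinux` xattr directly and compares every directory and file in a source tree with the same relative path in the copy, so a directory whose label was dropped shows up by name. The real-copy check uses whatever `cp -a` the host has; the simulated case needs no SELinux at all and uses the two labels from the Fedora `ls -Z` output quoted above (`user_home_t` and `audio_home_t`) as constructed values. File names, the `make_tree` layout and the injectable `get_ctx` hook are assumptions of this example.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Added example, not toybox code.  Labels live in the security.selinux xattr,
# so we read that directly instead of matching `ls -Z` output with regexes.
SELINUX_XATTR = "security.selinux"

# Labels taken from the Fedora `ls -Z` output quoted in the thread; used as
# constructed sample values in simulated_directory_mismatch().
AUDIO_T = "unconfined_u:object_r:audio_home_t:s0"
HOME_T = "unconfined_u:object_r:user_home_t:s0"


def read_selinux_context(path):
    """Return the label of `path` (symlinks are checked on their own, as cp -a
    copies them) or None when it has no label or the kernel/filesystem has no
    SELinux/xattr support."""
    if not hasattr(os, "getxattr"):      # non-Linux Python builds
        return None
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:                      # ENODATA, ENOTSUP, ENOENT, EACCES ...
        return None
    return raw.rstrip(b"\0").decode("ascii", errors="replace")


def compare_contexts(src, dst, get_ctx=read_selinux_context):
    """Walk `src` and compare each directory's and file's label with the same
    relative path under `dst`.  Returns [(relpath, kind, src_ctx, dst_ctx)] for
    every difference; an empty list means every label, directories included,
    was propagated.  `get_ctx` is injectable (assumed hook of this example) so
    the logic can be exercised on a box without SELinux."""
    src, dst = Path(src), Path(dst)
    mismatches = []
    for root, _dirs, files in os.walk(src):
        root = Path(root)
        for p in [root] + [root / f for f in files]:
            rel = p.relative_to(src)
            kind = "dir" if p.is_dir() and not p.is_symlink() else "file"
            s_ctx, d_ctx = get_ctx(str(p)), get_ctx(str(dst / rel))
            if s_ctx != d_ctx:
                mismatches.append((str(rel), kind, s_ctx, d_ctx))
    return mismatches


def make_tree(base):
    """Constructed sample tree: base/top.txt and base/sub/file.txt."""
    (base / "sub").mkdir(parents=True)
    (base / "top.txt").write_text("top\n")
    (base / "sub" / "file.txt").write_text("nested\n")


def check_real_copy(cp_cmd=("cp", "-a")):
    """Copy a sample tree with the host's `cp -a` (shutil when no cp exists)
    and compare labels.  Without SELinux every label reads as None on both
    sides, so the result is [] there; on an enforcing host with a
    context-preserving cp it is [] only if the directory labels survived."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "dst"
        make_tree(src)
        if shutil.which(cp_cmd[0]):
            subprocess.run([*cp_cmd, str(src), str(dst)], check=True)
        else:
            shutil.copytree(src, dst, symlinks=True)
        return compare_contexts(src, dst)


def simulated_directory_mismatch():
    """Constructed scenario that needs no SELinux: the copy kept the label on
    the nested file but left the copied directory with the default label,
    which is the failure the subject line of this thread describes."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "dst"
        make_tree(src)
        make_tree(dst)
        labels = {str(p): HOME_T
                  for tree in (src, dst) for p in [tree, *tree.rglob("*")]}
        labels[str(src / "sub")] = AUDIO_T               # distinct label on the source dir
        labels[str(src / "sub" / "file.txt")] = AUDIO_T  # and on the file inside it
        labels[str(dst / "sub" / "file.txt")] = AUDIO_T  # the file label was preserved...
        # ...but dst/sub still reads HOME_T: the directory label was not
        return compare_contexts(src, dst, get_ctx=labels.get)


if __name__ == "__main__":
    print("real cp -a:", check_real_copy())
    print("simulated:", simulated_directory_mismatch())
```

To point this at toybox rather than the host's coreutils, pass `cp_cmd=("toybox", "cp", "-a")` (or `("toybox", "cp", "-r", "--preserve=context")`) to `check_real_copy()`; a non-empty list names each path whose label was lost and whether it was a directory or a file.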
