toybox: ls -Z doesn't seem to print selinux context

So, I have tried this in my 64-bit Linux VM and also in arm64 Android, and ls -Z doesn't show the selinux context. I used the binaries from here: http://landley.net/toybox/bin/

Also, the binaries provided in the Android OS seem to print the selinux context without any issue.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 20 (8 by maintainers)

Most upvoted comments

ToT toybox ls -Z is working for me on Android, with the Android libselinux.

on the host with your repro case i see coreutils do:

lstat("camera", {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
lgetxattr("camera", "security.selinux", "u:object_r:persist_camera_file:s"..., 255) = 34

but toybox does:

newfstatat(4, "camera", {st_mode=S_IFDIR|0775, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0
openat(4, "camera", O_RDONLY|O_NOFOLLOW|O_PATH) = 5
fgetxattr(5, "security.selinux", 0x55ec2c1f7900, 255) = -1 EBADF (Bad file descriptor)
lgetxattr("/proc/self/fd/5", "security.selinux", 0x55ec2c1f7900, 255) = -1 EOPNOTSUPP (Operation not supported)

whereas on Android i’m seeing:

newfstatat(4, "product", {st_mode=S_IFDIR|0755, st_size=3488, ...}, AT_SYMLINK_NOFOLLOW) = 0
openat(4, "product", O_RDONLY|O_NOFOLLOW|O_PATH) = 5
fgetxattr(5, "security.selinux", 0x79dbe28000, 255) = -1 EBADF (Bad file descriptor)
fcntl(5, F_GETFL)                       = 0x208000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
getxattr("/proc/self/fd/5", "security.selinux", "u:object_r:system_file:s0", 255) = 26
close(5)                                = 0

looking at bionic’s fgetxattr(), i see…

  // fd could be an O_PATH file descriptor, and the kernel
  // may not directly support fgetxattr() on such a file descriptor.
  // Use /proc/self/fd instead to emulate this support.

so i guess glibc (2.28) just assumes the kernel can fgetxattr() on an O_PATH fd, but linux 5.2 at least still can’t.

I just did an ls -Z in there and yes, it showed something. And then I did an ls -Z with toybox and it didn't, and "ldd ls" isn't showing libselinux even though the link command line had it. Looks like I have some debugging to do, but I'm in the middle of 3 other things already at the moment.

Thanks for the test case. Added to the todo heap.

Yeah, you can do that; you don't actually have to enable selinux for that. (I tried chcon, but that doesn't seem to work for me.) This is how I did it: just download, unzip and mount the persist.img file to an empty directory.

persist.zip

  mkdir output
  sudo mount -t ext4 -o loop,rw persist.img output

Go to the output folder and copy any file you like (all files have selinux context attached to them; try ls -Z). Note: the -a flag is important to preserve the selinux context while copying:

  sudo cp -a filename pathtocopy
  sudo umount output

Now ls -Z filename and you can see the selinux context getting printed; you can use that file to test whether ls -Z supports printing the selinux context or not.

I also compiled coreutils (ls -Z) at my end to make sure there is no issue at my vm in creating selinux enabled binaries and I can see compiled ls can print selinux context with no issues whatsoever.

And one more thing: I am pretty sure there is something else the android build system is doing on top of your code, and that is what is adding selinux support (I used the mma command to build toybox, and this way the android build system takes care of everything).

Alas, I added selinux support because Elliott asked me to, and have never had a local test environment for it. (I just built an selinux enabled ls and -Z puts a ? after every file I’ve examined on devuan 2.0. Whether it’s the host ls or the toybox ls: same behavior.) I’ve pretty much been taking Elliott’s word that this feature works, because I don’t use it.

How would I set up an selinux test environment? (Can I just glue specific xattrs onto stuff without actually enabling selinux in the kernel?)