selinux: remove sec_selinux
authorMichael Benedict <michaelbt@live.com>
Sat, 25 May 2019 06:57:58 +0000 (16:57 +1000)
committerMichael Benedict <michaelbt@live.com>
Sun, 25 Aug 2019 07:48:32 +0000 (17:48 +1000)
Signed-off-by: Michael Benedict <michaelbt@live.com>
12 files changed:
security/selinux_n/Makefile
security/selinux_n/avc.c
security/selinux_n/exports.c
security/selinux_n/hooks.c
security/selinux_n/include/security.h
security/selinux_n/netif.c
security/selinux_n/netnode.c
security/selinux_n/netport.c
security/selinux_n/selinuxfs.c
security/selinux_n/ss/policydb.c
security/selinux_n/ss/services.c
security/selinux_n/ss/status.c

index cdfb747513baa9d0da4ab38fce2f802c33a9c143..ad5cd76ec231cd14f02b2fb15f07a3d8a069972f 100644 (file)
@@ -2,24 +2,6 @@
 # Makefile for building the SELinux module as part of the kernel tree.
 #
 
-# [ SEC_SELINUX_PORTING_COMMON
-ifeq ($(TARGET_BUILD_VARIANT), eng)
-ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false)
-ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
-EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG
-endif
-endif
-endif
-
-ifeq ($(TARGET_BUILD_VARIANT), user)
-ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true)
-ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
-EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
-endif
-endif
-endif
-# ] SEC_SELINUX_PORTING_COMMON
-
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
index 8611fa9339e414508d06c9c8b3be024b51936424..e60c79de13e1c74ea6129cfb5431d5d2415cdc2d 100644 (file)
 #include "avc_ss.h"
 #include "classmap.h"
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef SEC_SELINUX_DEBUG
-#include <linux/signal.h>
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
-
 #define AVC_CACHE_SLOTS                        512
 #define AVC_DEF_CACHE_THRESHOLD                512
 #define AVC_CACHE_RECLAIM              16
@@ -992,62 +986,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
        if (flags & AVC_STRICT)
                return -EACCES;
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef SEC_SELINUX_DEBUG
-
-        /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */
-       if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) )  {
-
-               char *scontext, *tcontext;
-               const char **perms;
-               int i, perm;
-               int rc1, rc2;
-               u32 scontext_len, tcontext_len;
-
-               perms = secclass_map[tclass-1].perms;
-               i = 0;
-               perm = 1;
-               while (i < (sizeof(requested) * 8)) {
-                       if ((perm & requested) && perms[i])
-                               break;
-                       i++;
-                       perm <<= 1;
-               }
-
-               rc1 = security_sid_to_context(ssid, &scontext, &scontext_len);
-               rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len);
-
-               if (rc1 || rc2) {
-                       printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n",
-                      __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow);
-               }
-               else {
-                       printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n",
-                      __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow);
-               }
-
-               /* print call stack */
-               printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n");
-               dump_stack();
-
-               /* enforcing : SIGABRT and take debuggerd log */
-               if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) {
-                       printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n");
-                       send_sig(SIGABRT, current, 2);
-               }
-
-               if (!rc1) kfree(scontext);
-               if (!rc2) kfree(tcontext);
-
-       }
-#endif
-
-#ifdef CONFIG_ALWAYS_ENFORCE
-       if (!(avd->flags & AVD_FLAGS_PERMISSIVE))
-#else
        if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
                return -EACCES;
 
        avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid,
index d117290dad0c324d541eeb1cea40d0318de9d35d..b1c92f4f966f70bc841c54c67021cc2e0db641eb 100644 (file)
 
 bool selinux_is_enabled(void)
 {
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       return true;
-#else
        return selinux_enabled;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 }
 EXPORT_SYMBOL_GPL(selinux_is_enabled);
 
 bool selinux_is_enforcing(void)
 {
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       return true;
-#else
        return selinux_enforcing;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 }
 EXPORT_SYMBOL_GPL(selinux_is_enforcing);
\ No newline at end of file
index fbe6ff9d77bf55202f84cd0ad727b4a366206580..4228f26c3cd8e4155a2e98b57ef2e2dff7b60a07 100644 (file)
 #include <linux/msg.h>
 #include <linux/shm.h>
 
-// [ SEC_SELINUX_PORTING_COMMON
-#include <linux/delay.h>
-// ] SEC_SELINUX_PORTING_COMMON
-
 #ifdef CONFIG_LOD_SEC
 #include <linux/linux_on_dex.h>
 #endif
@@ -192,54 +188,33 @@ unsigned int rkp_get_offset_bp_cred(void)
 /* SECMARK reference count */
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 
-// [ SEC_SELINUX_PORTING_COMMON
-static DEFINE_MUTEX(selinux_sdcardfs_lock);
-// ] SEC_SELINUX_PORTING_COMMON
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-// [ SEC_SELINUX_PORTING_COMMON
-#if defined(CONFIG_ALWAYS_ENFORCE) && defined(CONFIG_RKP_KDP)
-RKP_RO_AREA int selinux_enforcing;
-#else
 int selinux_enforcing;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 
 static int __init enforcing_setup(char *str)
 {
        unsigned long enforcing;
        if (!kstrtoul(str, 0, &enforcing))
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-               selinux_enforcing = 1;
-#else
                selinux_enforcing = enforcing ? 1 : 0;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        return 1;
 }
 __setup("enforcing=", enforcing_setup);
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
-RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
+int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 
 static int __init selinux_enabled_setup(char *str)
 {
        unsigned long enabled;
        if (!kstrtoul(str, 0, &enabled))
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-               selinux_enabled = 1;
-#else
                selinux_enabled = enabled ? 1 : 0;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
 #else
-RKP_RO_AREA int selinux_enabled = 1;
+int selinux_enabled = 1;
 #endif
 
 static struct kmem_cache *sel_inode_cache;
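Review bot: Dropping `RKP_RO_AREA` from both definitions of `selinux_enabled` (`int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;` and `int selinux_enabled = 1;`) goes beyond the SEC_SELINUX_PORTING_COMMON blocks this commit otherwise removes; neither line sat inside those markers. The annotation appears to place the global in a protected read-only region (the `RKP_RO_AREA static struct security_hook_list selinux_hooks[]` header further down in this file still carries it), so after this change the enable flag is an ordinary writable kernel variable while the hook table keeps its protection. If the attribute has to go because the `selinux=` and `enforcing=` setup paths write these variables, the commit message should say so; otherwise keep `RKP_RO_AREA int selinux_enabled = ...;` for both definitions and confine the removal to the CONFIG_ALWAYS_ENFORCE blocks.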
@@ -2970,33 +2945,17 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
        struct common_audit_data ad;
        int rc;
 
-#ifdef CONFIG_RKP_KDP  
-       if ((rc = security_integrity_current()))
-               return rc;
-#endif  /* CONFIG_RKP_KDP */
-
-       // [ SEC_SELINUX_PORTING_COMMON
-       if((strcmp(sb->s_type->name,"sdcardfs")) == 0)
-               mutex_lock(&selinux_sdcardfs_lock);
-
        rc = superblock_doinit(sb, data);
        if (rc)
-               goto out;
+               return rc;
 
        /* Allow all mounts performed by the kernel */
        if (flags & MS_KERNMOUNT)
-               goto out;
+               return 0;
 
        ad.type = LSM_AUDIT_DATA_DENTRY;
        ad.u.dentry = sb->s_root;
-       rc = superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
-
-out:
-       if((strcmp(sb->s_type->name,"sdcardfs")) == 0)
-               mutex_unlock(&selinux_sdcardfs_lock);
-       // ] SEC_SELINUX_PORTING_COMMON
-
-       return rc;
+       return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
 }
 
 static int selinux_sb_statfs(struct dentry *dentry)
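Review bot: The `#ifdef CONFIG_RKP_KDP` block calling `security_integrity_current()` at the top of selinux_sb_kern_mount is removed along with the sdcardfs lock, but it was outside the `// [ SEC_SELINUX_PORTING_COMMON` marker that opens below it, so this is a second, unrelated behaviour change hidden in a cleanup commit. If CONFIG_RKP_KDP is still selectable in this tree (the `RKP_RO_AREA` annotations elsewhere in hooks.c suggest it is), the mount hook no longer verifies the current credentials before `superblock_has_perm`, whereas other hooks presumably keep their check. Either retain `#ifdef CONFIG_RKP_KDP` / `if ((rc = security_integrity_current())) return rc;` / `#endif` ahead of `superblock_doinit`, or state in the commit message that RKP integrity checks are being dropped from the SELinux hooks as well. The function's opening lines (the `cred` lookup) are outside this hunk; the early-return rewrite itself matches mainline.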
@@ -3322,25 +3281,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
        sid = cred_sid(cred);
        isec = inode->i_security;
 
-// [ SEC_SELINUX_PORTING_COMMON
-       /* skip sid == 1(kernel), it means first boot time */
-       if(isec->initialized != 1 && sid != 1) {
-               int count = 5;
-
-               while(count-- > 0) {
-                       printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count); 
-                       udelay(500);
-                       if(isec->initialized == 1) {
-                               printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n"); 
-                               break;
-                       }
-               }
-               if(isec->initialized != 1) {
-                       printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n"); 
-               }
-       }
-// ] SEC_SELINUX_PORTING_COMMON
-
        rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
        audited = avc_audit_required(perms, &avd, rc,
                                     from_access ? FILE__AUDIT_ACCESS : 0,
@@ -5727,13 +5667,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
                               " protocol=%hu nlmsg_type=%hu sclass=%s\n",
                               sk->sk_protocol, nlh->nlmsg_type,
                               secclass_map[sksec->sclass - 1].name);
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-                       if (security_get_allow_unknown())
-#else
                        if (!selinux_enforcing || security_get_allow_unknown())
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
                                err = 0;
                }
 
@@ -7201,13 +7135,7 @@ RKP_RO_AREA static struct security_hook_list selinux_hooks[] = {
 static __init int selinux_init(void)
 {
        if (!security_module_enable("selinux")) {
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-               selinux_enabled = 1;
-#else
                selinux_enabled = 0;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
                return 0;
        }
 
@@ -7235,11 +7163,6 @@ static __init int selinux_init(void)
 
        if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
                panic("SELinux: Unable to register AVC netcache callback\n");
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-               selinux_enforcing = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (selinux_enforcing)
                printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
        else
@@ -7306,11 +7229,6 @@ static struct nf_hook_ops selinux_nf_ops[] = {
 static int __init selinux_nf_ip_init(void)
 {
        int err;
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-               selinux_enabled = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (!selinux_enabled)
                return 0;
 
index f1d3af16939a3a681b43723dcd7e180da578074d..223e9fd15d6651f16a776fcc19fee232ae802129 100644 (file)
@@ -134,13 +134,7 @@ struct extended_perms {
 };
 
 /* definitions of av_decision.flags */
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-#define AVD_FLAGS_PERMISSIVE   0x0000
-#else
 #define AVD_FLAGS_PERMISSIVE   0x0001
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 
 void security_compute_av(u32 ssid, u32 tsid,
                         u16 tclass, struct av_decision *avd,
index 95c9949f6ffd2eaf33e6b868dd9c54e2199e50be..e607b4473ef678c71e8a7a882f9b298491b52dd9 100644 (file)
@@ -276,12 +276,6 @@ static struct notifier_block sel_netif_netdev_notifier = {
 static __init int sel_netif_init(void)
 {
        int i;
-       
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       selinux_enabled = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 
        if (!selinux_enabled)
                return 0;
index d52e7f6088fba37cdb7f013fe7f4e1fb2bea0824..da923f89d2a99aa9a5e3a92691cc9e3f66f15f3b 100644 (file)
@@ -303,12 +303,6 @@ void sel_netnode_flush(void)
 static __init int sel_netnode_init(void)
 {
        int iter;
-       
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       selinux_enabled = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 
        if (!selinux_enabled)
                return 0;
index ae28c9c3becceaaab2151d90d8017fbae0efff8e..3311cc393cb483271f41b77ae09bbad3a9cd4b1f 100644 (file)
@@ -237,12 +237,6 @@ void sel_netport_flush(void)
 static __init int sel_netport_init(void)
 {
        int iter;
-       
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       selinux_enabled = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
 
        if (!selinux_enabled)
                return 0;
index 8bafc3186632b34d762496997f47468d173a6459..02f7435b80c4dad1c545861276ecfa951cbb2df9 100644 (file)
 #include "objsec.h"
 #include "conditional.h"
 
-#if defined(CONFIG_TZ_ICCC)
-#include <linux/security/Iccc_Interface.h>
-#endif
-
 /* Policy capability filenames */
 static char *policycap_names[] = {
        "network_peer_controls",
@@ -173,23 +169,6 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
        if (sscanf(page, "%d", &new_value) != 1)
                goto out;
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       // If build is user build and enforce option is set, selinux is always enforcing
-       new_value = 1;
-       length = task_has_security(current, SECURITY__SETENFORCE);
-       audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                        "config_always_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u",
-                        new_value, selinux_enforcing,
-                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
-#if !defined(CONFIG_RKP_KDP)
-       selinux_enforcing = new_value;
-#endif
-       avc_ss_reset(0);
-       selnl_notify_setenforce(new_value);
-       selinux_status_update_setenforce(new_value);
-#else
        new_value = 0;
        if (new_value != selinux_enforcing) {
                length = task_has_security(current, SECURITY__SETENFORCE);
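Review bot: Once the `#else` branch is unwrapped, `new_value = 0;` is left as the line immediately before `if (new_value != selinux_enforcing)`, so the value parsed by `sscanf(page, "%d", &new_value)` is discarded and every write to the enforce node requests permissive mode; enforcing can never be switched back on through selinuxfs. That line is context here, so it predates this commit, but it looks like a leftover of the vendor debug path and differs from mainline, which normalizes the input with `new_value = !!new_value;`. The remainder of sel_write_enforce lies between this hunk and the next (the audit log and notify calls), so a later correction can't be ruled out from here, but nothing visible restores the parsed value.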
@@ -206,23 +185,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
                selnl_notify_setenforce(selinux_enforcing);
                selinux_status_update_setenforce(selinux_enforcing);
        }
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        length = count;
 
-#if defined(CONFIG_TZ_ICCC)
-       if (selinux_enabled && selinux_enforcing) {
-               if (0 != Iccc_SaveData_Kernel(SELINUX_STATUS,0x0)) {
-                       printk(KERN_ERR "%s: Iccc_SaveData_Kernel failed, type = %x, value =%x\n", __func__,SELINUX_STATUS,0x0);
-               }
-       }
-       else {
-               if (0 != Iccc_SaveData_Kernel(SELINUX_STATUS,0x1)) {
-                       printk(KERN_ERR "%s: Iccc_SaveData_Kernel failed, type = %x, value =%x\n", __func__,SELINUX_STATUS,0x1);
-               }
-       }
-#endif
-
 out:
        free_page((unsigned long) page);
        return length;
@@ -1887,11 +1851,6 @@ struct vfsmount *selinuxfs_mount;
 static int __init init_sel_fs(void)
 {
        int err;
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-       selinux_enabled = 1;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (!selinux_enabled)
                return 0;
 
index ced787926f7a930e52d4227c9aa476de1ba3e067..992a315308258724099f05f9fbca0e9e7f12cc89 100644 (file)
@@ -1504,11 +1504,6 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
                goto bad;
        return 0;
 bad:
-// [ SEC_SELINUX_PORTING_COMMON
-#ifndef CONFIG_ALWAYS_ENFORCE
-       panic("SELinux:Failed to type read");
-#endif /*CONFIG_ALWAYS_ENFORCE*/
-// ] SEC_SELINUX_PORTING_COMMON
        type_destroy(key, typdatum, NULL);
        return rc;
 }
@@ -2517,11 +2512,6 @@ int policydb_read(struct policydb *p, void *fp)
 out:
        return rc;
 bad:
-// [ SEC_SELINUX_PORTING_COMMON
-#ifndef CONFIG_ALWAYS_ENFORCE
-       panic("SELinux:Failed to load policy");
-#endif /*CONFIG_ALWAYS_ENFORCE*/
-// ] SEC_SELINUX_PORTING_COMMON
        policydb_destroy(p);
        goto out;
 }
index 75e1306527a75f8111d97fbf12636c663df34c9e..f7d7b398ecd346c19acfb5b4983d1a97111994cc 100644 (file)
@@ -773,13 +773,6 @@ out:
        kfree(n);
        kfree(t);
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-#if !defined(CONFIG_RKP_KDP)
-       selinux_enforcing = 1;
-#endif
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (!selinux_enforcing)
                return 0;
        return -EPERM;
@@ -1543,13 +1536,6 @@ out:
        kfree(t);
        kfree(n);
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-#if !defined(CONFIG_RKP_KDP)
-       selinux_enforcing = 1;
-#endif
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (!selinux_enforcing)
                return 0;
        return -EACCES;
@@ -1841,13 +1827,6 @@ static inline int convert_context_handle_invalid_context(struct context *context
        char *s;
        u32 len;
 
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-#if !defined(CONFIG_RKP_KDP)
-       selinux_enforcing = 1;
-#endif
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
        if (selinux_enforcing)
                return -EINVAL;
 
@@ -2573,10 +2552,6 @@ int security_fs_use(struct super_block *sb)
 {
        int rc = 0;
        struct ocontext *c;
-// [ SEC_SELINUX_PORTING_COMMON
-       u32 tmpsid;
-// ] SEC_SELINUX_PORTING_COMMON
-
        struct superblock_security_struct *sbsec = sb->s_security;
        const char *fstype = sb->s_type->name;
 
@@ -2592,21 +2567,15 @@ int security_fs_use(struct super_block *sb)
        if (c) {
                sbsec->behavior = c->v.behavior;
                if (!c->sid[0]) {
-// [ SEC_SELINUX_PORTING_COMMON
                        rc = sidtab_context_to_sid(&sidtab, &c->context[0],
-                                                  &tmpsid);
-                       c->sid[0] = tmpsid;
-// ] SEC_SELINUX_PORTING_COMMON
+                                                                               &c->sid[0]);
                        if (rc)
                                goto out;
                }
                sbsec->sid = c->sid[0];
        } else {
-// [ SEC_SELINUX_PORTING_COMMON
                rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
-                                         &tmpsid);
-               sbsec->sid = tmpsid;
-// ] SEC_SELINUX_PORTING_COMMON
+                                                                       &sbsec->sid);
                if (rc) {
                        sbsec->behavior = SECURITY_FS_USE_NONE;
                        rc = 0;
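Review bot: The added continuation lines `&c->sid[0]);` and `&sbsec->sid);` are pushed far past the opening parenthesis of their calls by a long run of tabs, unlike the removed `&tmpsid);` lines, which were aligned under the first argument; kernel style aligns the continuation with `&sidtab` and `fstype` respectively, and checkpatch will flag the current form. Writing the result straight into `c->sid[0]` and `sbsec->sid` also relies on `sidtab_context_to_sid` and `__security_genfs_sid` leaving `*sid` untouched on failure, which is what the vendor's `tmpsid` copy was guarding against; mainline makes the same assumption and guards with the `if (rc)` checks that follow, so this is fine provided those helpers in this tree behave the same, which is worth confirming. The enclosing security_fs_use body continues past the end of this hunk.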
index d8e9947d136ee7cd6d750ef5de8d89cf66093aa4..d982365f9d1a7b7c0068e87bd99c7fe3b7df151d 100644 (file)
@@ -58,13 +58,7 @@ struct page *selinux_kernel_status_page(void)
 
                        status->version = SELINUX_KERNEL_STATUS_VERSION;
                        status->sequence = 0;
-// [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_ALWAYS_ENFORCE
-                       status->enforcing = 1;
-#else
                        status->enforcing = selinux_enforcing;
-#endif
-// ] SEC_SELINUX_PORTING_COMMON
                        /*
                         * NOTE: the next policyload event shall set
                         * a positive value on the status->policyload,