From: Michael Benedict Date: Sat, 25 May 2019 06:57:58 +0000 (+1000) Subject: selinux: remove sec_selinux X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3c256f54dcb6a4b2aacfda6f52403a3e3e8ace58;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git selinux: remove sec_selinux Signed-off-by: Michael Benedict --- diff --git a/security/selinux_n/Makefile b/security/selinux_n/Makefile index cdfb747513ba..ad5cd76ec231 100644 --- a/security/selinux_n/Makefile +++ b/security/selinux_n/Makefile @@ -2,24 +2,6 @@ # Makefile for building the SELinux module as part of the kernel tree. # -# [ SEC_SELINUX_PORTING_COMMON -ifeq ($(TARGET_BUILD_VARIANT), eng) -ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false) -ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) -EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG -endif -endif -endif - -ifeq ($(TARGET_BUILD_VARIANT), user) -ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true) -ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) -EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true -endif -endif -endif -# ] SEC_SELINUX_PORTING_COMMON - obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ diff --git a/security/selinux_n/avc.c b/security/selinux_n/avc.c index 8611fa9339e4..e60c79de13e1 100644 --- a/security/selinux_n/avc.c +++ b/security/selinux_n/avc.c @@ -34,12 +34,6 @@ #include "avc_ss.h" #include "classmap.h" -// [ SEC_SELINUX_PORTING_COMMON -#ifdef SEC_SELINUX_DEBUG -#include -#endif -// ] SEC_SELINUX_PORTING_COMMON - #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 
@@ -992,62 +986,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid, if (flags & AVC_STRICT) return -EACCES; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef SEC_SELINUX_DEBUG - - /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */ - if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) { - - char *scontext, *tcontext; - const char **perms; - int i, perm; - int rc1, rc2; - u32 scontext_len, tcontext_len; - - perms = secclass_map[tclass-1].perms; - i = 0; - perm = 1; - while (i < (sizeof(requested) * 8)) { - if ((perm & requested) && perms[i]) - break; - i++; - perm <<= 1; - } - - rc1 = security_sid_to_context(ssid, &scontext, &scontext_len); - rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len); - - if (rc1 || rc2) { - printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n", - __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); - } - else { - printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n", - __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); - } - - /* print call stack */ - printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n"); - dump_stack(); - - /* enforcing : SIGABRT and take debuggerd log */ - if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) { - printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n"); - send_sig(SIGABRT, current, 2); - } - - if (!rc1) kfree(scontext); - if (!rc2) kfree(tcontext); - - } -#endif - -#ifdef CONFIG_ALWAYS_ENFORCE - if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) -#else if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) -#endif -// ] SEC_SELINUX_PORTING_COMMON return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, 
diff --git a/security/selinux_n/exports.c b/security/selinux_n/exports.c index d117290dad0c..b1c92f4f966f 100644 --- a/security/selinux_n/exports.c +++ b/security/selinux_n/exports.c @@ -19,24 +19,12 @@ bool selinux_is_enabled(void) { -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - return true; -#else return selinux_enabled; -#endif -// ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enabled); bool selinux_is_enforcing(void) { -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - return true; -#else return selinux_enforcing; -#endif -// ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enforcing); \ No newline at end of file diff --git a/security/selinux_n/hooks.c b/security/selinux_n/hooks.c index fbe6ff9d77bf..4228f26c3cd8 100644 --- a/security/selinux_n/hooks.c +++ b/security/selinux_n/hooks.c @@ -84,10 +84,6 @@ #include #include -// [ SEC_SELINUX_PORTING_COMMON -#include -// ] SEC_SELINUX_PORTING_COMMON - #ifdef CONFIG_LOD_SEC #include #endif 
@@ -192,54 +188,33 @@ unsigned int rkp_get_offset_bp_cred(void) /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); -// [ SEC_SELINUX_PORTING_COMMON -static DEFINE_MUTEX(selinux_sdcardfs_lock); -// ] SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_SECURITY_SELINUX_DEVELOP -// [ SEC_SELINUX_PORTING_COMMON -#if defined(CONFIG_ALWAYS_ENFORCE) && defined(CONFIG_RKP_KDP) -RKP_RO_AREA int selinux_enforcing; -#else int selinux_enforcing; -#endif -// ] SEC_SELINUX_PORTING_COMMON static int __init enforcing_setup(char *str) { unsigned long enforcing; if (!kstrtoul(str, 0, &enforcing)) -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enforcing = 1; -#else selinux_enforcing = enforcing ? 1 : 0; -#endif -// ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("enforcing=", enforcing_setup); #endif #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM -RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; +int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; static int __init selinux_enabled_setup(char *str) { unsigned long enabled; if (!kstrtoul(str, 0, &enabled)) -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#else selinux_enabled = enabled ? 1 : 0; -#endif -// ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("selinux=", selinux_enabled_setup); #else -RKP_RO_AREA int selinux_enabled = 1; +int selinux_enabled = 1; #endif static struct kmem_cache *sel_inode_cache; 
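Review bot: The `-RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;` / `+int selinux_enabled = ...` pair and the matching `-RKP_RO_AREA int selinux_enabled = 1;` line in this hunk drop the read-only placement of `selinux_enabled`, yet both sit outside the `SEC_SELINUX_PORTING_COMMON` markers the commit is stripping, so this reads as a separate hardening change folded into the cleanup. The later hunk header at `@@ -7201,13 +7135,7 @@` still shows `RKP_RO_AREA static struct security_hook_list selinux_hooks[]`, so the macro appears to remain available and the drop is not needed for the build. Unless something now has to assign `selinux_enabled` after RKP locks the area, keep `RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;` and `RKP_RO_AREA int selinux_enabled = 1;`, or state the reason in the commit message. The same applies to the `#ifdef CONFIG_RKP_KDP` `security_integrity_current()` guard removed at the top of `selinux_sb_kern_mount` in the next hunk, which is also outside the markers; if the sibling hooks in hooks.c keep that guard, this hook now silently differs from them.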
@@ -2970,33 +2945,17 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) struct common_audit_data ad; int rc; -#ifdef CONFIG_RKP_KDP - if ((rc = security_integrity_current())) - return rc; -#endif /* CONFIG_RKP_KDP */ - - // [ SEC_SELINUX_PORTING_COMMON - if((strcmp(sb->s_type->name,"sdcardfs")) == 0) - mutex_lock(&selinux_sdcardfs_lock); - rc = superblock_doinit(sb, data); if (rc) - goto out; + return rc; /* Allow all mounts performed by the kernel */ if (flags & MS_KERNMOUNT) - goto out; + return 0; ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = sb->s_root; - rc = superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); - -out: - if((strcmp(sb->s_type->name,"sdcardfs")) == 0) - mutex_unlock(&selinux_sdcardfs_lock); - // ] SEC_SELINUX_PORTING_COMMON - - return rc; + return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); } static int selinux_sb_statfs(struct dentry *dentry) @@ -3322,25 +3281,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) sid = cred_sid(cred); isec = inode->i_security; -// [ SEC_SELINUX_PORTING_COMMON - /* skip sid == 1(kernel), it means first boot time */ - if(isec->initialized != 1 && sid != 1) { - int count = 5; - - while(count-- > 0) { - printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count); - udelay(500); - if(isec->initialized == 1) { - printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n"); - break; - } - } - if(isec->initialized != 1) { - printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n"); - } - } -// ] SEC_SELINUX_PORTING_COMMON - rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); audited = avc_audit_required(perms, &avd, rc, from_access ? FILE__AUDIT_ACCESS : 0, 
@@ -5727,13 +5667,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) " protocol=%hu nlmsg_type=%hu sclass=%s\n", sk->sk_protocol, nlh->nlmsg_type, secclass_map[sksec->sclass - 1].name); -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - if (security_get_allow_unknown()) -#else if (!selinux_enforcing || security_get_allow_unknown()) -#endif -// ] SEC_SELINUX_PORTING_COMMON err = 0; } @@ -7201,13 +7135,7 @@ RKP_RO_AREA static struct security_hook_list selinux_hooks[] = { static __init int selinux_init(void) { if (!security_module_enable("selinux")) { -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#else selinux_enabled = 0; -#endif -// ] SEC_SELINUX_PORTING_COMMON return 0; } @@ -7235,11 +7163,6 @@ static __init int selinux_init(void) if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enforcing = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (selinux_enforcing) printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); else @@ -7306,11 +7229,6 @@ static struct nf_hook_ops selinux_nf_ops[] = { static int __init selinux_nf_ip_init(void) { int err; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; diff --git a/security/selinux_n/include/security.h b/security/selinux_n/include/security.h index f1d3af16939a..223e9fd15d66 100644 --- a/security/selinux_n/include/security.h +++ b/security/selinux_n/include/security.h 
@@ -134,13 +134,7 @@ struct extended_perms { }; /* definitions of av_decision.flags */ -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE -#define AVD_FLAGS_PERMISSIVE 0x0000 -#else #define AVD_FLAGS_PERMISSIVE 0x0001 -#endif -// ] SEC_SELINUX_PORTING_COMMON void security_compute_av(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd, diff --git a/security/selinux_n/netif.c b/security/selinux_n/netif.c index 95c9949f6ffd..e607b4473ef6 100644 --- a/security/selinux_n/netif.c +++ b/security/selinux_n/netif.c @@ -276,12 +276,6 @@ static struct notifier_block sel_netif_netdev_notifier = { static __init int sel_netif_init(void) { int i; - -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; diff --git a/security/selinux_n/netnode.c b/security/selinux_n/netnode.c index d52e7f6088fb..da923f89d2a9 100644 --- a/security/selinux_n/netnode.c +++ b/security/selinux_n/netnode.c @@ -303,12 +303,6 @@ void sel_netnode_flush(void) static __init int sel_netnode_init(void) { int iter; - -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; diff --git a/security/selinux_n/netport.c b/security/selinux_n/netport.c index ae28c9c3becc..3311cc393cb4 100644 --- a/security/selinux_n/netport.c +++ b/security/selinux_n/netport.c @@ -237,12 +237,6 @@ void sel_netport_flush(void) static __init int sel_netport_init(void) { int iter; - -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; diff --git a/security/selinux_n/selinuxfs.c b/security/selinux_n/selinuxfs.c index 8bafc3186632..02f7435b80c4 100644 --- a/security/selinux_n/selinuxfs.c +++ b/security/selinux_n/selinuxfs.c 
@@ -41,10 +41,6 @@ #include "objsec.h" #include "conditional.h" -#if defined(CONFIG_TZ_ICCC) -#include -#endif - /* Policy capability filenames */ static char *policycap_names[] = { "network_peer_controls", @@ -173,23 +169,6 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, if (sscanf(page, "%d", &new_value) != 1) goto out; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - // If build is user build and enforce option is set, selinux is always enforcing - new_value = 1; - length = task_has_security(current, SECURITY__SETENFORCE); - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "config_always_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u", - new_value, selinux_enforcing, - from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); -#if !defined(CONFIG_RKP_KDP) - selinux_enforcing = new_value; -#endif - avc_ss_reset(0); - selnl_notify_setenforce(new_value); - selinux_status_update_setenforce(new_value); -#else new_value = 0; if (new_value != selinux_enforcing) { length = task_has_security(current, SECURITY__SETENFORCE); @@ -206,23 +185,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, selnl_notify_setenforce(selinux_enforcing); selinux_status_update_setenforce(selinux_enforcing); } -#endif -// ] SEC_SELINUX_PORTING_COMMON length = count; -#if defined(CONFIG_TZ_ICCC) - if (selinux_enabled && selinux_enforcing) { - if (0 != Iccc_SaveData_Kernel(SELINUX_STATUS,0x0)) { - printk(KERN_ERR "%s: Iccc_SaveData_Kernel failed, type = %x, value =%x\n", __func__,SELINUX_STATUS,0x0); - } - } - else { - if (0 != Iccc_SaveData_Kernel(SELINUX_STATUS,0x1)) { - printk(KERN_ERR "%s: Iccc_SaveData_Kernel failed, type = %x, value =%x\n", __func__,SELINUX_STATUS,0x1); - } - } -#endif - out: free_page((unsigned long) page); return length; 
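Review bot: With the `CONFIG_ALWAYS_ENFORCE` branch gone, the surviving path in `sel_write_enforce` still has `new_value = 0;` directly after the `sscanf(page, "%d", &new_value)` line, which overwrites whatever user space wrote to the selinuxfs `enforce` node, so a write of `1` can only ever move the kernel toward permissive and never back to enforcing. The collapsed hunk shows no `-` marker on that line, so I read it as unchanged context rather than part of this change; please confirm against the file. If the behaviour is intended for this tree it deserves a comment such as `/* enforcing cannot be re-enabled through selinuxfs in this build */`; if not, the upstream form is `new_value = !!new_value;`. The body of `sel_write_enforce` continues outside this hunk.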
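Review bot: The `#if defined(CONFIG_TZ_ICCC)` block removed after `length = count;` is the only code in this hunk that reported the enforcing state to the TEE via `Iccc_SaveData_Kernel(SELINUX_STATUS, ...)`, and it is not inside the `SEC_SELINUX_PORTING_COMMON` markers this commit is removing (its `#include` at the top of the file goes too, in the first hunk of this file). If this tree can still build with `CONFIG_TZ_ICCC`, any attestation or integrity reporting that consumes `SELINUX_STATUS` will no longer observe setenforce changes, so the commit message should say the TZ status reporting is dropped deliberately. If it is only dead code here, a one-line mention still helps the next reader.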
@@ -1887,11 +1851,6 @@ struct vfsmount *selinuxfs_mount; static int __init init_sel_fs(void) { int err; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - selinux_enabled = 1; -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; diff --git a/security/selinux_n/ss/policydb.c b/security/selinux_n/ss/policydb.c index ced787926f7a..992a31530825 100644 --- a/security/selinux_n/ss/policydb.c +++ b/security/selinux_n/ss/policydb.c @@ -1504,11 +1504,6 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp) goto bad; return 0; bad: -// [ SEC_SELINUX_PORTING_COMMON -#ifndef CONFIG_ALWAYS_ENFORCE - panic("SELinux:Failed to type read"); -#endif /*CONFIG_ALWAYS_ENFORCE*/ -// ] SEC_SELINUX_PORTING_COMMON type_destroy(key, typdatum, NULL); return rc; } @@ -2517,11 +2512,6 @@ int policydb_read(struct policydb *p, void *fp) out: return rc; bad: -// [ SEC_SELINUX_PORTING_COMMON -#ifndef CONFIG_ALWAYS_ENFORCE - panic("SELinux:Failed to load policy"); -#endif /*CONFIG_ALWAYS_ENFORCE*/ -// ] SEC_SELINUX_PORTING_COMMON policydb_destroy(p); goto out; } diff --git a/security/selinux_n/ss/services.c b/security/selinux_n/ss/services.c index 75e1306527a7..f7d7b398ecd3 100644 --- a/security/selinux_n/ss/services.c +++ b/security/selinux_n/ss/services.c @@ -773,13 +773,6 @@ out: kfree(n); kfree(t); -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE -#if !defined(CONFIG_RKP_KDP) - selinux_enforcing = 1; -#endif -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enforcing) return 0; return -EPERM; @@ -1543,13 +1536,6 @@ out: kfree(t); kfree(n); -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE -#if !defined(CONFIG_RKP_KDP) - selinux_enforcing = 1; -#endif -#endif -// ] SEC_SELINUX_PORTING_COMMON if (!selinux_enforcing) return 0; return -EACCES; 
@@ -1841,13 +1827,6 @@ static inline int convert_context_handle_invalid_context(struct context *context char *s; u32 len; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE -#if !defined(CONFIG_RKP_KDP) - selinux_enforcing = 1; -#endif -#endif -// ] SEC_SELINUX_PORTING_COMMON if (selinux_enforcing) return -EINVAL; @@ -2573,10 +2552,6 @@ int security_fs_use(struct super_block *sb) { int rc = 0; struct ocontext *c; -// [ SEC_SELINUX_PORTING_COMMON - u32 tmpsid; -// ] SEC_SELINUX_PORTING_COMMON - struct superblock_security_struct *sbsec = sb->s_security; const char *fstype = sb->s_type->name; @@ -2592,21 +2567,15 @@ int security_fs_use(struct super_block *sb) if (c) { sbsec->behavior = c->v.behavior; if (!c->sid[0]) { -// [ SEC_SELINUX_PORTING_COMMON rc = sidtab_context_to_sid(&sidtab, &c->context[0], - &tmpsid); - c->sid[0] = tmpsid; -// ] SEC_SELINUX_PORTING_COMMON + &c->sid[0]); if (rc) goto out; } sbsec->sid = c->sid[0]; } else { -// [ SEC_SELINUX_PORTING_COMMON rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR, - &tmpsid); - sbsec->sid = tmpsid; -// ] SEC_SELINUX_PORTING_COMMON + &sbsec->sid); if (rc) { sbsec->behavior = SECURITY_FS_USE_NONE; rc = 0; diff --git a/security/selinux_n/ss/status.c b/security/selinux_n/ss/status.c index d8e9947d136e..d982365f9d1a 100644 --- a/security/selinux_n/ss/status.c +++ b/security/selinux_n/ss/status.c @@ -58,13 +58,7 @@ struct page *selinux_kernel_status_page(void) status->version = SELINUX_KERNEL_STATUS_VERSION; status->sequence = 0; -// [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - status->enforcing = 1; -#else status->enforcing = selinux_enforcing; -#endif -// ] SEC_SELINUX_PORTING_COMMON /* * NOTE: the next policyload event shall set * a positive value on the status->policyload,