Loading kernel/auditsc.c +0 −6 Original line number Diff line number Diff line Loading @@ -1364,9 +1364,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts /* tsk == current */ context->personality = tsk->personality; // [ SEC_SELINUX_PORTING_COMMON if (context->major != __NR_setsockopt && context->major != 294 ) { // ] SEC_SELINUX_PORTING_COMMON ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); if (!ab) return; /* audit_panic has been called */ Loading Loading @@ -1477,9 +1474,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_name(context, n, NULL, i++, &call_panic); audit_log_proctitle(tsk, context); // [ SEC_SELINUX_PORTING_COMMON } // End of context->major != __NR_setsockopt // ] SEC_SELINUX_PORTING_COMMON /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); if (ab) Loading security/selinux/Kconfig +7 −0 Original line number Diff line number Diff line Loading @@ -138,3 +138,10 @@ config SEC_SELINUX help This option adds sec selinux feature config SECURITY_SELINUX_PERMISSIVE bool "SELinux permissive" depends on SECURITY_SELINUX default n help This option switches SELinux to permissive mode security/selinux/Makefile +0 −18 Original line number Diff line number Diff line Loading 
@@ -2,24 +2,6 @@ # Makefile for building the SELinux module as part of the kernel tree. # # [ SEC_SELINUX_PORTING_COMMON ifeq ($(TARGET_BUILD_VARIANT), eng) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG endif endif endif ifeq ($(TARGET_BUILD_VARIANT), user) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true endif endif endif # ] SEC_SELINUX_PORTING_COMMON obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ Loading security/selinux/avc.c +0 −61 Original line number Diff line number Diff line Loading @@ -34,12 +34,6 @@ #include "avc_ss.h" #include "classmap.h" // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG #include <linux/signal.h> #endif // ] SEC_SELINUX_PORTING_COMMON #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 Loading Loading 
@@ -991,62 +985,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid, if (flags & AVC_STRICT) return -EACCES; // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */ if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) { char *scontext, *tcontext; const char **perms; int i, perm; int rc1, rc2; u32 scontext_len, tcontext_len; perms = secclass_map[tclass-1].perms; i = 0; perm = 1; while (i < (sizeof(requested) * 8)) { if ((perm & requested) && perms[i]) break; i++; perm <<= 1; } rc1 = security_sid_to_context(ssid, &scontext, &scontext_len); rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len); if (rc1 || rc2) { printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } else { printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } /* print call stack */ printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n"); dump_stack(); /* enforcing : SIGABRT and take debuggerd log */ if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) { printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n"); send_sig(SIGABRT, current, 2); } if (!rc1) kfree(scontext); if (!rc2) kfree(tcontext); } #endif #ifdef CONFIG_ALWAYS_ENFORCE if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) #else if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) #endif // ] SEC_SELINUX_PORTING_COMMON return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, Loading security/selinux/exports.c +2 −10 Original line number Diff line number Diff line Loading 
@@ -19,24 +19,16 @@ bool selinux_is_enabled(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enabled; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enabled); bool selinux_is_enforcing(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #ifdef CONFIG_SECURITY_SELINUX_PERMISSIVE return false; #else return selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enforcing); No newline at end of file Loading
kernel/auditsc.c +0 −6 Original line number Diff line number Diff line Loading @@ -1364,9 +1364,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts /* tsk == current */ context->personality = tsk->personality; // [ SEC_SELINUX_PORTING_COMMON if (context->major != __NR_setsockopt && context->major != 294 ) { // ] SEC_SELINUX_PORTING_COMMON ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); if (!ab) return; /* audit_panic has been called */ Loading Loading @@ -1477,9 +1474,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_name(context, n, NULL, i++, &call_panic); audit_log_proctitle(tsk, context); // [ SEC_SELINUX_PORTING_COMMON } // End of context->major != __NR_setsockopt // ] SEC_SELINUX_PORTING_COMMON /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); if (ab) Loading
security/selinux/Kconfig +7 −0 Original line number Diff line number Diff line Loading @@ -138,3 +138,10 @@ config SEC_SELINUX help This option adds sec selinux feature config SECURITY_SELINUX_PERMISSIVE bool "SELinux permissive" depends on SECURITY_SELINUX default n help This option switches SELinux to permissive mode
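Review bot: The help text "This option switches SELinux to permissive mode" overstates what the new SECURITY_SELINUX_PERMISSIVE option does in this commit: the only code shown reading it is selinux_is_enforcing() in exports.c, which returns false, while the AVC decision in avc.c still keys off the runtime `selinux_enforcing` variable, so enabling it does not by itself suppress denials unless `selinux_enforcing` is also tied to the option somewhere outside this diff. A compile-time permissive switch is also exactly the kind of option that must not leak into a production image, and the help text is where a reviewer would expect that warning. I'd replace the help with: `Reports SELinux as permissive from selinux_is_enforcing() regardless of the runtime enforcing state. Intended for engineering/debug builds only; never enable this in production images.` Keeping `default n` and `depends on SECURITY_SELINUX` as written is right.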
security/selinux/Makefile +0 −18 Original line number Diff line number Diff line Loading @@ -2,24 +2,6 @@ # Makefile for building the SELinux module as part of the kernel tree. # # [ SEC_SELINUX_PORTING_COMMON ifeq ($(TARGET_BUILD_VARIANT), eng) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG endif endif endif ifeq ($(TARGET_BUILD_VARIANT), user) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true endif endif endif # ] SEC_SELINUX_PORTING_COMMON obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ Loading
security/selinux/avc.c +0 −61 Original line number Diff line number Diff line Loading @@ -34,12 +34,6 @@ #include "avc_ss.h" #include "classmap.h" // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG #include <linux/signal.h> #endif // ] SEC_SELINUX_PORTING_COMMON #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 Loading Loading 
@@ -991,62 +985,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid, if (flags & AVC_STRICT) return -EACCES; // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */ if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) { char *scontext, *tcontext; const char **perms; int i, perm; int rc1, rc2; u32 scontext_len, tcontext_len; perms = secclass_map[tclass-1].perms; i = 0; perm = 1; while (i < (sizeof(requested) * 8)) { if ((perm & requested) && perms[i]) break; i++; perm <<= 1; } rc1 = security_sid_to_context(ssid, &scontext, &scontext_len); rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len); if (rc1 || rc2) { printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } else { printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } /* print call stack */ printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n"); dump_stack(); /* enforcing : SIGABRT and take debuggerd log */ if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) { printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n"); send_sig(SIGABRT, current, 2); } if (!rc1) kfree(scontext); if (!rc2) kfree(tcontext); } #endif #ifdef CONFIG_ALWAYS_ENFORCE if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) #else if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) #endif // ] SEC_SELINUX_PORTING_COMMON return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, Loading
security/selinux/exports.c +2 −10 Original line number Diff line number Diff line Loading @@ -19,24 +19,16 @@ bool selinux_is_enabled(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enabled; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enabled); bool selinux_is_enforcing(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #ifdef CONFIG_SECURITY_SELINUX_PERMISSIVE return false; #else return selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enforcing); No newline at end of file
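Review bot: With CONFIG_SECURITY_SELINUX_PERMISSIVE set, selinux_is_enforcing() now returns false unconditionally, while avc_denied() in the same series still decides on `selinux_enforcing`, so an out-of-tree caller of this exported helper can be told "permissive" while the AVC is actually denying (the two can also diverge if enforcing is later toggled at runtime, which this accessor no longer reflects). If the intent is a genuinely permissive kernel, the initial value of `selinux_enforcing` should be driven by the config rather than this accessor; if the divergence is intended, it should at least be documented on the ifdef, e.g. `/* Build-time override: report permissive even when selinux_enforcing is set; the AVC itself still honours selinux_enforcing. */`. The file also still ends without a trailing newline.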