Loading security/selinux_n/Makefile +0 −18 Original line number Diff line number Diff line Loading @@ -2,24 +2,6 @@ # Makefile for building the SELinux module as part of the kernel tree. # # [ SEC_SELINUX_PORTING_COMMON ifeq ($(TARGET_BUILD_VARIANT), eng) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG endif endif endif ifeq ($(TARGET_BUILD_VARIANT), user) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true endif endif endif # ] SEC_SELINUX_PORTING_COMMON obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ Loading security/selinux_n/avc.c +0 −61 Original line number Diff line number Diff line Loading @@ -34,12 +34,6 @@ #include "avc_ss.h" #include "classmap.h" // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG #include <linux/signal.h> #endif // ] SEC_SELINUX_PORTING_COMMON #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 Loading Loading 
@@ -992,62 +986,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid, if (flags & AVC_STRICT) return -EACCES; // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */ if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) { char *scontext, *tcontext; const char **perms; int i, perm; int rc1, rc2; u32 scontext_len, tcontext_len; perms = secclass_map[tclass-1].perms; i = 0; perm = 1; while (i < (sizeof(requested) * 8)) { if ((perm & requested) && perms[i]) break; i++; perm <<= 1; } rc1 = security_sid_to_context(ssid, &scontext, &scontext_len); rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len); if (rc1 || rc2) { printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } else { printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } /* print call stack */ printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n"); dump_stack(); /* enforcing : SIGABRT and take debuggerd log */ if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) { printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n"); send_sig(SIGABRT, current, 2); } if (!rc1) kfree(scontext); if (!rc2) kfree(tcontext); } #endif #ifdef CONFIG_ALWAYS_ENFORCE if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) #else if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) #endif // ] SEC_SELINUX_PORTING_COMMON return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, Loading security/selinux_n/exports.c +0 −12 Original line number Diff line number Diff line Loading 
@@ -19,24 +19,12 @@ bool selinux_is_enabled(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enabled; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enabled); bool selinux_is_enforcing(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enforcing); No newline at end of file security/selinux_n/hooks.c +5 −87 Original line number Diff line number Diff line Loading @@ -84,10 +84,6 @@ #include <linux/msg.h> #include <linux/shm.h> // [ SEC_SELINUX_PORTING_COMMON #include <linux/delay.h> // ] SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_LOD_SEC #include <linux/linux_on_dex.h> #endif Loading Loading 
@@ -192,54 +188,33 @@ unsigned int rkp_get_offset_bp_cred(void) /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); // [ SEC_SELINUX_PORTING_COMMON static DEFINE_MUTEX(selinux_sdcardfs_lock); // ] SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_SECURITY_SELINUX_DEVELOP // [ SEC_SELINUX_PORTING_COMMON #if defined(CONFIG_ALWAYS_ENFORCE) && defined(CONFIG_RKP_KDP) RKP_RO_AREA int selinux_enforcing; #else int selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON static int __init enforcing_setup(char *str) { unsigned long enforcing; if (!kstrtoul(str, 0, &enforcing)) // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enforcing = 1; #else selinux_enforcing = enforcing ? 1 : 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("enforcing=", enforcing_setup); #endif #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; static int __init selinux_enabled_setup(char *str) { unsigned long enabled; if (!kstrtoul(str, 0, &enabled)) // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #else selinux_enabled = enabled ? 1 : 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("selinux=", selinux_enabled_setup); #else RKP_RO_AREA int selinux_enabled = 1; int selinux_enabled = 1; #endif static struct kmem_cache *sel_inode_cache; Loading Loading 
@@ -2970,33 +2945,17 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) struct common_audit_data ad; int rc; #ifdef CONFIG_RKP_KDP if ((rc = security_integrity_current())) return rc; #endif /* CONFIG_RKP_KDP */ // [ SEC_SELINUX_PORTING_COMMON if((strcmp(sb->s_type->name,"sdcardfs")) == 0) mutex_lock(&selinux_sdcardfs_lock); rc = superblock_doinit(sb, data); if (rc) goto out; return rc; /* Allow all mounts performed by the kernel */ if (flags & MS_KERNMOUNT) goto out; return 0; ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = sb->s_root; rc = superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); out: if((strcmp(sb->s_type->name,"sdcardfs")) == 0) mutex_unlock(&selinux_sdcardfs_lock); // ] SEC_SELINUX_PORTING_COMMON return rc; return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); } static int selinux_sb_statfs(struct dentry *dentry) Loading Loading @@ -3322,25 +3281,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) sid = cred_sid(cred); isec = inode->i_security; // [ SEC_SELINUX_PORTING_COMMON /* skip sid == 1(kernel), it means first boot time */ if(isec->initialized != 1 && sid != 1) { int count = 5; while(count-- > 0) { printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count); udelay(500); if(isec->initialized == 1) { printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n"); break; } } if(isec->initialized != 1) { printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n"); } } // ] SEC_SELINUX_PORTING_COMMON rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); audited = avc_audit_required(perms, &avd, rc, from_access ? FILE__AUDIT_ACCESS : 0, Loading Loading 
@@ -5727,13 +5667,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) " protocol=%hu nlmsg_type=%hu sclass=%s\n", sk->sk_protocol, nlh->nlmsg_type, secclass_map[sksec->sclass - 1].name); // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE if (security_get_allow_unknown()) #else if (!selinux_enforcing || security_get_allow_unknown()) #endif // ] SEC_SELINUX_PORTING_COMMON err = 0; } Loading Loading @@ -7201,13 +7135,7 @@ RKP_RO_AREA static struct security_hook_list selinux_hooks[] = { static __init int selinux_init(void) { if (!security_module_enable("selinux")) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #else selinux_enabled = 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 0; } Loading Loading @@ -7235,11 +7163,6 @@ static __init int selinux_init(void) if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enforcing = 1; #endif // ] SEC_SELINUX_PORTING_COMMON if (selinux_enforcing) printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); else Loading Loading @@ -7306,11 +7229,6 @@ static struct nf_hook_ops selinux_nf_ops[] = { static int __init selinux_nf_ip_init(void) { int err; // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #endif // ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; Loading security/selinux_n/include/security.h +0 −6 Original line number Diff line number Diff line Loading @@ -134,13 +134,7 @@ struct extended_perms { }; /* definitions of av_decision.flags */ // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE #define AVD_FLAGS_PERMISSIVE 0x0000 #else #define AVD_FLAGS_PERMISSIVE 0x0001 #endif // ] SEC_SELINUX_PORTING_COMMON void security_compute_av(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd, Loading Loading
security/selinux_n/Makefile +0 −18 Original line number Diff line number Diff line Loading @@ -2,24 +2,6 @@ # Makefile for building the SELinux module as part of the kernel tree. # # [ SEC_SELINUX_PORTING_COMMON ifeq ($(TARGET_BUILD_VARIANT), eng) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG endif endif endif ifeq ($(TARGET_BUILD_VARIANT), user) ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true) ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true) EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true endif endif endif # ] SEC_SELINUX_PORTING_COMMON obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ Loading
security/selinux_n/avc.c +0 −61 Original line number Diff line number Diff line Loading @@ -34,12 +34,6 @@ #include "avc_ss.h" #include "classmap.h" // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG #include <linux/signal.h> #endif // ] SEC_SELINUX_PORTING_COMMON #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 Loading Loading 
@@ -992,62 +986,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid, if (flags & AVC_STRICT) return -EACCES; // [ SEC_SELINUX_PORTING_COMMON #ifdef SEC_SELINUX_DEBUG /* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */ if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) { char *scontext, *tcontext; const char **perms; int i, perm; int rc1, rc2; u32 scontext_len, tcontext_len; perms = secclass_map[tclass-1].perms; i = 0; perm = 1; while (i < (sizeof(requested) * 8)) { if ((perm & requested) && perms[i]) break; i++; perm <<= 1; } rc1 = security_sid_to_context(ssid, &scontext, &scontext_len); rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len); if (rc1 || rc2) { printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } else { printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n", __func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow); } /* print call stack */ printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n"); dump_stack(); /* enforcing : SIGABRT and take debuggerd log */ if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) { printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n"); send_sig(SIGABRT, current, 2); } if (!rc1) kfree(scontext); if (!rc2) kfree(tcontext); } #endif #ifdef CONFIG_ALWAYS_ENFORCE if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) #else if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) #endif // ] SEC_SELINUX_PORTING_COMMON return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, Loading
security/selinux_n/exports.c +0 −12 Original line number Diff line number Diff line Loading @@ -19,24 +19,12 @@ bool selinux_is_enabled(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enabled; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enabled); bool selinux_is_enforcing(void) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE return true; #else return selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON } EXPORT_SYMBOL_GPL(selinux_is_enforcing); No newline at end of file
security/selinux_n/hooks.c +5 −87 Original line number Diff line number Diff line Loading @@ -84,10 +84,6 @@ #include <linux/msg.h> #include <linux/shm.h> // [ SEC_SELINUX_PORTING_COMMON #include <linux/delay.h> // ] SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_LOD_SEC #include <linux/linux_on_dex.h> #endif Loading Loading @@ -192,54 +188,33 @@ unsigned int rkp_get_offset_bp_cred(void) /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); // [ SEC_SELINUX_PORTING_COMMON static DEFINE_MUTEX(selinux_sdcardfs_lock); // ] SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_SECURITY_SELINUX_DEVELOP // [ SEC_SELINUX_PORTING_COMMON #if defined(CONFIG_ALWAYS_ENFORCE) && defined(CONFIG_RKP_KDP) RKP_RO_AREA int selinux_enforcing; #else int selinux_enforcing; #endif // ] SEC_SELINUX_PORTING_COMMON static int __init enforcing_setup(char *str) { unsigned long enforcing; if (!kstrtoul(str, 0, &enforcing)) // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enforcing = 1; #else selinux_enforcing = enforcing ? 1 : 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("enforcing=", enforcing_setup); #endif #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM RKP_RO_AREA int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; static int __init selinux_enabled_setup(char *str) { unsigned long enabled; if (!kstrtoul(str, 0, &enabled)) // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #else selinux_enabled = enabled ? 1 : 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 1; } __setup("selinux=", selinux_enabled_setup); #else RKP_RO_AREA int selinux_enabled = 1; int selinux_enabled = 1; #endif static struct kmem_cache *sel_inode_cache; Loading Loading 
@@ -2970,33 +2945,17 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) struct common_audit_data ad; int rc; #ifdef CONFIG_RKP_KDP if ((rc = security_integrity_current())) return rc; #endif /* CONFIG_RKP_KDP */ // [ SEC_SELINUX_PORTING_COMMON if((strcmp(sb->s_type->name,"sdcardfs")) == 0) mutex_lock(&selinux_sdcardfs_lock); rc = superblock_doinit(sb, data); if (rc) goto out; return rc; /* Allow all mounts performed by the kernel */ if (flags & MS_KERNMOUNT) goto out; return 0; ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = sb->s_root; rc = superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); out: if((strcmp(sb->s_type->name,"sdcardfs")) == 0) mutex_unlock(&selinux_sdcardfs_lock); // ] SEC_SELINUX_PORTING_COMMON return rc; return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); } static int selinux_sb_statfs(struct dentry *dentry) Loading Loading @@ -3322,25 +3281,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) sid = cred_sid(cred); isec = inode->i_security; // [ SEC_SELINUX_PORTING_COMMON /* skip sid == 1(kernel), it means first boot time */ if(isec->initialized != 1 && sid != 1) { int count = 5; while(count-- > 0) { printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count); udelay(500); if(isec->initialized == 1) { printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n"); break; } } if(isec->initialized != 1) { printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n"); } } // ] SEC_SELINUX_PORTING_COMMON rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); audited = avc_audit_required(perms, &avd, rc, from_access ? FILE__AUDIT_ACCESS : 0, Loading Loading 
@@ -5727,13 +5667,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) " protocol=%hu nlmsg_type=%hu sclass=%s\n", sk->sk_protocol, nlh->nlmsg_type, secclass_map[sksec->sclass - 1].name); // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE if (security_get_allow_unknown()) #else if (!selinux_enforcing || security_get_allow_unknown()) #endif // ] SEC_SELINUX_PORTING_COMMON err = 0; } Loading Loading @@ -7201,13 +7135,7 @@ RKP_RO_AREA static struct security_hook_list selinux_hooks[] = { static __init int selinux_init(void) { if (!security_module_enable("selinux")) { // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #else selinux_enabled = 0; #endif // ] SEC_SELINUX_PORTING_COMMON return 0; } Loading Loading @@ -7235,11 +7163,6 @@ static __init int selinux_init(void) if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enforcing = 1; #endif // ] SEC_SELINUX_PORTING_COMMON if (selinux_enforcing) printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); else Loading Loading @@ -7306,11 +7229,6 @@ static struct nf_hook_ops selinux_nf_ops[] = { static int __init selinux_nf_ip_init(void) { int err; // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE selinux_enabled = 1; #endif // ] SEC_SELINUX_PORTING_COMMON if (!selinux_enabled) return 0; Loading
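Review bot: Two RKP/KDP protections that sit outside the `// [ SEC_SELINUX_PORTING_COMMON` markers appear to be removed along with the marked code, so this change does more than drop the always-enforce port. In selinux_sb_kern_mount the `#ifdef CONFIG_RKP_KDP` / `if ((rc = security_integrity_current())) return rc;` / `#endif` guard ahead of superblock_doinit() is gone. Both `selinux_enabled` definitions also lose `RKP_RO_AREA` while `selinux_hooks[]` further down keeps it, so on a build that still sets CONFIG_RKP_KDP the enable flag becomes ordinary writable kernel data and the mount hook no longer calls security_integrity_current(). If that is intended, state it in the commit message and in a comment above the definitions, e.g. `/* not RKP-protected: selinux= and enforcing= boot parameters are honoured again */`; otherwise keep the three-line guard and the `RKP_RO_AREA` qualifier. Which lines are added or removed is inferred from the +5 −87 count on this rendered page, and whether other hooks in hooks.c still call security_integrity_current() is not visible here.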
security/selinux_n/include/security.h +0 −6 Original line number Diff line number Diff line Loading @@ -134,13 +134,7 @@ struct extended_perms { }; /* definitions of av_decision.flags */ // [ SEC_SELINUX_PORTING_COMMON #ifdef CONFIG_ALWAYS_ENFORCE #define AVD_FLAGS_PERMISSIVE 0x0000 #else #define AVD_FLAGS_PERMISSIVE 0x0001 #endif // ] SEC_SELINUX_PORTING_COMMON void security_compute_av(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd, Loading