Revert "[TEMP] selinux: enforce permissive" (afb5aa5c) · Commits · e / devices / samsung / android_kernel_samsung_exynos7420

arch/arm64/configs/lineageos_zerofltexx_defconfig

+0 −5

Original line number	Original line	Diff line number	Diff line
	@@ -4419,11 +4419,6 @@ CONFIG_SECURITY_SELINUX_DEVELOP=y
	CONFIG_SECURITY_SELINUX_AVC_STATS=y		CONFIG_SECURITY_SELINUX_AVC_STATS=y
	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1		CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
	# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set		# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
	# CONFIG_SECURITY_SELINUX_DEFAULT_ENFORCE is not set
	# CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE is not set
	CONFIG_SECURITY_SELINUX_DEFAULT_PERMISSIVE=y
	# CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE is not set
	CONFIG_SECURITY_SELINUX_PRETEND_ENFORCE=y
	# CONFIG_SECURITY_SMACK is not set		# CONFIG_SECURITY_SMACK is not set
	# CONFIG_SECURITY_TOMOYO is not set		# CONFIG_SECURITY_TOMOYO is not set
	# CONFIG_SECURITY_APPARMOR is not set		# CONFIG_SECURITY_APPARMOR is not set

+0 −5

Original line number	Original line	Diff line number	Diff line
	@@ -4419,11 +4419,6 @@ CONFIG_SECURITY_SELINUX_DEVELOP=y
	CONFIG_SECURITY_SELINUX_AVC_STATS=y		CONFIG_SECURITY_SELINUX_AVC_STATS=y
	CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1		CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
	# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set		# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
	# CONFIG_SECURITY_SELINUX_DEFAULT_ENFORCE is not set
	# CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE is not set
	CONFIG_SECURITY_SELINUX_DEFAULT_PERMISSIVE=y
	# CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE is not set
	CONFIG_SECURITY_SELINUX_PRETEND_ENFORCE=y
	# CONFIG_SECURITY_SMACK is not set		# CONFIG_SECURITY_SMACK is not set
	# CONFIG_SECURITY_TOMOYO is not set		# CONFIG_SECURITY_TOMOYO is not set
	# CONFIG_SECURITY_APPARMOR is not set		# CONFIG_SECURITY_APPARMOR is not set

+0 −36

Original line number	Original line	Diff line number	Diff line
	@@ -131,39 +131,3 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
	installed under /etc/selinux/$SELINUXTYPE/policy, where		installed under /etc/selinux/$SELINUXTYPE/policy, where
	SELINUXTYPE is defined in your /etc/selinux/config.		SELINUXTYPE is defined in your /etc/selinux/config.

	config SECURITY_SELINUX_DEFAULT_ENFORCE
	bool "NSA SELinux use Enforced as default"
	depends on SECURITY_SELINUX
	default n
	help
	Uses "Enforced" as the state while initializing

	config SECURITY_SELINUX_ALWAYS_ENFORCE
	bool "NSA SELinux always use Enforced"
	depends on SECURITY_SELINUX
	default n
	help
	Always use the "Enforced"-state, ignoring any changes requested
	by the user or the kernel

	config SECURITY_SELINUX_DEFAULT_PERMISSIVE
	bool "NSA SELinux use Permissive as default"
	depends on SECURITY_SELINUX
	default n
	help
	Uses "Permissive" as the state while initializing

	config SECURITY_SELINUX_ALWAYS_PERMISSIVE
	bool "NSA SELinux always use Permissive"
	depends on SECURITY_SELINUX
	default n
	help
	Always use the "Permissive"-state, ignoring any changes requested
	by the user or the kernel

	config SECURITY_SELINUX_PRETEND_ENFORCE
	bool "NSA SELinux pretend to be Enforced"
	depends on SECURITY_SELINUX
	default n
	help
	Pretends to use the "Enforced"-state, regarding the current state

+3 −17

Original line number	Original line	Diff line number	Diff line
	@@ -2,24 +2,10 @@
	# Makefile for building the SELinux module as part of the kernel tree.		# Makefile for building the SELinux module as part of the kernel tree.
	#		#

	ifeq ($(CONFIG_SECURITY_SELINUX_DEFAULT_PERMISSIVE),y)		ifeq ($(TARGET_BUILD_VARIANT), user)
	EXTRA_CFLAGS += -DSELINUX_DEFAULT_PERMISSIVE=true		ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP),true)
			EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
	endif		endif

	ifeq ($(CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE),y)
	EXTRA_CFLAGS += -DSELINUX_ALWAYS_PERMISSIVE=true
	endif

	ifeq ($(CONFIG_SECURITY_SELINUX_DEFAULT_ENFORCE),y)
	EXTRA_CFLAGS += -DSELINUX_DEFAULT_ENFORCE=true
	endif

	ifeq ($(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE),y)
	EXTRA_CFLAGS += -DSELINUX_ALWAYS_ENFORCE=true
	endif

	ifeq ($(CONFIG_SECURITY_SELINUX_PRETEND_ENFORCE),y)
	EXTRA_CFLAGS += -DSELINUX_PRETEND_ENFORCE=true
	endif		endif

	obj-$(CONFIG_SECURITY_SELINUX) := selinux.o		obj-$(CONFIG_SECURITY_SELINUX) := selinux.o

+2 −5

Original line number	Original line	Diff line number	Diff line
	@@ -19,8 +19,7 @@

	bool selinux_is_enabled(void)		bool selinux_is_enabled(void)
	{		{
	#if defined(SELINUX_ALWAYS_ENFORCE) \|\| \		#ifdef CONFIG_ALWAYS_ENFORCE
	defined(SELINUX_ALWAYS_PERMISSIVE)
	return true;		return true;
	#else		#else
	return selinux_enabled;		return selinux_enabled;
	@@ -30,10 +29,8 @@ EXPORT_SYMBOL_GPL(selinux_is_enabled);

	bool selinux_is_enforcing(void)		bool selinux_is_enforcing(void)
	{		{
	#if defined(SELINUX_ALWAYS_ENFORCE)		#ifdef CONFIG_ALWAYS_ENFORCE
	return true;		return true;
	#elif defined(SELINUX_ALWAYS_PERMISSIVE)
	return false;
	#else		#else
	return selinux_enforcing;		return selinux_enforcing;
	#endif		#endif