Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 63594a4d authored by Alistair Delva's avatar Alistair Delva
Browse files

Allow selinux to be set by bootconfig 

The androidboot.selinux property is loaded in a special way, because it
happens in the "selinux_setup" stage, and not the true second stage.
Allow it to be passed through bootconfig instead of only via the kernel
cmdline.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive
Test: launch_cvd -guest_enforce_security=false [bootconfig method]
[..]
init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.
[..]
Change-Id: I92003c7a2dac5d6e7d0e0f4ee2757f86cc0087c7
parent 3bb240bd

init/selinux.cpp

+10 −2
Original line number Diff line number Diff line
@@ -92,7 +92,7 @@ namespace { 


enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };



EnforcingStatus StatusFromCmdline() {

EnforcingStatus StatusFromProperty() {

    EnforcingStatus status = SELINUX_ENFORCING;



    ImportKernelCmdline([&](const std::string& key, const std::string& value) {
@@ -101,12 +101,20 @@ EnforcingStatus StatusFromCmdline() { 
        }

    });



    if (status == SELINUX_ENFORCING) {

        ImportBootconfig([&](const std::string& key, const std::string& value) {

            if (key == "androidboot.selinux" && value == "permissive") {

                status = SELINUX_PERMISSIVE;

            }

        });

    }



    return status;

}



bool IsEnforcing() {

    if (ALLOW_PERMISSIVE_SELINUX) {

        return StatusFromCmdline() == SELINUX_ENFORCING;

        return StatusFromProperty() == SELINUX_ENFORCING;

    }

    return true;

}