Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d34e407a authored by Nick Kralevich's avatar Nick Kralevich
Browse files

init: remove support for disabled SELinux 

Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.

Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.

Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
parent 2b3a4939

init/Android.mk

+2 −2
Original line number Original line Diff line number Diff line
@@ -5,9 +5,9 @@ LOCAL_PATH:= $(call my-dir) 
# --

# --





ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_DISABLE_SELINUX=1

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1

else

else

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_DISABLE_SELINUX=0

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0

endif

endif





init_options += -DLOG_UEVENTS=0

init_options += -DLOG_UEVENTS=0

init/init.cpp

+11 −29
Original line number Original line Diff line number Diff line
@@ -860,7 +860,7 @@ static void selinux_init_all_handles(void) 
    sehandle_prop = selinux_android_prop_context_handle();

    sehandle_prop = selinux_android_prop_context_handle();

}

}





enum selinux_enforcing_status { SELINUX_DISABLED, SELINUX_PERMISSIVE, SELINUX_ENFORCING };

enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };





static selinux_enforcing_status selinux_status_from_cmdline() {

static selinux_enforcing_status selinux_status_from_cmdline() {

    selinux_enforcing_status status = SELINUX_ENFORCING;

    selinux_enforcing_status status = SELINUX_ENFORCING;
@@ -870,9 +870,7 @@ static selinux_enforcing_status selinux_status_from_cmdline() { 
        if (value == nullptr) { return; }

        if (value == nullptr) { return; }

        *value++ = '\0';

        *value++ = '\0';

        if (strcmp(name, "androidboot.selinux") == 0) {

        if (strcmp(name, "androidboot.selinux") == 0) {

            if (strcmp(value, "disabled") == 0) {

            if (strcmp(value, "permissive") == 0) {

                status = SELINUX_DISABLED;

            } else if (strcmp(value, "permissive") == 0) {

                status = SELINUX_PERMISSIVE;

                status = SELINUX_PERMISSIVE;

            }

            }

        }

        }
@@ -882,24 +880,9 @@ static selinux_enforcing_status selinux_status_from_cmdline() { 
    return status;

    return status;

}

}







static bool selinux_is_disabled(void)

{

    if (ALLOW_DISABLE_SELINUX) {

        if (access("/sys/fs/selinux", F_OK) != 0) {

            // SELinux is not compiled into the kernel, or has been disabled

            // via the kernel command line "selinux=0".

            return true;

        }

        return selinux_status_from_cmdline() == SELINUX_DISABLED;

    }



    return false;

}



static bool selinux_is_enforcing(void)

static bool selinux_is_enforcing(void)

{

{

    if (ALLOW_DISABLE_SELINUX) {

    if (ALLOW_PERMISSIVE_SELINUX) {

        return selinux_status_from_cmdline() == SELINUX_ENFORCING;

        return selinux_status_from_cmdline() == SELINUX_ENFORCING;

    }

    }

    return true;

    return true;
@@ -907,10 +890,6 @@ static bool selinux_is_enforcing(void) 




int selinux_reload_policy(void)

int selinux_reload_policy(void)

{

{

    if (selinux_is_disabled()) {

        return -1;

    }



    INFO("SELinux: Attempting to reload policy files\n");

    INFO("SELinux: Attempting to reload policy files\n");





    if (selinux_android_reload_policy() == -1) {

    if (selinux_android_reload_policy() == -1) {
@@ -947,10 +926,6 @@ static void selinux_initialize(bool in_kernel_domain) { 
    cb.func_audit = audit_callback;

    cb.func_audit = audit_callback;

    selinux_set_callback(SELINUX_CB_AUDIT, cb);

    selinux_set_callback(SELINUX_CB_AUDIT, cb);





    if (selinux_is_disabled()) {

        return;

    }



    if (in_kernel_domain) {

    if (in_kernel_domain) {

        INFO("Loading SELinux policy...\n");

        INFO("Loading SELinux policy...\n");

        if (selinux_android_load_policy() < 0) {

        if (selinux_android_load_policy() < 0) {
@@ -958,8 +933,15 @@ static void selinux_initialize(bool in_kernel_domain) { 
            security_failure();

            security_failure();

        }

        }





        bool kernel_enforcing = (security_getenforce() == 1);

        bool is_enforcing = selinux_is_enforcing();

        bool is_enforcing = selinux_is_enforcing();

        security_setenforce(is_enforcing);

        if (kernel_enforcing != is_enforcing) {

            if (security_setenforce(is_enforcing)) {

                ERROR("security_setenforce(%s) failed: %s\n",

                      is_enforcing ? "true" : "false", strerror(errno));

                security_failure();

            }

        }





        if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {

        if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {

            security_failure();

            security_failure();