Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

security: selinux: Partially remove samsung changes 

Change-Id: I6dddda580ab07d5b1a7f408a538349d27ecf0569
This commit is contained in:
Luca Stefani 2017-04-18 12:51:52 +02:00
parent 98049851b6
commit 7432838118
13 changed files with 4 additions and 280 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
security/selinux/Kconfig
View File

@ -131,9 +131,3 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
installed under /etc/selinux/$SELINUXTYPE/policy, where
SELINUXTYPE is defined in your /etc/selinux/config.
config SEC_SELINUX
bool "SEC SELinux"
depends on SECURITY_SELINUX
default n
help
This option adds sec selinux feature

18
security/selinux/Makefile
View File

@ -2,24 +2,6 @@
# Makefile for building the SELinux module as part of the kernel tree.
#
# [ SEC_SELINUX_PORTING_COMMON
ifeq ($(TARGET_BUILD_VARIANT), eng)
ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), false)
ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
EXTRA_CFLAGS += -DSEC_SELINUX_DEBUG
endif
endif
endif
ifeq ($(TARGET_BUILD_VARIANT), user)
ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true)
ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
endif
endif
endif
# ] SEC_SELINUX_PORTING_COMMON
obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \

60
security/selinux/avc.c
View File

@ -34,12 +34,6 @@
#include "avc_ss.h"
#include "classmap.h"
// [ SEC_SELINUX_PORTING_COMMON
#ifdef SEC_SELINUX_DEBUG
#include <linux/signal.h>
#endif
// ] SEC_SELINUX_PORTING_COMMON
#define AVC_CACHE_SLOTS 512
#define AVC_DEF_CACHE_THRESHOLD 512
#define AVC_CACHE_RECLAIM 16
@ -996,61 +990,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
if (flags & AVC_STRICT)
return -EACCES;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef SEC_SELINUX_DEBUG
/* SEC_SELINUX : denied && auditallow means "never happen" at current sepolicy. Valid Enforcing denial only. */
if ( (requested & avd->auditallow) && selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE) ) {
char *scontext, *tcontext;
const char **perms;
int i, perm;
int rc1, rc2;
u32 scontext_len, tcontext_len;
perms = secclass_map[tclass-1].perms;
i = 0;
perm = 1;
while (i < (sizeof(requested) * 8)) {
if ((perm & requested) && perms[i])
break;
i++;
perm <<= 1;
}
rc1 = security_sid_to_context(ssid, &scontext, &scontext_len);
rc2 = security_sid_to_context(tsid, &tcontext, &tcontext_len);
if (rc1 || rc2) {
printk(KERN_ERR "SELinux DEBUG : %s: ssid=%d tsid=%d tclass=%s perm=%s requested(%d) auditallow(%d)\n",
__func__, ssid, tsid, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow);
}
else {
printk(KERN_ERR "SELinux DEBUG : %s: scontext=%s tcontext=%s tclass=%s perm=%s requested(%d) auditallow(%d)\n",
__func__, scontext, tcontext, secclass_map[tclass-1].name, perms[i], requested, avd->auditallow);
}
/* print call stack */
printk(KERN_ERR "SELinux DEBUG : FATAL denial and start dump_stack\n");
dump_stack();
/* enforcing : SIGABRT and take debuggerd log */
if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) {
printk(KERN_ERR "SELinux DEBUG : send SIGABRT to current tsk\n");
send_sig(SIGABRT, current, 2);
}
if (!rc1) kfree(scontext);
if (!rc2) kfree(tcontext);
}
#endif
#ifdef CONFIG_ALWAYS_ENFORCE
if (!(avd->flags & AVD_FLAGS_PERMISSIVE))
#else
if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
#endif
// ] SEC_SELINUX_PORTING_COMMON
return -EACCES;
avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid,

12
security/selinux/exports.c
View File

@ -19,24 +19,12 @@
bool selinux_is_enabled(void)
{
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
return true;
#else
return selinux_enabled;
#endif
// ] SEC_SELINUX_PORTING_COMMON
}
EXPORT_SYMBOL_GPL(selinux_is_enabled);
bool selinux_is_enforcing(void)
{
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
return true;
#else
return selinux_enforcing;
#endif
// ] SEC_SELINUX_PORTING_COMMON
}
EXPORT_SYMBOL_GPL(selinux_is_enforcing);

58
security/selinux/hooks.c
View File

@ -85,9 +85,6 @@
#include <linux/msg.h>
#include <linux/shm.h>
// [ SEC_SELINUX_PORTING_COMMON
#include <linux/delay.h>
// ] SEC_SELINUX_PORTING_COMMON
#include "avc.h"
#include "objsec.h"
@ -113,13 +110,7 @@ static int __init enforcing_setup(char *str)
{
unsigned long enforcing;
if (!strict_strtoul(str, 0, &enforcing))
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#else
selinux_enforcing = enforcing ? 1 : 0;
#endif
// ] SEC_SELINUX_PORTING_COMMON
return 1;
}
__setup("enforcing=", enforcing_setup);
@ -132,13 +123,7 @@ static int __init selinux_enabled_setup(char *str)
{
unsigned long enabled;
if (!strict_strtoul(str, 0, &enabled))
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#else
selinux_enabled = enabled ? 1 : 0;
#endif
// ] SEC_SELINUX_PORTING_COMMON
return 1;
}
__setup("selinux=", selinux_enabled_setup);
@ -2755,25 +2740,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
sid = cred_sid(cred);
isec = inode->i_security;
// [ SEC_SELINUX_PORTING_COMMON
/* skip sid == 1(kernel), it means first boot time */
if(isec->initialized != 1 && sid != 1) {
int count = 5;
while(count-- > 0) {
printk(KERN_ERR "SELinux : inode->i_security is not initialized. waiting...(%d/5)\n", 5-count);
udelay(500);
if(isec->initialized == 1) {
printk(KERN_ERR "SELinux : inode->i_security is INITIALIZED.\n");
break;
}
}
if(isec->initialized != 1) {
printk(KERN_ERR "SELinux : inode->i_security is not initialized. not fixed.\n");
}
}
// ] SEC_SELINUX_PORTING_COMMON
rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
audited = avc_audit_required(perms, &avd, rc,
from_access ? FILE__AUDIT_ACCESS : 0,
@ -4680,13 +4646,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
"SELinux: unrecognized netlink message"
" type=%hu for sclass=%hu\n",
nlh->nlmsg_type, sksec->sclass);
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
if (security_get_allow_unknown())
#else
if (!selinux_enforcing || security_get_allow_unknown())
#endif
// ] SEC_SELINUX_PORTING_COMMON
err = 0;
}
@ -5966,13 +5926,7 @@ static struct security_operations selinux_ops = {
static __init int selinux_init(void)
{
if (!security_module_enable(&selinux_ops)) {
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#else
selinux_enabled = 0;
#endif
// ] SEC_SELINUX_PORTING_COMMON
return 0;
}
@ -5998,11 +5952,7 @@ static __init int selinux_init(void)
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
else
@ -6079,11 +6029,7 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
static int __init selinux_nf_ip_init(void)
{
int err = 0;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enabled)
goto out;

6
security/selinux/include/security.h
View File

@ -129,13 +129,7 @@ struct extended_perms {
};
/* definitions of av_decision.flags */
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
#define AVD_FLAGS_PERMISSIVE 0x0000
#else
#define AVD_FLAGS_PERMISSIVE 0x0001
#endif
// ] SEC_SELINUX_PORTING_COMMON
void security_compute_av(u32 ssid, u32 tsid,
u16 tclass, struct av_decision *avd,

18
security/selinux/netif.c
View File

@ -274,24 +274,10 @@ static struct notifier_block sel_netif_netdev_notifier = {
.notifier_call = sel_netif_netdev_notifier_handler,
};
static int sel_netif_avc_callback(u32 event)
{
if (event == AVC_CALLBACK_RESET) {
sel_netif_flush();
synchronize_net();
}
return 0;
}
static __init int sel_netif_init(void)
{
int i, err;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enabled)
return 0;
@ -300,10 +286,6 @@ static __init int sel_netif_init(void)
register_netdevice_notifier(&sel_netif_netdev_notifier);
err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
if (err)
panic("avc_add_callback() failed, error %d\n", err);
return err;
}

18
security/selinux/netnode.c
View File

@ -299,25 +299,11 @@ void sel_netnode_flush(void)
spin_unlock_bh(&sel_netnode_lock);
}
static int sel_netnode_avc_callback(u32 event)
{
if (event == AVC_CALLBACK_RESET) {
sel_netnode_flush();
synchronize_net();
}
return 0;
}
static __init int sel_netnode_init(void)
{
int iter;
int ret;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enabled)
return 0;
@ -326,10 +312,6 @@ static __init int sel_netnode_init(void)
sel_netnode_hash[iter].size = 0;
}
ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET);
if (ret != 0)
panic("avc_add_callback() failed, error %d\n", ret);
return ret;
}

18
security/selinux/netport.c
View File

@ -235,25 +235,11 @@ void sel_netport_flush(void)
spin_unlock_bh(&sel_netport_lock);
}
static int sel_netport_avc_callback(u32 event)
{
if (event == AVC_CALLBACK_RESET) {
sel_netport_flush();
synchronize_net();
}
return 0;
}
static __init int sel_netport_init(void)
{
int iter;
int ret;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enabled)
return 0;
@ -262,10 +248,6 @@ static __init int sel_netport_init(void)
sel_netport_hash[iter].size = 0;
}
ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET);
if (ret != 0)
panic("avc_add_callback() failed, error %d\n", ret);
return ret;
}

35
security/selinux/selinuxfs.c
View File

@ -41,10 +41,6 @@
#include "objsec.h"
#include "conditional.h"
#if defined(CONFIG_TZ_ICCC)
#include <linux/security/iccc_interface.h>
#endif
/* Policy capability filenames */
static char *policycap_names[] = {
"network_peer_controls",
@ -171,21 +167,6 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
if (sscanf(page, "%d", &new_value) != 1)
goto out;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
// If build is user build and enforce option is set, selinux is always enforcing
new_value = 1;
length = task_has_security(current, SECURITY__SETENFORCE);
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"config_always_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u",
new_value, selinux_enforcing,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
selinux_enforcing = new_value;
avc_ss_reset(0);
selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(new_value);
#else
if (new_value != selinux_enforcing) {
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
@ -201,17 +182,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
selnl_notify_setenforce(selinux_enforcing);
selinux_status_update_setenforce(selinux_enforcing);
}
#endif
// ] SEC_SELINUX_PORTING_COMMON
length = count;
#if defined(CONFIG_TZ_ICCC)
if (selinux_enabled && selinux_enforcing)
Iccc_SaveData_Kernel(SELINUX_STATUS, 0x0);
else
Iccc_SaveData_Kernel(SELINUX_STATUS, 0x1);
#endif
out:
free_page((unsigned long) page);
return length;
@ -1923,11 +1894,7 @@ static struct kobject *selinuxfs_kobj;
static int __init init_sel_fs(void)
{
int err;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enabled = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enabled)
return 0;

10
security/selinux/ss/policydb.c
View File

@ -1514,11 +1514,6 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
goto bad;
return 0;
bad:
// [ SEC_SELINUX_PORTING_COMMON
#ifndef CONFIG_ALWAYS_ENFORCE
panic("SELinux:Failed to type read");
#endif /*CONFIG_ALWAYS_ENFORCE*/
// ] SEC_SELINUX_PORTING_COMMON
type_destroy(key, typdatum, NULL);
return rc;
}
@ -2569,11 +2564,6 @@ int policydb_read(struct policydb *p, void *fp)
out:
return rc;
bad:
// [ SEC_SELINUX_PORTING_COMMON
#ifndef CONFIG_ALWAYS_ENFORCE
panic("SELinux:Failed to load policy");
#endif /*CONFIG_ALWAYS_ENFORCE*/
// ] SEC_SELINUX_PORTING_COMMON
policydb_destroy(p);
goto out;
}

19
security/selinux/ss/services.c
View File

@ -772,11 +772,6 @@ out:
kfree(n);
kfree(t);
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enforcing)
return 0;
return -EPERM;
@ -1535,11 +1530,6 @@ out:
kfree(s);
kfree(t);
kfree(n);
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (!selinux_enforcing)
return 0;
return -EACCES;
@ -1831,11 +1821,6 @@ static inline int convert_context_handle_invalid_context(struct context *context
char *s;
u32 len;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
selinux_enforcing = 1;
#endif
// ] SEC_SELINUX_PORTING_COMMON
if (selinux_enforcing)
return -EINVAL;
@ -2526,7 +2511,6 @@ int security_fs_use(
{
int rc = 0;
struct ocontext *c;
u32 tmpsid;
read_lock(&policy_rwlock);
@ -2541,8 +2525,7 @@ int security_fs_use(
*behavior = c->v.behavior;
if (!c->sid[0]) {
rc = sidtab_context_to_sid(&sidtab, &c->context[0],
&tmpsid);
c->sid[0] = tmpsid;
&c->sid[0]);
if (rc)
goto out;
}

6
security/selinux/ss/status.c
View File

@ -58,13 +58,7 @@ struct page *selinux_kernel_status_page(void)
status->version = SELINUX_KERNEL_STATUS_VERSION;
status->sequence = 0;
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE
status->enforcing = 1;
#else
status->enforcing = selinux_enforcing;
#endif
// ] SEC_SELINUX_PORTING_COMMON
/*
* NOTE: the next policyload event shall set
* a positive value on the status->policyload,