patch: selinux enforce/permissive patch

original patch: jcadduono/nethunter_kernel_herolte@2af9cf4
	adapted patch: lyapota/s7e_marshmallow@1673195
	adapted patch: Tkkg1994/SuperKernel@ab9d79d
HackerOO7 2016-08-18 14:00:13 +08:00
parent 09c11af8e7
commit ce658c9e52
16 changed files with 83 additions and 38 deletions

.gitignore vendored

@ -85,3 +85,4 @@ GTAGS
\#*# \#*#
/build/ /build/
out/

arch/arm64/configs/heroqlte_chnzc_defconfig Normal file → Executable file

@ -4577,6 +4577,8 @@ CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE is not set
CONFIG_SECURITY_SELINUX_NEVER_ENFORCE=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
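Review bot: This defconfig selects CONFIG_SECURITY_SELINUX_NEVER_ENFORCE=y, which per the Kconfig help added in this commit prevents anything from setting SELinux to enforcing, so this device configuration ships permanently permissive and the /selinux/enforce toggle described under SECURITY_SELINUX_DEVELOP no longer has any effect on it. That is a build-time decision that cannot be reversed at runtime, yet neither the commit description nor the config records why this device gets the permissive-only variant. I would add a sentence to the commit description such as `heroqlte_chnzc: built NEVER_ENFORCE, i.e. avc_denied() never returns -EACCES on this device`, since a defconfig comment would be dropped by savedefconfig.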


@ -65,6 +65,20 @@ config SECURITY_SELINUX_DEVELOP
can interactively toggle the kernel between enforcing mode and can interactively toggle the kernel between enforcing mode and
permissive mode (if permitted by the policy) via /selinux/enforce. permissive mode (if permitted by the policy) via /selinux/enforce.
config SECURITY_SELINUX_ALWAYS_ENFORCE
bool "NSA SELinux Always Enforcing"
depends on SECURITY_SELINUX_DEVELOP
default n
help
This option will prevent anything from setting SELinux to permissive.
config SECURITY_SELINUX_NEVER_ENFORCE
bool "NSA SELinux Never Enforcing"
depends on SECURITY_SELINUX_DEVELOP
default n
help
This option will prevent anything from setting SELinux to enforcing.
config SECURITY_SELINUX_AVC_STATS config SECURITY_SELINUX_AVC_STATS
bool "NSA SELinux AVC Statistics" bool "NSA SELinux AVC Statistics"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX
@ -74,6 +88,16 @@ config SECURITY_SELINUX_AVC_STATS
/selinux/avc/cache_stats, which may be monitored via /selinux/avc/cache_stats, which may be monitored via
tools such as avcstat. tools such as avcstat.
config SECURITY_SELINUX_ENFORCING
int "NSA SELinux Enforcing default value"
depends on SECURITY_SELINUX && !SECURITY_SELINUX_DEVELOP
range 0 1
default 1
help
This option sets the value of selinux_enforcing, permanently
deciding whether the kernel should run in enforcing or
permissive mode.
config SECURITY_SELINUX_CHECKREQPROT_VALUE config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value" int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX
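Review bot: Nothing stops SECURITY_SELINUX_ALWAYS_ENFORCE and SECURITY_SELINUX_NEVER_ENFORCE from being enabled together; both entries only carry `depends on SECURITY_SELINUX_DEVELOP`. The C sites in this commit resolve the clash by testing ALWAYS_ENFORCE first (the avc_denied, selinux_is_enforcing and selinux_kernel_status_page hunks), so a config with both set silently becomes always-enforcing, the opposite of what someone who just turned on NEVER_ENFORCE expects. Make them mutually exclusive, e.g. `depends on SECURITY_SELINUX_DEVELOP && !SECURITY_SELINUX_ALWAYS_ENFORCE` on the NEVER_ENFORCE entry (or a `choice` block with an "off" default), and state in both help texts that the option fixes the mode at build time so the enforcing= boot parameter and writes to /selinux/enforce are ignored.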


@ -11,12 +11,6 @@ endif
endif endif
endif endif
ifeq ($(SEC_BUILD_OPTION_PRODUCT_SHIP), true)
ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
endif
endif
obj-$(CONFIG_SECURITY_SELINUX) := selinux.o obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \


@ -1052,12 +1052,13 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
} }
#endif #endif
#ifdef CONFIG_ALWAYS_ENFORCE #if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
if (!(avd->flags & AVD_FLAGS_PERMISSIVE)) if (!(avd->flags & AVD_FLAGS_PERMISSIVE))
#else
if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
#endif
return -EACCES; return -EACCES;
#elif !defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
return -EACCES;
#endif
avc_update_node(AVC_CALLBACK_GRANT, requested, cmd, ssid, avc_update_node(AVC_CALLBACK_GRANT, requested, cmd, ssid,
tsid, tclass, avd->seqno, NULL, flags); tsid, tclass, avd->seqno, NULL, flags);
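Review bot: The new `#if` chain in avc_denied needs a comment, because two of its consequences are not visible from this function: in the ALWAYS_ENFORCE build the avc.h hunk of this commit defines AVD_FLAGS_PERMISSIVE as 0x0000, so `!(avd->flags & AVD_FLAGS_PERMISSIVE)` is always true and policy-declared permissive domains are denied too; and in the NEVER_ENFORCE build the function never returns -EACCES no matter what selinux_enforcing holds. I would put `/* ALWAYS_ENFORCE: AVD_FLAGS_PERMISSIVE is 0, so per-domain permissive is ignored; NEVER_ENFORCE: a denial is never turned into -EACCES */` above the `#if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)` line. The rest of avc_denied starts above this hunk.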


@ -19,7 +19,7 @@
bool selinux_is_enabled(void) bool selinux_is_enabled(void)
{ {
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
return true; return true;
#else #else
return selinux_enabled; return selinux_enabled;
@ -29,8 +29,10 @@ EXPORT_SYMBOL_GPL(selinux_is_enabled);
bool selinux_is_enforcing(void) bool selinux_is_enforcing(void)
{ {
#ifdef CONFIG_ALWAYS_ENFORCE #if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
return true; return true;
#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
return false;
#else #else
return selinux_enforcing; return selinux_enforcing;
#endif #endif


@ -186,8 +186,10 @@ static int __init enforcing_setup(char *str)
{ {
unsigned long enforcing; unsigned long enforcing;
if (!kstrtoul(str, 0, &enforcing)) if (!kstrtoul(str, 0, &enforcing))
#ifdef CONFIG_ALWAYS_ENFORCE #if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
selinux_enforcing = 1; selinux_enforcing = 1;
#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
selinux_enforcing = 0;
#else #else
selinux_enforcing = enforcing ? 1 : 0; selinux_enforcing = enforcing ? 1 : 0;
#endif #endif
@ -203,7 +205,7 @@ static int __init selinux_enabled_setup(char *str)
{ {
unsigned long enabled; unsigned long enabled;
if (!kstrtoul(str, 0, &enabled)) if (!kstrtoul(str, 0, &enabled))
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#else #else
selinux_enabled = enabled ? 1 : 0; selinux_enabled = enabled ? 1 : 0;
@ -5714,7 +5716,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
"SELinux: unrecognized netlink message:" "SELinux: unrecognized netlink message:"
" protocol=%hu nlmsg_type=%hu sclass=%hu\n", " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
sk->sk_protocol, nlh->nlmsg_type, sksec->sclass); sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
if (security_get_allow_unknown()) if (security_get_allow_unknown())
#else #else
if (!selinux_enforcing || security_get_allow_unknown()) if (!selinux_enforcing || security_get_allow_unknown())
@ -7201,7 +7203,7 @@ static struct security_operations selinux_ops = {
static __init int selinux_init(void) static __init int selinux_init(void)
{ {
if (!security_module_enable(&selinux_ops)) { if (!security_module_enable(&selinux_ops)) {
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#else #else
selinux_enabled = 0; selinux_enabled = 0;
@ -7231,8 +7233,10 @@ static __init int selinux_init(void)
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n"); panic("SELinux: Unable to register AVC netcache callback\n");
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enforcing = 1; selinux_enforcing = 1;
#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
selinux_enforcing = 0;
#endif #endif
if (selinux_enforcing) if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
@ -7305,7 +7309,7 @@ static struct nf_hook_ops selinux_nf_ops[] = {
static int __init selinux_nf_ip_init(void) static int __init selinux_nf_ip_init(void)
{ {
int err; int err;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#endif #endif
if (!selinux_enabled) if (!selinux_enabled)
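Review bot: In enforcing_setup the ALWAYS_ENFORCE and NEVER_ENFORCE branches keep the `if (!kstrtoul(str, 0, &enforcing))` guard but discard the parsed value, so `enforcing=0` on an always-enforcing kernel (or `enforcing=1` on a never-enforcing one) is accepted with no diagnostic; in the NEVER_ENFORCE case the later "Starting in enforcing mode" printk can never fire either, because selinux_init forces selinux_enforcing to 0 just before it. A one-line `pr_info("SELinux: enforcing= ignored, mode is fixed at build time\n");` in those two branches would make the dropped parameter visible. Separately, selinux_nlmsg_perm in this file still decides on the runtime `selinux_enforcing` value while avc.c now uses a preprocessor gate; that only stays consistent because every writer of the variable is forced the same way, which deserves a comment at the `if (!selinux_enforcing || security_get_allow_unknown())` line. enforcing_setup's body continues outside the hunk.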


@ -22,7 +22,7 @@
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
extern int selinux_enforcing; extern int selinux_enforcing;
#else #else
#define selinux_enforcing 1 #define selinux_enforcing CONFIG_SECURITY_SELINUX_ENFORCING
#endif #endif
/* /*


@ -137,7 +137,7 @@ struct operation {
/* definitions of av_decision.flags */ /* definitions of av_decision.flags */
// START_SEC_SELINUX_PORTING_COMMON // START_SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
#define AVD_FLAGS_PERMISSIVE 0x0000 #define AVD_FLAGS_PERMISSIVE 0x0000
#else #else
#define AVD_FLAGS_PERMISSIVE 0x0001 #define AVD_FLAGS_PERMISSIVE 0x0001


@ -278,7 +278,7 @@ static __init int sel_netif_init(void)
{ {
int i; int i;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#endif #endif


@ -305,7 +305,7 @@ static __init int sel_netnode_init(void)
{ {
int iter; int iter;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#endif #endif


@ -239,7 +239,7 @@ static __init int sel_netport_init(void)
{ {
int iter; int iter;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enabled = 1; selinux_enabled = 1;
#endif #endif


@ -173,7 +173,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
if (sscanf(page, "%d", &new_value) != 1) if (sscanf(page, "%d", &new_value) != 1)
goto out; goto out;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
// If build is user build and enforce option is set, selinux is always enforcing // If build is user build and enforce option is set, selinux is always enforcing
new_value = 1; new_value = 1;
length = task_has_security(current, SECURITY__SETENFORCE); length = task_has_security(current, SECURITY__SETENFORCE);
@ -186,6 +186,18 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
avc_ss_reset(0); avc_ss_reset(0);
selnl_notify_setenforce(new_value); selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(new_value); selinux_status_update_setenforce(new_value);
#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
// If build is user build and permissive option is set, selinux is always permissive
new_value = 0;
length = task_has_security(current, SECURITY__SETENFORCE);
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"config_never_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u",
new_value, selinux_enforcing,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
selinux_enforcing = new_value;
selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(new_value);
#else #else
if (new_value != selinux_enforcing) { if (new_value != selinux_enforcing) {
length = task_has_security(current, SECURITY__SETENFORCE); length = task_has_security(current, SECURITY__SETENFORCE);
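Review bot: In the new NEVER_ENFORCE branch of sel_write_enforce the result of `task_has_security(current, SECURITY__SETENFORCE)` is stored in length but never tested, so a writer that lacks the setenforce permission still produces the AUDIT_MAC_STATUS record and the selnl_notify_setenforce() / selinux_status_update_setenforce() side effects, and `length` presumably carries that error out of the function afterwards. Add `if (length) goto out;` immediately after the permission check; the unchanged `#else` branch's own handling of its call continues past the end of this hunk, so I cannot tell from here whether it does the same. The branch also omits the `avc_ss_reset(0)` that the ALWAYS_ENFORCE branch performs; if that is intentional because the mode never changes, a short comment saying so would avoid the question next time.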


@ -1500,9 +1500,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
goto bad; goto bad;
return 0; return 0;
bad: bad:
#ifndef CONFIG_ALWAYS_ENFORCE #ifndef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
panic("SELinux:Failed to type read"); panic("SELinux:Failed to type read");
#endif /*CONFIG_ALWAYS_ENFORCE*/ #endif /*CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE*/
type_destroy(key, typdatum, NULL); type_destroy(key, typdatum, NULL);
return rc; return rc;
} }
@ -2511,9 +2511,9 @@ int policydb_read(struct policydb *p, void *fp)
out: out:
return rc; return rc;
bad: bad:
#ifndef CONFIG_ALWAYS_ENFORCE #ifndef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
panic("SELinux:Failed to load policy"); panic("SELinux:Failed to load policy");
#endif /*CONFIG_ALWAYS_ENFORCE*/ #endif /*CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE*/
policydb_destroy(p); policydb_destroy(p);
goto out; goto out;
} }
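Review bot: Both panic() calls here are guarded by `#ifndef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE`, so with the defconfig in this commit selecting NEVER_ENFORCE an unparsable policy still takes the whole kernel down, while the always-enforcing build, where running without a valid policy is the more serious case, falls through to the cleanup and returns rc. The sense of that guard reads as inverted relative to the option names; the commit only renames the macro, so if the behaviour is deliberate (for instance because the enforcing build relies on the caller rejecting the failed load) a comment above each `#ifndef` stating that should go in now, and if not, the guard needs re-examining before more devices are built permissive-only. type_read and policydb_read both start above these hunks.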


@ -771,12 +771,13 @@ out:
kfree(n); kfree(n);
kfree(t); kfree(t);
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enforcing = 1; return -EPERM;
#endif #else
if (!selinux_enforcing) if (!selinux_enforcing)
return 0; return 0;
return -EPERM; return -EPERM;
#endif
} }
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
@ -1526,12 +1527,13 @@ out:
kfree(t); kfree(t);
kfree(n); kfree(n);
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enforcing = 1; return -EACCES;
#endif #else
if (!selinux_enforcing) if (!selinux_enforcing)
return 0; return 0;
return -EACCES; return -EACCES;
#endif
} }
static void filename_compute_type(struct policydb *p, struct context *newcontext, static void filename_compute_type(struct policydb *p, struct context *newcontext,
@ -1820,9 +1822,9 @@ static inline int convert_context_handle_invalid_context(struct context *context
char *s; char *s;
u32 len; u32 len;
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
selinux_enforcing = 1; return -EINVAL;
#endif #else
if (selinux_enforcing) if (selinux_enforcing)
return -EINVAL; return -EINVAL;
@ -1831,6 +1833,7 @@ static inline int convert_context_handle_invalid_context(struct context *context
kfree(s); kfree(s);
} }
return 0; return 0;
#endif
} }
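Review bot: In convert_context_handle_invalid_context the ALWAYS_ENFORCE branch now returns -EINVAL immediately, but the declarations `char *s;` and `u32 len;` just above it stay outside the `#ifdef`, so in that build both locals are declared and never used and gcc will warn (-Wunused-variable, which is an error under -Werror). Move the `#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE` / `return -EINVAL;` / `#else` lines above the two declarations so that the whole body, locals included, sits inside the `#else`. The two earlier hunks in this file (returning -EPERM and -EACCES after the kfree() calls) do not have this problem because their locals are already consumed by then. The function's signature and the start of its body are above this hunk.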
struct convert_context_args { struct convert_context_args {


@ -58,8 +58,10 @@ struct page *selinux_kernel_status_page(void)
status->version = SELINUX_KERNEL_STATUS_VERSION; status->version = SELINUX_KERNEL_STATUS_VERSION;
status->sequence = 0; status->sequence = 0;
#ifdef CONFIG_ALWAYS_ENFORCE #if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
status->enforcing = 1; status->enforcing = 1;
#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
status->enforcing = 0;
#else #else
status->enforcing = selinux_enforcing; status->enforcing = selinux_enforcing;
#endif #endif