From aaf36b28037eb99e2f405e2b19dc3a27b61cc054 Mon Sep 17 00:00:00 2001 From: Mohammad Afaneh Date: Sun, 29 May 2022 11:56:30 +0300 Subject: [PATCH] selinux: Add togglable selinux boot status --- security/selinux/Kconfig | 14 ++++++++++++++ security/selinux/selinuxfs.c | 29 +++++++++-------------------- 2 files changed, 23 insertions(+), 20 deletions(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 8297e48a2..0405565dd 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -71,6 +71,20 @@ config SECURITY_SELINUX_DEVELOP can interactively toggle the kernel between enforcing mode and permissive mode (if permitted by the policy) via /selinux/enforce. +config SECURITY_SELINUX_ALWAYS_ENFORCE + bool "NSA SELinux Always Enforcing" + depends on SECURITY_SELINUX_DEVELOP + default n + help + This option will prevent anything from setting SELinux to permissive. + +config SECURITY_SELINUX_ALWAYS_PERMISSIVE + bool "NSA SELinux Always Permissive" + depends on SECURITY_SELINUX_DEVELOP + default n + help + This option will prevent anything from setting SELinux to enforcing. + config SECURITY_SELINUX_AVC_STATS bool "NSA SELinux AVC Statistics" depends on SECURITY_SELINUX diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index fdcb62b25..fba9599d7 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -160,27 +160,16 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, new_value = !!new_value; old_value = enforcing_enabled(state); - // [ SEC_SELINUX_PORTING_COMMON -#ifdef CONFIG_ALWAYS_ENFORCE - // If build is user build and enforce option is set, selinux is always enforcing + +#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE + // If always enforce option is set, selinux is always enforcing new_value = 1; - length = avc_has_perm(&selinux_state, - current_sid(), SECINITSID_SECURITY, - SECCLASS_SECURITY, SECURITY__SETENFORCE, - NULL); - audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, - "enforcing=%d old_enforcing=%d auid=%u ses=%u" - " enabled=%d old-enabled=%d lsm=selinux res=1", - new_value, selinux_enforcing, - from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current), - selinux_enabled, selinux_enabled); - enforcing_set(state, new_value); - avc_ss_reset(state->avc, 0); - selnl_notify_setenforce(new_value); - selinux_status_update_setenforce(state, new_value); -#else - if (new_value != selinux_enforcing) { // SEC_SELINUX_PORTING_COMMON Change to use RKP +#elif defined(CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE) + // If always permissive option is set, selinux is always permissive + new_value = 0; +#endif + if (new_value != old_value) { + length = avc_has_perm(&selinux_state, current_sid(), SECINITSID_SECURITY, SECCLASS_SECURITY, SECURITY__SETENFORCE,