aubrey/kernel_samsung_a34x-permissive
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

selinux: Add togglable selinux boot status

Browse source
This commit is contained in:
Mohammad Afaneh 2022-05-29 11:56:30 +03:00 committed by dmpstr
parent a4195b3e8b
commit aaf36b2803
2 changed files with 23 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
security/selinux/Kconfig
View file

@ -71,6 +71,20 @@ config SECURITY_SELINUX_DEVELOP
can interactively toggle the kernel between enforcing mode and can interactively toggle the kernel between enforcing mode and
permissive mode (if permitted by the policy) via /selinux/enforce. permissive mode (if permitted by the policy) via /selinux/enforce.
config SECURITY_SELINUX_ALWAYS_ENFORCE
bool "NSA SELinux Always Enforcing"
depends on SECURITY_SELINUX_DEVELOP
default n
help
This option will prevent anything from setting SELinux to permissive.
config SECURITY_SELINUX_ALWAYS_PERMISSIVE
bool "NSA SELinux Always Permissive"
depends on SECURITY_SELINUX_DEVELOP
default n
help
This option will prevent anything from setting SELinux to enforcing.
config SECURITY_SELINUX_AVC_STATS config SECURITY_SELINUX_AVC_STATS
bool "NSA SELinux AVC Statistics" bool "NSA SELinux AVC Statistics"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX

29
security/selinux/selinuxfs.c
View file

@ -160,27 +160,16 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
new_value = !!new_value; new_value = !!new_value;
old_value = enforcing_enabled(state); old_value = enforcing_enabled(state);
// [ SEC_SELINUX_PORTING_COMMON
#ifdef CONFIG_ALWAYS_ENFORCE #ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
// If build is user build and enforce option is set, selinux is always enforcing // If always enforce option is set, selinux is always enforcing
new_value = 1; new_value = 1;
length = avc_has_perm(&selinux_state, #elif defined(CONFIG_SECURITY_SELINUX_ALWAYS_PERMISSIVE)
current_sid(), SECINITSID_SECURITY, // If always permissive option is set, selinux is always permissive
SECCLASS_SECURITY, SECURITY__SETENFORCE, new_value = 0;
NULL); #endif
audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, if (new_value != old_value) {
"enforcing=%d old_enforcing=%d auid=%u ses=%u"
" enabled=%d old-enabled=%d lsm=selinux res=1",
new_value, selinux_enforcing,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current),
selinux_enabled, selinux_enabled);
enforcing_set(state, new_value);
avc_ss_reset(state->avc, 0);
selnl_notify_setenforce(new_value);
selinux_status_update_setenforce(state, new_value);
#else
if (new_value != selinux_enforcing) { // SEC_SELINUX_PORTING_COMMON Change to use RKP
length = avc_has_perm(&selinux_state, length = avc_has_perm(&selinux_state,
current_sid(), SECINITSID_SECURITY, current_sid(), SECINITSID_SECURITY,
SECCLASS_SECURITY, SECURITY__SETENFORCE, SECCLASS_SECURITY, SECURITY__SETENFORCE,