am f0d24737: Merge "init: remove support for disabled SELinux"

* commit 'f0d24737354819738adc40bf47a006e56652d27a': init: remove support for disabled SELinux
2015-04-28 20:25:00 +00:00 · 2015-04-28 20:25:00 +00:00 · 3ef42dd20f
commit 3ef42dd20f
parent 6a5244bcc2 f0d2473735
2 changed files with 13 additions and 31 deletions
--- a/init/Android.mk
+++ b/init/Android.mk
@ -5,9 +5,9 @@ LOCAL_PATH:= $(call my-dir)
 # --
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
-init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_DISABLE_SELINUX=1
+init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1
 else
-init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_DISABLE_SELINUX=0
+init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0
 endif
 init_options += -DLOG_UEVENTS=0
--- a/init/init.cpp
+++ b/init/init.cpp
@ -860,7 +860,7 @@ static void selinux_init_all_handles(void)
    sehandle_prop = selinux_android_prop_context_handle();
 }
-enum selinux_enforcing_status { SELINUX_DISABLED, SELINUX_PERMISSIVE, SELINUX_ENFORCING };
+enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
 static selinux_enforcing_status selinux_status_from_cmdline() {
    selinux_enforcing_status status = SELINUX_ENFORCING;
@ -870,9 +870,7 @@ static selinux_enforcing_status selinux_status_from_cmdline() {
        if (value == nullptr) { return; }
        *value++ = '\0';
        if (strcmp(name, "androidboot.selinux") == 0) {
-            if (strcmp(value, "disabled") == 0) {
+            if (strcmp(value, "permissive") == 0) {
                status = SELINUX_DISABLED;
            } else if (strcmp(value, "permissive") == 0) {
                status = SELINUX_PERMISSIVE;
            }
        }
@ -882,24 +880,9 @@ static selinux_enforcing_status selinux_status_from_cmdline() {
    return status;
 }
 static bool selinux_is_disabled(void)
 {
    if (ALLOW_DISABLE_SELINUX) {
        if (access("/sys/fs/selinux", F_OK) != 0) {
            // SELinux is not compiled into the kernel, or has been disabled
            // via the kernel command line "selinux=0".
            return true;
        }
        return selinux_status_from_cmdline() == SELINUX_DISABLED;
    }
    return false;
 }
 static bool selinux_is_enforcing(void)
 {
-    if (ALLOW_DISABLE_SELINUX) {
+    if (ALLOW_PERMISSIVE_SELINUX) {
        return selinux_status_from_cmdline() == SELINUX_ENFORCING;
    }
    return true;
@ -907,10 +890,6 @@ static bool selinux_is_enforcing(void)
 int selinux_reload_policy(void)
 {
    if (selinux_is_disabled()) {
        return -1;
    }
    INFO("SELinux: Attempting to reload policy files\n");
    if (selinux_android_reload_policy() == -1) {
@ -947,10 +926,6 @@ static void selinux_initialize(bool in_kernel_domain) {
    cb.func_audit = audit_callback;
    selinux_set_callback(SELINUX_CB_AUDIT, cb);
    if (selinux_is_disabled()) {
        return;
    }
    if (in_kernel_domain) {
        INFO("Loading SELinux policy...\n");
        if (selinux_android_load_policy() < 0) {
@ -958,8 +933,15 @@ static void selinux_initialize(bool in_kernel_domain) {
            security_failure();
        }
        bool kernel_enforcing = (security_getenforce() == 1);
        bool is_enforcing = selinux_is_enforcing();
-        security_setenforce(is_enforcing);
+        if (kernel_enforcing != is_enforcing) {
            if (security_setenforce(is_enforcing)) {
                ERROR("security_setenforce(%s) failed: %s\n",
                      is_enforcing ? "true" : "false", strerror(errno));
                security_failure();
            }
        }
        if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {
            security_failure();