kernel: Fix compilation flags in Makefiles and optimize SELinux rule handling

Co-authored-by: rsuntk <90097027+rsuntk@users.noreply.github.com>

kernel/selinux/rules.c

@@ -91,6 +91,7 @@ void ksu_apply_kernelsu_rules()
 	ksu_allow(db, "init", "adb_data_file", "file", ALL);
 	ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289
 	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
+
 	// we need to umount modules in zygote
 	ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
 
@@ -130,9 +131,9 @@ void ksu_apply_kernelsu_rules()
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
-    // Allow system server kill su process
-    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
-    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
+	// Allow system server kill su process
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
 
 #ifdef CONFIG_KSU_SUSFS
 	// Allow umount in zygote process without installing zygisk
@@ -157,34 +158,30 @@ void ksu_apply_kernelsu_rules()
 #define CMD_TYPE_CHANGE 8
 #define CMD_GENFSCON 9
 
-#ifdef CONFIG_64BIT
-struct sepol_data {
-	u32 cmd;
-	u32 subcmd;
-	u64 field_sepol1;
-	u64 field_sepol2;
-	u64 field_sepol3;
-	u64 field_sepol4;
-	u64 field_sepol5;
-	u64 field_sepol6;
-	u64 field_sepol7;
-};
-#ifdef CONFIG_COMPAT
+// keep it!
 extern bool ksu_is_compat __read_mostly;
-struct sepol_compat_data {
-	u32 cmd;
-	u32 subcmd;
-	u32 field_sepol1;
-	u32 field_sepol2;
-	u32 field_sepol3;
-	u32 field_sepol4;
-	u32 field_sepol5;
-	u32 field_sepol6;
-	u32 field_sepol7;
-};
-#endif // CONFIG_COMPAT
+
+// armv7l kernel compat
+#ifdef CONFIG_64BIT
+#define usize	u64
 #else
+#define usize	u32
+#endif
+
 struct sepol_data {
+	u32 cmd;
+	u32 subcmd;
+	usize field_sepol1;
+	usize field_sepol2;
+	usize field_sepol3;
+	usize field_sepol4;
+	usize field_sepol5;
+	usize field_sepol6;
+	usize field_sepol7;
+};
+
+// ksud 32-bit on arm64 kernel
+struct __maybe_unused sepol_data_compat {
 	u32 cmd;
 	u32 subcmd;
 	u32 field_sepol1;
@@ -195,7 +192,6 @@ struct sepol_data {
 	u32 field_sepol6;
 	u32 field_sepol7;
 };
-#endif // CONFIG_64BIT
 
 static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 		      char **object)
@@ -217,7 +213,8 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 // reset avc cache table, otherwise the new rules will not take effect if already denied
 static void reset_avc_cache()
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) || !defined(KSU_COMPAT_USE_SELINUX_STATE)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) ||	\
+	!defined(KSU_COMPAT_USE_SELINUX_STATE)
 	avc_ss_reset(0);
 	selnl_notify_policyload(0);
 	selinux_status_update_policyload(0);
@@ -243,22 +240,22 @@ int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4)
 	u32 cmd, subcmd;
 	char __user *sepol1, *sepol2, *sepol3, *sepol4, *sepol5, *sepol6, *sepol7;
 
-#if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT)
 	if (unlikely(ksu_is_compat)) {
-		struct sepol_compat_data compat_data;
-		if (copy_from_user(&compat_data, arg4, sizeof(struct sepol_compat_data))) {
+		struct sepol_data_compat data_compat;
+		if (copy_from_user(&data_compat, arg4, sizeof(struct sepol_data_compat))) {
 			pr_err("sepol: copy sepol_data failed.\n");
 			return -1;
 		}
-		sepol1 = compat_ptr(compat_data.field_sepol1);
-		sepol2 = compat_ptr(compat_data.field_sepol2);
-		sepol3 = compat_ptr(compat_data.field_sepol3);
-		sepol4 = compat_ptr(compat_data.field_sepol4);
-		sepol5 = compat_ptr(compat_data.field_sepol5);
-		sepol6 = compat_ptr(compat_data.field_sepol6);
-		sepol7 = compat_ptr(compat_data.field_sepol7);
-		cmd = compat_data.cmd;
-		subcmd = compat_data.subcmd;
+		pr_info("sepol: running in compat mode!\n");
+		sepol1 = compat_ptr(data_compat.field_sepol1);
+		sepol2 = compat_ptr(data_compat.field_sepol2);
+		sepol3 = compat_ptr(data_compat.field_sepol3);
+		sepol4 = compat_ptr(data_compat.field_sepol4);
+		sepol5 = compat_ptr(data_compat.field_sepol5);
+		sepol6 = compat_ptr(data_compat.field_sepol6);
+		sepol7 = compat_ptr(data_compat.field_sepol7);
+		cmd = data_compat.cmd;
+		subcmd = data_compat.subcmd;
 	} else {
 		struct sepol_data data;
 		if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
@@ -275,26 +272,6 @@ int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4)
 		cmd = data.cmd;
 		subcmd = data.subcmd;
 	}
-#else 
-	// basically for full native, say (64BIT=y COMPAT=n) || (64BIT=n)
-
-	struct sepol_data data;
-	if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
-		pr_err("sepol: copy sepol_data failed.\n");
-		return -1;
-	}
-
-
-	sepol1 = data.field_sepol1;
-	sepol2 = data.field_sepol2;
-	sepol3 = data.field_sepol3;
-	sepol4 = data.field_sepol4;
-	sepol5 = data.field_sepol5;
-	sepol6 = data.field_sepol6;
-	sepol7 = data.field_sepol7;
-	cmd = data.cmd;
-	subcmd = data.subcmd;
-#endif
 
 	rcu_read_lock();
 

kernel/selinux/selinux.c

@@ -2,6 +2,9 @@
 #include "objsec.h"
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
+#ifdef SAMSUNG_SELINUX_PORTING
+#include "security.h" // Samsung SELinux Porting
+#endif
 #ifndef KSU_COMPAT_USE_SELINUX_STATE
 #include "avc.h"
 #endif
@@ -72,18 +75,14 @@ void ksu_setup_selinux(const char *domain)
 		pr_err("transive domain failed.\n");
 		return;
 	}
-
-	/* we didn't need this now, we have change selinux rules when boot!
-if (!is_domain_permissive) {
-  if (set_domain_permissive() == 0) {
-      is_domain_permissive = true;
-  }
-}*/
 }
 
 void ksu_setenforce(bool enforce)
 {
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#ifdef SAMSUNG_SELINUX_PORTING
+	selinux_enforcing = enforce;
+#endif
 #ifdef KSU_COMPAT_USE_SELINUX_STATE
 	selinux_state.enforcing = enforce;
 #else
@@ -105,6 +104,9 @@ bool ksu_getenforce()
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#ifdef SAMSUNG_SELINUX_PORTING
+	return selinux_enforcing;
+#endif
 #ifdef KSU_COMPAT_USE_SELINUX_STATE
 	return selinux_state.enforcing;
 #else