From 53be8612c8990ef160af45d5db86e18f5fbc9567 Mon Sep 17 00:00:00 2001 From: weishu Date: Tue, 6 Jun 2023 16:35:25 +0800 Subject: [PATCH] kernel: support setting selinux context for profile --- kernel/allowlist.c | 7 ++++++- kernel/core_hook.c | 2 +- kernel/selinux/selinux.c | 7 ++++--- kernel/selinux/selinux.h | 2 +- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/kernel/allowlist.c b/kernel/allowlist.c index 298eb8bb..4a3dbc47 100644 --- a/kernel/allowlist.c +++ b/kernel/allowlist.c @@ -37,7 +37,7 @@ static void init_default_profiles() memset(&default_root_profile.capabilities, 0xff, sizeof(default_root_profile.capabilities)); default_root_profile.namespaces = 0; - strcpy(default_root_profile.selinux_domain, "su"); + strcpy(default_root_profile.selinux_domain, "u:r:su:s0"); // This means that we will umount modules by default! default_non_root_profile.umount_modules = true; @@ -112,7 +112,12 @@ static bool profile_valid(struct app_profile *profile) if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) { return false; } + + if (strlen(profile->rp_config.profile.selinux_domain) == 0) { + return false; + } } + return true; } diff --git a/kernel/core_hook.c b/kernel/core_hook.c index 5f653fa7..0a32cdc3 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -135,7 +135,7 @@ void escape_to_root(void) setup_groups(profile, cred); - setup_selinux(); + setup_selinux(profile->selinux_domain); } int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry) diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index aaef0630..e43b730a 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -39,9 +39,9 @@ static int transive_to_domain(const char *domain) return error; } -void setup_selinux() +void setup_selinux(const char *domain) { - if (transive_to_domain(KERNEL_SU_DOMAIN)) { + if (transive_to_domain(domain)) { pr_err("transive domain failed."); return; } 
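Review bot: The default value for selinux_domain changes from a bare type name ("su") to a full security context ("u:r:su:s0"), which implies the field is now expected to hold a complete `u:r:<type>:s0` string that is handed verbatim to the domain transition, but nothing in the hunk records that contract for whoever fills the field from userspace. A comment on the strcpy such as `/* full SELinux context (u:r:type:s0), not a bare type: passed verbatim to the domain transition */` would make the new meaning explicit. Whether the array is sized for longer contexts than the default is not visible here; init_default_profiles continues outside the hunk.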
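Review bot: The new check in profile_valid calls strlen() on selinux_domain, which appears to be a fixed-size array in a profile presumably supplied from userspace, without first establishing that the buffer is NUL-terminated, so an unterminated value would make strlen read past the field. Using the bounded form and rejecting both the empty and the unterminated case is safer: `size_t n = strnlen(profile->rp_config.profile.selinux_domain, sizeof(profile->rp_config.profile.selinux_domain));` followed by `if (n == 0 || n == sizeof(profile->rp_config.profile.selinux_domain)) return false;`. The check also accepts any non-empty string, so a context the loaded policy does not define is only discovered later at transition time; resolving it here (for example with security_context_to_sid) would reject a bad profile when it is configured rather than when it is used. The enclosing if-block and the start of profile_valid are outside the hunk, so the branch this runs under is not visible.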
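Review bot: escape_to_root now passes a profile-supplied string to setup_selinux, but setup_selinux is void and, per the selinux.c hunk, only logs and returns when the transition fails, so a profile whose domain the policy rejects leaves the task with the credentials already set up in this function (setup_groups here, and presumably uid and capability changes above the hunk) while it keeps its original SELinux context, and this caller cannot tell. The safer ordering is to resolve the domain before committing the credential changes and abort the escalation if it cannot be applied, or at least to have setup_selinux report the error so this caller can log which profile failed, e.g. `if (setup_selinux(profile->selinux_domain)) pr_warn("ksu: selinux transition failed for profile\n");`. escape_to_root starts before the hunk.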
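Review bot: The failure branch in setup_selinux discards the error code from transive_to_domain and does not say which domain was rejected, which matters more now that the domain comes from the caller rather than the fixed KERNEL_SU_DOMAIN; `int err = transive_to_domain(domain); if (err) { pr_err("transive to domain %s failed: %d\n", domain, err); return; }` keeps the diagnosis usable. There is also no guard against a NULL domain, which the previous constant could never be; a leading `if (WARN_ON_ONCE(!domain)) return;` is cheap. The body of transive_to_domain starts before the hunk.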
@@ -88,7 +88,8 @@ bool getenforce() #endif } -#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && !defined(KSU_COMPAT_HAS_CURRENT_SID) +#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && \ + !defined(KSU_COMPAT_HAS_CURRENT_SID) /* * get the subjective security ID of the current task */ diff --git a/kernel/selinux/selinux.h b/kernel/selinux/selinux.h index 20694407..ce5a98e2 100644 --- a/kernel/selinux/selinux.h +++ b/kernel/selinux/selinux.h @@ -8,7 +8,7 @@ #define KSU_COMPAT_USE_SELINUX_STATE #endif -void setup_selinux(); +void setup_selinux(const char *); void setenforce(bool);