kernel: support setting selinux context for profile

kernel/allowlist.c

@@ -37,7 +37,7 @@ static void init_default_profiles()
 	memset(&default_root_profile.capabilities, 0xff,
 	       sizeof(default_root_profile.capabilities));
 	default_root_profile.namespaces = 0;
-	strcpy(default_root_profile.selinux_domain, "su");
+	strcpy(default_root_profile.selinux_domain, "u:r:su:s0");
 
 	// This means that we will umount modules by default!
 	default_non_root_profile.umount_modules = true;
@@ -112,7 +112,12 @@ static bool profile_valid(struct app_profile *profile)
 		if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
 			return false;
 		}
+
+		if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
+			return false;
 		}
+	}
+
 	return true;
 }
 

kernel/core_hook.c

@@ -135,7 +135,7 @@ void escape_to_root(void)
 
 	setup_groups(profile, cred);
 
-	setup_selinux();
+	setup_selinux(profile->selinux_domain);
 }
 
 int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)

kernel/selinux/selinux.c

@@ -39,9 +39,9 @@ static int transive_to_domain(const char *domain)
 	return error;
 }
 
-void setup_selinux()
+void setup_selinux(const char *domain)
 {
-	if (transive_to_domain(KERNEL_SU_DOMAIN)) {
+	if (transive_to_domain(domain)) {
 		pr_err("transive domain failed.");
 		return;
 	}
@@ -88,7 +88,8 @@ bool getenforce()
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && !defined(KSU_COMPAT_HAS_CURRENT_SID)
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+	!defined(KSU_COMPAT_HAS_CURRENT_SID)
 /*
  * get the subjective security ID of the current task
  */

kernel/selinux/selinux.h

@@ -8,7 +8,7 @@
 #define KSU_COMPAT_USE_SELINUX_STATE
 #endif
 
-void setup_selinux();
+void setup_selinux(const char *);
 
 void setenforce(bool);