diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index 7e85815b..502d891d 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -1,13 +1,6 @@ -#include "selinux.h" -#include "objsec.h" -#include "linux/version.h" +#include +#include "selinux_defs.h" #include "../klog.h" // IWYU pragma: keep -#ifdef SAMSUNG_SELINUX_PORTING -#include "security.h" // Samsung SELinux Porting -#endif -#ifndef KSU_COMPAT_USE_SELINUX_STATE -#include "avc.h" -#endif #define KERNEL_SU_DOMAIN "u:r:su:s0" @@ -41,15 +34,18 @@ static int transive_to_domain(const char *domain) pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n", domain, sid, error); } + if (!error) { tsec->sid = sid; tsec->create_sid = 0; tsec->keycreate_sid = 0; tsec->sockcreate_sid = 0; } + return error; } +#if LINUX_VERSION_CODE <= KERNEL_VERSION(4, 19, 0) bool __maybe_unused is_ksu_transition(const struct task_security_struct *old_tsec, const struct task_security_struct *new_tsec) { @@ -59,7 +55,7 @@ bool __maybe_unused is_ksu_transition(const struct task_security_struct *old_tse bool allowed = false; if (!ksu_sid) - security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid); + security_secctx_to_secid(KERNEL_SU_DOMAIN, strlen(KERNEL_SU_DOMAIN), &ksu_sid); if (security_secid_to_secctx(old_tsec->sid, &secdata, &seclen)) return false; @@ -68,6 +64,7 @@ bool __maybe_unused is_ksu_transition(const struct task_security_struct *old_tse security_release_secctx(secdata, seclen); return allowed; } +#endif void ksu_setup_selinux(const char *domain) { @@ -79,42 +76,16 @@ void ksu_setup_selinux(const char *domain) void ksu_setenforce(bool enforce) { -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -#ifdef SAMSUNG_SELINUX_PORTING - selinux_enforcing = enforce; -#endif -#ifdef KSU_COMPAT_USE_SELINUX_STATE - selinux_state.enforcing = enforce; -#else - selinux_enforcing = enforce; -#endif -#endif + __setenforce(enforce); } -bool ksu_getenforce() +bool ksu_getenforce(void) { -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -#ifdef KSU_COMPAT_USE_SELINUX_STATE - if (selinux_state.disabled) { -#else - if (selinux_disabled) { -#endif + if (is_selinux_disabled()) { return false; } -#endif - -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -#ifdef SAMSUNG_SELINUX_PORTING - return selinux_enforcing; -#endif -#ifdef KSU_COMPAT_USE_SELINUX_STATE - return selinux_state.enforcing; -#else - return selinux_enforcing; -#endif -#else - return true; -#endif + + return __is_selinux_enforcing(); } #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && \ @@ -135,10 +106,12 @@ bool ksu_is_ksu_domain() char *domain; u32 seclen; bool result; + int err = security_secid_to_secctx(current_sid(), &domain, &seclen); if (err) { return false; } + result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0; security_release_secctx(domain, seclen); return result; @@ -150,13 +123,16 @@ bool ksu_is_zygote(void *sec) if (!tsec) { return false; } + char *domain; u32 seclen; bool result; + int err = security_secid_to_secctx(tsec->sid, &domain, &seclen); if (err) { return false; } + result = strncmp("u:r:zygote:s0", domain, seclen) == 0; security_release_secctx(domain, seclen); return result; @@ -251,8 +227,9 @@ u32 ksu_get_devpts_sid() u32 devpts_sid = 0; int err = security_secctx_to_secid(DEVPTS_DOMAIN, strlen(DEVPTS_DOMAIN), &devpts_sid); - if (err) { + + if (err) pr_info("get devpts sid err %d\n", err); - } + return devpts_sid; } diff --git a/kernel/selinux/selinux.h b/kernel/selinux/selinux.h index d0dfdf9c..e146ba15 100644 --- a/kernel/selinux/selinux.h +++ b/kernel/selinux/selinux.h @@ -1,8 +1,8 @@ #ifndef __KSU_H_SELINUX #define __KSU_H_SELINUX -#include "linux/types.h" -#include "linux/version.h" +#include +#include #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) || defined(KSU_COMPAT_HAS_SELINUX_STATE) #define KSU_COMPAT_USE_SELINUX_STATE @@ -12,7 +12,7 @@ void ksu_setup_selinux(const char *); void ksu_setenforce(bool); -bool ksu_getenforce(); +bool ksu_getenforce(void); bool ksu_is_ksu_domain(); diff --git a/kernel/selinux/selinux_defs.h b/kernel/selinux/selinux_defs.h new file mode 100644 index 00000000..391da8ad --- /dev/null +++ b/kernel/selinux/selinux_defs.h @@ -0,0 +1,36 @@ +#ifndef __KSU_H_SELINUX_DEFS +#define __KSU_H_SELINUX_DEFS + +#include "selinux.h" +#include "objsec.h" +#ifdef SAMSUNG_SELINUX_PORTING +#include "security.h" // Samsung SELinux Porting +#endif +#ifndef KSU_COMPAT_USE_SELINUX_STATE +#include "avc.h" +#endif + +#ifdef CONFIG_SECURITY_SELINUX_DISABLE +#ifdef KSU_COMPAT_USE_SELINUX_STATE +#define is_selinux_disabled() (selinux_state.disabled) +#else +#define is_selinux_disabled() (selinux_disabled) +#endif +#else +#define is_selinux_disabled() (0) +#endif + +#ifdef CONFIG_SECURITY_SELINUX_DEVELOP +#ifdef KSU_COMPAT_USE_SELINUX_STATE +#define __is_selinux_enforcing() (selinux_state.enforcing) +#define __setenforce(val) selinux_state.enforcing = val +#elif defined(SAMSUNG_SELINUX_PORTING) || !defined(KSU_COMPAT_USE_SELINUX_STATE) +#define __is_selinux_enforcing() (selinux_enforcing) +#define __setenforce(val) selinux_enforcing = val +#endif +#else +#define __is_selinux_enforcing() (1) +#define __setenforce(val) +#endif + +#endif