From c6d9f76c7b0d7c353834a7b8b43036c741a78860 Mon Sep 17 00:00:00 2001
From: Shadichy <60534636+shadichy@users.noreply.github.com>
Date: Fri, 7 Nov 2025 21:18:05 +0700
Subject: [PATCH] kernel: Refactor selinux/selinux.c (#2881)

Signed-off-by: shadichy
Co-authored-by: Wang Han <416810799@qq.com>
---
 kernel/selinux/Makefile | 8 -----
 kernel/selinux/selinux.c | 71 +++++++++++-----------------------------
 2 files changed, 19 insertions(+), 60 deletions(-)

diff --git a/kernel/selinux/Makefile b/kernel/selinux/Makefile
index 8e7cef1f..d35413d9 100644
--- a/kernel/selinux/Makefile
+++ b/kernel/selinux/Makefile
@@ -2,14 +2,6 @@ obj-y += selinux.o
 obj-y += sepolicy.o
 obj-y += rules.o
 
-ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
-endif
-
-ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
-endif
-
 ccflags-y += -Wno-strict-prototypes -Wno-int-conversion
 ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c
index e3a3a653..0e007fc9 100644
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -42,13 +42,6 @@ void setup_selinux(const char *domain)
 		pr_err("transive domain failed.\n");
 		return;
 	}
-
-	/* we didn't need this now, we have change selinux rules when boot!
-if (!is_domain_permissive) {
-	if (set_domain_permissive() == 0) {
-		is_domain_permissive = true;
-	}
-}*/
 }
 
 void setenforce(bool enforce)
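Review bot: The Makefile hunk drops the KSU_COMPAT_HAS_SELINUX_STATE probe, but no selinux.c hunk in this patch removes a use of that macro; the only shim the C side deletes is the KSU_COMPAT_HAS_CURRENT_SID guard. If setenforce()/getenforce() or any other translation unit (they lie outside the shown hunks) still contain `#ifdef KSU_COMPAT_HAS_SELINUX_STATE`, those sites now silently compile the no-`struct selinux_state` branch on every kernel, which on a kernel that does have the state object would change which enforcing flag is read or written rather than fail the build. Please confirm with a tree-wide grep that the macro has no remaining users, or keep the probe until the last reference is gone; a loud alternative is to leave `#ifdef KSU_COMPAT_HAS_SELINUX_STATE` sites with `#error "KSU_COMPAT_HAS_SELINUX_STATE is no longer defined by the Makefile"` so the mismatch surfaces at compile time.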
@@ -73,27 +66,28 @@ bool getenforce()
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && \
-	!defined(KSU_COMPAT_HAS_CURRENT_SID)
-/*
- * get the subjective security ID of the current task
- */
-static inline u32 current_sid(void)
-{
-	const struct task_security_struct *tsec = current_security();
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
+struct lsm_context {
+	char *context;
+	u32 len;
+};
 
-	return tsec->sid;
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
+{
+	return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
+static void __security_release_secctx(struct lsm_context *cp)
+{
+	return security_release_secctx(cp->context, cp->len);
+}
+#else
+#define __security_secid_to_secctx security_secid_to_secctx
+#define __security_release_secctx security_release_secctx
 #endif
 
 bool is_task_ksu_domain(const struct cred* cred)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
 	struct lsm_context ctx;
-#else
-	char *domain;
-	u32 seclen;
-#endif
 	bool result;
 	if (!cred) {
 		return false;
@@ -102,23 +96,12 @@ bool is_task_ksu_domain(const struct cred* cred)
 	if (!tsec) {
 		return false;
 	}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	int err = security_secid_to_secctx(tsec->sid, &ctx);
-#else
-	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-#endif
-
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
 	if (err) {
 		return false;
 	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
 	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
-	security_release_secctx(&ctx);
-#else
-	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-#endif
+	__security_release_secctx(&ctx);
 	return result;
 }
 
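Review bot: `return security_release_secctx(cp->context, cp->len);` in the new void shim `__security_release_secctx` returns a void expression from a void function, which C11 6.8.6.4 forbids (GCC and Clang only diagnose it under -Wpedantic, so it builds today but is non-conforming and a portability trap); drop the keyword and write `security_release_secctx(cp->context, cp->len);`. The local `struct lsm_context` definition is also keyed purely on `LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)`, so a vendor or LTS kernel that backported the upstream lsm_context API would hit a redefinition error, and the old Makefile approach of probing the headers (now removed in this same patch) was the mechanism that caught exactly that class of mismatch; consider a header probe for `struct lsm_context` or at least a comment recording that the shim assumes the pre-6.14 `char **secdata, u32 *seclen` calling convention. The shims would also benefit from a short header comment stating that they exist only to give both kernel generations the one-argument secctx interface used below. is_task_ksu_domain continues past the end of this hunk.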
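Review bot: Now that both kernel generations funnel through the single `result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;` line in is_task_ksu_domain, note that this comparison is bounded by the returned context length only, so a context string that is a strict prefix of KERNEL_SU_DOMAIN would still compare equal; this is pre-existing rather than introduced here, but the refactor is the natural moment to make the domain check exact, e.g. `result = ctx.len == strlen(KERNEL_SU_DOMAIN) && strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;`. The same prefix-bounded compare against "u:r:zygote:s0" appears in the is_zygote hunk that follows. The start of is_task_ksu_domain lies in the previous hunk.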
@@ -137,30 +120,14 @@ bool is_zygote(const struct cred* cred)
 	if (!tsec) {
 		return false;
 	}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
 	struct lsm_context ctx;
-#else
-	char *domain;
-	u32 seclen;
-#endif
 	bool result;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	int err = security_secid_to_secctx(tsec->sid, &ctx);
-#else
-	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-#endif
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
 	if (err) {
 		return false;
 	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
 	result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
-	security_release_secctx(&ctx);
-#else
-	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-#endif
+	__security_release_secctx(&ctx);
 	return result;
 }
 