kernel: Refactor selinux/selinux.c (#2881)

Signed-off-by: shadichy <shadichy@blisslabs.org>
Co-authored-by: Wang Han <416810799@qq.com>

kernel/selinux/Makefile

@@ -2,14 +2,6 @@ obj-y += selinux.o
 obj-y += sepolicy.o
 obj-y += rules.o
 
-ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
-endif
-
-ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
-endif
-
 ccflags-y += -Wno-strict-prototypes -Wno-int-conversion
 ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include

kernel/selinux/selinux.c

@@ -42,13 +42,6 @@ void setup_selinux(const char *domain)
         pr_err("transive domain failed.\n");
         return;
     }
-
-    /* we didn't need this now, we have change selinux rules when boot!
-if (!is_domain_permissive) {
-  if (set_domain_permissive() == 0) {
-      is_domain_permissive = true;
-  }
-}*/
 }
 
 void setenforce(bool enforce)
@@ -73,27 +66,28 @@ bool getenforce()
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
-    !defined(KSU_COMPAT_HAS_CURRENT_SID)
+struct lsm_context {
-/*
+    char *context;
- * get the subjective security ID of the current task
+    u32 len;
- */
+};
-static inline u32 current_sid(void)
-{
-    const struct task_security_struct *tsec = current_security();
 
-    return tsec->sid;
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
+{
+    return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
+static void __security_release_secctx(struct lsm_context *cp)
+{
+    return security_release_secctx(cp->context, cp->len);
+}
+#else
+#define __security_secid_to_secctx security_secid_to_secctx
+#define __security_release_secctx security_release_secctx
 #endif
 
 bool is_task_ksu_domain(const struct cred* cred)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
     struct lsm_context ctx;
-#else
-    char *domain;
-    u32 seclen;
-#endif
     bool result;
     if (!cred) {
         return false;
@@ -102,23 +96,12 @@ bool is_task_ksu_domain(const struct cred* cred)
     if (!tsec) {
         return false;
     }
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
-    int err = security_secid_to_secctx(tsec->sid, &ctx);
-#else
-    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-#endif
-
     if (err) {
         return false;
     }
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
     result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
-    security_release_secctx(&ctx);
+    __security_release_secctx(&ctx);
-#else
-    result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
-    security_release_secctx(domain, seclen);
-#endif
     return result;
 }
 
@@ -137,30 +120,14 @@ bool is_zygote(const struct cred* cred)
     if (!tsec) {
         return false;
     }
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
     struct lsm_context ctx;
-#else
-    char *domain;
-    u32 seclen;
-#endif
     bool result;
-
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-    int err = security_secid_to_secctx(tsec->sid, &ctx);
-#else
-    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-#endif
     if (err) {
         return false;
     }
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
     result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
-    security_release_secctx(&ctx);
+    __security_release_secctx(&ctx);
-#else
-    result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
-    security_release_secctx(domain, seclen);
-#endif
     return result;
 }