From f39d4f0f38d438c9ec22ed11339bed9a63b9cba5 Mon Sep 17 00:00:00 2001 From: Shadichy <60534636+shadichy@users.noreply.github.com> Date: Fri, 7 Nov 2025 21:18:05 +0700 Subject: [PATCH] kernel: Refactor selinux/selinux.c (#2881) Signed-off-by: shadichy Co-authored-by: Wang Han <416810799@qq.com> --- kernel/Makefile | 8 ----- kernel/selinux/selinux.c | 64 ++++++++++++---------------------------- 2 files changed, 19 insertions(+), 53 deletions(-) diff --git a/kernel/Makefile b/kernel/Makefile index 93978ea0..701a9e02 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -118,14 +118,6 @@ else $(info -- KPM is disabled) endif -# SELinux drivers check -ifeq ($(shell grep -q "current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0) -ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID -endif -ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0) -ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE -endif - # Handle optional backports ifeq ($(shell grep -q "strncpy_from_user_nofault" $(srctree)/include/linux/uaccess.h; echo $$?),0) ccflags-y += -DKSU_OPTIONAL_STRNCPY diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index 051384a7..57c2be1b 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -90,27 +90,28 @@ bool getenforce(void) return __is_selinux_enforcing(); } -#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && \ - !defined(KSU_COMPAT_HAS_CURRENT_SID) -/* - * get the subjective security ID of the current task - */ -static inline u32 current_sid(void) -{ - const struct task_security_struct *tsec = current_security(); +#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0) +struct lsm_context { + char *context; + u32 len; +}; - return tsec->sid; +static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp) +{ + return security_secid_to_secctx(secid, &cp->context, &cp->len); } +static void __security_release_secctx(struct lsm_context *cp) +{ + return security_release_secctx(cp->context, cp->len); +} +#else +#define __security_secid_to_secctx security_secid_to_secctx +#define __security_release_secctx security_release_secctx #endif bool is_task_ksu_domain(const struct cred* cred) { -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) struct lsm_context ctx; -#else - char *domain; - u32 seclen; -#endif bool result; if (!cred) { return false; @@ -119,23 +120,12 @@ bool is_task_ksu_domain(const struct cred* cred) if (!tsec) { return false; } -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) - int err = security_secid_to_secctx(tsec->sid, &ctx); -#else - int err = security_secid_to_secctx(tsec->sid, &domain, &seclen); -#endif - + int err = __security_secid_to_secctx(tsec->sid, &ctx); if (err) { return false; } - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0; - security_release_secctx(&ctx); -#else - result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0; - security_release_secctx(domain, seclen); -#endif + __security_release_secctx(&ctx); return result; } @@ -154,30 +144,14 @@ bool is_zygote(const struct cred* cred) if (!tsec) { return false; } -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) struct lsm_context ctx; -#else - char *domain; - u32 seclen; -#endif bool result; - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) - int err = security_secid_to_secctx(tsec->sid, &ctx); -#else - int err = security_secid_to_secctx(tsec->sid, &domain, &seclen); -#endif + int err = __security_secid_to_secctx(tsec->sid, &ctx); if (err) { return false; } - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0; - security_release_secctx(&ctx); -#else - result = strncmp("u:r:zygote:s0", domain, seclen) == 0; - security_release_secctx(domain, seclen); -#endif + __security_release_secctx(&ctx); return result; }