kernel: Refactor selinux/selinux.c (#2881)

Signed-off-by: shadichy <shadichy@blisslabs.org> Co-authored-by: Wang Han <416810799@qq.com>
2025-11-07 21:18:05 +07:00
parent c24ed3b5c4
commit f39d4f0f38
2 changed files with 19 additions and 53 deletions
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -118,14 +118,6 @@ else
 $(info -- KPM is disabled)
 endif
 # SELinux drivers check
 ifeq ($(shell grep -q "current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
 ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
 endif
 ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
 ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
 endif
 # Handle optional backports
 ifeq ($(shell grep -q "strncpy_from_user_nofault" $(srctree)/include/linux/uaccess.h; echo $$?),0)
 ccflags-y += -DKSU_OPTIONAL_STRNCPY
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -90,27 +90,28 @@ bool getenforce(void)
    return __is_selinux_enforcing();
 }
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
-    !defined(KSU_COMPAT_HAS_CURRENT_SID)
+struct lsm_context {
-/*
+    char *context;
- * get the subjective security ID of the current task
+    u32 len;
- */
+};
 static inline u32 current_sid(void)
 {
    const struct task_security_struct *tsec = current_security();
-    return tsec->sid;
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
 {
    return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
 static void __security_release_secctx(struct lsm_context *cp)
 {
    return security_release_secctx(cp->context, cp->len);
 }
 #else
 #define __security_secid_to_secctx security_secid_to_secctx
 #define __security_release_secctx security_release_secctx
 #endif
 bool is_task_ksu_domain(const struct cred* cred)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    struct lsm_context ctx;
 #else
    char *domain;
    u32 seclen;
 #endif
    bool result;
    if (!cred) {
        return false;
@@ -119,23 +120,12 @@ bool is_task_ksu_domain(const struct cred* cred)
    if (!tsec) {
        return false;
    }
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
    int err = security_secid_to_secctx(tsec->sid, &ctx);
 #else
    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
 #endif
    if (err) {
        return false;
    }
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
-    security_release_secctx(&ctx);
+    __security_release_secctx(&ctx);
 #else
    result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
    security_release_secctx(domain, seclen);
 #endif
    return result;
 }
@@ -154,30 +144,14 @@ bool is_zygote(const struct cred* cred)
    if (!tsec) {
        return false;
    }
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    struct lsm_context ctx;
 #else
    char *domain;
    u32 seclen;
 #endif
    bool result;
-
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    int err = security_secid_to_secctx(tsec->sid, &ctx);
 #else
    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
 #endif
    if (err) {
        return false;
    }
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
-    security_release_secctx(&ctx);
+    __security_release_secctx(&ctx);
 #else
    result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
    security_release_secctx(domain, seclen);
 #endif
    return result;
 }