db600d5ea0
* kernel: add report_event cmd * ksud: report event * kernel: trigger on_post_fs_data * ksud: comment unused code * [skip ci] run clang-format Signed-off-by: Ylarod <me@ylarod.cn> * ci: use custom key to sign official bootimgs * format ksud * reject non root * remove Signed-off-by: Ylarod <me@ylarod.cn>
79 lines
1.4 KiB
C
79 lines
1.4 KiB
C
#include "selinux.h"
|
|
#include "objsec.h"
|
|
|
|
#include "../klog.h" // IWYU pragma: keep
|
|
|
|
#define KERNEL_SU_DOMAIN "u:r:su:s0"
|
|
|
|
static u32 ksu_sid;
|
|
|
|
static int transive_to_domain(const char *domain)
|
|
{
|
|
struct cred *cred;
|
|
struct task_security_struct *tsec;
|
|
u32 sid;
|
|
int error;
|
|
|
|
cred = (struct cred *)__task_cred(current);
|
|
|
|
tsec = cred->security;
|
|
if (!tsec) {
|
|
pr_err("tsec == NULL!\n");
|
|
return -1;
|
|
}
|
|
|
|
error = security_secctx_to_secid(domain, strlen(domain), &sid);
|
|
pr_info("error: %d, sid: %d\n", error, sid);
|
|
if (!error) {
|
|
if (!ksu_sid)
|
|
ksu_sid = sid;
|
|
|
|
tsec->sid = sid;
|
|
tsec->create_sid = 0;
|
|
tsec->keycreate_sid = 0;
|
|
tsec->sockcreate_sid = 0;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
void setup_selinux()
|
|
{
|
|
if (transive_to_domain(KERNEL_SU_DOMAIN)) {
|
|
pr_err("transive domain failed.");
|
|
return;
|
|
}
|
|
|
|
/* we didn't need this now, we have change selinux rules when boot!
|
|
if (!is_domain_permissive) {
|
|
if (set_domain_permissive() == 0) {
|
|
is_domain_permissive = true;
|
|
}
|
|
}*/
|
|
}
|
|
|
|
void setenforce(bool enforce)
|
|
{
|
|
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
|
selinux_state.enforcing = enforce;
|
|
#endif
|
|
}
|
|
|
|
bool getenforce()
|
|
{
|
|
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
|
|
if (selinux_state.disabled) {
|
|
return false;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
|
return selinux_state.enforcing;
|
|
#else
|
|
return false;
|
|
#endif
|
|
}
|
|
|
|
bool is_ksu_domain()
|
|
{
|
|
return ksu_sid && current_sid() == ksu_sid;
|
|
} |