Remove -guest_audit_security launcher flag
SELinux enforcement is so important now, and avc: messages are a primary
way these bugs are found, so there is no longer a reason to be able to
disable the SELinux audit messages at runtime. Interested users can
still do so at compile time. Move the "audit=1" kernel command line to
the shared BoardConfig.mk file.
Bug: 216304872
Change-Id: I566c645a57b254bb42b77e3595359a27b27ae447
diff --git a/host/commands/assemble_cvd/flags.cc b/host/commands/assemble_cvd/flags.cc
index 8aabc4f..ee00265 100644
--- a/host/commands/assemble_cvd/flags.cc
+++ b/host/commands/assemble_cvd/flags.cc
@@ -88,8 +88,6 @@
"requires ':=' instead of '='.");
DEFINE_bool(guest_enforce_security, true,
"Whether to run in enforcing mode (non permissive).");
-DEFINE_bool(guest_audit_security, true,
- "Whether to log security audits.");
DEFINE_int32(memory_mb, 0, "Total amount of memory available for guest, MB.");
DEFINE_string(serial_number, cuttlefish::ForCurrentInstance("CUTTLEFISHCVD"),
"Serial number to use for the device");
@@ -623,7 +621,6 @@
tmp_config_obj.set_gdb_port(FLAGS_gdb_port);
tmp_config_obj.set_guest_enforce_security(FLAGS_guest_enforce_security);
- tmp_config_obj.set_guest_audit_security(FLAGS_guest_audit_security);
tmp_config_obj.set_extra_kernel_cmdline(FLAGS_extra_kernel_cmdline);
tmp_config_obj.set_extra_bootconfig_args(FLAGS_extra_bootconfig_args);
diff --git a/host/libs/config/cuttlefish_config.cpp b/host/libs/config/cuttlefish_config.cpp
index 63bd4b2..ddbebf8 100644
--- a/host/libs/config/cuttlefish_config.cpp
+++ b/host/libs/config/cuttlefish_config.cpp
@@ -564,14 +564,6 @@
return (*dictionary_)[kGuestEnforceSecurity].asBool();
}
-const char* kGuestAuditSecurity = "guest_audit_security";
-void CuttlefishConfig::set_guest_audit_security(bool guest_audit_security) {
- (*dictionary_)[kGuestAuditSecurity] = guest_audit_security;
-}
-bool CuttlefishConfig::guest_audit_security() const {
- return (*dictionary_)[kGuestAuditSecurity].asBool();
-}
-
static constexpr char kenableHostBluetooth[] = "enable_host_bluetooth";
void CuttlefishConfig::set_enable_host_bluetooth(bool enable_host_bluetooth) {
(*dictionary_)[kenableHostBluetooth] = enable_host_bluetooth;
diff --git a/host/libs/config/cuttlefish_config.h b/host/libs/config/cuttlefish_config.h
index 0e95469..546dd37 100644
--- a/host/libs/config/cuttlefish_config.h
+++ b/host/libs/config/cuttlefish_config.h
@@ -198,9 +198,6 @@
void set_guest_enforce_security(bool guest_enforce_security);
bool guest_enforce_security() const;
- void set_guest_audit_security(bool guest_audit_security);
- bool guest_audit_security() const;
-
void set_enable_host_bluetooth(bool enable_host_bluetooth);
bool enable_host_bluetooth() const;
diff --git a/host/libs/config/kernel_args.cpp b/host/libs/config/kernel_args.cpp
index a2bb42a..aaddfb7 100644
--- a/host/libs/config/kernel_args.cpp
+++ b/host/libs/config/kernel_args.cpp
@@ -96,17 +96,8 @@
std::vector<std::string> KernelCommandLineFromConfig(
const CuttlefishConfig& config) {
std::vector<std::string> kernel_cmdline;
-
AppendVector(&kernel_cmdline, VmManagerKernelCmdline(config));
-
- if (config.guest_audit_security()) {
- kernel_cmdline.push_back("audit=1");
- } else {
- kernel_cmdline.push_back("audit=0");
- }
-
AppendVector(&kernel_cmdline, config.extra_kernel_cmdline());
-
return kernel_cmdline;
}
diff --git a/shared/BoardConfig.mk b/shared/BoardConfig.mk
index fbaf875..a6a359f 100644
--- a/shared/BoardConfig.mk
+++ b/shared/BoardConfig.mk
@@ -225,6 +225,9 @@
# The default is 5 messages per second amortized, with a burst of up to 10.
BOARD_KERNEL_CMDLINE += printk.devkmsg=on
+# Print audit messages for all security check failures
+BOARD_KERNEL_CMDLINE += audit=1
+
# Reboot immediately on panic
BOARD_KERNEL_CMDLINE += panic=-1
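Review bot: The comment above the new `audit=1` line should say that this is now the only place the guest's audit logging is set, because the `-guest_audit_security` launcher flag that used to emit `audit=1`/`audit=0` from kernel_args.cpp is removed in the same change; the commit message also refers to `BootConfig.mk` while the edited file is `shared/BoardConfig.mk`. Since `BOARD_KERNEL_CMDLINE` is assembled with `+=` and the launcher still appends `extra_kernel_cmdline`, a later `audit=` token on the final command line would presumably be the one the kernel honours, so this line is a build-time default rather than an enforcement point, and the comment should not read as if it were one. Suggested wording: `# Print audit messages for all security check failures (e.g. SELinux avc denials).` / `# Build-time default only: the -guest_audit_security launcher flag was removed,` / `# and a later audit= token on the kernel command line would override this.`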