emulator: Add option to control SELinux enforcement.
This change adds the following command line
options to the emulator:
-selinux disabled
-selinux permissive
This puts SELinux into either permissive or disabled mode.
"disabled" completely disables userspace support for SELinux. No
policy is ever loaded, nor is the SELinux filesystem /sys/fs/selinux
ever mounted.
"permissive" loads the SELinux policy, but puts SELinux into
permissive mode. SELinux policy violations are logged, but not rejected.
Change-Id: I97974deb5b39d5caab36032e8b282281c1e478ea
diff --git a/android/cmdline-options.h b/android/cmdline-options.h
index 16edeac..0c75783 100644
--- a/android/cmdline-options.h
+++ b/android/cmdline-options.h
@@ -166,6 +166,8 @@
OPT_FLAG( force_32bit, "always use 32-bit emulator" )
+OPT_PARAM(selinux, "<disabled|permissive>", "Set SELinux to either disabled or permissive mode")
+
#undef CFG_FLAG
#undef CFG_PARAM
#undef OPT_FLAG
diff --git a/android/help.c b/android/help.c
index 0a9eed85..e5d3e49 100644
--- a/android/help.c
+++ b/android/help.c
@@ -1526,6 +1526,18 @@
}
static void
+help_selinux(stralloc_t* out)
+{
+ PRINTF(
+ " Use -selinux to control the SELinux enforcement mode.\n"
+ " By default, SELinux is in enforcing mode. Other modes available are:\n"
+ " -selinux permissive -> Load the SELinux policy, but do not enforce it.\n"
+ " Policy violations are logged, but not rejected.\n"
+ " -selinux disabled -> Disable kernel support for SELinux.\n"
+ );
+}
+
+static void
help_force_32bit(stralloc_t* out)
{
PRINTF(
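Review bot: The `-selinux disabled` line in help_selinux says kernel support is disabled, but the commit description says this mode disables userspace support (no policy is loaded and /sys/fs/selinux is never mounted), so the help text and the description contradict each other. If the description is right, the line could read `"    -selinux disabled   -> Disable userspace SELinux support; no policy is loaded.\n"`. It would also help to say in this text that neither mode enforces policy in the guest, so that behaviour seen in such a session is not taken as representative of an enforcing device.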
diff --git a/android/main.c b/android/main.c
index f980d27..332183a 100644
--- a/android/main.c
+++ b/android/main.c
@@ -913,6 +913,14 @@
args[n++] = opts->gps;
}
+ if (opts->selinux) {
+ if ((strcmp(opts->selinux, "permissive") != 0)
+ && (strcmp(opts->selinux, "disabled") != 0)) {
+ derror("-selinux must be \"disabled\" or \"permissive\"");
+ exit(1);
+ }
+ }
+
if (opts->memory) {
char* end;
long ramSize = strtol(opts->memory, &end, 0);
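Review bot: The allow-list check on `opts->selinux` carries an undocumented security role, because the second main.c hunk appends the value verbatim with `bufprint(p, end, " androidboot.selinux=%s", opts->selinux)`. Without the check, a value containing spaces could add further boot parameters to the kernel command line. A comment above the check would stop a later edit from loosening it, for example `/* Only these literals are accepted: the value is appended verbatim to the kernel command line below. */`. The enclosing function starts and ends outside this hunk, so whether any other path can set opts->selinux is not visible here.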
@@ -1044,6 +1052,10 @@
p = bufprint(p, end, " androidboot.bootchart=%s", opts->bootchart);
}
+ if (opts->selinux) {
+ p = bufprint(p, end, " androidboot.selinux=%s", opts->selinux);
+ }
+
if (p >= end) {
fprintf(stderr, "### ERROR: kernel parameters too long\n");
exit(1);
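Review bot: The new `if (opts->selinux)` block lowers the guest's SELinux enforcement without leaving any trace in the emulator's own output, so a log from a permissive or disabled session looks the same as one from an enforcing session. A one-line warning next to the bufprint call would make the downgrade visible, e.g. `dwarning("SELinux is not enforcing in this session (-selinux %s)", opts->selinux);`, assuming the dwarning helper that sits alongside derror is in scope in this file. The enclosing function begins outside the hunk and continues past its last line.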