Google Git
Sign in
android / platform / external / qemu / 185231a^! / .
commit185231afe57ba2ed56bb7c77a39ce8bbd64d38d1[log] [tgz]
authorNick Kralevich <nnk@google.com>Mon Oct 07 13:54:31 2013 -0700
committerNick Kralevich <nnk@google.com>Mon Oct 07 14:16:51 2013 -0700
treef7d0f5c08bfe640926d7a71ae68d1edaed0a6b02
parent4c8845bf44d4844a08e0a8806d56ea8cc74060fa [diff]
emulator: Add option to control SELinux enforcement.

This change adds the following command line
options to the emulator:

  -selinux disabled
  -selinux permissive

This configures SELinux in either permissive or disabled modes.

"disabled" completely disables userspace support for SELinux. No
policy is ever loaded, nor is the SELinux filesystem /sys/fs/selinux
ever mounted.

"permissive" loads the SELinux policy, but puts SELinux into
permissive mode. SELinux policy violations are logged, but not rejected.

Change-Id: I97974deb5b39d5caab36032e8b282281c1e478ea

diff --git a/android/cmdline-options.h b/android/cmdline-options.h
index 16edeac..0c75783 100644
--- a/android/cmdline-options.h
+++ b/android/cmdline-options.h

@@ -166,6 +166,8 @@
 
 OPT_FLAG( force_32bit, "always use 32-bit emulator" )
 
+OPT_PARAM(selinux, "<disabled|permissive>", "Set SELinux to either disabled or permissive mode")
+
 #undef CFG_FLAG
 #undef CFG_PARAM
 #undef OPT_FLAG

diff --git a/android/help.c b/android/help.c
index 0a9eed85..e5d3e49 100644
--- a/android/help.c
+++ b/android/help.c

@@ -1526,6 +1526,18 @@
 }
 
 static void
+help_selinux(stralloc_t* out)
+{
+    PRINTF(
+    "  Use -selinux to control the SELinux enforcement mode.\n"
+    "  By default, SELinux is in enforcing mode. Other modes available are:\n"
+    "     -selinux permissive   -> Load the SELinux policy, but do not enforce it.\n"
+    "                              Policy violations are logged, but not rejected.\n"
+    "     -selinux disabled     -> Disable kernel support for SELinux.\n"
+    );
+}
+
+static void
 help_force_32bit(stralloc_t* out)
 {
     PRINTF(

diff --git a/android/main.c b/android/main.c
index f980d27..332183a 100644
--- a/android/main.c
+++ b/android/main.c

@@ -913,6 +913,14 @@
         args[n++] = opts->gps;
     }
 
+    if (opts->selinux) {
+        if ((strcmp(opts->selinux, "permissive") != 0)
+                && (strcmp(opts->selinux, "disabled") != 0)) {
+            derror("-selinux must be \"disabled\" or \"permissive\"");
+            exit(1);
+        }
+    }
+
     if (opts->memory) {
         char*  end;
         long   ramSize = strtol(opts->memory, &end, 0);
@@ -1044,6 +1052,10 @@
             p = bufprint(p, end, " androidboot.bootchart=%s", opts->bootchart);
         }
 
+        if (opts->selinux) {
+            p = bufprint(p, end, " androidboot.selinux=%s", opts->selinux);
+        }
+
         if (p >= end) {
             fprintf(stderr, "### ERROR: kernel parameters too long\n");
             exit(1);