init: remove support for disabled SELinux
Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.
Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.
Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
diff --git a/init/Android.mk b/init/Android.mk
index 4bd4f3d..0dc257d 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -5,9 +5,9 @@
# --
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
-init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_DISABLE_SELINUX=1
+init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1
else
-init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_DISABLE_SELINUX=0
+init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0
endif
init_options += -DLOG_UEVENTS=0
diff --git a/init/init.cpp b/init/init.cpp
index dd74538..68c8b7f 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -860,7 +860,7 @@
sehandle_prop = selinux_android_prop_context_handle();
}
-enum selinux_enforcing_status { SELINUX_DISABLED, SELINUX_PERMISSIVE, SELINUX_ENFORCING };
+enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
static selinux_enforcing_status selinux_status_from_cmdline() {
selinux_enforcing_status status = SELINUX_ENFORCING;
@@ -870,9 +870,7 @@
if (value == nullptr) { return; }
*value++ = '\0';
if (strcmp(name, "androidboot.selinux") == 0) {
- if (strcmp(value, "disabled") == 0) {
- status = SELINUX_DISABLED;
- } else if (strcmp(value, "permissive") == 0) {
+ if (strcmp(value, "permissive") == 0) {
status = SELINUX_PERMISSIVE;
}
}
@@ -882,24 +880,9 @@
return status;
}
-
-static bool selinux_is_disabled(void)
-{
- if (ALLOW_DISABLE_SELINUX) {
- if (access("/sys/fs/selinux", F_OK) != 0) {
- // SELinux is not compiled into the kernel, or has been disabled
- // via the kernel command line "selinux=0".
- return true;
- }
- return selinux_status_from_cmdline() == SELINUX_DISABLED;
- }
-
- return false;
-}
-
static bool selinux_is_enforcing(void)
{
- if (ALLOW_DISABLE_SELINUX) {
+ if (ALLOW_PERMISSIVE_SELINUX) {
return selinux_status_from_cmdline() == SELINUX_ENFORCING;
}
return true;
@@ -907,10 +890,6 @@
int selinux_reload_policy(void)
{
- if (selinux_is_disabled()) {
- return -1;
- }
-
INFO("SELinux: Attempting to reload policy files\n");
if (selinux_android_reload_policy() == -1) {
@@ -947,10 +926,6 @@
cb.func_audit = audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
- if (selinux_is_disabled()) {
- return;
- }
-
if (in_kernel_domain) {
INFO("Loading SELinux policy...\n");
if (selinux_android_load_policy() < 0) {
@@ -958,8 +933,15 @@
security_failure();
}
+ bool kernel_enforcing = (security_getenforce() == 1);
bool is_enforcing = selinux_is_enforcing();
- security_setenforce(is_enforcing);
+ if (kernel_enforcing != is_enforcing) {
+ if (security_setenforce(is_enforcing)) {
+ ERROR("security_setenforce(%s) failed: %s\n",
+ is_enforcing ? "true" : "false", strerror(errno));
+ security_failure();
+ }
+ }
if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {
security_failure();
