diff --git a/arch/arm64/configs/exynos7885-a7y18lte_defconfig b/arch/arm64/configs/exynos7885-a7y18lte_defconfig
index ca2aae651..34bd52d4e 100644
--- a/arch/arm64/configs/exynos7885-a7y18lte_defconfig
+++ b/arch/arm64/configs/exynos7885-a7y18lte_defconfig
@@ -52,11 +52,8 @@ CONFIG_SWAP=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_FHANDLE is not set
 # CONFIG_USELIB is not set
-CONFIG_AUDIT=y
+# CONFIG_AUDIT is not set
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
 #
 # IRQ subsystem
@@ -5067,7 +5064,6 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 # CONFIG_TZ_ICCC is not set
@@ -5279,9 +5275,7 @@ CONFIG_CRC32_SLICEBY8=y
 # CONFIG_CRC7 is not set
 CONFIG_LIBCRC32C=y
 # CONFIG_CRC8 is not set
-CONFIG_AUDIT_GENERIC=y
 CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y
-CONFIG_AUDIT_COMPAT_GENERIC=y
 # CONFIG_RANDOM32_SELFTEST is not set
 CONFIG_ZLIB_INFLATE=y
 CONFIG_ZLIB_DEFLATE=y
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 8691e92f2..ddd09c9cb 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,6 +1,6 @@
 config SECURITY_SELINUX
 bool "NSA SELinux Support"
- depends on SECURITY_NETWORK && AUDIT && NET && INET
+ depends on SECURITY_NETWORK && NET && INET
 select NETWORK_SECMARK
 default n
 help
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index ff70bc1b5..4fad640e8 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -107,6 +107,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
 }
+#ifdef CONFIG_AUDIT
 /**
 * avc_dump_av - Display an access vector in human-readable form.
 * @tclass: target security class
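Review bot: The first hunk of exynos7885-a7y18lte_defconfig switches `CONFIG_AUDIT` off with no rationale in the part of the commit visible here, and that removes the kernel's audit record stream for this device. Taken with the SELinux changes later in the commit, access decisions are still enforced but denials are no longer recorded, so both policy debugging and detection of blocked access attempts lose their main data source. The commit message should state the reason and the trade-off, for example `audit disabled: SELinux denials are enforced but not logged`. The two later hunks in this file (`CONFIG_INTEGRITY_AUDIT`, `CONFIG_AUDIT_GENERIC`, `CONFIG_AUDIT_COMPAT_GENERIC`) are consequences of the same switch.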
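Review bot: Removing `AUDIT` from the `depends on` line of `SECURITY_SELINUX` in security/selinux/Kconfig makes a SELinux build without denial logging a selectable configuration, and nothing in the visible part of the entry tells the person configuring the kernel. A comment above the line would record it: `# AUDIT is optional here; without it AVC denials are enforced but never logged.` Other SELinux records that go through the audit API, such as policy loads and enforcing-mode changes, presumably disappear as well, which is worth confirming before relying on this configuration. The help text continues outside the hunk.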
@@ -173,6 +174,7 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
 BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
 }
+#endif
 /**
 * avc_init - Initialize the AVC.
@@ -475,6 +477,7 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
 u8 perm, int result,
 struct common_audit_data *ad)
 {
+#ifdef CONFIG_AUDIT
 u32 audited, denied;
 audited = avc_xperms_audit_required(
@@ -483,6 +486,9 @@ static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
 return 0;
 return slow_avc_audit(ssid, tsid, tclass, requested,
 audited, denied, result, ad, 0);
+#else
+ return 0;
+#endif
 }
 static void avc_node_free(struct rcu_head *rhead)
@@ -709,6 +715,7 @@ out:
 return node;
 }
+#ifdef CONFIG_AUDIT
 /**
 * avc_audit_pre_callback - SELinux specific information
 * will be called by generic audit code
@@ -782,6 +789,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
 return 0;
 }
+#endif
 /**
 * avc_add_callback - Register a callback for security events.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fcae49254..9958ff3ea 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3035,6 +3035,7 @@ static noinline int audit_inode_permission(struct inode *inode,
 int result,
 unsigned flags)
 {
+#ifdef CONFIG_AUDIT
 struct common_audit_data ad;
 struct inode_security_struct *isec = inode->i_security;
 int rc;
@@ -3046,6 +3047,7 @@ static noinline int audit_inode_permission(struct inode *inode,
 audited, denied, result, &ad, flags);
 if (rc)
 return rc;
+#endif
 return 0;
 }
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 0999df03a..9da59efd4 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
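Review bot: The `#endif` added after `avc_dump_query` in avc.c (@@ -173) is bare while its `#ifdef CONFIG_AUDIT` was opened in the previous hunk, before the `avc_dump_av` comment, so the pair cannot be matched without scrolling; `#endif /* CONFIG_AUDIT */` fixes that. The same applies to the `#endif` added after `slow_avc_audit` (@@ -782) and to the ones added in hooks.c, avc.h and services.c.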
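Review bot: In `avc_xperms_audit` (avc.c, @@ -475) the `#ifdef CONFIG_AUDIT` opened inside the body and closed with `#else`, `return 0;`, `#endif` in the next hunk (@@ -483) leaves the audit path uncompiled and unchecked on this configuration. A guard written in C keeps a single body: in place of the preprocessor lines, put `if (!IS_ENABLED(CONFIG_AUDIT)) return 0;` after the `u32 audited, denied;` declaration. That form depends on the compiler discarding the dead call to `slow_avc_audit`, which this commit compiles out, so it should be build-tested with audit disabled. `audit_inode_permission` in hooks.c and `avc_audit` in avc.h use the same in-body `#ifdef` and could take the same change.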
@@ -133,6 +133,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
 struct common_audit_data *a,
 int flags)
 {
+#ifdef CONFIG_AUDIT
 u32 audited, denied;
 audited = avc_audit_required(requested, avd, result, 0, &denied);
 if (likely(!audited))
@@ -140,6 +141,9 @@ static inline int avc_audit(u32 ssid, u32 tsid,
 return slow_avc_audit(ssid, tsid, tclass,
 requested, audited, denied, result,
 a, flags);
+#else
+ return 0;
+#endif
 }
 #define AVC_STRICT 1 /* Ignore permissive mode. */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 51c7af299..91bad8c54 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3275,6 +3275,7 @@ out:
 return match;
 }
+#ifdef CONFIG_AUDIT
 static int (*aurule_callback)(void) = audit_update_lsm_rules;
 static int aurule_avc_callback(u32 event)
@@ -3297,6 +3298,7 @@ static int __init aurule_init(void)
 return err;
 }
 __initcall(aurule_init);
+#endif
 #ifdef CONFIG_NETLABEL
 /**
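Review bot: The `#else` branch added to `avc_audit` in avc.h (@@ -140) returns 0 without saying that the decision goes unrecorded, and this inline is presumably the common path by which AVC grants and denials get logged. A comment on the branch would make the consequence explicit: `/* No audit support: the caller still enforces the decision, nothing is logged. */`. The function's signature starts outside the hunk.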