Revert "selinux: mega switch"

This reverts commit 25ec2170d7.
2020-04-06 19:40:33 +05:30 · 2020-04-06 19:40:33 +05:30 · c3a97e0a7f
commit c3a97e0a7f
parent 3571e2c33d
12 changed files with 18 additions and 67 deletions
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@ -65,28 +65,6 @@ config SECURITY_SELINUX_DEVELOP
 	  can interactively toggle the kernel between enforcing mode and
 	  permissive mode (if permitted by the policy) via /selinux/enforce.

-	  
-config SECURITY_SELINUX_FAKE_ENFORCE
-	bool "NSA SELinux Fake Enforcing"
-	depends on SECURITY_SELINUX_DEVELOP
-	default n
-	help
-	  This option will set SELinux to permissive with fake enforcing status.
-
-config SECURITY_SELINUX_ALWAYS_ENFORCE
-	bool "NSA SELinux Always Enforcing"
-	depends on SECURITY_SELINUX_DEVELOP
-	default n
-	help
-	  This option will prevent anything from setting SELinux to permissive.
-
-config SECURITY_SELINUX_NEVER_ENFORCE
-	bool "NSA SELinux Never Enforcing"
-	depends on SECURITY_SELINUX_DEVELOP
-	default n
-	help
-	  This option will prevent anything from setting SELinux to enforcing.
-	  
 config SECURITY_SELINUX_AVC_STATS
 	bool "NSA SELinux AVC Statistics"
 	depends on SECURITY_SELINUX
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@ -1047,7 +1047,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
 	}
 #endif

-#if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
+#ifdef CONFIG_ALWAYS_ENFORCE
 	if (!(avd->flags & AVD_FLAGS_PERMISSIVE))
 #else
 	if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@ -20,7 +20,7 @@
 bool selinux_is_enabled(void)
 {
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	return true;
 #else
 	return selinux_enabled;
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -207,10 +207,8 @@ static int __init enforcing_setup(char *str)
 	unsigned long enforcing;
 	if (!kstrtoul(str, 0, &enforcing))
 // [ SEC_SELINUX_PORTING_COMMON
-#if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
- 		selinux_enforcing = 1;
-#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
-		selinux_enforcing = 0;
+#ifdef CONFIG_ALWAYS_ENFORCE
+		selinux_enforcing = 1;
 #else
 		selinux_enforcing = enforcing ? 1 : 0;
 #endif
@ -229,7 +227,7 @@ static int __init selinux_enabled_setup(char *str)
 	unsigned long enabled;
 	if (!kstrtoul(str, 0, &enabled))
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 		selinux_enabled = 1;
 #else
 		selinux_enabled = enabled ? 1 : 0;
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -135,7 +135,7 @@ struct extended_perms {

 /* definitions of av_decision.flags */
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 #define AVD_FLAGS_PERMISSIVE	0x0000
 #else
 #define AVD_FLAGS_PERMISSIVE	0x0001
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@ -278,7 +278,7 @@ static __init int sel_netif_init(void)
 	int i;
 	
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	selinux_enabled = 1;
 #endif
 // ] SEC_SELINUX_PORTING_COMMON
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@ -305,7 +305,7 @@ static __init int sel_netnode_init(void)
 	int iter;
 	
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	selinux_enabled = 1;
 #endif
 // ] SEC_SELINUX_PORTING_COMMON
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@ -239,7 +239,7 @@ static __init int sel_netport_init(void)
 	int iter;
 	
 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	selinux_enabled = 1;
 #endif
 // ] SEC_SELINUX_PORTING_COMMON
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@ -128,19 +128,13 @@ static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
 #define SEL_INO_MASK			0x00ffffff

 #define TMPBUFLEN	12
-#ifdef CONFIG_SECURITY_SELINUX_FAKE_ENFORCE
-static int user_selinux_enforcing = 0;
-#endif
 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
 				size_t count, loff_t *ppos)
 {
 	char tmpbuf[TMPBUFLEN];
 	ssize_t length;
-#ifdef CONFIG_SECURITY_SELINUX_FAKE_ENFORCE
-	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", user_selinux_enforcing);
-#else	
+
 	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
-#endif
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
 }

@ -176,7 +170,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 		goto out;

 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	// If build is user build and enforce option is set, selinux is always enforcing
 	new_value = 1;
 	length = task_has_security(current, SECURITY__SETENFORCE);
@ -191,24 +185,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 	avc_ss_reset(0);
 	selnl_notify_setenforce(new_value);
 	selinux_status_update_setenforce(new_value);
-#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
-	// If build is user build and permissive option is set, selinux is always permissive
-	new_value = 0;
-	length = task_has_security(current, SECURITY__SETENFORCE);
-	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                        "config_never_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u",
-                        new_value, selinux_enforcing,
-                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
-	selinux_enforcing = new_value;
-	selnl_notify_setenforce(new_value);
-	selinux_status_update_setenforce(new_value);
 #else
-#ifdef CONFIG_SECURITY_SELINUX_FAKE_ENFORCE
-	user_selinux_enforcing = new_value;
-	length = count;
-	goto out;
-#endif
 	if (new_value != selinux_enforcing) {
 		length = task_has_security(current, SECURITY__SETENFORCE);
 		if (length)
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@ -1506,9 +1506,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
 	return 0;
 bad:
 // [ SEC_SELINUX_PORTING_COMMON
-#ifndef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifndef CONFIG_ALWAYS_ENFORCE
 	panic("SELinux:Failed to type read");
-#endif /*CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE*/
+#endif /*CONFIG_ALWAYS_ENFORCE*/
 // ] SEC_SELINUX_PORTING_COMMON
 	type_destroy(key, typdatum, NULL);
 	return rc;
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@ -774,7 +774,7 @@ out:
 	kfree(t);

 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 #if !defined(CONFIG_RKP_KDP)
 	selinux_enforcing = 1;
 #endif
@ -1545,7 +1545,7 @@ out:
 	kfree(n);

 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 #if !defined(CONFIG_RKP_KDP)
 	selinux_enforcing = 1;
 #endif
@ -1843,7 +1843,7 @@ static inline int convert_context_handle_invalid_context(struct context *context
 	u32 len;

 // [ SEC_SELINUX_PORTING_COMMON
-#ifdef CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE
+#ifdef CONFIG_ALWAYS_ENFORCE
 	selinux_enforcing = 1;
 #endif
 // ] SEC_SELINUX_PORTING_COMMON
--- a/security/selinux/ss/status.c
+++ b/security/selinux/ss/status.c
@ -59,10 +59,8 @@ struct page *selinux_kernel_status_page(void)
 			status->version = SELINUX_KERNEL_STATUS_VERSION;
 			status->sequence = 0;
 // [ SEC_SELINUX_PORTING_COMMON
-#if defined(CONFIG_SECURITY_SELINUX_ALWAYS_ENFORCE)
- 			status->enforcing = 1;
-#elif defined(CONFIG_SECURITY_SELINUX_NEVER_ENFORCE)
-			status->enforcing = 0;
+#ifdef CONFIG_ALWAYS_ENFORCE
+			status->enforcing = 1;
 #else
 			status->enforcing = selinux_enforcing;
 #endif