
selinux: clean up selinux_enabled/disabled/enforcing_boot

Rename selinux_enabled to selinux_enabled_boot to make it clear that
it only reflects whether SELinux was enabled at boot. Replace the
references to it in the MAC_STATUS audit log in sel_write_enforce()
with hardcoded "1" values because this code is only reachable if SELinux
is enabled and does not change its value, and update the corresponding
MAC_STATUS audit log in sel_write_disable(). Stop clearing
selinux_enabled in selinux_disable() since it is not used outside of
initialization code that runs before selinux_disable() can be reached.
Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata
since they are only used in initialization code.

Wrap the disabled field in the struct selinux_state with
CONFIG_SECURITY_SELINUX_DISABLE since it is only used for
runtime disable.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Stephen Smalley and committed by
Paul Moore
6c5a682e 210a2928

+17 -18
+5 -7
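--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -109,7 +109,7 @@
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static int selinux_enforcing_boot;
+static int selinux_enforcing_boot __initdata;
 
 static int __init enforcing_setup(char *str)
 {
@@ -123,13 +123,13 @@
 #define selinux_enforcing_boot 1
 #endif
 
-int selinux_enabled __lsm_ro_after_init = 1;
+int selinux_enabled_boot __initdata = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 static int __init selinux_enabled_setup(char *str)
 {
 	unsigned long enabled;
 	if (!kstrtoul(str, 0, &enabled))
-		selinux_enabled = enabled ? 1 : 0;
+		selinux_enabled_boot = enabled ? 1 : 0;
 	return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
@@ -7202,7 +7202,7 @@
 DEFINE_LSM(selinux) = {
 	.name = "selinux",
 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
-	.enabled = &selinux_enabled,
+	.enabled = &selinux_enabled_boot,
 	.blobs = &selinux_blob_sizes,
 	.init = selinux_init,
 };
@@ -7271,7 +7271,7 @@
 {
 	int err;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	pr_debug("SELinux: Registering netfilter hooks\n");
@@ -7317,8 +7317,6 @@
 	state->disabled = 1;
 
 	pr_info("SELinux: Disabled at runtime.\n");
-
-	selinux_enabled = 0;
 
 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
 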
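Review bot: `selinux_enabled_boot` becomes `__initdata` at line 126, so its storage is released after boot and every remaining reader — the `if (!selinux_enabled_boot)` at 7274 here and the matching checks in ibpkey.c, netif.c, netnode.c, netport.c and selinuxfs.c — must sit in an `__init` function; none of those functions' signatures fall inside the hunks, so that is worth confirming, with modpost's section-mismatch warning as the backstop. A short comment on the definition would make the lifetime explicit for later callers, e.g. `/* boot-time only (__initdata): must not be read after init */`. The hunk at 7317 no longer clears the flag, which is consistent with that lifetime. The enclosing functions of the 7271 and 7317 hunks start outside the hunk.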
+1 -1
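--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -222,7 +222,7 @@
 {
 	int iter;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {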
+3 -1
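--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -69,7 +69,7 @@
 
 struct netlbl_lsm_secattr;
 
-extern int selinux_enabled;
+extern int selinux_enabled_boot;
 
 /* Policy capabilities */
 enum {
@@ -99,7 +99,9 @@
 struct selinux_ss;
 
 struct selinux_state {
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
 	bool disabled;
+#endif
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 	bool enforcing;
 #endif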
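Review bot: The newly `#ifdef`-wrapped `disabled` field at line 103 carries no comment, so a reader of the header cannot tell when it is set; the hooks.c hunk at 7317 shows it being set to 1 on the runtime-disable path, which the commit message attributes to selinux_disable(). I would document that inline, e.g. `bool disabled; /* set to 1 by selinux_disable(); runtime disable only */`. Any read of `state->disabled` that is not itself under CONFIG_SECURITY_SELINUX_DISABLE now fails to build, which appears to be the intent, but callers outside these hunks are not visible here.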
+1 -1
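--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -266,7 +266,7 @@
 {
 	int i;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)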
+1 -1
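--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -291,7 +291,7 @@
 {
 	int iter;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {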
+1 -1
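--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -225,7 +225,7 @@
 {
 	int iter;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {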
+5 -6
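--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -168,11 +168,10 @@
 			goto out;
 		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
 			"enforcing=%d old_enforcing=%d auid=%u ses=%u"
-			" enabled=%d old-enabled=%d lsm=selinux res=1",
+			" enabled=1 old-enabled=1 lsm=selinux res=1",
 			new_value, old_value,
 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
-			audit_get_sessionid(current),
-			selinux_enabled, selinux_enabled);
+			audit_get_sessionid(current));
 		enforcing_set(state, new_value);
 		if (new_value)
 			avc_ss_reset(state->avc, 0);
@@ -303,10 +304,10 @@
 			goto out;
 		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
 			"enforcing=%d old_enforcing=%d auid=%u ses=%u"
-			" enabled=%d old-enabled=%d lsm=selinux res=1",
+			" enabled=0 old-enabled=1 lsm=selinux res=1",
 			enforcing, enforcing,
 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
-			audit_get_sessionid(current), 0, 1);
+			audit_get_sessionid(current));
 	}
 
 	length = count;
@@ -2104,7 +2105,7 @@
 				  sizeof(NULL_FILE_NAME)-1);
 	int err;
 
-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;
 
 	err = sysfs_create_mount_point(fs_kobj, "selinux");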
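Review bot: The hardcoded `enabled=1 old-enabled=1` at line 171 is only accurate if this write handler cannot run after a runtime disable; the old code logged `selinux_enabled`, which the removed line 7321 in hooks.c shows being cleared to 0 on disable, so a write arriving through a descriptor still open at that point — if such a path is reachable — would now audit `enabled=1` where it previously reported 0. If that path is indeed unreachable, a one-line comment above the audit_log call stating the commit's own reasoning would spare the next reader the check, e.g. `/* SELinux is necessarily still enabled here, so the values are constant */`. The `goto out` at 303 immediately ahead of the `enabled=0` record at 307 suggests that record is only emitted once the disable succeeded, which is consistent. Both enclosing functions start outside the hunk.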