| author | Nick Kralevich <nnk@google.com> | 2013-06-28 20:01:59 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2013-06-28 20:02:00 +0000 |
| commit | 1d932e2bc6f09705320804215149ec072bdf9805 (patch) | |
| tree | ed1044faa514c48ba5694f1de4c98c5fe4938d10 | |
| parent | f519c04d280895287b93f13b6f1c42debb2f7565 (diff) | |
| parent | 4838aa1b7b0f279ae6194ab1606922e2d1540f90 (diff) | |
| download | system_core-1d932e2bc6f09705320804215149ec072bdf9805.zip system_core-1d932e2bc6f09705320804215149ec072bdf9805.tar.gz system_core-1d932e2bc6f09705320804215149ec072bdf9805.tar.bz2 | |
Merge "init: allow disabling selinux via a kernel command line"
| -rw-r--r-- | init/init.c | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/init/init.c b/init/init.c
index 4196620..d75adca 100644
--- a/init/init.c
+++ b/init/init.c
@@ -793,8 +793,52 @@ void selinux_init_all_handles(void)
 sehandle_prop = selinux_android_prop_context_handle();
 }
 
+static bool selinux_is_disabled(void)
+{
+ char tmp[PROP_VALUE_MAX];
+
+ if (access("/sys/fs/selinux", F_OK) != 0) {
+ /* SELinux is not compiled into the kernel, or has been disabled
+ * via the kernel command line "selinux=0".
+ */
+ return true;
+ }
+
+ if ((property_get("ro.boot.selinux", tmp) != 0) && (strcmp(tmp, "disabled") == 0)) {
+ /* SELinux is compiled into the kernel, but we've been told to disable it. */
+ return true;
+ }
+
+ return false;
+}
+
+static bool selinux_is_enforcing(void)
+{
+ char tmp[PROP_VALUE_MAX];
+
+ if (property_get("ro.boot.selinux", tmp) == 0) {
+ /* Property is not set. Assume enforcing */
+ return true;
+ }
+
+ if (strcmp(tmp, "permissive") == 0) {
+ /* SELinux is in the kernel, but we've been told to go into permissive mode */
+ return false;
+ }
+
+ if (strcmp(tmp, "enforcing") != 0) {
+ ERROR("SELinux: Unknown value of ro.boot.selinux. Got: \"%s\". Assuming enforcing.\n", tmp);
+ }
+
+ return true;
+}
+
 int selinux_reload_policy(void)
 {
+ if (selinux_is_disabled()) {
+ return -1;
+ }
+
 INFO("SELinux: Attempting to reload policy files\n");
 
 if (selinux_android_reload_policy() == -1) {
@@ -819,8 +863,7 @@ int audit_callback(void *data, security_class_t cls, char *buf, size_t len)
 
 static void selinux_initialize(void)
 {
- if (access("/sys/fs/selinux", F_OK) != 0) {
- // SELinux is not compiled into this kernel. Fail gracefully.
+ if (selinux_is_disabled()) {
 return;
 }
 
@@ -832,7 +875,9 @@ static void selinux_initialize(void)
 }
 
 selinux_init_all_handles();
- security_setenforce(1);
+ bool is_enforcing = selinux_is_enforcing();
+ INFO("SELinux: security_setenforce(%d)\n", is_enforcing);
+ security_setenforce(is_enforcing);
 }
 
 int main(int argc, char **argv) |
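Review bot: The two `return true;` branches in selinux_is_disabled() emit no log line, so a boot on which SELinux is off — selinuxfs absent, or ro.boot.selinux set to "disabled" — leaves no trace in the log, whereas the enforcing/permissive decision in the third hunk is reported via INFO. A one-line `INFO("SELinux: disabled (no selinuxfs or ro.boot.selinux=disabled)\n");` ahead of each `return true;` would make that state visible, and would also cover the otherwise silent early returns this commit adds to selinux_reload_policy here and to selinux_initialize in the second hunk. Both new helpers compare ro.boot.selinux against the bare literals "disabled", "permissive" and "enforcing"; a header comment on selinux_is_disabled() listing the accepted values and noting that the property is presumably populated only from the kernel command line (as the commit title indicates) would document the trust boundary the check relies on. The body of selinux_reload_policy continues past the end of this hunk.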
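Review bot: The return value of `security_setenforce(is_enforcing)` in the third hunk is still ignored, so if the call fails the enforcing state is left unchanged while the INFO line just above has already reported the intended mode as if it had taken effect. Checking the result, `if (security_setenforce(is_enforcing) < 0) { ERROR("SELinux: security_setenforce(%d) failed\n", is_enforcing); }`, makes such a failure visible in the log. Passing the bool to `%d` is fine, since default argument promotion widens it to int. selinux_initialize begins outside this hunk.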
