summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorNick Kralevich <nnk@google.com>2013-06-26 15:37:26 -0700
committerNick Kralevich <nnk@google.com>2013-06-28 12:05:07 -0700
commit4838aa1b7b0f279ae6194ab1606922e2d1540f90 (patch)
tree206ebed5c12fa1911cb910416173940532b3146a /init
parenteecf40fce8d502a9b35f79d73bba708bc35c9632 (diff)
downloadsystem_core-4838aa1b7b0f279ae6194ab1606922e2d1540f90.zip
system_core-4838aa1b7b0f279ae6194ab1606922e2d1540f90.tar.gz
system_core-4838aa1b7b0f279ae6194ab1606922e2d1540f90.tar.bz2
init: allow disabling selinux via a kernel command line
Create a new "androidboot.selinux" option, to control how userspace handles SELinux. This kernel command line can have three options: * disabled * permissive * enforcing "disabled" completely disables userspace support for SELinux. No policy is ever loaded, nor is the SELinux filesystem /sys/fs/selinux ever mounted. "permissive" loads the SELinux policy, but puts SELinux into permissive mode. SELinux policy violations are logged, but not rejected. "enforcing", the default, loads the SELinux policy, and places SELinux into enforcing mode. Policy violations are rejected. This change addresses post review comments for change b710ed21dec88c0dde8209264df054c842561589 . Change-Id: I912583db8e6a0e9c63380de32ad8ffc47a8a440f
Diffstat (limited to 'init')
-rw-r--r--init/init.c51
1 files changed, 48 insertions, 3 deletions
diff --git a/init/init.c b/init/init.c
index 4196620..d75adca 100644
--- a/init/init.c
+++ b/init/init.c
@@ -793,8 +793,52 @@ void selinux_init_all_handles(void)
sehandle_prop = selinux_android_prop_context_handle();
}
+static bool selinux_is_disabled(void)
+{
+ char tmp[PROP_VALUE_MAX];
+
+ if (access("/sys/fs/selinux", F_OK) != 0) {
+ /* SELinux is not compiled into the kernel, or has been disabled
+ * via the kernel command line "selinux=0".
+ */
+ return true;
+ }
+
+ if ((property_get("ro.boot.selinux", tmp) != 0) && (strcmp(tmp, "disabled") == 0)) {
+ /* SELinux is compiled into the kernel, but we've been told to disable it. */
+ return true;
+ }
+
+ return false;
+}
+
+static bool selinux_is_enforcing(void)
+{
+ char tmp[PROP_VALUE_MAX];
+
+ if (property_get("ro.boot.selinux", tmp) == 0) {
+ /* Property is not set. Assume enforcing */
+ return true;
+ }
+
+ if (strcmp(tmp, "permissive") == 0) {
+ /* SELinux is in the kernel, but we've been told to go into permissive mode */
+ return false;
+ }
+
+ if (strcmp(tmp, "enforcing") != 0) {
+ ERROR("SELinux: Unknown value of ro.boot.selinux. Got: \"%s\". Assuming enforcing.\n", tmp);
+ }
+
+ return true;
+}
+
int selinux_reload_policy(void)
{
+ if (selinux_is_disabled()) {
+ return -1;
+ }
+
INFO("SELinux: Attempting to reload policy files\n");
if (selinux_android_reload_policy() == -1) {
@@ -819,8 +863,7 @@ int audit_callback(void *data, security_class_t cls, char *buf, size_t len)
static void selinux_initialize(void)
{
- if (access("/sys/fs/selinux", F_OK) != 0) {
- // SELinux is not compiled into this kernel. Fail gracefully.
+ if (selinux_is_disabled()) {
return;
}
@@ -832,7 +875,9 @@ static void selinux_initialize(void)
}
selinux_init_all_handles();
- security_setenforce(1);
+ bool is_enforcing = selinux_is_enforcing();
+ INFO("SELinux: security_setenforce(%d)\n", is_enforcing);
+ security_setenforce(is_enforcing);
}
int main(int argc, char **argv)