Commit 6c5a682e authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore

selinux: clean up selinux_enabled/disabled/enforcing_boot



Rename selinux_enabled to selinux_enabled_boot to make it clear that
it only reflects whether SELinux was enabled at boot.  Replace the
references to it in the MAC_STATUS audit log in sel_write_enforce()
with hardcoded "1" values because this code is only reachable if SELinux
is enabled and does not change its value, and update the corresponding
MAC_STATUS audit log in sel_write_disable().  Stop clearing
selinux_enabled in selinux_disable() since it is not used outside of
initialization code that runs before selinux_disable() can be reached.
Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata
since they are only used in initialization code.

Wrap the disabled field in the struct selinux_state with
CONFIG_SECURITY_SELINUX_DISABLE since it is only used for
runtime disable.

Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 210a2928
+5 −7
@@ -109,7 +109,7 @@ struct selinux_state selinux_state;
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
static int selinux_enforcing_boot;
static int selinux_enforcing_boot __initdata;

static int __init enforcing_setup(char *str)
{
@@ -123,13 +123,13 @@ __setup("enforcing=", enforcing_setup);
#define selinux_enforcing_boot 1
#endif

int selinux_enabled __lsm_ro_after_init = 1;
int selinux_enabled_boot __initdata = 1;
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
static int __init selinux_enabled_setup(char *str)
{
	unsigned long enabled;
	if (!kstrtoul(str, 0, &enabled))
		selinux_enabled = enabled ? 1 : 0;
		selinux_enabled_boot = enabled ? 1 : 0;
	return 1;
}
__setup("selinux=", selinux_enabled_setup);
@@ -7202,7 +7202,7 @@ void selinux_complete_init(void)
DEFINE_LSM(selinux) = {
	.name = "selinux",
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
	.enabled = &selinux_enabled,
	.enabled = &selinux_enabled_boot,
	.blobs = &selinux_blob_sizes,
	.init = selinux_init,
};
@@ -7271,7 +7271,7 @@ static int __init selinux_nf_ip_init(void)
{
	int err;

	if (!selinux_enabled)
	if (!selinux_enabled_boot)
		return 0;

	pr_debug("SELinux:  Registering netfilter hooks\n");
@@ -7318,8 +7318,6 @@ int selinux_disable(struct selinux_state *state)

	pr_info("SELinux:  Disabled at runtime.\n");

	selinux_enabled = 0;

	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));

	/* Try to destroy the avc node cache */
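Review bot: `.enabled = &selinux_enabled_boot` in DEFINE_LSM now hands the LSM core a pointer into `__initdata`, so the framework must never dereference `lsm_info->enabled` once init memory has been freed; presumably security.c only reads the flag from `__init` code during LSM ordering, but that is not visible in this commit and is the one thing to confirm before the `__initdata` marking lands. The same applies to `selinux_enforcing_boot`, whose remaining reader (beyond `enforcing_setup`) is outside these hunks. A short comment on the definition would make the contract explicit, e.g. `int selinux_enabled_boot __initdata = 1; /* boot-time value only; pointed to by lsm_info, must not be read after free_initmem() */`. The `selinux_disable()` hunk starts outside the visible range, so whether `state->disabled` is set before `security_delete_hooks()` cannot be checked here.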
+1 −1
@@ -222,7 +222,7 @@ static __init int sel_ib_pkey_init(void)
{
	int iter;

	if (!selinux_enabled)
	if (!selinux_enabled_boot)
		return 0;

	for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
+3 −1
@@ -69,7 +69,7 @@

struct netlbl_lsm_secattr;

extern int selinux_enabled;
extern int selinux_enabled_boot;

/* Policy capabilities */
enum {
@@ -99,7 +99,9 @@ struct selinux_avc;
struct selinux_ss;

struct selinux_state {
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
	bool disabled;
#endif
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
	bool enforcing;
#endif
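Review bot: The new `extern int selinux_enabled_boot;` declaration gives header consumers no indication that the definition is `__initdata`, so a future reader in non-`__init` code compiles cleanly and would read freed memory at runtime (modpost may emit a section-mismatch warning, but nothing in this header says so). I would annotate the declaration, e.g. `extern int selinux_enabled_boot;	/* __initdata: only valid from __init code */`. Likewise the newly conditional `disabled` field could carry `/* set once by runtime disable; only built with CONFIG_SECURITY_SELINUX_DISABLE */` so that out-of-config accesses failing to compile are understood as intentional. The `struct selinux_state` definition continues past the end of this hunk.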
+1 −1
@@ -266,7 +266,7 @@ static __init int sel_netif_init(void)
{
	int i;

	if (!selinux_enabled)
	if (!selinux_enabled_boot)
		return 0;

	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
+1 −1
@@ -291,7 +291,7 @@ static __init int sel_netnode_init(void)
{
	int iter;

	if (!selinux_enabled)
	if (!selinux_enabled_boot)
		return 0;

	for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {