selinux: clean up selinux_enabled/disabled/enforcing_boot

Rename selinux_enabled to selinux_enabled_boot to make it clear that it only reflects whether SELinux was enabled at boot. Replace the references to it in the MAC_STATUS audit log in sel_write_enforce() with hardcoded "1" values because this code is only reachable if SELinux is enabled and does not change its value, and update the corresponding MAC_STATUS audit log in sel_write_disable(). Stop clearing selinux_enabled in selinux_disable() since it is not used outside of initialization code that runs before selinux_disable() can be reached. Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata since they are only used in initialization code. Wrap the disabled field in the struct selinux_state with CONFIG_SECURITY_SELINUX_DISABLE since it is only used for runtime disable. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-17 09:15:10 -05:00 · 2019-12-17 09:15:10 -05:00 · 6c5a682e64
commit 6c5a682e64
parent 210a292874
7 changed files with 17 additions and 18 deletions
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -109,7 +109,7 @@ struct selinux_state selinux_state;
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);

 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static int selinux_enforcing_boot;
+static int selinux_enforcing_boot __initdata;

 static int __init enforcing_setup(char *str)
 {
@ -123,13 +123,13 @@ __setup("enforcing=", enforcing_setup);
 #define selinux_enforcing_boot 1
 #endif

-int selinux_enabled __lsm_ro_after_init = 1;
+int selinux_enabled_boot __initdata = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 static int __init selinux_enabled_setup(char *str)
 {
 	unsigned long enabled;
 	if (!kstrtoul(str, 0, &enabled))
-		selinux_enabled = enabled ? 1 : 0;
+		selinux_enabled_boot = enabled ? 1 : 0;
 	return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
@ -7202,7 +7202,7 @@ void selinux_complete_init(void)
 DEFINE_LSM(selinux) = {
 	.name = "selinux",
 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
-	.enabled = &selinux_enabled,
+	.enabled = &selinux_enabled_boot,
 	.blobs = &selinux_blob_sizes,
 	.init = selinux_init,
 };
@ -7271,7 +7271,7 @@ static int __init selinux_nf_ip_init(void)
 {
 	int err;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	pr_debug("SELinux:  Registering netfilter hooks\n");
@ -7318,8 +7318,6 @@ int selinux_disable(struct selinux_state *state)

 	pr_info("SELinux:  Disabled at runtime.\n");

-	selinux_enabled = 0;
-
 	security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));

 	/* Try to destroy the avc node cache */
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@ -222,7 +222,7 @@ static __init int sel_ib_pkey_init(void)
 {
 	int iter;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -69,7 +69,7 @@

 struct netlbl_lsm_secattr;

-extern int selinux_enabled;
+extern int selinux_enabled_boot;

 /* Policy capabilities */
 enum {
@ -99,7 +99,9 @@ struct selinux_avc;
 struct selinux_ss;

 struct selinux_state {
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
 	bool disabled;
+#endif
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 	bool enforcing;
 #endif
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@ -266,7 +266,7 @@ static __init int sel_netif_init(void)
 {
 	int i;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@ -291,7 +291,7 @@ static __init int sel_netnode_init(void)
 {
 	int iter;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@ -225,7 +225,7 @@ static __init int sel_netport_init(void)
 {
 	int iter;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@ -168,11 +168,10 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 			goto out;
 		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
 			"enforcing=%d old_enforcing=%d auid=%u ses=%u"
-			" enabled=%d old-enabled=%d lsm=selinux res=1",
+			" enabled=1 old-enabled=1 lsm=selinux res=1",
 			new_value, old_value,
 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
-			audit_get_sessionid(current),
-			selinux_enabled, selinux_enabled);
+			audit_get_sessionid(current));
 		enforcing_set(state, new_value);
 		if (new_value)
 			avc_ss_reset(state->avc, 0);
@ -304,10 +303,10 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
 			goto out;
 		audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
 			"enforcing=%d old_enforcing=%d auid=%u ses=%u"
-			" enabled=%d old-enabled=%d lsm=selinux res=1",
+			" enabled=0 old-enabled=1 lsm=selinux res=1",
 			enforcing, enforcing,
 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
-			audit_get_sessionid(current), 0, 1);
+			audit_get_sessionid(current));
 	}

 	length = count;
@ -2105,7 +2104,7 @@ static int __init init_sel_fs(void)
 					  sizeof(NULL_FILE_NAME)-1);
 	int err;

-	if (!selinux_enabled)
+	if (!selinux_enabled_boot)
 		return 0;

 	err = sysfs_create_mount_point(fs_kobj, "selinux");