int main(int argc, char **argv)
{
int rc = 0;
if (argc != 2) {
usage(argv[0]);
}
if (is_selinux_enabled() <= 0) {
fprintf(stderr, "%s: SELinux is disabled\n", argv[0]);
return 1;
}
if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) {
rc = security_setenforce(atoi(argv[1]));
} else {
if (strcasecmp(argv[1], "enforcing") == 0) {
rc = security_setenforce(1);
} else if (strcasecmp(argv[1], "permissive") == 0) {
rc = security_setenforce(0);
} else
usage(argv[0]);
}
if (rc < 0) {
fprintf(stderr, "%s: setenforce() failed\n", argv[0]);
return 2;
}
return 0;
}
int setenforce_main(int argc, char **argv)
{
int rc = 0;
if (argc != 2) {
bb_show_usage();
}
if (is_selinux_enabled() <= 0) {
bb_error_msg("SELinux is disabled");
return 1;
}
if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) {
rc = security_setenforce(atoi(argv[1]));
} else {
if (strcasecmp(argv[1], "enforcing") == 0) {
rc = security_setenforce(1);
} else if (strcasecmp(argv[1], "permissive") == 0) {
rc = security_setenforce(0);
} else
bb_show_usage();
}
if (rc < 0) {
bb_error_msg("setenforce() failed");
return 2;
}
return 0;
}
int do_setenforce(int nargs, char **args) {
if (is_selinux_enabled() <= 0)
return 0;
if (security_setenforce(atoi(args[1])) < 0) {
return -errno;
}
return 0;
}
/*
* Function: setSELinuxEnforce
* Purpose: set the SE Linux enforcing mode
* Parameters: true (enforcing) or false (permissive)
* Return value: true (success) or false (fail)
* Exceptions: none
*/
static jboolean setSELinuxEnforce(JNIEnv *env, jobject, jboolean value) {
if (isSELinuxDisabled) {
return false;
}
int enforce = value ? 1 : 0;
return (security_setenforce(enforce) != -1) ? true : false;
}
int do_setenforce(int nargs, char **args) {
#ifdef HAVE_SELINUX
if (is_selinux_enabled() <= 0)
return 0;
if (security_setenforce(atoi(args[1])) < 0) {
return -errno;
}
#endif
return 0;
}
/*
* Function: setSELinuxEnforce
* Purpose: set the SE Linux enforcing mode
* Parameters: true (enforcing) or false (permissive)
* Return value: true (success) or false (fail)
* Exceptions: none
*/
static jboolean setSELinuxEnforce(JNIEnv *env, jobject clazz, jboolean value) {
#ifdef HAVE_SELINUX
if (isSELinuxDisabled)
return false;
int enforce = (value) ? 1 : 0;
return (security_setenforce(enforce) != -1) ? true : false;
#else
return false;
#endif
}
static void selinux_initialize(void)
{
if (selinux_is_disabled()) {
return;
}
INFO("loading selinux policy\n");
if (selinux_android_load_policy() < 0) {
ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
while (1) { pause(); } // never reached
}
selinux_init_all_handles();
bool is_enforcing = selinux_is_enforcing();
INFO("SELinux: security_setenforce(%d)\n", is_enforcing);
security_setenforce(is_enforcing);
}
int setenforce_main(int argc UNUSED_PARAM, char **argv)
{
int i, rc;
if (!argv[1] || argv[2])
bb_show_usage();
selinux_or_die();
for (i = 0; setenforce_cmd[i]; i++) {
if (strcasecmp(argv[1], setenforce_cmd[i]) != 0)
continue;
rc = security_setenforce(i & 1);
if (rc < 0)
bb_perror_msg_and_die("setenforce() failed");
return 0;
}
bb_show_usage();
}
static void selinux_initialize(void)
{
if (selinux_is_disabled()) {
return;
}
INFO("loading selinux policy\n");
if (selinux_android_load_policy() < 0) {
ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
while (1) { pause(); } // never reached
}
selinux_init_all_handles();
#ifndef MTK_HARDWARE
bool is_enforcing = false; // Always making selinux permissive for MTK's rild
#else
bool is_enforcing = selinux_is_enforcing();
#endif
INFO("SELinux: security_setenforce(%d)\n", is_enforcing);
security_setenforce(is_enforcing);
}
static JSBool
rpmsx_setprop(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp)
{
#if defined(WITH_SELINUX)
void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL);
jsint tiny = JSVAL_TO_INT(id);
security_context_t con = NULL;
int myint = 0xdeadbeef;
JSBool ok = JS_TRUE;
/* XXX the class has ptr == NULL, instances have ptr != NULL. */
if (ptr == NULL)
return JS_TRUE;
if (JSVAL_IS_STRING(*vp))
con = (security_context_t) JS_EncodeString(cx, JS_ValueToString(cx, *vp));
if (JSVAL_IS_INT(*vp))
myint = JSVAL_TO_INT(*vp);
switch (tiny) {
case _DEBUG:
if (!JS_ValueToInt32(cx, *vp, &_debug))
break;
break;
case _CURRENT: ok = _PUT_CON(setcon(con)); break;
case _EXEC: ok = _PUT_CON(setexeccon(con)); break;
case _FSCREATE: ok = _PUT_CON(setfscreatecon(con)); break;
case _KEYCREATE: ok = _PUT_CON(setkeycreatecon(con)); break;
case _SOCKCREATE: ok = _PUT_CON(setsockcreatecon(con)); break;
case _ENFORCE: ok = _PUT_INT(security_setenforce(myint)); break;
default:
break;
}
con = _free(con);
#endif
return JS_TRUE;
}
static void selinux_initialize(bool in_kernel_domain) {
Timer t;
selinux_callback cb;
cb.func_log = selinux_klog_callback;
selinux_set_callback(SELINUX_CB_LOG, cb);
cb.func_audit = audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
if (in_kernel_domain) {
INFO("Loading SELinux policy...\n");
if (selinux_android_load_policy() < 0) {
ERROR("failed to load policy: %s\n", strerror(errno));
security_failure();
}
bool kernel_enforcing = (security_getenforce() == 1);
bool is_enforcing = selinux_is_enforcing();
if (kernel_enforcing != is_enforcing) {
if (security_setenforce(is_enforcing)) {
ERROR("security_setenforce(%s) failed: %s\n",
is_enforcing ? "true" : "false", strerror(errno));
security_failure();
}
}
if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {
security_failure();
}
NOTICE("(Initializing SELinux %s took %.2fs.)\n",
is_enforcing ? "enforcing" : "non-enforcing", t.duration());
} else {
selinux_init_all_handles();
}
}
/*
* Mount point for selinuxfs.
* This definition is private to the function below.
* Everything else uses the location determined during
* libselinux startup via /proc/mounts (see init_selinuxmnt).
* We only need the hardcoded definition for the initial mount
* required for the initial policy load.
*/
int selinux_init_load_policy(int *enforce)
{
int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1;
FILE *cfg;
char *buf;
/*
* Reread the selinux configuration in case it has changed.
* Example: Caller has chroot'd and is now loading policy from
* chroot'd environment.
*/
selinux_reset_config();
/*
* Get desired mode (disabled, permissive, enforcing) from
* /etc/selinux/config.
*/
selinux_getenforcemode(&seconfig);
/* Check for an override of the mode via the kernel command line. */
rc = mount("proc", "/proc", "proc", 0, 0);
cfg = fopen("/proc/cmdline", "r");
if (cfg) {
char *tmp;
buf = malloc(selinux_page_size);
if (!buf) {
fclose(cfg);
return -1;
}
if (fgets(buf, selinux_page_size, cfg) &&
(tmp = strstr(buf, "enforcing="))) {
if (tmp == buf || isspace(*(tmp - 1))) {
secmdline =
atoi(tmp + sizeof("enforcing=") - 1);
}
}
fclose(cfg);
free(buf);
}
#ifndef MNT_DETACH
#define MNT_DETACH 2
#endif
if (rc == 0)
umount2("/proc", MNT_DETACH);
/*
* Determine the final desired mode.
* Command line argument takes precedence, then config file.
*/
if (secmdline >= 0)
*enforce = secmdline;
else if (seconfig >= 0)
*enforce = seconfig;
else
*enforce = 0; /* unspecified or disabled */
/*
* Check for the existence of SELinux via selinuxfs, and
* mount it if present for use in the calls below.
*/
if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
if (errno == ENODEV) {
/*
* SELinux was disabled in the kernel, either
* omitted entirely or disabled at boot via selinux=0.
* This takes precedence over any config or
* commandline enforcing setting.
*/
*enforce = 0;
} else {
/* Only emit this error if selinux was not disabled */
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
}
goto noload;
}
set_selinuxmnt(SELINUXMNT);
/*
* Note: The following code depends on having selinuxfs
* already mounted and selinuxmnt set above.
*/
if (seconfig == -1) {
/* Runtime disable of SELinux. */
rc = security_disable();
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
umount(SELINUXMNT);
fini_selinuxmnt();
}
/*
* If we failed to disable, SELinux will still be
* effectively permissive, because no policy is loaded.
* No need to call security_setenforce(0) here.
*/
goto noload;
}
/*
* If necessary, change the kernel enforcing status to match
* the desired mode.
*/
orig_enforce = rc = security_getenforce();
if (rc < 0)
goto noload;
if (orig_enforce != *enforce) {
rc = security_setenforce(*enforce);
if (rc < 0) {
fprintf(stderr, "SELinux: Unable to switch to %s mode: %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno));
if (*enforce)
goto noload;
}
}
/* Load the policy. */
return selinux_mkload_policy(0);
noload:
/*
* Only return 0 on a successful completion of policy load.
* In any other case, we want to return an error so that init
* knows not to proceed with the re-exec for the domain transition.
* Depending on the *enforce setting, init will halt (> 0) or proceed
* normally (otherwise).
*/
return -1;
}
