int main(int argc, char **argv) { int rc = 0; if (argc != 2) { usage(argv[0]); } if (is_selinux_enabled() <= 0) { fprintf(stderr, "%s: SELinux is disabled\n", argv[0]); return 1; } if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) { rc = security_setenforce(atoi(argv[1])); } else { if (strcasecmp(argv[1], "enforcing") == 0) { rc = security_setenforce(1); } else if (strcasecmp(argv[1], "permissive") == 0) { rc = security_setenforce(0); } else usage(argv[0]); } if (rc < 0) { fprintf(stderr, "%s: setenforce() failed\n", argv[0]); return 2; } return 0; }
int setenforce_main(int argc, char **argv) { int rc = 0; if (argc != 2) { bb_show_usage(); } if (is_selinux_enabled() <= 0) { bb_error_msg("SELinux is disabled"); return 1; } if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) { rc = security_setenforce(atoi(argv[1])); } else { if (strcasecmp(argv[1], "enforcing") == 0) { rc = security_setenforce(1); } else if (strcasecmp(argv[1], "permissive") == 0) { rc = security_setenforce(0); } else bb_show_usage(); } if (rc < 0) { bb_error_msg("setenforce() failed"); return 2; } return 0; }
int do_setenforce(int nargs, char **args) { if (is_selinux_enabled() <= 0) return 0; if (security_setenforce(atoi(args[1])) < 0) { return -errno; } return 0; }
/* * Function: setSELinuxEnforce * Purpose: set the SE Linux enforcing mode * Parameters: true (enforcing) or false (permissive) * Return value: true (success) or false (fail) * Exceptions: none */ static jboolean setSELinuxEnforce(JNIEnv *env, jobject, jboolean value) { if (isSELinuxDisabled) { return false; } int enforce = value ? 1 : 0; return (security_setenforce(enforce) != -1) ? true : false; }
int do_setenforce(int nargs, char **args) { #ifdef HAVE_SELINUX if (is_selinux_enabled() <= 0) return 0; if (security_setenforce(atoi(args[1])) < 0) { return -errno; } #endif return 0; }
/* * Function: setSELinuxEnforce * Purpose: set the SE Linux enforcing mode * Parameters: true (enforcing) or false (permissive) * Return value: true (success) or false (fail) * Exceptions: none */ static jboolean setSELinuxEnforce(JNIEnv *env, jobject clazz, jboolean value) { #ifdef HAVE_SELINUX if (isSELinuxDisabled) return false; int enforce = (value) ? 1 : 0; return (security_setenforce(enforce) != -1) ? true : false; #else return false; #endif }
static void selinux_initialize(void) { if (selinux_is_disabled()) { return; } INFO("loading selinux policy\n"); if (selinux_android_load_policy() < 0) { ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n"); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); while (1) { pause(); } // never reached } selinux_init_all_handles(); bool is_enforcing = selinux_is_enforcing(); INFO("SELinux: security_setenforce(%d)\n", is_enforcing); security_setenforce(is_enforcing); }
int setenforce_main(int argc UNUSED_PARAM, char **argv) { int i, rc; if (!argv[1] || argv[2]) bb_show_usage(); selinux_or_die(); for (i = 0; setenforce_cmd[i]; i++) { if (strcasecmp(argv[1], setenforce_cmd[i]) != 0) continue; rc = security_setenforce(i & 1); if (rc < 0) bb_perror_msg_and_die("setenforce() failed"); return 0; } bb_show_usage(); }
static void selinux_initialize(void) { if (selinux_is_disabled()) { return; } INFO("loading selinux policy\n"); if (selinux_android_load_policy() < 0) { ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n"); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); while (1) { pause(); } // never reached } selinux_init_all_handles(); #ifndef MTK_HARDWARE bool is_enforcing = false; // Always making selinux permissive for MTK's rild #else bool is_enforcing = selinux_is_enforcing(); #endif INFO("SELinux: security_setenforce(%d)\n", is_enforcing); security_setenforce(is_enforcing); }
static JSBool rpmsx_setprop(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp) { #if defined(WITH_SELINUX) void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL); jsint tiny = JSVAL_TO_INT(id); security_context_t con = NULL; int myint = 0xdeadbeef; JSBool ok = JS_TRUE; /* XXX the class has ptr == NULL, instances have ptr != NULL. */ if (ptr == NULL) return JS_TRUE; if (JSVAL_IS_STRING(*vp)) con = (security_context_t) JS_EncodeString(cx, JS_ValueToString(cx, *vp)); if (JSVAL_IS_INT(*vp)) myint = JSVAL_TO_INT(*vp); switch (tiny) { case _DEBUG: if (!JS_ValueToInt32(cx, *vp, &_debug)) break; break; case _CURRENT: ok = _PUT_CON(setcon(con)); break; case _EXEC: ok = _PUT_CON(setexeccon(con)); break; case _FSCREATE: ok = _PUT_CON(setfscreatecon(con)); break; case _KEYCREATE: ok = _PUT_CON(setkeycreatecon(con)); break; case _SOCKCREATE: ok = _PUT_CON(setsockcreatecon(con)); break; case _ENFORCE: ok = _PUT_INT(security_setenforce(myint)); break; default: break; } con = _free(con); #endif return JS_TRUE; }
static void selinux_initialize(bool in_kernel_domain) { Timer t; selinux_callback cb; cb.func_log = selinux_klog_callback; selinux_set_callback(SELINUX_CB_LOG, cb); cb.func_audit = audit_callback; selinux_set_callback(SELINUX_CB_AUDIT, cb); if (in_kernel_domain) { INFO("Loading SELinux policy...\n"); if (selinux_android_load_policy() < 0) { ERROR("failed to load policy: %s\n", strerror(errno)); security_failure(); } bool kernel_enforcing = (security_getenforce() == 1); bool is_enforcing = selinux_is_enforcing(); if (kernel_enforcing != is_enforcing) { if (security_setenforce(is_enforcing)) { ERROR("security_setenforce(%s) failed: %s\n", is_enforcing ? "true" : "false", strerror(errno)); security_failure(); } } if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) { security_failure(); } NOTICE("(Initializing SELinux %s took %.2fs.)\n", is_enforcing ? "enforcing" : "non-enforcing", t.duration()); } else { selinux_init_all_handles(); } }
/* * Mount point for selinuxfs. * This definition is private to the function below. * Everything else uses the location determined during * libselinux startup via /proc/mounts (see init_selinuxmnt). * We only need the hardcoded definition for the initial mount * required for the initial policy load. */ int selinux_init_load_policy(int *enforce) { int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1; FILE *cfg; char *buf; /* * Reread the selinux configuration in case it has changed. * Example: Caller has chroot'd and is now loading policy from * chroot'd environment. */ selinux_reset_config(); /* * Get desired mode (disabled, permissive, enforcing) from * /etc/selinux/config. */ selinux_getenforcemode(&seconfig); /* Check for an override of the mode via the kernel command line. */ rc = mount("proc", "/proc", "proc", 0, 0); cfg = fopen("/proc/cmdline", "r"); if (cfg) { char *tmp; buf = malloc(selinux_page_size); if (!buf) { fclose(cfg); return -1; } if (fgets(buf, selinux_page_size, cfg) && (tmp = strstr(buf, "enforcing="))) { if (tmp == buf || isspace(*(tmp - 1))) { secmdline = atoi(tmp + sizeof("enforcing=") - 1); } } fclose(cfg); free(buf); } #ifndef MNT_DETACH #define MNT_DETACH 2 #endif if (rc == 0) umount2("/proc", MNT_DETACH); /* * Determine the final desired mode. * Command line argument takes precedence, then config file. */ if (secmdline >= 0) *enforce = secmdline; else if (seconfig >= 0) *enforce = seconfig; else *enforce = 0; /* unspecified or disabled */ /* * Check for the existence of SELinux via selinuxfs, and * mount it if present for use in the calls below. */ if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) { if (errno == ENODEV) { /* * SELinux was disabled in the kernel, either * omitted entirely or disabled at boot via selinux=0. * This takes precedence over any config or * commandline enforcing setting. */ *enforce = 0; } else { /* Only emit this error if selinux was not disabled */ fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); } goto noload; } set_selinuxmnt(SELINUXMNT); /* * Note: The following code depends on having selinuxfs * already mounted and selinuxmnt set above. */ if (seconfig == -1) { /* Runtime disable of SELinux. */ rc = security_disable(); if (rc == 0) { /* Successfully disabled, so umount selinuxfs too. */ umount(SELINUXMNT); fini_selinuxmnt(); } /* * If we failed to disable, SELinux will still be * effectively permissive, because no policy is loaded. * No need to call security_setenforce(0) here. */ goto noload; } /* * If necessary, change the kernel enforcing status to match * the desired mode. */ orig_enforce = rc = security_getenforce(); if (rc < 0) goto noload; if (orig_enforce != *enforce) { rc = security_setenforce(*enforce); if (rc < 0) { fprintf(stderr, "SELinux: Unable to switch to %s mode: %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno)); if (*enforce) goto noload; } } /* Load the policy. */ return selinux_mkload_policy(0); noload: /* * Only return 0 on a successful completion of policy load. * In any other case, we want to return an error so that init * knows not to proceed with the re-exec for the domain transition. * Depending on the *enforce setting, init will halt (> 0) or proceed * normally (otherwise). */ return -1; }