From 4d87095ebfefdb9e641492462f0a0e21d5b96ecf Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Fri, 12 Jun 2015 22:03:50 -0700 Subject: [PATCH] Remove calls to is_selinux_enabled() d34e407aeb5898f19d4f042b7558420bbb3a1817 removed support for running with SELinux completely disabled. SELinux must either be in permissive or enforcing mode now. Remove unnecessary calls to is_selinux_enabled(). It always returns true now. Change-Id: Ife3156b74b13b2e590afe4accf716fc7776567e5 --- adb/daemon/main.cpp | 2 +- debuggerd/debuggerd.cpp | 6 ---- init/devices.cpp | 15 ++++------ init/init.cpp | 62 +++++++++++++++++++-------------------- init/property_service.cpp | 3 -- 5 files changed, 36 insertions(+), 52 deletions(-) diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp index 78ab3f661..d7fa362c7 100644 --- a/adb/daemon/main.cpp +++ b/adb/daemon/main.cpp @@ -171,7 +171,7 @@ int adbd_main(int server_port) { D("Local port disabled\n"); } else { - if ((root_seclabel != nullptr) && (is_selinux_enabled() > 0)) { + if (root_seclabel != nullptr) { if (setcon(root_seclabel) < 0) { LOG(FATAL) << "Could not set selinux context"; } diff --git a/debuggerd/debuggerd.cpp b/debuggerd/debuggerd.cpp index b84a4e587..26d63894d 100644 --- a/debuggerd/debuggerd.cpp +++ b/debuggerd/debuggerd.cpp @@ -134,8 +134,6 @@ static int get_process_info(pid_t tid, pid_t* out_pid, uid_t* out_uid, uid_t* ou return fields == 7 ? 0 : -1; } -static int selinux_enabled; - /* * Corresponds with debugger_action_t enum type in * include/cutils/debugger.h. @@ -153,9 +151,6 @@ static bool selinux_action_allowed(int s, pid_t tid, debugger_action_t action) const char *perm; bool allowed = false; - if (selinux_enabled <= 0) - return true; - if (action <= 0 || action >= (sizeof(debuggerd_perms)/sizeof(debuggerd_perms[0]))) { ALOGE("SELinux: No permission defined for debugger action %d", action); return false; 
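Review bot: With the is_selinux_enabled() test gone, `root_seclabel == nullptr` is now the only condition under which adbd proceeds on this branch without calling setcon(), and the new code neither logs nor rejects that case even though the commit message says running without SELinux is no longer supported. If the label is required here, fail closed the same way the setcon() failure below does, e.g. `if (root_seclabel == nullptr) LOG(FATAL) << "root_seclabel is required";` ahead of the existing check; if a null label is legitimately acceptable (for instance because adbd was already launched in its final domain), record that with a comment such as `// A null root_seclabel means adbd keeps the domain it was started in.` adbd_main begins and ends outside this hunk, so how root_seclabel is populated is not visible from here.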
@@ -589,7 +584,6 @@ static void usage() { int main(int argc, char** argv) { union selinux_callback cb; if (argc == 1) { - selinux_enabled = is_selinux_enabled(); cb.func_log = selinux_log_callback; selinux_set_callback(SELINUX_CB_LOG, cb); return do_server(); diff --git a/init/devices.cpp b/init/devices.cpp index 2c7f5a9cd..3652c579e 100644 --- a/init/devices.cpp +++ b/init/devices.cpp @@ -241,10 +241,8 @@ static void make_device(const char *path, mode = get_device_perm(path, links, &uid, &gid) | (block ? S_IFBLK : S_IFCHR); - if (sehandle) { - selabel_lookup_best_match(sehandle, &secontext, path, links, mode); - setfscreatecon(secontext); - } + selabel_lookup_best_match(sehandle, &secontext, path, links, mode); + setfscreatecon(secontext); dev = makedev(major, minor); /* Temporarily change egid to avoid race condition setting the gid of the @@ -907,7 +905,7 @@ void handle_device_fd() struct uevent uevent; parse_event(msg, &uevent); - if (sehandle && selinux_status_updated() > 0) { + if (selinux_status_updated() > 0) { struct selabel_handle *sehandle2; sehandle2 = selinux_android_file_context_handle(); if (sehandle2) { @@ -974,11 +972,8 @@ static void coldboot(const char *path) } void device_init() { - sehandle = NULL; - if (is_selinux_enabled() > 0) { - sehandle = selinux_android_file_context_handle(); - selinux_status_open(true); - } + sehandle = selinux_android_file_context_handle(); + selinux_status_open(true); /* is 256K enough? udev uses 16MB! */ device_fd = uevent_open_socket(256*1024, true); diff --git a/init/init.cpp b/init/init.cpp index 250098536..8ea60dd80 100644 --- a/init/init.cpp +++ b/init/init.cpp 
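Review bot: The `if (sehandle)` guard was dropped from make_device, but the new code still dereferences `sehandle` through selabel_lookup_best_match() and then hands `secontext` to setfscreatecon() without checking the lookup's return value, so a missing handle or a failed lookup leaves the node labelled with a default or stale context instead of being refused, i.e. the failure is open rather than closed. Check the result and do not create the device on failure: `if (selabel_lookup_best_match(sehandle, &secontext, path, links, mode) < 0) { ERROR("cannot compute context for %s\n", path); return; }`. The body of make_device continues outside this hunk, so where `secontext` is initialised and freed cannot be confirmed here.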
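Review bot: device_init now assigns `sehandle = selinux_android_file_context_handle()` unconditionally but never tests it for NULL, and the same commit removes make_device's `if (sehandle)` guard, so a failed file_contexts load turns into a NULL dereference on the first uevent rather than a clear boot-time error. Since booting without a policy is no longer supported, treat a NULL handle as fatal right here, `if (!sehandle) { ERROR("could not load file_contexts\n"); /* init's fatal path */ }`, using whatever fatal idiom init uses. The return value of `selinux_status_open(true)` is also ignored; a comment such as `// fallback=true: poll the avc netlink socket if the status page is unavailable` would record why that is tolerated (assumed from the argument name, not visible here). device_init continues past this hunk.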
@@ -220,40 +220,38 @@ void service_start(struct service *svc, const char *dynamic_args) } char* scon = NULL; - if (is_selinux_enabled() > 0) { - if (svc->seclabel) { - scon = strdup(svc->seclabel); - if (!scon) { - ERROR("Out of memory while starting '%s'\n", svc->name); - return; - } - } else { - char *mycon = NULL, *fcon = NULL; + if (svc->seclabel) { + scon = strdup(svc->seclabel); + if (!scon) { + ERROR("Out of memory while starting '%s'\n", svc->name); + return; + } + } else { + char *mycon = NULL, *fcon = NULL; - INFO("computing context for service '%s'\n", svc->args[0]); - int rc = getcon(&mycon); - if (rc < 0) { - ERROR("could not get context while starting '%s'\n", svc->name); - return; - } + INFO("computing context for service '%s'\n", svc->args[0]); + int rc = getcon(&mycon); + if (rc < 0) { + ERROR("could not get context while starting '%s'\n", svc->name); + return; + } - rc = getfilecon(svc->args[0], &fcon); - if (rc < 0) { - ERROR("could not get context while starting '%s'\n", svc->name); - freecon(mycon); - return; - } - - rc = security_compute_create(mycon, fcon, string_to_security_class("process"), &scon); - if (rc == 0 && !strcmp(scon, mycon)) { - ERROR("Warning! Service %s needs a SELinux domain defined; please fix!\n", svc->name); - } + rc = getfilecon(svc->args[0], &fcon); + if (rc < 0) { + ERROR("could not get context while starting '%s'\n", svc->name); freecon(mycon); - freecon(fcon); - if (rc < 0) { - ERROR("could not get context while starting '%s'\n", svc->name); - return; - } + return; + } + + rc = security_compute_create(mycon, fcon, string_to_security_class("process"), &scon); + if (rc == 0 && !strcmp(scon, mycon)) { + ERROR("Warning! Service %s needs a SELinux domain defined; please fix!\n", svc->name); + } + freecon(mycon); + freecon(fcon); + if (rc < 0) { + ERROR("could not get context while starting '%s'\n", svc->name); + return; } } 
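Review bot: In the computed-context branch a service whose security_compute_create() result equals init's own context (`rc == 0 && !strcmp(scon, mycon)`) is only logged as a warning and then started anyway, so a service with no domain transition defined would run in init's domain; now that SELinux is mandatory this check is the place to fail closed. Replace the warning branch with one that frees the contexts and returns, and state the intent above it with a comment along the lines of `// Refuse to launch a service that would inherit init's own domain.` service_start begins before and continues after this hunk, and `scon` is consumed outside it, so the caller-side handling of the early returns should be checked alongside this change.
```cpp
        rc = security_compute_create(mycon, fcon, string_to_security_class("process"), &scon);
        if (rc == 0 && !strcmp(scon, mycon)) {
            // Refuse to launch a service that would inherit init's own domain.
            ERROR("Service %s needs a SELinux domain defined; refusing to start\n", svc->name);
            freecon(scon);
            freecon(mycon);
            freecon(fcon);
            return;
        }
        freecon(mycon);
        freecon(fcon);
        /* … unchanged: rc < 0 error path … */
```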
@@ -335,7 +333,7 @@ void service_start(struct service *svc, const char *dynamic_args) } } if (svc->seclabel) { - if (is_selinux_enabled() > 0 && setexeccon(svc->seclabel) < 0) { + if (setexeccon(svc->seclabel) < 0) { ERROR("cannot setexeccon('%s'): %s\n", svc->seclabel, strerror(errno)); _exit(127); } diff --git a/init/property_service.cpp b/init/property_service.cpp index 0ee0351fb..5b7a1cbc6 100644 --- a/init/property_service.cpp +++ b/init/property_service.cpp @@ -92,9 +92,6 @@ void property_init() { static int check_mac_perms(const char *name, char *sctx) { - if (is_selinux_enabled() <= 0) - return 1; - char *tctx = NULL; int result = 0;