Updated to 4.0.0

kernel/selinux/selinux.c

@@ -1,4 +1,6 @@
 #include "selinux.h"
+#include "linux/cred.h"
+#include "linux/sched.h"
 #include "objsec.h"
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
@@ -7,124 +9,146 @@
 
 static int transive_to_domain(const char *domain)
 {
-	struct cred *cred;
-	struct task_security_struct *tsec;
-	u32 sid;
-	int error;
+    struct cred *cred;
+    struct task_security_struct *tsec;
+    u32 sid;
+    int error;
 
-	cred = (struct cred *)__task_cred(current);
+    cred = (struct cred *)__task_cred(current);
 
-	tsec = cred->security;
-	if (!tsec) {
-		pr_err("tsec == NULL!\n");
-		return -1;
-	}
+    tsec = cred->security;
+    if (!tsec) {
+        pr_err("tsec == NULL!\n");
+        return -1;
+    }
 
-	error = security_secctx_to_secid(domain, strlen(domain), &sid);
-	if (error) {
-		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
-			domain, sid, error);
-	}
-	if (!error) {
-		tsec->sid = sid;
-		tsec->create_sid = 0;
-		tsec->keycreate_sid = 0;
-		tsec->sockcreate_sid = 0;
-	}
-	return error;
+    error = security_secctx_to_secid(domain, strlen(domain), &sid);
+    if (error) {
+        pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
+            domain, sid, error);
+    }
+    if (!error) {
+        tsec->sid = sid;
+        tsec->create_sid = 0;
+        tsec->keycreate_sid = 0;
+        tsec->sockcreate_sid = 0;
+    }
+    return error;
 }
 
 void setup_selinux(const char *domain)
 {
-	if (transive_to_domain(domain)) {
-		pr_err("transive domain failed.\n");
-		return;
-	}
-
-	/* we didn't need this now, we have change selinux rules when boot!
-if (!is_domain_permissive) {
-  if (set_domain_permissive() == 0) {
-      is_domain_permissive = true;
-  }
-}*/
+    if (transive_to_domain(domain)) {
+        pr_err("transive domain failed.\n");
+        return;
+    }
 }
 
 void setenforce(bool enforce)
 {
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-	selinux_state.enforcing = enforce;
+    selinux_state.enforcing = enforce;
 #endif
 }
 
 bool getenforce()
 {
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
-	if (selinux_state.disabled) {
-		return false;
-	}
+    if (selinux_state.disabled) {
+        return false;
+    }
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-	return selinux_state.enforcing;
+    return selinux_state.enforcing;
 #else
-	return true;
+    return true;
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
-	!defined(KSU_COMPAT_HAS_CURRENT_SID)
-/*
- * get the subjective security ID of the current task
- */
-static inline u32 current_sid(void)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
+struct lsm_context {
+    char *context;
+    u32 len;
+};
+
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
 {
-	const struct task_security_struct *tsec = current_security();
-
-	return tsec->sid;
+    return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
+static void __security_release_secctx(struct lsm_context *cp)
+{
+    return security_release_secctx(cp->context, cp->len);
+}
+#else
+#define __security_secid_to_secctx security_secid_to_secctx
+#define __security_release_secctx security_release_secctx
 #endif
 
+bool is_task_ksu_domain(const struct cred* cred)
+{
+    struct lsm_context ctx;
+    bool result;
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct *tsec = selinux_cred(cred);
+    if (!tsec) {
+        return false;
+    }
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
+    if (err) {
+        return false;
+    }
+    result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+    __security_release_secctx(&ctx);
+    return result;
+}
+
 bool is_ksu_domain()
 {
-	char *domain;
-	u32 seclen;
-	bool result;
-	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
-	if (err) {
-		return false;
-	}
-	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-	return result;
+    current_sid();
+    return is_task_ksu_domain(current_cred());
 }
 
-bool is_zygote(void *sec)
+bool is_context(const struct cred* cred, const char* context)
 {
-	struct task_security_struct *tsec = (struct task_security_struct *)sec;
-	if (!tsec) {
-		return false;
-	}
-	char *domain;
-	u32 seclen;
-	bool result;
-	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-	if (err) {
-		return false;
-	}
-	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-	return result;
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct * tsec = selinux_cred(cred);
+    if (!tsec) {
+        return false;
+    }
+    struct lsm_context ctx;
+    bool result;
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
+    if (err) {
+        return false;
+    }
+    result = strncmp(context, ctx.context, ctx.len) == 0;
+    __security_release_secctx(&ctx);
+    return result;
 }
 
-#define DEVPTS_DOMAIN "u:object_r:ksu_file:s0"
-
-u32 ksu_get_devpts_sid()
+bool is_zygote(const struct cred* cred)
 {
-	u32 devpts_sid = 0;
-	int err = security_secctx_to_secid(DEVPTS_DOMAIN, strlen(DEVPTS_DOMAIN),
-					   &devpts_sid);
-	if (err) {
-		pr_info("get devpts sid err %d\n", err);
-	}
-	return devpts_sid;
+    return is_context(cred, "u:r:zygote:s0");
+}
+
+bool is_init(const struct cred* cred) {
+    return is_context(cred, "u:r:init:s0");
+}
+
+#define KSU_FILE_DOMAIN "u:object_r:ksu_file:s0"
+
+u32 ksu_get_ksu_file_sid()
+{
+    u32 ksu_file_sid = 0;
+    int err = security_secctx_to_secid(KSU_FILE_DOMAIN, strlen(KSU_FILE_DOMAIN),
+                       &ksu_file_sid);
+    if (err) {
+        pr_info("get ksufile sid err %d\n", err);
+    }
+    return ksu_file_sid;
 }