|
| 1 | +From 670932828666f8e755e7fcef81cffaa49074214b Mon Sep 17 00:00:00 2001 |
| 2 | +From: Fede2782 <78815152+Fede2782@users.noreply.github.com> |
| 3 | +Date: Wed, 19 Nov 2025 21:45:56 +0100 |
| 4 | +Subject: [PATCH] selinux: make permissive |
| 5 | + |
| 6 | +--- |
| 7 | + security/selinux/hooks.c | 15 +---------- |
| 8 | + security/selinux/selinuxfs.c | 50 +----------------------------------- |
| 9 | + 2 files changed, 2 insertions(+), 63 deletions(-) |
| 10 | + |
| 11 | +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c |
| 12 | +index 7851c9fd4..c6ce1ed2e 100644 |
| 13 | +--- a/security/selinux/hooks.c |
| 14 | ++++ b/security/selinux/hooks.c |
| 15 | +@@ -111,20 +111,7 @@ struct selinux_state selinux_state; |
| 16 | + /* SECMARK reference count */ |
| 17 | + static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); |
| 18 | + |
| 19 | +-#ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
| 20 | +-static int selinux_enforcing_boot __initdata; |
| 21 | +- |
| 22 | +-static int __init enforcing_setup(char *str) |
| 23 | +-{ |
| 24 | +- unsigned long enforcing; |
| 25 | +- if (!kstrtoul(str, 0, &enforcing)) |
| 26 | +- selinux_enforcing_boot = enforcing ? 1 : 0; |
| 27 | +- return 1; |
| 28 | +-} |
| 29 | +-__setup("enforcing=", enforcing_setup); |
| 30 | +-#else |
| 31 | +-#define selinux_enforcing_boot 1 |
| 32 | +-#endif |
| 33 | ++#define selinux_enforcing_boot 0 |
| 34 | + |
| 35 | + int selinux_enabled_boot __initdata = 1; |
| 36 | + #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM |
| 37 | +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c |
| 38 | +index f01c07499..83b7ebdd5 100644 |
| 39 | +--- a/security/selinux/selinuxfs.c |
| 40 | ++++ b/security/selinux/selinuxfs.c |
| 41 | +@@ -137,55 +137,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, |
| 42 | + size_t count, loff_t *ppos) |
| 43 | + |
| 44 | + { |
| 45 | +- char *page = NULL; |
| 46 | +- ssize_t length; |
| 47 | +- int scan_value; |
| 48 | +- bool old_value, new_value; |
| 49 | +- |
| 50 | +- if (count >= PAGE_SIZE) |
| 51 | +- return -ENOMEM; |
| 52 | +- |
| 53 | +- /* No partial writes. */ |
| 54 | +- if (*ppos != 0) |
| 55 | +- return -EINVAL; |
| 56 | +- |
| 57 | +- page = memdup_user_nul(buf, count); |
| 58 | +- if (IS_ERR(page)) |
| 59 | +- return PTR_ERR(page); |
| 60 | +- |
| 61 | +- length = -EINVAL; |
| 62 | +- if (sscanf(page, "%d", &scan_value) != 1) |
| 63 | +- goto out; |
| 64 | +- |
| 65 | +- new_value = !!scan_value; |
| 66 | +- |
| 67 | +- old_value = enforcing_enabled(); |
| 68 | +- if (new_value != old_value) { |
| 69 | +- length = avc_has_perm(current_sid(), SECINITSID_SECURITY, |
| 70 | +- SECCLASS_SECURITY, SECURITY__SETENFORCE, |
| 71 | +- NULL); |
| 72 | +- if (length) |
| 73 | +- goto out; |
| 74 | +- audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, |
| 75 | +- "enforcing=%d old_enforcing=%d auid=%u ses=%u" |
| 76 | +- " enabled=1 old-enabled=1 lsm=selinux res=1", |
| 77 | +- new_value, old_value, |
| 78 | +- from_kuid(&init_user_ns, audit_get_loginuid(current)), |
| 79 | +- audit_get_sessionid(current)); |
| 80 | +- enforcing_set(new_value); |
| 81 | +- if (new_value) |
| 82 | +- avc_ss_reset(0); |
| 83 | +- selnl_notify_setenforce(new_value); |
| 84 | +- selinux_status_update_setenforce(new_value); |
| 85 | +- if (!new_value) |
| 86 | +- call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); |
| 87 | +- |
| 88 | +- selinux_ima_measure_state(); |
| 89 | +- } |
| 90 | +- length = count; |
| 91 | +-out: |
| 92 | +- kfree(page); |
| 93 | +- return length; |
| 94 | ++ return count; |
| 95 | + } |
| 96 | + #else |
| 97 | + #define sel_write_enforce NULL |
| 98 | +-- |
| 99 | +2.48.1 |
| 100 | + |
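Review bot: In the selinuxfs.c hunk, `sel_write_enforce` now returns `count` for every write, so a caller that asks for enforcing mode is told it succeeded while the mode never changes. The removed body was also where this function ran the `SECURITY__SETENFORCE` permission check and emitted the `AUDIT_MAC_STATUS` record, so these writes no longer leave any audit trail. Together with `#define selinux_enforcing_boot 0` in hooks.c, which also drops the `enforcing=` boot parameter, the kernel starts permissive and this patch leaves no visible path back to enforcing; the patch has an empty description, so it should say which builds it is meant for and be kept out of production images. If the fake success is needed to keep userspace booting, record why and leave a trace: add `/* Permissive-only build: accept and discard the write so userspace does not fail. */` and `pr_warn_once("SELinux: write to enforce ignored, kernel built permissive-only\n");` before `return count;`. The `#if` that encloses `sel_write_enforce` starts outside the hunk, so which configurations compile this stub cannot be confirmed from here.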