

[Linux Kernel] Selinux: selinux_enabled

Now, let's find out whether selinux_enabled is set to 1 or 0.
 
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
/* Boot-time enable flag: starts at the Kconfig default, may be overridden by "selinux=" via selinux_enabled_setup(). */
int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 
/*
 * Handler for the "selinux=" kernel command-line parameter.
 *
 * Parses the value with kstrtoul() and stores it as a 0/1 flag in
 * selinux_enabled.  A value that fails to parse is ignored and the
 * flag keeps its previous contents.  Always returns 1, i.e. the
 * parameter is reported as consumed.
 */
static int __init selinux_enabled_setup(char *str)
{
	unsigned long value;

	if (kstrtoul(str, 0, &value) == 0)
		selinux_enabled = !!value;	/* normalise to 0 or 1 */

	return 1;
}
/* Route "selinux=<value>" from the command line to selinux_enabled_setup(). */
__setup("selinux=", selinux_enabled_setup);
#else
/* No boot-parameter support configured: SELinux is always enabled at boot. */
int selinux_enabled = 1;
#endif
 
If the kernel boot arguments include "selinux=", selinux_enabled is set inside selinux_enabled_setup(): to 1 for a non-zero value and to 0 otherwise.
 
But the code snippet above is based on kernel version 4.19.
 
In v5.12, selinux_enabled has been renamed to selinux_enabled_boot.
 
/* Boot-time enable flag, default enabled. Marked __initdata, so it is discarded after boot and only __init code may read it. */
int selinux_enabled_boot __initdata = 1;
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
/*
 * Handler for the "selinux=" kernel command-line parameter.
 *
 * Parses the value with kstrtoul() and stores it as a 0/1 flag in
 * selinux_enabled_boot.  A value that fails to parse is ignored and
 * the flag keeps its previous contents.  Always returns 1, i.e. the
 * parameter is reported as consumed.
 */
static int __init selinux_enabled_setup(char *str)
{
	unsigned long value;

	if (kstrtoul(str, 0, &value) == 0)
		selinux_enabled_boot = !!value;	/* normalise to 0 or 1 */

	return 1;
}
/* Route "selinux=<value>" from the command line to selinux_enabled_setup(). */
__setup("selinux=", selinux_enabled_setup);
#endif
 
The change above seems to come from the commit below:
 
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 40ec866e48daa..659c4a81e8976 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -109,7 +109,7 @@ struct selinux_state selinux_state;
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static int selinux_enforcing_boot;
+static int selinux_enforcing_boot __initdata;
 
 static int __init enforcing_setup(char *str)
 {
@@ -123,13 +123,13 @@ __setup("enforcing=", enforcing_setup);
 #define selinux_enforcing_boot 1
 #endif
 
-int selinux_enabled __lsm_ro_after_init = 1;
+int selinux_enabled_boot __initdata = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 static int __init selinux_enabled_setup(char *str)
 {
  unsigned long enabled;
  if (!kstrtoul(str, 0, &enabled))
- selinux_enabled = enabled ? 1 : 0;
+ selinux_enabled_boot = enabled ? 1 : 0;
  return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
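Review bot: The added `int selinux_enabled_boot __initdata = 1;` moves the flag into init data, so it is only valid while `__init` code runs, but nothing at the definition says so. Every reader visible in this patch appears to be init-time (selinux_enabled_setup here, the `static __init` functions in the later hunks, and the `.enabled` pointer in DEFINE_LSM, which is presumably consulted only during LSM initialisation), so a one-line comment would keep a later maintainer from reading it at runtime, e.g. `/* Boot-time enable flag, freed with .init.data: only __init code may read it. */`. The dropped `__lsm_ro_after_init` protection is presumably unnecessary because the object is now discarded rather than write-protected; that reasoning belongs in the commit message.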
@@ -7202,7 +7202,7 @@ void selinux_complete_init(void)
 DEFINE_LSM(selinux) = {
  .name = "selinux",
  .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
- .enabled = &selinux_enabled,
+ .enabled = &selinux_enabled_boot,
  .blobs = &selinux_blob_sizes,
  .init = selinux_init,
 };
@@ -7271,7 +7271,7 @@ static int __init selinux_nf_ip_init(void)
 {
  int err;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  pr_debug("SELinux:  Registering netfilter hooks\n");
@@ -7318,8 +7318,6 @@ int selinux_disable(struct selinux_state *state)
 
  pr_info("SELinux:  Disabled at runtime.\n");
 
- selinux_enabled = 0;
-
  security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
 
  /* Try to destroy the avc node cache */
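Review bot: With `selinux_enabled = 0;` removed, nothing in this hunk records that SELinux was disabled at runtime, and the selinuxfs hunks later in the patch hardcode `enabled=` in their audit strings rather than reading a flag. Presumably `state->disabled`, which the security.h hunk makes conditional on CONFIG_SECURITY_SELINUX_DISABLE, is now the only record of that state; a comment above `security_delete_hooks()` such as `/* selinux_enabled_boot is __initdata; the runtime-disabled state is tracked in state->disabled. */` would make the new contract explicit. selinux_disable() starts outside the hunk.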
diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
index de92365e4324b..f68a7617cfb95 100644
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -222,7 +222,7 @@ static __init int sel_ib_pkey_init(void)
 {
  int iter;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8c0dbbd076c6f..af623f03922ce 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -69,7 +69,7 @@
 
 struct netlbl_lsm_secattr;
 
-extern int selinux_enabled;
+extern int selinux_enabled_boot;
 
 /* Policy capabilities */
 enum {
@@ -99,7 +99,9 @@ struct selinux_avc;
 struct selinux_ss;
 
 struct selinux_state {
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
  bool disabled;
+#endif
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
  bool enforcing;
 #endif
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index e40fecd737524..15b8c1bcd7d0c 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -266,7 +266,7 @@ static __init int sel_netif_init(void)
 {
  int i;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 9ab84efa46c7e..dff587d1e1641 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -291,7 +291,7 @@ static __init int sel_netnode_init(void)
 {
  int iter;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 3f8b2c0458c88..de727f7489b76 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -225,7 +225,7 @@ static __init int sel_netport_init(void)
 {
  int iter;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index dd7bb1f1dc99a..278417e67b4c6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -168,11 +168,10 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
  goto out;
  audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
  "enforcing=%d old_enforcing=%d auid=%u ses=%u"
- " enabled=%d old-enabled=%d lsm=selinux res=1",
+ " enabled=1 old-enabled=1 lsm=selinux res=1",
  new_value, old_value,
  from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current),
- selinux_enabled, selinux_enabled);
+ audit_get_sessionid(current));
  enforcing_set(state, new_value);
  if (new_value)
  avc_ss_reset(state->avc, 0);
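Review bot: The audit string now hardcodes `enabled=1 old-enabled=1` (and the sel_write_disable hunk below hardcodes `enabled=0 old-enabled=1`), which is correct only if these selinuxfs writes can never run after a runtime disable; that invariant is not visible in the hunk. If the write path is unreachable once SELinux is disabled, a comment above the `audit_log()` call stating that invariant would justify the constants and keep the audit record honest; if the invariant is weaker, the value should come from `state->disabled` instead. sel_write_enforce() starts and ends outside the hunk.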
@@ -304,10 +303,10 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
  goto out;
  audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
  "enforcing=%d old_enforcing=%d auid=%u ses=%u"
- " enabled=%d old-enabled=%d lsm=selinux res=1",
+ " enabled=0 old-enabled=1 lsm=selinux res=1",
  enforcing, enforcing,
  from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), 0, 1);
+ audit_get_sessionid(current));
  }
 
  length = count;
@@ -2105,7 +2104,7 @@ static int __init init_sel_fs(void)
    sizeof(NULL_FILE_NAME)-1);
  int err;
 
- if (!selinux_enabled)
+ if (!selinux_enabled_boot)
  return 0;
 
  err = sysfs_create_mount_point(fs_kobj, "selinux");
 
This patch contains very informative code, which shows me where selinux_enabled is configured.