diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-04-17 09:25:51 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2015-04-17 13:35:05 -0400 |
commit | 801cd60478e994c505ff740271b5506e2036278c (patch) | |
tree | a04048942a2e201ed8406e87f3fe08a41224f104 | |
parent | fab180eabbbe956b0860b92fb856ab87256924e7 (diff) | |
download | libselinux-801cd60478e994c505ff740271b5506e2036278c.tar.gz |
libselinux: is_selinux_enabled(): drop no-policy-loaded test.
upstream commit 685f4aeeadc0b60f3770404d4f149610d656e3c8.
SELinux can be disabled via the selinux=0 kernel parameter or via
/sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
/etc/selinux/config). In either case, selinuxfs will be unmounted
and unregistered and therefore it is sufficient to check for the
selinuxfs mount. We do not need to check for no-policy-loaded and
treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
days. Drop the no-policy-loaded test, which was a bit of a hack anyway
(checking whether getcon_raw() returned "kernel" as that can only happen
if no policy is yet loaded and therefore security_sid_to_context() only
has the initial SID name available to return as the context).
May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074
by virtue of removing the call to getcon_raw() and therefore avoiding
use of tls on is_selinux_enabled() calls. Regardless, it will make
is_selinux_enabled() faster and simpler.
[sds: Adapted for the Android libselinux port. Also drops the
fallback to scanning /proc/filesystems for selinuxfs as this was
already done upstream; init mounts selinuxfs via libselinux prior to any
is_selinux_enabled() checks. The tls bug is not relevant in Android
since the Android libselinux port does not use tls, but this change
is nonetheless useful to optimize is_selinux_enabled().]
Change-Id: Ia8b484a3a2fe7f604b0bfb8f5b109ad7674c1152
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | src/enabled.c | 48 |
1 files changed, 1 insertions, 47 deletions
diff --git a/src/enabled.c b/src/enabled.c index ab015a4..c60eb19 100644 --- a/src/enabled.c +++ b/src/enabled.c @@ -10,56 +10,10 @@ int is_selinux_enabled(void) { - char buf[BUFSIZ]; - FILE *fp; - char *bufp; - int enabled = 0; - char * con; - /* init_selinuxmnt() gets called before this function. We * will assume that if a selinux file system is mounted, then * selinux is enabled. */ - if (selinux_mnt) { - - /* Since a file system is mounted, we consider selinux - * enabled. If getcon fails, selinux is still enabled. - * We only consider it disabled if no policy is loaded. */ - enabled = 1; - if (getcon(&con) == 0) { - if (!strcmp(con, "kernel")) - enabled = 0; - freecon(con); - } - return enabled; - } - - /* Drop back to detecting it the long way. */ - fp = fopen("/proc/filesystems", "r"); - if (!fp) - return -1; - - while ((bufp = fgets(buf, sizeof buf - 1, fp)) != NULL) { - if (strstr(buf, "selinuxfs")) { - enabled = 1; - break; - } - } - - if (!bufp) - goto out; - - /* Since an selinux file system is available, we consider - * selinux enabled. If getcon fails, selinux is still - * enabled. We only consider it disabled if no policy is loaded. */ - if (getcon(&con) == 0) { - if (!strcmp(con, "kernel")) - enabled = 0; - freecon(con); - } - - out: - fclose(fp); - return enabled; + return (selinux_mnt ? 1 : 0); } hidden_def(is_selinux_enabled) |