selinux: clean up selinux_enabled/disabled/enforcing_boot

Rename selinux_enabled to selinux_enabled_boot to make it clear that
it only reflects whether SELinux was enabled at boot.  Replace the
references to it in the MAC_STATUS audit log in sel_write_enforce()
with hardcoded "1" values because this code is only reachable if SELinux
is enabled and does not change its value, and update the corresponding
MAC_STATUS audit log in sel_write_disable().  Stop clearing
selinux_enabled in selinux_disable() since it is not used outside of
initialization code that runs before selinux_disable() can be reached.
Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata
since they are only used in initialization code.

Wrap the disabled field in the struct selinux_state with
CONFIG_SECURITY_SELINUX_DISABLE since it is only used for
runtime disable.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 40ec866..659c4a8 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -109,7 +109,7 @@ struct selinux_state selinux_state;
 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-static int selinux_enforcing_boot;
+static int selinux_enforcing_boot __initdata;
 
 static int __init enforcing_setup(char *str)
 {
@@ -123,13 +123,13 @@ __setup("enforcing=", enforcing_setup);
 #define selinux_enforcing_boot 1
 #endif
 
-int selinux_enabled __lsm_ro_after_init = 1;
+int selinux_enabled_boot __initdata = 1;
 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
 static int __init selinux_enabled_setup(char *str)
 {
        unsigned long enabled;
        if (!kstrtoul(str, 0, &enabled))
-               selinux_enabled = enabled ? 1 : 0;
+               selinux_enabled_boot = enabled ? 1 : 0;
        return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
@@ -7202,7 +7202,7 @@ void selinux_complete_init(void)
 DEFINE_LSM(selinux) = {
        .name = "selinux",
        .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
-       .enabled = &selinux_enabled,
+       .enabled = &selinux_enabled_boot,
        .blobs = &selinux_blob_sizes,
        .init = selinux_init,
 };
@@ -7271,7 +7271,7 @@ static int __init selinux_nf_ip_init(void)
 {
        int err;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        pr_debug("SELinux:  Registering netfilter hooks\n");
@@ -7318,8 +7318,6 @@ int selinux_disable(struct selinux_state *state)
 
        pr_info("SELinux:  Disabled at runtime.\n");
 
-       selinux_enabled = 0;
-
        security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
 
        /* Try to destroy the avc node cache */

diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
index de92365..f68a761 100644 (file)
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -222,7 +222,7 @@ static __init int sel_ib_pkey_init(void)
 {
        int iter;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8c0dbbd..af623f0 100644 (file)
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -69,7 +69,7 @@
 
 struct netlbl_lsm_secattr;
 
-extern int selinux_enabled;
+extern int selinux_enabled_boot;
 
 /* Policy capabilities */
 enum {
@@ -99,7 +99,9 @@ struct selinux_avc;
 struct selinux_ss;
 
 struct selinux_state {
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
        bool disabled;
+#endif
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
        bool enforcing;
 #endif

diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index e40fecd..15b8c1b 100644 (file)
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -266,7 +266,7 @@ static __init int sel_netif_init(void)
 {
        int i;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        for (i = 0; i < SEL_NETIF_HASH_SIZE; i++)

diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 9ab84ef..dff587d 100644 (file)
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -291,7 +291,7 @@ static __init int sel_netnode_init(void)
 {
        int iter;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) {

diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 3f8b2c0..de727f7 100644 (file)
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -225,7 +225,7 @@ static __init int sel_netport_init(void)
 {
        int iter;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) {

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index dd7bb1f..278417e 100644 (file)
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -168,11 +168,10 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
                        goto out;
                audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
                        "enforcing=%d old_enforcing=%d auid=%u ses=%u"
-                       " enabled=%d old-enabled=%d lsm=selinux res=1",
+                       " enabled=1 old-enabled=1 lsm=selinux res=1",
                        new_value, old_value,
                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                       audit_get_sessionid(current),
-                       selinux_enabled, selinux_enabled);
+                       audit_get_sessionid(current));
                enforcing_set(state, new_value);
                if (new_value)
                        avc_ss_reset(state->avc, 0);
@@ -304,10 +303,10 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
                        goto out;
                audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
                        "enforcing=%d old_enforcing=%d auid=%u ses=%u"
-                       " enabled=%d old-enabled=%d lsm=selinux res=1",
+                       " enabled=0 old-enabled=1 lsm=selinux res=1",
                        enforcing, enforcing,
                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                       audit_get_sessionid(current), 0, 1);
+                       audit_get_sessionid(current));
        }
 
        length = count;
@@ -2105,7 +2104,7 @@ static int __init init_sel_fs(void)
                                          sizeof(NULL_FILE_NAME)-1);
        int err;
 
-       if (!selinux_enabled)
+       if (!selinux_enabled_boot)
                return 0;
 
        err = sysfs_create_mount_point(fs_kobj, "selinux");