~hc/RK356X_SDK_RELEASE.git

..	..	@@ -13,9 +13,11 @@
13	13	#include <linux/dcache.h>
14	14	#include <linux/magic.h>
15	15	#include <linux/types.h>
	16	+#include <linux/rcupdate.h>
16	17	#include <linux/refcount.h>
17	18	#include <linux/workqueue.h>
18	19	#include "flask.h"
	20	+#include "policycap.h"
19	21
20	22	#define SECSID_NULL 0x00000000 /* unspecified SID */
21	23	#define SECSID_WILD 0xffffffff /* wildcard SID */
..	..	@@ -40,10 +42,12 @@
40	42	#define POLICYDB_VERSION_CONSTRAINT_NAMES 29
41	43	#define POLICYDB_VERSION_XPERMS_IOCTL 30
42	44	#define POLICYDB_VERSION_INFINIBAND 31
	45	+#define POLICYDB_VERSION_GLBLUB 32
	46	+#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */
43	47
44	48	/* Range of policy versions we understand*/
45	49	#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
46		-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
	50	+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS
47	51
48	52	/* Mask for just the mount related flags */
49	53	#define SE_MNTMASK 0x0f
..	..	@@ -58,30 +62,17 @@
58	62	#define SE_SBINITIALIZED 0x0100
59	63	#define SE_SBPROC 0x0200
60	64	#define SE_SBGENFS 0x0400
	65	+#define SE_SBGENFS_XATTR 0x0800
61	66
62		-#define CONTEXT_STR "context="
63		-#define FSCONTEXT_STR "fscontext="
64		-#define ROOTCONTEXT_STR "rootcontext="
65		-#define DEFCONTEXT_STR "defcontext="
66		-#define LABELSUPP_STR "seclabel"
	67	+#define CONTEXT_STR "context"
	68	+#define FSCONTEXT_STR "fscontext"
	69	+#define ROOTCONTEXT_STR "rootcontext"
	70	+#define DEFCONTEXT_STR "defcontext"
	71	+#define SECLABEL_STR "seclabel"
67	72
68	73	struct netlbl_lsm_secattr;
69	74
70		-extern int selinux_enabled;
71		-
72		-/* Policy capabilities */
73		-enum {
74		- POLICYDB_CAPABILITY_NETPEER,
75		- POLICYDB_CAPABILITY_OPENPERM,
76		- POLICYDB_CAPABILITY_EXTSOCKCLASS,
77		- POLICYDB_CAPABILITY_ALWAYSNETWORK,
78		- POLICYDB_CAPABILITY_CGROUPSECLABEL,
79		- POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
80		- __POLICYDB_CAPABILITY_MAX
81		-};
82		-#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
83		-
84		-extern const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
	75	+extern int selinux_enabled_boot;
85	76
86	77	/*
87	78	* type_datum properties
..	..	@@ -94,10 +85,12 @@
94	85	#define POLICYDB_BOUNDS_MAXDEPTH 4
95	86
96	87	struct selinux_avc;
97		-struct selinux_ss;
	88	+struct selinux_policy;
98	89
99	90	struct selinux_state {
	91	+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
100	92	bool disabled;
	93	+#endif
101	94	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102	95	bool enforcing;
103	96	#endif
..	..	@@ -107,24 +100,39 @@
107	100	bool android_netlink_route;
108	101	bool android_netlink_getneigh;
109	102
110		- struct selinux_avc *avc;
111		- struct selinux_ss *ss;
112		-};
	103	+ struct page *status_page;
	104	+ struct mutex status_lock;
113	105
114		-void selinux_ss_init(struct selinux_ss **ss);
	106	+ struct selinux_avc *avc;
	107	+ struct selinux_policy __rcu *policy;
	108	+ struct mutex policy_mutex;
	109	+} __randomize_layout;
	110	+
115	111	void selinux_avc_init(struct selinux_avc **avc);
116	112
117	113	extern struct selinux_state selinux_state;
118	114
	115	+static inline bool selinux_initialized(const struct selinux_state *state)
	116	+{
	117	+ /* do a synchronized load to avoid race conditions */
	118	+ return smp_load_acquire(&state->initialized);
	119	+}
	120	+
	121	+static inline void selinux_mark_initialized(struct selinux_state *state)
	122	+{
	123	+ /* do a synchronized write to avoid race conditions */
	124	+ smp_store_release(&state->initialized, true);
	125	+}
	126	+
119	127	#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
120	128	static inline bool enforcing_enabled(struct selinux_state *state)
121	129	{
122		- return state->enforcing;
	130	+ return READ_ONCE(state->enforcing);
123	131	}
124	132
125	133	static inline void enforcing_set(struct selinux_state *state, bool value)
126	134	{
127		- state->enforcing = value;
	135	+ WRITE_ONCE(state->enforcing, value);
128	136	}
129	137	#else
130	138	static inline bool enforcing_enabled(struct selinux_state *state)
..	..	@@ -137,46 +145,87 @@
137	145	}
138	146	#endif
139	147
	148	+static inline bool checkreqprot_get(const struct selinux_state *state)
	149	+{
	150	+ return READ_ONCE(state->checkreqprot);
	151	+}
	152	+
	153	+static inline void checkreqprot_set(struct selinux_state *state, bool value)
	154	+{
	155	+ WRITE_ONCE(state->checkreqprot, value);
	156	+}
	157	+
	158	+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
	159	+static inline bool selinux_disabled(struct selinux_state *state)
	160	+{
	161	+ return READ_ONCE(state->disabled);
	162	+}
	163	+
	164	+static inline void selinux_mark_disabled(struct selinux_state *state)
	165	+{
	166	+ WRITE_ONCE(state->disabled, true);
	167	+}
	168	+#else
	169	+static inline bool selinux_disabled(struct selinux_state *state)
	170	+{
	171	+ return false;
	172	+}
	173	+#endif
	174	+
140	175	static inline bool selinux_policycap_netpeer(void)
141	176	{
142	177	struct selinux_state *state = &selinux_state;
143	178
144		- return state->policycap[POLICYDB_CAPABILITY_NETPEER];
	179	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NETPEER]);
145	180	}
146	181
147	182	static inline bool selinux_policycap_openperm(void)
148	183	{
149	184	struct selinux_state *state = &selinux_state;
150	185
151		- return state->policycap[POLICYDB_CAPABILITY_OPENPERM];
	186	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_OPENPERM]);
152	187	}
153	188
154	189	static inline bool selinux_policycap_extsockclass(void)
155	190	{
156	191	struct selinux_state *state = &selinux_state;
157	192
158		- return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS];
	193	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]);
159	194	}
160	195
161	196	static inline bool selinux_policycap_alwaysnetwork(void)
162	197	{
163	198	struct selinux_state *state = &selinux_state;
164	199
165		- return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK];
	200	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]);
166	201	}
167	202
168	203	static inline bool selinux_policycap_cgroupseclabel(void)
169	204	{
170	205	struct selinux_state *state = &selinux_state;
171	206
172		- return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL];
	207	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]);
173	208	}
174	209
175	210	static inline bool selinux_policycap_nnp_nosuid_transition(void)
176	211	{
177	212	struct selinux_state *state = &selinux_state;
178	213
179		- return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
	214	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]);
	215	+}
	216	+
	217	+static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
	218	+{
	219	+ struct selinux_state *state = &selinux_state;
	220	+
	221	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]);
	222	+}
	223	+
	224	+static inline bool selinux_policycap_ioctl_skip_cloexec(void)
	225	+{
	226	+ struct selinux_state *state = &selinux_state;
	227	+
	228	+ return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC]);
180	229	}
181	230
182	231	static inline bool selinux_android_nlroute_getlink(void)
..	..	@@ -193,12 +242,23 @@
193	242	return state->android_netlink_getneigh;
194	243	}
195	244
	245	+struct selinux_policy_convert_data;
	246	+
	247	+struct selinux_load_state {
	248	+ struct selinux_policy *policy;
	249	+ struct selinux_policy_convert_data *convert_data;
	250	+};
	251	+
196	252	int security_mls_enabled(struct selinux_state *state);
197	253	int security_load_policy(struct selinux_state *state,
198		- void *data, size_t len);
	254	+ void *data, size_t len,
	255	+ struct selinux_load_state *load_state);
	256	+void selinux_policy_commit(struct selinux_state *state,
	257	+ struct selinux_load_state *load_state);
	258	+void selinux_policy_cancel(struct selinux_state *state,
	259	+ struct selinux_load_state *load_state);
199	260	int security_read_policy(struct selinux_state *state,
200	261	void *data, size_t len);
201		-size_t security_policydb_len(struct selinux_state *state);
202	262
203	263	int security_policycap_supported(struct selinux_state *state,
204	264	unsigned int req_cap);
..	..	@@ -272,6 +332,9 @@
272	332	int security_sid_to_context_force(struct selinux_state *state,
273	333	u32 sid, char *scontext, u32 scontext_len);
274	334
	335	+int security_sid_to_context_inval(struct selinux_state *state,
	336	+ u32 sid, char *scontext, u32 scontext_len);
	337	+
275	338	int security_context_to_sid(struct selinux_state *state,
276	339	const char *scontext, u32 scontext_len,
277	340	u32 *out_sid, gfp_t gfp);
..	..	@@ -326,9 +389,9 @@
326	389	u32 xfrm_sid,
327	390	u32 *peer_sid);
328	391
329		-int security_get_classes(struct selinux_state *state,
	392	+int security_get_classes(struct selinux_policy *policy,
330	393	char **classes, int nclasses);
331		-int security_get_permissions(struct selinux_state *state,
	394	+int security_get_permissions(struct selinux_policy *policy,
332	395	char class, char *perms, int nperms);
333	396	int security_get_reject_unknown(struct selinux_state *state);
334	397	int security_get_allow_unknown(struct selinux_state *state);
..	..	@@ -345,6 +408,10 @@
345	408	int security_fs_use(struct selinux_state state, struct super_block sb);
346	409
347	410	int security_genfs_sid(struct selinux_state *state,
	411	+ const char fstype, char name, u16 sclass,
	412	+ u32 *sid);
	413	+
	414	+int selinux_policy_genfs_sid(struct selinux_policy *policy,
348	415	const char fstype, char name, u16 sclass,
349	416	u32 *sid);
350	417
..	..	@@ -407,7 +474,7 @@
407	474	extern void avtab_cache_init(void);
408	475	extern void ebitmap_cache_init(void);
409	476	extern void hashtab_cache_init(void);
410		-extern void selinux_nlmsg_init(void);
411	477	extern int security_sidtab_hash_stats(struct selinux_state state, char page);
	478	+extern void selinux_nlmsg_init(void);
412	479
413	480	#endif /* _SELINUX_SECURITY_H_ */