commit ff98935ce8bb0e98651996a034938962a2837bcb
author Jorge Lucangeli Obes <jorgelo@google.com> Tue Dec 01 08:27:50 2015 -0800
committer Kees Cook <keescook@chromium.org> Mon Jan 11 15:16:35 2016 -0800
tree 7c1f938eb3217bcd52671954d9b6721ff664f370
parent 447bd374aa73bc5553a60e5f2039807e4f8482af

Revert "ANDROID: selinux: Android kernel compatibility with M userspace"

This reverts commit abdc6632da954178edbfc512099f5f355b47157a.

Broke the Brillo build:
https://android-build-uber.corp.google.com/builds/git_mnc-brillo-dev-linux-brilloemulator_arm64-eng/2457039/logs/build_error.log

security/selinux/ss/avtab.c

diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 81001a3..b64f277 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -353,32 +353,6 @@
 	       chain2_len_sum);
 }
 
-/*
- * extended permissions compatibility. Make ToT Android kernels compatible
- * with Android M releases
- */
-#define AVTAB_OPTYPE_ALLOWED	0x1000
-#define AVTAB_OPTYPE_AUDITALLOW	0x2000
-#define AVTAB_OPTYPE_DONTAUDIT	0x4000
-#define AVTAB_OPTYPE		(AVTAB_OPTYPE_ALLOWED | \
-				AVTAB_OPTYPE_AUDITALLOW | \
-				AVTAB_OPTYPE_DONTAUDIT)
-#define AVTAB_XPERMS_OPTYPE	4
-
-#define avtab_xperms_to_optype(x) (x << AVTAB_XPERMS_OPTYPE)
-#define avtab_optype_to_xperms(x) (x >> AVTAB_XPERMS_OPTYPE)
-
-static unsigned int avtab_android_m_compat;
-
-static void avtab_android_m_compat_set(void)
-{
-	if (!avtab_android_m_compat) {
-		pr_info("SELinux:  Android master kernel running Android"
-				" M policy in compatibility mode.\n");
-		avtab_android_m_compat = 1;
-	}
-}
-
 static uint16_t spec_order[] = {
 	AVTAB_ALLOWED,
 	AVTAB_AUDITDENY,
@@ -399,9 +373,6 @@
 	u32 items, items2, val, vers = pol->policyvers;
 	struct avtab_key key;
 	struct avtab_datum datum;
-	struct avtab_extended_perms xperms;
-	__le32 buf32[ARRAY_SIZE(xperms.perms.p)];
-	unsigned int android_m_compat_optype = 0;
 	int i, rc;
 	unsigned set;
 
@@ -488,13 +459,6 @@
 	key.target_class = le16_to_cpu(buf16[items++]);
 	key.specified = le16_to_cpu(buf16[items++]);
 
-	if ((key.specified & AVTAB_OPTYPE) &&
-			(vers == POLICYDB_VERSION_XPERMS_IOCTL)) {
-		key.specified = avtab_optype_to_xperms(key.specified);
-		android_m_compat_optype = 1;
-		avtab_android_m_compat_set();
-	}
-
 	if (!policydb_type_isvalid(pol, key.source_type) ||
 	    !policydb_type_isvalid(pol, key.target_type) ||
 	    !policydb_class_isvalid(pol, key.target_class)) {
@@ -512,51 +476,10 @@
 		return -EINVAL;
 	}
 
-	if ((vers < POLICYDB_VERSION_XPERMS_IOCTL) &&
-			(key.specified & AVTAB_XPERMS)) {
-		printk(KERN_ERR "SELinux:  avtab:  policy version %u does not "
-				"support extended permissions rules and one "
-				"was specified\n", vers);
-		return -EINVAL;
-	} else if (key.specified & AVTAB_XPERMS) {
-		memset(&xperms, 0, sizeof(struct avtab_extended_perms));
-		rc = next_entry(&xperms.specified, fp, sizeof(u8));
-		if (rc) {
-			printk(KERN_ERR "SELinux: avtab: truncated entry\n");
-			return rc;
-		}
-		if (avtab_android_m_compat ||
-			    ((xperms.specified != AVTAB_XPERMS_IOCTLFUNCTION) &&
-			    (xperms.specified != AVTAB_XPERMS_IOCTLDRIVER) &&
-			    (vers == POLICYDB_VERSION_XPERMS_IOCTL))) {
-			xperms.driver = xperms.specified;
-			if (android_m_compat_optype)
-				xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
-			else
-				xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
-			avtab_android_m_compat_set();
-		} else {
-			rc = next_entry(&xperms.driver, fp, sizeof(u8));
-			if (rc) {
-				printk(KERN_ERR "SELinux: avtab: truncated entry\n");
-				return rc;
-			}
-		}
-		rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p));
-		if (rc) {
-			printk(KERN_ERR "SELinux: avtab: truncated entry\n");
-			return rc;
-		}
-		for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++)
-			xperms.perms.p[i] = le32_to_cpu(buf32[i]);
-		datum.u.xperms = &xperms;
-	} else {
-		rc = next_entry(buf32, fp, sizeof(u32));
-		if (rc) {
-			printk(KERN_ERR "SELinux: avtab: truncated entry\n");
-			return rc;
-		}
-		datum.u.data = le32_to_cpu(*buf32);
+	rc = next_entry(buf32, fp, sizeof(u32));
+	if (rc) {
+		printk(KERN_ERR "SELinux: avtab: truncated entry\n");
+		return rc;
 	}
 	datum.data = le32_to_cpu(*buf32);
 	if ((key.specified & AVTAB_TYPE) &&
@@ -626,34 +549,12 @@
 	buf16[0] = cpu_to_le16(cur->key.source_type);
 	buf16[1] = cpu_to_le16(cur->key.target_type);
 	buf16[2] = cpu_to_le16(cur->key.target_class);
-	if (avtab_android_m_compat && (cur->key.specified & AVTAB_XPERMS) &&
-		    (cur->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER))
-		buf16[3] = cpu_to_le16(avtab_xperms_to_optype(cur->key.specified));
-	else
-		buf16[3] = cpu_to_le16(cur->key.specified);
+	buf16[3] = cpu_to_le16(cur->key.specified);
 	rc = put_entry(buf16, sizeof(u16), 4, fp);
 	if (rc)
 		return rc;
-
-	if (cur->key.specified & AVTAB_XPERMS) {
-		if (avtab_android_m_compat == 0) {
-			rc = put_entry(&cur->datum.u.xperms->specified,
-					sizeof(u8), 1, fp);
-			if (rc)
-				return rc;
-		}
-		rc = put_entry(&cur->datum.u.xperms->driver, sizeof(u8), 1, fp);
-		if (rc)
-			return rc;
-		for (i = 0; i < ARRAY_SIZE(cur->datum.u.xperms->perms.p); i++)
-			buf32[i] = cpu_to_le32(cur->datum.u.xperms->perms.p[i]);
-		rc = put_entry(buf32, sizeof(u32),
-				ARRAY_SIZE(cur->datum.u.xperms->perms.p), fp);
-	} else {
-		buf32[0] = cpu_to_le32(cur->datum.u.data);
-		rc = put_entry(buf32, sizeof(u32), 1, fp);
-	}
-
+	buf32[0] = cpu_to_le32(cur->datum.data);
+	rc = put_entry(buf32, sizeof(u32), 1, fp);
 	if (rc)
 		return rc;
 	return 0;