Revert "ANDROID: selinux: Android kernel compatibility with M userspace"
This reverts commit abdc6632da954178edbfc512099f5f355b47157a.
Broke the Brillo build:
https://android-build-uber.corp.google.com/builds/git_mnc-brillo-dev-linux-brilloemulator_arm64-eng/2457039/logs/build_error.log
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 81001a3..b64f277 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -353,32 +353,6 @@
chain2_len_sum);
}
-/*
- * extended permissions compatibility. Make ToT Android kernels compatible
- * with Android M releases
- */
-#define AVTAB_OPTYPE_ALLOWED 0x1000
-#define AVTAB_OPTYPE_AUDITALLOW 0x2000
-#define AVTAB_OPTYPE_DONTAUDIT 0x4000
-#define AVTAB_OPTYPE (AVTAB_OPTYPE_ALLOWED | \
- AVTAB_OPTYPE_AUDITALLOW | \
- AVTAB_OPTYPE_DONTAUDIT)
-#define AVTAB_XPERMS_OPTYPE 4
-
-#define avtab_xperms_to_optype(x) (x << AVTAB_XPERMS_OPTYPE)
-#define avtab_optype_to_xperms(x) (x >> AVTAB_XPERMS_OPTYPE)
-
-static unsigned int avtab_android_m_compat;
-
-static void avtab_android_m_compat_set(void)
-{
- if (!avtab_android_m_compat) {
- pr_info("SELinux: Android master kernel running Android"
- " M policy in compatibility mode.\n");
- avtab_android_m_compat = 1;
- }
-}
-
static uint16_t spec_order[] = {
AVTAB_ALLOWED,
AVTAB_AUDITDENY,
@@ -399,9 +373,6 @@
u32 items, items2, val, vers = pol->policyvers;
struct avtab_key key;
struct avtab_datum datum;
- struct avtab_extended_perms xperms;
- __le32 buf32[ARRAY_SIZE(xperms.perms.p)];
- unsigned int android_m_compat_optype = 0;
int i, rc;
unsigned set;
@@ -488,13 +459,6 @@
key.target_class = le16_to_cpu(buf16[items++]);
key.specified = le16_to_cpu(buf16[items++]);
- if ((key.specified & AVTAB_OPTYPE) &&
- (vers == POLICYDB_VERSION_XPERMS_IOCTL)) {
- key.specified = avtab_optype_to_xperms(key.specified);
- android_m_compat_optype = 1;
- avtab_android_m_compat_set();
- }
-
if (!policydb_type_isvalid(pol, key.source_type) ||
!policydb_type_isvalid(pol, key.target_type) ||
!policydb_class_isvalid(pol, key.target_class)) {
@@ -512,51 +476,10 @@
return -EINVAL;
}
- if ((vers < POLICYDB_VERSION_XPERMS_IOCTL) &&
- (key.specified & AVTAB_XPERMS)) {
- printk(KERN_ERR "SELinux: avtab: policy version %u does not "
- "support extended permissions rules and one "
- "was specified\n", vers);
- return -EINVAL;
- } else if (key.specified & AVTAB_XPERMS) {
- memset(&xperms, 0, sizeof(struct avtab_extended_perms));
- rc = next_entry(&xperms.specified, fp, sizeof(u8));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- if (avtab_android_m_compat ||
- ((xperms.specified != AVTAB_XPERMS_IOCTLFUNCTION) &&
- (xperms.specified != AVTAB_XPERMS_IOCTLDRIVER) &&
- (vers == POLICYDB_VERSION_XPERMS_IOCTL))) {
- xperms.driver = xperms.specified;
- if (android_m_compat_optype)
- xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
- else
- xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
- avtab_android_m_compat_set();
- } else {
- rc = next_entry(&xperms.driver, fp, sizeof(u8));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- }
- rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- for (i = 0; i < ARRAY_SIZE(xperms.perms.p); i++)
- xperms.perms.p[i] = le32_to_cpu(buf32[i]);
- datum.u.xperms = &xperms;
- } else {
- rc = next_entry(buf32, fp, sizeof(u32));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- datum.u.data = le32_to_cpu(*buf32);
+ rc = next_entry(buf32, fp, sizeof(u32));
+ if (rc) {
+ printk(KERN_ERR "SELinux: avtab: truncated entry\n");
+ return rc;
}
datum.data = le32_to_cpu(*buf32);
if ((key.specified & AVTAB_TYPE) &&
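Review bot: The restored `rc = next_entry(buf32, fp, sizeof(u32));` reads exactly one 32-bit datum per entry, and nothing visible in this hunk rejects a key whose `specified` field carries extended-permission bits. If the validity check just above (only its `return -EINVAL;` is in view) does not reject such keys, an xperms entry in a loaded policy would be taken as a single u32 and the rest of the table parsed out of alignment. A short comment would document the assumption, for example `/* one u32 datum per entry; keys with xperms bits must already have been rejected above */`. The locals hunk also removes `__le32 buf32[ARRAY_SIZE(xperms.perms.p)];`, so this line relies on a `buf32` declaration outside the visible lines, which is worth confirming with a build. The write hunk has the same one-u32 assumption at `buf32[0] = cpu_to_le32(cur->datum.data);`, and the enclosing function begins and ends outside this hunk.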
@@ -626,34 +549,12 @@
buf16[0] = cpu_to_le16(cur->key.source_type);
buf16[1] = cpu_to_le16(cur->key.target_type);
buf16[2] = cpu_to_le16(cur->key.target_class);
- if (avtab_android_m_compat && (cur->key.specified & AVTAB_XPERMS) &&
- (cur->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER))
- buf16[3] = cpu_to_le16(avtab_xperms_to_optype(cur->key.specified));
- else
- buf16[3] = cpu_to_le16(cur->key.specified);
+ buf16[3] = cpu_to_le16(cur->key.specified);
rc = put_entry(buf16, sizeof(u16), 4, fp);
if (rc)
return rc;
-
- if (cur->key.specified & AVTAB_XPERMS) {
- if (avtab_android_m_compat == 0) {
- rc = put_entry(&cur->datum.u.xperms->specified,
- sizeof(u8), 1, fp);
- if (rc)
- return rc;
- }
- rc = put_entry(&cur->datum.u.xperms->driver, sizeof(u8), 1, fp);
- if (rc)
- return rc;
- for (i = 0; i < ARRAY_SIZE(cur->datum.u.xperms->perms.p); i++)
- buf32[i] = cpu_to_le32(cur->datum.u.xperms->perms.p[i]);
- rc = put_entry(buf32, sizeof(u32),
- ARRAY_SIZE(cur->datum.u.xperms->perms.p), fp);
- } else {
- buf32[0] = cpu_to_le32(cur->datum.u.data);
- rc = put_entry(buf32, sizeof(u32), 1, fp);
- }
-
+ buf32[0] = cpu_to_le32(cur->datum.data);
+ rc = put_entry(buf32, sizeof(u32), 1, fp);
if (rc)
return rc;
return 0;