selinux: Remove awful CONFIG_ALWAYS_ENFORCE

Change-Id: I0411903968d625fd8399d7464d77e181e2951aaa

security/selinux/Makefile

@@ -2,12 +2,6 @@
 # Makefile for building the SELinux module as part of the kernel tree.
 #
 
-ifeq ($(CONFIG_SAMSUNG_PRODUCT_SHIP),y)
-ifeq ($(SEC_BUILD_OPTION_SELINUX_ENFORCE),true)
-EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
-endif
-endif
-
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \

security/selinux/avc.c

@@ -685,11 +685,7 @@ static noinline int avc_denied(u32 ssid, u32 tsid,
 {
 	if (flags & AVC_STRICT)
 		return -EACCES;
-#ifdef CONFIG_ALWAYS_ENFORCE
-	if (!(avd->flags & AVD_FLAGS_PERMISSIVE))
-#else
 	if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
-#endif
 		return -EACCES;
 
 	avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,

security/selinux/exports.c

@@ -18,10 +18,6 @@
 
 bool selinux_is_enabled(void)
 {
-#ifdef CONFIG_ALWAYS_ENFORCE
-	return true;
-#else
 	return selinux_enabled;
-#endif
 }
 EXPORT_SYMBOL_GPL(selinux_is_enabled);

security/selinux/hooks.c

@@ -109,11 +109,7 @@ static int __init enforcing_setup(char *str)
 {
 	unsigned long enforcing;
 	if (!strict_strtoul(str, 0, &enforcing))
-#ifdef CONFIG_ALWAYS_ENFORCE
-		selinux_enforcing = 1;
-#else
 		selinux_enforcing = enforcing ? 1 : 0;
-#endif
 	return 1;
 }
 __setup("enforcing=", enforcing_setup);
@@ -126,11 +122,7 @@ static int __init selinux_enabled_setup(char *str)
 {
 	unsigned long enabled;
 	if (!strict_strtoul(str, 0, &enabled))
-#ifdef CONFIG_ALWAYS_ENFORCE
-		selinux_enabled = 1;
-#else
 		selinux_enabled = enabled ? 1 : 0;
-#endif
 	return 1;
 }
 __setup("selinux=", selinux_enabled_setup);
@@ -4668,11 +4660,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
 				  "SELinux:  unrecognized netlink message"
 				  " type=%hu for sclass=%hu\n",
 				  nlh->nlmsg_type, sksec->sclass);
-#ifdef CONFIG_ALWAYS_ENFORCE
-			if (security_get_allow_unknown())
-#else
 			if (!selinux_enforcing || security_get_allow_unknown())
-#endif
 				err = 0;
 		}
 
@@ -5954,11 +5942,7 @@ static struct security_operations selinux_ops = {
 static __init int selinux_init(void)
 {
 	if (!security_module_enable(&selinux_ops)) {
-#ifdef CONFIG_ALWAYS_ENFORCE
-		selinux_enabled = 1;
-#else
 		selinux_enabled = 0;
-#endif
 		return 0;
 	}
 
@@ -5981,9 +5965,6 @@ static __init int selinux_init(void)
 
 	if (register_security(&selinux_ops))
 		panic("SELinux: Unable to register with kernel.\n");
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enforcing = 1;
-#endif
 	if (selinux_enforcing)
 		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
 	else
@@ -6060,9 +6041,6 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
 static int __init selinux_nf_ip_init(void)
 {
 	int err = 0;
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enabled = 1;
-#endif
 	if (!selinux_enabled)
 		goto out;
 

security/selinux/netif.c

@@ -283,9 +283,6 @@ static __init int sel_netif_init(void)
 {
 	int i, err;
 
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enabled = 1;
-#endif
 	if (!selinux_enabled)
 		return 0;
 

security/selinux/netnode.c

@@ -312,9 +312,6 @@ static __init int sel_netnode_init(void)
 	int iter;
 	int ret;
 
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enabled = 1;
-#endif
 	if (!selinux_enabled)
 		return 0;
 

security/selinux/netport.c

@@ -247,9 +247,6 @@ static __init int sel_netport_init(void)
 {
 	int iter;
 	int ret;
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enabled = 1;
-#endif
 	if (!selinux_enabled)
 		return 0;
 

security/selinux/selinuxfs.c

@@ -166,20 +166,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 	length = -EINVAL;
 	if (sscanf(page, "%d", &new_value) != 1)
 		goto out;
-#ifdef CONFIG_ALWAYS_ENFORCE
-	// If build is user build and enforce option is set, selinux is always enforcing
-	new_value = 1;
-	length = task_has_security(current, SECURITY__SETENFORCE);
-	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                        "config_always_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u",
-                        new_value, selinux_enforcing,
-                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
-	selinux_enforcing = new_value;
-	avc_ss_reset(0);
-	selnl_notify_setenforce(new_value);
-	selinux_status_update_setenforce(new_value);
-#else
+
 	if (new_value != selinux_enforcing) {
 		length = task_has_security(current, SECURITY__SETENFORCE);
 		if (length)
@@ -195,7 +182,6 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 		selnl_notify_setenforce(selinux_enforcing);
 		selinux_status_update_setenforce(selinux_enforcing);
 	}
-#endif
 	length = count;
 out:
 	free_page((unsigned long) page);

security/selinux/ss/services.c

@@ -735,9 +735,6 @@ static int security_validtrans_handle_fail(struct context *ocontext,
 	kfree(n);
 	kfree(t);
 
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enforcing = 1;
-#endif
 	if (!selinux_enforcing)
 		return 0;
 	return -EPERM;
@@ -1360,9 +1357,6 @@ static int compute_sid_handle_invalid_context(
 	kfree(s);
 	kfree(t);
 	kfree(n);
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enforcing = 1;
-#endif
 	if (!selinux_enforcing)
 		return 0;
 	return -EACCES;
@@ -1653,9 +1647,6 @@ static inline int convert_context_handle_invalid_context(struct context *context
 {
 	char *s;
 	u32 len;
-#ifdef CONFIG_ALWAYS_ENFORCE
-	selinux_enforcing = 1;
-#endif
 	if (selinux_enforcing)
 		return -EINVAL;
 

security/selinux/ss/status.c

@@ -58,11 +58,7 @@ struct page *selinux_kernel_status_page(void)
 
 			status->version = SELINUX_KERNEL_STATUS_VERSION;
 			status->sequence = 0;
-#ifdef CONFIG_ALWAYS_ENFORCE
-			status->enforcing = 1;
-#else
 			status->enforcing = selinux_enforcing;
-#endif
 			/*
 			 * NOTE: the next policyload event shall set
 			 * a positive value on the status->policyload,