Only allow disabling SELinux on userdebug / eng builds

Only parse and honor the kernel command line on userdebug or eng builds. On user builds, assume that selinux is always enabled and enforcing. Change-Id: I71c66e4365bdf2f226800634126a38b716d96599
2014-06-02 20:56:04 -07:00 · 2014-06-02 20:56:04 -07:00 · f3c85b2488
commit f3c85b2488
parent 676f7d509d
2 changed files with 5 additions and 1 deletions
--- a/init/Android.mk
+++ b/init/Android.mk
@ -25,7 +25,7 @@ LOCAL_CFLAGS    += -DBOOTCHART=1
 endif

 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
-LOCAL_CFLAGS += -DALLOW_LOCAL_PROP_OVERRIDE=1
+LOCAL_CFLAGS += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_DISABLE_SELINUX=1
 endif

 # Enable ueventd logging
--- a/init/init.c
+++ b/init/init.c
@ -868,6 +868,7 @@ void selinux_init_all_handles(void)

 static bool selinux_is_disabled(void)
 {
+#ifdef ALLOW_DISABLE_SELINUX
    char tmp[PROP_VALUE_MAX];

    if (access("/sys/fs/selinux", F_OK) != 0) {
@ -881,12 +882,14 @@ static bool selinux_is_disabled(void)
        /* SELinux is compiled into the kernel, but we've been told to disable it. */
        return true;
    }
+#endif

    return false;
 }

 static bool selinux_is_enforcing(void)
 {
+#ifdef ALLOW_DISABLE_SELINUX
    char tmp[PROP_VALUE_MAX];

    if (property_get("ro.boot.selinux", tmp) == 0) {
@ -903,6 +906,7 @@ static bool selinux_is_enforcing(void)
        ERROR("SELinux: Unknown value of ro.boot.selinux. Got: \"%s\". Assuming enforcing.\n", tmp);
    }

+#endif
    return true;
 }