From f3c85b2488529404a170a28f9bc72538b1ace97d Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 2 Jun 2014 20:56:04 -0700
Subject: [PATCH] Only allow disabling SELinux on userdebug / eng builds
Only parse and honor the kernel command line on userdebug or eng builds. On user builds, assume that selinux is always enabled and enforcing.
Change-Id: I71c66e4365bdf2f226800634126a38b716d96599
---
 init/Android.mk | 2 +-
 init/init.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/init/Android.mk b/init/Android.mk
index 15a23be58..489dc93e1 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -25,7 +25,7 @@ LOCAL_CFLAGS += -DBOOTCHART=1
 endif
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
-LOCAL_CFLAGS += -DALLOW_LOCAL_PROP_OVERRIDE=1
+LOCAL_CFLAGS += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_DISABLE_SELINUX=1
 endif
 # Enable ueventd logging
diff --git a/init/init.c b/init/init.c
index 7ba25dc0a..c79929bf7 100644
--- a/init/init.c
+++ b/init/init.c
@@ -868,6 +868,7 @@ void selinux_init_all_handles(void)
 static bool selinux_is_disabled(void)
 {
+#ifdef ALLOW_DISABLE_SELINUX
 char tmp[PROP_VALUE_MAX];
 if (access("/sys/fs/selinux", F_OK) != 0) {
@@ -881,12 +882,14 @@ static bool selinux_is_disabled(void)
 /* SELinux is compiled into the kernel, but we've been told to disable it. */
 return true;
 }
+#endif
 return false;
 }
 static bool selinux_is_enforcing(void)
 {
+#ifdef ALLOW_DISABLE_SELINUX
 char tmp[PROP_VALUE_MAX];
 if (property_get("ro.boot.selinux", tmp) == 0) {
@@ -903,6 +906,7 @@ static bool selinux_is_enforcing(void)
 ERROR("SELinux: Unknown value of ro.boot.selinux. Got: \"%s\". Assuming enforcing.\n", tmp);
 }
+#endif
 return true;
 }
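Review bot: In init/Android.mk the new `-DALLOW_DISABLE_SELINUX=1` is appended to the `ALLOW_LOCAL_PROP_OVERRIDE` line with no comment, although it gates a security control rather than a debugging convenience. I would give it its own line, `LOCAL_CFLAGS += -DALLOW_DISABLE_SELINUX=1`, preceded by `# userdebug/eng only: lets init honor ro.boot.selinux; user builds always stay enforcing`. A separate, commented line keeps a later edit to the property-override flag from changing SELinux behaviour by accident and makes the switch easy to find in an audit.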
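Review bot: In the first init/init.c hunk the guard opens above `char tmp[PROP_VALUE_MAX];` in selinux_is_disabled(), so the `access("/sys/fs/selinux", F_OK)` probe is compiled out together with the property check. A user build therefore reports "not disabled" even when /sys/fs/selinux does not exist. That looks like the intended fail-closed behaviour, but what init does next on such a kernel depends on the caller, which this diff does not show. A comment above the guard would record the intent, for example `/* User builds never report SELinux as disabled, even if /sys/fs/selinux is absent. */`. The function body continues into the next hunk.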
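Review bot: The guard added in selinux_is_enforcing() in the second init/init.c hunk, like the one in selinux_is_disabled() in the hunk before it, uses `#ifdef ALLOW_DISABLE_SELINUX`, which tests only whether the macro is defined. A build that passes `-DALLOW_DISABLE_SELINUX=0` to switch the override off would still compile it in. Android.mk defines the macro as `=1`, so `#if ALLOW_DISABLE_SELINUX` (an undefined macro evaluates to 0 there) would make the value decide and fail closed. The matching `#endif` lines, including the one in the last hunk, would read better as `#endif /* ALLOW_DISABLE_SELINUX */`. Both function bodies are only partly visible in these hunks.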