From patchwork Thu Dec 19 19:22:28 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11304327
Subject: [RFC PATCH] selinux: deprecate disabling SELinux and runtime
From: Paul Moore
To: selinux@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Date: Thu, 19 Dec 2019 14:22:28 -0500
Message-ID: <157678334821.158235.2125894638773393579.stgit@chester>
User-Agent: StGit/0.21

Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality. The code was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks, as documented in the Kconfig help text:

  NOTE: selecting this option will disable the '__ro_after_init' kernel hardening feature for security hooks. Please consider using the selinux=0 boot parameter instead of enabling this option.

Fortunately it looks as if the original motivation for the runtime disable functionality is gone, and Fedora/RHEL appears to be the only major distribution enabling this capability at build time so we are now taking steps to remove it entirely from the kernel.

The first step is to mark the functionality as deprecated and print an error when it is used (what this patch is doing). As Fedora/RHEL makes progress in transitioning the distribution away from runtime disable, we will introduce follow-up patches over several kernel releases which will block for increasing periods of time when the runtime disable is used. Finally we will remove the option entirely once we believe all users have moved to the kernel cmdline approach.

Signed-off-by: Paul Moore
Acked-by: Casey Schaufler
Acked-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
---
 security/selinux/Kconfig     | 3 +++
 security/selinux/selinuxfs.c | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 996d35d950f7..580ac24c7aa1 100644 --- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig @@ -42,6 +42,9 @@ config SECURITY_SELINUX_DISABLE using the selinux=0 boot parameter instead of enabling this option. + WARNING: this option is deprecated and will be removed in a future + kernel release. + If you are unsure how to answer this question, answer N. config SECURITY_SELINUX_DEVELOP diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 278417e67b4c..adbe2dd35202 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -281,6 +281,12 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, int new_value; int enforcing; + /* NOTE: we are now officially considering runtime disable as + * deprecated, and using it will become increasingly painful + * (e.g. sleeping/blocking) as we progress through future + * kernel releases until eventually it is removed */ + pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); + if (count >= PAGE_SIZE) return -ENOMEM;
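Review bot: In the Kconfig hunk, the deprecation is stated only inside the help text of SECURITY_SELINUX_DISABLE, so someone enabling the option from a saved config or from the menu without opening the help never sees it. Consider also marking the option's prompt as deprecated, and have the new "WARNING: this option is deprecated" paragraph repeat that selinux=0 on the kernel command line is the replacement, so the warning reads correctly on its own. Since the commit message describes a multi-release removal plan (error message, then increasing blocking, then removal), a short entry in the kernel's ABI documentation describing that schedule would give distributions something to reference.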
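Review bot: In sel_write_disable(), the pr_err() sits above the "if (count >= PAGE_SIZE)" check and before new_value is parsed, so the deprecation error is logged on every write to the disable node, including oversized or malformed writes and writes that do not ask for a disable at all. I would move it to the point where a non-zero new_value has been parsed and the disable is actually about to happen, so the log line corresponds to a real use of the deprecated feature. The message is also unthrottled; pr_err_once() or a ratelimited variant would keep a caller that writes in a loop from filling the kernel log. Style nit: the multi-line comment closes with "*/" on the same line as "it is removed"; the usual kernel form puts the closing "*/" on its own line.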