Message ID | 166389782245.2164705.1324707815130435654.stgit@olly (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Paul Moore |
Series | [RFC] selinux: increase the deprecation sleep for checkreqprot and runtime disable |

On Thu, Sep 22, 2022 at 9:50 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Further the checkreqprot and runtime disable deprecation efforts by
> increasing the sleep time from 5 to 15 seconds to help make this more
> noticeable for any users who are still using these knobs.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  security/selinux/selinuxfs.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

As a FYI, assuming no objections, this would be merged into
selinux/next *after* the upcoming merge window closes.

On 9/22/2022 6:50 PM, Paul Moore wrote: > Further the checkreqprot and runtime disable deprecation efforts by > increasing the sleep time from 5 to 15 seconds to help make this more > noticeable for any users who are still using these knobs. > > Signed-off-by: Paul Moore <paul@paul-moore.com> To the extent it matters, Acked-by: Casey Schaufler <casey@schaufler-ca.com> > --- > security/selinux/selinuxfs.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index a00d191394365..0a6894cdc54d9 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c > @@ -294,7 +294,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, > */ > pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); > pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); > - ssleep(5); > + ssleep(15); > > if (count >= PAGE_SIZE) > return -ENOMEM; > @@ -763,7 +763,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, > > checkreqprot_set(fsi->state, (new_value ? 1 : 0)); > if (new_value) > - ssleep(5); > + ssleep(15); > length = count; > > selinux_ima_measure_state(fsi->state); >

On Fri, Sep 23, 2022 at 11:25 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 9/22/2022 6:50 PM, Paul Moore wrote:
> > Further the checkreqprot and runtime disable deprecation efforts by
> > increasing the sleep time from 5 to 15 seconds to help make this more
> > noticeable for any users who are still using these knobs.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> To the extent it matters,
>
> Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Reviews *always* matter, even if sometimes the resulting conclusions
are determined by the majority to be flawed[1].

[1] This is not the case here, but some folks love to weaponize quotes
from the archives so I find it best to qualify absolute statements
such as this one.

On Thu, Sep 22, 2022 at 9:51 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Sep 22, 2022 at 9:50 PM Paul Moore <paul@paul-moore.com> wrote:
> >
> > Further the checkreqprot and runtime disable deprecation efforts by
> > increasing the sleep time from 5 to 15 seconds to help make this more
> > noticeable for any users who are still using these knobs.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  security/selinux/selinuxfs.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
>
> As a FYI, assuming no objections, this would be merged into
> selinux/next *after* the upcoming merge window closes.

I just merged this into selinux/next.

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index a00d191394365..0a6894cdc54d9 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -294,7 +294,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, */ pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); - ssleep(5); + ssleep(15); if (count >= PAGE_SIZE) return -ENOMEM; @@ -763,7 +763,7 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, checkreqprot_set(fsi->state, (new_value ? 1 : 0)); if (new_value) - ssleep(5); + ssleep(15); length = count; selinux_ima_measure_state(fsi->state);
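
Review bot: in the sel_write_disable() hunk the ssleep(15) still runs before the `if (count >= PAGE_SIZE)` check, so a write that is about to be rejected with -ENOMEM blocks its caller for the full 15 seconds too. If the delay is meant to apply to every write to this node, a one-line comment saying so would help; otherwise the sleep could move below the length check. The literal 15 is also repeated in sel_write_checkreqprot(), and a shared named constant would keep the two delays in step the next time the value changes.
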
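
Review bot: in the sel_write_checkreqprot() hunk the longer sleep sits between checkreqprot_set() and selinux_ima_measure_state(), so when new_value is non-zero the new setting is live for 15 seconds before the state is measured. Consider calling selinux_ima_measure_state(fsi->state) ahead of the `if (new_value) ssleep(15);` so the delay only holds up the writer's return and not the measurement.
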
Further the checkreqprot and runtime disable deprecation efforts by
increasing the sleep time from 5 to 15 seconds to help make this more
noticeable for any users who are still using these knobs.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/selinux/selinuxfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)