* [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1
@ 2020-01-08 16:24 Stephen Smalley
2020-01-10 20:15 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-01-08 16:24 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, corbet, linux-doc, Stephen Smalley
Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
intact for compatibility since Android and some Linux distributions
do so for security and treat an inability to set it as a fatal error.
Eventually setting it to 0 will become a no-op and the kernel will
stop using checkreqprot's value internally altogether.
checkreqprot was originally introduced as a compatibility mechanism
for legacy userspace and the READ_IMPLIES_EXEC personality flag.
However, if set to 1, it weakens security by allowing mappings to be
made executable without authorization by policy. The default value
for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
and Linux distributions began explicitly setting
/sys/fs/selinux/checkreqprot to 0 some time ago.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
.../ABI/obsolete/sysfs-selinux-checkreqprot | 23 +++++++++++++++++++
.../admin-guide/kernel-parameters.txt | 1 +
MAINTAINERS | 1 +
security/selinux/Kconfig | 3 +++
security/selinux/hooks.c | 5 +++-
security/selinux/selinuxfs.c | 8 +++++++
6 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
diff --git a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
new file mode 100644
index 000000000000..49ed9c8fd1e5
--- /dev/null
+++ b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
@@ -0,0 +1,23 @@
+What: /sys/fs/selinux/checkreqprot
+Date: April 2005 (predates git)
+KernelVersion: 2.6.12-rc2 (predates git)
+Contact: selinux@vger.kernel.org
+Description:
+
+ The selinuxfs "checkreqprot" node allows SELinux to be configured
+ to check the protection requested by userspace for mmap/mprotect
+ calls instead of the actual protection applied by the kernel.
+ This was a compatibility mechanism for legacy userspace and
+ for the READ_IMPLIES_EXEC personality flag. However, if set to
+ 1, it weakens security by allowing mappings to be made executable
+ without authorization by policy. The default value of checkreqprot
+ at boot was changed starting in Linux v4.4 to 0 (i.e. check the
+ actual protection), and Android and Linux distributions have been
+ explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
+ initialization for some time. Support for setting checkreqprot to 1
+ will be removed in a future kernel release, at which point the kernel
+ will always cease using checkreqprot internally and will always
+ check the actual protections being applied upon mmap/mprotect calls.
+ The checkreqprot selinuxfs node will remain for backward compatibility
+ but will discard writes of the "0" value and will reject writes of the
+ "1" value when this mechanism is removed.
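Review bot: the penultimate sentence of the Description, "the kernel will always cease using checkreqprot internally and will always check the actual protections", reads oddly ("always cease") and both adverbs can go: "the kernel will cease using checkreqprot internally and will check the actual protections being applied". The Description also documents only the selinuxfs node, while the hooks.c hunk in this same patch deprecates the checkreqprot= boot parameter with a warning of its own; one sentence here saying the boot parameter is subject to the same deprecation and removal would let this file be the single reference that both warning messages can point at.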
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index eed51293d6cf..c894ddfa1393 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -512,6 +512,7 @@
Default value is set via a kernel config option.
Value can be changed at runtime via
/sys/fs/selinux/checkreqprot.
+ Setting checkreqprot to 1 is deprecated.
cio_ignore= [S390]
See Documentation/s390/common_io.rst for details.
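Review bot: the added line "Setting checkreqprot to 1 is deprecated." tells the reader less than the pr_warn() added in hooks.c, which says the value "will be rejected in a future kernel release"; stating that here too, and naming Documentation/ABI/obsolete/sysfs-selinux-checkreqprot, gives someone reading the boot-parameter documentation the same information the dmesg warning gives them.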
diff --git a/MAINTAINERS b/MAINTAINERS
index 9dc5767861b5..1af5e9e8abb5 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -14807,6 +14807,7 @@ F: security/selinux/
F: scripts/selinux/
F: Documentation/admin-guide/LSM/SELinux.rst
F: Documentation/ABI/obsolete/sysfs-selinux-disable
+F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
SENSABLE PHANTOM
M: Jiri Slaby <jirislaby@gmail.com>
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 1014cb0ee956..9e921fc72538 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -88,6 +88,9 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
'checkreqprot=' boot parameter. It may also be changed at runtime
via /sys/fs/selinux/checkreqprot if authorized by policy.
+ WARNING: this option is deprecated and will be removed in a future
+ kernel release.
+
If you are unsure how to answer this question, answer 0.
config SECURITY_SELINUX_SIDTAB_HASH_BITS
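Review bot: the new "WARNING: this option is deprecated and will be removed" sits directly above "If you are unsure how to answer this question, answer 0", which can be read as if answering 0 were also deprecated, whereas the commit message keeps 0 working and deprecates only 1. Phrase it the way the kernel-parameters hunk does, e.g. "WARNING: setting this option to 1 is deprecated and will be rejected in a future kernel release; 0 remains supported", so the help text and the boot warning agree on what is going away.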
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 63a6e36abe9f..6777e04fd942 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -142,8 +142,11 @@ static int __init checkreqprot_setup(char *str)
{
unsigned long checkreqprot;
- if (!kstrtoul(str, 0, &checkreqprot))
+ if (!kstrtoul(str, 0, &checkreqprot)) {
selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+ if (checkreqprot)
+ pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+ }
return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
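Review bot: the deprecation warning is only reached when kstrtoul() succeeds; a value such as checkreqprot=on fails the parse, falls through to "return 1" silently and leaves the Kconfig default in effect. That behaviour is pre-existing, but since this hunk already adds a pr_warn() on the boot path, an else branch warning about an unparseable value costs one line and stops a typo from silently keeping 1 on a kernel built with SECURITY_SELINUX_CHECKREQPROT_VALUE=1.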
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 79c710911a3c..d6566adc73a6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -668,6 +668,14 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
if (sscanf(page, "%u", &new_value) != 1)
goto out;
+ if (new_value) {
+ char comm[sizeof(current->comm)];
+
+ memcpy(comm, current->comm, sizeof(comm));
+ pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+ comm, current->pid);
+ }
+
fsi->state->checkreqprot = new_value ? 1 : 0;
length = count;
out:
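Review bot: the memcpy() of current->comm copies the task name without task_lock(), so a concurrent update of the name (for example through /proc/<pid>/comm) can yield a torn or unterminated string in comm; get_task_comm(comm, current) does the same copy under the lock and is the idiom used elsewhere in the kernel for exactly this. Separately, pr_warn_once() records only the first process that ever writes 1: if the purpose of printing comm and pid is to tell administrators who re-enabled the weak mode, a later writer with a different comm/pid goes unrecorded, so pr_warn_ratelimited() or an audit record would serve that purpose better.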
--
2.24.1
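The commit message above says that with checkreqprot=1 SELinux checks the protection userspace requested rather than the protection the kernel applies, and that the READ_IMPLIES_EXEC personality flag is what makes the two differ. The following C program is an added example, not part of Stephen Smalley's patch or of the kernel tree: it models the kernel's PROT_EXEC adjustment in a few pure functions (effective_prot, exec_escapes_policy and parse_checkreqprot are names chosen here, and the file_noexec flag is this example's simplification of the kernel's path_noexec() test), reads /sys/fs/selinux/checkreqprot if it is present, and reports whether the hardened value 0 is in effect.

```c
/*
 * Added example: why SELinux checkreqprot=1 is weaker than checkreqprot=0.
 * Not part of the patch above or of the kernel tree.
 *
 * checkreqprot=1: SELinux checks the protection userspace *requested*.
 * checkreqprot=0: SELinux checks the protection the kernel *applies*.
 * Under READ_IMPLIES_EXEC the kernel adds PROT_EXEC to any readable
 * mapping not backed by a noexec-mounted file, so a plain PROT_READ
 * request becomes an executable mapping that checkreqprot=1 never asks
 * policy about.  Build (Linux): cc -Wall -o checkreqprot_demo checkreqprot_demo.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/personality.h>

/*
 * Model of the kernel's READ_IMPLIES_EXEC adjustment in do_mmap().
 * file_noexec stands in for the kernel's path_noexec() test (this
 * example's simplification). Returns the protection actually applied.
 */
int effective_prot(int requested_prot, unsigned long persona, int file_noexec)
{
	int prot = requested_prot;

	if ((prot & PROT_READ) && (persona & READ_IMPLIES_EXEC) && !file_noexec)
		prot |= PROT_EXEC;
	return prot;
}

/*
 * 1 if the mapping ends up executable while the protection SELinux checks
 * under the given checkreqprot setting contains no PROT_EXEC, i.e. the
 * execution escapes policy; 0 otherwise.
 */
int exec_escapes_policy(int checkreqprot, int requested_prot,
			unsigned long persona, int file_noexec)
{
	int actual = effective_prot(requested_prot, persona, file_noexec);
	/* checkreqprot=1 checks the request, 0 checks what is applied. */
	int checked = checkreqprot ? requested_prot : actual;

	return (actual & PROT_EXEC) && !(checked & PROT_EXEC);
}

/*
 * Parse the contents of /sys/fs/selinux/checkreqprot ("0" or "1", with an
 * optional trailing newline). Returns 0 or 1, or -1 on anything else.
 */
int parse_checkreqprot(const char *buf)
{
	char *end;
	long v;

	if (!buf || !*buf)
		return -1;
	errno = 0;
	v = strtol(buf, &end, 10);
	if (errno || end == buf || (*end && *end != '\n') || (v != 0 && v != 1))
		return -1;
	return (int)v;
}

/* Live probe of the node; -1 when it is not readable (no selinuxfs). */
int read_checkreqprot_node(void)
{
	char buf[16] = { 0 };
	FILE *f = fopen("/sys/fs/selinux/checkreqprot", "r");
	int ret = -1;

	if (!f)
		return -1;
	if (fgets(buf, sizeof(buf), f))
		ret = parse_checkreqprot(buf);
	fclose(f);
	return ret;
}

int main(void)
{
	int node = read_checkreqprot_node();

	if (node < 0)
		printf("checkreqprot node not readable; showing the model only\n");
	else
		printf("/sys/fs/selinux/checkreqprot = %d (%s)\n", node,
		       node ? "deprecated: requested prot is checked"
			    : "hardened: actual prot is checked");

	/* Without READ_IMPLIES_EXEC, requested and actual protection agree. */
	printf("PROT_READ, no READ_IMPLIES_EXEC, checkreqprot=1: escapes=%d\n",
	       exec_escapes_policy(1, PROT_READ, 0, 0));
	/* With it, a PROT_READ request is mapped r-x; checkreqprot=1 misses that. */
	printf("PROT_READ, READ_IMPLIES_EXEC, checkreqprot=1: escapes=%d\n",
	       exec_escapes_policy(1, PROT_READ, READ_IMPLIES_EXEC, 0));
	printf("PROT_READ, READ_IMPLIES_EXEC, checkreqprot=0: escapes=%d\n",
	       exec_escapes_policy(0, PROT_READ, READ_IMPLIES_EXEC, 0));
	return 0;
}
```

On a host with selinuxfs mounted, a printed value of 1 is the configuration this patch deprecates; writing 0 to the node (as the commit message says Android and distributions already do at init) closes the gap the second printf line demonstrates.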
* Re: [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1
2020-01-08 16:24 [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1 Stephen Smalley
@ 2020-01-10 20:15 ` Paul Moore
2020-01-31 3:42 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2020-01-10 20:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, corbet, linux-doc
On Wed, Jan 8, 2020 at 11:24 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
> parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
> intact for compatibility since Android and some Linux distributions
> do so for security and treat an inability to set it as a fatal error.
> Eventually setting it to 0 will become a no-op and the kernel will
> stop using checkreqprot's value internally altogether.
>
> checkreqprot was originally introduced as a compatibility mechanism
> for legacy userspace and the READ_IMPLIES_EXEC personality flag.
> However, if set to 1, it weakens security by allowing mappings to be
> made executable without authorization by policy. The default value
> for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
> from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
> and Linux distributions began explicitly setting
> /sys/fs/selinux/checkreqprot to 0 some time ago.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> .../ABI/obsolete/sysfs-selinux-checkreqprot | 23 +++++++++++++++++++
> .../admin-guide/kernel-parameters.txt | 1 +
> MAINTAINERS | 1 +
> security/selinux/Kconfig | 3 +++
> security/selinux/hooks.c | 5 +++-
> security/selinux/selinuxfs.c | 8 +++++++
> 6 files changed, 40 insertions(+), 1 deletion(-)
> create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
I think this looks fine, but considering this week was the first time
we really discussed this, let's hold off until after the next merge
window so we get a full cycle in linux-next for folks to complain :)
--
paul moore
www.paul-moore.com
* Re: [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1
2020-01-10 20:15 ` Paul Moore
@ 2020-01-31 3:42 ` Paul Moore
0 siblings, 0 replies; 3+ messages in thread
From: Paul Moore @ 2020-01-31 3:42 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, corbet, linux-doc
On Fri, Jan 10, 2020 at 3:15 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Jan 8, 2020 at 11:24 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
> > parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
> > intact for compatibility since Android and some Linux distributions
> > do so for security and treat an inability to set it as a fatal error.
> > Eventually setting it to 0 will become a no-op and the kernel will
> > stop using checkreqprot's value internally altogether.
> >
> > checkreqprot was originally introduced as a compatibility mechanism
> > for legacy userspace and the READ_IMPLIES_EXEC personality flag.
> > However, if set to 1, it weakens security by allowing mappings to be
> > made executable without authorization by policy. The default value
> > for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
> > from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
> > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
> > and Linux distributions began explicitly setting
> > /sys/fs/selinux/checkreqprot to 0 some time ago.
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> > .../ABI/obsolete/sysfs-selinux-checkreqprot | 23 +++++++++++++++++++
> > .../admin-guide/kernel-parameters.txt | 1 +
> > MAINTAINERS | 1 +
> > security/selinux/Kconfig | 3 +++
> > security/selinux/hooks.c | 5 +++-
> > security/selinux/selinuxfs.c | 8 +++++++
> > 6 files changed, 40 insertions(+), 1 deletion(-)
> > create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
>
> I think this looks fine, but considering this week was the first time
> we really discussed this, let's hold off until after the next merge
> window so we get a full cycle in linux-next for folks to complain :)
I've queued this up in selinux/next, you'll see it in the tree once
the merge window closes.
--
paul moore
www.paul-moore.com