From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <paul@paul-moore.com>, keescook@chromium.org
Cc: James Morris <jmorris@namei.org>,
casey@schaufler-ca.com, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, casey.schaufler@intel.com,
linux-security-module@vger.kernel.org, corbet@lwn.net,
linux-doc@vger.kernel.org, linux-arch@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
Date: Tue, 2 Oct 2018 09:42:58 -0400 [thread overview]
Message-ID: <785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov> (raw)
In-Reply-To: <CAHC9VhQjMfH6Q+Tif8nBknZojgxrb6x+oDz4vHRiZN8rb8MZ5Q@mail.gmail.com>
On 10/02/2018 08:12 AM, Paul Moore wrote:
> On Mon, Oct 1, 2018 at 9:04 PM Kees Cook <keescook@chromium.org> wrote:
>> Since LSM enabling is now centralized with CONFIG_LSM_ENABLE and
>> "lsm.enable=...", this removes the LSM-specific enabling logic from
>> SELinux.
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> .../admin-guide/kernel-parameters.txt | 9 ------
>> security/selinux/Kconfig | 29 -------------------
>> security/selinux/hooks.c | 15 +---------
>> 3 files changed, 1 insertion(+), 52 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> index cf963febebb0..0d10ab3d020e 100644
>> --- a/Documentation/admin-guide/kernel-parameters.txt
>> +++ b/Documentation/admin-guide/kernel-parameters.txt
>> @@ -4045,15 +4045,6 @@
>> loaded. An invalid security module name will be treated
>> as if no module has been chosen.
>>
>> - selinux= [SELINUX] Disable or enable SELinux at boot time.
>> - Format: { "0" | "1" }
>> - See security/selinux/Kconfig help text.
>> - 0 -- disable.
>> - 1 -- enable.
>> - Default value is set via kernel config option.
>> - If enabled at boot time, /selinux/disable can be used
>> - later to disable prior to initial policy load.
>
> No comments yet on the rest of the patchset, but the subject line of
> this patch caught my eye and I wanted to comment quickly on this one
> ...
>
> Not a fan unfortunately.
>
> Much like the SELinux bits under /proc/self/attr, this is a user
> visible thing which has made its way into a lot of docs, scripts, and
> minds; I believe removing it would be a big mistake.
Yes, we can't suddenly break existing systems that had selinux=0 in
their grub config. We have to retain the support.
>
>> serialnumber [BUGS=X86-32]
>>
>> shapers= [NET]
>> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
>> index 8af7a690eb40..86936528a0bb 100644
>> --- a/security/selinux/Kconfig
>> +++ b/security/selinux/Kconfig
>> @@ -8,35 +8,6 @@ config SECURITY_SELINUX
>> You will also need a policy configuration and a labeled filesystem.
>> If you are unsure how to answer this question, answer N.
>>
>> -config SECURITY_SELINUX_BOOTPARAM
>> - bool "NSA SELinux boot parameter"
>> - depends on SECURITY_SELINUX
>> - default n
>> - help
>> - This option adds a kernel parameter 'selinux', which allows SELinux
>> - to be disabled at boot. If this option is selected, SELinux
>> - functionality can be disabled with selinux=0 on the kernel
>> - command line. The purpose of this option is to allow a single
>> - kernel image to be distributed with SELinux built in, but not
>> - necessarily enabled.
>> -
>> - If you are unsure how to answer this question, answer N.
>> -
>> -config SECURITY_SELINUX_BOOTPARAM_VALUE
>> - int "NSA SELinux boot parameter default value"
>> - depends on SECURITY_SELINUX_BOOTPARAM
>> - range 0 1
>> - default 1
>> - help
>> - This option sets the default value for the kernel parameter
>> - 'selinux', which allows SELinux to be disabled at boot. If this
>> - option is set to 0 (zero), the SELinux kernel parameter will
>> - default to 0, disabling SELinux at bootup. If this option is
>> - set to 1 (one), the SELinux kernel parameter will default to 1,
>> - enabling SELinux at bootup.
>> -
>> - If you are unsure how to answer this question, answer 1.
>> -
>> config SECURITY_SELINUX_DISABLE
>> bool "NSA SELinux runtime disable"
>> depends on SECURITY_SELINUX
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 71a10fedecb3..8f5eea097612 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -120,20 +120,7 @@ __setup("enforcing=", enforcing_setup);
>> #define selinux_enforcing_boot 1
>> #endif
>>
>> -#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
>> -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
>> -
>> -static int __init selinux_enabled_setup(char *str)
>> -{
>> - unsigned long enabled;
>> - if (!kstrtoul(str, 0, &enabled))
>> - selinux_enabled = enabled ? 1 : 0;
>> - return 1;
>> -}
>> -__setup("selinux=", selinux_enabled_setup);
>> -#else
>> -int selinux_enabled = 1;
>> -#endif
>> +int selinux_enabled __lsm_ro_after_init;
>>
>> static unsigned int selinux_checkreqprot_boot =
>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
>> --
>> 2.17.1
>>
>
>
next prev parent reply other threads:[~2018-10-02 13:41 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-02 0:54 [PATCH security-next v4 00/32] LSM: Explict LSM ordering Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 04/32] LSM: Remove initcall tracing Kees Cook
2018-10-02 21:14 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA Kees Cook
2018-10-02 21:15 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() Kees Cook
2018-10-02 21:16 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure Kees Cook
2018-10-02 21:17 ` James Morris
2018-10-02 0:54 ` [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures Kees Cook
2018-10-02 21:20 ` James Morris
2018-10-02 21:38 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 12/32] LSM: Provide separate ordered initialization Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" Kees Cook
2018-10-02 1:06 ` Randy Dunlap
2018-10-02 4:47 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic Kees Cook
2018-10-02 1:18 ` Randy Dunlap
2018-10-02 4:49 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 22/32] apparmor: Remove boot parameter Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 23/32] selinux: " Kees Cook
2018-10-02 12:12 ` Paul Moore
2018-10-02 13:42 ` Stephen Smalley [this message]
2018-10-02 14:44 ` Kees Cook
2018-10-02 14:58 ` Stephen Smalley
2018-10-02 16:33 ` Jordan Glover
2018-10-02 16:54 ` Kees Cook
2018-10-02 18:33 ` Stephen Smalley
2018-10-02 19:02 ` Kees Cook
2018-10-02 18:57 ` John Johansen
2018-10-02 19:17 ` Kees Cook
2018-10-02 19:47 ` John Johansen
2018-10-02 20:29 ` Kees Cook
2018-10-02 21:11 ` John Johansen
2018-10-02 22:06 ` James Morris
2018-10-02 23:06 ` Kees Cook
2018-10-02 23:46 ` John Johansen
2018-10-02 23:54 ` Kees Cook
2018-10-03 0:05 ` John Johansen
2018-10-03 0:12 ` Kees Cook
2018-10-03 13:15 ` John Johansen
2018-10-03 13:39 ` Stephen Smalley
2018-10-03 17:26 ` Kees Cook
2018-10-03 19:43 ` Stephen Smalley
2018-10-04 5:38 ` John Johansen
2018-10-04 16:02 ` Kees Cook
2018-10-08 14:25 ` Paul Moore
2018-10-03 18:17 ` James Morris
2018-10-03 18:20 ` Kees Cook
2018-10-03 18:28 ` James Morris
2018-10-03 20:10 ` Kees Cook
2018-10-03 20:36 ` Kees Cook
2018-10-03 21:19 ` James Morris
2018-10-04 5:56 ` John Johansen
2018-10-04 16:18 ` Kees Cook
2018-10-04 17:40 ` Jordan Glover
2018-10-04 17:42 ` Kees Cook
2018-10-03 21:34 ` James Morris
2018-10-03 23:55 ` Kees Cook
2018-10-03 23:59 ` Randy Dunlap
2018-10-04 0:03 ` Kees Cook
2018-10-04 6:22 ` John Johansen
2018-10-04 6:18 ` John Johansen
2018-10-04 17:49 ` James Morris
2018-10-05 0:05 ` Kees Cook
2018-10-05 4:58 ` James Morris
2018-10-05 16:29 ` James Morris
2018-10-05 16:35 ` Kees Cook
2018-10-02 23:28 ` John Johansen
2018-10-02 16:34 ` Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER Kees Cook
2018-10-02 0:54 ` [PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 28/32] Yama: " Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 29/32] LSM: Introduce enum lsm_order Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM Kees Cook
2018-10-02 0:55 ` [PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).