From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, omosnace@redhat.com, corbet@lwn.net,
linux-doc@vger.kernel.org
Subject: Re: [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1
Date: Thu, 30 Jan 2020 22:42:36 -0500 [thread overview]
Message-ID: <CAHC9VhRf4qemBn9EEfwaxc9A11Z07o1P54wkpFVNtoTy2+QVyA@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhQFQypUnRExSr62aaeW3hQ1iaAdwguwu67v_Lc84h=5rQ@mail.gmail.com>
On Fri, Jan 10, 2020 at 3:15 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Jan 8, 2020 at 11:24 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
> > parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
> > intact for compatibility since Android and some Linux distributions
> > do so for security and treat an inability to set it as a fatal error.
> > Eventually setting it to 0 will become a no-op and the kernel will
> > stop using checkreqprot's value internally altogether.
> >
> > checkreqprot was originally introduced as a compatibility mechanism
> > for legacy userspace and the READ_IMPLIES_EXEC personality flag.
> > However, if set to 1, it weakens security by allowing mappings to be
> > made executable without authorization by policy. The default value
> > for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
> > from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
> > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
> > and Linux distributions began explicitly setting
> > /sys/fs/selinux/checkreqprot to 0 some time ago.
> >
> > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> > ---
> > .../ABI/obsolete/sysfs-selinux-checkreqprot | 23 +++++++++++++++++++
> > .../admin-guide/kernel-parameters.txt | 1 +
> > MAINTAINERS | 1 +
> > security/selinux/Kconfig | 3 +++
> > security/selinux/hooks.c | 5 +++-
> > security/selinux/selinuxfs.c | 8 +++++++
> > 6 files changed, 40 insertions(+), 1 deletion(-)
> > create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
>
> I think this looks fine, but considering this week was the first time
> we really discussed this, let's hold off until after the next merge
> window so we get a full cycle in linux-next for folks to complain :)
I've queued this up in selinux/next, you'll see it in the tree once
the merge window closes.
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2020-01-31 3:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 16:24 [PATCH] Documentation,selinux: deprecate setting checkreqprot to 1 Stephen Smalley
2020-01-10 20:15 ` Paul Moore
2020-01-31 3:42 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhRf4qemBn9EEfwaxc9A11Z07o1P54wkpFVNtoTy2+QVyA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=corbet@lwn.net \
--cc=linux-doc@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).