[PATCH] selinux: provide a "no sooner than" date for the checkreqprot removal

[PATCH] selinux: provide a "no sooner than" date for the checkreqprot removal

[Paul Moore]

We marked /sys/fs/selinux/checkreqprot as deprecated in Linux v5.7,
but didn't provide any guidance as to the timeframe.  Considering
the state of checkreqprot, it seems like one year should be enough
time.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 .../ABI/obsolete/sysfs-selinux-checkreqprot        |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
index 49ed9c8fd1e5..ed6b52ca210f 100644
--- a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
+++ b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
@@ -15,7 +15,7 @@ Description:
 	actual protection), and Android and Linux distributions have been
 	explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
 	initialization for some time.  Support for setting checkreqprot to 1
-	will be	removed in a future kernel release, at which point the kernel
+	will be	removed no sooner than June 2021, at which point the kernel
 	will always cease using checkreqprot internally and will always
 	check the actual protections being applied upon mmap/mprotect calls.
 	The checkreqprot selinuxfs node will remain for backward compatibility

Re: [PATCH] selinux: provide a "no sooner than" date for the checkreqprot removal

[Stephen Smalley]

On Sun, Sep 27, 2020 at 10:37 PM Paul Moore <paul@paul-moore.com> wrote:
>
> We marked /sys/fs/selinux/checkreqprot as deprecated in Linux v5.7,
> but didn't provide any guidance as to the timeframe.  Considering
> the state of checkreqprot, it seems like one year should be enough
> time.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH] selinux: provide a "no sooner than" date for the checkreqprot removal

[Paul Moore]

On Sun, Sep 27, 2020 at 10:37 PM Paul Moore <paul@paul-moore.com> wrote:
>
> We marked /sys/fs/selinux/checkreqprot as deprecated in Linux v5.7,
> but didn't provide any guidance as to the timeframe.  Considering
> the state of checkreqprot, it seems like one year should be enough
> time.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  .../ABI/obsolete/sysfs-selinux-checkreqprot        |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
> index 49ed9c8fd1e5..ed6b52ca210f 100644
> --- a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
> +++ b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
> @@ -15,7 +15,7 @@ Description:
>         actual protection), and Android and Linux distributions have been
>         explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
>         initialization for some time.  Support for setting checkreqprot to 1
> -       will be removed in a future kernel release, at which point the kernel
> +       will be removed no sooner than June 2021, at which point the kernel
>         will always cease using checkreqprot internally and will always
>         check the actual protections being applied upon mmap/mprotect calls.
>         The checkreqprot selinuxfs node will remain for backward compatibility

As this is a minor documentation change and not anything more
significant I've gone ahead and merged this into selinux/next.

-- 
paul moore
www.paul-moore.com