On Tue, Jan 7, 2020 at 3:22 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
> parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
> intact for compatibility since Android and some Linux distributions
> do so for security and treat an inability to set it as a fatal error.
> Eventually setting it to 0 will become a no-op and the kernel will
> stop using checkreqprot's value internally altogether.
>
> checkreqprot was originally introduced as a compatibility mechanism
> for legacy userspace and the READ_IMPLIES_EXEC personality flag.
> However, if set to 1, it weakens security by allowing mappings to be
> made executable without authorization by policy. The default value
> for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
> from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
> and Linux distributions began explicitly setting
> /sys/fs/selinux/checkreqprot to 0 some time ago.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> RFC-only, not yet tested.
>
> Documentation/admin-guide/kernel-parameters.txt | 1 +
> security/selinux/Kconfig | 3 +++
> security/selinux/hooks.c | 4 ++++
> security/selinux/selinuxfs.c | 6 ++++++
> 4 files changed, 14 insertions(+)
No objection so long as the testing goes okay, although I don't think
we will see any surprises.
However, as you pointed out earlier, we should probably add an entry
to Documentation/ABI/obsolete; while the "checkreqprot" selinuxfs node
isn't going away, we are restricting it in a way which was previously
allowed.
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index eed51293d6cf..c894ddfa1393 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -512,6 +512,7 @@
> Default value is set via a kernel config option.
> Value can be changed at runtime via
> /sys/fs/selinux/checkreqprot.
> + Setting checkreqprot to 1 is deprecated.
>
> cio_ignore= [S390]
> See Documentation/s390/common_io.rst for details.
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index 1014cb0ee956..9e921fc72538 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -88,6 +88,9 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
> 'checkreqprot=' boot parameter. It may also be changed at runtime
> via /sys/fs/selinux/checkreqprot if authorized by policy.
>
> + WARNING: this option is deprecated and will be removed in a future
> + kernel release.
> +
> If you are unsure how to answer this question, answer 0.
>
> config SECURITY_SELINUX_SIDTAB_HASH_BITS
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 63a6e36abe9f..11d47bb7d40a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7149,7 +7149,11 @@ static __init int selinux_init(void)
>
> memset(&selinux_state, 0, sizeof(selinux_state));
> enforcing_set(&selinux_state, selinux_enforcing_boot);
> +
> selinux_state.checkreqprot = selinux_checkreqprot_boot;
> + if (selinux_state.checkreqprot)
> + pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated.\n");
> +
> selinux_ss_init(&selinux_state.ss);
> selinux_avc_init(&selinux_state.avc);
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 79c710911a3c..c6c136eee371 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -668,6 +668,12 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
> if (sscanf(page, "%u", &new_value) != 1)
> goto out;
>
> + if (new_value) {
> + char comm[sizeof(current->comm)];
> + memcpy(comm, current->comm, sizeof(comm));
> + pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated.\n", comm, current->pid);
> + }
> +
> fsi->state->checkreqprot = new_value ? 1 : 0;
> length = count;
> out:
> --
> 2.24.1
--
paul moore
www.paul-moore.com
