On Tue, Jun 2, 2020 at 8:47 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> We deprecated the SELinux runtime disable functionality in Linux
> v5.6, add a five second sleep to anyone using it to help draw their
> attention to the deprecation.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/selinuxfs.c | 2 ++
> 1 file changed, 2 insertions(+)
Warning: while trivial, I've done no testing beyond a quick compile
yet. I'm posting this now to see what everyone thinks about starting
to make it a bit more painful to use the runtime disable
functionality.
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 4781314c2510..07af1334d9c9 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -30,6 +30,7 @@
> #include <linux/uaccess.h>
> #include <linux/kobject.h>
> #include <linux/ctype.h>
> +#include <linux/delay.h>
>
> /* selinuxfs pseudo filesystem for exporting the security policy API.
> Based on the proc code and the fs/nfsd/nfsctl.c code. */
> @@ -287,6 +288,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
> * kernel releases until eventually it is removed
> */
> pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
> + ssleep(5);
>
> if (count >= PAGE_SIZE)
> return -ENOMEM;
>
--
paul moore
www.paul-moore.com
