On Wed, Sep 29, 2021 at 10:24 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> NOTE: This patch intentionally omits any "Fixes:" metadata or stable
> tagging since it removes a SELinux access control check; while
> removing the control point is the right thing to do moving forward,
> removing it in stable kernels could be seen as a regression.
>
> The original SELinux lockdown implementation in 59438b46471a
> ("security,lockdown,selinux: implement SELinux lockdown") used the
> current task's credentials as both the subject and object in the
> SELinux lockdown hook, selinux_lockdown(). Unfortunately that
> proved to be incorrect in a number of cases as the core kernel was
> calling the LSM lockdown hook in places where the credentials from
> the "current" task_struct were not the correct credentials to use
> in the SELinux access check.
>
> Attempts were made to resolve this by adding a credential pointer
> to the LSM lockdown hook as well as suggesting that the single hook
> be split into two: one for user tasks, one for kernel tasks; however
> neither approach was deemed acceptable by Linus. Faced with the
> prospect of either changing the subj/obj in the access check to a
> constant context (likely the kernel's label) or removing the SELinux
> lockdown check entirely, the SELinux community decided that removing
> the lockdown check was preferable.
>
> The supporting changes to the general LSM layer are left intact, this
> patch only removes the SELinux implementation.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 30 ------------------------------
> security/selinux/include/classmap.h | 2 --
> 2 files changed, 32 deletions(-)
A quick note regarding the selinux-testsuite: the lockdown related
tests fail, unsurprisingly, but everything else succeeds.
I'm going to give this patch 24 hours or so before merging, but once
merged we should probably consider just removing the lockdown tests
from the selinux-testsuite.
--
paul moore
www.paul-moore.com
