On Tue, Mar 8, 2022 at 5:11 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> The checkreqprot functionality was disabled by default back in
> Linux v4.4 (2015) with commit 2a35d196c160e3 ("selinux: change
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and it was
> officially marked as deprecated in Linux v5.7. It was always a
> bit of a hack to workaround very old userspace and to the best of
> our knowledge, the checkreqprot functionality has been disabled by
> Linux distributions for quite some time.
>
> This patch moves the deprecation messages from KERN_WARNING to
> KERN_ERR and adds a five second sleep to anyone using it to help
> draw their attention to the deprecation and provide a URL which
> helps explain things in more detail.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 4 +++-
> security/selinux/include/security.h | 6 ++++++
> security/selinux/selinuxfs.c | 4 ++--
> 3 files changed, 11 insertions(+), 3 deletions(-)

As with the runtime disable RFC, comments on the wiki text are welcome as well.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index b12e14b2797b..cff129f96e97 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -146,7 +146,7 @@ static int __init checkreqprot_setup(char *str)
> if (!kstrtoul(str, 0, &checkreqprot)) {
> selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
> if (checkreqprot)
> - pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
> + pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
> }
> return 1;
> }
> @@ -7295,6 +7295,8 @@ static __init int selinux_init(void)
>
> memset(&selinux_state, 0, sizeof(selinux_state));
> enforcing_set(&selinux_state, selinux_enforcing_boot);
> + if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
> + pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
> checkreqprot_set(&selinux_state, selinux_checkreqprot_boot);
> selinux_avc_init(&selinux_state.avc);
> mutex_init(&selinux_state.status_lock);
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index ace4bd13e808..f7e6be63adfb 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -16,6 +16,8 @@
> #include <linux/rcupdate.h>
> #include <linux/refcount.h>
> #include <linux/workqueue.h>
> +#include <linux/delay.h>
> +#include <linux/printk.h>
> #include "flask.h"
> #include "policycap.h"
>
> @@ -150,6 +152,10 @@ static inline bool checkreqprot_get(const struct selinux_state *state)
>
> static inline void checkreqprot_set(struct selinux_state *state, bool value)
> {
> + if (value) {
> + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
> + ssleep(5);
> + }
> WRITE_ONCE(state->checkreqprot, value);
> }
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 6568bc48cd3e..6c8b6a0ddecf 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
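Review bot: The new `if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)` check in selinux_init() reports the build-time default rather than the value that is applied on the next line, which is `selinux_checkreqprot_boot`; the checkreqprot_setup() hunk above assigns that variable from the `checkreqprot=` kernel parameter, so a system that has presumably already opted out on the command line still gets an error-level message about its Kconfig. If nagging about the Kconfig regardless of the boot override is the intent, a one-line comment would save the next reader the same question, e.g. `/* Complain about the Kconfig default even when checkreqprot= overrides it. */`. Otherwise the condition could test `selinux_checkreqprot_boot`, although that would duplicate the message checkreqprot_setup() already prints. selinux_init() starts and ends outside the hunk.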
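Review bot: The `ssleep(5)` added to checkreqprot_set() in security.h runs for every caller, including the selinux_init() call in the hooks.c hunk above, which executes during early boot; nothing in the hunk establishes that a five-second sleep is safe or meaningful before the scheduler and timers are fully up, so either confirm that, or keep the delay out of the header and apply it only on the selinuxfs write path where the caller is a user task. A sleep inside a `static inline` setter in a widely included header is also a surprise for readers (and now drags `linux/delay.h` into every includer), so if it stays it deserves a comment such as `/* Deliberate: enabling checkreqprot is deprecated, make it slow and loud so the URL below gets read. */`. The `pr_err` line itself prints only the URL with no statement of what it concerns, so on paths where the preceding message is not emitted it will read as an unexplained error. checkreqprot_set() is fully visible, but its callers are in other files.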
> @@ -757,8 +757,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
> char comm[sizeof(current->comm)];
>
> memcpy(comm, current->comm, sizeof(comm));
> - pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
> - comm, current->pid);
> + pr_err("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
> + comm, current->pid);
> }
>
> checkreqprot_set(fsi->state, (new_value ? 1 : 0));
> -- paul-moore.com
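Review bot: Replacing `pr_warn_once` with `pr_err` means every write of a non-zero value now emits an error-level line with the writer's comm and pid, and nothing in this hunk rate-limits it; in practice the `ssleep(5)` that checkreqprot_set() performs on the following line bounds one writer to a line every five seconds, but that coupling is invisible here and would silently vanish if the sleep is later moved or dropped. Either switch to `pr_err_ratelimited(...)` or record the dependency, e.g. `/* Not _once on purpose; the ssleep() in checkreqprot_set() already throttles repeat writers. */`. The permission check and the parsing of new_value, as well as the function's return, lie outside the hunk, so sel_write_checkreqprot() is only partly visible here.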