Linux Security Modules development
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <paul@paul-moore.com>, selinux@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [RFC PATCH] selinux: deprecate disabling SELinux and runtime
Date: Thu, 19 Dec 2019 15:40:01 -0800	[thread overview]
Message-ID: <a023c681-3ede-a08d-d9ea-67ab49f10aa3@schaufler-ca.com> (raw)
In-Reply-To: <157678334821.158235.2125894638773393579.stgit@chester>

On 12/19/2019 11:22 AM, Paul Moore wrote:
> Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> code was originally developed to make it easier for Linux
> distributions to support architectures where adding parameters to the
> kernel command line was difficult.  Unfortunately, supporting runtime
> disable meant we had to make some security trade-offs when it came to
> the LSM hooks, as documented in the Kconfig help text:
>
>   NOTE: selecting this option will disable the '__ro_after_init'
>   kernel hardening feature for security hooks.   Please consider
>   using the selinux=0 boot parameter instead of enabling this
>   option.
>
> Fortunately it looks as if that the original motivation for the
> runtime disable functionality is gone, and Fedora/RHEL appears to be
> the only major distribution enabling this capability at build time
> so we are now taking steps to remove it entirely from the kernel.
> The first step is to mark the functionality as deprecated and print
> an error when it is used (what this patch is doing).  As Fedora/RHEL
> makes progress in transitioning the distribution away from runtime
> disable, we will introduce follow-up patches over several kernel
> releases which will block for increasing periods of time when the
> runtime disable is used.  Finally we will remove the option entirely
> once we believe all users have moved to the kernel cmdline approach.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  security/selinux/Kconfig     |    3 +++
>  security/selinux/selinuxfs.c |    6 ++++++
>  2 files changed, 9 insertions(+)
>
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index 996d35d950f7..580ac24c7aa1 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -42,6 +42,9 @@ config SECURITY_SELINUX_DISABLE
>  	  using the selinux=0 boot parameter instead of enabling this
>  	  option.
>  
> +	  WARNING: this option is deprecated and will be removed in a future
> +	  kernel release.
> +
>  	  If you are unsure how to answer this question, answer N.
>  
>  config SECURITY_SELINUX_DEVELOP
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 278417e67b4c..adbe2dd35202 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -281,6 +281,12 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
>  	int new_value;
>  	int enforcing;
>  
> +	/* NOTE: we are now officially considering runtime disable as
> +	 *       deprecated, and using it will become increasingly painful
> +	 *       (e.g. sleeping/blocking) as we progress through future
> +	 *       kernel releases until eventually it is removed */
> +	pr_err("SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
> +
>  	if (count >= PAGE_SIZE)
>  		return -ENOMEM;
>  
>
>

  reply	other threads:[~2019-12-19 23:40 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-19 19:22 [RFC PATCH] selinux: deprecate disabling SELinux and runtime Paul Moore
2019-12-19 23:40 ` Casey Schaufler [this message]
2020-01-02  9:23 ` Ondrej Mosnacek
2020-01-02 21:38   ` Paul Moore
2020-01-03  9:32     ` Ondrej Mosnacek
2020-01-03 15:55       ` Paul Moore
2020-01-06 21:26 ` Stephen Smalley
2020-01-07  3:29   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a023c681-3ede-a08d-d9ea-67ab49f10aa3@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox