From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Stephen Smalley, Paul Moore
Subject: [PATCH 6.12 059/206] selinux: prune /sys/fs/selinux/disable
Date: Tue, 12 May 2026 19:38:31 +0200
Message-ID: <20260512173934.091358987@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260512173932.810559588@linuxfoundation.org>
References: <20260512173932.810559588@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephen Smalley

commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.

Commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality") removed the underlying SELinux runtime disable
functionality but left everything else intact and started logging an
error message to warn any residual users. Prune it to just log an
error message once and to return count (i.e. all bytes written
successfully) to avoid breaking userspace. This also fixes a local DoS
from logspam.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman
--- security/selinux/selinuxfs.c | 36 +++++++----------------------------- 1 file changed, 7 insertions(+), 29 deletions(-) --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c 
@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct size_t count, loff_t *ppos) { - char *page; - ssize_t length; - int new_value; - - if (count >= PAGE_SIZE) - return -ENOMEM; - - /* No partial writes. */ - if (*ppos != 0) - return -EINVAL; - - page = memdup_user_nul(buf, count); - if (IS_ERR(page)) - return PTR_ERR(page); - - if (sscanf(page, "%d", &new_value) != 1) { - length = -EINVAL; - goto out; - } - length = count; - - if (new_value) { - pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); - pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n"); - } - -out: - kfree(page); - return length; + /* + * Setting disable is no longer supported, see + * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable + */ + pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n", + current->comm, current->pid); + return count; } static const struct file_operations sel_disable_ops = {
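Review bot: pr_err_once() in the new sel_write_disable() body fires on any write, where the removed code logged only under `if (new_value)`, so a write of 0 now consumes the single message and names a process that was not trying to disable anything, and no later writer is ever identified in the log. If once-per-boot is the intended trade-off for the logspam fix, the message should at least keep the removed hint "use selinux=0 on the kernel cmdline", which both the new comment and the new format string drop. The commit message explains that returning count avoids breaking userspace, but it should also say that the -ENOMEM and -EINVAL returns for oversized, non-zero-offset and unparsable writes are gone, since those writes now report success.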