Commit a7e4676e authored by Paul Moore's avatar Paul Moore

selinux: remove the 'checkreqprot' functionality

We originally promised that the SELinux 'checkreqprot' functionality
would be removed no sooner than June 2021, and now that it is March
2023 it seems like it is a good time to do the final removal.  The
deprecation notice in the kernel provides plenty of detail on why
'checkreqprot' is not desirable, with the key point repeated below:

  This was a compatibility mechanism for legacy userspace and
  for the READ_IMPLIES_EXEC personality flag.  However, if set to
  1, it weakens security by allowing mappings to be made executable
  without authorization by policy.  The default value of checkreqprot
  at boot was changed starting in Linux v4.4 to 0 (i.e. check the
  actual protection), and Android and Linux distributions have been
  explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
  initialization for some time.

Along with the official deprecation notice, we have been discussing
this on-list and directly with several of the larger SELinux-based
distros and everyone is happy to see this feature finally removed.
In an attempt to catch all of the smaller, and DIY, Linux systems
we have been writing a deprecation notice URL into the kernel log,
along with a growing ssleep() penalty, when admins enabled
checkreqprot at runtime or via the kernel command line.  We have
yet to have anyone come to us and raise an objection to the
deprecation or planned removal.

It is worth noting that while this patch removes the checkreqprot
functionality, it leaves the user visible interfaces (kernel command
line and selinuxfs file) intact, just inert.  This should help
prevent breakages with existing userspace tools that correctly, but
unnecessarily, disable checkreqprot at boot or runtime.  Admins
that attempt to enable checkreqprot will be met with a removal
message in the kernel log.
Acked-by: default avatarStephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent e67b7985
...@@ -4,6 +4,9 @@ KernelVersion: 2.6.12-rc2 (predates git) ...@@ -4,6 +4,9 @@ KernelVersion: 2.6.12-rc2 (predates git)
Contact: selinux@vger.kernel.org Contact: selinux@vger.kernel.org
Description: Description:
REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in
March 2023, the original deprecation notice is shown below.
The selinuxfs "checkreqprot" node allows SELinux to be configured The selinuxfs "checkreqprot" node allows SELinux to be configured
to check the protection requested by userspace for mmap/mprotect to check the protection requested by userspace for mmap/mprotect
calls instead of the actual protection applied by the kernel. calls instead of the actual protection applied by the kernel.
......
...@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS ...@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
/sys/fs/selinux/avc/cache_stats, which may be monitored via /sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat. tools such as avcstat.
config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
range 0 1
default 0
help
This option sets the default value for the 'checkreqprot' flag
that determines whether SELinux checks the protection requested
by the application or the protection that will be applied by the
kernel (including any implied execute for read-implies-exec) for
mmap and mprotect calls. If this option is set to 0 (zero),
SELinux will default to checking the protection that will be applied
by the kernel. If this option is set to 1 (one), SELinux will
default to checking the protection requested by the application.
The checkreqprot flag may be changed from the default via the
'checkreqprot=' boot parameter. It may also be changed at runtime
via /sys/fs/selinux/checkreqprot if authorized by policy.
WARNING: this option is deprecated and will be removed in a future
kernel release.
If you are unsure how to answer this question, answer 0.
config SECURITY_SELINUX_SIDTAB_HASH_BITS config SECURITY_SELINUX_SIDTAB_HASH_BITS
int "NSA SELinux sidtab hashtable size" int "NSA SELinux sidtab hashtable size"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX
......
...@@ -136,17 +136,13 @@ static int __init selinux_enabled_setup(char *str) ...@@ -136,17 +136,13 @@ static int __init selinux_enabled_setup(char *str)
__setup("selinux=", selinux_enabled_setup); __setup("selinux=", selinux_enabled_setup);
#endif #endif
static unsigned int selinux_checkreqprot_boot =
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
static int __init checkreqprot_setup(char *str) static int __init checkreqprot_setup(char *str)
{ {
unsigned long checkreqprot; unsigned long checkreqprot;
if (!kstrtoul(str, 0, &checkreqprot)) { if (!kstrtoul(str, 0, &checkreqprot)) {
selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
if (checkreqprot) if (checkreqprot)
pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
} }
return 1; return 1;
} }
...@@ -3712,7 +3708,8 @@ static int selinux_mmap_addr(unsigned long addr) ...@@ -3712,7 +3708,8 @@ static int selinux_mmap_addr(unsigned long addr)
return rc; return rc;
} }
static int selinux_mmap_file(struct file *file, unsigned long reqprot, static int selinux_mmap_file(struct file *file,
unsigned long reqprot __always_unused,
unsigned long prot, unsigned long flags) unsigned long prot, unsigned long flags)
{ {
struct common_audit_data ad; struct common_audit_data ad;
...@@ -3727,23 +3724,17 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot, ...@@ -3727,23 +3724,17 @@ static int selinux_mmap_file(struct file *file, unsigned long reqprot,
return rc; return rc;
} }
if (checkreqprot_get())
prot = reqprot;
return file_map_prot_check(file, prot, return file_map_prot_check(file, prot,
(flags & MAP_TYPE) == MAP_SHARED); (flags & MAP_TYPE) == MAP_SHARED);
} }
static int selinux_file_mprotect(struct vm_area_struct *vma, static int selinux_file_mprotect(struct vm_area_struct *vma,
unsigned long reqprot, unsigned long reqprot __always_unused,
unsigned long prot) unsigned long prot)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
u32 sid = cred_sid(cred); u32 sid = cred_sid(cred);
if (checkreqprot_get())
prot = reqprot;
if (default_noexec && if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
int rc = 0; int rc = 0;
...@@ -7202,9 +7193,6 @@ static __init int selinux_init(void) ...@@ -7202,9 +7193,6 @@ static __init int selinux_init(void)
memset(&selinux_state, 0, sizeof(selinux_state)); memset(&selinux_state, 0, sizeof(selinux_state));
enforcing_set(selinux_enforcing_boot); enforcing_set(selinux_enforcing_boot);
if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
checkreqprot_set(selinux_checkreqprot_boot);
selinux_avc_init(); selinux_avc_init();
mutex_init(&selinux_state.status_lock); mutex_init(&selinux_state.status_lock);
mutex_init(&selinux_state.policy_mutex); mutex_init(&selinux_state.policy_mutex);
......
...@@ -95,7 +95,6 @@ struct selinux_state { ...@@ -95,7 +95,6 @@ struct selinux_state {
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
bool enforcing; bool enforcing;
#endif #endif
bool checkreqprot;
bool initialized; bool initialized;
bool policycap[__POLICYDB_CAP_MAX]; bool policycap[__POLICYDB_CAP_MAX];
...@@ -145,14 +144,8 @@ static inline void enforcing_set(bool value) ...@@ -145,14 +144,8 @@ static inline void enforcing_set(bool value)
static inline bool checkreqprot_get(void) static inline bool checkreqprot_get(void)
{ {
return READ_ONCE(selinux_state.checkreqprot); /* non-zero/true checkreqprot values are no longer supported */
} return 0;
static inline void checkreqprot_set(bool value)
{
if (value)
pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
WRITE_ONCE(selinux_state.checkreqprot, value);
} }
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
......
...@@ -728,23 +728,20 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, ...@@ -728,23 +728,20 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
if (IS_ERR(page)) if (IS_ERR(page))
return PTR_ERR(page); return PTR_ERR(page);
length = -EINVAL; if (sscanf(page, "%u", &new_value) != 1) {
if (sscanf(page, "%u", &new_value) != 1) length = -EINVAL;
goto out; goto out;
}
length = count;
if (new_value) { if (new_value) {
char comm[sizeof(current->comm)]; char comm[sizeof(current->comm)];
memcpy(comm, current->comm, sizeof(comm)); memcpy(comm, current->comm, sizeof(comm));
pr_err("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n", pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n",
comm, current->pid); comm, current->pid);
} }
checkreqprot_set((new_value ? 1 : 0));
if (new_value)
ssleep(15);
length = count;
selinux_ima_measure_state(); selinux_ima_measure_state();
out: out:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment