iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Documentation,selinux: deprecate setting checkreqprot to 1

Browse Source 
Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
parameter or /sys/fs/selinux/checkreqprot.  Setting it to 0 is left
intact for compatibility since Android and some Linux distributions
do so for security and treat an inability to set it as a fatal error.
Eventually setting it to 0 will become a no-op and the kernel will
stop using checkreqprot's value internally altogether.

checkreqprot was originally introduced as a compatibility mechanism
for legacy userspace and the READ_IMPLIES_EXEC personality flag.
However, if set to 1, it weakens security by allowing mappings to be
made executable without authorization by policy.  The default value
for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
from 1 to 0 in commit 2a35d196c1 ("selinux: change
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
and Linux distributions began explicitly setting
/sys/fs/selinux/checkreqprot to 0 some time ago.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Stephen Smalley 2020-01-08 11:24:47 -05:00 committed by Paul Moore
parent 4b36cb773a
commit e9c38f9fc2
6 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Documentation/ABI/obsolete/sysfs-selinux-checkreqprot Normal file
View File

@ -0,0 +1,23 @@
What: /sys/fs/selinux/checkreqprot
Date: April 2005 (predates git)
KernelVersion: 2.6.12-rc2 (predates git)
Contact: selinux@vger.kernel.org
Description:
The selinuxfs "checkreqprot" node allows SELinux to be configured
to check the protection requested by userspace for mmap/mprotect
calls instead of the actual protection applied by the kernel.
This was a compatibility mechanism for legacy userspace and
for the READ_IMPLIES_EXEC personality flag. However, if set to
1, it weakens security by allowing mappings to be made executable
without authorization by policy. The default value of checkreqprot
at boot was changed starting in Linux v4.4 to 0 (i.e. check the
actual protection), and Android and Linux distributions have been
explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
initialization for some time. Support for setting checkreqprot to 1
will be removed in a future kernel release, at which point the kernel
will always cease using checkreqprot internally and will always
check the actual protections being applied upon mmap/mprotect calls.
The checkreqprot selinuxfs node will remain for backward compatibility
but will discard writes of the "0" value and will reject writes of the
"1" value when this mechanism is removed.

1
Documentation/admin-guide/kernel-parameters.txt
View File

@ -518,6 +518,7 @@
Default value is set via a kernel config option. Default value is set via a kernel config option.
Value can be changed at runtime via Value can be changed at runtime via
/sys/fs/selinux/checkreqprot. /sys/fs/selinux/checkreqprot.
Setting checkreqprot to 1 is deprecated.
cio_ignore= [S390] cio_ignore= [S390]
See Documentation/s390/common_io.rst for details. See Documentation/s390/common_io.rst for details.

1
MAINTAINERS
View File

@ -14986,6 +14986,7 @@ F: security/selinux/
F: scripts/selinux/ F: scripts/selinux/
F: Documentation/admin-guide/LSM/SELinux.rst F: Documentation/admin-guide/LSM/SELinux.rst
F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/ABI/obsolete/sysfs-selinux-disable
F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
SENSABLE PHANTOM SENSABLE PHANTOM
M: Jiri Slaby <jirislaby@gmail.com> M: Jiri Slaby <jirislaby@gmail.com>

3
security/selinux/Kconfig
View File

@ -88,6 +88,9 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
'checkreqprot=' boot parameter. It may also be changed at runtime 'checkreqprot=' boot parameter. It may also be changed at runtime
via /sys/fs/selinux/checkreqprot if authorized by policy. via /sys/fs/selinux/checkreqprot if authorized by policy.
WARNING: this option is deprecated and will be removed in a future
kernel release.
If you are unsure how to answer this question, answer 0. If you are unsure how to answer this question, answer 0.
config SECURITY_SELINUX_SIDTAB_HASH_BITS config SECURITY_SELINUX_SIDTAB_HASH_BITS

5
security/selinux/hooks.c
View File

@ -142,8 +142,11 @@ static int __init checkreqprot_setup(char *str)
{ {
unsigned long checkreqprot; unsigned long checkreqprot;
if (!kstrtoul(str, 0, &checkreqprot)) if (!kstrtoul(str, 0, &checkreqprot)) {
selinux_checkreqprot_boot = checkreqprot ? 1 : 0; selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
if (checkreqprot)
pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
}
return 1; return 1;
} }
__setup("checkreqprot=", checkreqprot_setup); __setup("checkreqprot=", checkreqprot_setup);

8
security/selinux/selinuxfs.c
View File

@ -668,6 +668,14 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
if (sscanf(page, "%u", &new_value) != 1) if (sscanf(page, "%u", &new_value) != 1)
goto out; goto out;
if (new_value) {
char comm[sizeof(current->comm)];
memcpy(comm, current->comm, sizeof(comm));
pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
comm, current->pid);
}
fsi->state->checkreqprot = new_value ? 1 : 0; fsi->state->checkreqprot = new_value ? 1 : 0;
length = count; length = count;
out: out: