Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Documentation,selinux: deprecate setting checkreqprot to 1

Deprecate setting the SELinux checkreqprot tunable to 1 via kernel
parameter or /sys/fs/selinux/checkreqprot. Setting it to 0 is left
intact for compatibility since Android and some Linux distributions
do so for security and treat an inability to set it as a fatal error.
Eventually setting it to 0 will become a no-op and the kernel will
stop using checkreqprot's value internally altogether.

checkreqprot was originally introduced as a compatibility mechanism
for legacy userspace and the READ_IMPLIES_EXEC personality flag.
However, if set to 1, it weakens security by allowing mappings to be
made executable without authorization by policy. The default value
for the SECURITY_SELINUX_CHECKREQPROT_VALUE config option was changed
from 1 to 0 in commit 2a35d196c160e3 ("selinux: change
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and both Android
and Linux distributions began explicitly setting
/sys/fs/selinux/checkreqprot to 0 some time ago.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Authored by Stephen Smalley and committed by Paul Moore
e9c38f9f 4b36cb77

+40 -1
+23
Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
··· 1 + What: /sys/fs/selinux/checkreqprot 2 + Date: April 2005 (predates git) 3 + KernelVersion: 2.6.12-rc2 (predates git) 4 + Contact: selinux@vger.kernel.org 5 + Description: 6 + 7 + The selinuxfs "checkreqprot" node allows SELinux to be configured 8 + to check the protection requested by userspace for mmap/mprotect 9 + calls instead of the actual protection applied by the kernel. 10 + This was a compatibility mechanism for legacy userspace and 11 + for the READ_IMPLIES_EXEC personality flag. However, if set to 12 + 1, it weakens security by allowing mappings to be made executable 13 + without authorization by policy. The default value of checkreqprot 14 + at boot was changed starting in Linux v4.4 to 0 (i.e. check the 15 + actual protection), and Android and Linux distributions have been 16 + explicitly writing a "0" to /sys/fs/selinux/checkreqprot during 17 + initialization for some time. Support for setting checkreqprot to 1 18 + will be removed in a future kernel release, at which point the kernel 19 + will always cease using checkreqprot internally and will always 20 + check the actual protections being applied upon mmap/mprotect calls. 21 + The checkreqprot selinuxfs node will remain for backward compatibility 22 + but will discard writes of the "0" value and will reject writes of the 23 + "1" value when this mechanism is removed.
+1
Documentation/admin-guide/kernel-parameters.txt
··· 518 518 Default value is set via a kernel config option. 519 519 Value can be changed at runtime via 520 520 /sys/fs/selinux/checkreqprot. 521 + Setting checkreqprot to 1 is deprecated. 521 522 522 523 cio_ignore= [S390] 523 524 See Documentation/s390/common_io.rst for details.
+1
MAINTAINERS
··· 14986 14986 F: scripts/selinux/ 14987 14987 F: Documentation/admin-guide/LSM/SELinux.rst 14988 14988 F: Documentation/ABI/obsolete/sysfs-selinux-disable 14989 + F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot 14989 14990 14990 14991 SENSABLE PHANTOM 14991 14992 M: Jiri Slaby <jirislaby@gmail.com>
+3
security/selinux/Kconfig
··· 88 88 'checkreqprot=' boot parameter. It may also be changed at runtime 89 89 via /sys/fs/selinux/checkreqprot if authorized by policy. 90 90 91 + WARNING: this option is deprecated and will be removed in a future 92 + kernel release. 93 + 91 94 If you are unsure how to answer this question, answer 0. 92 95 93 96 config SECURITY_SELINUX_SIDTAB_HASH_BITS
+4 -1
security/selinux/hooks.c
··· 142 142 { 143 143 unsigned long checkreqprot; 144 144 145 - if (!kstrtoul(str, 0, &checkreqprot)) 145 + if (!kstrtoul(str, 0, &checkreqprot)) { 146 146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 147 + if (checkreqprot) 148 + pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); 149 + } 147 150 return 1; 148 151 } 149 152 __setup("checkreqprot=", checkreqprot_setup);
+8
security/selinux/selinuxfs.c
··· 668 668 if (sscanf(page, "%u", &new_value) != 1) 669 669 goto out; 670 670 671 + if (new_value) { 672 + char comm[sizeof(current->comm)]; 673 + 674 + memcpy(comm, current->comm, sizeof(comm)); 675 + pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n", 676 + comm, current->pid); 677 + } 678 + 671 679 fsi->state->checkreqprot = new_value ? 1 : 0; 672 680 length = count; 673 681 out:
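Review bot: In the new Documentation/ABI/obsolete/sysfs-selinux-checkreqprot entry, the sentence "the kernel will always cease using checkreqprot internally and will always check the actual protections" reads awkwardly with the doubled "always"; suggest "the kernel will cease using checkreqprot internally and will always check the actual protections being applied upon mmap/mprotect calls". The closing sentence says the node "will reject writes of the "1" value", but the selinuxfs write path in this same patch coerces any non-zero input (`fsi->state->checkreqprot = new_value ? 1 : 0;`), so "writes of any non-zero value" would describe the future behaviour more precisely.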
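Review bot: In security/selinux/hooks.c, checkreqprot_setup() now warns when the boot parameter is non-zero, but a value that kstrtoul() cannot parse is still dropped silently and the boot setting is left untouched; since this is a deprecation path whose whole purpose is to make the setting visible, consider a pr_warn() on the parse failure as well so a malformed checkreqprot= is not mistaken for an accepted "0". The warning text says "set to 1" while any non-zero value triggers it, which is consistent with the `checkreqprot ? 1 : 0` normalization on the line above, so no change is needed there.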
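Review bot: In security/selinux/selinuxfs.c, the open-coded `memcpy(comm, current->comm, sizeof(comm));` reads current->comm without task_lock(); the kernel's helper for this is get_task_comm(comm, current), which takes the lock and checks the buffer size at compile time, so suggest using it in place of the local memcpy. Separately, pr_warn_once() means only the first process that writes a non-zero value is ever named in the log; if the intent is to let administrators identify every writer during the deprecation window, pr_warn_ratelimited() would report each occurrence while still bounding log noise.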