+++ /dev/null
-What: /sys/fs/selinux/checkreqprot
-Date: April 2005 (predates git)
-KernelVersion: 2.6.12-rc2 (predates git)
-Contact: selinux@vger.kernel.org
-Description:
-
- The selinuxfs "checkreqprot" node allows SELinux to be configured
- to check the protection requested by userspace for mmap/mprotect
- calls instead of the actual protection applied by the kernel.
- This was a compatibility mechanism for legacy userspace and
- for the READ_IMPLIES_EXEC personality flag. However, if set to
- 1, it weakens security by allowing mappings to be made executable
- without authorization by policy. The default value of checkreqprot
- at boot was changed starting in Linux v4.4 to 0 (i.e. check the
- actual protection), and Android and Linux distributions have been
- explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
- initialization for some time. Support for setting checkreqprot to 1
- will be removed no sooner than June 2021, at which point the kernel
- will always cease using checkreqprot internally and will always
- check the actual protections being applied upon mmap/mprotect calls.
- The checkreqprot selinuxfs node will remain for backward compatibility
- but will discard writes of the "0" value and will reject writes of the
- "1" value when this mechanism is removed.
--- /dev/null
+What: /sys/fs/selinux/checkreqprot
+Date: April 2005 (predates git)
+KernelVersion: 2.6.12-rc2 (predates git)
+Contact: selinux@vger.kernel.org
+Description:
+
+ REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in
+ March 2023, the original deprecation notice is shown below.
+
+ The selinuxfs "checkreqprot" node allows SELinux to be configured
+ to check the protection requested by userspace for mmap/mprotect
+ calls instead of the actual protection applied by the kernel.
+ This was a compatibility mechanism for legacy userspace and
+ for the READ_IMPLIES_EXEC personality flag. However, if set to
+ 1, it weakens security by allowing mappings to be made executable
+ without authorization by policy. The default value of checkreqprot
+ at boot was changed starting in Linux v4.4 to 0 (i.e. check the
+ actual protection), and Android and Linux distributions have been
+ explicitly writing a "0" to /sys/fs/selinux/checkreqprot during
+ initialization for some time. Support for setting checkreqprot to 1
+ will be removed no sooner than June 2021, at which point the kernel
+ will always cease using checkreqprot internally and will always
+ check the actual protections being applied upon mmap/mprotect calls.
+ The checkreqprot selinuxfs node will remain for backward compatibility
+ but will discard writes of the "0" value and will reject writes of the
+ "1" value when this mechanism is removed.
/sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat.
-config SECURITY_SELINUX_CHECKREQPROT_VALUE
- int "NSA SELinux checkreqprot default value"
- depends on SECURITY_SELINUX
- range 0 1
- default 0
- help
- This option sets the default value for the 'checkreqprot' flag
- that determines whether SELinux checks the protection requested
- by the application or the protection that will be applied by the
- kernel (including any implied execute for read-implies-exec) for
- mmap and mprotect calls. If this option is set to 0 (zero),
- SELinux will default to checking the protection that will be applied
- by the kernel. If this option is set to 1 (one), SELinux will
- default to checking the protection requested by the application.
- The checkreqprot flag may be changed from the default via the
- 'checkreqprot=' boot parameter. It may also be changed at runtime
- via /sys/fs/selinux/checkreqprot if authorized by policy.
-
- WARNING: this option is deprecated and will be removed in a future
- kernel release.
-
- If you are unsure how to answer this question, answer 0.
-
config SECURITY_SELINUX_SIDTAB_HASH_BITS
int "NSA SELinux sidtab hashtable size"
depends on SECURITY_SELINUX
__setup("selinux=", selinux_enabled_setup);
#endif
-static unsigned int selinux_checkreqprot_boot =
- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
-
static int __init checkreqprot_setup(char *str)
{
unsigned long checkreqprot;
if (!kstrtoul(str, 0, &checkreqprot)) {
- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
if (checkreqprot)
- pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+ pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
}
return 1;
}
return rc;
}
-static int selinux_mmap_file(struct file *file, unsigned long reqprot,
+static int selinux_mmap_file(struct file *file,
+ unsigned long reqprot __always_unused,
unsigned long prot, unsigned long flags)
{
struct common_audit_data ad;
return rc;
}
- if (checkreqprot_get())
- prot = reqprot;
-
return file_map_prot_check(file, prot,
(flags & MAP_TYPE) == MAP_SHARED);
}
static int selinux_file_mprotect(struct vm_area_struct *vma,
- unsigned long reqprot,
+ unsigned long reqprot __always_unused,
unsigned long prot)
{
const struct cred *cred = current_cred();
u32 sid = cred_sid(cred);
- if (checkreqprot_get())
- prot = reqprot;
-
if (default_noexec &&
(prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
int rc = 0;
memset(&selinux_state, 0, sizeof(selinux_state));
enforcing_set(selinux_enforcing_boot);
- if (CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)
- pr_err("SELinux: CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is non-zero. This is deprecated and will be rejected in a future kernel release.\n");
- checkreqprot_set(selinux_checkreqprot_boot);
selinux_avc_init();
mutex_init(&selinux_state.status_lock);
mutex_init(&selinux_state.policy_mutex);
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
bool enforcing;
#endif
- bool checkreqprot;
bool initialized;
bool policycap[__POLICYDB_CAP_MAX];
static inline bool checkreqprot_get(void)
{
- return READ_ONCE(selinux_state.checkreqprot);
-}
-
-static inline void checkreqprot_set(bool value)
-{
- if (value)
- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
- WRITE_ONCE(selinux_state.checkreqprot, value);
+ /* non-zero/true checkreqprot values are no longer supported */
+ return 0;
}
#ifdef CONFIG_SECURITY_SELINUX_DISABLE
if (IS_ERR(page))
return PTR_ERR(page);
- length = -EINVAL;
- if (sscanf(page, "%u", &new_value) != 1)
+ if (sscanf(page, "%u", &new_value) != 1) {
+ length = -EINVAL;
goto out;
+ }
+ length = count;
if (new_value) {
char comm[sizeof(current->comm)];
memcpy(comm, current->comm, sizeof(comm));
- pr_err("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+ pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n",
comm, current->pid);
}
- checkreqprot_set((new_value ? 1 : 0));
- if (new_value)
- ssleep(15);
- length = count;
-
selinux_ima_measure_state();
out:
projects / linux.git / commitdiff