+++ /dev/null
-What: /sys/fs/selinux/disable
-Date: April 2005 (predates git)
-KernelVersion: 2.6.12-rc2 (predates git)
-Contact: selinux@vger.kernel.org
-Description:
-
- The selinuxfs "disable" node allows SELinux to be disabled at runtime
- prior to a policy being loaded into the kernel. If disabled via this
- mechanism, SELinux will remain disabled until the system is rebooted.
-
- The preferred method of disabling SELinux is via the "selinux=0" boot
- parameter, but the selinuxfs "disable" node was created to make it
- easier for systems with primitive bootloaders that did not allow for
- easy modification of the kernel command line. Unfortunately, allowing
- for SELinux to be disabled at runtime makes it difficult to secure the
- kernel's LSM hooks using the "__ro_after_init" feature.
-
- Thankfully, the need for the SELinux runtime disable appears to be
- gone, the default Kconfig configuration disables this selinuxfs node,
- and only one of the major distributions, Fedora, supports disabling
- SELinux at runtime. Fedora is in the process of removing the
- selinuxfs "disable" node and once that is complete we will start the
- slow process of removing this code from the kernel.
-
- More information on /sys/fs/selinux/disable can be found under the
- CONFIG_SECURITY_SELINUX_DISABLE Kconfig option.
--- /dev/null
+What: /sys/fs/selinux/disable
+Date: April 2005 (predates git)
+KernelVersion: 2.6.12-rc2 (predates git)
+Contact: selinux@vger.kernel.org
+Description:
+
+ REMOVAL UPDATE: The SELinux runtime disable functionality was removed
+ in March 2023, the original deprecation notice is shown below.
+
+ The selinuxfs "disable" node allows SELinux to be disabled at runtime
+ prior to a policy being loaded into the kernel. If disabled via this
+ mechanism, SELinux will remain disabled until the system is rebooted.
+
+ The preferred method of disabling SELinux is via the "selinux=0" boot
+ parameter, but the selinuxfs "disable" node was created to make it
+ easier for systems with primitive bootloaders that did not allow for
+ easy modification of the kernel command line. Unfortunately, allowing
+ for SELinux to be disabled at runtime makes it difficult to secure the
+ kernel's LSM hooks using the "__ro_after_init" feature.
+
+ Thankfully, the need for the SELinux runtime disable appears to be
+ gone, the default Kconfig configuration disables this selinuxfs node,
+ and only one of the major distributions, Fedora, supports disabling
+ SELinux at runtime. Fedora is in the process of removing the
+ selinuxfs "disable" node and once that is complete we will start the
+ slow process of removing this code from the kernel.
+
+ More information on /sys/fs/selinux/disable can be found under the
+ CONFIG_SECURITY_SELINUX_DISABLE Kconfig option.
}
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
-/* Currently required to handle SELinux runtime hook disable. */
-#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
-#define __lsm_ro_after_init
-#else
-#define __lsm_ro_after_init __ro_after_init
-#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-
extern int lsm_inode_alloc(struct inode *inode);
#endif /* ! __LINUX_LSM_HOOKS_H */
If you are unsure how to answer this question, answer N.
-config SECURITY_WRITABLE_HOOKS
- depends on SECURITY
- bool
- default n
-
config SECURITYFS
bool "Enable the securityfs filesystem"
help
/*
* The cred blob is a pointer to, not an instance of, an aa_label.
*/
-struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct aa_label *),
.lbs_file = sizeof(struct aa_file_ctx),
.lbs_task = sizeof(struct aa_task_ctx),
};
-static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
LSM_HOOK_INIT(capget, apparmor_capget),
.get = param_get_aaintbool
};
/* Boot time disable flag */
-static int apparmor_enabled __lsm_ro_after_init = 1;
+static int apparmor_enabled __ro_after_init = 1;
module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
static int __init apparmor_enabled_setup(char *str)
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
-static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
#include <linux/lsm_hook_defs.h>
return 0;
}
-struct lsm_blob_sizes bpf_lsm_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes bpf_lsm_blob_sizes __ro_after_init = {
.lbs_inode = sizeof(struct bpf_storage_blob),
.lbs_task = sizeof(struct bpf_storage_blob),
};
#ifdef CONFIG_SECURITY
-static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list capability_hooks[] __ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
landlock_put_ruleset_deferred(dom);
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
LSM_HOOK_INIT(cred_free, hook_cred_free),
};
return -EACCES;
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
LSM_HOOK_INIT(sb_delete, hook_sb_delete),
return task_ptrace(parent, current);
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
};
#include "ptrace.h"
#include "setup.h"
-bool landlock_initialized __lsm_ro_after_init = false;
+bool landlock_initialized __ro_after_init = false;
-struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct landlock_cred_security),
.lbs_file = sizeof(struct landlock_file_security),
.lbs_inode = sizeof(struct landlock_inode_security),
return loadpin_check(NULL, (enum kernel_read_file_id) id);
}
-static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list loadpin_hooks[] __ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
return 0;
}
-static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list lockdown_hooks[] __ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
-struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+struct security_hook_heads security_hook_heads __ro_after_init;
static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
static struct kmem_cache *lsm_file_cache;
static struct kmem_cache *lsm_inode_cache;
char *lsm_names;
-static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
+static struct lsm_blob_sizes blob_sizes __ro_after_init;
/* Boot-time LSM user choice */
static __initdata const char *chosen_lsm_order;
If you are unsure how to answer this question, answer N.
-config SECURITY_SELINUX_DISABLE
- bool "NSA SELinux runtime disable"
- depends on SECURITY_SELINUX
- select SECURITY_WRITABLE_HOOKS
- default n
- help
- This option enables writing to a selinuxfs node 'disable', which
- allows SELinux to be disabled at runtime prior to the policy load.
- SELinux will then remain disabled until the next boot.
- This option is similar to the selinux=0 boot parameter, but is to
- support runtime disabling of SELinux, e.g. from /sbin/init, for
- portability across platforms where boot parameters are difficult
- to employ.
-
- NOTE: selecting this option will disable the '__ro_after_init'
- kernel hardening feature for security hooks. Please consider
- using the selinux=0 boot parameter instead of enabling this
- option.
-
- WARNING: this option is deprecated and will be removed in a future
- kernel release.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_SELINUX_DEVELOP
bool "NSA SELinux Development Support"
depends on SECURITY_SELINUX
}
#endif
-struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
.lbs_inode = sizeof(struct inode_security_struct),
* safely. Breaking the ordering rules above might lead to NULL pointer derefs
* when disabling SELinux at runtime.
*/
-static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
};
#if defined(CONFIG_NETFILTER)
-
static const struct nf_hook_ops selinux_nf_ops[] = {
{
.hook = selinux_ip_postroute,
return 0;
}
__initcall(selinux_nf_ip_init);
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static void selinux_nf_ip_exit(void)
-{
- pr_debug("SELinux: Unregistering netfilter hooks\n");
-
- unregister_pernet_subsys(&selinux_net_ops);
-}
-#endif
-
-#else /* CONFIG_NETFILTER */
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-#define selinux_nf_ip_exit()
-#endif
-
#endif /* CONFIG_NETFILTER */
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-int selinux_disable(void)
-{
- if (selinux_initialized()) {
- /* Not permitted after initial policy load. */
- return -EINVAL;
- }
-
- if (selinux_disabled()) {
- /* Only do this once. */
- return -EINVAL;
- }
-
- selinux_mark_disabled();
-
- pr_info("SELinux: Disabled at runtime.\n");
-
- /*
- * Unregister netfilter hooks.
- * Must be done before security_delete_hooks() to avoid breaking
- * runtime disable.
- */
- selinux_nf_ip_exit();
-
- security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
-
- /* Try to destroy the avc node cache */
- avc_disable();
-
- /* Unregister selinuxfs. */
- exit_sel_fs();
-
- return 0;
-}
-#endif
struct selinux_policy;
struct selinux_state {
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
- bool disabled;
-#endif
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
bool enforcing;
#endif
return 0;
}
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static inline bool selinux_disabled(void)
-{
- return READ_ONCE(selinux_state.disabled);
-}
-
-static inline void selinux_mark_disabled(void)
-{
- WRITE_ONCE(selinux_state.disabled, true);
-}
-#else
-static inline bool selinux_disabled(void)
-{
- return false;
-}
-#endif
-
static inline bool selinux_policycap_netpeer(void)
{
struct selinux_state *state = &selinux_state;
extern void selinux_status_update_setenforce(int enforcing);
extern void selinux_status_update_policyload(int seqno);
extern void selinux_complete_init(void);
-extern int selinux_disable(void);
extern void exit_sel_fs(void);
extern struct path selinux_null;
extern void selnl_notify_setenforce(int val);
.llseek = generic_file_llseek,
};
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
char *page;
ssize_t length;
int new_value;
- int enforcing;
-
- /* NOTE: we are now officially considering runtime disable as
- * deprecated, and using it will become increasingly painful
- * (e.g. sleeping/blocking) as we progress through future
- * kernel releases until eventually it is removed
- */
- pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
- ssleep(15);
if (count >= PAGE_SIZE)
return -ENOMEM;
if (IS_ERR(page))
return PTR_ERR(page);
- length = -EINVAL;
- if (sscanf(page, "%d", &new_value) != 1)
+ if (sscanf(page, "%d", &new_value) != 1) {
+ length = -EINVAL;
goto out;
+ }
+ length = count;
if (new_value) {
- enforcing = enforcing_enabled();
- length = selinux_disable();
- if (length)
- goto out;
- audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u ses=%u"
- " enabled=0 old-enabled=1 lsm=selinux res=1",
- enforcing, enforcing,
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
+ pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+ pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
}
- length = count;
out:
kfree(page);
return length;
}
-#else
-#define sel_write_disable NULL
-#endif
static const struct file_operations sel_disable_ops = {
.write = sel_write_disable,
}
__initcall(init_sel_fs);
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-void exit_sel_fs(void)
-{
- sysfs_remove_mount_point(fs_kobj, "selinux");
- dput(selinux_null.dentry);
- kern_unmount(selinuxfs_mount);
- unregister_filesystem(&sel_fs_type);
-}
-#endif
#endif /* CONFIG_IO_URING */
-struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
.lbs_inode = sizeof(struct inode_smack),
.lbs_superblock = sizeof(struct superblock_smack),
};
-static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
LSM_HOOK_INIT(syslog, smack_syslog),
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
-struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
.lbs_task = sizeof(struct tomoyo_task),
};
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
/* Lock for GC. */
DEFINE_SRCU(tomoyo_ss);
-int tomoyo_enabled __lsm_ro_after_init = 1;
+int tomoyo_enabled __ro_after_init = 1;
/**
* tomoyo_init - Register TOMOYO Linux as a LSM module.
return rc;
}
-static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list yama_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
LSM_HOOK_INIT(task_prctl, yama_task_prctl),
projects / linux.git / commitdiff