[RFC PATCH] selinux: deprecate disabling SELinux and runtime

Thu Jan 2 09:23:59 UTC 2020

On Thu, Dec 19, 2019 at 8:22 PM Paul Moore <paul at paul-moore.com> wrote:
> Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> code was originally developed to make it easier for Linux
> distributions to support architectures where adding parameters to the
> kernel command line was difficult.  Unfortunately, supporting runtime
> disable meant we had to make some security trade-offs when it came to
> the LSM hooks, as documented in the Kconfig help text:
>
>   NOTE: selecting this option will disable the '__ro_after_init'
>   kernel hardening feature for security hooks.   Please consider
>   using the selinux=0 boot parameter instead of enabling this
>   option.
>
> Fortunately it looks as if that the original motivation for the
> runtime disable functionality is gone, and Fedora/RHEL appears to be
> the only major distribution enabling this capability at build time
> so we are now taking steps to remove it entirely from the kernel.
> The first step is to mark the functionality as deprecated and print
> an error when it is used (what this patch is doing).  As Fedora/RHEL
> makes progress in transitioning the distribution away from runtime
> disable, we will introduce follow-up patches over several kernel
> releases which will block for increasing periods of time when the
> runtime disable is used.  Finally we will remove the option entirely
> once we believe all users have moved to the kernel cmdline approach.
>
> Signed-off-by: Paul Moore <paul at paul-moore.com>

Looks reasonable, informal ACK from me.

> ---
>  security/selinux/Kconfig     |    3 +++
>  security/selinux/selinuxfs.c |    6 ++++++
>  2 files changed, 9 insertions(+)
>
> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
> index 996d35d950f7..580ac24c7aa1 100644
> --- a/security/selinux/Kconfig
> +++ b/security/selinux/Kconfig
> @@ -42,6 +42,9 @@ config SECURITY_SELINUX_DISABLE
>           using the selinux=0 boot parameter instead of enabling this
>           option.
>
> +         WARNING: this option is deprecated and will be removed in a future
> +         kernel release.
> +
>           If you are unsure how to answer this question, answer N.
>
>  config SECURITY_SELINUX_DEVELOP
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 278417e67b4c..adbe2dd35202 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -281,6 +281,12 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
>         int new_value;
>         int enforcing;
>
> +       /* NOTE: we are now officially considering runtime disable as
> +        *       deprecated, and using it will become increasingly painful
> +        *       (e.g. sleeping/blocking) as we progress through future
> +        *       kernel releases until eventually it is removed */
> +       pr_err("SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
> +
>         if (count >= PAGE_SIZE)
>                 return -ENOMEM;
>
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.