summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul@paul-moore.com>2023-03-17 12:43:07 -0400
committerPaul Moore <paul@paul-moore.com>2023-03-20 12:34:23 -0400
commitf22f9aaf6c3d92ebd5ad9e67acc03afebaaeb289 (patch)
treec47a7b91ce9f53aebcc8398582a5232d640b5c65 /security
parenta7e4676e8e2cb158a4d24123de778087955e1b36 (diff)
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several years, we're finally at a place where we can disable the SELinux runtime disable functionality. The existing kernel deprecation notice explains the functionality and why we want to remove it: The selinuxfs "disable" node allows SELinux to be disabled at runtime prior to a policy being loaded into the kernel. If disabled via this mechanism, SELinux will remain disabled until the system is rebooted. The preferred method of disabling SELinux is via the "selinux=0" boot parameter, but the selinuxfs "disable" node was created to make it easier for systems with primitive bootloaders that did not allow for easy modification of the kernel command line. Unfortunately, allowing for SELinux to be disabled at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature. It is that last sentence, mentioning the '__ro_after_init' hardening, which is the real motivation for this change, and if you look at the diffstat you'll see that the impact of this patch reaches across all the different LSMs, helping prevent tampering at the LSM hook level. From a SELinux perspective, it is important to note that if you continue to disable SELinux via "/etc/selinux/config" it may appear that SELinux is disabled, but it is simply in an uninitialized state. If you load a policy with `load_policy -i`, you will see SELinux come alive just as if you had loaded the policy during early-boot. It is also worth noting that the "/sys/fs/selinux/disable" file is always writable now, regardless of the Kconfig settings, but writing to the file has no effect on the system, other than to display an error on the console if a non-zero/true value is written. Finally, in the several years where we have been working on deprecating this functionality, there has only been one instance of someone mentioning any user visible breakage. In this particular case it was an individual's kernel test system, and the workaround documented in the deprecation notice ("selinux=0" on the kernel command line) resolved the issue without problem. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig5
-rw-r--r--security/apparmor/lsm.c6
-rw-r--r--security/bpf/hooks.c4
-rw-r--r--security/commoncap.c2
-rw-r--r--security/landlock/cred.c2
-rw-r--r--security/landlock/fs.c2
-rw-r--r--security/landlock/ptrace.c2
-rw-r--r--security/landlock/setup.c4
-rw-r--r--security/loadpin/loadpin.c2
-rw-r--r--security/lockdown/lockdown.c2
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/Kconfig24
-rw-r--r--security/selinux/hooks.c57
-rw-r--r--security/selinux/include/security.h21
-rw-r--r--security/selinux/selinuxfs.c43
-rw-r--r--security/smack/smack_lsm.c4
-rw-r--r--security/tomoyo/tomoyo.c6
-rw-r--r--security/yama/yama_lsm.c2
18 files changed, 29 insertions, 163 deletions
diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..9009893fb3f5 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -32,11 +32,6 @@ config SECURITY
If you are unsure how to answer this question, answer N.
-config SECURITY_WRITABLE_HOOKS
- depends on SECURITY
- bool
- default n
-
config SECURITYFS
bool "Enable the securityfs filesystem"
help
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index d6cc4812ca53..cebba4824e60 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1209,13 +1209,13 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
/*
* The cred blob is a pointer to, not an instance of, an aa_label.
*/
-struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct aa_label *),
.lbs_file = sizeof(struct aa_file_ctx),
.lbs_task = sizeof(struct aa_task_ctx),
};
-static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
LSM_HOOK_INIT(capget, apparmor_capget),
@@ -1427,7 +1427,7 @@ static const struct kernel_param_ops param_ops_aaintbool = {
.get = param_get_aaintbool
};
/* Boot time disable flag */
-static int apparmor_enabled __lsm_ro_after_init = 1;
+static int apparmor_enabled __ro_after_init = 1;
module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
static int __init apparmor_enabled_setup(char *str)
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index e5971fa74fd7..cfaf1d0e6a5f 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -6,7 +6,7 @@
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
-static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
#include <linux/lsm_hook_defs.h>
@@ -22,7 +22,7 @@ static int __init bpf_lsm_init(void)
return 0;
}
-struct lsm_blob_sizes bpf_lsm_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes bpf_lsm_blob_sizes __ro_after_init = {
.lbs_inode = sizeof(struct bpf_storage_blob),
.lbs_task = sizeof(struct bpf_storage_blob),
};
diff --git a/security/commoncap.c b/security/commoncap.c
index 5bb7d1e96277..0b3fc2f3afe7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1440,7 +1440,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
#ifdef CONFIG_SECURITY
-static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list capability_hooks[] __ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
diff --git a/security/landlock/cred.c b/security/landlock/cred.c
index ec6c37f04a19..13dff2a31545 100644
--- a/security/landlock/cred.c
+++ b/security/landlock/cred.c
@@ -34,7 +34,7 @@ static void hook_cred_free(struct cred *const cred)
landlock_put_ruleset_deferred(dom);
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
LSM_HOOK_INIT(cred_free, hook_cred_free),
};
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index adcea0fe7e68..1c0c198f6fdb 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1280,7 +1280,7 @@ static int hook_file_truncate(struct file *const file)
return -EACCES;
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
LSM_HOOK_INIT(sb_delete, hook_sb_delete),
diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c
index 4c5b9cd71286..8a06d6c492bf 100644
--- a/security/landlock/ptrace.c
+++ b/security/landlock/ptrace.c
@@ -108,7 +108,7 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
return task_ptrace(parent, current);
}
-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
};
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index 3f196d2ce4f9..0f6113528fa4 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -15,9 +15,9 @@
#include "ptrace.h"
#include "setup.h"
-bool landlock_initialized __lsm_ro_after_init = false;
+bool landlock_initialized __ro_after_init = false;
-struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct landlock_cred_security),
.lbs_file = sizeof(struct landlock_file_security),
.lbs_inode = sizeof(struct landlock_inode_security),
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index d73a281adf86..b9d773f11232 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -214,7 +214,7 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
return loadpin_check(NULL, (enum kernel_read_file_id) id);
}
-static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list loadpin_hooks[] __ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index a79b985e917e..68d19632aeb7 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -71,7 +71,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
return 0;
}
-static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list lockdown_hooks[] __ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
diff --git a/security/security.c b/security/security.c
index cf6cc576736f..f4e45992472e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -74,14 +74,14 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
};
-struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+struct security_hook_heads security_hook_heads __ro_after_init;
static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
static struct kmem_cache *lsm_file_cache;
static struct kmem_cache *lsm_inode_cache;
char *lsm_names;
-static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
+static struct lsm_blob_sizes blob_sizes __ro_after_init;
/* Boot-time LSM user choice */
static __initdata const char *chosen_lsm_order;
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 4ea946123255..95a186ec0fcb 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -23,30 +23,6 @@ config SECURITY_SELINUX_BOOTPARAM
If you are unsure how to answer this question, answer N.
-config SECURITY_SELINUX_DISABLE
- bool "NSA SELinux runtime disable"
- depends on SECURITY_SELINUX
- select SECURITY_WRITABLE_HOOKS
- default n
- help
- This option enables writing to a selinuxfs node 'disable', which
- allows SELinux to be disabled at runtime prior to the policy load.
- SELinux will then remain disabled until the next boot.
- This option is similar to the selinux=0 boot parameter, but is to
- support runtime disabling of SELinux, e.g. from /sbin/init, for
- portability across platforms where boot parameters are difficult
- to employ.
-
- NOTE: selecting this option will disable the '__ro_after_init'
- kernel hardening feature for security hooks. Please consider
- using the selinux=0 boot parameter instead of enabling this
- option.
-
- WARNING: this option is deprecated and will be removed in a future
- kernel release.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_SELINUX_DEVELOP
bool "NSA SELinux Development Support"
depends on SECURITY_SELINUX
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9a58971f9a16..79b4890e9936 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6769,7 +6769,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
}
#endif
-struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
.lbs_inode = sizeof(struct inode_security_struct),
@@ -6905,7 +6905,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
* safely. Breaking the ordering rules above might lead to NULL pointer derefs
* when disabling SELinux at runtime.
*/
-static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
@@ -7253,7 +7253,6 @@ DEFINE_LSM(selinux) = {
};
#if defined(CONFIG_NETFILTER)
-
static const struct nf_hook_ops selinux_nf_ops[] = {
{
.hook = selinux_ip_postroute,
@@ -7328,56 +7327,4 @@ static int __init selinux_nf_ip_init(void)
return 0;
}
__initcall(selinux_nf_ip_init);
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static void selinux_nf_ip_exit(void)
-{
- pr_debug("SELinux: Unregistering netfilter hooks\n");
-
- unregister_pernet_subsys(&selinux_net_ops);
-}
-#endif
-
-#else /* CONFIG_NETFILTER */
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-#define selinux_nf_ip_exit()
-#endif
-
#endif /* CONFIG_NETFILTER */
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-int selinux_disable(void)
-{
- if (selinux_initialized()) {
- /* Not permitted after initial policy load. */
- return -EINVAL;
- }
-
- if (selinux_disabled()) {
- /* Only do this once. */
- return -EINVAL;
- }
-
- selinux_mark_disabled();
-
- pr_info("SELinux: Disabled at runtime.\n");
-
- /*
- * Unregister netfilter hooks.
- * Must be done before security_delete_hooks() to avoid breaking
- * runtime disable.
- */
- selinux_nf_ip_exit();
-
- security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
-
- /* Try to destroy the avc node cache */
- avc_disable();
-
- /* Unregister selinuxfs. */
- exit_sel_fs();
-
- return 0;
-}
-#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 312112d214bb..8746fafeb778 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -89,9 +89,6 @@ extern int selinux_enabled_boot;
struct selinux_policy;
struct selinux_state {
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
- bool disabled;
-#endif
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
bool enforcing;
#endif
@@ -148,23 +145,6 @@ static inline bool checkreqprot_get(void)
return 0;
}
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-static inline bool selinux_disabled(void)
-{
- return READ_ONCE(selinux_state.disabled);
-}
-
-static inline void selinux_mark_disabled(void)
-{
- WRITE_ONCE(selinux_state.disabled, true);
-}
-#else
-static inline bool selinux_disabled(void)
-{
- return false;
-}
-#endif
-
static inline bool selinux_policycap_netpeer(void)
{
struct selinux_state *state = &selinux_state;
@@ -404,7 +384,6 @@ struct selinux_kernel_status {
extern void selinux_status_update_setenforce(int enforcing);
extern void selinux_status_update_policyload(int seqno);
extern void selinux_complete_init(void);
-extern int selinux_disable(void);
extern void exit_sel_fs(void);
extern struct path selinux_null;
extern void selnl_notify_setenforce(int val);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 68688bc84912..69a583b91fc5 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -267,7 +267,6 @@ static const struct file_operations sel_handle_status_ops = {
.llseek = generic_file_llseek,
};
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static ssize_t sel_write_disable(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
@@ -275,16 +274,6 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
char *page;
ssize_t length;
int new_value;
- int enforcing;
-
- /* NOTE: we are now officially considering runtime disable as
- * deprecated, and using it will become increasingly painful
- * (e.g. sleeping/blocking) as we progress through future
- * kernel releases until eventually it is removed
- */
- pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n");
- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
- ssleep(15);
if (count >= PAGE_SIZE)
return -ENOMEM;
@@ -297,31 +286,21 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
if (IS_ERR(page))
return PTR_ERR(page);
- length = -EINVAL;
- if (sscanf(page, "%d", &new_value) != 1)
+ if (sscanf(page, "%d", &new_value) != 1) {
+ length = -EINVAL;
goto out;
+ }
+ length = count;
if (new_value) {
- enforcing = enforcing_enabled();
- length = selinux_disable();
- if (length)
- goto out;
- audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u ses=%u"
- " enabled=0 old-enabled=1 lsm=selinux res=1",
- enforcing, enforcing,
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
+ pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+ pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
}
- length = count;
out:
kfree(page);
return length;
}
-#else
-#define sel_write_disable NULL
-#endif
static const struct file_operations sel_disable_ops = {
.write = sel_write_disable,
@@ -2194,13 +2173,3 @@ static int __init init_sel_fs(void)
}
__initcall(init_sel_fs);
-
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-void exit_sel_fs(void)
-{
- sysfs_remove_mount_point(fs_kobj, "selinux");
- dput(selinux_null.dentry);
- kern_unmount(selinuxfs_mount);
- unregister_filesystem(&sel_fs_type);
-}
-#endif
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index cfcbb748da25..bc3c3e553133 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4847,7 +4847,7 @@ static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */
-struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
.lbs_inode = sizeof(struct inode_smack),
@@ -4856,7 +4856,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
.lbs_superblock = sizeof(struct superblock_smack),
};
-static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
LSM_HOOK_INIT(syslog, smack_syslog),
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index af04a7b7eb28..25006fddc964 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -499,7 +499,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
-struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
.lbs_task = sizeof(struct tomoyo_task),
};
@@ -546,7 +546,7 @@ static void tomoyo_task_free(struct task_struct *task)
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
@@ -583,7 +583,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
/* Lock for GC. */
DEFINE_SRCU(tomoyo_ss);
-int tomoyo_enabled __lsm_ro_after_init = 1;
+int tomoyo_enabled __ro_after_init = 1;
/**
* tomoyo_init - Register TOMOYO Linux as a LSM module.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 06e226166aab..478be269571a 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -421,7 +421,7 @@ static int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
-static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list yama_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
LSM_HOOK_INIT(task_prctl, yama_task_prctl),