| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov>
Date: Tue, 2 Oct 2018 09:42:58 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Paul Moore <paul@...l-moore.com>, keescook@...omium.org
Cc: James Morris <jmorris@...ei.org>, casey@...aufler-ca.com,
john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp,
casey.schaufler@...el.com, linux-security-module@...r.kernel.org,
corbet@....net, linux-doc@...r.kernel.org,
linux-arch@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
On 10/02/2018 08:12 AM, Paul Moore wrote:
> On Mon, Oct 1, 2018 at 9:04 PM Kees Cook <keescook@...omium.org> wrote:
>> Since LSM enabling is now centralized with CONFIG_LSM_ENABLE and
>> "lsm.enable=...", this removes the LSM-specific enabling logic from
>> SELinux.
>>
>> Signed-off-by: Kees Cook <keescook@...omium.org>
>> ---
>> .../admin-guide/kernel-parameters.txt | 9 ------
>> security/selinux/Kconfig | 29 -------------------
>> security/selinux/hooks.c | 15 +---------
>> 3 files changed, 1 insertion(+), 52 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> index cf963febebb0..0d10ab3d020e 100644
>> --- a/Documentation/admin-guide/kernel-parameters.txt
>> +++ b/Documentation/admin-guide/kernel-parameters.txt
>> @@ -4045,15 +4045,6 @@
>> loaded. An invalid security module name will be treated
>> as if no module has been chosen.
>>
>> - selinux= [SELINUX] Disable or enable SELinux at boot time.
>> - Format: { "0" | "1" }
>> - See security/selinux/Kconfig help text.
>> - 0 -- disable.
>> - 1 -- enable.
>> - Default value is set via kernel config option.
>> - If enabled at boot time, /selinux/disable can be used
>> - later to disable prior to initial policy load.
>
> No comments yet on the rest of the patchset, but the subject line of
> this patch caught my eye and I wanted to comment quickly on this one
> ...
>
> Not a fan unfortunately.
>
> Much like the SELinux bits under /proc/self/attr, this is a user
> visible thing which has made its way into a lot of docs, scripts, and
> minds; I believe removing it would be a big mistake.
Yes, we can't suddenly break existing systems that had selinux=0 in
their grub config. We have to retain the support.
>
>> serialnumber [BUGS=X86-32]
>>
>> shapers= [NET]
>> diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
>> index 8af7a690eb40..86936528a0bb 100644
>> --- a/security/selinux/Kconfig
>> +++ b/security/selinux/Kconfig
>> @@ -8,35 +8,6 @@ config SECURITY_SELINUX
>> You will also need a policy configuration and a labeled filesystem.
>> If you are unsure how to answer this question, answer N.
>>
>> -config SECURITY_SELINUX_BOOTPARAM
>> - bool "NSA SELinux boot parameter"
>> - depends on SECURITY_SELINUX
>> - default n
>> - help
>> - This option adds a kernel parameter 'selinux', which allows SELinux
>> - to be disabled at boot. If this option is selected, SELinux
>> - functionality can be disabled with selinux=0 on the kernel
>> - command line. The purpose of this option is to allow a single
>> - kernel image to be distributed with SELinux built in, but not
>> - necessarily enabled.
>> -
>> - If you are unsure how to answer this question, answer N.
>> -
>> -config SECURITY_SELINUX_BOOTPARAM_VALUE
>> - int "NSA SELinux boot parameter default value"
>> - depends on SECURITY_SELINUX_BOOTPARAM
>> - range 0 1
>> - default 1
>> - help
>> - This option sets the default value for the kernel parameter
>> - 'selinux', which allows SELinux to be disabled at boot. If this
>> - option is set to 0 (zero), the SELinux kernel parameter will
>> - default to 0, disabling SELinux at bootup. If this option is
>> - set to 1 (one), the SELinux kernel parameter will default to 1,
>> - enabling SELinux at bootup.
>> -
>> - If you are unsure how to answer this question, answer 1.
>> -
>> config SECURITY_SELINUX_DISABLE
>> bool "NSA SELinux runtime disable"
>> depends on SECURITY_SELINUX
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 71a10fedecb3..8f5eea097612 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -120,20 +120,7 @@ __setup("enforcing=", enforcing_setup);
>> #define selinux_enforcing_boot 1
>> #endif
>>
>> -#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
>> -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
>> -
>> -static int __init selinux_enabled_setup(char *str)
>> -{
>> - unsigned long enabled;
>> - if (!kstrtoul(str, 0, &enabled))
>> - selinux_enabled = enabled ? 1 : 0;
>> - return 1;
>> -}
>> -__setup("selinux=", selinux_enabled_setup);
>> -#else
>> -int selinux_enabled = 1;
>> -#endif
>> +int selinux_enabled __lsm_ro_after_init;
>>
>> static unsigned int selinux_checkreqprot_boot =
>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
>> --
>> 2.17.1
>>
>
>
Powered by blists - more mailing lists