Commit 19cfa009 authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore

selinux: prune /sys/fs/selinux/disable



Commit f22f9aaf ("selinux: remove the runtime disable
functionality") removed the underlying SELinux runtime disable
functionality but left everything else intact and started logging an
error message to warn any residual users.

Prune it to just log an error message once and to return count
(i.e. all bytes written successfully) to avoid breaking
userspace. This also fixes a local DoS from logspam.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarStephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 644132a4
+7 −29
@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
				 size_t count, loff_t *ppos)

{
	char *page;
	ssize_t length;
	int new_value;

	if (count >= PAGE_SIZE)
		return -ENOMEM;

	/* No partial writes. */
	if (*ppos != 0)
		return -EINVAL;

	page = memdup_user_nul(buf, count);
	if (IS_ERR(page))
		return PTR_ERR(page);

	if (sscanf(page, "%d", &new_value) != 1) {
		length = -EINVAL;
		goto out;
	}
	length = count;

	if (new_value) {
		pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
		pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
	}

out:
	kfree(page);
	return length;
	/*
	 * Setting disable is no longer supported, see
	 * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
	 */
	pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
		    current->comm, current->pid);
	return count;
}

static const struct file_operations sel_disable_ops = {
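Review bot: The new body accepts every write unconditionally — the `count >= PAGE_SIZE` and `*ppos != 0` checks and the `sscanf` parse are gone, so a write of "0" (previously accepted silently) now also fires the one-shot message, and a zero-length or non-zero-offset write returns `count` as well; this is intentional per the commit message but the comment above `pr_err_once` should say so, e.g. add `* Any write, regardless of length, offset or value, is accepted` and `* without being parsed so existing userspace does not break.` to that comment block. Note also that `pr_err_once` records only the first writer's comm/pid and later attempts leave no trace in the log; if operators should still be able to see repeated attempts while the logspam stays bounded, `pr_err_ratelimited` would give that, though which to prefer is a policy choice rather than a defect. sel_write_disable's opening line is outside the hunk.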