Commit 644132a4 authored by Stephen Smalley, committed by Paul Moore

selinux: prune /sys/fs/selinux/checkreqprot



commit a7e4676e ("selinux: remove the 'checkreqprot'
functionality") removed the ability to modify the checkreqprot setting
but left everything except the updating of the checkreqprot value
intact. Aside from unnecessary processing, this could produce a local
DoS from log spam and incorrectly calls selinux_ima_measure_state() on
each write even though no state has changed. Prune it to just log an
error message once and return count (i.e. all bytes written
successfully) so that userspace never breaks.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 7fd2df20
+7 −40
@@ -689,46 +689,13 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
				      size_t count, loff_t *ppos)
{
	char *page;
	ssize_t length;
	unsigned int new_value;

	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
			      SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT,
			      NULL);
	if (length)
		return length;

	if (count >= PAGE_SIZE)
		return -ENOMEM;

	/* No partial writes. */
	if (*ppos != 0)
		return -EINVAL;

	page = memdup_user_nul(buf, count);
	if (IS_ERR(page))
		return PTR_ERR(page);

	if (sscanf(page, "%u", &new_value) != 1) {
		length = -EINVAL;
		goto out;
	}
	length = count;

	if (new_value) {
		char comm[sizeof(current->comm)];

		strscpy(comm, current->comm);
		pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n",
		       comm, current->pid);
	}

	selinux_ima_measure_state();

out:
	kfree(page);
	return length;
	/*
	 * Setting checkreqprot is no longer supported, see
	 * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot
	 */
	pr_err_once("SELinux: %s (%d) wrote to checkreqprot. This is no longer supported.\n",
		    current->comm, current->pid);
	return count;
}
static const struct file_operations sel_checkreqprot_ops = {
	.read		= sel_read_checkreqprot,
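Review bot: The new body drops the `avc_has_perm(..., SECURITY__SETCHECKREQPROT, ...)` check that the removed lines ran before doing anything else, so a write to checkreqprot from a domain the loaded policy does not allow to set it now returns count successfully instead of being refused (and, as far as I can tell, producing an AVC denial), while the `pr_err_once` records only the first writer in the system's lifetime. That silently removes a policy-controlled denial and its audit trail for callers that were never permitted to touch this file, and the commit message does not say that is intended. Keeping the permission check ahead of the deprecation message preserves the pre-commit behaviour for unauthorised callers, still fixes the per-write log spam and the spurious selinux_ima_measure_state() call, and cannot break userspace that worked before since those callers were already denied. If dropping the check is deliberate, a comment such as `/* No permission check: the write is a no-op, so any caller may "succeed". */` above the pr_err_once would spare the next reader the same question.
```c
	/* Deny (and audit) callers the policy does not allow to set checkreqprot. */
	int rc = avc_has_perm(current_sid(), SECINITSID_SECURITY,
			      SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, NULL);
	if (rc)
		return rc;
	/* … unchanged: deprecation comment, pr_err_once(), return count … */
```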