selinux: Deprecate /sys/fs/selinux/user

Message ID	20241004155320.16629-1-stephen.smalley.work@gmail.com (mailing list archive)
State	Superseded
Delegated to:	Paul Moore
Headers	show Received: from mail-qt1-f169.google.com (mail-qt1-f169.google.com [209.85.160.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1491D1CACEB for <selinux@vger.kernel.org>; Fri, 4 Oct 2024 15:53:50 +0000 (UTC) From: Stephen Smalley <stephen.smalley.work@gmail.com> To: selinux@vger.kernel.org Cc: paul@paul-moore.com, omosnace@redhat.com, Stephen Smalley <stephen.smalley.work@gmail.com> Subject: [PATCH] selinux: Deprecate /sys/fs/selinux/user Date: Fri, 4 Oct 2024 11:53:20 -0400 Message-Id: <20241004155320.16629-1-stephen.smalley.work@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	selinux: Deprecate /sys/fs/selinux/user \| expand selinux: Deprecate /sys/fs/selinux/user

Message ID

20241004155320.16629-1-stephen.smalley.work@gmail.com (mailing list archive)

State

Superseded

Delegated to:

Paul Moore

Headers

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com,
	omosnace@redhat.com,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH] selinux: Deprecate /sys/fs/selinux/user
Date: Fri,  4 Oct 2024 11:53:20 -0400
Message-Id: <20241004155320.16629-1-stephen.smalley.work@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

selinux: Deprecate /sys/fs/selinux/user | expand

Commit Message

Stephen Smalley Oct. 4, 2024, 3:53 p.m. UTC

The only known user of this interface was libselinux and its
internal usage of this interface for get_ordered_context_list(3)
was removed in Feb 2020, with a deprecation warning added to
security_compute_user(3) at the same time. Add a deprecation
warning to the kernel and schedule it for final removal in 2025.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
 security/selinux/selinuxfs.c                  |  4 ++++
 2 files changed, 16 insertions(+)
 create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user

Comments

Paul Moore Oct. 4, 2024, 4:57 p.m. UTC | #1

On Fri, Oct 4, 2024 at 11:53 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> The only known user of this interface was libselinux and its
> internal usage of this interface for get_ordered_context_list(3)
> was removed in Feb 2020, with a deprecation warning added to
> security_compute_user(3) at the same time. Add a deprecation
> warning to the kernel and schedule it for final removal in 2025.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
>  security/selinux/selinuxfs.c                  |  4 ++++
>  2 files changed, 16 insertions(+)
>  create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user
>
> diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/obsolete/sysfs-selinux-user
> new file mode 100644
> index 000000000000..8ab7557f283f
> --- /dev/null
> +++ b/Documentation/ABI/obsolete/sysfs-selinux-user
> @@ -0,0 +1,12 @@
> +What:          /sys/fs/selinux/user
> +Date:          April 2005 (predates git)
> +KernelVersion: 2.6.12-rc2 (predates git)
> +Contact:       selinux@vger.kernel.org
> +Description:
> +
> +       The selinuxfs "user" node allows userspace to request a list
> +       of security contexts that can be reached for a given SELinux
> +       user from a given starting context. This was used by libselinux
> +       when various login-style programs requested contexts for
> +       users, but libselinux stopped using it in 2020.
> +       Kernel support will be removed no sooner than Dec 2025.
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index e172f182b65c..8117d8f6ac2d 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -1069,6 +1069,10 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
>         int rc;
>         u32 i, len, nsids;
>
> +       pr_warn_once("SELinux: %s (%d) wrote to /sys/fs/selinux/user! This "
> +               "will not be supported in the future; please update your "
> +               "userspace.\n", current->comm, current->pid);

Since this could be triggered by multiple different applications, it
is worth using pr_warn() so users have a better list of what
applications are causing this notice?  I understand that there is a
risk of log spam, but considering the limited use of this API it seems
like this is a reasonable risk?

>         length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
>                               SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
>                               NULL);
> --
> 2.40.1

Stephen Smalley Oct. 4, 2024, 5:08 p.m. UTC | #2

On Fri, Oct 4, 2024 at 12:57 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Oct 4, 2024 at 11:53 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > The only known user of this interface was libselinux and its
> > internal usage of this interface for get_ordered_context_list(3)
> > was removed in Feb 2020, with a deprecation warning added to
> > security_compute_user(3) at the same time. Add a deprecation
> > warning to the kernel and schedule it for final removal in 2025.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > ---
> >  Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
> >  security/selinux/selinuxfs.c                  |  4 ++++
> >  2 files changed, 16 insertions(+)
> >  create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user
> >
> > diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/obsolete/sysfs-selinux-user
> > new file mode 100644
> > index 000000000000..8ab7557f283f
> > --- /dev/null
> > +++ b/Documentation/ABI/obsolete/sysfs-selinux-user
> > @@ -0,0 +1,12 @@
> > +What:          /sys/fs/selinux/user
> > +Date:          April 2005 (predates git)
> > +KernelVersion: 2.6.12-rc2 (predates git)
> > +Contact:       selinux@vger.kernel.org
> > +Description:
> > +
> > +       The selinuxfs "user" node allows userspace to request a list
> > +       of security contexts that can be reached for a given SELinux
> > +       user from a given starting context. This was used by libselinux
> > +       when various login-style programs requested contexts for
> > +       users, but libselinux stopped using it in 2020.
> > +       Kernel support will be removed no sooner than Dec 2025.
> > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> > index e172f182b65c..8117d8f6ac2d 100644
> > --- a/security/selinux/selinuxfs.c
> > +++ b/security/selinux/selinuxfs.c
> > @@ -1069,6 +1069,10 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
> >         int rc;
> >         u32 i, len, nsids;
> >
> > +       pr_warn_once("SELinux: %s (%d) wrote to /sys/fs/selinux/user! This "
> > +               "will not be supported in the future; please update your "
> > +               "userspace.\n", current->comm, current->pid);
>
> Since this could be triggered by multiple different applications, it
> is worth using pr_warn() so users have a better list of what
> applications are causing this notice?  I understand that there is a
> risk of log spam, but considering the limited use of this API it seems
> like this is a reasonable risk?

I'd be fine switching it to pr_warn(), but in reality, I think the
only direct user was libselinux, so that's the component that actually
needs to be updated if it triggers.

diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/obsolete/sysfs-selinux-user
new file mode 100644
index 000000000000..8ab7557f283f
--- /dev/null
+++ b/Documentation/ABI/obsolete/sysfs-selinux-user
@@ -0,0 +1,12 @@ 
+What:		/sys/fs/selinux/user
+Date:		April 2005 (predates git)
+KernelVersion:	2.6.12-rc2 (predates git)
+Contact:	selinux@vger.kernel.org
+Description:
+
+	The selinuxfs "user" node allows userspace to request a list
+	of security contexts that can be reached for a given SELinux
+	user from a given starting context. This was used by libselinux
+	when various login-style programs requested contexts for
+	users, but libselinux stopped using it in 2020.
+	Kernel support will be removed no sooner than Dec 2025.
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index e172f182b65c..8117d8f6ac2d 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1069,6 +1069,10 @@  static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
 	int rc;
 	u32 i, len, nsids;
 
+	pr_warn_once("SELinux: %s (%d) wrote to /sys/fs/selinux/user! This "
+		"will not be supported in the future; please update your "
+		"userspace.\n",	current->comm, current->pid);
+
 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
 			      SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
 			      NULL);

selinux: Deprecate /sys/fs/selinux/user

Commit Message

Comments

Patch