selinux: prune /sys/fs/selinux/disable
authorStephen Smalley <stephen.smalley.work@gmail.com>
Tue, 5 May 2026 12:49:49 +0000 (08:49 -0400)
committerPaul Moore <paul@paul-moore.com>
Tue, 5 May 2026 19:27:43 +0000 (15:27 -0400)
Commit f22f9aaf6c3d ("selinux: remove the runtime disable
functionality") removed the underlying SELinux runtime disable
functionality but left everything else intact and started logging an
error message to warn any residual users.

Prune it to just log an error message once and to return count
(i.e. all bytes written successfully) to avoid breaking
userspace. This also fixes a local DoS from logspam.

Cc: stable@vger.kernel.org
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/selinuxfs.c

index 6f74f87cb2b02789f15cdd4fe46e426f497efb7c..343303b73d6f72971a2e5de0dd8eee80b52d56c9 100644 (file)
@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
                                 size_t count, loff_t *ppos)
 
 {
-       char *page;
-       ssize_t length;
-       int new_value;
-
-       if (count >= PAGE_SIZE)
-               return -ENOMEM;
-
-       /* No partial writes. */
-       if (*ppos != 0)
-               return -EINVAL;
-
-       page = memdup_user_nul(buf, count);
-       if (IS_ERR(page))
-               return PTR_ERR(page);
-
-       if (sscanf(page, "%d", &new_value) != 1) {
-               length = -EINVAL;
-               goto out;
-       }
-       length = count;
-
-       if (new_value) {
-               pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
-               pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
-       }
-
-out:
-       kfree(page);
-       return length;
+       /*
+        * Setting disable is no longer supported, see
+        * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
+        */
+       pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n",
+                   current->comm, current->pid);
+       return count;
 }
 
 static const struct file_operations sel_disable_ops = {
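Review bot: The new body returns `count` without reading `buf` or checking `*ppos`, so non-numeric input and writes at a non-zero offset — both rejected with -EINVAL by the removed code — now succeed, and a write of "0" now produces the log line that the old code emitted only for a non-zero value. That is consistent with the description's goal of not breaking userspace, but it is a visible contract change worth recording in the comment so a later cleanup does not re-tighten it; e.g. append ` * Any write succeeds and returns count: the buffer is not parsed and *ppos is ignored, so inputs the old code rejected with -EINVAL are now accepted.` The switch to pr_err_once limits the message to one per boot, which is what closes the logspam path named in the description. sel_write_disable's signature line lies outside the hunk.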