
[RFC,v2,17/27] libselinux: remove SELABEL_OPT_SUBSET support from selabel_file(5)

Message ID 20230814132025.45364-18-cgzones@googlemail.com (mailing list archive)
State New, archived
Delegated to: Petr Lautrbach
Series libselinux: rework selabel_file(5) database | expand

Commit Message

Christian Göttsche Aug. 14, 2023, 1:20 p.m. UTC
The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
pages.") for version 2.5.

Drop the support to ease refactoring of the selabel_file related code.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/include/selinux/label.h    |  2 +-
 libselinux/include/selinux/selinux.h  |  6 +++++-
 libselinux/src/Makefile               |  4 ++++
 libselinux/src/label_file.c           | 19 ++++++++-----------
 libselinux/src/label_file.h           | 13 ++-----------
 libselinux/src/matchpathcon.c         |  4 +---
 libselinux/utils/matchpathcon.c       | 11 ++---------
 libselinux/utils/sefcontext_compile.c |  3 +--
 8 files changed, 24 insertions(+), 38 deletions(-)

Comments

James Carter Oct. 10, 2023, 5:07 p.m. UTC | #1
On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> pages.") for version 2.5.
>
> Drop the support to easy refactoring the selabel_file related code.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libselinux/include/selinux/label.h    |  2 +-
>  libselinux/include/selinux/selinux.h  |  6 +++++-
>  libselinux/src/Makefile               |  4 ++++
>  libselinux/src/label_file.c           | 19 ++++++++-----------
>  libselinux/src/label_file.h           | 13 ++-----------
>  libselinux/src/matchpathcon.c         |  4 +---
>  libselinux/utils/matchpathcon.c       | 11 ++---------
>  libselinux/utils/sefcontext_compile.c |  3 +--
>  8 files changed, 24 insertions(+), 38 deletions(-)
>
> diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> index ce189a3a..6cb2d782 100644
> --- a/libselinux/include/selinux/label.h
> +++ b/libselinux/include/selinux/label.h
> @@ -50,7 +50,7 @@ struct selabel_handle;
>  #define SELABEL_OPT_BASEONLY   2
>  /* specify an alternate path to use when loading backend data */
>  #define SELABEL_OPT_PATH       3
> -/* select a subset of the search space as an optimization (file backend) */
> +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
>  #define SELABEL_OPT_SUBSET     4
>  /* require a hash calculation on spec files */
>  #define SELABEL_OPT_DIGEST     5
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index a0948853..3b23cb50 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
>
>  /* Same as matchpathcon_init, but only load entries with
>     regexes that have stems that are prefixes of 'prefix'. */
> -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> +#ifdef __GNUC__
> +   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> +#endif
> +;
>
>  /* Free the memory allocated by matchpathcon_init. */
>  extern void matchpathcon_fini(void)
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index ac656257..15d224e1 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
>  SRCS:= $(filter-out label_x.c, $(SRCS))
>  endif
>
> +# ignore usage of matchpathcon_init_prefix(3)
> +matchpathcon.o:  CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> +

"-Wno-deprecated" means do not warn about deprecated features and
seems to be about deprecated c++ features. I don't think we need it
here.

Everything else looks ok to me as long as no distro is depending on
this deprecated option.

Thanks,
Jim

>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
>
>  all: $(LIBA) $(LIBSO) $(LIBPC)
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index b9be1c9d..f9f4648a 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -166,7 +166,7 @@ static int nodups_specs(struct saved_data *data, const char *path)
>         return rc;
>  }
>
> -static int process_text_file(FILE *fp, const char *prefix,
> +static int process_text_file(FILE *fp,
>                              struct selabel_handle *rec, const char *path)
>  {
>         int rc;
> @@ -175,7 +175,7 @@ static int process_text_file(FILE *fp, const char *prefix,
>         char *line_buf = NULL;
>
>         while (getline(&line_buf, &line_len, fp) > 0) {
> -               rc = process_line(rec, path, prefix, line_buf, ++lineno);
> +               rc = process_line(rec, path, line_buf, ++lineno);
>                 if (rc)
>                         goto out;
>         }
> @@ -603,7 +603,7 @@ static FILE *open_file(const char *path, const char *suffix,
>
>  static int process_file(const char *path, const char *suffix,
>                           struct selabel_handle *rec,
> -                         const char *prefix, struct selabel_digest *digest)
> +                         struct selabel_digest *digest)
>  {
>         int rc;
>         unsigned int i;
> @@ -624,7 +624,7 @@ static int process_file(const char *path, const char *suffix,
>
>                 rc = fcontext_is_binary(fp) ?
>                                 load_mmap(fp, sb.st_size, rec, found_path) :
> -                               process_text_file(fp, prefix, rec, found_path);
> +                               process_text_file(fp, rec, found_path);
>                 if (!rc)
>                         rc = digest_add_specfile(digest, fp, NULL, sb.st_size,
>                                 found_path);
> @@ -785,7 +785,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
>  {
>         struct saved_data *data = (struct saved_data *)rec->data;
>         const char *path = NULL;
> -       const char *prefix = NULL;
>         int status = -1, baseonly = 0;
>
>         /* Process arguments */
> @@ -795,7 +794,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
>                         path = opts[n].value;
>                         break;
>                 case SELABEL_OPT_SUBSET:
> -                       prefix = opts[n].value;
> +                       selinux_log(SELINUX_WARNING, "selabel_open(3): SELABEL_OPT_SUBSET support has been removed, ignoring option\n");
>                         break;
>                 case SELABEL_OPT_BASEONLY:
>                         baseonly = !!opts[n].value;
> @@ -839,7 +838,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
>         /*
>          * The do detailed validation of the input and fill the spec array
>          */
> -       status = process_file(path, NULL, rec, prefix, rec->digest);
> +       status = process_file(path, NULL, rec, rec->digest);
>         if (status)
>                 goto finish;
>
> @@ -850,13 +849,11 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
>         }
>
>         if (!baseonly) {
> -               status = process_file(path, "homedirs", rec, prefix,
> -                                                           rec->digest);
> +               status = process_file(path, "homedirs", rec, rec->digest);
>                 if (status && errno != ENOENT)
>                         goto finish;
>
> -               status = process_file(path, "local", rec, prefix,
> -                                                           rec->digest);
> +               status = process_file(path, "local", rec, rec->digest);
>                 if (status && errno != ENOENT)
>                         goto finish;
>         }
> diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
> index 1363c83c..56439e2d 100644
> --- a/libselinux/src/label_file.h
> +++ b/libselinux/src/label_file.h
> @@ -425,10 +425,10 @@ static inline int compile_regex(struct spec *spec, const char **errbuf)
>  /* This service is used by label_file.c process_file() and
>   * utils/sefcontext_compile.c */
>  static inline int process_line(struct selabel_handle *rec,
> -                       const char *path, const char *prefix,
> +                       const char *path,
>                         char *line_buf, unsigned lineno)
>  {
> -       int items, len, rc;
> +       int items, rc;
>         char *regex = NULL, *type = NULL, *context = NULL;
>         struct saved_data *data = (struct saved_data *)rec->data;
>         struct spec *spec_arr;
> @@ -466,15 +466,6 @@ static inline int process_line(struct selabel_handle *rec,
>                 type = 0;
>         }
>
> -       len = get_stem_from_spec(regex);
> -       if (len && prefix && strncmp(prefix, regex, len)) {
> -               /* Stem of regex does not match requested prefix, discard. */
> -               free(regex);
> -               free(type);
> -               free(context);
> -               return 0;
> -       }
> -
>         rc = grow_specs(data);
>         if (rc)
>                 return rc;
> diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
> index a1c5b0cc..971ace62 100644
> --- a/libselinux/src/matchpathcon.c
> +++ b/libselinux/src/matchpathcon.c
> @@ -347,7 +347,7 @@ static void matchpathcon_init_once(void)
>                 destructor_key_initialized = 1;
>  }
>
> -int matchpathcon_init_prefix(const char *path, const char *subset)
> +int matchpathcon_init_prefix(const char *path, const char *prefix __attribute__((unused)))
>  {
>         if (!mycanoncon)
>                 mycanoncon = default_canoncon;
> @@ -355,8 +355,6 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
>         __selinux_once(once, matchpathcon_init_once);
>         __selinux_setspecific(destructor_key, /* some valid address to please GCC */ &selinux_page_size);
>
> -       options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
> -       options[SELABEL_OPT_SUBSET].value = subset;
>         options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
>         options[SELABEL_OPT_PATH].value = path;
>
> diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
> index 1d713c01..8e1c45c1 100644
> --- a/libselinux/utils/matchpathcon.c
> +++ b/libselinux/utils/matchpathcon.c
> @@ -13,7 +13,7 @@
>  static __attribute__ ((__noreturn__)) void usage(const char *progname)
>  {
>         fprintf(stderr,
> -               "usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
> +               "usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-P policy_root_path] filepath...\n",
>                 progname);
>         exit(1);
>  }
> @@ -83,7 +83,7 @@ int main(int argc, char **argv)
>         if (argc < 2)
>                 usage(argv[0]);
>
> -       while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
> +       while ((opt = getopt(argc, argv, "m:Nnf:P:Vq")) > 0) {
>                 switch (opt) {
>                 case 'n':
>                         header = 0;
> @@ -114,13 +114,6 @@ int main(int argc, char **argv)
>                                 exit(1);
>                         }
>                         break;
> -               case 'p':
> -                       // This option has been deprecated since libselinux 2.5 (2016):
> -                       // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
> -                       fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
> -                       options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
> -                       options[SELABEL_OPT_SUBSET].value = optarg;
> -                       break;
>                 case 'q':
>                         quiet = 1;
>                         break;
> diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
> index 6c32172d..eed6e4fd 100644
> --- a/libselinux/utils/sefcontext_compile.c
> +++ b/libselinux/utils/sefcontext_compile.c
> @@ -36,7 +36,6 @@ static int process_file(struct selabel_handle *rec, const char *filename)
>         char *line_buf = NULL;
>         size_t line_len = 0;
>         FILE *context_file;
> -       const char *prefix = NULL;
>
>         context_file = fopen(filename, "r");
>         if (!context_file) {
> @@ -48,7 +47,7 @@ static int process_file(struct selabel_handle *rec, const char *filename)
>         line_num = 0;
>         rc = 0;
>         while (getline(&line_buf, &line_len, context_file) > 0) {
> -               rc = process_line(rec, filename, prefix, line_buf, ++line_num);
> +               rc = process_line(rec, filename, line_buf, ++line_num);
>                 if (rc || ctx_err) {
>                         /* With -p option need to check and fail if ctx err as
>                          * process_line() context validation on Linux does not
> --
> 2.40.1
>
Stephen Smalley Oct. 10, 2023, 6:45 p.m. UTC | #2
On Tue, Oct 10, 2023 at 1:08 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> > commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> > pages.") for version 2.5.
> >
> > Drop the support to easy refactoring the selabel_file related code.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
> >  libselinux/include/selinux/label.h    |  2 +-
> >  libselinux/include/selinux/selinux.h  |  6 +++++-
> >  libselinux/src/Makefile               |  4 ++++
> >  libselinux/src/label_file.c           | 19 ++++++++-----------
> >  libselinux/src/label_file.h           | 13 ++-----------
> >  libselinux/src/matchpathcon.c         |  4 +---
> >  libselinux/utils/matchpathcon.c       | 11 ++---------
> >  libselinux/utils/sefcontext_compile.c |  3 +--
> >  8 files changed, 24 insertions(+), 38 deletions(-)
> >
> > diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> > index ce189a3a..6cb2d782 100644
> > --- a/libselinux/include/selinux/label.h
> > +++ b/libselinux/include/selinux/label.h
> > @@ -50,7 +50,7 @@ struct selabel_handle;
> >  #define SELABEL_OPT_BASEONLY   2
> >  /* specify an alternate path to use when loading backend data */
> >  #define SELABEL_OPT_PATH       3
> > -/* select a subset of the search space as an optimization (file backend) */
> > +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
> >  #define SELABEL_OPT_SUBSET     4
> >  /* require a hash calculation on spec files */
> >  #define SELABEL_OPT_DIGEST     5
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index a0948853..3b23cb50 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
> >
> >  /* Same as matchpathcon_init, but only load entries with
> >     regexes that have stems that are prefixes of 'prefix'. */
> > -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> > +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> > +#ifdef __GNUC__
> > +   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> > +#endif
> > +;
> >
> >  /* Free the memory allocated by matchpathcon_init. */
> >  extern void matchpathcon_fini(void)
> > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > index ac656257..15d224e1 100644
> > --- a/libselinux/src/Makefile
> > +++ b/libselinux/src/Makefile
> > @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
> >  SRCS:= $(filter-out label_x.c, $(SRCS))
> >  endif
> >
> > +# ignore usage of matchpathcon_init_prefix(3)
> > +matchpathcon.o:  CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > +
>
> "-Wno-deprecated" means do not warn about deprecated features and
> seems to be about deprecated c++ features. I don't think we need it
> here.
>
> Everything else looks ok to me as long as no distro is depending on
> this deprecated option.

Removing an option flag defined in the public API of libselinux would
be an API and ABI break, requiring a major version change. Not worth
it IMHO.
Christian Göttsche Nov. 1, 2023, 5:29 p.m. UTC | #3
On Tue, 10 Oct 2023 at 20:45, Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Oct 10, 2023 at 1:08 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> > >
> > > The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> > > commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> > > pages.") for version 2.5.
> > >
> > > Drop the support to easy refactoring the selabel_file related code.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > > ---
> > >  libselinux/include/selinux/label.h    |  2 +-
> > >  libselinux/include/selinux/selinux.h  |  6 +++++-
> > >  libselinux/src/Makefile               |  4 ++++
> > >  libselinux/src/label_file.c           | 19 ++++++++-----------
> > >  libselinux/src/label_file.h           | 13 ++-----------
> > >  libselinux/src/matchpathcon.c         |  4 +---
> > >  libselinux/utils/matchpathcon.c       | 11 ++---------
> > >  libselinux/utils/sefcontext_compile.c |  3 +--
> > >  8 files changed, 24 insertions(+), 38 deletions(-)
> > >
> > > diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> > > index ce189a3a..6cb2d782 100644
> > > --- a/libselinux/include/selinux/label.h
> > > +++ b/libselinux/include/selinux/label.h
> > > @@ -50,7 +50,7 @@ struct selabel_handle;
> > >  #define SELABEL_OPT_BASEONLY   2
> > >  /* specify an alternate path to use when loading backend data */
> > >  #define SELABEL_OPT_PATH       3
> > > -/* select a subset of the search space as an optimization (file backend) */
> > > +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
> > >  #define SELABEL_OPT_SUBSET     4
> > >  /* require a hash calculation on spec files */
> > >  #define SELABEL_OPT_DIGEST     5
> > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > > index a0948853..3b23cb50 100644
> > > --- a/libselinux/include/selinux/selinux.h
> > > +++ b/libselinux/include/selinux/selinux.h
> > > @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
> > >
> > >  /* Same as matchpathcon_init, but only load entries with
> > >     regexes that have stems that are prefixes of 'prefix'. */
> > > -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> > > +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> > > +#ifdef __GNUC__
> > > +   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> > > +#endif
> > > +;
> > >
> > >  /* Free the memory allocated by matchpathcon_init. */
> > >  extern void matchpathcon_fini(void)
> > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > index ac656257..15d224e1 100644
> > > --- a/libselinux/src/Makefile
> > > +++ b/libselinux/src/Makefile
> > > @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
> > >  SRCS:= $(filter-out label_x.c, $(SRCS))
> > >  endif
> > >
> > > +# ignore usage of matchpathcon_init_prefix(3)
> > > +matchpathcon.o:  CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > +
> >
> > "-Wno-deprecated" means do not warn about deprecated features and
> > seems to be about deprecated c++ features. I don't think we need it
> > here.
> >
> > Everything else looks ok to me as long as no distro is depending on
> > this deprecated option.
>
> Removing an option flag defined in the public API of libselinux would
> be an API and ABI break, requiring a major version change. Not worth
> it IMHO.

No function or macro from the public header, and no exported symbol in
the shared library is removed or changed, so it's not an API or ABI
break.
It is a behavior change, since a lookup of /etc/shadow with the prefix
of /usr will now return a result, and not ENOENT.
It seems the flag was introduced as a performance optimization, which
should no longer be necessary after the follow-up rewrite.
I could try to continue supporting the flag, however.
Stephen Smalley Nov. 2, 2023, 1:50 p.m. UTC | #4
On Wed, Nov 1, 2023 at 1:29 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Tue, 10 Oct 2023 at 20:45, Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Oct 10, 2023 at 1:08 PM James Carter <jwcart2@gmail.com> wrote:
> > >
> > > On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
> > > <cgzones@googlemail.com> wrote:
> > > >
> > > > The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> > > > commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> > > > pages.") for version 2.5.
> > > >
> > > > Drop the support to easy refactoring the selabel_file related code.
> > > >
> > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > > > ---
> > > >  libselinux/include/selinux/label.h    |  2 +-
> > > >  libselinux/include/selinux/selinux.h  |  6 +++++-
> > > >  libselinux/src/Makefile               |  4 ++++
> > > >  libselinux/src/label_file.c           | 19 ++++++++-----------
> > > >  libselinux/src/label_file.h           | 13 ++-----------
> > > >  libselinux/src/matchpathcon.c         |  4 +---
> > > >  libselinux/utils/matchpathcon.c       | 11 ++---------
> > > >  libselinux/utils/sefcontext_compile.c |  3 +--
> > > >  8 files changed, 24 insertions(+), 38 deletions(-)
> > > >
> > > > diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> > > > index ce189a3a..6cb2d782 100644
> > > > --- a/libselinux/include/selinux/label.h
> > > > +++ b/libselinux/include/selinux/label.h
> > > > @@ -50,7 +50,7 @@ struct selabel_handle;
> > > >  #define SELABEL_OPT_BASEONLY   2
> > > >  /* specify an alternate path to use when loading backend data */
> > > >  #define SELABEL_OPT_PATH       3
> > > > -/* select a subset of the search space as an optimization (file backend) */
> > > > +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
> > > >  #define SELABEL_OPT_SUBSET     4
> > > >  /* require a hash calculation on spec files */
> > > >  #define SELABEL_OPT_DIGEST     5
> > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > > > index a0948853..3b23cb50 100644
> > > > --- a/libselinux/include/selinux/selinux.h
> > > > +++ b/libselinux/include/selinux/selinux.h
> > > > @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
> > > >
> > > >  /* Same as matchpathcon_init, but only load entries with
> > > >     regexes that have stems that are prefixes of 'prefix'. */
> > > > -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> > > > +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> > > > +#ifdef __GNUC__
> > > > +   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> > > > +#endif
> > > > +;
> > > >
> > > >  /* Free the memory allocated by matchpathcon_init. */
> > > >  extern void matchpathcon_fini(void)
> > > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > > index ac656257..15d224e1 100644
> > > > --- a/libselinux/src/Makefile
> > > > +++ b/libselinux/src/Makefile
> > > > @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
> > > >  SRCS:= $(filter-out label_x.c, $(SRCS))
> > > >  endif
> > > >
> > > > +# ignore usage of matchpathcon_init_prefix(3)
> > > > +matchpathcon.o:  CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > > +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > > +
> > >
> > > "-Wno-deprecated" means do not warn about deprecated features and
> > > seems to be about deprecated c++ features. I don't think we need it
> > > here.
> > >
> > > Everything else looks ok to me as long as no distro is depending on
> > > this deprecated option.
> >
> > Removing an option flag defined in the public API of libselinux would
> > be an API and ABI break, requiring a major version change. Not worth
> > it IMHO.
>
> No function or macro from the public header, and no exported symbol in
> the shared library is removed or changed, so it's not an API or ABI
> break.

Fair point - my apologies.

> It is an behavior change since a lookup of /etc/shadow with the prefix
> of /usr will now return a result, and not ENOENT.

That still seems like a reason to keep it to me, or if not, to change
the .so version to reflect the compatibility break.
Others are free to disagree.

> It seems the flag was introduced as a performance optimization, which
> should no longer be necessary by the followup rewrite.
> I could try to continue to support to the flag however.

Patch

diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index ce189a3a..6cb2d782 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -50,7 +50,7 @@  struct selabel_handle;
 #define SELABEL_OPT_BASEONLY	2
 /* specify an alternate path to use when loading backend data */
 #define SELABEL_OPT_PATH	3
-/* select a subset of the search space as an optimization (file backend) */
+/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
 #define SELABEL_OPT_SUBSET	4
 /* require a hash calculation on spec files */
 #define SELABEL_OPT_DIGEST	5
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a0948853..3b23cb50 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -484,7 +484,11 @@  extern int matchpathcon_init(const char *path)
 
 /* Same as matchpathcon_init, but only load entries with
    regexes that have stems that are prefixes of 'prefix'. */
-extern int matchpathcon_init_prefix(const char *path, const char *prefix);
+extern int matchpathcon_init_prefix(const char *path, const char *prefix)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
+#endif
+;
 
 /* Free the memory allocated by matchpathcon_init. */
 extern void matchpathcon_fini(void)
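Review bot: The comment kept as context above `matchpathcon_init_prefix` still promises that the call will "only load entries with regexes that have stems that are prefixes of 'prefix'", which stops being true with this patch (src/matchpathcon.c marks the parameter unused). A caller reading the header would still assume lookups are confined to that subtree. Suggest replacing it with `/* Same as matchpathcon_init; 'prefix' is ignored since v3.6. */`, so the header states the new contract next to the deprecation attribute.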
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index ac656257..15d224e1 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -144,6 +144,10 @@  ifeq ($(DISABLE_X11),y)
 SRCS:= $(filter-out label_x.c, $(SRCS))
 endif
 
+# ignore usage of matchpathcon_init_prefix(3)
+matchpathcon.o:  CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
+matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
+
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
 
 all: $(LIBA) $(LIBSO) $(LIBPC)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index b9be1c9d..f9f4648a 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -166,7 +166,7 @@  static int nodups_specs(struct saved_data *data, const char *path)
 	return rc;
 }
 
-static int process_text_file(FILE *fp, const char *prefix,
+static int process_text_file(FILE *fp,
 			     struct selabel_handle *rec, const char *path)
 {
 	int rc;
@@ -175,7 +175,7 @@  static int process_text_file(FILE *fp, const char *prefix,
 	char *line_buf = NULL;
 
 	while (getline(&line_buf, &line_len, fp) > 0) {
-		rc = process_line(rec, path, prefix, line_buf, ++lineno);
+		rc = process_line(rec, path, line_buf, ++lineno);
 		if (rc)
 			goto out;
 	}
@@ -603,7 +603,7 @@  static FILE *open_file(const char *path, const char *suffix,
 
 static int process_file(const char *path, const char *suffix,
 			  struct selabel_handle *rec,
-			  const char *prefix, struct selabel_digest *digest)
+			  struct selabel_digest *digest)
 {
 	int rc;
 	unsigned int i;
@@ -624,7 +624,7 @@  static int process_file(const char *path, const char *suffix,
 
 		rc = fcontext_is_binary(fp) ?
 				load_mmap(fp, sb.st_size, rec, found_path) :
-				process_text_file(fp, prefix, rec, found_path);
+				process_text_file(fp, rec, found_path);
 		if (!rc)
 			rc = digest_add_specfile(digest, fp, NULL, sb.st_size,
 				found_path);
@@ -785,7 +785,6 @@  static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 {
 	struct saved_data *data = (struct saved_data *)rec->data;
 	const char *path = NULL;
-	const char *prefix = NULL;
 	int status = -1, baseonly = 0;
 
 	/* Process arguments */
@@ -795,7 +794,7 @@  static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 			path = opts[n].value;
 			break;
 		case SELABEL_OPT_SUBSET:
-			prefix = opts[n].value;
+			selinux_log(SELINUX_WARNING, "selabel_open(3): SELABEL_OPT_SUBSET support has been removed, ignoring option\n");
 			break;
 		case SELABEL_OPT_BASEONLY:
 			baseonly = !!opts[n].value;
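Review bot: The new `SELABEL_OPT_SUBSET` case warns whenever the option type is present, even when `opts[n].value` is NULL. With the old `prefix = opts[n].value;` a NULL value simply meant "no subset", so a caller that always fills this slot would now get a warning on every `selabel_open()` although nothing is being dropped. Guarding the call as `if (opts[n].value) selinux_log(SELINUX_WARNING, ...);` keeps the message for the callers whose filter is actually discarded, which matters because this log line is their only runtime signal. The body of `init` continues outside the hunk.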
@@ -839,7 +838,7 @@  static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 	/*
 	 * The do detailed validation of the input and fill the spec array
 	 */
-	status = process_file(path, NULL, rec, prefix, rec->digest);
+	status = process_file(path, NULL, rec, rec->digest);
 	if (status)
 		goto finish;
 
@@ -850,13 +849,11 @@  static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 	}
 
 	if (!baseonly) {
-		status = process_file(path, "homedirs", rec, prefix,
-							    rec->digest);
+		status = process_file(path, "homedirs", rec, rec->digest);
 		if (status && errno != ENOENT)
 			goto finish;
 
-		status = process_file(path, "local", rec, prefix,
-							    rec->digest);
+		status = process_file(path, "local", rec, rec->digest);
 		if (status && errno != ENOENT)
 			goto finish;
 	}
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 1363c83c..56439e2d 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -425,10 +425,10 @@  static inline int compile_regex(struct spec *spec, const char **errbuf)
 /* This service is used by label_file.c process_file() and
  * utils/sefcontext_compile.c */
 static inline int process_line(struct selabel_handle *rec,
-			const char *path, const char *prefix,
+			const char *path,
 			char *line_buf, unsigned lineno)
 {
-	int items, len, rc;
+	int items, rc;
 	char *regex = NULL, *type = NULL, *context = NULL;
 	struct saved_data *data = (struct saved_data *)rec->data;
 	struct spec *spec_arr;
@@ -466,15 +466,6 @@  static inline int process_line(struct selabel_handle *rec,
 		type = 0;
 	}
 
-	len = get_stem_from_spec(regex);
-	if (len && prefix && strncmp(prefix, regex, len)) {
-		/* Stem of regex does not match requested prefix, discard. */
-		free(regex);
-		free(type);
-		free(context);
-		return 0;
-	}
-
 	rc = grow_specs(data);
 	if (rc)
 		return rc;
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index a1c5b0cc..971ace62 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -347,7 +347,7 @@  static void matchpathcon_init_once(void)
 		destructor_key_initialized = 1;
 }
 
-int matchpathcon_init_prefix(const char *path, const char *subset)
+int matchpathcon_init_prefix(const char *path, const char *prefix __attribute__((unused)))
 {
 	if (!mycanoncon)
 		mycanoncon = default_canoncon;
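Review bot: `matchpathcon_init_prefix` now discards a non-NULL `prefix` without any runtime message. The parameter is marked unused here and the next hunk stops filling `options[SELABEL_OPT_SUBSET]`, so the warning added to `init` in label_file.c is never reached on this path. Binaries that are already built never see the compile-time deprecation attribute, so a log line is the only way they learn the subset restriction is gone. Consider `if (prefix) selinux_log(SELINUX_WARNING, "matchpathcon_init_prefix(3): prefix argument is ignored\n");` and dropping `__attribute__((unused))`, assuming `selinux_log` is usable in this file. The function body continues outside the hunk.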
@@ -355,8 +355,6 @@  int matchpathcon_init_prefix(const char *path, const char *subset)
 	__selinux_once(once, matchpathcon_init_once);
 	__selinux_setspecific(destructor_key, /* some valid address to please GCC */ &selinux_page_size);
 
-	options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
-	options[SELABEL_OPT_SUBSET].value = subset;
 	options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
 	options[SELABEL_OPT_PATH].value = path;
 
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index 1d713c01..8e1c45c1 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -13,7 +13,7 @@ 
 static __attribute__ ((__noreturn__)) void usage(const char *progname)
 {
 	fprintf(stderr,
-		"usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
+		"usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-P policy_root_path] filepath...\n",
 		progname);
 	exit(1);
 }
@@ -83,7 +83,7 @@  int main(int argc, char **argv)
 	if (argc < 2)
 		usage(argv[0]);
 
-	while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) {
+	while ((opt = getopt(argc, argv, "m:Nnf:P:Vq")) > 0) {
 		switch (opt) {
 		case 'n':
 			header = 0;
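Review bot: Removing `p:` from the getopt string turns `-p prefix` from a deprecated but accepted option into an unrecognised one, so scripts that still pass it will presumably fail instead of running. The switch's default branch is outside the hunk, so the exact failure mode is inferred. The library side of this patch takes the softer route of ignoring the option with a warning. For consistency, keep `"m:Nnf:P:p:Vq"` and reduce the case deleted in the following hunk to `case 'p': fprintf(stderr, "Warning: %s -p is no longer supported and is ignored\n", argv[0]); break;`. Either way, the diffstat touches no man pages, so any documentation of `-p` and SELABEL_OPT_SUBSET would need a matching update.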
@@ -114,13 +114,6 @@  int main(int argc, char **argv)
 				exit(1);
 			}
 			break;
-		case 'p':
-			// This option has been deprecated since libselinux 2.5 (2016):
-			// https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
-			fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
-			options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
-			options[SELABEL_OPT_SUBSET].value = optarg;
-			break;
 		case 'q':
 			quiet = 1;
 			break;
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
index 6c32172d..eed6e4fd 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -36,7 +36,6 @@  static int process_file(struct selabel_handle *rec, const char *filename)
 	char *line_buf = NULL;
 	size_t line_len = 0;
 	FILE *context_file;
-	const char *prefix = NULL;
 
 	context_file = fopen(filename, "r");
 	if (!context_file) {
@@ -48,7 +47,7 @@  static int process_file(struct selabel_handle *rec, const char *filename)
 	line_num = 0;
 	rc = 0;
 	while (getline(&line_buf, &line_len, context_file) > 0) {
-		rc = process_line(rec, filename, prefix, line_buf, ++line_num);
+		rc = process_line(rec, filename, line_buf, ++line_num);
 		if (rc || ctx_err) {
 			/* With -p option need to check and fail if ctx err as
 			 * process_line() context validation on Linux does not