Message ID | 20240608172025.137795-1-cgoettsche@seltendoof.de (mailing list archive)
---|---
State | Superseded
Delegated to | Petr Lautrbach
Series | [1/2] libselinux: deprecate security_disable(3)
On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > From: Christian Göttsche <cgzones@googlemail.com> > > The runtime disable functionality has been removed in Linux 6.4. Thus > security_disable(3) will no longer work on these kernels. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > libselinux/include/selinux/selinux.h | 6 +++++- > libselinux/man/man3/security_disable.3 | 3 ++- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > index 61c1422b..1318a66a 100644 > --- a/libselinux/include/selinux/selinux.h > +++ b/libselinux/include/selinux/selinux.h > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > /* Get the checkreqprot value */ > extern int security_get_checkreqprot(void); > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > +/* Disable SELinux at runtime (must be done prior to initial policy load). > + Unsupported since Linux 6.4. */ > +#ifdef __GNUC__ > +__attribute__ ((deprecated)) > +#endif > extern int security_disable(void); > This causes the userspace build to fail. load_policy.c:329:17: error: ‘security_disable’ is deprecated [-Werror=deprecated-declarations] 329 | rc = security_disable(); | ^~ In file included from selinux_internal.h:4, from load_policy.c:13: Maybe we should just print a warning message for now until we can remove the internal usage. Thanks, Jim > /* Get the policy version number. */ > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > index 072923ce..5ad8b778 100644 > --- a/libselinux/man/man3/security_disable.3 > +++ b/libselinux/man/man3/security_disable.3 
> @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > and then unmounts > .IR /sys/fs/selinux . > .sp > -This function can only be called at runtime and prior to the initial policy > +This function is only supported on Linux 6.3 and earlier, and can only be > +called at runtime and prior to the initial policy > load. After the initial policy load, the SELinux kernel code cannot be disabled, > but only placed in "permissive" mode by using > .BR security_setenforce(3). > -- > 2.45.1 > >
On Wed, 12 Jun 2024 at 22:43, James Carter <jwcart2@gmail.com> wrote: > > On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche > <cgoettsche@seltendoof.de> wrote: > > > > From: Christian Göttsche <cgzones@googlemail.com> > > > > The runtime disable functionality has been removed in Linux 6.4. Thus > > security_disable(3) will no longer work on these kernels. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > --- > > libselinux/include/selinux/selinux.h | 6 +++++- > > libselinux/man/man3/security_disable.3 | 3 ++- > > 2 files changed, 7 insertions(+), 2 deletions(-) > > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > > index 61c1422b..1318a66a 100644 > > --- a/libselinux/include/selinux/selinux.h > > +++ b/libselinux/include/selinux/selinux.h 
> > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > > /* Get the checkreqprot value */ > > extern int security_get_checkreqprot(void); > > > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > > +/* Disable SELinux at runtime (must be done prior to initial policy load). > > + Unsupported since Linux 6.4. */ > > +#ifdef __GNUC__ > > +__attribute__ ((deprecated)) > > +#endif > > extern int security_disable(void); > > > > This causes the userspace build to fail. > > load_policy.c:329:17: error: ‘security_disable’ is deprecated > [-Werror=deprecated-declarations] > 329 | rc = security_disable(); > | ^~ > In file included from selinux_internal.h:4, > from load_policy.c:13: > > Maybe we should just print a warning message for now until we can > remove the internal usage. Sorry for obviously not build-testing this. Printing a warning might be redundant since the kernel already does so. Besides adding the two notes (which I guess are o.k.?) we could either not annotate security_disable(3) or explicitly ignore the warning in load_policy.c (via a pragma). Do you have a preference? > > Thanks, > Jim > > > /* Get the policy version number. */ > > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > > index 072923ce..5ad8b778 100644 > > --- a/libselinux/man/man3/security_disable.3 > > +++ b/libselinux/man/man3/security_disable.3 > > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > > and then unmounts > > .IR /sys/fs/selinux . > > .sp > > -This function can only be called at runtime and prior to the initial policy > > +This function is only supported on Linux 6.3 and earlier, and can only be > > +called at runtime and prior to the initial policy > > load. After the initial policy load, the SELinux kernel code cannot be disabled, > > but only placed in "permissive" mode by using > > .BR security_setenforce(3). > > -- > > 2.45.1 > > > >
On Sat, Jun 15, 2024 at 9:34 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > On Wed, 12 Jun 2024 at 22:43, James Carter <jwcart2@gmail.com> wrote: > > > > On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche > > <cgoettsche@seltendoof.de> wrote: > > > > > > From: Christian Göttsche <cgzones@googlemail.com> > > > > > > The runtime disable functionality has been removed in Linux 6.4. Thus > > > security_disable(3) will no longer work on these kernels. > > > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > > --- > > > libselinux/include/selinux/selinux.h | 6 +++++- > > > libselinux/man/man3/security_disable.3 | 3 ++- > > > 2 files changed, 7 insertions(+), 2 deletions(-) > > > > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > > > index 61c1422b..1318a66a 100644 > > > --- a/libselinux/include/selinux/selinux.h > > > +++ b/libselinux/include/selinux/selinux.h 
> > > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > > > /* Get the checkreqprot value */ > > > extern int security_get_checkreqprot(void); > > > > > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > > > +/* Disable SELinux at runtime (must be done prior to initial policy load). > > > + Unsupported since Linux 6.4. */ > > > +#ifdef __GNUC__ > > > +__attribute__ ((deprecated)) > > > +#endif > > > extern int security_disable(void); > > > > > > > This causes the userspace build to fail. > > > > load_policy.c:329:17: error: ‘security_disable’ is deprecated > > [-Werror=deprecated-declarations] > > 329 | rc = security_disable(); > > | ^~ > > In file included from selinux_internal.h:4, > > from load_policy.c:13: > > > > Maybe we should just print a warning message for now until we can > > remove the internal usage. > > Sorry for obviously not build-testing this. > Printing a warning might be redundant since the kernel already does so. > Besides adding the two notes (which I guess are o.k.?) we could either > not annotate security_disable(3) or explicitly ignore the warning in > load_policy.c (via a pragma). > Do you have a preference? > Using the pragma to ignore the internal usage would be my preference. Thanks, Jim > > > > Thanks, > > Jim > > > > > /* Get the policy version number. */ > > > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > > > index 072923ce..5ad8b778 100644 > > > --- a/libselinux/man/man3/security_disable.3 > > > +++ b/libselinux/man/man3/security_disable.3 
> > > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > > > and then unmounts > > > .IR /sys/fs/selinux . > > > .sp > > > -This function can only be called at runtime and prior to the initial policy > > > +This function is only supported on Linux 6.3 and earlier, and can only be > > > +called at runtime and prior to the initial policy > > > load. After the initial policy load, the SELinux kernel code cannot be disabled, > > > but only placed in "permissive" mode by using > > > .BR security_setenforce(3). > > > -- > > > 2.45.1 > > > > > >
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index 61c1422b..1318a66a 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); /* Get the checkreqprot value */ extern int security_get_checkreqprot(void); -/* Disable SELinux at runtime (must be done prior to initial policy load). */ +/* Disable SELinux at runtime (must be done prior to initial policy load). + Unsupported since Linux 6.4. */ +#ifdef __GNUC__ +__attribute__ ((deprecated)) +#endif extern int security_disable(void); /* Get the policy version number. */ diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 index 072923ce..5ad8b778 100644 --- a/libselinux/man/man3/security_disable.3 +++ b/libselinux/man/man3/security_disable.3 @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from and then unmounts .IR /sys/fs/selinux . .sp -This function can only be called at runtime and prior to the initial policy +This function is only supported on Linux 6.3 and earlier, and can only be +called at runtime and prior to the initial policy load. After the initial policy load, the SELinux kernel code cannot be disabled, but only placed in "permissive" mode by using .BR security_setenforce(3).
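Review bot: the `__attribute__ ((deprecated))` added in the selinux.h hunk turns every in-tree call into a hard error under -Werror=deprecated-declarations, and load_policy.c still calls security_disable() (line 329 in the error quoted in the thread), so the hunk breaks the libselinux build as submitted. Either bracket that internal call site with `#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` and `#pragma GCC diagnostic pop` (the pragmas are honoured by both GCC and clang, which also define __GNUC__, so the existing guard covers them), or keep only the comment until the internal use is gone. The message form `__attribute__ ((deprecated("unsupported since Linux 6.4")))` would additionally make the compiler diagnostic itself state the reason.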
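Review bot: the security_disable.3 hunk records the version cutoff ("only supported on Linux 6.3 and earlier") but not what a caller observes on a newer kernel, which is what code checking the return value needs; add the failure behaviour (the return value and errno libselinux actually reports when the kernel lacks the runtime-disable interface) to the RETURN VALUE section, and note that the declaration is now marked deprecated so a compiler warning at the call site is expected rather than a bug.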