Message ID | 20240623122604.34890-1-cgoettsche@seltendoof.de (mailing list archive) |
---|---|
State | Accepted |
Commit | 463584cb0592 |
Delegated to: | Petr Lautrbach |
Series | [v2] libselinux: deprecate security_disable(3) | expand |
On Sun, Jun 23, 2024 at 8:26 AM Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > From: Christian Göttsche <cgzones@googlemail.com> > > The runtime disable functionality has been removed in Linux 6.4. Thus > security_disable(3) will no longer work on these kernels. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > v2: > Ignore deprecation warning by the internal usage of > security_disable(3) in load_policy(8). > --- > libselinux/include/selinux/selinux.h | 6 +++++- > libselinux/man/man3/security_disable.3 | 3 ++- > libselinux/src/load_policy.c | 2 ++ > libselinux/src/selinux_internal.h | 18 ++++++++++++++++++ > 4 files changed, 27 insertions(+), 2 deletions(-) > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > index 61c1422b..1318a66a 100644 > --- a/libselinux/include/selinux/selinux.h > +++ b/libselinux/include/selinux/selinux.h > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > /* Get the checkreqprot value */ > extern int security_get_checkreqprot(void); > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > +/* Disable SELinux at runtime (must be done prior to initial policy load). > + Unsupported since Linux 6.4. */ > +#ifdef __GNUC__ > +__attribute__ ((deprecated)) > +#endif > extern int security_disable(void); > > /* Get the policy version number. */ > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > index 072923ce..5ad8b778 100644 > --- a/libselinux/man/man3/security_disable.3 > +++ b/libselinux/man/man3/security_disable.3 
> @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > and then unmounts > .IR /sys/fs/selinux . > .sp > -This function can only be called at runtime and prior to the initial policy > +This function is only supported on Linux 6.3 and earlier, and can only be > +called at runtime and prior to the initial policy > load. After the initial policy load, the SELinux kernel code cannot be disabled, > but only placed in "permissive" mode by using > .BR security_setenforce(3). > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c > index 57d7aaef..dc1e4b6e 100644 > --- a/libselinux/src/load_policy.c > +++ b/libselinux/src/load_policy.c > @@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce) > > if (seconfig == -1) { > /* Runtime disable of SELinux. */ > + IGNORE_DEPRECATED_DECLARATION_BEGIN > rc = security_disable(); > + IGNORE_DEPRECATED_DECLARATION_END > if (rc == 0) { > /* Successfully disabled, so umount selinuxfs too. */ > umount(selinux_mnt); > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h > index b134808e..450a42c2 100644 > --- a/libselinux/src/selinux_internal.h > +++ b/libselinux/src/selinux_internal.h 
> @@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); > #define ignore_unsigned_overflow_ > #endif > > +/* Ignore usage of deprecated declaration */ > +#ifdef __clang__ > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \ > + _Pragma("clang diagnostic push") \ > + _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") > +#define IGNORE_DEPRECATED_DECLARATION_END \ > + _Pragma("clang diagnostic pop") > +#elif defined __GNUC__ > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \ > + _Pragma("GCC diagnostic push") \ > + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") > +#define IGNORE_DEPRECATED_DECLARATION_END \ > + _Pragma("GCC diagnostic pop") > +#else > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN > +#define IGNORE_DEPRECATED_DECLARATION_END > +#endif > + > #endif /* SELINUX_INTERNAL_H_ */ > -- > 2.45.2 > >
On Mon, Jun 24, 2024 at 9:17 AM James Carter <jwcart2@gmail.com> wrote: > > On Sun, Jun 23, 2024 at 8:26 AM Christian Göttsche > <cgoettsche@seltendoof.de> wrote: > > > > From: Christian Göttsche <cgzones@googlemail.com> > > > > The runtime disable functionality has been removed in Linux 6.4. Thus > > security_disable(3) will no longer work on these kernels. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > v2: > > Ignore deprecation warning by the internal usage of > > security_disable(3) in load_policy(8). > > --- > > libselinux/include/selinux/selinux.h | 6 +++++- > > libselinux/man/man3/security_disable.3 | 3 ++- > > libselinux/src/load_policy.c | 2 ++ > > libselinux/src/selinux_internal.h | 18 ++++++++++++++++++ > > 4 files changed, 27 insertions(+), 2 deletions(-) > > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > > index 61c1422b..1318a66a 100644 > > --- a/libselinux/include/selinux/selinux.h > > +++ b/libselinux/include/selinux/selinux.h > > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > > /* Get the checkreqprot value */ > > extern int security_get_checkreqprot(void); > > > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > > +/* Disable SELinux at runtime (must be done prior to initial policy load). > > + Unsupported since Linux 6.4. */ > > +#ifdef __GNUC__ > > +__attribute__ ((deprecated)) > > +#endif > > extern int security_disable(void); > > > > /* Get the policy version number. */ > > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > > index 072923ce..5ad8b778 100644 > > --- a/libselinux/man/man3/security_disable.3 > > +++ b/libselinux/man/man3/security_disable.3 
> > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > > and then unmounts > > .IR /sys/fs/selinux . > > .sp > > -This function can only be called at runtime and prior to the initial policy > > +This function is only supported on Linux 6.3 and earlier, and can only be > > +called at runtime and prior to the initial policy > > load. After the initial policy load, the SELinux kernel code cannot be disabled, > > but only placed in "permissive" mode by using > > .BR security_setenforce(3). > > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c > > index 57d7aaef..dc1e4b6e 100644 > > --- a/libselinux/src/load_policy.c > > +++ b/libselinux/src/load_policy.c > > @@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce) > > > > if (seconfig == -1) { > > /* Runtime disable of SELinux. */ > > + IGNORE_DEPRECATED_DECLARATION_BEGIN > > rc = security_disable(); > > + IGNORE_DEPRECATED_DECLARATION_END > > if (rc == 0) { > > /* Successfully disabled, so umount selinuxfs too. */ > > umount(selinux_mnt); > > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h > > index b134808e..450a42c2 100644 > > --- a/libselinux/src/selinux_internal.h > > +++ b/libselinux/src/selinux_internal.h 
> > @@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size); > > #define ignore_unsigned_overflow_ > > #endif > > > > +/* Ignore usage of deprecated declaration */ > > +#ifdef __clang__ > > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \ > > + _Pragma("clang diagnostic push") \ > > + _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") > > +#define IGNORE_DEPRECATED_DECLARATION_END \ > > + _Pragma("clang diagnostic pop") > > +#elif defined __GNUC__ > > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \ > > + _Pragma("GCC diagnostic push") \ > > + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") > > +#define IGNORE_DEPRECATED_DECLARATION_END \ > > + _Pragma("GCC diagnostic pop") > > +#else > > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN > > +#define IGNORE_DEPRECATED_DECLARATION_END > > +#endif > > + > > #endif /* SELINUX_INTERNAL_H_ */ > > -- > > 2.45.2 > > > >
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 61c1422b..1318a66a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
 /* Get the checkreqprot value */
 extern int security_get_checkreqprot(void);
 
-/* Disable SELinux at runtime (must be done prior to initial policy load). */
+/* Disable SELinux at runtime (must be done prior to initial policy load).
+ Unsupported since Linux 6.4. */
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
 extern int security_disable(void);
 
 /* Get the policy version number. */
diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index 072923ce..5ad8b778 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
 and then unmounts
 .IR /sys/fs/selinux .
 .sp
-This function can only be called at runtime and prior to the initial policy
+This function is only supported on Linux 6.3 and earlier, and can only be
+called at runtime and prior to the initial policy
 load. After the initial policy load, the SELinux kernel code cannot be disabled,
 but only placed in "permissive" mode by using
 .BR security_setenforce(3).
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 57d7aaef..dc1e4b6e 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
 
 if (seconfig == -1) {
 /* Runtime disable of SELinux. */
+ IGNORE_DEPRECATED_DECLARATION_BEGIN
 rc = security_disable();
+ IGNORE_DEPRECATED_DECLARATION_END
 if (rc == 0) {
 /* Successfully disabled, so umount selinuxfs too. */
 umount(selinux_mnt);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index b134808e..450a42c2 100644
--- a/libselinux/src/selinux_internal.h
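Review bot: The `__attribute__ ((deprecated))` added in the selinux.h hunk carries no message, so callers only get a generic "is deprecated" diagnostic and have to go looking for the reason. GCC and clang accept an optional string argument, so `__attribute__ ((deprecated("runtime disable is unsupported since Linux 6.4")))` would put the reason from the commit message into the warning itself. The existing `#ifdef __GNUC__` guard already limits this to compilers that understand the attribute, so the message form needs no further guard.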
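Review bot: The context comment `/* Runtime disable of SELinux. */` in the load_policy.c hunk still reads as a supported path, while the suppression macros now placed around `rc = security_disable();` exist precisely because it is not; a reader of the warning-free build will not learn that from the code. Suggest `/* Runtime disable of SELinux; unsupported since Linux 6.4, kept for older kernels. */`. Only the `rc == 0` branch is visible in the hunk, so how a failure on a newer kernel is reported cannot be checked here; `selinux_init_load_policy` begins and ends outside the hunk.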
+++ b/libselinux/src/selinux_internal.h
@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
 #define ignore_unsigned_overflow_
 #endif
 
+/* Ignore usage of deprecated declaration */
+#ifdef __clang__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("clang diagnostic push") \
+ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("clang diagnostic pop")
+#elif defined __GNUC__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("GCC diagnostic push") \
+ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("GCC diagnostic pop")
+#else
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
+#define IGNORE_DEPRECATED_DECLARATION_END
+#endif
+
 #endif /* SELINUX_INTERNAL_H_ */
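Review bot: The comment `/* Ignore usage of deprecated declaration */` above the new macro pair does not state its usage contract, which is the part a later user is most likely to get wrong. Suggest expanding it to say that BEGIN and END must be used in matched pairs within one translation unit, that each expands to a bare `_Pragma` and is therefore written on its own line with no trailing semicolon (as the load_policy.c hunk does), and that on compilers other than clang and GCC both expand to nothing, so the wrapped call still compiles but its deprecation warning is not suppressed. Testing `#ifdef __clang__` before `#elif defined __GNUC__` is the right order because clang also defines `__GNUC__`; a one-line comment saying so would keep a future cleanup from swapping the branches.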