
[v2] selinux: Deprecate /sys/fs/selinux/user

Message ID 20241004172709.25165-1-stephen.smalley.work@gmail.com (mailing list archive)
State Accepted
Delegated to: Paul Moore

Commit Message

Stephen Smalley Oct. 4, 2024, 5:27 p.m. UTC
The only known user of this interface was libselinux and its
internal usage of this interface for get_ordered_context_list(3)
was removed in Feb 2020, with a deprecation warning added to
security_compute_user(3) at the same time. Add a deprecation
warning to the kernel and schedule it for final removal in 2025.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
v2 switches to pr_warn_ratelimited().

 Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
 security/selinux/selinuxfs.c                  |  4 ++++
 2 files changed, 16 insertions(+)
 create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user

Comments

Paul Moore Oct. 7, 2024, 8:39 p.m. UTC | #1
On Oct  4, 2024 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> 
> The only known user of this interface was libselinux and its
> internal usage of this interface for get_ordered_context_list(3)
> was removed in Feb 2020, with a deprecation warning added to
> security_compute_user(3) at the same time. Add a deprecation
> warning to the kernel and schedule it for final removal in 2025.
> 
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> v2 switches to pr_warn_ratelimited().
> 
>  Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
>  security/selinux/selinuxfs.c                  |  4 ++++
>  2 files changed, 16 insertions(+)
>  create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user

Merged into selinux/dev, thanks!

--
paul-moore.com
Paul Moore Oct. 7, 2024, 8:42 p.m. UTC | #2
On Mon, Oct 7, 2024 at 4:39 PM Paul Moore <paul@paul-moore.com> wrote:
> On Oct  4, 2024 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> >
> > The only known user of this interface was libselinux and its
> > internal usage of this interface for get_ordered_context_list(3)
> > was removed in Feb 2020, with a deprecation warning added to
> > security_compute_user(3) at the same time. Add a deprecation
> > warning to the kernel and schedule it for final removal in 2025.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > ---
> > v2 switches to pr_warn_ratelimited().
> >
> >  Documentation/ABI/obsolete/sysfs-selinux-user | 12 ++++++++++++
> >  security/selinux/selinuxfs.c                  |  4 ++++
> >  2 files changed, 16 insertions(+)
> >  create mode 100644 Documentation/ABI/obsolete/sysfs-selinux-user
>
> Merged into selinux/dev, thanks!

After this makes it up to Linus during the next merge window, let's
start adding some ssleep() pain to this interface to help draw
attention to the deprecation just as we did with our last couple of
deprecation removals.

Patch

diff --git a/Documentation/ABI/obsolete/sysfs-selinux-user b/Documentation/ABI/obsolete/sysfs-selinux-user
new file mode 100644
index 000000000000..8ab7557f283f
--- /dev/null
+++ b/Documentation/ABI/obsolete/sysfs-selinux-user
@@ -0,0 +1,12 @@ 
+What:		/sys/fs/selinux/user
+Date:		April 2005 (predates git)
+KernelVersion:	2.6.12-rc2 (predates git)
+Contact:	selinux@vger.kernel.org
+Description:
+
+	The selinuxfs "user" node allows userspace to request a list
+	of security contexts that can be reached for a given SELinux
+	user from a given starting context. This was used by libselinux
+	when various login-style programs requested contexts for
+	users, but libselinux stopped using it in 2020.
+	Kernel support will be removed no sooner than Dec 2025.
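Review bot: the description states the removal date but not which userspace API a caller should stop using; the commit message names security_compute_user(3) (deprecated in libselinux since Feb 2020) as the only known consumer, so naming it here would tell an administrator who sees the new kernel warning exactly what to audit in their login-style programs. Minor style point: most Documentation/ABI entries put the indented text directly under `Description:`; the blank line at the top of this description can be dropped.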
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index e172f182b65c..234f4789b787 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1069,6 +1069,10 @@  static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
 	int rc;
 	u32 i, len, nsids;
 
+	pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
+		" This will not be supported in the future; please update your"
+		" userspace.\n", current->comm, current->pid);
+
 	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
 			      SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
 			      NULL);
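Review bot: the pr_warn_ratelimited() call sits before the avc_has_perm() check for SECURITY__COMPUTE_USER, so the warning fires for every write to /sys/fs/selinux/user, including ones the policy then denies; if the intent is to flag only programs that actually use the interface, move it after the permission check, otherwise a denied caller is told to "update your userspace" for a request that never succeeded. Either placement is defensible, but the choice should be deliberate and mentioned in the commit message. Including current->comm and current->pid is the right call, as it makes the offending process identifiable from dmesg. Style point: checkpatch warns about a quoted string split across lines; kernel convention is to keep the user-visible format string on one line even past 80 columns so it stays greppable.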