From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sun, 23 Jun 2024 14:26:04 +0200
Subject: [PATCH] libselinux: deprecate security_disable(3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The runtime disable functionality has been removed in Linux 6.4. Thus
security_disable(3) will no longer work on these kernels.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
libselinux/include/selinux/selinux.h | 6 +++++-
libselinux/man/man3/security_disable.3 | 3 ++-
libselinux/src/load_policy.c | 2 ++
libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
4 files changed, 27 insertions(+), 2 deletions(-)
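diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 61c1422b..1318a66a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
 /* Get the checkreqprot value */
 extern int security_get_checkreqprot(void);
 
-/* Disable SELinux at runtime (must be done prior to initial policy load). */
+/* Disable SELinux at runtime (must be done prior to initial policy load).
+ Unsupported since Linux 6.4. */
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
 extern int security_disable(void);
 
 /* Get the policy version number. */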
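Review bot: The `__attribute__ ((deprecated))` added above `extern int security_disable(void);` carries no message, so a caller only sees a generic deprecation warning and has to open the header to learn why; GCC and clang both accept a string argument, `__attribute__ ((deprecated("unsupported since Linux 6.4")))`, which puts the reason into the diagnostic itself. The `#ifdef __GNUC__` guard already covers clang, which defines `__GNUC__`, so no separate clang branch is needed here. Any in-tree caller that still invokes the function will now warn (and fail under -Werror) unless wrapped the way the commit does in load_policy.c, so it is worth checking that no other internal call site remains.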
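diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index 072923ce..5ad8b778 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
 and then unmounts
 .IR /sys/fs/selinux .
 .sp
-This function can only be called at runtime and prior to the initial policy
+This function is only supported on Linux 6.3 and earlier, and can only be
+called at runtime and prior to the initial policy
 load. After the initial policy load, the SELinux kernel code cannot be disabled,
 but only placed in "permissive" mode by using
 .BR security_setenforce(3).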
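diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 57d7aaef..dc1e4b6e 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
 
 if (seconfig == -1) {
 /* Runtime disable of SELinux. */
+ IGNORE_DEPRECATED_DECLARATION_BEGIN
 rc = security_disable();
+ IGNORE_DEPRECATED_DECLARATION_END
 if (rc == 0) {
 /* Successfully disabled, so umount selinuxfs too. */
 umount(selinux_mnt);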
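Review bot: The comment `/* Runtime disable of SELinux. */` above the now-wrapped call no longer explains why a deprecated function is still invoked on purpose, which is exactly what the next reader of the pragma pair will ask; I would extend it to `/* Runtime disable of SELinux; deprecated because Linux 6.4 and later no longer support it, in which case the call fails and we fall through below. */`. The two `IGNORE_DEPRECATED_DECLARATION_*` macros are defined in selinux_internal.h, and the hunk does not show that load_policy.c includes that header, so confirm the include is present or the wrapped statement will not compile. What happens when `rc != 0` on a newer kernel is outside the hunk; selinux_init_load_policy begins and ends outside it.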
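diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index b134808e..450a42c2 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
 #define ignore_unsigned_overflow_
 #endif
 
+/* Ignore usage of deprecated declaration */
+#ifdef __clang__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("clang diagnostic push") \
+ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("clang diagnostic pop")
+#elif defined __GNUC__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("GCC diagnostic push") \
+ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("GCC diagnostic pop")
+#else
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
+#define IGNORE_DEPRECATED_DECLARATION_END
+#endif
+
 #endif /* SELINUX_INTERNAL_H_ */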
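Review bot: The comment `/* Ignore usage of deprecated declaration */` does not say that the two macros must be used as a pair: BEGIN pushes the diagnostic state and END pops it, so a BEGIN without a matching END leaves -Wdeprecated-declarations silenced for the rest of the translation unit, which would hide future deprecations in that file. I would write `/* Suppress -Wdeprecated-declarations for the statements between BEGIN and END; always use them as a pair so the diagnostic state is restored. */`. The separate `#ifdef __clang__` branch is also redundant in practice, since clang defines `__GNUC__` and honors the `GCC diagnostic` pragmas, so the `#elif defined __GNUC__` branch alone would cover both compilers; keeping it is harmless but duplicates four lines to maintain. On other compilers both macros expand to nothing, which is the right fallback for a warning-only attribute.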
--
2.46.0