parent
a0e1f77f78
commit
ca10ac8130
@ -0,0 +1,95 @@
|
||||
From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Sun, 23 Jun 2024 14:26:04 +0200
|
||||
Subject: [PATCH] libselinux: deprecate security_disable(3)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The runtime disable functionality has been removed in Linux 6.4. Thus
|
||||
security_disable(3) will no longer work on these kernels.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
libselinux/include/selinux/selinux.h | 6 +++++-
|
||||
libselinux/man/man3/security_disable.3 | 3 ++-
|
||||
libselinux/src/load_policy.c | 2 ++
|
||||
libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
|
||||
4 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
|
||||
index 61c1422b..1318a66a 100644
|
||||
--- a/libselinux/include/selinux/selinux.h
|
||||
+++ b/libselinux/include/selinux/selinux.h
|
||||
@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
|
||||
/* Get the checkreqprot value */
|
||||
extern int security_get_checkreqprot(void);
|
||||
|
||||
-/* Disable SELinux at runtime (must be done prior to initial policy load). */
|
||||
+/* Disable SELinux at runtime (must be done prior to initial policy load).
|
||||
+ Unsupported since Linux 6.4. */
|
||||
+#ifdef __GNUC__
|
||||
+__attribute__ ((deprecated))
|
||||
+#endif
|
||||
extern int security_disable(void);
|
||||
|
||||
/* Get the policy version number. */
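Review bot: The deprecation attribute carries no message, so a consumer compiling a call to security_disable() sees only a generic "is deprecated" warning and the Linux 6.4 reason stays in the comment above the declaration; if the project's minimum GCC/clang allows it, `__attribute__ ((deprecated("unsupported since Linux 6.4")))` puts the reason into the diagnostic itself, which is where a caller deciding whether to drop the call will read it. Since this is a public header, any project building against it with -Werror=deprecated-declarations will stop compiling until it updates its own call sites, which is worth stating in the commit message or release notes.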
|
||||
diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
|
||||
index 072923ce..5ad8b778 100644
|
||||
--- a/libselinux/man/man3/security_disable.3
|
||||
+++ b/libselinux/man/man3/security_disable.3
|
||||
@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
|
||||
and then unmounts
|
||||
.IR /sys/fs/selinux .
|
||||
.sp
|
||||
-This function can only be called at runtime and prior to the initial policy
|
||||
+This function is only supported on Linux 6.3 and earlier, and can only be
|
||||
+called at runtime and prior to the initial policy
|
||||
load. After the initial policy load, the SELinux kernel code cannot be disabled,
|
||||
but only placed in "permissive" mode by using
|
||||
.BR security_setenforce(3).
|
||||
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
|
||||
index 57d7aaef..dc1e4b6e 100644
|
||||
--- a/libselinux/src/load_policy.c
|
||||
+++ b/libselinux/src/load_policy.c
|
||||
@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
|
||||
|
||||
if (seconfig == -1) {
|
||||
/* Runtime disable of SELinux. */
|
||||
+ IGNORE_DEPRECATED_DECLARATION_BEGIN
|
||||
rc = security_disable();
|
||||
+ IGNORE_DEPRECATED_DECLARATION_END
|
||||
if (rc == 0) {
|
||||
/* Successfully disabled, so umount selinuxfs too. */
|
||||
umount(selinux_mnt);
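Review bot: On Linux 6.4 and later the security_disable() call at this point will always fail, and the hunk only silences the deprecation warning around it; the failure branch after `if (rc == 0)` lies outside the hunk, so it is worth confirming that it reports the unsupported runtime disable rather than continuing silently, because an administrator who configured SELinux as disabled otherwise ends up with the kernel code still active and no indication why. A comment above the call, `/* Fails on Linux >= 6.4, where runtime disable was removed from the kernel. */`, would document the expected outcome for the next reader. selinux_init_load_policy() begins and ends outside the hunk.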
|
||||
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
|
||||
index b134808e..450a42c2 100644
|
||||
--- a/libselinux/src/selinux_internal.h
|
||||
+++ b/libselinux/src/selinux_internal.h
|
||||
@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
|
||||
#define ignore_unsigned_overflow_
|
||||
#endif
|
||||
|
||||
+/* Ignore usage of deprecated declaration */
|
||||
+#ifdef __clang__
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
|
||||
+ _Pragma("clang diagnostic push") \
|
||||
+ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_END \
|
||||
+ _Pragma("clang diagnostic pop")
|
||||
+#elif defined __GNUC__
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
|
||||
+ _Pragma("GCC diagnostic push") \
|
||||
+ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_END \
|
||||
+ _Pragma("GCC diagnostic pop")
|
||||
+#else
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
|
||||
+#define IGNORE_DEPRECATED_DECLARATION_END
|
||||
+#endif
|
||||
+
|
||||
#endif /* SELINUX_INTERNAL_H_ */
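Review bot: The new macros expand to a diagnostic push/pop pair, so a BEGIN without its matching END (or vice versa) in a translation unit leaves the compiler's diagnostic stack unbalanced and silently changes warning state for all code that follows; the comment should say so, e.g. `/* Ignore usage of deprecated declaration; must be used in matched BEGIN/END pairs (expands to a diagnostic push/pop). */`. The separate clang branch is harmless but appears redundant, since clang also honours the `GCC diagnostic` pragmas, so the `#elif defined __GNUC__` branch alone would presumably cover both compilers.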
|
||||
--
|
||||
2.46.0
|
||||
|