On Tue, 10 Oct 2023 at 20:45, Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Tue, Oct 10, 2023 at 1:08 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > >
> > > The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> > > commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> > > pages.") for version 2.5.
> > >
> > > Drop the support to easy refactoring the selabel_file related code.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > ---
> > > libselinux/include/selinux/label.h | 2 +-
> > > libselinux/include/selinux/selinux.h | 6 +++++-
> > > libselinux/src/Makefile | 4 ++++
> > > libselinux/src/label_file.c | 19 ++++++++-----------
> > > libselinux/src/label_file.h | 13 ++-----------
> > > libselinux/src/matchpathcon.c | 4 +---
> > > libselinux/utils/matchpathcon.c | 11 ++---------
> > > libselinux/utils/sefcontext_compile.c | 3 +--
> > > 8 files changed, 24 insertions(+), 38 deletions(-)
> > >
> > > diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> > > index ce189a3a..6cb2d782 100644
> > > --- a/libselinux/include/selinux/label.h
> > > +++ b/libselinux/include/selinux/label.h
> > > @@ -50,7 +50,7 @@ struct selabel_handle;
> > > #define SELABEL_OPT_BASEONLY 2
> > > /* specify an alternate path to use when loading backend data */
> > > #define SELABEL_OPT_PATH 3
> > > -/* select a subset of the search space as an optimization (file backend) */
> > > +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
> > > #define SELABEL_OPT_SUBSET 4
> > > /* require a hash calculation on spec files */
> > > #define SELABEL_OPT_DIGEST 5
> > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > > index a0948853..3b23cb50 100644
> > > --- a/libselinux/include/selinux/selinux.h
> > > +++ b/libselinux/include/selinux/selinux.h
> > > @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
> > >
> > > /* Same as matchpathcon_init, but only load entries with
> > > regexes that have stems that are prefixes of 'prefix'. */
> > > -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> > > +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> > > +#ifdef __GNUC__
> > > + __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> > > +#endif
> > > +;
> > >
> > > /* Free the memory allocated by matchpathcon_init. */
> > > extern void matchpathcon_fini(void)
> > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > index ac656257..15d224e1 100644
> > > --- a/libselinux/src/Makefile
> > > +++ b/libselinux/src/Makefile
> > > @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
> > > SRCS:= $(filter-out label_x.c, $(SRCS))
> > > endif
> > >
> > > +# ignore usage of matchpathcon_init_prefix(3)
> > > +matchpathcon.o: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > +
> >
> > "-Wno-deprecated" means do not warn about deprecated features and
> > seems to be about deprecated c++ features. I don't think we need it
> > here.
> >
> > Everything else looks ok to me as long as no distro is depending on
> > this deprecated option.
>
> Removing an option flag defined in the public API of libselinux would
> be an API and ABI break, requiring a major version change. Not worth
> it IMHO.
No function or macro from the public header, and no exported symbol in
the shared library is removed or changed, so it's not an API or ABI
break.
It is an behavior change since a lookup of /etc/shadow with the prefix
of /usr will now return a result, and not ENOENT.
It seems the flag was introduced as a performance optimization, which
should no longer be necessary by the followup rewrite.
I could try to continue to support to the flag however.
