On Wed, Nov 1, 2023 at 1:29 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Tue, 10 Oct 2023 at 20:45, Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Tue, Oct 10, 2023 at 1:08 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> > >
> > > On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche
> > > <cgzones@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > The selabel_file(5) option SELABEL_OPT_SUBSET has been deprecated in
> > > > commit 26e05da0fc2d ("libselinux: matchpathcon/selabel_file: Fix man
> > > > pages.") for version 2.5.
> > > >
> > > > Drop the support to easy refactoring the selabel_file related code.
> > > >
> > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > > ---
> > > > libselinux/include/selinux/label.h | 2 +-
> > > > libselinux/include/selinux/selinux.h | 6 +++++-
> > > > libselinux/src/Makefile | 4 ++++
> > > > libselinux/src/label_file.c | 19 ++++++++-----------
> > > > libselinux/src/label_file.h | 13 ++-----------
> > > > libselinux/src/matchpathcon.c | 4 +---
> > > > libselinux/utils/matchpathcon.c | 11 ++---------
> > > > libselinux/utils/sefcontext_compile.c | 3 +--
> > > > 8 files changed, 24 insertions(+), 38 deletions(-)
> > > >
> > > > diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
> > > > index ce189a3a..6cb2d782 100644
> > > > --- a/libselinux/include/selinux/label.h
> > > > +++ b/libselinux/include/selinux/label.h
> > > > @@ -50,7 +50,7 @@ struct selabel_handle;
> > > > #define SELABEL_OPT_BASEONLY 2
> > > > /* specify an alternate path to use when loading backend data */
> > > > #define SELABEL_OPT_PATH 3
> > > > -/* select a subset of the search space as an optimization (file backend) */
> > > > +/* Unsupported since v3.6: select a subset of the search space as an optimization (file backend) */
> > > > #define SELABEL_OPT_SUBSET 4
> > > > /* require a hash calculation on spec files */
> > > > #define SELABEL_OPT_DIGEST 5
> > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > > > index a0948853..3b23cb50 100644
> > > > --- a/libselinux/include/selinux/selinux.h
> > > > +++ b/libselinux/include/selinux/selinux.h
> > > > @@ -484,7 +484,11 @@ extern int matchpathcon_init(const char *path)
> > > >
> > > > /* Same as matchpathcon_init, but only load entries with
> > > > regexes that have stems that are prefixes of 'prefix'. */
> > > > -extern int matchpathcon_init_prefix(const char *path, const char *prefix);
> > > > +extern int matchpathcon_init_prefix(const char *path, const char *prefix)
> > > > +#ifdef __GNUC__
> > > > + __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
> > > > +#endif
> > > > +;
> > > >
> > > > /* Free the memory allocated by matchpathcon_init. */
> > > > extern void matchpathcon_fini(void)
> > > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > > index ac656257..15d224e1 100644
> > > > --- a/libselinux/src/Makefile
> > > > +++ b/libselinux/src/Makefile
> > > > @@ -144,6 +144,10 @@ ifeq ($(DISABLE_X11),y)
> > > > SRCS:= $(filter-out label_x.c, $(SRCS))
> > > > endif
> > > >
> > > > +# ignore usage of matchpathcon_init_prefix(3)
> > > > +matchpathcon.o: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > > +matchpathcon.lo: CFLAGS += -Wno-deprecated -Wno-deprecated-declarations
> > > > +
> > >
> > > "-Wno-deprecated" means do not warn about deprecated features and
> > > seems to be about deprecated c++ features. I don't think we need it
> > > here.
> > >
> > > Everything else looks ok to me as long as no distro is depending on
> > > this deprecated option.
> >
> > Removing an option flag defined in the public API of libselinux would
> > be an API and ABI break, requiring a major version change. Not worth
> > it IMHO.
>
> No function or macro from the public header, and no exported symbol in
> the shared library is removed or changed, so it's not an API or ABI
> break.
Fair point - my apologies.
> It is an behavior change since a lookup of /etc/shadow with the prefix
> of /usr will now return a result, and not ENOENT.
That still seems like a reason to keep it to me, or if not, to change
the .so version to reflect the compatibility break.
Others are free to disagree.
> It seems the flag was introduced as a performance optimization, which
> should no longer be necessary by the followup rewrite.
> I could try to continue to support to the flag however.
