On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > The runtime disable functionality has been removed in Linux 6.4. Thus > security_disable(3) will no longer work on these kernels. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > libselinux/include/selinux/selinux.h | 6 +++++- > libselinux/man/man3/security_disable.3 | 3 ++- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > index 61c1422b..1318a66a 100644 > --- a/libselinux/include/selinux/selinux.h > +++ b/libselinux/include/selinux/selinux.h > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > /* Get the checkreqprot value */ > extern int security_get_checkreqprot(void); > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > +/* Disable SELinux at runtime (must be done prior to initial policy load). > + Unsupported since Linux 6.4. */ > +#ifdef __GNUC__ > +__attribute__ ((deprecated)) > +#endif > extern int security_disable(void); > This causes the userspace build to fail. load_policy.c:329:17: error: ‘security_disable’ is deprecated [-Werror=deprecated-declarations] 329 | rc = security_disable(); | ^~ In file included from selinux_internal.h:4, from load_policy.c:13: Maybe we should just print a warning message for now until we can remove the internal usage. Thanks, Jim > /* Get the policy version number. */ > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > index 072923ce..5ad8b778 100644 > --- a/libselinux/man/man3/security_disable.3 > +++ b/libselinux/man/man3/security_disable.3 
> @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > and then unmounts > .IR /sys/fs/selinux . > .sp > -This function can only be called at runtime and prior to the initial policy > +This function is only supported on Linux 6.3 and earlier, and can only be > +called at runtime and prior to the initial policy > load. After the initial policy load, the SELinux kernel code cannot be disabled, > but only placed in "permissive" mode by using > .BR security_setenforce(3). > -- > 2.45.1 > >
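Review bot: The bare `__attribute__ ((deprecated))` on `security_disable` in the selinux.h hunk breaks any in-tree caller compiled with `-Werror=deprecated-declarations`, as the reply shows for `load_policy.c:329`; the attribute should land together with (or after) the change that removes or guards the remaining internal call in load_policy.c, or the internal caller should suppress the warning locally, so that the header change alone cannot turn the project's own build red. The `#ifdef __GNUC__` guard is fine for both GCC and Clang, but the comment added above the declaration ("Unsupported since Linux 6.4.") is the only place a caller learns why it is deprecated; consider repeating that reason where the deprecation is emitted so the diagnostic is self-explanatory.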
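Review bot: The security_disable.3 hunk says the function "is only supported on Linux 6.3 and earlier" but does not say what a caller observes on a newer kernel; since the commit message states the call "will no longer work" there, the man page should spell out the failure the caller gets (return value and errno) on 6.4 and later, and should mention that the declaration is now marked deprecated so that the documentation matches the header change in the same series.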