On Wed, 12 Jun 2024 at 22:43, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > The runtime disable functionality has been removed in Linux 6.4. Thus
> > security_disable(3) will no longer work on these kernels.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> >  libselinux/include/selinux/selinux.h   | 6 +++++-
> >  libselinux/man/man3/security_disable.3 | 3 ++-
> >  2 files changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index 61c1422b..1318a66a 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
> >  /* Get the checkreqprot value */
> >  extern int security_get_checkreqprot(void);
> >
> > -/* Disable SELinux at runtime (must be done prior to initial policy load). */
> > +/* Disable SELinux at runtime (must be done prior to initial policy load).
> > +   Unsupported since Linux 6.4. */
> > +#ifdef __GNUC__
> > +__attribute__ ((deprecated))
> > +#endif
> >  extern int security_disable(void);
> >
>
> This causes the userspace build to fail.
>
> load_policy.c:329:17: error: ‘security_disable’ is deprecated
> [-Werror=deprecated-declarations]
>   329 |            rc = security_disable();
>       |                 ^~
> In file included from selinux_internal.h:4,
>                  from load_policy.c:13:
>
> Maybe we should just print a warning message for now until we can
> remove the internal usage.

Sorry for obviously not build-testing this.

Printing a warning might be redundant since the kernel already does so.
Besides adding the two notes (which I guess are o.k.?) we could either
not annotate security_disable(3) or explicitly ignore the warning in
load_policy.c (via a pragma).
Do you have a preference?

>
> Thanks,
> Jim
>
> >  /* Get the policy version number. */
> > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
> > index 072923ce..5ad8b778 100644
> > --- a/libselinux/man/man3/security_disable.3
> > +++ b/libselinux/man/man3/security_disable.3
> > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
> >  and then unmounts
> >  .IR /sys/fs/selinux .
> >  .sp
> > -This function can only be called at runtime and prior to the initial policy
> > +This function is only supported on Linux 6.3 and earlier, and can only be
> > +called at runtime and prior to the initial policy
> >  load. After the initial policy load, the SELinux kernel code cannot be disabled,
> >  but only placed in "permissive" mode by using
> >  .BR security_setenforce(3).
> > --
> > 2.45.1
> >
> >
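Review bot: on the selinux.h hunk, the bare `__attribute__ ((deprecated))` turns every remaining caller into a hard error under -Werror=deprecated-declarations, which is exactly the load_policy.c:329 failure quoted in the reply, and it will do the same to any out-of-tree consumer that builds with -Werror. If the annotation stays, land it in the same patch as the caller-side suppression (`#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"`, `#pragma GCC diagnostic pop` around the single call in load_policy.c) so the tree builds at every commit, and prefer the message form, `__attribute__ ((deprecated("unsupported since Linux 6.4")))`, which GCC and Clang print alongside the warning so callers see the reason without opening the header. The new comment line should also say what security_disable() returns on 6.4 and later, since "Unsupported since Linux 6.4" alone does not tell a caller how the failure surfaces.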
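Review bot: on the security_disable.3 hunk, the added sentence records that the call is unsupported on Linux 6.4 and later but not what a caller observes there; the page's return-value description should state the return value and errno on such kernels, otherwise a program cannot tell "kernel refused the disable" from "kernel has no disable at all". The wording also reads better as two statements, e.g. "This function is only supported on Linux 6.3 and earlier. It can only be called at runtime and prior to the initial policy load.", and since the header now marks the function deprecated, the man page should carry a matching deprecation notice so the documentation and the compiler say the same thing.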
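The two options Christian weighs above (drop the annotation, or keep it and silence the warning at the one in-tree call site with a pragma) come down to a small amount of C. The following is an added example written for this page, not libselinux code: the function and macro names are stand-ins chosen here, and the stand-in's "unsupported" behaviour (return -1 with errno set to ENOSYS) is an assumption made for the demonstration, not a statement of what security_disable() does on a 6.4 kernel. It shows the header side (a deprecation attribute with a message, guarded by __GNUC__ as in the patch) and the caller side (the warning suppressed for exactly one call and restored immediately afterwards, so the file still fails under -Werror if the symbol is used anywhere else).

```c
/* Added example, not libselinux code. Names and the stand-in's error
 * behaviour are assumptions made for this demonstration. */
#include <errno.h>
#include <stdio.h>

/* --- header side: what a public header such as selinux.h would carry --- */
#ifdef __GNUC__
/* GCC (4.5+) and Clang accept an explanatory string; it is printed with
 * the warning, so callers learn why without opening the header. */
#define EXAMPLE_DEPRECATED(msg) __attribute__((deprecated(msg)))
#else
#define EXAMPLE_DEPRECATED(msg)
#endif

/* Stand-in for a runtime-disable entry point that newer kernels no longer
 * support. Any use of this symbol warns; with -Werror it fails the build. */
EXAMPLE_DEPRECATED("runtime disable is unsupported since Linux 6.4")
int example_runtime_disable(void);

/* --- library side: the definition itself does not trigger the warning --- */
/* Hypothetical behaviour for the unsupported case: report failure with
 * errno set, so a caller can distinguish it from success. */
int example_runtime_disable(void)
{
    errno = ENOSYS;
    return -1;
}

/* --- caller side: the one remaining in-tree user (cf. load_policy.c) ---
 * The diagnostic is ignored only around this call and popped right after,
 * so a second, accidental use of the deprecated symbol later in the same
 * file still trips -Werror=deprecated-declarations. */
int example_legacy_caller(void)
{
    int rc;
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif
    rc = example_runtime_disable();
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif
    return rc;
}

int main(void)
{
    int rc = example_legacy_caller();
    printf("legacy call returned %d (errno=%d)\n", rc, errno);
    return 0;
}
```

Compile with `-Wall -Werror=deprecated-declarations`: the build succeeds because the only use sits inside the push/pop region; move the call outside it and the same flags reproduce the load_policy.c error quoted in the thread. `#pragma GCC diagnostic` is honoured by Clang as well as GCC, which is why the guard is `__GNUC__` rather than a compiler-specific macro.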