On Sat, Jun 15, 2024 at 9:34 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > On Wed, 12 Jun 2024 at 22:43, James Carter <jwcart2@xxxxxxxxx> wrote: > > > > On Sat, Jun 8, 2024 at 1:20 PM Christian Göttsche > > <cgoettsche@xxxxxxxxxxxxx> wrote: > > > > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > > > The runtime disable functionality has been removed in Linux 6.4. Thus > > > security_disable(3) will no longer work on these kernels. > > > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > --- > > > libselinux/include/selinux/selinux.h | 6 +++++- > > > libselinux/man/man3/security_disable.3 | 3 ++- > > > 2 files changed, 7 insertions(+), 2 deletions(-) > > > > > > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h > > > index 61c1422b..1318a66a 100644 > > > --- a/libselinux/include/selinux/selinux.h > > > +++ b/libselinux/include/selinux/selinux.h 
> > > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void); > > > /* Get the checkreqprot value */ > > > extern int security_get_checkreqprot(void); > > > > > > -/* Disable SELinux at runtime (must be done prior to initial policy load). */ > > > +/* Disable SELinux at runtime (must be done prior to initial policy load). > > > + Unsupported since Linux 6.4. */ > > > +#ifdef __GNUC__ > > > +__attribute__ ((deprecated)) > > > +#endif > > > extern int security_disable(void); > > > > > > > This causes the userspace build to fail. > > > > load_policy.c:329:17: error: ‘security_disable’ is deprecated > > [-Werror=deprecated-declarations] > > 329 | rc = security_disable(); > > | ^~ > > In file included from selinux_internal.h:4, > > from load_policy.c:13: > > > > Maybe we should just print a warning message for now until we can > > remove the internal usage. > > Sorry for obviously not build-testing this. > Printing a warning might be redundant since the kernel already does so. > Besides adding the two notes (which I guess are o.k.?) we could either > not annotate security_disable(3) or explicitly ignore the warning in > load_policy.c (via a pragma). > Do you have a preference? > Using the pragma to ignore the internal usage would be my preference. Thanks, Jim > > > > Thanks, > > Jim > > > > > /* Get the policy version number. */ > > > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 > > > index 072923ce..5ad8b778 100644 > > > --- a/libselinux/man/man3/security_disable.3 > > > +++ b/libselinux/man/man3/security_disable.3 
> > > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from > > > and then unmounts > > > .IR /sys/fs/selinux . > > > .sp > > > -This function can only be called at runtime and prior to the initial policy > > > +This function is only supported on Linux 6.3 and earlier, and can only be > > > +called at runtime and prior to the initial policy > > > load. After the initial policy load, the SELinux kernel code cannot be disabled, > > > but only placed in "permissive" mode by using > > > .BR security_setenforce(3). > > > -- > > > 2.45.1 > > > > > >
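Review bot: in the selinux.h hunk, the bare `__attribute__ ((deprecated))` breaks the in-tree build under -Werror (load_policy.c:329 as reported above), so the annotation cannot land on its own; either wrap the internal call in load_policy.c with `#pragma GCC diagnostic push` / `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` / `#pragma GCC diagnostic pop` in the same series, or hold the attribute until that caller is gone. The message form `__attribute__ ((deprecated("unsupported since Linux 6.4")))` would also tell external callers why the symbol is deprecated at compile time, rather than leaving that only in the header comment; clang defines __GNUC__ as well, so the existing `#ifdef __GNUC__` guard covers both compilers.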
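Review bot: the security_disable.3 hunk only qualifies the description ("only supported on Linux 6.3 and earlier") and does not say what the call does on a 6.4 or later kernel; the return value and errors section of the man page should state the failure a caller sees there, so that code still probing for runtime disable can distinguish "not supported on this kernel" from "called after policy load". Also consider mentioning that the "permissive" fallback via security_setenforce(3) is the only option on those kernels, since the sentence right after still reads as if disabling were merely sequenced before policy load.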