On Sun, Jun 23, 2024 at 8:26 AM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> The runtime disable functionality has been removed in Linux 6.4. Thus
> security_disable(3) will no longer work on these kernels.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> v2:
> Ignore deprecation warning by the internal usage of
> security_disable(3) in load_policy(8).
> ---
> libselinux/include/selinux/selinux.h | 6 +++++-
> libselinux/man/man3/security_disable.3 | 3 ++-
> libselinux/src/load_policy.c | 2 ++
> libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
> 4 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index 61c1422b..1318a66a 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
> /* Get the checkreqprot value */
> extern int security_get_checkreqprot(void);
>
> -/* Disable SELinux at runtime (must be done prior to initial policy load). */
> +/* Disable SELinux at runtime (must be done prior to initial policy load).
> + Unsupported since Linux 6.4. */
> +#ifdef __GNUC__
> +__attribute__ ((deprecated))
> +#endif
> extern int security_disable(void);
>
> /* Get the policy version number. */
> diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
> index 072923ce..5ad8b778 100644
> --- a/libselinux/man/man3/security_disable.3
> +++ b/libselinux/man/man3/security_disable.3
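Review bot: The deprecation attribute added in front of `extern int security_disable(void);` carries no message, so a caller only gets a generic "is deprecated" diagnostic and never sees the reason stated in the comment above it; GCC and clang both accept a string argument, so `__attribute__ ((deprecated("unsupported since Linux 6.4")))` puts the kernel-version cause into the warning itself. The new comment should also tell callers what to expect on such kernels: presumably the call fails rather than silently succeeding, in which case a line like `Callers must check the return value: on Linux 6.4 and later the call fails and SELinux remains enabled.` belongs there, since treating a failed disable as "SELinux is off" would be a security-relevant mistake. The actual failure mode on newer kernels is not visible in this hunk and should be confirmed against the selinuxfs code before the comment states it.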
> @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
> and then unmounts
> .IR /sys/fs/selinux .
> .sp
> -This function can only be called at runtime and prior to the initial policy
> +This function is only supported on Linux 6.3 and earlier, and can only be
> +called at runtime and prior to the initial policy
> load. After the initial policy load, the SELinux kernel code cannot be disabled,
> but only placed in "permissive" mode by using
> .BR security_setenforce(3).
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index 57d7aaef..dc1e4b6e 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
>
> if (seconfig == -1) {
> /* Runtime disable of SELinux. */
> + IGNORE_DEPRECATED_DECLARATION_BEGIN
> rc = security_disable();
> + IGNORE_DEPRECATED_DECLARATION_END
> if (rc == 0) {
> /* Successfully disabled, so umount selinuxfs too. */
> umount(selinux_mnt);
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index b134808e..450a42c2 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
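Review bot: The pragma bracket around `rc = security_disable();` only silences the new warning; the surrounding logic is unchanged, so on a Linux 6.4+ kernel a configuration requesting the runtime disable (the `seconfig == -1` branch) presumably ends up with `rc != 0` and SELinux stays enabled. Whether the administrator is told that their disable request was ignored depends on the code after `if (rc == 0) {`, which lies outside this hunk and is worth checking, because a silently ignored "disabled" setting is exactly the kind of surprise that ends in policy being enforced against an unprepared system, or in someone assuming protection that is not there. At minimum the existing comment should say why a deprecated call is deliberately kept: `/* Runtime disable of SELinux; only works on kernels before 6.4, newer kernels no longer support it and SELinux stays enabled. */`. selinux_init_load_policy() starts and ends outside the hunk.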
> @@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
> #define ignore_unsigned_overflow_
> #endif
>
> +/* Ignore usage of deprecated declaration */
> +#ifdef __clang__
> +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> + _Pragma("clang diagnostic push") \
> + _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
> +#define IGNORE_DEPRECATED_DECLARATION_END \
> + _Pragma("clang diagnostic pop")
> +#elif defined __GNUC__
> +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> + _Pragma("GCC diagnostic push") \
> + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
> +#define IGNORE_DEPRECATED_DECLARATION_END \
> + _Pragma("GCC diagnostic pop")
> +#else
> +#define IGNORE_DEPRECATED_DECLARATION_BEGIN
> +#define IGNORE_DEPRECATED_DECLARATION_END
> +#endif
> +
> #endif /* SELINUX_INTERNAL_H_ */
> --
> 2.45.2
>
>
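Review bot: The separate `#ifdef __clang__` branch duplicates the GCC one: clang defines `__GNUC__` and accepts `#pragma GCC diagnostic push`/`ignored`/`pop` for compatibility, so a single `#if defined __GNUC__` branch with the GCC pragmas would give the same behaviour in half the text (a style point; keep the clang spelling if the project prefers it explicit). Independently, the one-line header comment should say how the pair is meant to be used, since an unmatched BEGIN leaves `-Wdeprecated-declarations` disabled for the rest of the translation unit and quietly hides future deprecations, e.g. `/* Use in BEGIN/END pairs around the single statement that needs it; an unmatched BEGIN leaves the warning disabled for the rest of the file. */`.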