Re: [PATCH v2] libselinux: deprecate security_disable(3)

On Mon, Jun 24, 2024 at 9:17 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Sun, Jun 23, 2024 at 8:26 AM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > The runtime disable functionality has been removed in Linux 6.4.  Thus
> > security_disable(3) will no longer work on these kernels.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

Merged.
Thanks,
Jim

> > ---
> > v2:
> >    Ignore deprecation warning by the internal usage of
> >    security_disable(3) in load_policy(8).
> > ---
> >  libselinux/include/selinux/selinux.h   |  6 +++++-
> >  libselinux/man/man3/security_disable.3 |  3 ++-
> >  libselinux/src/load_policy.c           |  2 ++
> >  libselinux/src/selinux_internal.h      | 18 ++++++++++++++++++
> >  4 files changed, 27 insertions(+), 2 deletions(-)
> >
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index 61c1422b..1318a66a 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
> >  /* Get the checkreqprot value */
> >  extern int security_get_checkreqprot(void);
> >
> > -/* Disable SELinux at runtime (must be done prior to initial policy load). */
> > +/* Disable SELinux at runtime (must be done prior to initial policy load).
> > +   Unsupported since Linux 6.4. */
> > +#ifdef __GNUC__
> > +__attribute__ ((deprecated))
> > +#endif
> >  extern int security_disable(void);
> >
> >  /* Get the policy version number. */
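Review bot: the bare `__attribute__ ((deprecated))` on the `security_disable` declaration tells callers nothing about why or what to do instead; GCC and clang accept a message form, e.g. `__attribute__ ((deprecated("runtime disable removed in Linux 6.4")))`, which would surface the "Unsupported since Linux 6.4" text from the comment directly in the compiler warning. Gating the attribute on `__GNUC__` alone is fine since clang also defines that macro, so the declaration and the suppression macros in selinux_internal.h cover the same compilers.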
> > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
> > index 072923ce..5ad8b778 100644
> > --- a/libselinux/man/man3/security_disable.3
> > +++ b/libselinux/man/man3/security_disable.3
> > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
> >  and then unmounts
> >  .IR /sys/fs/selinux .
> >  .sp
> > -This function can only be called at runtime and prior to the initial policy
> > +This function is only supported on Linux 6.3 and earlier, and can only be
> > +called at runtime and prior to the initial policy
> >  load. After the initial policy load, the SELinux kernel code cannot be disabled,
> >  but only placed in "permissive" mode by using
> >  .BR security_setenforce(3).
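Review bot: the man page now states the kernel version limit but does not say that the library marks the function as deprecated, so a reader of security_disable(3) will not learn that new callers get a compiler warning and should stop using it; a short sentence noting the deprecation (and that callers should instead rely on kernel boot parameters or permissive mode via `security_setenforce(3)`, which the page already mentions) would keep the documentation consistent with the header change.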
> > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> > index 57d7aaef..dc1e4b6e 100644
> > --- a/libselinux/src/load_policy.c
> > +++ b/libselinux/src/load_policy.c
> > @@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
> >
> >         if (seconfig == -1) {
> >                 /* Runtime disable of SELinux. */
> > +               IGNORE_DEPRECATED_DECLARATION_BEGIN
> >                 rc = security_disable();
> > +               IGNORE_DEPRECATED_DECLARATION_END
> >                 if (rc == 0) {
> >                         /* Successfully disabled, so umount selinuxfs too. */
> >                         umount(selinux_mnt);
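Review bot: the `IGNORE_DEPRECATED_DECLARATION_BEGIN`/`_END` wrapper correctly narrows the suppression to the single `security_disable()` call, but since this code path is now expected to fail on Linux 6.4 and later, the `/* Runtime disable of SELinux. */` comment could note that the call is retained only for older kernels and that a non-zero `rc` is the normal outcome there, so the fall-through behaviour of `selinux_init_load_policy()` on new kernels is documented at the point where it happens.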
> > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > index b134808e..450a42c2 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
> > @@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
> >  #define ignore_unsigned_overflow_
> >  #endif
> >
> > +/* Ignore usage of deprecated declaration */
> > +#ifdef __clang__
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> > +       _Pragma("clang diagnostic push") \
> > +       _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
> > +#define IGNORE_DEPRECATED_DECLARATION_END \
> > +       _Pragma("clang diagnostic pop")
> > +#elif defined __GNUC__
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> > +       _Pragma("GCC diagnostic push") \
> > +       _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
> > +#define IGNORE_DEPRECATED_DECLARATION_END \
> > +       _Pragma("GCC diagnostic pop")
> > +#else
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN
> > +#define IGNORE_DEPRECATED_DECLARATION_END
> > +#endif
> > +
> >  #endif /* SELINUX_INTERNAL_H_ */
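Review bot: the separate `__clang__` branch is redundant, because clang also honours `#pragma GCC diagnostic push/ignored/pop`, so a single `#ifdef __GNUC__` branch using the `GCC diagnostic` pragmas would cover both compilers with half the code; keeping the clang branch is harmless if you prefer the native pragma names. As a style point, the new macros use an upper-case `IGNORE_DEPRECATED_DECLARATION_*` naming while the existing `ignore_unsigned_overflow_` in the same header uses lower-case with a trailing underscore; picking one convention for the compiler-attribute helpers in this file would read better.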
> > --
> > 2.45.2
> >
> >
