On Mon, Jun 24, 2024 at 9:17 AM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Sun, Jun 23, 2024 at 8:26 AM Christian Göttsche > <cgoettsche@xxxxxxxxxxxxx> wrote: > > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > The runtime disable functionality has been removed in Linux 6.4. Thus > > security_disable(3) will no longer work on these kernels. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > Merged. Thanks, Jim > > --- > > v2: > > Ignore deprecation warning by the internal usage of > > security_disable(3) in load_policy(8). > > --- > > libselinux/include/selinux/selinux.h | 6 +++++- > > libselinux/man/man3/security_disable.3 | 3 ++- > > libselinux/src/load_policy.c | 2 ++ > > libselinux/src/selinux_internal.h | 18 ++++++++++++++++++ > > 4 files changed, 27 insertions(+), 2 deletions(-) > >
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index 61c1422b..1318a66a 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
> > /* Get the checkreqprot value */
> > extern int security_get_checkreqprot(void);
> >
> > -/* Disable SELinux at runtime (must be done prior to initial policy load). */
> > +/* Disable SELinux at runtime (must be done prior to initial policy load).
> > + Unsupported since Linux 6.4. */
> > +#ifdef __GNUC__
> > +__attribute__ ((deprecated))
> > +#endif
> > extern int security_disable(void);
> >
> > /* Get the policy version number. */
> > diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
> > index 072923ce..5ad8b778 100644
> > --- a/libselinux/man/man3/security_disable.3
> > +++ b/libselinux/man/man3/security_disable.3
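Review bot: The bare `__attribute__ ((deprecated))` placed in front of `extern int security_disable(void);` produces a warning that does not tell the caller why the function is deprecated, while the reason is only in the comment above it; GCC (4.5 and later, as far as I recall) and clang accept a message argument, so `__attribute__ ((deprecated("unsupported since Linux 6.4")))` would surface the kernel-version caveat in the diagnostic itself. The `#ifdef __GNUC__` guard also covers clang, which defines `__GNUC__`, so no separate clang branch is needed here. Since this is the public header, the attribute only affects code compiled against the new header; the exported symbol itself is untouched by this hunk.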
> > @@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
> > and then unmounts
> > .IR /sys/fs/selinux .
> > .sp
> > -This function can only be called at runtime and prior to the initial policy
> > +This function is only supported on Linux 6.3 and earlier, and can only be
> > +called at runtime and prior to the initial policy
> > load. After the initial policy load, the SELinux kernel code cannot be disabled,
> > but only placed in "permissive" mode by using
> > .BR security_setenforce(3).
> > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> > index 57d7aaef..dc1e4b6e 100644
> > --- a/libselinux/src/load_policy.c
> > +++ b/libselinux/src/load_policy.c
> > @@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
> >
> > if (seconfig == -1) {
> > /* Runtime disable of SELinux. */
> > + IGNORE_DEPRECATED_DECLARATION_BEGIN
> > rc = security_disable();
> > + IGNORE_DEPRECATED_DECLARATION_END
> > if (rc == 0) {
> > /* Successfully disabled, so umount selinuxfs too. */
> > umount(selinux_mnt);
> > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > index b134808e..450a42c2 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
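Review bot: The suppression wrapped around `rc = security_disable();` in load_policy.c does not say why this caller is exempt from the deprecation the same series introduces, so the next reader will wonder whether the call should simply be removed; extend the existing comment to `/* Runtime disable of SELinux; unsupported since Linux 6.4 and deprecated, kept for older kernels, so the warning is suppressed for this one call. */`. Per the commit message the call fails on 6.4+ kernels, so when `seconfig == -1` (presumably the disabled-in-config case) `rc` is non-zero and control falls past the `if (rc == 0)` branch into handling that lies outside the hunk; that path deserves a short note that the kernel no longer honours runtime disable, so the library cannot satisfy the configured state. `selinux_init_load_policy` begins and ends outside the hunk.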
> > @@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
> > #define ignore_unsigned_overflow_
> > #endif
> >
> > +/* Ignore usage of deprecated declaration */
> > +#ifdef __clang__
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> > + _Pragma("clang diagnostic push") \
> > + _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
> > +#define IGNORE_DEPRECATED_DECLARATION_END \
> > + _Pragma("clang diagnostic pop")
> > +#elif defined __GNUC__
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
> > + _Pragma("GCC diagnostic push") \
> > + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
> > +#define IGNORE_DEPRECATED_DECLARATION_END \
> > + _Pragma("GCC diagnostic pop")
> > +#else
> > +#define IGNORE_DEPRECATED_DECLARATION_BEGIN
> > +#define IGNORE_DEPRECATED_DECLARATION_END
> > +#endif
> > +
> > #endif /* SELINUX_INTERNAL_H_ */
> > --
> > 2.45.2
> >
> >
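Review bot: The new `IGNORE_DEPRECATED_DECLARATION_BEGIN`/`_END` macros push and pop compiler diagnostic state, so they only work as a matched pair at the same nesting level, and the one-line comment `/* Ignore usage of deprecated declaration */` does not say so; suggest `/* Suppress -Wdeprecated-declarations for the statements between BEGIN and END; the pair pushes/pops diagnostic state and must stay balanced. */`. The `#ifdef __clang__` test is deliberately checked before `#elif defined __GNUC__`, because clang also defines `__GNUC__`; a brief comment on the `#ifdef __clang__` line noting that the order matters would keep a future reordering from silently routing clang through the GCC branch. The `#else` fallback that defines both macros empty is the right choice for other compilers, since the deprecation attribute itself is only emitted under `__GNUC__` in selinux.h.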