libselinux: deprecate security_compute_user(), update man pages
diff mbox series

Message ID 20200221083819.1124890-1-plautrba@redhat.com
State Accepted
Headers show
Series
  • libselinux: deprecate security_compute_user(), update man pages
Related show

Commit Message

Petr Lautrbach Feb. 21, 2020, 8:38 a.m. UTC
From: Stephen Smalley <sds@tycho.nsa.gov>

commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
use of security_compute_user()") eliminated the use of
security_compute_user() by get_ordered_context_list().  Deprecate
all use of security_compute_user() by updating the headers and man
pages and logging a warning message on any calls to it.  Remove
the example utility that called the interface. While here, also
fix the documentation of correct usage of the user argument to these
interfaces.

Fixes: https://github.com/SELinuxProject/selinux/issues/70
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---

It looks like the original email didn't get to the mailing list. Therefore
I'm resending it for a broader audience.


 libselinux/include/selinux/selinux.h          |  8 +++-
 .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
 libselinux/man/man3/security_compute_av.3     |  5 ++-
 libselinux/src/compute_user.c                 |  3 ++
 libselinux/utils/compute_user.c               | 38 -------------------
 5 files changed, 31 insertions(+), 47 deletions(-)
 delete mode 100644 libselinux/utils/compute_user.c

Comments

William Roberts Feb. 24, 2020, 6:52 p.m. UTC | #1
On Mon, Feb 24, 2020 at 12:44 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
>
>
> On Mon, Feb 24, 2020 at 11:00 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>> On 2/24/20 11:49 AM, William Roberts wrote:
>> > On Fri, Feb 21, 2020 at 2:40 AM Petr Lautrbach <plautrba@redhat.com
>> > <mailto:plautrba@redhat.com>> wrote:
>> >
>> >     From: Stephen Smalley <sds@tycho.nsa.gov <mailto:sds@tycho.nsa.gov>>
>> >
>> >     commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
>> >     use of security_compute_user()") eliminated the use of
>> >     security_compute_user() by get_ordered_context_list().  Deprecate
>> >     all use of security_compute_user() by updating the headers and man
>> >     pages and logging a warning message on any calls to it.  Remove
>> >     the example utility that called the interface. While here, also
>> >     fix the documentation of correct usage of the user argument to these
>> >     interfaces.
>> >
>> >     Fixes: https://github.com/SELinuxProject/selinux/issues/70
>> >     Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov
>> >     <mailto:sds@tycho.nsa.gov>>
>> >     Acked-by: Petr Lautrbach <plautrba@redhat.com
>> >     <mailto:plautrba@redhat.com>>
>> >     ---
>>
>> >     diff --git a/libselinux/include/selinux/selinux.h
>> >     b/libselinux/include/selinux/selinux.h
>> >     index 883d8b85742c..6a512b383325 100644
>> >     --- a/libselinux/include/selinux/selinux.h
>> >     +++ b/libselinux/include/selinux/selinux.h
>> >     @@ -246,8 +246,12 @@ extern int security_compute_member_raw(const
>> >     char * scon,
>> >                                             security_class_t tclass,
>> >                                             char ** newcon);
>> >
>> >     -/* Compute the set of reachable user contexts and set *con to refer to
>> >     -   the NULL-terminated array of contexts.  Caller must free via
>> >     freeconary. */
>> >     +/*
>> >     + * Compute the set of reachable user contexts and set *con to refer to
>> >     + * the NULL-terminated array of contexts.  Caller must free via
>> >     freeconary.
>> >     + * These interfaces are deprecated.  Use get_ordered_context_list() or
>> >     + * one of its variant interfaces instead.
>> >     + */
>> >       extern int security_compute_user(const char * scon,
>> >                                       const char *username,
>> >                                       char *** con);
>> >
>> >
>> > Any reason we're not tagging this with __attribute__ ((deprecated));?
>>
>> Doesn't appear that we've ever used that.  Is it widely supported across
>> compilers and versions or limited to recent gcc?
>>
>
> Its at least since GCC 3.3 and it's been supported in every clang compiler version I am aware of (linked to 3.3).
> https://gcc.gnu.org/onlinedocs/gcc-3.3/gcc/Type-Attributes.html
> https://releases.llvm.org/3.3/tools/clang/docs/LanguageExtensions.html
>

Sorry for the HTML, apparently Google stopped making that my default
when replying...

>
William Roberts Feb. 24, 2020, 8:04 p.m. UTC | #2
Ill go through and post a follow up with the deprecated tag for all
the "deprecated" interfaces.

Ill work on these and post em out next week.

Bill

On Mon, Feb 24, 2020 at 1:25 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 2/24/20 1:44 PM, William Roberts wrote:
> > On Mon, Feb 24, 2020 at 11:00 AM Stephen Smalley <sds@tycho.nsa.gov
> > <mailto:sds@tycho.nsa.gov>> wrote:
> >
> >     On 2/24/20 11:49 AM, William Roberts wrote:
> >      > Any reason we're not tagging this with __attribute__ ((deprecated));?
> >
> >     Doesn't appear that we've ever used that.  Is it widely supported
> >     across
> >     compilers and versions or limited to recent gcc?
> >
> > Its at least since GCC 3.3 and it's been supported in every clang
> > compiler version I am aware of (linked to 3.3).
> > https://gcc.gnu.org/onlinedocs/gcc-3.3/gcc/Type-Attributes.html
> > https://releases.llvm.org/3.3/tools/clang/docs/LanguageExtensions.html
>
> Ok, I have no particular objection to adding it but am not in a position
> currently to post any patches to the list so someone else will have to
> either re-spin it or do it as a follow-up.  There are certainly a
> variety of other interfaces in libse* that are considered deprecated but
> have never been marked in this way.
>
>
>
Stephen Smalley Feb. 27, 2020, 4:24 p.m. UTC | #3
On Fri, Feb 21, 2020 at 3:40 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> From: Stephen Smalley <sds@tycho.nsa.gov>
>
> commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
> use of security_compute_user()") eliminated the use of
> security_compute_user() by get_ordered_context_list().  Deprecate
> all use of security_compute_user() by updating the headers and man
> pages and logging a warning message on any calls to it.  Remove
> the example utility that called the interface. While here, also
> fix the documentation of correct usage of the user argument to these
> interfaces.
>
> Fixes: https://github.com/SELinuxProject/selinux/issues/70
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> It looks like the original email didn't get to the mailing list. Therefore
> I'm resending it for a broader audience.

Can this be merged?
Petr Lautrbach Feb. 27, 2020, 4:32 p.m. UTC | #4
Stephen Smalley <stephen.smalley@gmail.com> writes:

> On Fri, Feb 21, 2020 at 3:40 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> From: Stephen Smalley <sds@tycho.nsa.gov>
>>
>> commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
>> use of security_compute_user()") eliminated the use of
>> security_compute_user() by get_ordered_context_list().  Deprecate
>> all use of security_compute_user() by updating the headers and man
>> pages and logging a warning message on any calls to it.  Remove
>> the example utility that called the interface. While here, also
>> fix the documentation of correct usage of the user argument to these
>> interfaces.
>>
>> Fixes: https://github.com/SELinuxProject/selinux/issues/70
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> Acked-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>
>> It looks like the original email didn't get to the mailing list. Therefore
>> I'm resending it for a broader audience.
>
> Can this be merged?

I'm sorry I mis-read
https://lore.kernel.org/selinux/CAFftDdqKkRc5S236+OjXJkfJaHVw8F-1XicHUb2aaxYqZK1QSQ@mail.gmail.com/
and I though that there would be a re-spin, but the mail says that it will
be follow up.

It's merged now. Thanks!


Petr

Patch
diff mbox series

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 883d8b85742c..6a512b383325 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@  extern int security_compute_member_raw(const char * scon,
 				       security_class_t tclass,
 				       char ** newcon);
 
-/* Compute the set of reachable user contexts and set *con to refer to 
-   the NULL-terminated array of contexts.  Caller must free via freeconary. */
+/*
+ * Compute the set of reachable user contexts and set *con to refer to
+ * the NULL-terminated array of contexts.  Caller must free via freeconary.
+ * These interfaces are deprecated.  Use get_ordered_context_list() or
+ * one of its variant interfaces instead.
+ */
 extern int security_compute_user(const char * scon,
 				 const char *username,
 				 char *** con);
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
index e084da406af1..3ed14a96879c 100644
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@  get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .BI "int get_default_type(const char *" role ", char **" type );
 .
 .SH "DESCRIPTION"
+
+This family of functions can be used to obtain either a prioritized list of
+all reachable security contexts for a given SELinux user or a single default
+(highest priority) context for a given SELinux user for use by login-like
+programs.  These functions takes a SELinux user identity that must
+be defined in the SELinux policy as their input, not a Linux username.
+Most callers should typically first call
+.BR getseuserbyname(3)
+to look up the SELinux user identity and level for a given
+Linux username and then invoke one of
+.BR get_ordered_context_list_with_level ()
+or
+.BR get_default_context_with_level ()
+with the returned SELinux user and level as inputs.
+
 .BR get_ordered_context_list ()
-invokes the 
-.BR security_compute_user (3)
-function to obtain the list of contexts for the specified
+obtains the list of contexts for the specified
+SELinux
 .I user
-that are reachable from the specified
+identity that are reachable from the specified
 .I fromcon
-context.  The function then orders the resulting list based on the global
+context based on the global
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
 file and the per-user
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 3de1b0fe7f1b..efa4baf3304f 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -134,8 +134,9 @@  instance.
 
 .BR security_compute_user ()
 is used to determine the set of user contexts that can be reached from a
-source context. It is mainly used by
-.BR get_ordered_context_list (3).
+source context. This function is deprecated; use
+.BR get_ordered_context_list (3)
+instead.
 
 .BR security_validatetrans ()
 is used to determine if a transition from scon to newcon using tcon as the object
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 7b8812155750..e7da964ff46d 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@ 
 #include "selinux_internal.h"
 #include "policy.h"
 #include <limits.h>
+#include "callbacks.h"
 
 int security_compute_user_raw(const char * scon,
 			      const char *user, char *** con)
@@ -24,6 +25,8 @@  int security_compute_user_raw(const char * scon,
 		return -1;
 	}
 
+	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
+
 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
 	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
deleted file mode 100644
index 86d00a6eff1c..000000000000
--- a/libselinux/utils/compute_user.c
+++ /dev/null
@@ -1,38 +0,0 @@ 
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <ctype.h>
-#include <selinux/selinux.h>
-
-int main(int argc, char **argv)
-{
-	char **buf, **ptr;
-	int ret;
-
-	if (argc != 3) {
-		fprintf(stderr, "usage:  %s context user\n", argv[0]);
-		exit(1);
-	}
-
-	ret = security_compute_user(argv[1], argv[2], &buf);
-	if (ret < 0) {
-		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
-			argv[0], argv[1], argv[2]);
-		exit(2);
-	}
-
-	if (!buf[0]) {
-		printf("none\n");
-		exit(EXIT_SUCCESS);
-	}
-
-	for (ptr = buf; *ptr; ptr++) {
-		printf("%s\n", *ptr);
-	}
-	freeconary(buf);
-	exit(EXIT_SUCCESS);
-}