selinux.vger.kernel.org archive mirror
* Annotate Deprecated Functions in libselinux
@ 2020-02-25 20:02 bill.c.roberts
  2020-02-25 20:02 ` [PATCH 01/17] security_load_booleans: update return comment bill.c.roberts
                   ` (19 more replies)
  0 siblings, 20 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux

I went through and annotated deprecated routines we have in
libselinux that are mentioned to be deprecated either in code
comments and/or manpages.

External users, when compiling, will see a warning similar to some
sample output:

a.c: In function ‘main’:
a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
  foo();
  ^~~
a.c:5:5: note: declared here
 int foo(void) {
     ^~~
a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
  boo();
  ^~~
a.c:11:5: note: declared here
 int boo(void) {

The annoying part is internal users of the routines. We could always make
a v2 version of the function for internal callers, and leave the old
interfaces intact to work around the warnings, or just pragma them out.
This series pragma's them out.

diagnostic push has been supported since GCC v4.6. Earlier versions will
warn on this, and the side effect is that the diagnostic ignored pragma
will be valid for the rest of the file. Clang has similar support that's
been around *at least* since clang 6.0.

[PATCH 01/17] security_load_booleans: update return comment
[PATCH 02/17] selinux_booleans_path: annotate deprecated
[PATCH 03/17] selinux_booleans_path: annotate deprecated
[PATCH 04/17] selinux_users_path: annotate deprecated
[PATCH 05/17] rpm_execcon: annotate deprecated
[PATCH 06/17] sidget: annotate deprecated
[PATCH 07/17] sidput: annotate deprecated
[PATCH 08/17] checkPasswdAccess: annotate deprecated
[PATCH 09/17] matchpathcon_init: annotate deprecated
[PATCH 10/17] matchpathcon_fini: annotate deprecated
[PATCH 11/17] matchpathcon: annotate deprecated
[PATCH 12/17] avc_init: annotate deprecated
[PATCH 13/17] src/selinux_internal.h: fix hidden_proto indents
[PATCH 14/17] selinux_internal.h: disable warnings on deprecated
[PATCH 15/17] avc_open: mark allowed use of avc_init
[PATCH 16/17] src/matchpathcon: allow use of deprecated funcs
[PATCH 17/17] utils/matchpathcon: allow use of deprecated funcs


^ permalink raw reply	[flat|nested] 97+ messages in thread
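The two options the cover letter weighs for internal callers (a pragma around the call, or an internal "v2" implementation), as an added example that is not part of the posted series. All `demo_*` / `DEMO_*` names are hypothetical; the version guards assume the message form of the attribute needs GCC 4.5 and push/pop needs GCC 4.6, and that any clang in use supports both.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Feature guards (assumed thresholds: GCC 4.5 for deprecated("msg"),
 * GCC 4.6 for "diagnostic push"; clang is assumed to support both). */
#if defined(__clang__)
#  define DEMO_HAVE_DEPRECATED_MSG 1
#  define DEMO_HAVE_DIAG_PUSH 1
#elif defined(__GNUC__)
#  define DEMO_GCC_VER (__GNUC__ * 100 + __GNUC_MINOR__)
#  define DEMO_HAVE_DEPRECATED_MSG (DEMO_GCC_VER >= 405)
#  define DEMO_HAVE_DIAG_PUSH (DEMO_GCC_VER >= 406)
#else
#  define DEMO_HAVE_DEPRECATED_MSG 0
#  define DEMO_HAVE_DIAG_PUSH 0
#endif

/* One spelling of the annotation for the whole header. */
#if DEMO_HAVE_DEPRECATED_MSG
#  define DEMO_DEPRECATED(msg) __attribute__((deprecated(msg)))
#elif defined(__GNUC__)
#  define DEMO_DEPRECATED(msg) __attribute__((deprecated))
#else
#  define DEMO_DEPRECATED(msg)
#endif

/* Scoped suppression. Where push/pop is unavailable the macros expand to
 * nothing, so an "ignored" pragma can never leak into the rest of the file;
 * the cost is that the internal call warns on such compilers. */
#if DEMO_HAVE_DIAG_PUSH
#  define DEMO_ALLOW_DEPRECATED_BEGIN \
	_Pragma("GCC diagnostic push") \
	_Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
#  define DEMO_ALLOW_DEPRECATED_END _Pragma("GCC diagnostic pop")
#else
#  define DEMO_ALLOW_DEPRECATED_BEGIN
#  define DEMO_ALLOW_DEPRECATED_END
#endif

/* ---- Option 1: pragma around the one sanctioned internal call ---- */

/* Old entry point: external callers get a warning that names the replacement. */
int demo_init(const char *prefix) DEMO_DEPRECATED("Use demo_open");

int demo_init(const char *prefix)
{
	return (prefix && *prefix) ? 0 : -1;
}

/* New entry point, still implemented on top of the old one. */
int demo_open(void)
{
	DEMO_ALLOW_DEPRECATED_BEGIN
	return demo_init("demo");
	DEMO_ALLOW_DEPRECATED_END
}

/* ---- Option 2: internal implementation, deprecated wrapper ---- */

/* Not exported and not annotated: internal callers use this directly,
 * so no pragma is needed anywhere in the library. */
static int demo_lookup_impl(const char *path, size_t *len_out)
{
	if (!path || path[0] != '/' || !len_out)
		return -1;
	*len_out = strlen(path);
	return 0;
}

/* Old public name: a thin wrapper that only external code can trip over. */
int demo_lookup_old(const char *path, size_t *len_out)
	DEMO_DEPRECATED("Use demo_lookup");

int demo_lookup_old(const char *path, size_t *len_out)
{
	return demo_lookup_impl(path, len_out);
}

/* Replacement public name. */
int demo_lookup(const char *path, size_t *len_out)
{
	return demo_lookup_impl(path, len_out);
}

int main(void)
{
	size_t len = 0;

	/* Only the non-deprecated entry points are used here, so this file
	 * compiles without -Wdeprecated-declarations output. */
	printf("demo_open   -> %d\n", demo_open());
	printf("demo_lookup -> %d (len %zu)\n",
	       demo_lookup("/etc/selinux", &len), len);
	return 0;
}
```

Calling `demo_init` or `demo_lookup_old` from any other function in this file reproduces the `-Wdeprecated-declarations` warning shown in the sample output.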

* [PATCH 01/17] security_load_booleans: update return comment
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 02/17] selinux_booleans_path: annotate deprecated bill.c.roberts
                   ` (18 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

The code returns -1 not 0, correct it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 883d8b85742c..ee808dd954ad 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -319,7 +319,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 				     SELboolean * boollist, int permanent);
 
 /* Load policy boolean settings. Deprecated as local policy booleans no
- * longer supported. Will always return 0.
+ * longer supported. Will always return -1.
  */
 extern int security_load_booleans(char *path);
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 02/17] selinux_booleans_path: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
  2020-02-25 20:02 ` [PATCH 01/17] security_load_booleans: update return comment bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 03/17] " bill.c.roberts
                   ` (17 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index ee808dd954ad..97834cc842dd 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -321,7 +321,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 /* Load policy boolean settings. Deprecated as local policy booleans no
  * longer supported. Will always return -1.
  */
-extern int security_load_booleans(char *path);
+extern int security_load_booleans(char *path) __attribute__ ((deprecated));
 
 /* Check the validity of a security context. */
 extern int security_check_context(const char * con);
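Review bot: the subject line says selinux_booleans_path, but the only declaration changed in this hunk is security_load_booleans; patch 03 carries the same subject and does touch selinux_booleans_path, so this one should be retitled "security_load_booleans: annotate deprecated". The attribute is also the bare form here. The comment just above already gives the reason ("local policy booleans no longer supported"), and passing that text to deprecated("...") would put it in the caller's warning, as the rpm_execcon and matchpathcon patches later in the series do.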
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 03/17] selinux_booleans_path: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
  2020-02-25 20:02 ` [PATCH 01/17] security_load_booleans: update return comment bill.c.roberts
  2020-02-25 20:02 ` [PATCH 02/17] selinux_booleans_path: annotate deprecated bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 04/17] selinux_users_path: " bill.c.roberts
                   ` (16 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 97834cc842dd..0f77debaa06c 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -571,7 +571,7 @@ extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
 /* Deprecated as local policy booleans no longer supported. */
-extern const char *selinux_booleans_path(void);
+extern const char *selinux_booleans_path(void) __attribute__ ((deprecated));
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
 extern const char *selinux_users_path(void);
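Review bot: ordering problem for bisecting: selinux_booleans_path becomes deprecated here, but selinux_internal.h still declares hidden_proto(selinux_booleans_path) and the pragma that silences that only arrives in patch 14, whose message says these hidden_proto lines make the compiler warn. Every commit between this one and 14 therefore builds the library with new warnings (and fails outright if the build promotes warnings to errors). Moving the suppression patches (14 to 17) ahead of the annotation patches would keep each step clean. The commit also has no body; one line stating why the function is deprecated would help.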
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 04/17] selinux_users_path: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (2 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 03/17] " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 05/17] rpm_execcon: " bill.c.roberts
                   ` (15 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 0f77debaa06c..e5c8fdf3e4fb 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -574,7 +574,7 @@ extern const char *selinux_booleans_subs_path(void);
 extern const char *selinux_booleans_path(void) __attribute__ ((deprecated));
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
-extern const char *selinux_users_path(void);
+extern const char *selinux_users_path(void) __attribute__ ((deprecated));
 extern const char *selinux_usersconf_path(void);
 extern const char *selinux_translations_path(void);
 extern const char *selinux_colors_path(void);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 05/17] rpm_execcon: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (3 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 04/17] selinux_users_path: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 06/17] sidget: " bill.c.roberts
                   ` (14 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index e5c8fdf3e4fb..e531f927be1e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -629,7 +629,8 @@ extern int setexecfilecon(const char *filename, const char *fallback_type);
 /* Execute a helper for rpm in an appropriate security context. */
 extern int rpm_execcon(unsigned int verified,
 		       const char *filename,
-		       char *const argv[], char *const envp[]);
+		       char *const argv[], char *const envp[])
+	__attribute__((deprecated("Use setexecfilecon and execve")));
 #endif
 
 /* Returns whether a file context is customizable, and should not 
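Review bot: the comment above rpm_execcon ("Execute a helper for rpm in an appropriate security context") still reads as if the function were current; the booleans and users path declarations in this header say "Deprecated as ..." in their comments, so add the same wording here, pointing at setexecfilecon and execve, to keep the header usable as documentation. Minor: this line is spelled __attribute__((deprecated(...))) with no space, while the other patches in the series write __attribute__ ((deprecated ...)); pick one form.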
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 06/17] sidget: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (4 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 05/17] rpm_execcon: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 07/17] sidput: " bill.c.roberts
                   ` (13 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 46c51419f588..c5c842a34470 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -64,7 +64,7 @@ extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
  * reference count).  Note that avc_context_to_sid() also
  * increments reference counts.
  */
-extern int sidget(security_id_t sid);
+extern int sidget(security_id_t sid) __attribute__ ((deprecated));
 
 /**
  * sidput - decrement SID reference counter.
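Review bot: the bare attribute on sidget tells a caller that the function is deprecated but not what to do about it. If the answer is "just delete the call", say so in a message string, for example deprecated("No longer needed, remove the call") or whatever wording matches the actual semantics, and mention the deprecation in the doc comment, whose visible part still describes the reference count as if it mattered. The same applies to sidput in patch 07.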
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 07/17] sidput: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (5 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 06/17] sidget: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 08/17] checkPasswdAccess: " bill.c.roberts
                   ` (12 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index c5c842a34470..472f6918ca83 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -76,7 +76,7 @@ extern int sidget(security_id_t sid) __attribute__ ((deprecated));
  * zero, the SID is invalid, and avc_context_to_sid() must
  * be called to obtain a new SID for the security context.
  */
-extern int sidput(security_id_t sid);
+extern int sidput(security_id_t sid) __attribute__ ((deprecated));
 
 /**
  * avc_get_initial_sid - get SID for an initial kernel security identifier
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 08/17] checkPasswdAccess: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (6 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 07/17] sidput: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:58   ` Stephen Smalley
  2020-02-25 20:02 ` [PATCH 09/17] matchpathcon_init: " bill.c.roberts
                   ` (11 subsequent siblings)
  19 siblings, 1 reply; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index e531f927be1e..3704eabc7545 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -603,7 +603,8 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
 extern int selinux_check_passwd_access(access_vector_t requested);
-extern int checkPasswdAccess(access_vector_t requested);
+extern int checkPasswdAccess(access_vector_t requested)
+   __attribute__ ((deprecated("Use selinux_check_passwd_access")));
 
 /* Check if the tty_context is defined as a securetty
    Return 0 if secure, < 0 otherwise. */
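Review bot: the continuation line "+   __attribute__ ((deprecated(..." is indented with three spaces, while the rpm_execcon, matchpathcon and avc_init patches indent the same construct with a tab. Use a tab here as well (patches 09 and 10 have the same three-space indent). Since selinux_check_passwd_access is declared directly above, it may also be worth a word in the commit message confirming that the two are drop-in equivalents.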
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 09/17] matchpathcon_init: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (7 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 08/17] checkPasswdAccess: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 10/17] matchpathcon_fini: " bill.c.roberts
                   ` (10 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 3704eabc7545..20ac8498ac9c 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -457,7 +457,8 @@ extern void set_matchpathcon_flags(unsigned int flags);
    function also checks for a 'path'.homedirs file and 
    a 'path'.local file and loads additional specifications 
    from them if present. */
-extern int matchpathcon_init(const char *path);
+extern int matchpathcon_init(const char *path)
+   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")));
 
 /* Same as matchpathcon_init, but only load entries with
    regexes that have stems that are prefixes of 'prefix'. */
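Review bot: matchpathcon_init_prefix, visible in the trailing context and documented as "Same as matchpathcon_init, but only load entries with regexes that have stems that are prefixes of 'prefix'", is left unannotated and does not appear anywhere in the series. If it is deprecated along with matchpathcon_init it should get the same attribute; if it is deliberately kept, the commit message should say why, because after this patch the header marks one of the pair as deprecated and the other not.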
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 10/17] matchpathcon_fini: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (8 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 09/17] matchpathcon_init: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 11/17] matchpathcon: " bill.c.roberts
                   ` (9 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 20ac8498ac9c..26f8432cd4c3 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -465,7 +465,8 @@ extern int matchpathcon_init(const char *path)
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
 /* Free the memory allocated by matchpathcon_init. */
-extern void matchpathcon_fini(void);
+extern void matchpathcon_fini(void)
+   __attribute__ ((deprecated("Use selabel_close")));
 
 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
  * the final component (same a realpath() unless the final component is a
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 11/17] matchpathcon: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (9 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 10/17] matchpathcon_fini: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 12/17] avc_init: " bill.c.roberts
                   ` (8 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 26f8432cd4c3..ed00367b14fe 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -480,7 +480,8 @@ extern int realpath_not_final(const char *name, char *resolved_path);
    If matchpathcon_init has not already been called, then this function
    will call it upon its first invocation with a NULL path. */
 extern int matchpathcon(const char *path,
-			mode_t mode, char ** con);
+			mode_t mode, char ** con)
+	__attribute__ ((deprecated("Use selabel_lookup instead")));
 
 /* Same as above, but return a specification index for 
    later use in a matchpathcon_filespec_add() call - see below. */
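Review bot: the comment in the leading context says matchpathcon "will call" matchpathcon_init on first invocation, so once both are annotated the library's own matchpathcon.c contains a deprecated-to-deprecated call; please confirm that patch 16 covers that call site and not only the hidden_proto lines. The function introduced by "Same as above, but return a specification index" in the trailing context is also left unannotated; if it stays supported, say so. Wording nit: this is the only message in the series that ends in "instead".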
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 12/17] avc_init: annotate deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (10 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 11/17] matchpathcon: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 13/17] src/selinux_internal.h: fix hidden_proto indents bill.c.roberts
                   ` (7 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 472f6918ca83..7487b62f41c3 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -192,7 +192,8 @@ extern int avc_init(const char *msgprefix,
 		    const struct avc_memory_callback *mem_callbacks,
 		    const struct avc_log_callback *log_callbacks,
 		    const struct avc_thread_callback *thread_callbacks,
-		    const struct avc_lock_callback *lock_callbacks);
+		    const struct avc_lock_callback *lock_callbacks)
+	__attribute__ ((deprecated("Use avc_open and selinux_set_callback")));
 
 /**
  * avc_open - Initialize the AVC.
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 13/17] src/selinux_internal.h: fix hidden_proto indents
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (11 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 12/17] avc_init: " bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 14/17] selinux_internal.h: disable warnings on deprecated bill.c.roberts
                   ` (6 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/selinux_internal.h | 190 +++++++++++++++---------------
 1 file changed, 95 insertions(+), 95 deletions(-)

diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 61b78aaa7c10..f6a50cd36f63 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -3,107 +3,107 @@
 #include "dso.h"
 
 hidden_proto(selinux_mkload_policy)
-    hidden_proto(fini_selinuxmnt)
-    hidden_proto(set_selinuxmnt)
-    hidden_proto(selinuxfs_exists)
-    hidden_proto(security_disable)
-    hidden_proto(security_policyvers)
-    hidden_proto(security_load_policy)
-    hidden_proto(security_get_boolean_active)
-    hidden_proto(security_get_boolean_names)
-    hidden_proto(security_set_boolean)
-    hidden_proto(security_commit_booleans)
-    hidden_proto(security_check_context)
-    hidden_proto(security_check_context_raw)
-    hidden_proto(security_canonicalize_context)
-    hidden_proto(security_canonicalize_context_raw)
-    hidden_proto(security_compute_av)
-    hidden_proto(security_compute_av_raw)
-    hidden_proto(security_compute_av_flags)
-    hidden_proto(security_compute_av_flags_raw)
-    hidden_proto(security_compute_user)
-    hidden_proto(security_compute_user_raw)
-    hidden_proto(security_compute_create)
-    hidden_proto(security_compute_create_raw)
-    hidden_proto(security_compute_create_name)
-    hidden_proto(security_compute_create_name_raw)
-    hidden_proto(security_compute_member_raw)
-    hidden_proto(security_compute_relabel_raw)
-    hidden_proto(security_validatetrans)
-    hidden_proto(security_validatetrans_raw)
-    hidden_proto(is_selinux_enabled)
-    hidden_proto(is_selinux_mls_enabled)
-    hidden_proto(freecon)
-    hidden_proto(freeconary)
-    hidden_proto(getprevcon)
-    hidden_proto(getprevcon_raw)
-    hidden_proto(getcon)
-    hidden_proto(getcon_raw)
-    hidden_proto(setcon_raw)
-    hidden_proto(getpeercon_raw)
-    hidden_proto(getpidcon_raw)
-    hidden_proto(getexeccon_raw)
-    hidden_proto(getfilecon)
-    hidden_proto(getfilecon_raw)
-    hidden_proto(lgetfilecon_raw)
-    hidden_proto(fgetfilecon_raw)
-    hidden_proto(setfilecon_raw)
-    hidden_proto(lsetfilecon_raw)
-    hidden_proto(fsetfilecon_raw)
-    hidden_proto(setexeccon)
-    hidden_proto(setexeccon_raw)
-    hidden_proto(getfscreatecon_raw)
-    hidden_proto(getkeycreatecon_raw)
-    hidden_proto(getsockcreatecon_raw)
-    hidden_proto(setfscreatecon_raw)
-    hidden_proto(setkeycreatecon_raw)
-    hidden_proto(setsockcreatecon_raw)
-    hidden_proto(security_getenforce)
-    hidden_proto(security_setenforce)
-    hidden_proto(security_deny_unknown)
-    hidden_proto(security_reject_unknown)
-    hidden_proto(security_get_checkreqprot)
-    hidden_proto(selinux_boolean_sub)
-    hidden_proto(selinux_current_policy_path)
-    hidden_proto(selinux_binary_policy_path)
-    hidden_proto(selinux_booleans_subs_path)
-    hidden_proto(selinux_default_context_path)
-    hidden_proto(selinux_securetty_types_path)
-    hidden_proto(selinux_failsafe_context_path)
-    hidden_proto(selinux_removable_context_path)
-    hidden_proto(selinux_virtual_domain_context_path)
-    hidden_proto(selinux_virtual_image_context_path)
-    hidden_proto(selinux_lxc_contexts_path)
-    hidden_proto(selinux_file_context_path)
-    hidden_proto(selinux_file_context_homedir_path)
-    hidden_proto(selinux_file_context_local_path)
-    hidden_proto(selinux_file_context_subs_dist_path)
-    hidden_proto(selinux_file_context_subs_path)
-    hidden_proto(selinux_netfilter_context_path)
-    hidden_proto(selinux_homedir_context_path)
-    hidden_proto(selinux_user_contexts_path)
-    hidden_proto(selinux_booleans_path)
-    hidden_proto(selinux_customizable_types_path)
-    hidden_proto(selinux_media_context_path)
-    hidden_proto(selinux_x_context_path)
-    hidden_proto(selinux_sepgsql_context_path)
-    hidden_proto(selinux_openrc_contexts_path)
-    hidden_proto(selinux_openssh_contexts_path)
-    hidden_proto(selinux_snapperd_contexts_path)
-    hidden_proto(selinux_systemd_contexts_path)
-    hidden_proto(selinux_path)
-    hidden_proto(selinux_check_passwd_access)
-    hidden_proto(selinux_check_securetty_context)
-    hidden_proto(matchpathcon_init_prefix)
-    hidden_proto(selinux_users_path)
-    hidden_proto(selinux_usersconf_path);
+hidden_proto(fini_selinuxmnt)
+hidden_proto(set_selinuxmnt)
+hidden_proto(selinuxfs_exists)
+hidden_proto(security_disable)
+hidden_proto(security_policyvers)
+hidden_proto(security_load_policy)
+hidden_proto(security_get_boolean_active)
+hidden_proto(security_get_boolean_names)
+hidden_proto(security_set_boolean)
+hidden_proto(security_commit_booleans)
+hidden_proto(security_check_context)
+hidden_proto(security_check_context_raw)
+hidden_proto(security_canonicalize_context)
+hidden_proto(security_canonicalize_context_raw)
+hidden_proto(security_compute_av)
+hidden_proto(security_compute_av_raw)
+hidden_proto(security_compute_av_flags)
+hidden_proto(security_compute_av_flags_raw)
+hidden_proto(security_compute_user)
+hidden_proto(security_compute_user_raw)
+hidden_proto(security_compute_create)
+hidden_proto(security_compute_create_raw)
+hidden_proto(security_compute_create_name)
+hidden_proto(security_compute_create_name_raw)
+hidden_proto(security_compute_member_raw)
+hidden_proto(security_compute_relabel_raw)
+hidden_proto(security_validatetrans)
+hidden_proto(security_validatetrans_raw)
+hidden_proto(is_selinux_enabled)
+hidden_proto(is_selinux_mls_enabled)
+hidden_proto(freecon)
+hidden_proto(freeconary)
+hidden_proto(getprevcon)
+hidden_proto(getprevcon_raw)
+hidden_proto(getcon)
+hidden_proto(getcon_raw)
+hidden_proto(setcon_raw)
+hidden_proto(getpeercon_raw)
+hidden_proto(getpidcon_raw)
+hidden_proto(getexeccon_raw)
+hidden_proto(getfilecon)
+hidden_proto(getfilecon_raw)
+hidden_proto(lgetfilecon_raw)
+hidden_proto(fgetfilecon_raw)
+hidden_proto(setfilecon_raw)
+hidden_proto(lsetfilecon_raw)
+hidden_proto(fsetfilecon_raw)
+hidden_proto(setexeccon)
+hidden_proto(setexeccon_raw)
+hidden_proto(getfscreatecon_raw)
+hidden_proto(getkeycreatecon_raw)
+hidden_proto(getsockcreatecon_raw)
+hidden_proto(setfscreatecon_raw)
+hidden_proto(setkeycreatecon_raw)
+hidden_proto(setsockcreatecon_raw)
+hidden_proto(security_getenforce)
+hidden_proto(security_setenforce)
+hidden_proto(security_deny_unknown)
+hidden_proto(security_reject_unknown)
+hidden_proto(security_get_checkreqprot)
+hidden_proto(selinux_boolean_sub)
+hidden_proto(selinux_current_policy_path)
+hidden_proto(selinux_binary_policy_path)
+hidden_proto(selinux_booleans_subs_path)
+hidden_proto(selinux_default_context_path)
+hidden_proto(selinux_securetty_types_path)
+hidden_proto(selinux_failsafe_context_path)
+hidden_proto(selinux_removable_context_path)
+hidden_proto(selinux_virtual_domain_context_path)
+hidden_proto(selinux_virtual_image_context_path)
+hidden_proto(selinux_lxc_contexts_path)
+hidden_proto(selinux_file_context_path)
+hidden_proto(selinux_file_context_homedir_path)
+hidden_proto(selinux_file_context_local_path)
+hidden_proto(selinux_file_context_subs_dist_path)
+hidden_proto(selinux_file_context_subs_path)
+hidden_proto(selinux_netfilter_context_path)
+hidden_proto(selinux_homedir_context_path)
+hidden_proto(selinux_user_contexts_path)
+hidden_proto(selinux_booleans_path)
+hidden_proto(selinux_customizable_types_path)
+hidden_proto(selinux_media_context_path)
+hidden_proto(selinux_x_context_path)
+hidden_proto(selinux_sepgsql_context_path)
+hidden_proto(selinux_openrc_contexts_path)
+hidden_proto(selinux_openssh_contexts_path)
+hidden_proto(selinux_snapperd_contexts_path)
+hidden_proto(selinux_systemd_contexts_path)
+hidden_proto(selinux_path)
+hidden_proto(selinux_check_passwd_access)
+hidden_proto(selinux_check_securetty_context)
+hidden_proto(matchpathcon_init_prefix)
+hidden_proto(selinux_users_path)
+hidden_proto(selinux_usersconf_path);
 hidden_proto(selinux_translations_path);
 hidden_proto(selinux_colors_path);
 hidden_proto(selinux_getenforcemode);
 hidden_proto(selinux_getpolicytype);
 hidden_proto(selinux_raw_to_trans_context);
 hidden_proto(selinux_trans_to_raw_context);
-    hidden_proto(selinux_raw_context_to_color);
+hidden_proto(selinux_raw_context_to_color);
 hidden_proto(security_get_initial_context);
 hidden_proto(security_get_initial_context_raw);
 hidden_proto(selinux_reset_config);
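Review bot: the re-indented block still mixes two forms: hidden_proto(...) without a trailing semicolon down to selinux_users_path, and with one from hidden_proto(selinux_usersconf_path); onward. Since every one of these lines is being rewritten anyway, either normalise the semicolons in this patch or state in the commit message that the change is whitespace-only and leaves them alone on purpose. The commit has no body at all; a sentence saying that the indentation was an artifact and that there is no functional change would make the 95-line diff quicker to accept.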
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 14/17] selinux_internal.h: disable warnings on deprecated
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (12 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 13/17] src/selinux_internal.h: fix hidden_proto indents bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 15/17] avc_open: mark allowed use of avc_init bill.c.roberts
                   ` (5 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

selinux_internal.h marks the visibility of symbols, many of these are
the deprecated routines that get marked as hidden. This causes compilers
to warn about deprecated uses. However this is a valid annotation that
we want to keep, until the functions are finally removed.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/selinux_internal.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index f6a50cd36f63..2d9373b86190 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -2,6 +2,12 @@
 #include <pthread.h>
 #include "dso.h"
 
+/*
+ * Disable deprecated warnings for users internal to the library.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+
 hidden_proto(selinux_mkload_policy)
 hidden_proto(fini_selinuxmnt)
 hidden_proto(set_selinuxmnt)
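Review bot: the added comment "Disable deprecated warnings for users internal to the library" overstates what the pragma does. Because the matching pop sits at the end of this header, the warning is back on by the time the including .c file's own code is compiled, which is why patches 15 to 17 need their own pragmas. Reword it to say that the suppression covers the hidden_proto declarations in this header only.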
@@ -181,3 +187,5 @@ extern int selinux_page_size hidden;
 #define SELINUXCONFIG SELINUXDIR "config"
 
 extern int has_selinux_config hidden;
+
+#pragma GCC diagnostic pop
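Review bot: on compilers that do not implement push/pop, the cover letter notes that the "ignored" pragma stays in effect for the rest of the file. For a header, that means the rest of every translation unit that includes it, so on such a compiler this pop silently turns off deprecation warnings for all of libselinux's sources. Guard the three pragmas with a compiler version check (or wrap them in a pair of macros that expand to nothing on old compilers) so that the failure mode is an extra warning rather than a lost one.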
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH 15/17] avc_open: mark allowed use of avc_init
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (13 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 14/17] selinux_internal.h: disable warnings on deprecated bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 16/17] src/matchpathcon: allow use of deprecated funcs bill.c.roberts
                   ` (4 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

avc_init is deprecated, however avc_open internally uses it.
Mark this deprecated use as OK. Another approach could be to
define an avc_init2 as a hidden, internal symbol and call that, but this
seemed simpler and clearer.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 5230efd2323a..7d30f0052f7c 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -156,8 +156,10 @@ int avc_open(struct selinux_opt *opts, unsigned nopts)
 			avc_enforcing = !!opts[nopts].value;
 			break;
 		}
-
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 	return avc_init("avc", NULL, NULL, NULL, NULL);
+#pragma GCC diagnostic pop
 }
 
 int avc_init(const char *prefix,
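Review bot: nothing at the call site in avc_open() says why calling the deprecated avc_init() is acceptable; that reasoning lives only in the commit message. Add a one-line comment above the push stating that avc_open() is built on avc_init(), and keep the blank line this hunk deletes between the preceding closing brace and the return, since removing it is unrelated to the suppression.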
-- 
2.17.1



* [PATCH 16/17] src/matchpathcon: allow use of deprecated funcs
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (14 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 15/17] avc_open: mark allowed use of avc_init bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:02 ` [PATCH 17/17] utils/matchpathcon: " bill.c.roberts
                   ` (3 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Internally, users of deprecated functions are ok, so allow it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa4cfd5..2e5aa347b52b 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -317,7 +317,10 @@ void matchpathcon_filespec_destroy(void)
 
 static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 	matchpathcon_fini();
+#pragma GCC diagnostic pop
 }
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
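Review bot: the three-line push/ignored/pop sequence around matchpathcon_fini() is repeated verbatim in the next hunk and in the other patches of this series. A pair of small macros built on _Pragma() in an internal header would reduce each call site to two short lines and give a single place to add a compiler-version guard.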
@@ -451,8 +454,10 @@ int matchpathcon(const char *path, mode_t mode, char ** con)
 
 int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 	int i = matchpathcon(name, mode, con);
-
+#pragma GCC diagnostic pop
 	if (i < 0)
 		return -1;
 
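Review bot: matchpathcon_index() and the deprecated matchpathcon() it calls are in the same file (the hunk header shows matchpathcon() defined just above), so the suppression can be avoided by moving the body into a static helper that both functions call. If the pragma stays, keep a blank line after the pop; this hunk replaces the separator between the declaration and the `if (i < 0)` check with the pragma.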
-- 
2.17.1



* [PATCH 17/17] utils/matchpathcon: allow use of deprecated funcs
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (15 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 16/17] src/matchpathcon: allow use of deprecated funcs bill.c.roberts
@ 2020-02-25 20:02 ` bill.c.roberts
  2020-02-25 20:51 ` Annotate Deprecated Functions in libselinux Stephen Smalley
                   ` (2 subsequent siblings)
  19 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-02-25 20:02 UTC (permalink / raw)
  To: sds, plautrba, selinux; +Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Internally, users of deprecated functions are ok, so allow it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/matchpathcon.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index eb39a1881066..139ee9b45556 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -22,7 +22,10 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
 static int printmatchpathcon(const char *path, int header, int mode)
 {
 	char *buf;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 	int rc = matchpathcon(path, mode, &buf);
+#pragma GCC diagnostic pop
 	if (rc < 0) {
 		if (errno == ENOENT) {
 			buf = strdup("<<none>>");
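Review bot: libselinux/utils/matchpathcon.c is a program built against the public header rather than library-internal code, so silencing matchpathcon() in printmatchpathcon() hides the warning in the kind of caller the annotation is aimed at, and the commit message's "internally" does not describe this file. Either port the utility to the replacement interface, or add a comment above the push explaining why this tool keeps calling the deprecated API.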
@@ -103,7 +106,10 @@ int main(int argc, char **argv)
 				exit(1);
 			}
 			init = 1;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 			if (matchpathcon_init(optarg)) {
+#pragma GCC diagnostic pop
 				fprintf(stderr,
 					"Error while processing %s:  %s\n",
 					optarg,
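Review bot: in this hunk the push sits before `if (matchpathcon_init(optarg)) {` and the pop is inside the if body, so the pair straddles a brace and the suppression ends at a different nesting level from where it starts. Assign the result to a local between push and pop (for example `int rc = matchpathcon_init(optarg);`) and test `rc` in the `if`, which also matches how the call in printmatchpathcon() is wrapped in the first hunk.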
@@ -195,6 +201,9 @@ int main(int argc, char **argv)
 			error |= printmatchpathcon(path, header, mode);
 		}
 	}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 	matchpathcon_fini();
+#pragma GCC diagnostic pop
 	return error;
 }
-- 
2.17.1



* Re: Annotate Deprecated Functions in libselinux
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (16 preceding siblings ...)
  2020-02-25 20:02 ` [PATCH 17/17] utils/matchpathcon: " bill.c.roberts
@ 2020-02-25 20:51 ` Stephen Smalley
  2020-02-25 21:06   ` William Roberts
  2020-04-16 15:43 ` bill.c.roberts
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
  19 siblings, 1 reply; 97+ messages in thread
From: Stephen Smalley @ 2020-02-25 20:51 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: Stephen Smalley, plautrba, selinux

On Tue, Feb 25, 2020 at 3:03 PM <bill.c.roberts@gmail.com> wrote:
> The annoying part is internal users of the routines. We could always make
> a v2 version of the function for internal callers, and leave the old
> interfaces intact to work around the warnings, or just pragma them out.
> This series pragma's them out.
>
> diagnostic push has been supported since GCC v4.6. Earlier versions will
> warn on this, and the side effect is that the diagnostic ignored pragma
> will be valid for the rest of the file. Clang has similar support that's
> been around *at least* since clang 6.0.

My inclination (and others are free to disagree) would be to rename
the deprecated functions for internal users (and mark them hidden),
and add stubs for the old interfaces that call the hidden functions to
avoid the need for this pragma.  Also, FWIW, there is a push to remove
the hidden_def/hidden_proto stuff for LTO, see
https://github.com/SELinuxProject/selinux/issues/204, although I don't
yet know how that will turn out for libselinux.

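The two ways of handling internal callers discussed in the message above (the pragma around the call, as in the series, and a hidden renamed implementation behind a deprecated stub), side by side as an added example that is not part of the thread or of libselinux. All `demo_*` names and the lookup table are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute wrappers so the header part still parses on other compilers. */
#if defined(__GNUC__)
# define DEMO_DEPRECATED(msg) __attribute__((deprecated(msg)))
# define DEMO_HIDDEN          __attribute__((visibility("hidden")))
#else
# define DEMO_DEPRECATED(msg)
# define DEMO_HIDDEN
#endif

/* "Public header": the old entry point stays exported but warns callers. */
int demo_label_for(const char *path, const char **label)
	DEMO_DEPRECATED("Use demo_label_lookup");

/* "Internal header": hidden implementation, never marked deprecated. */
int demo_label_for_impl(const char *path, const char **label) DEMO_HIDDEN;

/* Constructed sample table standing in for a file-contexts database. */
static const struct {
	const char *prefix;
	const char *label;
} demo_table[] = {
	{ "/etc/", "etc_t" },
	{ "/var/log/", "var_log_t" },
};

/* Real work lives in the hidden function. */
int demo_label_for_impl(const char *path, const char **label)
{
	size_t i;

	for (i = 0; i < sizeof(demo_table) / sizeof(demo_table[0]); i++) {
		size_t n = strlen(demo_table[i].prefix);

		if (strncmp(path, demo_table[i].prefix, n) == 0) {
			*label = demo_table[i].label;
			return 0;
		}
	}
	*label = NULL;
	return -1;
}

/* Stub for the old interface: it only forwards to the hidden function. */
int demo_label_for(const char *path, const char **label)
{
	return demo_label_for_impl(path, label);
}

/* Approach of the series: call the deprecated symbol, silence the call. */
int demo_index_with_pragma(const char *path, const char **label)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
	int rc = demo_label_for(path, label);
#pragma GCC diagnostic pop

	return rc < 0 ? -1 : 0;
}

/* Approach from the reply: internal callers use the hidden name, no pragma. */
int demo_index_with_hidden_impl(const char *path, const char **label)
{
	int rc = demo_label_for_impl(path, label);

	return rc < 0 ? -1 : 0;
}

int main(void)
{
	const char *label = NULL;

	if (demo_index_with_pragma("/etc/passwd", &label) == 0)
		printf("pragma path:      %s\n", label);
	if (demo_index_with_hidden_impl("/var/log/messages", &label) == 0)
		printf("hidden-impl path: %s\n", label);
	return 0;
}
```

Both internal callers compile without a deprecation warning; only code that calls `demo_label_for()` outside a suppressed region is warned.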

* Re: [PATCH 08/17] checkPasswdAccess: annotate deprecated
  2020-02-25 20:02 ` [PATCH 08/17] checkPasswdAccess: " bill.c.roberts
@ 2020-02-25 20:58   ` Stephen Smalley
  0 siblings, 0 replies; 97+ messages in thread
From: Stephen Smalley @ 2020-02-25 20:58 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: Stephen Smalley, plautrba, selinux, William Roberts

On Tue, Feb 25, 2020 at 3:03 PM <bill.c.roberts@gmail.com> wrote:
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index e531f927be1e..3704eabc7545 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -603,7 +603,8 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
>  /* Check a permission in the passwd class.
>     Return 0 if granted or -1 otherwise. */
>  extern int selinux_check_passwd_access(access_vector_t requested);
> -extern int checkPasswdAccess(access_vector_t requested);
> +extern int checkPasswdAccess(access_vector_t requested)
> +   __attribute__ ((deprecated("Use selinux_check_passwd_access")));
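Review bot: the message form of the attribute on checkPasswdAccess() is written directly into an installed public header (include/selinux/selinux.h), so every compiler used to build against libselinux has to accept `__attribute__ ((deprecated("...")))`. Wrap it in a macro that falls back to the message-less form, or to nothing, when the compiler does not support it.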

I'd actually recommend deprecating that one too and recommending the
use of selinux_check_access() instead.
That way they get dynamic lookup of the permission and handling of
per-domain permissive and handle_unknown settings.
Only drawback is that they have to call getprevcon_raw() themselves
first and pass it in.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-25 20:51 ` Annotate Deprecated Functions in libselinux Stephen Smalley
@ 2020-02-25 21:06   ` William Roberts
  2020-02-27 18:41     ` William Roberts
  0 siblings, 1 reply; 97+ messages in thread
From: William Roberts @ 2020-02-25 21:06 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Stephen Smalley, Petr Lautrbach, selinux

On Tue, Feb 25, 2020 at 2:49 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Feb 25, 2020 at 3:03 PM <bill.c.roberts@gmail.com> wrote:
> > The annoying part is internal users of the routines. We could always make
> > a v2 version of the function for internal callers, and leave the old
> > interfaces intact to work around the warnings, or just pragma them out.
> > This series pragma's them out.
> >
> > diagnostic push has been supported since GCC v4.6. Earlier versions will
> > warn on this, and the side effect is that the diagnostic ignored pragma
> > will be valid for the rest of the file. Clang has similar support that's
> > been around *at least* since clang 6.0.
>
> My inclination (and others are free to disagree) would be to rename
> the deprecated functions for internal users (and mark them hidden),
> and add stubs for the old interfaces that call the hidden functions to
> avoid the need for this pragma.

I'm actually leaning that way myself after thinking about it more.

> Also, FWIW, there is a push to remove
> the hidden_def/hidden_proto stuff for LTO, see
> https://github.com/SELinuxProject/selinux/issues/204, although I don't
> yet know how that will turn out for libselinux.

Good to know.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-25 21:06   ` William Roberts
@ 2020-02-27 18:41     ` William Roberts
  2020-02-27 19:48       ` Stephen Smalley
  0 siblings, 1 reply; 97+ messages in thread
From: William Roberts @ 2020-02-27 18:41 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Stephen Smalley, Petr Lautrbach, SElinux list

On Tue, Feb 25, 2020 at 3:06 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Tue, Feb 25, 2020 at 2:49 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Feb 25, 2020 at 3:03 PM <bill.c.roberts@gmail.com> wrote:
> > > The annoying part is internal users of the routines. We could always make
> > > a v2 version of the function for internal callers, and leave the old
> > > interfaces intact to work around the warnings, or just pragma them out.
> > > This series pragma's them out.
> > >
> > > diagnostic push has been supported since GCC v4.6. Earlier versions will
> > > warn on this, and the side effect is that the diagnostic ignored pragma
> > > will be valid for the rest of the file. Clang has similar support that's
> > > been around *at least* since clang 6.0.
> >
> > My inclination (and others are free to disagree) would be to rename
> > the deprecated functions for internal users (and mark them hidden),
> > and add stubs for the old interfaces that call the hidden functions to
> > avoid the need for this pragma.
>
> I'm actually leaning that way myself after thinking about it more.

It doesn't get us around all the issues, anything marked deprecated in selinux.h
and marked hidden_proto in selinux_internal.h, will still need a pragma.

This would be much simpler if we drop the whole hidden_proto stuff, I guess
kloczek is proposing patches? Who is that, I see the Github name as:
Tomasz Kłoczko

But I can't find any matching author in the git logs to CC them.

I'm looking at those macros:
hidden_def
hidden_proto

They both seem to take a function and create an _internal symbol, and
set the global symbol equal to the internal one. Essentially, both the
normal and _internal functions are pointing to the same address.

$ readelf -s ./src/libselinux.so | grep setexeccon_raw
   176: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw
   279: 0000000000017c26    63 FUNC    LOCAL  DEFAULT   12 setexeccon_raw_internal
   606: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw

The hidden one, additionally
sets the visibility to hidden, which if IIUC, just requires one to
statically link. We can see above the
visibility is local.

What I don't understand, is why one would do this? What actual
performance enhancement do we get?

>
> > Also, FWIW, there is a push to remove
> > the hidden_def/hidden_proto stuff for LTO, see
> > https://github.com/SELinuxProject/selinux/issues/204, although I don't
> > yet know how that will turn out for libselinux.
>
> Good to know.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 18:41     ` William Roberts
@ 2020-02-27 19:48       ` Stephen Smalley
  2020-02-27 20:03         ` Ondrej Mosnacek
  0 siblings, 1 reply; 97+ messages in thread
From: Stephen Smalley @ 2020-02-27 19:48 UTC (permalink / raw)
  To: William Roberts; +Cc: Stephen Smalley, Petr Lautrbach, SElinux list

On Thu, Feb 27, 2020 at 1:41 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
> It doesn't get us around all the issues, anything marked deprecated in selinux.h
> and marked hidden_proto in selinux_internal.h, will still need a pragma.
>
> This would be much simpler if we drop the whole hidden_proto stuff, I guess
> kloczek is proposing patches? Who is that, I see the Github name as:
> Tomasz Kłoczko
>
> But I can't find any matching author in the git logs to CC them.

I don't actually know him myself but he has opened a number of issues
on the selinux userspace and appears to be involved in Fedora in some
capacity.

> I'm looking at those macros:
> hidden_def
> hidden_proto
>
> They both seem to take a function and create an _internal symbol, and
> set the global symbol equal to the internal one. Essentially, both the
> normal and _internal functions are pointing to the same address.
>
> $ readelf -s ./src/libselinux.so | grep setexeccon_raw
>    176: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw
>    279: 0000000000017c26    63 FUNC    LOCAL  DEFAULT   12 setexeccon_raw_internal
>    606: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw
>
> The hidden one, additionally
> sets the visibility to hidden, which if IIUC, just requires one to
> statically link. We can see above the
> visibility is local.
>
> What I don't understand, is why one would do this? What actual
> performance enhancement do we get?

The hidden_def/hidden_proto stuff originally came from Ulrich Drepper,
glibc maintainer at the time, to eliminate unnecessary runtime
relocations and PLT entries being used for local symbols.  Per the
comments in https://github.com/SELinuxProject/selinux/issues/204,
these might not be needed anymore and are breaking building with LTO.
Willing to get rid of them if it doesn't produce a significant
regression.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 19:48       ` Stephen Smalley
@ 2020-02-27 20:03         ` Ondrej Mosnacek
  2020-02-27 20:10           ` William Roberts
  2020-02-27 20:43           ` Ulrich Drepper
  0 siblings, 2 replies; 97+ messages in thread
From: Ondrej Mosnacek @ 2020-02-27 20:03 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: William Roberts, Stephen Smalley, Petr Lautrbach, SElinux list,
	Ulrich Drepper

(Adding Ulrich himself to Cc...)

On Thu, Feb 27, 2020 at 8:47 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 1:41 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > It doesn't get us around all the issues, anything marked deprecated in selinux.h
> > and marked hidden_proto in selinux_internal.h, will still need a pragma.
> >
> > This would be much simpler if we drop the whole hidden_proto stuff, I guess
> > kloczek is proposing patches? Who is that, I see the Github name as:
> > Tomasz Kłoczko
> >
> > But I can't find any matching author in the git logs to CC them.
>
> I don't actually know him myself but he has opened a number of issues
> on the selinux userspace and appears to be involved in Fedora in some
> capacity.
>
> > I'm looking at those macros:
> > hidden_def
> > hidden_proto
> >
> > They both seem to take a function and create an _internal symbol, and
> > set the global symbol equal to the internal one. Essentially, both the
> > normal and _internal functions are pointing to the same address.
> >
> > $ readelf -s ./src/libselinux.so | grep setexeccon_raw
> >    176: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw
> >    279: 0000000000017c26    63 FUNC    LOCAL  DEFAULT   12 setexeccon_raw_internal
> >    606: 0000000000017c26    63 FUNC    GLOBAL DEFAULT   12 setexeccon_raw
> >
> > The hidden one, additionally
> > sets the visibility to hidden, which if IIUC, just requires one to
> > statically link. We can see above the
> > visibility is local.
> >
> > What I don't understand, is why one would do this? What actual
> > performance enhancement do we get?
>
> The hidden_def/hidden_proto stuff originally came from Ulrich Drepper,
> glibc maintainer at the time, to eliminate unnecessary runtime
> relocations and PLT entries being used for local symbols.  Per the
> comments in https://github.com/SELinuxProject/selinux/issues/204,
> these might not be needed anymore and are breaking building with LTO.
> Willing to get rid of them if it doesn't produce a significant
> regression.

Ulrich, could you help us understand the macros you proposed to add to
the SELinux libraries (probably a very long time ago)? Specifically,
we are talking about those defined in "dso.h" header files such as
this one [1]. See also GH issue 204 [2] for related discussion.

Thanks,

[1] https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/dso.h
[2] https://github.com/SELinuxProject/selinux/issues/204

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 20:03         ` Ondrej Mosnacek
@ 2020-02-27 20:10           ` William Roberts
  2020-02-27 20:24             ` Stephen Smalley
  2020-02-27 20:43           ` Ulrich Drepper
  1 sibling, 1 reply; 97+ messages in thread
From: William Roberts @ 2020-02-27 20:10 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Stephen Smalley, Stephen Smalley, Petr Lautrbach, SElinux list,
	Ulrich Drepper

<snip>
> > The hidden_def/hidden_proto stuff originally came from Ulrich Drepper,
> > glibc maintainer at the time, to eliminate unnecessary runtime
> > relocations and PLT entries being used for local symbols.  Per the
> > comments in https://github.com/SELinuxProject/selinux/issues/204,
> > these might not be needed anymore and are breaking building with LTO.
> > Willing to get rid of them if it doesn't produce a significant
> > regression.

I guess that's my major question, how do we determine this is a regression?
Obviously a functional break is self explanatory.

>
> Ulrich, could you help us understand the macros you proposed to add to
> the SELinux libraries (probably a very long time ago)? Specifically,
> we are talking about those defined in "dso.h" header files such as
> this one [1]. See also GH issue 204 [2] for related discussion.
>
> Thanks,
>
> [1] https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/dso.h
> [2] https://github.com/SELinuxProject/selinux/issues/204
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 20:10           ` William Roberts
@ 2020-02-27 20:24             ` Stephen Smalley
  0 siblings, 0 replies; 97+ messages in thread
From: Stephen Smalley @ 2020-02-27 20:24 UTC (permalink / raw)
  To: William Roberts
  Cc: Ondrej Mosnacek, Stephen Smalley, Petr Lautrbach, SElinux list,
	Ulrich Drepper

On Thu, Feb 27, 2020 at 3:11 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> <snip>
> > > The hidden_def/hidden_proto stuff originally came from Ulrich Drepper,
> > > glibc maintainer at the time, to eliminate unnecessary runtime
> > > relocations and PLT entries being used for local symbols.  Per the
> > > comments in https://github.com/SELinuxProject/selinux/issues/204,
> > > these might not be needed anymore and are breaking building with LTO.
> > > Willing to get rid of them if it doesn't produce a significant
> > > regression.
>
> I guess that's my major question, how do we determine this is a regression?
> Obviously a functional break is self explanatory.

The original statistics used to justify it were generated by the
relinfo.pl script available from
https://www.akkadia.org/drepper/relinfo.pl.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 20:03         ` Ondrej Mosnacek
  2020-02-27 20:10           ` William Roberts
@ 2020-02-27 20:43           ` Ulrich Drepper
  2020-02-27 21:05             ` William Roberts
  1 sibling, 1 reply; 97+ messages in thread
From: Ulrich Drepper @ 2020-02-27 20:43 UTC (permalink / raw)
  To: Ondrej Mosnacek, Stephen Smalley
  Cc: William Roberts, Stephen Smalley, Petr Lautrbach, SElinux list



On 2/27/20 9:03 PM, Ondrej Mosnacek wrote:
> Ulrich, could you help us understand the macros you proposed to add to
> the SELinux libraries (probably a very long time ago)? Specifically,
> we are talking about those defined in "dso.h" header files such as
> this one [1]. See also GH issue 204 [2] for related discussion.

The use of the hidden infrastructure is not just a means to reduce
overhead in the form of PLTs.  It also ensures that internals for the
library don't leak out.  If calls between functions within the same DSO
use the PLT they can be intercepted by a DSO earlier in the search path of
the dynamic linker.  This can have unwanted consequences.

I advise that this isn't changed.  The infrastructure to do this should
change, though.  You could look at the code glibc uses today.  The
functionality is still there, just slightly changed.

An alternative is to use gcc's -fno-semantic-interposition option.  This
should ensure that PLT entries are avoided.  For Python this was used to
achieve significant speedups due to the PLT reduction.  I know you don't
care about speed that much but this is a way to achieve it.  Python uses
LTO but since the compiler is told about the symbol use there are no
problems.




* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 20:43           ` Ulrich Drepper
@ 2020-02-27 21:05             ` William Roberts
  2020-02-27 21:13               ` Stephen Smalley
  2020-02-27 21:19               ` Ulrich Drepper
  0 siblings, 2 replies; 97+ messages in thread
From: William Roberts @ 2020-02-27 21:05 UTC (permalink / raw)
  To: Ulrich Drepper
  Cc: Ondrej Mosnacek, Stephen Smalley, Stephen Smalley,
	Petr Lautrbach, SElinux list

On Thu, Feb 27, 2020 at 2:43 PM Ulrich Drepper <drepper@redhat.com> wrote:
>
> On 2/27/20 9:03 PM, Ondrej Mosnacek wrote:
> > Ulrich, could you help us understand the macros you proposed to add to
> > the SELinux libraries (probably a very long time ago)? Specifically,
> > we are talking about those defined in "dso.h" header files such as
> > this one [1]. See also GH issue 204 [2] for related discussion.
>
> The use of the hidden infrastructure is not just a means to reduce
> overhead in the form of PLTs.  It also ensures that internals for the
> library don't leak out.

Linker script? We just use a map file that has everything local except for what
we want to export.

> If calls between functions within the same DSO
> use the PLT they can be intercepted by a DSO earlier in the search path of
> the dynamic linker.  This can have unwanted consequences.

Huh? I'm not following? If we just remove this, what would actually
break in libselinux?

>
> I advise that this isn't changed.  The infrastructure to do this should
> change, though.  You could look at the code glibc uses today.  The
> functionality is still there, just slightly changed.
>
> An alternative is to use gcc's -fno-semantic-interposition option.  This
> should ensure that PLT entries are avoided.  For Python this was used to
> achieve significant speedups due to the PLT reduction.  I know you don't
> care about speed that much but this is a way to achieve it.  Python uses
> LTO but since the compiler is told about the symbol use there are no
> problems.

This minor overhead on the first call to a routine to resolve the symbol isn't
really much overhead. After it's resolved it's like an extra jmp or something.

If you really wanted to avoid relocation, couldn't you just link statically?

This seems like it might be good for specific issues, but I don't see how this
infrastructure really prevents or fixes anything besides complicating the code,
perhaps enlighten me?

I can see how perhaps for large things like python/glibc it could be
useful but for
libselinux this just seems like an over-engineered solution to a
non-existent problem.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:05             ` William Roberts
@ 2020-02-27 21:13               ` Stephen Smalley
  2020-02-27 21:18                 ` William Roberts
  2020-02-27 21:19               ` Ulrich Drepper
  1 sibling, 1 reply; 97+ messages in thread
From: Stephen Smalley @ 2020-02-27 21:13 UTC (permalink / raw)
  To: William Roberts
  Cc: Ulrich Drepper, Ondrej Mosnacek, Stephen Smalley, Petr Lautrbach,
	SElinux list

On Thu, Feb 27, 2020 at 4:05 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 2:43 PM Ulrich Drepper <drepper@redhat.com> wrote:
> > The use of the hidden infrastructure is not just a means to reduce
> > overhead in the form of PLTs.  It also ensures that internals for the
> > library don't leak out.
>
> Linker script? We just use a map file that has everything local except for what
> we want to export.

That just controls what is exported.  The hidden_proto/hidden_def
stuff is to ensure that when libselinux calls one of its own exported
symbols, that symbol resolves to the actual libselinux implementation
and not something provided by some other DSO earlier in the search
path, which is otherwise possible.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:13               ` Stephen Smalley
@ 2020-02-27 21:18                 ` William Roberts
  2020-02-27 21:32                   ` Stephen Smalley
  0 siblings, 1 reply; 97+ messages in thread
From: William Roberts @ 2020-02-27 21:18 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Ulrich Drepper, Ondrej Mosnacek, Stephen Smalley, Petr Lautrbach,
	SElinux list

On Thu, Feb 27, 2020 at 3:11 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 4:05 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Feb 27, 2020 at 2:43 PM Ulrich Drepper <drepper@redhat.com> wrote:
> > > The use of the hidden infrastructure is not just a means to reduce
> > > overhead in the form of PLTs.  It also ensures that internals for the
> > > library don't leak out.
> >
> > Linker script? We just use a map file that has everything local except for what
> > we want to export.
>
> That just controls what is exported.  The hidden_proto/hidden_def
> stuff is to ensure that when libselinux calls one of its own exported
> symbols, that symbol resolves to the actual libselinux implementation
> and not something provided by some other DSO earlier in the search
> path, which is otherwise possible.

Sure, but do we actually care about that?

If we actually do care, we could throw a script in the build to make sure
anything in the linker script map is not used internally.

Right now, all this DSO hygiene and look up protection is opt-in, which
usually always results in missed cases. With the linker script, it's opt-out,
which is usually always how you want to do things.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:05             ` William Roberts
  2020-02-27 21:13               ` Stephen Smalley
@ 2020-02-27 21:19               ` Ulrich Drepper
  2020-02-27 21:31                 ` William Roberts
  1 sibling, 1 reply; 97+ messages in thread
From: Ulrich Drepper @ 2020-02-27 21:19 UTC (permalink / raw)
  To: William Roberts
  Cc: Ondrej Mosnacek, Stephen Smalley, Stephen Smalley,
	Petr Lautrbach, SElinux list



On 2/27/20 10:05 PM, William Roberts wrote:
> Linker script? We just use a map file that has everything local except for what
> we want to export.

That's not the same.  If you call an exported function that call might
actually end up somewhere else.


> Huh? I'm not following? If we just remove this, what would actually
> break in libselinux?

It's not breaking anything per-se.  It can break something if a symbol
is inadvertently or deliberately defined elsewhere.


> This minor overhead on the first call to a routine to resolve the symbol isn't
> really much overhead. After it's resolved it's like an extra jmp or something.

It's not as much about the overhead of the lookup.  The indirect calls
are expensive.  And so is the loss of opportunities to optimize for the
compiler.


> If you really wanted to avoid relocation, couldn't you just link statically?

Aside from the fact that you don't have the whole picture, linking
statically is problematic:

https://akkadia.org/drepper/no_static_linking.html


> This seems like it might be good for specific issues, but I don't see how this
> infrastructure really prevents or fixes anything besides complicating the code,
> perhaps enlighten me?

Again, it's a semantic change in addition to a performance regression.
Didn't you read the part where I suggested just using this one compiler
option?  How much less work are you willing to invest?




* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:19               ` Ulrich Drepper
@ 2020-02-27 21:31                 ` William Roberts
  0 siblings, 0 replies; 97+ messages in thread
From: William Roberts @ 2020-02-27 21:31 UTC (permalink / raw)
  To: Ulrich Drepper
  Cc: Ondrej Mosnacek, Stephen Smalley, Stephen Smalley,
	Petr Lautrbach, SElinux list

<snip>

>
> > This seems like it might be good for specific issues, but I don't see how this
> > infrastructure really prevents or fixes anything besides complicating the code,
> > perhaps enlighten me?
>
> Again, it's a semantic change in addition to a performance regression.
> Didn't you read the part where I suggested just using this one compiler
> option?  How much less work are you willing to invest?
>

No, I saw that, and it's fine and all and we can add it, but
it limits us to gcc 5.3+.

But we would still need a map file for basic hygiene on what we are exporting.

But this still seems like solving a problem that practically doesn't exist.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:18                 ` William Roberts
@ 2020-02-27 21:32                   ` Stephen Smalley
  2020-02-27 21:34                     ` William Roberts
  0 siblings, 1 reply; 97+ messages in thread
From: Stephen Smalley @ 2020-02-27 21:32 UTC (permalink / raw)
  To: William Roberts
  Cc: Ulrich Drepper, Ondrej Mosnacek, Stephen Smalley, Petr Lautrbach,
	SElinux list

On Thu, Feb 27, 2020 at 4:19 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 3:11 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > That just controls what is exported.  The hidden_proto/hidden_def
> > stuff is to ensure that when libselinux calls one of its own exported
> > symbols, that symbol resolves to the actual libselinux implementation
> > and not something provided by some other DSO earlier in the search
> > path, which is otherwise possible.
>
> Sure, but do we actually care about that?
>
> If we actually do care, we could throw a script in the build to make sure
> anything in the linker script map is not used internally.
>
> Right now, all this DSO hygiene and look up protection is opt-in, which
> usually always results in missed cases. With the linker script, it's opt-out,
> which is usually always how you want to do things.

There are lots of cases where libselinux calls one of its own exported
symbols, so you can't just prohibit that.
-fno-semantic-interposition sounds like the right solution to me, and
appears to be the default in clang.
Dropping the hidden_def/hidden_proto stuff without enabling
-fno-semantic-interposition could potentially break because
libselinux could suddenly start using some external implementation of
one of its own functions.
Adding a map file and defaulting to hidden visibility would be a good
idea but is separate.


* Re: Annotate Deprecated Functions in libselinux
  2020-02-27 21:32                   ` Stephen Smalley
@ 2020-02-27 21:34                     ` William Roberts
  0 siblings, 0 replies; 97+ messages in thread
From: William Roberts @ 2020-02-27 21:34 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Ulrich Drepper, Ondrej Mosnacek, Stephen Smalley, Petr Lautrbach,
	SElinux list

On Thu, Feb 27, 2020 at 3:31 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 4:19 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Feb 27, 2020 at 3:11 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > > That just controls what is exported.  The hidden_proto/hidden_def
> > > stuff is to ensure that when libselinux calls one of its own exported
> > > symbols, that symbol resolves to the actual libselinux implementation
> > > and not something provided by some other DSO earlier in the search
> > > path, which is otherwise possible.
> >
> > Sure, but do we actually care about that?
> >
> > If we actually do care, we could throw a script in the build to make sure
> > anything in the linker script map is not used internally.
> >
> > Right now, all this DSO hygiene and look up protection is opt-in, which
> > usually always results in missed cases. With the linker script, it's opt-out,
> > which is usually always how you want to do things.
>
> There are lots of cases where libselinux calls one of its own exported
> symbols, so you can't just prohibit that.
> -fno-semantic-interposition sounds like the right solution to me, and
> appears to be the default in clang.

Interesting to note.

> Dropping the hidden_def/hidden_proto stuff without enabling
> -fno-semantic-interposition could potentially break because
> libselinux could suddenly start using some external implementation of
> one of its own functions.

Conjecture.

> Adding a map file and defaulting to hidden visibility would be a good
> idea but is separate.

IIUC, not really, the current code attempts to limit our exported symbols.

You would need both the compiler option and a map file to keep functional
parity with what's there. Which is fine, that's easy enough to do and should
be some welcome housekeeping.


* Annotate Deprecated Functions in libselinux
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (17 preceding siblings ...)
  2020-02-25 20:51 ` Annotate Deprecated Functions in libselinux Stephen Smalley
@ 2020-04-16 15:43 ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 01/18] security_load_booleans: update return comment bill.c.roberts
                     ` (18 more replies)
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
  19 siblings, 19 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux

V2:
- Simplified now that dso.h stuff has been removed.
- selinux_check_passwd_access has been deprecated and now
  both selinux_check_passwd_access and checkPasswdAccess
  are recommending selinux_check_access.
- matchpathcon is linked statically to get access to deprecated
  routines and prints a deprecated warning to stderr.

V1:
I went through and annotated deprecated routines we have in
libselinux that are mentioned to be deprecated either in code
comments and/or manpages.

External users, when compiling, will see a warning similar to some
sample output:

a.c: In function ‘main’:
a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
  foo();
  ^~~
a.c:5:5: note: declared here
 int foo(void) {
     ^~~
a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
  boo();
  ^~~
a.c:11:5: note: declared here
 int boo(void) {

[PATCH v2 01/18] security_load_booleans: update return comment
[PATCH v2 02/18] security_load_booleans: annotate deprecated
[PATCH v2 03/18] selinux_booleans_path: annotate deprecated
[PATCH v2 04/18] selinux_users_path: annotate deprecated
[PATCH v2 05/18] rpm_execcon: annotate deprecated
[PATCH v2 06/18] sidget: annotate deprecated
[PATCH v2 07/18] sidput: annotate deprecated
[PATCH v2 08/18] checkPasswdAccess: annotate deprecated
[PATCH v2 09/18] matchpathcon_init: annotate deprecated
[PATCH v2 10/18] matchpathcon_fini: annotate deprecated
[PATCH v2 11/18] matchpathcon: annotate deprecated
[PATCH v2 12/18] avc_init: annotate deprecated
[PATCH v2 13/18] avc: create internal avc_init interface
[PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini
[PATCH v2 15/18] matchpathcon: create internal matchpathcon interface
[PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated
[PATCH v2 17/18] utils: matchpathcon to use interal interfaces
[PATCH v2 18/18] utils: matchpathcon add deprecated warning



* [PATCH v2 01/18] security_load_booleans: update return comment
  2020-04-16 15:43 ` bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 02/18] security_load_booleans: annotate deprecated bill.c.roberts
                     ` (17 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

The code returns -1 not 0, correct it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 6a512b383325..948ca0689a07 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -323,7 +323,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 				     SELboolean * boollist, int permanent);
 
 /* Load policy boolean settings. Deprecated as local policy booleans no
- * longer supported. Will always return 0.
+ * longer supported. Will always return -1.
  */
 extern int security_load_booleans(char *path);
 
-- 
2.17.1



* [PATCH v2 02/18] security_load_booleans: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 01/18] security_load_booleans: update return comment bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 03/18] selinux_booleans_path: " bill.c.roberts
                     ` (16 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 948ca0689a07..38030fa8802e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -325,7 +325,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 /* Load policy boolean settings. Deprecated as local policy booleans no
  * longer supported. Will always return -1.
  */
-extern int security_load_booleans(char *path);
+extern int security_load_booleans(char *path) __attribute__ ((deprecated));
 
 /* Check the validity of a security context. */
 extern int security_check_context(const char * con);
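
Review bot: the attribute on security_load_booleans is the bare
__attribute__ ((deprecated)), so a caller only sees "is deprecated" with
no reason and no replacement, while later patches in this series pass a
message (rpm_execcon gets "Use setexecfilecon and execve"). The comment
directly above already gives the reason; consider carrying it into the
attribute, e.g. deprecated("local policy booleans are no longer
supported"), so the warning explains itself. The same applies to the
selinux_booleans_path and selinux_users_path annotations in patches 03
and 04.
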
-- 
2.17.1



* [PATCH v2 03/18] selinux_booleans_path: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 01/18] security_load_booleans: update return comment bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 02/18] security_load_booleans: annotate deprecated bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 04/18] selinux_users_path: " bill.c.roberts
                     ` (15 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 38030fa8802e..454d3772ec38 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -575,7 +575,7 @@ extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
 /* Deprecated as local policy booleans no longer supported. */
-extern const char *selinux_booleans_path(void);
+extern const char *selinux_booleans_path(void) __attribute__ ((deprecated));
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
 extern const char *selinux_users_path(void);
-- 
2.17.1



* [PATCH v2 04/18] selinux_users_path: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (2 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 03/18] selinux_booleans_path: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 05/18] rpm_execcon: " bill.c.roberts
                     ` (14 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 454d3772ec38..cf2b81ba3162 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -578,7 +578,7 @@ extern const char *selinux_booleans_subs_path(void);
 extern const char *selinux_booleans_path(void) __attribute__ ((deprecated));
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
-extern const char *selinux_users_path(void);
+extern const char *selinux_users_path(void) __attribute__ ((deprecated));
 extern const char *selinux_usersconf_path(void);
 extern const char *selinux_translations_path(void);
 extern const char *selinux_colors_path(void);
-- 
2.17.1



* [PATCH v2 05/18] rpm_execcon: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (3 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 04/18] selinux_users_path: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 06/18] sidget: " bill.c.roberts
                     ` (13 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index cf2b81ba3162..0b99850ad23d 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -633,7 +633,8 @@ extern int setexecfilecon(const char *filename, const char *fallback_type);
 /* Execute a helper for rpm in an appropriate security context. */
 extern int rpm_execcon(unsigned int verified,
 		       const char *filename,
-		       char *const argv[], char *const envp[]);
+		       char *const argv[], char *const envp[])
+	__attribute__((deprecated("Use setexecfilecon and execve")));
 #endif
 
 /* Returns whether a file context is customizable, and should not 
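
Review bot: the comment above rpm_execcon still reads "Execute a helper
for rpm in an appropriate security context." and says nothing about the
deprecation, so the header documentation and the attribute disagree; add
a "Deprecated, use setexecfilecon() and execve()" line to the comment.
Style nit: this hunk writes __attribute__((deprecated(...))) without the
space that patches 02-04 use in __attribute__ ((deprecated)); pick one
form for the whole series.
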
-- 
2.17.1



* [PATCH v2 06/18] sidget: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (4 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 05/18] rpm_execcon: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 07/18] sidput: " bill.c.roberts
                     ` (12 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 46c51419f588..c5c842a34470 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -64,7 +64,7 @@ extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
  * reference count).  Note that avc_context_to_sid() also
  * increments reference counts.
  */
-extern int sidget(security_id_t sid);
+extern int sidget(security_id_t sid) __attribute__ ((deprecated));
 
 /**
  * sidput - decrement SID reference counter.
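
Review bot: the kernel-doc block above sidget still documents it as a
live reference-count increment and is not touched, and the attribute
carries no message, so neither the header nor the compiler warning tells
a caller why the call is deprecated or what to do instead. Add a
deprecation sentence to the comment and a message string to the
attribute; sidput in the next patch needs the same treatment.
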
-- 
2.17.1



* [PATCH v2 07/18] sidput: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (5 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 06/18] sidget: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 08/18] checkPasswdAccess: " bill.c.roberts
                     ` (11 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index c5c842a34470..472f6918ca83 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -76,7 +76,7 @@ extern int sidget(security_id_t sid) __attribute__ ((deprecated));
  * zero, the SID is invalid, and avc_context_to_sid() must
  * be called to obtain a new SID for the security context.
  */
-extern int sidput(security_id_t sid);
+extern int sidput(security_id_t sid) __attribute__ ((deprecated));
 
 /**
  * avc_get_initial_sid - get SID for an initial kernel security identifier
-- 
2.17.1



* [PATCH v2 08/18] checkPasswdAccess: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (6 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 07/18] sidput: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 09/18] matchpathcon_init: " bill.c.roberts
                     ` (10 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 0b99850ad23d..2767daff17e7 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -607,7 +607,8 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
 extern int selinux_check_passwd_access(access_vector_t requested);
-extern int checkPasswdAccess(access_vector_t requested);
+extern int checkPasswdAccess(access_vector_t requested)
+   __attribute__ ((deprecated("Use selinux_check_access")));
 
 /* Check if the tty_context is defined as a securetty
    Return 0 if secure, < 0 otherwise. */
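
Review bot: the suggested replacement is not a drop-in.
checkPasswdAccess takes a single access_vector_t, while the
selinux_check_access prototype shown in the hunk header starts with
"const char * scon, const char * tcon", so callers have to supply
contexts themselves. The comment above the declaration should describe
the migration, because "Use selinux_check_access" alone does not. Also,
the continuation line is indented with three spaces where the
rpm_execcon, matchpathcon and avc_init annotations use a tab.
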
-- 
2.17.1



* [PATCH v2 09/18] matchpathcon_init: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (7 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 08/18] checkPasswdAccess: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 10/18] matchpathcon_fini: " bill.c.roberts
                     ` (9 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 2767daff17e7..9e209d2ab75e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -461,7 +461,8 @@ extern void set_matchpathcon_flags(unsigned int flags);
    function also checks for a 'path'.homedirs file and 
    a 'path'.local file and loads additional specifications 
    from them if present. */
-extern int matchpathcon_init(const char *path);
+extern int matchpathcon_init(const char *path)
+   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")));
 
 /* Same as matchpathcon_init, but only load entries with
    regexes that have stems that are prefixes of 'prefix'. */
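
Review bot: matchpathcon_init_prefix, declared in the trailing context
and documented as "Same as matchpathcon_init", is left without the
attribute, so the legacy loader stays reachable warning-free through the
prefix variant. Either annotate it in this patch with the same
selabel_open message or state in the commit message why it is excluded.
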
-- 
2.17.1



* [PATCH v2 10/18] matchpathcon_fini: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (8 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 09/18] matchpathcon_init: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 11/18] matchpathcon: " bill.c.roberts
                     ` (8 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 9e209d2ab75e..96a071a8dea4 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -469,7 +469,8 @@ extern int matchpathcon_init(const char *path)
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
 /* Free the memory allocated by matchpathcon_init. */
-extern void matchpathcon_fini(void);
+extern void matchpathcon_fini(void)
+   __attribute__ ((deprecated("Use selabel_close")));
 
 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
  * the final component (same a realpath() unless the final component is a
-- 
2.17.1



* [PATCH v2 11/18] matchpathcon: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (9 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 10/18] matchpathcon_fini: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 12/18] avc_init: " bill.c.roberts
                     ` (7 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 96a071a8dea4..5a66fa6f9d78 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -484,7 +484,8 @@ extern int realpath_not_final(const char *name, char *resolved_path);
    If matchpathcon_init has not already been called, then this function
    will call it upon its first invocation with a NULL path. */
 extern int matchpathcon(const char *path,
-			mode_t mode, char ** con);
+			mode_t mode, char ** con)
+	__attribute__ ((deprecated("Use selabel_lookup instead")));
 
 /* Same as above, but return a specification index for 
    later use in a matchpathcon_filespec_add() call - see below. */
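
Review bot: the next declaration, described in the context as "Same as
above, but return a specification index", gets no annotation, so its
callers keep using the deprecated lookup path without a warning. If that
is deliberate the commit message should say so; it is currently empty.
Wording nit: this message ends in "instead" while the others in the
series ("Use selabel_close", "Use avc_open and selinux_set_callback") do
not.
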
-- 
2.17.1



* [PATCH v2 12/18] avc_init: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (10 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 11/18] matchpathcon: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 13/18] avc: create internal avc_init interface bill.c.roberts
                     ` (6 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 472f6918ca83..7487b62f41c3 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -192,7 +192,8 @@ extern int avc_init(const char *msgprefix,
 		    const struct avc_memory_callback *mem_callbacks,
 		    const struct avc_log_callback *log_callbacks,
 		    const struct avc_thread_callback *thread_callbacks,
-		    const struct avc_lock_callback *lock_callbacks);
+		    const struct avc_lock_callback *lock_callbacks)
+	__attribute__ ((deprecated("Use avc_open and selinux_set_callback")));
 
 /**
  * avc_open - Initialize the AVC.
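
Review bot: ordering problem for bisection. avc_open still calls
avc_init("avc", NULL, NULL, NULL, NULL) until patch 13 switches it to
avc_init2, so at this commit the library itself triggers
-Wdeprecated-declarations, and a build that uses -Werror fails. Move the
internal-interface patch ahead of this one, or squash the two. The
matchpathcon annotations in patches 10 and 11 have the same relationship
to patches 14 and 15.
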
-- 
2.17.1



* [PATCH v2 13/18] avc: create internal avc_init interface
  2020-04-16 15:43 ` bill.c.roberts
                     ` (11 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 12/18] avc_init: " bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
                     ` (5 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that avc_init is marked deprecated, create an avc_init2 interface
for internal users.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c          | 11 ++++++++++-
 libselinux/src/avc_internal.h |  5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index ab10b0f9f1cb..505641406995 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -157,7 +157,7 @@ int avc_open(struct selinux_opt *opts, unsigned nopts)
 			break;
 		}
 
-	return avc_init("avc", NULL, NULL, NULL, NULL);
+	return avc_init2("avc", NULL, NULL, NULL, NULL);
 }
 
 int avc_init(const char *prefix,
@@ -165,6 +165,15 @@ int avc_init(const char *prefix,
 	     const struct avc_log_callback *log_cb,
 	     const struct avc_thread_callback *thread_cb,
 	     const struct avc_lock_callback *lock_cb)
+{
+	return avc_init2(prefix, mem_cb, log_cb, thread_cb, lock_cb);
+}
+
+int avc_init2(const char *prefix,
+	     const struct avc_memory_callback *mem_cb,
+	     const struct avc_log_callback *log_cb,
+	     const struct avc_thread_callback *thread_cb,
+	     const struct avc_lock_callback *lock_cb)
 {
 	struct avc_node *new;
 	int i, rc = 0;
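
Review bot: avc_init2 is defined with external linkage although both
callers visible in this patch, avc_open and the avc_init wrapper, live
in avc.c. Making it static, with a forward declaration above avc_open,
would keep it out of the library's symbol table and make the
avc_internal.h hunk unnecessary. The "2" suffix also reads like a second
public API version; a name such as avc_init_internal states the intent.
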
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index 3f8a6bb1cf84..c8d26a8ae254 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -173,4 +173,9 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 /* netlink kernel message code */
 extern int avc_netlink_trouble ;
 
+extern int avc_init2(const char *msgprefix,
+		    const struct avc_memory_callback *mem_callbacks,
+		    const struct avc_log_callback *log_callbacks,
+		    const struct avc_thread_callback *thread_callbacks,
+		    const struct avc_lock_callback *lock_callbacks);
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
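
Review bot: this prototype is a plain extern with no visibility marking,
and nothing in the patch keeps avc_init2 out of the exported symbol set
now that the dso.h handling is gone. If the function cannot be static in
avc.c, mark it __attribute__ ((visibility ("hidden"))) here or confirm
that a map file restricts the exports. A one-line comment saying this is
the non-deprecated internal entry point would also help, since it is
appended directly after the unrelated avc_netlink_trouble declaration.
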
-- 
2.17.1



* [PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini interface
  2020-04-16 15:43 ` bill.c.roberts
                     ` (12 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 13/18] avc: create internal avc_init interface bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 15/18] matchpathcon: create internal matchpathcon interface bill.c.roberts
                     ` (4 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that matchpathcon_fini is marked deprecated, create a
matchpathcon_fini2 interface for internal users. We create
a new header file for matchpathcon_internal interfaces.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c          | 10 ++++++++--
 libselinux/src/matchpathcon_internal.h |  6 ++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 libselinux/src/matchpathcon_internal.h

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index bddf77a49ce1..8515c88c2bb8 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -3,6 +3,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include "selinux_internal.h"
+#include "matchpathcon_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
 #include <limits.h>
@@ -317,7 +318,7 @@ void matchpathcon_filespec_destroy(void)
 
 static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 {
-	matchpathcon_fini();
+	matchpathcon_fini2();
 }
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
@@ -357,7 +358,7 @@ int matchpathcon_init(const char *path)
 	return matchpathcon_init_prefix(path, NULL);
 }
 
-void matchpathcon_fini(void)
+void matchpathcon_fini2(void)
 {
 	free_array_elts();
 
@@ -367,6 +368,11 @@ void matchpathcon_fini(void)
 	}
 }
 
+void matchpathcon_fini(void)
+{
+	matchpathcon_fini2();
+}
+
 /*
  * We do not want to resolve a symlink to a real path if it is the final
  * component of the name.  Thus we split the pathname on the last "/" and
diff --git a/libselinux/src/matchpathcon_internal.h b/libselinux/src/matchpathcon_internal.h
new file mode 100644
index 000000000000..3affa687327f
--- /dev/null
+++ b/libselinux/src/matchpathcon_internal.h
@@ -0,0 +1,6 @@
+#ifndef SRC_MATCHPATHCON_INTERNAL_H_
+#define SRC_MATCHPATHCON_INTERNAL_H_
+
+void matchpathcon_fini2(void);
+
+#endif
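
Review bot: the include guard SRC_MATCHPATHCON_INTERNAL_H_ does not
follow the _SELINUX_AVC_INTERNAL_H_ pattern that avc_internal.h uses
(visible in patch 13), and the closing #endif lacks the trailing guard
comment that file has. The header also declares matchpathcon_fini2
without extern, unlike the avc_init2 prototype in patch 13, and without
any visibility marking; the commit message should say whether the symbol
is meant to be reachable only from inside the library and the statically
linked utility.
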
-- 
2.17.1



* [PATCH v2 15/18] matchpathcon: create internal matchpathcon interface
  2020-04-16 15:43 ` bill.c.roberts
                     ` (13 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated bill.c.roberts
                     ` (3 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that matchpathcon is marked deprecated, create a
matchpathcon2 interface for internal users.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c          | 8 ++++++--
 libselinux/src/matchpathcon_internal.h | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 8515c88c2bb8..88539e627f5d 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -433,7 +433,11 @@ out:
 	return rc;
 }
 
-int matchpathcon(const char *path, mode_t mode, char ** con)
+int matchpathcon(const char *path, mode_t mode, char ** con) {
+	return matchpathcon2(path, mode, con);
+}
+
+int matchpathcon2(const char *path, mode_t mode, char ** con)
 {
 	char stackpath[PATH_MAX + 1];
 	char *p = NULL;
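Review bot: the new `matchpathcon` wrapper puts its opening brace on the signature line (`int matchpathcon(...) {`), while `matchpathcon2` directly below it and `matchpathcon_index` further down keep the brace on its own line; match the file's style. The wrapper also calls `matchpathcon2` ahead of its definition, so it compiles cleanly only if matchpathcon.c includes matchpathcon_internal.h; defining the wrapper after `matchpathcon2` would remove that dependency.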
@@ -456,7 +460,7 @@ int matchpathcon(const char *path, mode_t mode, char ** con)
 
 int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
-	int i = matchpathcon(name, mode, con);
+	int i = matchpathcon2(name, mode, con);
 
 	if (i < 0)
 		return -1;
diff --git a/libselinux/src/matchpathcon_internal.h b/libselinux/src/matchpathcon_internal.h
index 3affa687327f..c63bcecfec89 100644
--- a/libselinux/src/matchpathcon_internal.h
+++ b/libselinux/src/matchpathcon_internal.h
@@ -3,4 +3,6 @@
 
 void matchpathcon_fini2(void);
 
+int matchpathcon2(const char *path, mode_t mode, char ** con);
+
 #endif
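Review bot: the added prototype uses `mode_t`, but the header as created in the previous patch contains only the include guard and no `#include`, so it compiles only when the including file has already pulled in the type. Include `<sys/types.h>` in matchpathcon_internal.h so the header is self-contained.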
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated
  2020-04-16 15:43 ` bill.c.roberts
                     ` (14 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 15/18] matchpathcon: create internal matchpathcon interface bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 17/18] utils: matchpathcon to use interal interfaces bill.c.roberts
                     ` (2 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Update the one internal tree caller in the same file to
call selinux_check_passwd_access2.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 4 +++-
 libselinux/src/checkAccess.c         | 7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 5a66fa6f9d78..b8d011fa07a7 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -609,7 +609,9 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
-extern int selinux_check_passwd_access(access_vector_t requested);
+extern int selinux_check_passwd_access(access_vector_t requested)
+  __attribute__ ((deprecated("Use selinux_check_access")));
+
 extern int checkPasswdAccess(access_vector_t requested)
    __attribute__ ((deprecated("Use selinux_check_access")));
 
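Review bot: the attribute on `selinux_check_passwd_access` is attached unconditionally, and the comment above the declaration still documents it as an ordinary call with no mention of the deprecation. The swig failure reported later in this thread was triggered by a bare `__attribute__ ((deprecated))` on a declaration in avc.h; if selinux.h is also fed to swig, the same failure applies here, so the attribute needs a guard. Also extend the comment to say the function is deprecated in favour of `selinux_check_access`, and align the two-space indent with the three-space indent used for `checkPasswdAccess` just below.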
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 677e2ecd7df4..555d7ff3cca5 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -64,7 +64,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
        return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
 }
 
-int selinux_check_passwd_access(access_vector_t requested)
+static int selinux_check_passwd_access2(access_vector_t requested)
 {
 	int status = -1;
 	char *user_context;
@@ -99,8 +99,11 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
+int selinux_check_passwd_access(access_vector_t requested) {
+	return selinux_check_passwd_access2(requested);
+}
 
 int checkPasswdAccess(access_vector_t requested)
 {
-	return selinux_check_passwd_access(requested);
+	return selinux_check_passwd_access2(requested);
 }
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v2 17/18] utils: matchpathcon to use interal interfaces
  2020-04-16 15:43 ` bill.c.roberts
                     ` (15 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-16 15:43   ` [PATCH v2 18/18] utils: matchpathcon add deprecated warning bill.c.roberts
  2020-04-19 13:46   ` Annotate Deprecated Functions in libselinux Nicolas Iooss
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that the matchpathcon library interfaces are deprecated,
matchpathcon needs to use the 2 variants and statically link.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c          | 6 +++++-
 libselinux/src/matchpathcon_internal.h | 2 ++
 libselinux/utils/Makefile              | 6 ++++++
 libselinux/utils/matchpathcon.c        | 9 ++++++---
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 88539e627f5d..d71e792c3f8e 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -352,10 +352,14 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 
+int matchpathcon_init2(const char *path)
+{
+	return matchpathcon_init_prefix(path, NULL);
+}
 
 int matchpathcon_init(const char *path)
 {
-	return matchpathcon_init_prefix(path, NULL);
+	return matchpathcon_init2(path);
 }
 
 void matchpathcon_fini2(void)
diff --git a/libselinux/src/matchpathcon_internal.h b/libselinux/src/matchpathcon_internal.h
index c63bcecfec89..73f0c78fc9d0 100644
--- a/libselinux/src/matchpathcon_internal.h
+++ b/libselinux/src/matchpathcon_internal.h
@@ -1,6 +1,8 @@
 #ifndef SRC_MATCHPATHCON_INTERNAL_H_
 #define SRC_MATCHPATHCON_INTERNAL_H_
 
+int matchpathcon_init2(const char *path);
+
 void matchpathcon_fini2(void);
 
 int matchpathcon2(const char *path, mode_t mode, char ** con);
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index a5632b7c38ec..5f16ab957610 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -58,6 +58,12 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
 
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
+matchpathcon: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a
+
+matchpathcon: CFLAGS += -I../src
+
+matchpathcon: matchpathcon.o ../src/regex.o
+
 all: $(TARGETS)
 
 install: all
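Review bot: linking the utility against `../src/libselinux.a` gives the installed matchpathcon binary its own private copy of the library code, so a later fix shipped in the shared library does not reach this tool until it is rebuilt; the commit message should say why that trade-off is preferred over keeping the utility on the public API. `CFLAGS += -I../src` also exposes every private header in src/ to the utility just to reach matchpathcon_internal.h, and the prerequisites on the `matchpathcon:` rule list `matchpathcon.o` and `../src/regex.o` but not the archive it links, so nothing visible here forces `../src/libselinux.a` to be built first.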
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index eb39a1881066..3d94af365071 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -11,6 +11,9 @@
 #include <limits.h>
 #include <stdlib.h>
 
+#include "matchpathcon_internal.h"
+
+
 static __attribute__ ((__noreturn__)) void usage(const char *progname)
 {
 	fprintf(stderr,
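Review bot: the include is followed by two added blank lines before `usage()`; one is enough. Since `matchpathcon_internal.h` is found only through the `-I../src` flag added in the Makefile hunk, a short comment next to the include saying the utility deliberately uses the library-private, non-deprecated entry points would help the next reader.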
@@ -22,7 +25,7 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
 static int printmatchpathcon(const char *path, int header, int mode)
 {
 	char *buf;
-	int rc = matchpathcon(path, mode, &buf);
+	int rc = matchpathcon2(path, mode, &buf);
 	if (rc < 0) {
 		if (errno == ENOENT) {
 			buf = strdup("<<none>>");
@@ -103,7 +106,7 @@ int main(int argc, char **argv)
 				exit(1);
 			}
 			init = 1;
-			if (matchpathcon_init(optarg)) {
+			if (matchpathcon_init2(optarg)) {
 				fprintf(stderr,
 					"Error while processing %s:  %s\n",
 					optarg,
@@ -195,6 +198,6 @@ int main(int argc, char **argv)
 			error |= printmatchpathcon(path, header, mode);
 		}
 	}
-	matchpathcon_fini();
+	matchpathcon_fini2();
 	return error;
 }
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v2 18/18] utils: matchpathcon add deprecated warning
  2020-04-16 15:43 ` bill.c.roberts
                     ` (16 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 17/18] utils: matchpathcon to use interal interfaces bill.c.roberts
@ 2020-04-16 15:43   ` bill.c.roberts
  2020-04-19 13:46   ` Annotate Deprecated Functions in libselinux Nicolas Iooss
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-16 15:43 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a deprecated warning to matchpathcon encouraging users to switch to
selabel_lookup.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/matchpathcon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index 3d94af365071..2615a7fd3d25 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -76,6 +76,9 @@ int main(int argc, char **argv)
 	int error = 0;
 	int quiet = 0;
 
+	fprintf(stderr,
+		"Deprecated, use selabel_lookup\n");
+
 	if (argc < 2)
 		usage(argv[0]);
 
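Review bot: the warning is printed at the top of `main()` before any argument handling, so it appears on every run, including the `argc < 2` case where `usage()` is called right after, and it is emitted without regard to the `quiet` variable declared just above. The text also does not say what is deprecated: the user sees only "Deprecated, use selabel_lookup". Print it after option parsing, decide whether `quiet` should suppress it, and name the program in the message, for example `"%s is deprecated, use selabel_lookup\n"` with `argv[0]`.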
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* Re: Annotate Deprecated Functions in libselinux
  2020-04-16 15:43 ` bill.c.roberts
                     ` (17 preceding siblings ...)
  2020-04-16 15:43   ` [PATCH v2 18/18] utils: matchpathcon add deprecated warning bill.c.roberts
@ 2020-04-19 13:46   ` Nicolas Iooss
  2020-04-20 14:34     ` Roberts, William C
  2020-04-20 15:45     ` [v3] " bill.c.roberts
  18 siblings, 2 replies; 97+ messages in thread
From: Nicolas Iooss @ 2020-04-19 13:46 UTC (permalink / raw)
  To: William Roberts; +Cc: SElinux list

Hello,

Does "make install && make install-pywrap" work for you? On both my
development system (Arch Linux with swig 4.0.1) and Travis-CI
(https://travis-ci.org/github/fishilico/selinux/jobs/675842719), swig
fails to build libselinux Python bindings (with your patches):

building 'selinux._selinux' extension
swigging selinuxswig_python.i to selinuxswig_python_wrap.c
swig -python -o selinuxswig_python_wrap.c selinuxswig_python.i
../include/selinux/avc.h:67: Error: Syntax error - possibly a missing semicolon.
error: command 'swig' failed with exit status 1
Makefile:133: recipe for target 'pywrap' failed

The problematic line is:

extern int sidget(security_id_t sid) __attribute__ ((deprecated));

It seems that swig does not understand this attribute.

Nicolas

On Thu, Apr 16, 2020 at 5:44 PM <bill.c.roberts@gmail.com> wrote:
>
> V2:
> - Simplified now that dso.h stuff has been removed.
> - selinux_check_passwd_access has been deprecated and now
>   both selinux_check_passwd_access and checkPasswdAccess
>   are recommending selinux_check_access.
> - matchpathcon is linked statically to get access to deprecated
>   routines and prints a deprecated warning to stderr.
>
> V1:
> I went through and annotated deprecated routines we have in
> libselinux that are mentioned to be deprecated either in code
> comments and/or manpages.
>
> External users, when compiling will see a warning similar to some
> sample output:
>
> a.c: In function ‘main’:
> a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
>   foo();
>   ^~~
> a.c:5:5: note: declared here
>  int foo(void) {
>      ^~~
> a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
>   boo();
>   ^~~
> a.c:11:5: note: declared here
>  int boo(void) {
>
> [PATCH v2 01/18] security_load_booleans: update return comment
> [PATCH v2 02/18] security_load_booleans: annotate deprecated
> [PATCH v2 03/18] selinux_booleans_path: annotate deprecated
> [PATCH v2 04/18] selinux_users_path: annotate deprecated
> [PATCH v2 05/18] rpm_execcon: annotate deprecated
> [PATCH v2 06/18] sidget: annotate deprecated
> [PATCH v2 07/18] sidput: annotate deprecated
> [PATCH v2 08/18] checkPasswdAccess: annotate deprecated
> [PATCH v2 09/18] matchpathcon_init: annotate deprecated
> [PATCH v2 10/18] matchpathcon_fini: annotate deprecated
> [PATCH v2 11/18] matchpathcon: annotate deprecated
> [PATCH v2 12/18] avc_init: annotate deprecated
> [PATCH v2 13/18] avc: create internal avc_init interface
> [PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini
> [PATCH v2 15/18] matchpathcon: create internal matchpathcon interface
> [PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated
> [PATCH v2 17/18] utils: matchpathcon to use interal interfaces
> [PATCH v2 18/18] utils: matchpathcon add deprecated warning
>


^ permalink raw reply	[flat|nested] 97+ messages in thread

* RE: Annotate Deprecated Functions in libselinux
  2020-04-19 13:46   ` Annotate Deprecated Functions in libselinux Nicolas Iooss
@ 2020-04-20 14:34     ` Roberts, William C
  2020-04-20 15:45     ` [v3] " bill.c.roberts
  1 sibling, 0 replies; 97+ messages in thread
From: Roberts, William C @ 2020-04-20 14:34 UTC (permalink / raw)
  To: Nicolas Iooss, William Roberts; +Cc: SElinux list



> -----Original Message-----
> From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> On Behalf Of Nicolas Iooss
> Sent: Sunday, April 19, 2020 8:47 AM
> To: William Roberts <bill.c.roberts@gmail.com>
> Cc: SElinux list <selinux@vger.kernel.org>
> Subject: Re: Annotate Deprecated Functions in libselinux
> 
> Hello,
> 
> Does "make install && make install-pywrap" work for you? On both my

No because I didn't build the python bindings, I totally forgot.

> development system (Arch Linux with swig 4.0.1) and Travis-CI
> (https://travis-ci.org/github/fishilico/selinux/jobs/675842719), swig
> fails to build libselinux Python bindings (with your patches):
> 
> building 'selinux._selinux' extension
> swigging selinuxswig_python.i to selinuxswig_python_wrap.c swig -python -o
> selinuxswig_python_wrap.c selinuxswig_python.i
> ../include/selinux/avc.h:67: Error: Syntax error - possibly a missing semicolon.
> error: command 'swig' failed with exit status 1
> Makefile:133: recipe for target 'pywrap' failed
> 
> The problematic line is:
> 
> extern int sidget(security_id_t sid) __attribute__ ((deprecated));
> 
> It seems that swig does not understand this attribute.

Yeah, I agree with your triage of the issue. I think I'll have to define a
DEPRECATED() macro and turn it off when SWIG is defined.

We also might even want to consider using:
https://pypi.org/project/Deprecated/


> 
> Nicolas
> 
> On Thu, Apr 16, 2020 at 5:44 PM <bill.c.roberts@gmail.com> wrote:
> >
> > V2:
> > - Simplified now that dso.h stuff has been removed.
> > - selinux_check_passwd_access has been deprecated and now
> >   both selinux_check_passwd_access and checkPasswdAccess
> >   are recommending selinux_check_access.
> > - matchpathcon is linked statically to get access to deprecated
> >   routines and prints a deprecated warning to stderr.
> >
> > V1:
> > I went through and annotated deprecated routines we have in libselinux
> > that are mentioned to be deprecated either in code comments and/or
> > manpages.
> >
> > External users, when compiling will see a warning similar to some
> > sample output:
> >
> > a.c: In function ‘main’:
> > a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
> >   foo();
> >   ^~~
> > a.c:5:5: note: declared here
> >  int foo(void) {
> >      ^~~
> > a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
> >   boo();
> >   ^~~
> > a.c:11:5: note: declared here
> >  int boo(void) {
> >
> > [PATCH v2 01/18] security_load_booleans: update return comment
> > [PATCH v2 02/18] security_load_booleans: annotate deprecated
> > [PATCH v2 03/18] selinux_booleans_path: annotate deprecated
> > [PATCH v2 04/18] selinux_users_path: annotate deprecated
> > [PATCH v2 05/18] rpm_execcon: annotate deprecated
> > [PATCH v2 06/18] sidget: annotate deprecated
> > [PATCH v2 07/18] sidput: annotate deprecated
> > [PATCH v2 08/18] checkPasswdAccess: annotate deprecated
> > [PATCH v2 09/18] matchpathcon_init: annotate deprecated
> > [PATCH v2 10/18] matchpathcon_fini: annotate deprecated
> > [PATCH v2 11/18] matchpathcon: annotate deprecated
> > [PATCH v2 12/18] avc_init: annotate deprecated
> > [PATCH v2 13/18] avc: create internal avc_init interface
> > [PATCH v2 14/18] matchpathcon: create internal matchpathcon_fini
> > [PATCH v2 15/18] matchpathcon: create internal matchpathcon interface
> > [PATCH v2 16/18] selinux_check_passwd_access: annotate deprecated
> > [PATCH v2 17/18] utils: matchpathcon to use interal interfaces
> > [PATCH v2 18/18] utils: matchpathcon add deprecated warning
> >


^ permalink raw reply	[flat|nested] 97+ messages in thread
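
The two techniques discussed in this exchange (a deprecation macro that disappears when SWIG parses the header, and suppressing the warning for an in-tree caller), as an added example that is not part of the thread or of libselinux. LIB_DEPRECATED, demo_lookup, demo_label_lookup, legacy_caller and the label table are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Expand to the attribute only for a GNU-compatible compiler. SWIG defines
 * the SWIG symbol while parsing headers, so the attribute vanishes there. */
#if defined(__GNUC__) && !defined(SWIG)
#define LIB_DEPRECATED(msg) __attribute__((deprecated(msg)))
#else
#define LIB_DEPRECATED(msg)
#endif

/* ---- what a public header would carry (hypothetical API) ---- */
int demo_label_lookup(const char *path, char *out, size_t outlen);
int demo_lookup(const char *path, char *out, size_t outlen)
	LIB_DEPRECATED("Use demo_label_lookup");

/* Constructed sample table: path prefix -> label. */
static const struct {
	const char *prefix;
	const char *label;
} demo_specs[] = {
	{ "/etc/",     "etc_t" },
	{ "/etc/ssh/", "sshd_config_t" },
	{ "/var/log/", "var_log_t" },
};

/* Non-deprecated implementation: longest matching prefix wins.
 * Returns 0 and fills out on success, -1 on no match or short buffer. */
int demo_label_lookup(const char *path, char *out, size_t outlen)
{
	const char *best = NULL;
	size_t best_len = 0;
	size_t i;

	if (!path || !out || outlen == 0)
		return -1;
	for (i = 0; i < sizeof(demo_specs) / sizeof(demo_specs[0]); i++) {
		size_t n = strlen(demo_specs[i].prefix);

		if (n > best_len && strncmp(path, demo_specs[i].prefix, n) == 0) {
			best = demo_specs[i].label;
			best_len = n;
		}
	}
	if (!best || strlen(best) >= outlen)
		return -1;
	memcpy(out, best, strlen(best) + 1);
	return 0;
}

/* The deprecated entry point stays for ABI compatibility and only forwards.
 * Defining a deprecated function does not warn; calling it does. */
int demo_lookup(const char *path, char *out, size_t outlen)
{
	return demo_label_lookup(path, out, outlen);
}

/* An in-tree caller that must keep using the old name: silence the warning
 * for this one function and restore the previous diagnostic state after it. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif
int legacy_caller(const char *path, char *out, size_t outlen)
{
	return demo_lookup(path, out, outlen);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

int main(void)
{
	char label[32];

	if (legacy_caller("/etc/ssh/sshd_config", label, sizeof(label)) == 0)
		printf("%s\n", label);
	return 0;
}
```

External code calling demo_lookup directly still gets the -Wdeprecated-declarations warning with the "Use demo_label_lookup" message, while the library itself builds warning-free.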

* [v3] Annotate Deprecated Functions in libselinux
  2020-04-19 13:46   ` Annotate Deprecated Functions in libselinux Nicolas Iooss
  2020-04-20 14:34     ` Roberts, William C
@ 2020-04-20 15:45     ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 01/19] security_load_booleans: update return comment bill.c.roberts
                         ` (18 more replies)
  1 sibling, 19 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux

V3:
- Made the deprecated annotation dependent on __GNUC__ like
  the __format__(printf,...) specifiers. This will allow these
  to not be defined when swig is building, so this will fix the
  swig syntax issues.
- Swig's build flags include -Wno-deprecated-declarations because the
  bindings need to pull the full API out, even deprecated functions.
- Rather than compile matchpathcon with static selinux, I just set its
  compile flags to include -Wno-deprecated-declarations. Essentially
  saying, yes use this old interface it's Ok in this instance.

V2:
- Simplified now that dso.h stuff has been removed.
- selinux_check_passwd_access has been deprecated and now
  both selinux_check_passwd_access and checkPasswdAccess
  are recommending selinux_check_access.
- matchpathcon is linked statically to get access to deprecated
  routines and prints a deprecated warning to stderr.

V1:
I went through and annotated deprecated routines we have in
libselinux that are mentioned to be deprecated either in code
comments and/or manpages.

External users, when compiling will see a warning similar to some
sample output:

a.c: In function ‘main’:
a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
  foo();
  ^~~
a.c:5:5: note: declared here
 int foo(void) {
      ^~~
a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
  boo();
  ^~~
a.c:11:5: note: declared here
 int boo(void) {

[PATCH v3 01/19] security_load_booleans: update return comment
[PATCH v3 02/19] security_load_booleans: annotate deprecated
[PATCH v3 03/19] selinux_booleans_path: annotate deprecated
[PATCH v3 04/19] selinux_users_path: annotate deprecated
[PATCH v3 05/19] rpm_execcon: annotate deprecated
[PATCH v3 06/19] sidget: annotate deprecated
[PATCH v3 07/19] sidput: annotate deprecated
[PATCH v3 08/19] checkPasswdAccess: annotate deprecated
[PATCH v3 09/19] matchpathcon_init: annotate deprecated
[PATCH v3 10/19] matchpathcon_fini: annotate deprecated
[PATCH v3 11/19] matchpathcon: annotate deprecated
[PATCH v3 12/19] avc_init: annotate deprecated
[PATCH v3 13/19] avc: create internal avc_init interface
[PATCH v3 14/19] matchpathcon: create internal matchpathcon_fini
[PATCH v3 15/19] matchpathcon: create internal matchpathcon interface
[PATCH v3 16/19] selinux_check_passwd_access: annotate deprecated
[PATCH v3 17/19] matchpathcon: allow use of deprecated routines
[PATCH v3 18/19] utils: matchpathcon add deprecated warning
[PATCH v3 19/19] Makefile: swig build allow deprecated functions


^ permalink raw reply	[flat|nested] 97+ messages in thread

* [PATCH v3 01/19] security_load_booleans: update return comment
  2020-04-20 15:45     ` [v3] " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 02/19] security_load_booleans: annotate deprecated bill.c.roberts
                         ` (17 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

The code returns -1 not 0, correct it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 6a512b383325..948ca0689a07 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -323,7 +323,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 				     SELboolean * boollist, int permanent);
 
 /* Load policy boolean settings. Deprecated as local policy booleans no
- * longer supported. Will always return 0.
+ * longer supported. Will always return -1.
  */
 extern int security_load_booleans(char *path);
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 02/19] security_load_booleans: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 01/19] security_load_booleans: update return comment bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 03/19] selinux_booleans_path: " bill.c.roberts
                         ` (16 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 948ca0689a07..ae70479511db 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -325,7 +325,11 @@ extern int security_set_boolean_list(size_t boolcnt,
 /* Load policy boolean settings. Deprecated as local policy booleans no
  * longer supported. Will always return -1.
  */
-extern int security_load_booleans(char *path);
+extern int security_load_booleans(char *path)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /* Check the validity of a security context. */
 extern int security_check_context(const char * con);
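Review bot: the `#ifdef __GNUC__` / `__attribute__ ((deprecated))` / `#endif` / `;` tail is open-coded on this declaration, and the following patches in the series repeat the same block on each function; define one macro near the top of the header that expands to the attribute under `__GNUC__` and to nothing otherwise, and use it on every declaration. The attribute here also carries no message even though the comment above gives the reason (local policy booleans are no longer supported), so callers get only a bare "is deprecated" warning; pass that reason as the attribute's message.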
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 03/19] selinux_booleans_path: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 01/19] security_load_booleans: update return comment bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 02/19] security_load_booleans: annotate deprecated bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 04/19] selinux_users_path: " bill.c.roberts
                         ` (15 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index ae70479511db..19b22c166651 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -579,7 +579,11 @@ extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
 /* Deprecated as local policy booleans no longer supported. */
-extern const char *selinux_booleans_path(void);
+extern const char *selinux_booleans_path(void)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
 extern const char *selinux_users_path(void);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 04/19] selinux_users_path: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (2 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 03/19] selinux_booleans_path: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 05/19] rpm_execcon: " bill.c.roberts
                         ` (14 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 19b22c166651..75f65e367bf4 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -586,7 +586,11 @@ __attribute__ ((deprecated))
 ;
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
-extern const char *selinux_users_path(void);
+extern const char *selinux_users_path(void)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 extern const char *selinux_usersconf_path(void);
 extern const char *selinux_translations_path(void);
 extern const char *selinux_colors_path(void);
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 05/19] rpm_execcon: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (3 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 04/19] selinux_users_path: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 06/19] sidget: " bill.c.roberts
                         ` (13 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 75f65e367bf4..deaa3f172586 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -645,7 +645,11 @@ extern int setexecfilecon(const char *filename, const char *fallback_type);
 /* Execute a helper for rpm in an appropriate security context. */
 extern int rpm_execcon(unsigned int verified,
 		       const char *filename,
-		       char *const argv[], char *const envp[]);
+		       char *const argv[], char *const envp[])
+#ifdef __GNUC__
+	__attribute__((deprecated("Use setexecfilecon and execve")))
+#endif
+;
 #endif
 
 /* Returns whether a file context is customizable, and should not 
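Review bot: the comment above `rpm_execcon` still reads as documentation for a current interface; state there that the function is deprecated and that `setexecfilecon` plus `execve` replace it, so the header text and the attribute message agree. The attribute line is indented with a tab here, with three spaces in the checkPasswdAccess and matchpathcon_init patches, and not at all in the security_load_booleans one; pick one form for the series.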
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 06/19] sidget: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (4 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 05/19] rpm_execcon: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 07/19] sidput: " bill.c.roberts
                         ` (12 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 46c51419f588..0589935651b4 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -64,7 +64,11 @@ extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
  * reference count).  Note that avc_context_to_sid() also
  * increments reference counts.
  */
-extern int sidget(security_id_t sid);
+extern int sidget(security_id_t sid)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /**
  * sidput - decrement SID reference counter.
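Review bot: `sidget` gets a bare `__attribute__ ((deprecated))` with no message, and the comment above it still describes the reference counting without saying the call is deprecated, so a caller who hits the warning learns neither why nor what to do instead; add a message to the attribute and a line to the comment. This is the declaration swig rejected in v2 (the `avc.h:67` syntax error quoted in the thread), so build the Python bindings with this patch applied to confirm the `__GNUC__` guard is enough.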
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 07/19] sidput: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (5 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 06/19] sidget: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 08/19] checkPasswdAccess: " bill.c.roberts
                         ` (11 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 0589935651b4..c732824129cb 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -80,7 +80,11 @@ __attribute__ ((deprecated))
  * zero, the SID is invalid, and avc_context_to_sid() must
  * be called to obtain a new SID for the security context.
  */
-extern int sidput(security_id_t sid);
+extern int sidput(security_id_t sid)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /**
  * avc_get_initial_sid - get SID for an initial kernel security identifier
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 08/19] checkPasswdAccess: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (6 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 07/19] sidput: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 09/19] matchpathcon_init: " bill.c.roberts
                         ` (10 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index deaa3f172586..9dcb3220264a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -619,7 +619,11 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
 extern int selinux_check_passwd_access(access_vector_t requested);
-extern int checkPasswdAccess(access_vector_t requested);
+extern int checkPasswdAccess(access_vector_t requested)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selinux_check_access")))
+#endif
+;
 
 /* Check if the tty_context is defined as a securetty
    Return 0 if secure, < 0 otherwise. */
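Review bot: the message "Use selinux_check_access" points at a function with a different signature: the hunk header shows `selinux_check_access` taking `scon`, `tcon` and further string arguments, while `checkPasswdAccess` takes a single `access_vector_t`. Callers cannot swap one for the other mechanically, so the comment above the declaration should spell out the equivalent call. `selinux_check_passwd_access` on the line above stays unannotated here and is only marked in 16/19; say so in the commit message or fold the two patches.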
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 09/19] matchpathcon_init: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (7 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 08/19] checkPasswdAccess: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 10/19] matchpathcon_fini: " bill.c.roberts
                         ` (9 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 9dcb3220264a..940c43eff8c9 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -465,7 +465,11 @@ extern void set_matchpathcon_flags(unsigned int flags);
    function also checks for a 'path'.homedirs file and 
    a 'path'.local file and loads additional specifications 
    from them if present. */
-extern int matchpathcon_init(const char *path);
+extern int matchpathcon_init(const char *path)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
+#endif
+;
 
 /* Same as matchpathcon_init, but only load entries with
    regexes that have stems that are prefixes of 'prefix'. */
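Review bot: the block comment above matchpathcon_init() still documents the function as if it were current; the only deprecation notice is the attribute, which is compiled out when __GNUC__ is not defined. Add a line such as "Deprecated: use selabel_open with backend SELABEL_CTX_FILE" to the comment so the notice reaches people reading the header and builds with other toolchains.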
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 10/19] matchpathcon_fini: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (8 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 09/19] matchpathcon_init: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 11/19] matchpathcon: " bill.c.roberts
                         ` (8 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 940c43eff8c9..b04f34a1b3bb 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -476,7 +476,11 @@ extern int matchpathcon_init(const char *path)
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
 /* Free the memory allocated by matchpathcon_init. */
-extern void matchpathcon_fini(void);
+extern void matchpathcon_fini(void)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selabel_close")))
+#endif
+;
 
 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
  * the final component (same a realpath() unless the final component is a
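Review bot: matchpathcon_init_prefix(), visible in the context line at the top of this hunk, stays unannotated although matchpathcon_init() above it and matchpathcon_fini() below it are now deprecated. If that is deliberate, say so in the commit message, which is currently empty; if not, annotate it in this series too.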
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 11/19] matchpathcon: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (9 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 10/19] matchpathcon_fini: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 12/19] avc_init: " bill.c.roberts
                         ` (7 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index b04f34a1b3bb..5633cf40607d 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -494,7 +494,11 @@ extern int realpath_not_final(const char *name, char *resolved_path);
    If matchpathcon_init has not already been called, then this function
    will call it upon its first invocation with a NULL path. */
 extern int matchpathcon(const char *path,
-			mode_t mode, char ** con);
+			mode_t mode, char ** con)
+#ifdef __GNUC__
+	__attribute__ ((deprecated("Use selabel_lookup instead")))
+#endif
+;
 
 /* Same as above, but return a specification index for 
    later use in a matchpathcon_filespec_add() call - see below. */
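Review bot: the message here reads "Use selabel_lookup instead" and the attribute line is indented with a tab, whereas the earlier annotations in selinux.h use "Use ..." without "instead" and three spaces. Pick one wording and one indentation for the whole header.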
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 12/19] avc_init: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (10 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 11/19] matchpathcon: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 13/19] avc: create internal avc_init interface bill.c.roberts
                         ` (6 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index c732824129cb..9b23357ad17f 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -200,7 +200,11 @@ extern int avc_init(const char *msgprefix,
 		    const struct avc_memory_callback *mem_callbacks,
 		    const struct avc_log_callback *log_callbacks,
 		    const struct avc_thread_callback *thread_callbacks,
-		    const struct avc_lock_callback *lock_callbacks);
+		    const struct avc_lock_callback *lock_callbacks)
+#ifdef __GNUC__
+	__attribute__ ((deprecated("Use avc_open and selinux_set_callback")))
+#endif
+;
 
 /**
  * avc_open - Initialize the AVC.
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 13/19] avc: create internal avc_init interface
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (11 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 12/19] avc_init: " bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-26 13:33         ` Nicolas Iooss
  2020-04-20 15:45       ` [PATCH v3 14/19] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
                         ` (5 subsequent siblings)
  18 siblings, 1 reply; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that avc_init is marked deprecated, create an avc_init2 interface
for internal users.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c          | 11 ++++++++++-
 libselinux/src/avc_internal.h |  5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index ab10b0f9f1cb..505641406995 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -157,7 +157,7 @@ int avc_open(struct selinux_opt *opts, unsigned nopts)
 			break;
 		}
 
-	return avc_init("avc", NULL, NULL, NULL, NULL);
+	return avc_init2("avc", NULL, NULL, NULL, NULL);
 }
 
 int avc_init(const char *prefix,
@@ -165,6 +165,15 @@ int avc_init(const char *prefix,
 	     const struct avc_log_callback *log_cb,
 	     const struct avc_thread_callback *thread_cb,
 	     const struct avc_lock_callback *lock_cb)
+{
+	return avc_init2(prefix, mem_cb, log_cb, thread_cb, lock_cb);
+}
+
+int avc_init2(const char *prefix,
+	     const struct avc_memory_callback *mem_cb,
+	     const struct avc_log_callback *log_cb,
+	     const struct avc_thread_callback *thread_cb,
+	     const struct avc_lock_callback *lock_cb)
 {
 	struct avc_node *new;
 	int i, rc = 0;
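Review bot: avc_init2() is introduced without a comment, and the "2" suffix reads like a successor API rather than a private implementation. Add a one-line comment saying it exists so that avc_open() and the deprecated avc_init() wrapper can share the code without tripping -Wdeprecated-declarations, and consider a name such as avc_init_internal().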
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index 3f8a6bb1cf84..c8d26a8ae254 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -173,4 +173,9 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 /* netlink kernel message code */
 extern int avc_netlink_trouble ;
 
+extern int avc_init2(const char *msgprefix,
+		    const struct avc_memory_callback *mem_callbacks,
+		    const struct avc_log_callback *log_callbacks,
+		    const struct avc_thread_callback *thread_callbacks,
+		    const struct avc_lock_callback *lock_callbacks);
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
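Review bot: the extern declaration of avc_init2() in avc_internal.h makes the helper visible to every file that includes the header, yet the only callers in this patch are avc_open() and avc_init() in avc.c. Declare it static in avc.c, with a forward declaration above avc_open(), and drop this hunk.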
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 14/19] matchpathcon: create internal matchpathcon_fini interface
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (12 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 13/19] avc: create internal avc_init interface bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 15/19] matchpathcon: create internal matchpathcon interface bill.c.roberts
                         ` (4 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that matchpathcon_fini is marked deprecated, create a
matchpathcon_fini2 interface for internal users. We create
a new header file for matchpathcon_internal interfaces.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c          | 10 ++++++++--
 libselinux/src/matchpathcon_internal.h |  6 ++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 libselinux/src/matchpathcon_internal.h

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index bddf77a49ce1..8515c88c2bb8 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -3,6 +3,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include "selinux_internal.h"
+#include "matchpathcon_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
 #include <limits.h>
@@ -317,7 +318,7 @@ void matchpathcon_filespec_destroy(void)
 
 static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 {
-	matchpathcon_fini();
+	matchpathcon_fini2();
 }
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
@@ -357,7 +358,7 @@ int matchpathcon_init(const char *path)
 	return matchpathcon_init_prefix(path, NULL);
 }
 
-void matchpathcon_fini(void)
+void matchpathcon_fini2(void)
 {
 	free_array_elts();
 
@@ -367,6 +368,11 @@ void matchpathcon_fini(void)
 	}
 }
 
+void matchpathcon_fini(void)
+{
+	matchpathcon_fini2();
+}
+
 /*
  * We do not want to resolve a symlink to a real path if it is the final
  * component of the name.  Thus we split the pathname on the last "/" and
diff --git a/libselinux/src/matchpathcon_internal.h b/libselinux/src/matchpathcon_internal.h
new file mode 100644
index 000000000000..3affa687327f
--- /dev/null
+++ b/libselinux/src/matchpathcon_internal.h
@@ -0,0 +1,6 @@
+#ifndef SRC_MATCHPATHCON_INTERNAL_H_
+#define SRC_MATCHPATHCON_INTERNAL_H_
+
+void matchpathcon_fini2(void);
+
+#endif
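Review bot: matchpathcon_internal.h is created for a single prototype, matchpathcon_fini2(), whose callers in this patch (matchpathcon_thread_destructor() and the matchpathcon_fini() wrapper) both live in matchpathcon.c. A static function with a forward declaration in matchpathcon.c would avoid the new header and give the helper internal linkage.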
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 15/19] matchpathcon: create internal matchpathcon interface
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (13 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 14/19] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 16/19] selinux_check_passwd_access: annotate deprecated bill.c.roberts
                         ` (3 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that matchpathcon is marked deprecated, create a
matchpathcon2 interface for internal users.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c          | 8 ++++++--
 libselinux/src/matchpathcon_internal.h | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 8515c88c2bb8..88539e627f5d 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -433,7 +433,11 @@ out:
 	return rc;
 }
 
-int matchpathcon(const char *path, mode_t mode, char ** con)
+int matchpathcon(const char *path, mode_t mode, char ** con) {
+	return matchpathcon2(path, mode, con);
+}
+
+int matchpathcon2(const char *path, mode_t mode, char ** con)
 {
 	char stackpath[PATH_MAX + 1];
 	char *p = NULL;
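Review bot: the new wrapper opens its brace on the signature line ("int matchpathcon(const char *path, mode_t mode, char ** con) {"), while matchpathcon2() directly below puts the brace on its own line. Match the style of the surrounding code. The wrapper also calls matchpathcon2() ahead of its definition, which compiles only because of the prototype added to matchpathcon_internal.h.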
@@ -456,7 +460,7 @@ int matchpathcon(const char *path, mode_t mode, char ** con)
 
 int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
-	int i = matchpathcon(name, mode, con);
+	int i = matchpathcon2(name, mode, con);
 
 	if (i < 0)
 		return -1;
diff --git a/libselinux/src/matchpathcon_internal.h b/libselinux/src/matchpathcon_internal.h
index 3affa687327f..c63bcecfec89 100644
--- a/libselinux/src/matchpathcon_internal.h
+++ b/libselinux/src/matchpathcon_internal.h
@@ -3,4 +3,6 @@
 
 void matchpathcon_fini2(void);
 
+int matchpathcon2(const char *path, mode_t mode, char ** con);
+
 #endif
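Review bot: the matchpathcon2() prototype uses mode_t, but matchpathcon_internal.h as created in the previous patch contains only the include guard and one prototype, so the header now depends on its includer having pulled in the definition of mode_t first. Include <sys/types.h> in the header so it is self-contained.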
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 16/19] selinux_check_passwd_access: annotate deprecated
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (14 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 15/19] matchpathcon: create internal matchpathcon interface bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 17/19] matchpathcon: allow use of deprecated routines bill.c.roberts
                         ` (2 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Update the one internal tree caller in the same file to
call selinux_check_passwd_access2.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 7 ++++++-
 libselinux/src/checkAccess.c         | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 5633cf40607d..aaf28ffdf9be 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -630,7 +630,12 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
-extern int selinux_check_passwd_access(access_vector_t requested);
+extern int selinux_check_passwd_access(access_vector_t requested)
+#ifdef __GNUC__
+  __attribute__ ((deprecated("Use selinux_check_access")))
+#endif
+;
+
 extern int checkPasswdAccess(access_vector_t requested)
 #ifdef __GNUC__
    __attribute__ ((deprecated("Use selinux_check_access")))
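Review bot: the comment "Check a permission in the passwd class. Return 0 if granted or -1 otherwise." is left as the only documentation although both declarations under it are now deprecated, and the added blank line detaches checkPasswdAccess() from it. Extend the comment to say both are deprecated in favour of selinux_check_access, and align the attribute indentation (two spaces here, three on checkPasswdAccess).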
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 677e2ecd7df4..555d7ff3cca5 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -64,7 +64,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
        return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
 }
 
-int selinux_check_passwd_access(access_vector_t requested)
+static int selinux_check_passwd_access2(access_vector_t requested)
 {
 	int status = -1;
 	char *user_context;
@@ -99,8 +99,11 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
+int selinux_check_passwd_access(access_vector_t requested) {
+	return selinux_check_passwd_access2(requested);
+}
 
 int checkPasswdAccess(access_vector_t requested)
 {
-	return selinux_check_passwd_access(requested);
+	return selinux_check_passwd_access2(requested);
 }
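Review bot: the new selinux_check_passwd_access() wrapper puts its opening brace on the signature line, unlike checkPasswdAccess() right below it; use the brace-on-next-line form for both. Keeping selinux_check_passwd_access2() static is the right scope for a helper that has no caller outside this file.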
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 17/19] matchpathcon: allow use of deprecated routines
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (15 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 16/19] selinux_check_passwd_access: annotate deprecated bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 18/19] utils: matchpathcon add deprecated warning bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 19/19] Makefile: swig build allow deprecated functions bill.c.roberts
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Utility matchpathcon uses the matchpathcon interface which has been
deprecated. However, this tool will continue to live on, so allow it to
use the deprecated interface.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index a5632b7c38ec..d66c333ec65a 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -58,6 +58,8 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
 
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
+matchpathcon: CFLAGS += -Wno-deprecated-declarations
+
 all: $(TARGETS)
 
 install: all
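Review bot: the target-specific "matchpathcon: CFLAGS += -Wno-deprecated-declarations" has no comment explaining why this one utility is exempt, and it silences every deprecation warning in that build, not only those for the matchpathcon family. Add a comment above the rule, and check that the flag still applies when CFLAGS is passed on the make command line, since a plain += (unlike the "override CFLAGS +=" used in libselinux/src/Makefile) is ignored in that case.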
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 18/19] utils: matchpathcon add deprecated warning
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (16 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 17/19] matchpathcon: allow use of deprecated routines bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  2020-04-20 15:45       ` [PATCH v3 19/19] Makefile: swig build allow deprecated functions bill.c.roberts
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a deprecated warning to matchpathcon encouraging users to switch to
selabel_lookup.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/matchpathcon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index eb39a1881066..cc018d213f4c 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -73,6 +73,9 @@ int main(int argc, char **argv)
 	int error = 0;
 	int quiet = 0;
 
+	fprintf(stderr,
+		"Deprecated, use selabel_lookup\n");
+
 	if (argc < 2)
 		usage(argv[0]);
 
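Review bot: the fprintf() runs before the argc check and before any option is parsed, so the notice is written to stderr on every invocation regardless of the quiet variable declared just above. The text "Deprecated, use selabel_lookup" also names a C function to someone running a command-line tool; say what is deprecated (the matchpathcon library interface or the utility itself) and name a replacement a shell user can act on.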
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* [PATCH v3 19/19] Makefile: swig build allow deprecated functions
  2020-04-20 15:45     ` [v3] " bill.c.roberts
                         ` (17 preceding siblings ...)
  2020-04-20 15:45       ` [PATCH v3 18/19] utils: matchpathcon add deprecated warning bill.c.roberts
@ 2020-04-20 15:45       ` bill.c.roberts
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-20 15:45 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: bill.c.roberts, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 9992221f5fc5..73303c3666c9 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -105,7 +105,8 @@ FTS_LDLIBS ?=
 override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
-		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \
+		-Wno-deprecated-declarations
 
 RANLIB ?= ranlib
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 97+ messages in thread

* Re: [PATCH v3 13/19] avc: create internal avc_init interface
  2020-04-20 15:45       ` [PATCH v3 13/19] avc: create internal avc_init interface bill.c.roberts
@ 2020-04-26 13:33         ` Nicolas Iooss
  2020-04-26 15:53           ` William Roberts
  0 siblings, 1 reply; 97+ messages in thread
From: Nicolas Iooss @ 2020-04-26 13:33 UTC (permalink / raw)
  To: SElinux list, William Roberts; +Cc: William Roberts

On Mon, Apr 20, 2020 at 5:46 PM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> Now that avc_init is marked deprecated, create an avc_init2 interface
> for internal users.
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libselinux/src/avc.c          | 11 ++++++++++-
>  libselinux/src/avc_internal.h |  5 +++++
>  2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index ab10b0f9f1cb..505641406995 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -157,7 +157,7 @@ int avc_open(struct selinux_opt *opts, unsigned nopts)
>                         break;
>                 }
>
> -       return avc_init("avc", NULL, NULL, NULL, NULL);
> +       return avc_init2("avc", NULL, NULL, NULL, NULL);
>  }
>
>  int avc_init(const char *prefix,
> @@ -165,6 +165,15 @@ int avc_init(const char *prefix,
>              const struct avc_log_callback *log_cb,
>              const struct avc_thread_callback *thread_cb,
>              const struct avc_lock_callback *lock_cb)
> +{
> +       return avc_init2(prefix, mem_cb, log_cb, thread_cb, lock_cb);
> +}
> +
> +int avc_init2(const char *prefix,
> +            const struct avc_memory_callback *mem_cb,
> +            const struct avc_log_callback *log_cb,
> +            const struct avc_thread_callback *thread_cb,
> +            const struct avc_lock_callback *lock_cb)
>  {
>         struct avc_node *new;
>         int i, rc = 0;
> diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
> index 3f8a6bb1cf84..c8d26a8ae254 100644
> --- a/libselinux/src/avc_internal.h
> +++ b/libselinux/src/avc_internal.h
> @@ -173,4 +173,9 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
>  /* netlink kernel message code */
>  extern int avc_netlink_trouble ;
>
> +extern int avc_init2(const char *msgprefix,
> +                   const struct avc_memory_callback *mem_callbacks,
> +                   const struct avc_log_callback *log_callbacks,
> +                   const struct avc_thread_callback *thread_callbacks,
> +                   const struct avc_lock_callback *lock_callbacks);
>  #endif                         /* _SELINUX_AVC_INTERNAL_H_ */
> --
> 2.17.1

Hello,
I do not see the point of having a new avc_init2() "internal
interface". I get that avc_init() is deprecated, that avc_open()
should be used, and that internally a new function (named avc_init2)
is created to make the transition easier. But why is adding
avc_init2() to avc_internal.h necessary? Which internal code is
expected to use it?
If none, I would prefer to make avc_init2() static (changing this
patch to "static init avc_init2(const char*msgprefix,", with a
declaration before avc_open() if you do not want to move the function
in the file).

I have the same question for matchpathcon_fini2(), matchpathcon2(), etc.

Moreover, I do not really like the "...2" naming (this is my own point
of view and I won't block the patch because of it), because it seems
to carry the meaning of "please now use this interface", which is
untrue. I suggest using avc_init_internal(),
matchpathcon_fini_internal()... that do not carry such a meaning.

Thanks,
Nicolas


^ permalink raw reply	[flat|nested] 97+ messages in thread

* Re: [PATCH v3 13/19] avc: create internal avc_init interface
  2020-04-26 13:33         ` Nicolas Iooss
@ 2020-04-26 15:53           ` William Roberts
  0 siblings, 0 replies; 97+ messages in thread
From: William Roberts @ 2020-04-26 15:53 UTC (permalink / raw)
  To: Nicolas Iooss; +Cc: SElinux list, William Roberts

On Sun, Apr 26, 2020 at 8:34 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Mon, Apr 20, 2020 at 5:46 PM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > Now that avc_init is marked deprecated, create an avc_init2 interface
> > for internal users.
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> >  libselinux/src/avc.c          | 11 ++++++++++-
> >  libselinux/src/avc_internal.h |  5 +++++
> >  2 files changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index ab10b0f9f1cb..505641406995 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -157,7 +157,7 @@ int avc_open(struct selinux_opt *opts, unsigned nopts)
> >                         break;
> >                 }
> >
> > -       return avc_init("avc", NULL, NULL, NULL, NULL);
> > +       return avc_init2("avc", NULL, NULL, NULL, NULL);
> >  }
> >
> >  int avc_init(const char *prefix,
> > @@ -165,6 +165,15 @@ int avc_init(const char *prefix,
> >              const struct avc_log_callback *log_cb,
> >              const struct avc_thread_callback *thread_cb,
> >              const struct avc_lock_callback *lock_cb)
> > +{
> > +       return avc_init2(prefix, mem_cb, log_cb, thread_cb, lock_cb);
> > +}
> > +
> > +int avc_init2(const char *prefix,
> > +            const struct avc_memory_callback *mem_cb,
> > +            const struct avc_log_callback *log_cb,
> > +            const struct avc_thread_callback *thread_cb,
> > +            const struct avc_lock_callback *lock_cb)
> >  {
> >         struct avc_node *new;
> >         int i, rc = 0;
> > diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
> > index 3f8a6bb1cf84..c8d26a8ae254 100644
> > --- a/libselinux/src/avc_internal.h
> > +++ b/libselinux/src/avc_internal.h
> > @@ -173,4 +173,9 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
> >  /* netlink kernel message code */
> >  extern int avc_netlink_trouble ;
> >
> > +extern int avc_init2(const char *msgprefix,
> > +                   const struct avc_memory_callback *mem_callbacks,
> > +                   const struct avc_log_callback *log_callbacks,
> > +                   const struct avc_thread_callback *thread_callbacks,
> > +                   const struct avc_lock_callback *lock_callbacks);
> >  #endif                         /* _SELINUX_AVC_INTERNAL_H_ */
> > --
> > 2.17.1
>
> Hello,
> I do not see the point of having a new avc_init2() "internal
> interface". I get that avc_init() is deprecated, that avc_open()
> should be used, and that internally a new function (named avc_init2)
> is created to make the transition easier. But why is adding

It's not just transition, it's so internal callers can call into an
interface that isn't marked deprecated and we can keep the selinux build
-Wdeprecated warning enabled.

> avc_init2() to avc_internal.h necessary? Which internal code is
> expected to use it?

It's not, it can be static in the file.

> If none, I would prefer to make avc_init2() static (changing this
> patch to "static init avc_init2(const char*msgprefix,", with a
> declaration before avc_open() if you do not want to move the function
> in the file).
>
> I have the same question for matchpathcon_fini2(), matchpathcon2(), etc.

matchpathcon2

>
> Moreover, I do not really like the "...2" naming (this is my own point
> of view and I won't block the patch because of it), because it seems
> to carry the meaning of "please now use this interface", which is
> untrue. I suggest using avc_init_internal(),
> matchpathcon_fini_internal()... that do not carry such a meaning.

That's fine, I just picked one because it was the exact naming convention
I used when discussing this with @sds. I didn't want to change that
unless someone suggested it.

>
> Thanks,
> Nicolas
>

^ permalink raw reply	[flat|nested] 97+ messages in thread

* [v4] Annotate Deprecated Functions in libselinux
  2020-02-25 20:02 Annotate Deprecated Functions in libselinux bill.c.roberts
                   ` (18 preceding siblings ...)
  2020-04-16 15:43 ` bill.c.roberts
@ 2020-04-27 20:22 ` bill.c.roberts
  2020-04-27 20:22   ` [PATCH v4 01/18] security_load_booleans: update return comment bill.c.roberts
                     ` (18 more replies)
  19 siblings, 19 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:22 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux

V4:
- Drop the internal header interfaces, they were unused and pointless.

V3:
- Made the deprecated annotation dependent on __GNUC__ like
  the __format__(printf,...) specifiers. This will allow these
  to not be defined when swig is building, so this will fix the
  swig syntax issues.
- Swig's build flags include -Wno-deprecated-declarations because the
  bindings need to pull the full API out, even deprecated functions.
- Rather than compile matchpathcon with static selinux, I just set its
  compile flags to include -Wno-deprecated-declarations. Essentially
  saying, yes use this old interface it's OK in this instance.

V2:
- Simplified now that dso.h stuff has been removed.
- selinux_check_passwd_access has been deprecated and now
  both selinux_check_passwd_access and checkPasswdAccess
  are recommending selinux_check_access.
- matchpathcon is linked statically to get access to deprecated
  routines and prints a deprecated warning to stderr.

V1:
I went through and annotated deprecated routines we have in
libselinux that are mentioned to be deprecated either in code
comments and/or manpages.

External users, when compiling, will see a warning similar to some
sample output:

a.c: In function ‘main’:
a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
  foo();
  ^~~
a.c:5:5: note: declared here
 int foo(void) {
      ^~~
a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
  boo();
  ^~~
a.c:11:5: note: declared here
 int boo(void) {

[PATCH v4 01/18] security_load_booleans: update return comment
[PATCH v4 02/18] security_load_booleans: annotate deprecated
[PATCH v4 03/18] selinux_booleans_path: annotate deprecated
[PATCH v4 04/18] selinux_users_path: annotate deprecated
[PATCH v4 05/18] rpm_execcon: annotate deprecated
[PATCH v4 06/18] sidget: annotate deprecated
[PATCH v4 07/18] sidput: annotate deprecated
[PATCH v4 08/18] checkPasswdAccess: annotate deprecated
[PATCH v4 09/18] matchpathcon_init: annotate deprecated
[PATCH v4 10/18] matchpathcon_fini: annotate deprecated
[PATCH v4 11/18] matchpathcon: annotate deprecated
[PATCH v4 12/18] avc_init: annotate deprecated
[PATCH v4 13/18] avc: create internal avc_init interface
[PATCH v4 14/18] matchpathcon: create internal matchpathcon_fini
[PATCH v4 15/18] selinux_check_passwd_access: annotate deprecated
[PATCH v4 16/18] matchpathcon: allow use of deprecated routines
[PATCH v4 17/18] utils: matchpathcon add deprecated warning
[PATCH v4 18/18] Makefile: swig build allow deprecated functions


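The pattern the cover letter above describes, as an added example (not code from this series or from libselinux; every `demo_*` / `DEMO_*` name and the sample table are constructed). It combines a `__GNUC__`-guarded deprecation annotation, a static helper so in-library callers never touch the deprecated entry point, and a consumer that suppresses the warning around one call with the diagnostic pragmas instead of a target-wide flag.

```c
/* Added example: every demo_* / DEMO_* name is hypothetical, not libselinux API. */
#include <stdio.h>
#include <string.h>

/* One guarded macro instead of an #ifdef block per prototype.
 * Expands to nothing when the compiler does not define __GNUC__. */
#ifdef __GNUC__
#define DEMO_DEPRECATED(msg) __attribute__((deprecated(msg)))
#else
#define DEMO_DEPRECATED(msg)
#endif

/* ---- what the public header would declare ---- */
int demo_label_lookup(const char *path, const char **label);
int demo_old_lookup(const char *path, const char **label)
	DEMO_DEPRECATED("Use demo_label_lookup");
int demo_old_lookup_index(const char *path, const char **label);

/* ---- library implementation ---- */
struct demo_spec {
	const char *prefix;
	const char *label;
};

/* Constructed sample table, most specific prefix first. */
static const struct demo_spec demo_specs[] = {
	{ "/etc/shadow", "shadow_t" },
	{ "/etc", "etc_t" },
	{ "/", "default_t" },
};

/* The real work lives in a static function that carries no attribute.
 * Returns the index of the matching entry, or -1. */
static int demo_lookup_internal(const char *path, const char **label)
{
	size_t i, n;

	if (!path || !label)
		return -1;
	for (i = 0; i < sizeof(demo_specs) / sizeof(demo_specs[0]); i++) {
		n = strlen(demo_specs[i].prefix);
		if (strncmp(path, demo_specs[i].prefix, n) != 0)
			continue;
		/* Match whole path components only: "/etcfoo" is not under "/etc". */
		if (n == 1 || path[n] == '\0' || path[n] == '/') {
			*label = demo_specs[i].label;
			return (int)i;
		}
	}
	return -1;
}

int demo_label_lookup(const char *path, const char **label)
{
	return demo_lookup_internal(path, label) < 0 ? -1 : 0;
}

/* Defining a deprecated function does not warn; only calls to it do. */
int demo_old_lookup(const char *path, const char **label)
{
	return demo_lookup_internal(path, label) < 0 ? -1 : 0;
}

/* In-library caller: uses the static helper, so the library itself
 * builds without -Wdeprecated-declarations noise. */
int demo_old_lookup_index(const char *path, const char **label)
{
	return demo_lookup_internal(path, label);
}

/* ---- a consumer that must keep calling the old entry point ---- */
/* The suppression covers this one function, not the whole target. */
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif
int demo_consumer_legacy_call(const char *path, const char **label)
{
	return demo_old_lookup(path, label);
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif

int main(void)
{
	const char *label = NULL;

	if (demo_consumer_legacy_call("/etc/passwd", &label) == 0)
		printf("/etc/passwd -> %s\n", label);
	return 0;
}
```

Calling `demo_old_lookup` anywhere outside the pragma-wrapped function produces the `-Wdeprecated-declarations` warning with the "Use demo_label_lookup" text.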

* [PATCH v4 01/18] security_load_booleans: update return comment
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
@ 2020-04-27 20:22   ` bill.c.roberts
  2020-04-27 20:22   ` [PATCH v4 02/18] security_load_booleans: annotate deprecated bill.c.roberts
                     ` (17 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:22 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

The code returns -1 not 0, correct it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 6a512b383325..948ca0689a07 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -323,7 +323,7 @@ extern int security_set_boolean_list(size_t boolcnt,
 				     SELboolean * boollist, int permanent);
 
 /* Load policy boolean settings. Deprecated as local policy booleans no
- * longer supported. Will always return 0.
+ * longer supported. Will always return -1.
  */
 extern int security_load_booleans(char *path);
 
-- 
2.17.1



* [PATCH v4 02/18] security_load_booleans: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
  2020-04-27 20:22   ` [PATCH v4 01/18] security_load_booleans: update return comment bill.c.roberts
@ 2020-04-27 20:22   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 03/18] selinux_booleans_path: " bill.c.roberts
                     ` (16 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:22 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 948ca0689a07..ae70479511db 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -325,7 +325,11 @@ extern int security_set_boolean_list(size_t boolcnt,
 /* Load policy boolean settings. Deprecated as local policy booleans no
  * longer supported. Will always return -1.
  */
-extern int security_load_booleans(char *path);
+extern int security_load_booleans(char *path)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /* Check the validity of a security context. */
 extern int security_check_context(const char * con);
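Review bot: the `__attribute__ ((deprecated))` added after `security_load_booleans(char *path)` carries no message, although the comment directly above already gives the reason (local policy booleans are no longer supported and the call always returns -1). Later patches in this series use the `deprecated("...")` form; using it here too would put that reason into the compiler warning, which is where callers will actually see it.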
-- 
2.17.1



* [PATCH v4 03/18] selinux_booleans_path: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
  2020-04-27 20:22   ` [PATCH v4 01/18] security_load_booleans: update return comment bill.c.roberts
  2020-04-27 20:22   ` [PATCH v4 02/18] security_load_booleans: annotate deprecated bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 04/18] selinux_users_path: " bill.c.roberts
                     ` (15 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index ae70479511db..19b22c166651 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -579,7 +579,11 @@ extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
 /* Deprecated as local policy booleans no longer supported. */
-extern const char *selinux_booleans_path(void);
+extern const char *selinux_booleans_path(void)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
 extern const char *selinux_users_path(void);
-- 
2.17.1



* [PATCH v4 04/18] selinux_users_path: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (2 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 03/18] selinux_booleans_path: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 05/18] rpm_execcon: " bill.c.roberts
                     ` (14 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 19b22c166651..75f65e367bf4 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -586,7 +586,11 @@ __attribute__ ((deprecated))
 ;
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
-extern const char *selinux_users_path(void);
+extern const char *selinux_users_path(void)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 extern const char *selinux_usersconf_path(void);
 extern const char *selinux_translations_path(void);
 extern const char *selinux_colors_path(void);
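Review bot: the five-line `#ifdef __GNUC__` / `__attribute__` / `#endif` / `;` tail added to `selinux_users_path(void)` is the third copy of the same block in this header, and it already confuses tooling: this hunk's own `@@` header shows `__attribute__ ((deprecated))` where a function name would normally appear. Consider defining one guarded macro near the top of selinux.h and appending it to each prototype on the same line, so the `__GNUC__` test lives in one place and each declaration stays a single statement.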
-- 
2.17.1



* [PATCH v4 05/18] rpm_execcon: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (3 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 04/18] selinux_users_path: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 06/18] sidget: " bill.c.roberts
                     ` (13 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 75f65e367bf4..deaa3f172586 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -645,7 +645,11 @@ extern int setexecfilecon(const char *filename, const char *fallback_type);
 /* Execute a helper for rpm in an appropriate security context. */
 extern int rpm_execcon(unsigned int verified,
 		       const char *filename,
-		       char *const argv[], char *const envp[]);
+		       char *const argv[], char *const envp[])
+#ifdef __GNUC__
+	__attribute__((deprecated("Use setexecfilecon and execve")))
+#endif
+;
 #endif
 
 /* Returns whether a file context is customizable, and should not 
-- 
2.17.1



* [PATCH v4 06/18] sidget: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (4 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 05/18] rpm_execcon: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 07/18] sidput: " bill.c.roberts
                     ` (12 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 46c51419f588..0589935651b4 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -64,7 +64,11 @@ extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
  * reference count).  Note that avc_context_to_sid() also
  * increments reference counts.
  */
-extern int sidget(security_id_t sid);
+extern int sidget(security_id_t sid)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /**
  * sidput - decrement SID reference counter.
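Review bot: `sidget` gets a bare `deprecated` with no message, and the doc comment in the context lines above still describes it as a live reference-count operation, so a caller who hits the new warning learns neither why nor what to do. Add a message to the attribute and a deprecation sentence to the comment; the same applies to `sidput` in 07/18.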
-- 
2.17.1



* [PATCH v4 07/18] sidput: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (5 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 06/18] sidget: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 08/18] checkPasswdAccess: " bill.c.roberts
                     ` (11 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 0589935651b4..c732824129cb 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -80,7 +80,11 @@ __attribute__ ((deprecated))
  * zero, the SID is invalid, and avc_context_to_sid() must
  * be called to obtain a new SID for the security context.
  */
-extern int sidput(security_id_t sid);
+extern int sidput(security_id_t sid)
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+;
 
 /**
  * avc_get_initial_sid - get SID for an initial kernel security identifier
-- 
2.17.1



* [PATCH v4 08/18] checkPasswdAccess: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (6 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 07/18] sidput: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 09/18] matchpathcon_init: " bill.c.roberts
                     ` (10 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index deaa3f172586..9dcb3220264a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -619,7 +619,11 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
 extern int selinux_check_passwd_access(access_vector_t requested);
-extern int checkPasswdAccess(access_vector_t requested);
+extern int checkPasswdAccess(access_vector_t requested)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selinux_check_access")))
+#endif
+;
 
 /* Check if the tty_context is defined as a securetty
    Return 0 if secure, < 0 otherwise. */
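Review bot: the message "Use selinux_check_access" on `checkPasswdAccess` points at a function with a different shape: the hunk header shows `selinux_check_access(const char * scon, const char * tcon, const char ...` taking context strings, while `checkPasswdAccess` takes a single `access_vector_t`. It is not a drop-in replacement, so the comment above the declaration should say how a passwd-class check maps onto the new call's arguments.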
-- 
2.17.1



* [PATCH v4 09/18] matchpathcon_init: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (7 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 08/18] checkPasswdAccess: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 10/18] matchpathcon_fini: " bill.c.roberts
                     ` (9 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 9dcb3220264a..940c43eff8c9 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -465,7 +465,11 @@ extern void set_matchpathcon_flags(unsigned int flags);
    function also checks for a 'path'.homedirs file and 
    a 'path'.local file and loads additional specifications 
    from them if present. */
-extern int matchpathcon_init(const char *path);
+extern int matchpathcon_init(const char *path)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
+#endif
+;
 
 /* Same as matchpathcon_init, but only load entries with
    regexes that have stems that are prefixes of 'prefix'. */
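Review bot: `matchpathcon_init_prefix`, described in the trailing context as "Same as matchpathcon_init" with a prefix filter, is left unannotated by this hunk. If it is deprecated along with `matchpathcon_init`, annotate it in this patch; if it is kept on purpose, say so in the commit message, which is currently empty.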
-- 
2.17.1



* [PATCH v4 10/18] matchpathcon_fini: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (8 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 09/18] matchpathcon_init: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 11/18] matchpathcon: " bill.c.roberts
                     ` (8 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 940c43eff8c9..b04f34a1b3bb 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -476,7 +476,11 @@ extern int matchpathcon_init(const char *path)
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
 /* Free the memory allocated by matchpathcon_init. */
-extern void matchpathcon_fini(void);
+extern void matchpathcon_fini(void)
+#ifdef __GNUC__
+   __attribute__ ((deprecated("Use selabel_close")))
+#endif
+;
 
 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
  * the final component (same a realpath() unless the final component is a
-- 
2.17.1



* [PATCH v4 11/18] matchpathcon: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (9 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 10/18] matchpathcon_fini: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 12/18] avc_init: " bill.c.roberts
                     ` (7 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index b04f34a1b3bb..5633cf40607d 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -494,7 +494,11 @@ extern int realpath_not_final(const char *name, char *resolved_path);
    If matchpathcon_init has not already been called, then this function
    will call it upon its first invocation with a NULL path. */
 extern int matchpathcon(const char *path,
-			mode_t mode, char ** con);
+			mode_t mode, char ** con)
+#ifdef __GNUC__
+	__attribute__ ((deprecated("Use selabel_lookup instead")))
+#endif
+;
 
 /* Same as above, but return a specification index for 
    later use in a matchpathcon_filespec_add() call - see below. */
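Review bot: the trailing context documents a sibling ("Same as above, but return a specification index") that stays unannotated while `matchpathcon` itself is deprecated; please state whether that is intended. Minor: this message reads "Use selabel_lookup instead" while the other messages in the series omit "instead"; pick one wording.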
-- 
2.17.1



* [PATCH v4 12/18] avc_init: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (10 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 11/18] matchpathcon: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 13/18] avc: create internal avc_init interface bill.c.roberts
                     ` (6 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/avc.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index c732824129cb..9b23357ad17f 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -200,7 +200,11 @@ extern int avc_init(const char *msgprefix,
 		    const struct avc_memory_callback *mem_callbacks,
 		    const struct avc_log_callback *log_callbacks,
 		    const struct avc_thread_callback *thread_callbacks,
-		    const struct avc_lock_callback *lock_callbacks);
+		    const struct avc_lock_callback *lock_callbacks)
+#ifdef __GNUC__
+	__attribute__ ((deprecated("Use avc_open and selinux_set_callback")))
+#endif
+;
 
 /**
  * avc_open - Initialize the AVC.
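Review bot: ordering problem: this hunk marks `avc_init` deprecated one patch before 13/18 stops `avc_open` from calling it, so at this commit the library calls its own deprecated function. If libselinux is built with warnings as errors (the `-Wno-error` in SWIG_CFLAGS in 18/18 suggests it can be), the tree does not build at this point and bisection breaks. Move the internal split ahead of the annotation, or squash the two; the same applies to 10/18 and 11/18 versus 14/18, where `matchpathcon_thread_destructor` and `matchpathcon_index` are still calling the annotated functions.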
-- 
2.17.1



* [PATCH v4 13/18] avc: create internal avc_init interface
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (11 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 12/18] avc_init: " bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 14/18] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
                     ` (5 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that avc_init is marked deprecated, create an avc_init2 interface
for internal users.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index ab10b0f9f1cb..b4648b2de170 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -145,22 +145,7 @@ int avc_get_initial_sid(const char * name, security_id_t * sid)
 	return rc;
 }
 
-int avc_open(struct selinux_opt *opts, unsigned nopts)
-{
-	avc_setenforce = 0;
-
-	while (nopts--)
-		switch(opts[nopts].type) {
-		case AVC_OPT_SETENFORCE:
-			avc_setenforce = 1;
-			avc_enforcing = !!opts[nopts].value;
-			break;
-		}
-
-	return avc_init("avc", NULL, NULL, NULL, NULL);
-}
-
-int avc_init(const char *prefix,
+static int avc_init_internal(const char *prefix,
 	     const struct avc_memory_callback *mem_cb,
 	     const struct avc_log_callback *log_cb,
 	     const struct avc_thread_callback *thread_cb,
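Review bot: the commit message promises an `avc_init2` interface, but this hunk adds `static int avc_init_internal`; update the message to match (the messages of 14/18 and 15/18 carry the same stale `2` suffix). Also re-indent the continuation lines under the renamed signature, which are still aligned for the shorter `int avc_init(`.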
@@ -246,6 +231,30 @@ int avc_init(const char *prefix,
 	return rc;
 }
 
+int avc_open(struct selinux_opt *opts, unsigned nopts)
+{
+	avc_setenforce = 0;
+
+	while (nopts--)
+		switch(opts[nopts].type) {
+		case AVC_OPT_SETENFORCE:
+			avc_setenforce = 1;
+			avc_enforcing = !!opts[nopts].value;
+			break;
+		}
+
+	return avc_init_internal("avc", NULL, NULL, NULL, NULL);
+}
+
+int avc_init(const char *prefix,
+	     const struct avc_memory_callback *mem_cb,
+	     const struct avc_log_callback *log_cb,
+	     const struct avc_thread_callback *thread_cb,
+	     const struct avc_lock_callback *lock_cb)
+{
+	return avc_init_internal(prefix, mem_cb, log_cb, thread_cb, lock_cb);
+}
+
 void avc_cache_stats(struct avc_cache_stats *p)
 {
 	memcpy(p, &cache_stats, sizeof(cache_stats));
-- 
2.17.1



* [PATCH v4 14/18] matchpathcon: create internal matchpathcon_fini interface
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (12 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 13/18] avc: create internal avc_init interface bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 15/18] selinux_check_passwd_access: annotate deprecated bill.c.roberts
                     ` (4 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Now that matchpathcon_fini is marked deprecated, create a
matchpathcon_fini2 interface for internal users. We create
a new header file for matchpathcon_internal interfaces.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/matchpathcon.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index bddf77a49ce1..2ec66650cae0 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -315,9 +315,19 @@ void matchpathcon_filespec_destroy(void)
 	fl_head = NULL;
 }
 
+static void matchpathcon_fini_internal(void)
+{
+	free_array_elts();
+
+	if (hnd) {
+		selabel_close(hnd);
+		hnd = NULL;
+	}
+}
+
 static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 {
-	matchpathcon_fini();
+	matchpathcon_fini_internal();
 }
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
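Review bot: the commit message does not describe this diff: it says a new header file is created for matchpathcon_internal interfaces, yet the diffstat touches only matchpathcon.c and `matchpathcon_fini_internal` here is a file-local `static`. The subject also mentions only `matchpathcon_fini`, while later hunks add `matchpathcon_internal` as well; reword both.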
@@ -359,12 +369,7 @@ int matchpathcon_init(const char *path)
 
 void matchpathcon_fini(void)
 {
-	free_array_elts();
-
-	if (hnd) {
-		selabel_close(hnd);
-		hnd = NULL;
-	}
+	matchpathcon_fini_internal();
 }
 
 /*
@@ -427,7 +432,7 @@ out:
 	return rc;
 }
 
-int matchpathcon(const char *path, mode_t mode, char ** con)
+static int matchpathcon_internal(const char *path, mode_t mode, char ** con)
 {
 	char stackpath[PATH_MAX + 1];
 	char *p = NULL;
@@ -448,9 +453,13 @@ int matchpathcon(const char *path, mode_t mode, char ** con)
 		selabel_lookup(hnd, con, path, mode);
 }
 
+int matchpathcon(const char *path, mode_t mode, char ** con) {
+	return matchpathcon_internal(path, mode, con);
+}
+
 int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
-	int i = matchpathcon(name, mode, con);
+	int i = matchpathcon_internal(name, mode, con);
 
 	if (i < 0)
 		return -1;
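Review bot: the new `int matchpathcon(const char *path, mode_t mode, char ** con) {` wrapper puts the opening brace on the signature line, while the other functions visible in this file (`matchpathcon_index` just below, `matchpathcon_fini` above) put it on its own line. Match the file's style.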
-- 
2.17.1



* [PATCH v4 15/18] selinux_check_passwd_access: annotate deprecated
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (13 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 14/18] matchpathcon: create internal matchpathcon_fini interface bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 16/18] matchpathcon: allow use of deprecated routines bill.c.roberts
                     ` (3 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Update the one internal tree caller in the same file to
call selinux_check_passwd_access2.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/include/selinux/selinux.h | 7 ++++++-
 libselinux/src/checkAccess.c         | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 5633cf40607d..aaf28ffdf9be 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -630,7 +630,12 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 
 /* Check a permission in the passwd class.
    Return 0 if granted or -1 otherwise. */
-extern int selinux_check_passwd_access(access_vector_t requested);
+extern int selinux_check_passwd_access(access_vector_t requested)
+#ifdef __GNUC__
+  __attribute__ ((deprecated("Use selinux_check_access")))
+#endif
+;
+
 extern int checkPasswdAccess(access_vector_t requested)
 #ifdef __GNUC__
    __attribute__ ((deprecated("Use selinux_check_access")))
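Review bot: the attribute line added under `selinux_check_passwd_access` is indented two spaces, while the identical line under `checkPasswdAccess` a few lines below uses three, and other patches in the series use a tab or no indent at all. Settle on one form. With the two declarations now separated by a blank line, the "Check a permission in the passwd class" comment also reads as covering only the first; extend or repeat it.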
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 677e2ecd7df4..3491fded7895 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -64,7 +64,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
        return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
 }
 
-int selinux_check_passwd_access(access_vector_t requested)
+static int selinux_check_passwd_access_internal(access_vector_t requested)
 {
 	int status = -1;
 	char *user_context;
@@ -99,8 +99,11 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
+int selinux_check_passwd_access(access_vector_t requested) {
+	return selinux_check_passwd_access_internal(requested);
+}
 
 int checkPasswdAccess(access_vector_t requested)
 {
-	return selinux_check_passwd_access(requested);
+	return selinux_check_passwd_access_internal(requested);
 }
-- 
2.17.1



* [PATCH v4 16/18] matchpathcon: allow use of deprecated routines
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (14 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 15/18] selinux_check_passwd_access: annotate deprecated bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 17/18] utils: matchpathcon add deprecated warning bill.c.roberts
                     ` (2 subsequent siblings)
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Utility matchpathcon uses the matchpathcon interface which has been
deprecated. However, this tool will continue to live on, so allow it to
use the deprecated interface.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index b018a08acbe0..aa2d3e1b144f 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -56,6 +56,8 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
 
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
+matchpathcon: CFLAGS += -Wno-deprecated-declarations
+
 all: $(TARGETS)
 
 install: all
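Review bot: `matchpathcon: CFLAGS += -Wno-deprecated-declarations` silences every deprecation warning in the utility, not only those for the matchpathcon calls it is meant to excuse, so a deprecation introduced later by any header this tool includes will go unnoticed. A `#pragma GCC diagnostic` push/ignored/pop around the specific calls in matchpathcon.c would keep the exemption as narrow as the commit message describes.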
-- 
2.17.1



* [PATCH v4 17/18] utils: matchpathcon add deprecated warning
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (15 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 16/18] matchpathcon: allow use of deprecated routines bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-27 20:23   ` [PATCH v4 18/18] Makefile: swig build allow deprecated functions bill.c.roberts
  2020-04-28 21:25   ` [v4] Annotate Deprecated Functions in libselinux Nicolas Iooss
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a deprecated warning to matchpathcon encouraging users to switch to
selabel_lookup.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/utils/matchpathcon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index eb39a1881066..cc018d213f4c 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -73,6 +73,9 @@ int main(int argc, char **argv)
 	int error = 0;
 	int quiet = 0;
 
+	fprintf(stderr,
+		"Deprecated, use selabel_lookup\n");
+
 	if (argc < 2)
 		usage(argv[0]);
 
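Review bot: the `fprintf` is placed before the `argc < 2` check and before any option that could set `quiet` is parsed, so it prints on every run, including usage errors and quiet mode. Consider emitting it after option parsing and skipping it when quiet is requested. The text also names a library function, `selabel_lookup`, which does not tell someone running the command-line tool what to run instead; prefix the message with the program name and point at a replacement tool if there is one.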
-- 
2.17.1



* [PATCH v4 18/18] Makefile: swig build allow deprecated functions
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (16 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 17/18] utils: matchpathcon add deprecated warning bill.c.roberts
@ 2020-04-27 20:23   ` bill.c.roberts
  2020-04-28 21:25   ` [v4] Annotate Deprecated Functions in libselinux Nicolas Iooss
  18 siblings, 0 replies; 97+ messages in thread
From: bill.c.roberts @ 2020-04-27 20:23 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: plautrba, sds, selinux, William Roberts

From: William Roberts <william.c.roberts@intel.com>

The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 9992221f5fc5..73303c3666c9 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -105,7 +105,8 @@ FTS_LDLIBS ?=
 override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
-		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \
+		-Wno-deprecated-declarations
 
 RANLIB ?= ranlib
 
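Review bot: `-Wno-deprecated-declarations` on the SWIG_CFLAGS continuation line silences every deprecation warning in the SWIG-built C, not only the ones from the routines this series annotates, and the reason is recorded only in the commit message. Since `-Wno-error` already leads the list, these warnings would not fail the build, so a one-line comment above SWIG_CFLAGS saying that the bindings intentionally wrap deprecated routines would keep the flag from looking like a leftover.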
-- 
2.17.1



* Re: [v4] Annotate Deprecated Functions in libselinux
  2020-04-27 20:22 ` [v4] Annotate Deprecated Functions in libselinux bill.c.roberts
                     ` (17 preceding siblings ...)
  2020-04-27 20:23   ` [PATCH v4 18/18] Makefile: swig build allow deprecated functions bill.c.roberts
@ 2020-04-28 21:25   ` Nicolas Iooss
  18 siblings, 0 replies; 97+ messages in thread
From: Nicolas Iooss @ 2020-04-28 21:25 UTC (permalink / raw)
  To: William Roberts; +Cc: Petr Lautrbach, Stephen Smalley, SElinux list

On Mon, Apr 27, 2020 at 10:23 PM <bill.c.roberts@gmail.com> wrote:
>
> V4:
> - Drop the internal header interfaces, they were unused and pointless.
>
> V3:
> - Made the deprecated annotation dependent on __GNUC__ like
>   the __format__(printf,...) specifiers. This will allow these
>   to not be defined when swig is building, so this will fix the
>   swig syntax issues.
> - Swig's build flags include -Wno-deprecated-declarations because the
>   bindings need to pull the full API out, even deprecated functions.
> - Rather than compile matchpathcon with static selinux, I just set its
>   compile flags to include -Wno-deprecated-declarations. Essentially
>   saying, yes use this old interface it's Ok in this instance.
>
> V2:
> - Simplified now that dso.h stuff has been removed.
> - selinux_check_passwd_access has been deprecated and now
>   both selinux_check_passwd_access and checkPasswdAccess
>   are recommending selinux_check_access.
> - matchpathcon is linked statically to get access to deprecated
>   routines and prints a deprecated warning to stderr.
>
> V1:
> I went through and annotated deprecated routines we have in
> libselinux that are mentioned to be deprecated either in code
> comments and/or manpages.
>
> External users, when compiling, will see a warning similar to some
> sample output:
>
> a.c: In function ‘main’:
> a.c:18:2: warning: ‘foo’ is deprecated: foo bar msg [-Wdeprecated-declarations]
>   foo();
>   ^~~
> a.c:5:5: note: declared here
>  int foo(void) {
>       ^~~
> a.c:19:2: warning: ‘boo’ is deprecated [-Wdeprecated-declarations]
>   boo();
>   ^~~
> a.c:11:5: note: declared here
>  int boo(void) {
>
> [PATCH v4 01/18] security_load_booleans: update return comment
> [PATCH v4 02/18] security_load_booleans: annotate deprecated
> [PATCH v4 03/18] selinux_booleans_path: annotate deprecated
> [PATCH v4 04/18] selinux_users_path: annotate deprecated
> [PATCH v4 05/18] rpm_execcon: annotate deprecated
> [PATCH v4 06/18] sidget: annotate deprecated
> [PATCH v4 07/18] sidput: annotate deprecated
> [PATCH v4 08/18] checkPasswdAccess: annotate deprecated
> [PATCH v4 09/18] matchpathcon_init: annotate deprecated
> [PATCH v4 10/18] matchpathcon_fini: annotate deprecated
> [PATCH v4 11/18] matchpathcon: annotate deprecated
> [PATCH v4 12/18] avc_init: annotate deprecated
> [PATCH v4 13/18] avc: create internal avc_init interface
> [PATCH v4 14/18] matchpathcon: create internal matchpathcon_fini
> [PATCH v4 15/18] selinux_check_passwd_access: annotate deprecated
> [PATCH v4 16/18] matchpathcon: allow use of deprecated routines
> [PATCH v4 17/18] utils: matchpathcon add deprecated warning
> [PATCH v4 18/18] Makefile: swig build allow deprecated functions

Hello,
Thanks for this v4. Some commit descriptions still use "...2" instead
of "..._internal", but I do not think this needs to be fixed in
another iteration, because the patches look otherwise good to me.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Feel free to apply them (eventually with fixed descriptions).
Otherwise I will apply them tomorrow.
Nicolas
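
The annotation pattern discussed in this thread, as an added example that is not code from the patch series or from libselinux: the deprecated attribute is compiled in only under __GNUC__, and one legacy caller is exempted with a push/pop pragma, a narrower alternative to a file-wide -Wno-deprecated-declarations. EX_DEPRECATED, the ex_* functions and the 64-byte buffer contract are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical macro: empty for parsers without GNU attributes (e.g. SWIG). */
#ifdef __GNUC__
#define EX_DEPRECATED(msg) __attribute__((deprecated(msg)))
#else
#define EX_DEPRECATED(msg)
#endif

/* Replacement interface: the caller passes the output buffer size. */
int ex_lookup(const char *path, char *out, size_t outlen);
/* Old interface: still exported, but every external call site now warns. */
int ex_lookup_old(const char *path, char *out) EX_DEPRECATED("use ex_lookup");

int ex_lookup(const char *path, char *out, size_t outlen)
{
	int n = snprintf(out, outlen, "label:%s", path);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0; /* -1 on truncation */
}

/* Defining a deprecated function does not warn; only uses of it do. */
int ex_lookup_old(const char *path, char *out)
{
	return ex_lookup(path, out, 64); /* assumed old contract: 64-byte buffer */
}

/* A legacy caller that must keep using the old symbol. The suppression is
 * scoped with push/pop so the rest of the file is still checked. */
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
#endif
int ex_legacy_tool(const char *path, char *out)
{
	return ex_lookup_old(path, out);
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif

int main(void)
{
	char buf[64];
	if (ex_legacy_tool("/etc/passwd", buf) != 0)
		return 1;
	puts(buf);
	return 0;
}
```

A call to ex_lookup_old placed outside the push/pop region produces the -Wdeprecated-declarations warning with the "use ex_lookup" message.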

