Deprecate use of flask.h and av_permissions.h.

Also remove all internal uses by libselinux. This requires deleting the old class/perm string lookup tables and compatibility code for kernels that predate the /sys/fs/selinux/class tree, i.e. Linux < 2.6.23. This also fixes a longstanding bug in the stringrep code; it was allocating NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e. the total number of legacy permissions) entries in the per-class perms array rather than MAXVECTORS (the maximum number of permissions in any access vector). Ho hum. I already fixed this in Android but forgot it here. Signed-off-by: Stephen Smalley <[email protected]>
SELinuxProject · Jul 9, 2014 · 76913d8 · 76913d8
1 parent ac33098
commit 76913d8
Show file tree

Hide file tree

Showing 13 changed files with 15 additions and 808 deletions.
diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
@@ -1,3 +1,6 @@
+#warning "Please remove any #include of this header in your source code."
+#warning "Instead, use string_to_av_perm() to map the permission name to a value."
+
 /* This file is automatically generated. Do not edit. */
 #define COMMON_FILE__IOCTL 0x00000001UL
 #define COMMON_FILE__READ 0x00000002UL

diff --git a/libselinux/include/selinux/flask.h b/libselinux/include/selinux/flask.h
@@ -2,6 +2,9 @@
 #ifndef _SELINUX_FLASK_H_
 #define _SELINUX_FLASK_H_
 
+#warning "Please remove any #include's of this header in your source code."
+#warning "Instead, use string_to_security_class() to map the class name to a value."
+
 /*
  * Security object class definitions
  */

diff --git a/libselinux/src/av_inherit.h b/libselinux/src/av_inherit.h
diff --git a/libselinux/src/av_perm_to_string.h b/libselinux/src/av_perm_to_string.h
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
@@ -4,9 +4,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include "selinux_internal.h"
-#include <selinux/flask.h>
 #include <selinux/avc.h>
-#include <selinux/av_permissions.h>
 #include "avc_internal.h"
 
 static pthread_once_t once = PTHREAD_ONCE_INIT;

diff --git a/libselinux/src/class_to_string.h b/libselinux/src/class_to_string.h
diff --git a/libselinux/src/common_perm_to_string.h b/libselinux/src/common_perm_to_string.h
diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
@@ -5,9 +5,7 @@
 %module selinux
 %{
  #include "../include/selinux/avc.h"
- #include "../include/selinux/av_permissions.h"
  #include "../include/selinux/context.h"
- #include "../include/selinux/flask.h"
  #include "../include/selinux/get_context_list.h"
  #include "../include/selinux/get_default_type.h"
  #include "../include/selinux/label.h"

diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c
@@ -1,7 +1,6 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <string.h>
-#include <selinux/flask.h>
 #include "selinux_internal.h"
 #include "context_internal.h"
 
@@ -22,7 +21,7 @@ int setexecfilecon(const char *filename, const char *fallback_type)
  if (rc < 0)
  goto out;
 
- rc = security_compute_create(mycon, fcon, SECCLASS_PROCESS, &newcon);
+ rc = security_compute_create(mycon, fcon, string_to_security_class("process"), &newcon);
  if (rc < 0)
  goto out;