
Annotate libselinux functions #357

libselinux: deprecate matchpathcon and compute_user interfaces
Annotate interfaces of the matchpathcon family and
security_compute_user(3) and security_compute_user_raw(3) as deprecated.

Signed-off-by: Christian Göttsche <[email protected]>
cgzones committed May 12, 2023
commit 154a956918a3d510d1c7eaeafbb562e483077d91
28 changes: 15 additions & 13 deletions libselinux/include/selinux/selinux.h
Expand Up @@ -261,10 +261,12 @@ extern int security_compute_member_raw(const char * scon,
*/
extern int security_compute_user(const char * scon,
const char *username,
char *** con) selinux_nonnull((1,2,3)) selinux_nodiscard;
char *** con) selinux_nonnull((1,2,3)) selinux_nodiscard
selinux_deprecated("Use get_ordered_context_list(3) family");
extern int security_compute_user_raw(const char * scon,
const char *username,
char *** con) selinux_nonnull((1,2,3)) selinux_nodiscard;
char *** con) selinux_nonnull((1,2,3)) selinux_nodiscard
selinux_deprecated("Use get_ordered_context_list(3) family");

/* Validate a transition. This determines whether a transition from scon to newcon
using tcon as the target for object class tclass is valid in the loaded policy.
Expand Down Expand Up @@ -435,7 +437,7 @@ extern void selinux_flush_class_cache(void);
/* Set the function used by matchpathcon_init when displaying
errors about the file_contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). */
extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...)) selinux_deprecated("matchpathcon family is deprecated");

/* Set the function used by matchpathcon_init when checking the
validity of a context in the file contexts configuration. If not set,
Expand All @@ -444,21 +446,21 @@ extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
may include the 'path' and 'lineno' in such error messages. */
extern void set_matchpathcon_invalidcon(int (*f) (const char *path,
unsigned lineno,
char *context));
char *context)) selinux_deprecated("matchpathcon family is deprecated");

/* Same as above, but also allows canonicalization of the context,
by changing *context to refer to the canonical form. If not set,
and invalidcon is also not set, then this defaults to calling
security_canonicalize_context(). */
extern void set_matchpathcon_canoncon(int (*f) (const char *path,
unsigned lineno,
char **context));
char **context)) selinux_deprecated("matchpathcon family is deprecated");

/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
#define MATCHPATHCON_NOTRANS 2 /* Do not perform any context translation. */
#define MATCHPATHCON_VALIDATE 4 /* Validate/canonicalize contexts at init time. */
extern void set_matchpathcon_flags(unsigned int flags);
extern void set_matchpathcon_flags(unsigned int flags) selinux_deprecated("matchpathcon family is deprecated");

/* Load the file contexts configuration specified by 'path'
into memory for use by subsequent matchpathcon calls.
Expand All @@ -472,15 +474,15 @@ extern int matchpathcon_init(const char *path) selinux_nodiscard selinux_depreca

/* Same as matchpathcon_init, but only load entries with
regexes that have stems that are prefixes of 'prefix'. */
extern int matchpathcon_init_prefix(const char *path, const char *prefix) selinux_nodiscard;
extern int matchpathcon_init_prefix(const char *path, const char *prefix) selinux_nodiscard selinux_deprecated("Use selabel_open(3) with backend SELABEL_CTX_FILE");

/* Free the memory allocated by matchpathcon_init. */
extern void matchpathcon_fini(void) selinux_deprecated("Use selabel_close(3)");

/* Resolve all of the symlinks and relative portions of a pathname, but NOT
* the final component (same a realpath() unless the final component is a
* symlink. Resolved path must be a path of size PATH_MAX + 1 */
extern int realpath_not_final(const char *name, char *resolved_path) selinux_nonnull((1,2)) selinux_nodiscard;
extern int realpath_not_final(const char *name, char *resolved_path) selinux_nonnull((1,2)) selinux_nodiscard selinux_deprecated("Not meant for external use");

/* Match the specified pathname and mode against the file contexts
configuration and set *con to refer to the resulting context.
Expand All @@ -494,25 +496,25 @@ extern int matchpathcon(const char *path,
/* Same as above, but return a specification index for
later use in a matchpathcon_filespec_add() call - see below. */
extern int matchpathcon_index(const char *path,
mode_t mode, char ** con) selinux_nonnull((1,3)) selinux_nodiscard;
mode_t mode, char ** con) selinux_nonnull((1,3)) selinux_nodiscard selinux_deprecated("Use selabel_lookup(3)");

/* Maintain an association between an inode and a specification index,
and check whether a conflicting specification is already associated
with the same inode (e.g. due to multiple hard links). If so, then
use the latter of the two specifications based on their order in the
file contexts configuration. Return the used specification index. */
extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file) selinux_nonnull((3)) selinux_nodiscard;
extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file) selinux_nonnull((3)) selinux_nodiscard selinux_deprecated("matchpathcon family is deprecated");

/* Destroy any inode associations that have been added, e.g. to restart
for a new filesystem. */
extern void matchpathcon_filespec_destroy(void);
extern void matchpathcon_filespec_destroy(void) selinux_deprecated("matchpathcon family is deprecated");

/* Display statistics on the hash table usage for the associations. */
extern void matchpathcon_filespec_eval(void);
extern void matchpathcon_filespec_eval(void) selinux_deprecated("matchpathcon family is deprecated");

/* Check to see whether any specifications had no matches and report them.
The 'str' is used as a prefix for any warning messages. */
extern void matchpathcon_checkmatches(char *str);
extern void matchpathcon_checkmatches(char *str) selinux_deprecated("matchpathcon family is deprecated");

/* Match the specified media and against the media contexts
configuration and set *con to refer to the resulting context.
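Review bot: The new `selinux_deprecated(...)` annotation is appended inline on already long declarations (`set_matchpathcon_printf`, `matchpathcon_init_prefix`, `realpath_not_final`, `matchpathcon_index`, `matchpathcon_filespec_add`) but wrapped onto a continuation line for `security_compute_user` and `security_compute_user_raw`; one form should be used throughout the header, e.g. for `matchpathcon_index` keep `mode_t mode, char ** con) selinux_nonnull((1,3)) selinux_nodiscard` and put `selinux_deprecated("Use selabel_lookup(3)");` on its own line. The message on `realpath_not_final`, "Not meant for external use", implies the library's own sources still call it; unless `selinux_deprecated` expands to nothing for in-tree builds (its definition is outside this section, so I cannot tell from here), those call sites now emit the warning and would fail under `-Werror`. The generic text "matchpathcon family is deprecated" on the setters and the filespec helpers names no replacement, unlike `matchpathcon_index` and `matchpathcon_init_prefix`; where a `selabel` counterpart exists, naming it in the message makes migration easier for callers.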