Commit d7b6918e authored by Stephen Smalley, committed by Paul Moore

selinux: Deprecate /sys/fs/selinux/user
The only known user of this interface was libselinux and its
internal usage of this interface for get_ordered_context_list(3)
was removed in Feb 2020, with a deprecation warning added to
security_compute_user(3) at the same time. Add a deprecation
warning to the kernel and schedule it for final removal in 2025.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 9aba55b1
+12 −0
What:		/sys/fs/selinux/user
Date:		April 2005 (predates git)
KernelVersion:	2.6.12-rc2 (predates git)
Contact:	selinux@vger.kernel.org
Description:

	The selinuxfs "user" node allows userspace to request a list
	of security contexts that can be reached for a given SELinux
	user from a given starting context. This was used by libselinux
	when various login-style programs requested contexts for
	users, but libselinux stopped using it in 2020.
	Kernel support will be removed no sooner than Dec 2025.
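Review bot: the Description in the new ABI entry tells the reader the node is obsolete but not what to use instead; since the commit message says libselinux dropped its use of this node for get_ordered_context_list(3) and deprecated security_compute_user(3) at the same time, the entry should name that call so anyone still depending on /sys/fs/selinux/user knows what to migrate away from, and an explicit "Users:" line (libselinux, until 2020) would follow the usual layout of these files. The removal date also appears in two forms, "no sooner than Dec 2025" here and "final removal in 2025" in the commit message; pick one wording and use it in both places (and ideally in the kernel warning text) so the deprecation window is unambiguous.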
+4 −0
@@ -1069,6 +1069,10 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
	int rc;
	u32 i, len, nsids;

	pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!"
		" This will not be supported in the future; please update your"
		" userspace.\n", current->comm, current->pid);

	length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
			      SECCLASS_SECURITY, SECURITY__COMPUTE_USER,
			      NULL);
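Review bot: the pr_warn_ratelimited() call is emitted before the avc_has_perm() check for SECURITY__COMPUTE_USER, so any process allowed to open the node for writing produces the "wrote to /sys/fs/selinux/user!" line even when it is then denied the permission and never actually uses the interface; if the goal is to surface real users that need updating, move the warning after the permission check succeeds, which also keeps unprivileged callers from filling the log with deprecation noise (ratelimiting bounds the rate but not the signal-to-noise). The message itself says only that the interface "will not be supported in the future"; stating the planned removal date from the ABI entry ("no sooner than Dec 2025") in the warning would give administrators who see it a concrete deadline.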