Workaround deprecation warnings introduced in libselinux >= 3.1

Message ID 20200721202118.300350-1-aurelien@aurel32.net
State Superseded

Commit Message

Aurelien Jarno July 21, 2020, 8:21 p.m. UTC
glibc doesn't build with libselinux 3.1 that has been released recently
due to new deprecations introduced in that version and the fact that
glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   849 |   security_context_t ctx;
|       |   ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
|   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
|       |   ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
|   500 | extern int matchpathcon(const char *path,
|       |            ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

and

| selinux.c: In function ‘nscd_avc_init’:
| selinux.c:330:3: error: ‘avc_init’ is deprecated: Use avc_open and selinux_set_callback [-Werror=deprecated-declarations]
|   330 |   if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
|       |   ^~
| In file included from selinux.c:31:
| /usr/include/selinux/avc.h:199:12: note: declared here
|   199 | extern int avc_init(const char *msgprefix,
|       |            ^~~~~~~~
| selinux.c: In function ‘nscd_request_avc_has_perm’:
| selinux.c:355:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   355 |   security_context_t scon = NULL;
|       |   ^~~~~~~~~~~~~~~~~~
| selinux.c:356:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   356 |   security_context_t tcon = NULL;
|       |   ^~~~~~~~~~~~~~~~~~
| selinux.c:419:5: error: ‘sidput’ is deprecated [-Werror=deprecated-declarations]
|   419 |     sidput (ssid);
|       |     ^~~~~~
| In file included from selinux.c:31:
| /usr/include/selinux/avc.h:83:12: note: declared here
|    83 | extern int sidput(security_id_t sid)
|       |            ^~~~~~
| selinux.c:421:5: error: ‘sidput’ is deprecated [-Werror=deprecated-declarations]
|   421 |     sidput (tsid);
|       |     ^~~~~~
| In file included from selinux.c:31:
| /usr/include/selinux/avc.h:83:12: note: declared here
|    83 | extern int sidput(security_id_t sid)
|       |            ^~~~~~
| cc1: all warnings being treated as errors

This patch works around the issue until the deprecated code is
rewritten. #pragma GCC diagnostic annotations are used to disable
-Wdeprecated-declarations warning in the problematic functions. This is
probably the safest option for stable releases to avoid introducing
regressions.
---
 nscd/selinux.c | 6 ++++++
 nss/makedb.c   | 3 +++
 2 files changed, 9 insertions(+)
  

Comments

Joseph Myers July 21, 2020, 8:27 p.m. UTC | #1
On Tue, 21 Jul 2020, Aurelien Jarno wrote:

>  /* Initialize the user space access vector cache (AVC) for NSCD along with
>     log/thread/lock callbacks.  */
> +#pragma GCC diagnostic push
> +#pragma GCC diagnostic ignored "-Wdeprecated-declarations"

Rather than using the pragmas directly, we use the DIAG_*_NEEDS_COMMENT 
macros from libc-diag.h - with a comment explaining exactly why the 
diagnostics are being ignored.
  
Arjun Shankar July 22, 2020, 3:03 p.m. UTC | #2
On Tue, Jul 21, 2020 at 08:27:19PM +0000, Joseph Myers wrote:
> On Tue, 21 Jul 2020, Aurelien Jarno wrote:
> 
> >  /* Initialize the user space access vector cache (AVC) for NSCD along with
> >     log/thread/lock callbacks.  */
> > +#pragma GCC diagnostic push
> > +#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
> 
> Rather than using the pragmas directly, we use the DIAG_*_NEEDS_COMMENT 
> macros from libc-diag.h - with a comment explaining exactly why the 
> diagnostics are being ignored.

Florian wrote a patch using those that we applied to Fedora rawhide last
night. It was at the file level, though. I'll post something in a bit.
  

Patch

diff --git a/nscd/selinux.c b/nscd/selinux.c
index a4ea8008e20..0411e0f7fdf 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -322,6 +322,8 @@  avc_free_lock (void *lock)
 
 /* Initialize the user space access vector cache (AVC) for NSCD along with
    log/thread/lock callbacks.  */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 void
 nscd_avc_init (void)
 {
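Review bot: the two pragmas added above `nscd_avc_init` carry no comment saying which deprecated call they silence, and they now sit between the function's descriptive comment and its definition. The build log in the commit message points at `avc_init` (deprecated in favour of `avc_open` and `selinux_set_callback`); state that next to the suppression, and, as raised in comment #1, use the DIAG_*_NEEDS_COMMENT macros from libc-diag.h rather than raw `#pragma GCC diagnostic`, placed above the existing comment block so the comment stays attached to the function.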
@@ -335,6 +337,7 @@  nscd_avc_init (void)
   audit_init ();
 #endif
 }
+#pragma GCC diagnostic pop
 
 
 /* Check the permission from the caller (via getpeercon) to nscd.
@@ -348,6 +351,8 @@  nscd_avc_init (void)
    use security_deny_unknown to determine what to do if selinux-policy* doesn't
    have a definition for the the permission or object class we are looking
    up.  */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 int
 nscd_request_avc_has_perm (int fd, request_type req)
 {
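Review bot: the suppression opened above `nscd_request_avc_has_perm` stays in force for the whole function, which is the nscd permission check, so any later deprecation affecting other calls in this function would be silenced as well. Per the build log the only triggers are the `security_context_t` declarations of `scon` and `tcon` and the two `sidput` calls; name those in a comment on the suppression so it has a clear removal condition, and use the DIAG_*_NEEDS_COMMENT macros from libc-diag.h here too.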
@@ -422,6 +427,7 @@  out:
 
   return rc;
 }
+#pragma GCC diagnostic pop
 
 
 /* Wrapper to get AVC statistics.  */
diff --git a/nss/makedb.c b/nss/makedb.c
index 8e389a16837..7a365894cec 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -841,6 +841,8 @@  print_database (int fd)
 
 
 #ifdef HAVE_SELINUX
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 static void
 set_file_creation_context (const char *outname, mode_t mode)
 {
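Review bot: the pragmas added after `#ifdef HAVE_SELINUX` for `set_file_creation_context` record neither of the two deprecations they hide. The compiler output in the commit message already names the replacement for `matchpathcon` ("Use selabel_lookup instead") and also flags `security_context_t`; put both in a comment on the suppression so the workaround is traceable to libselinux 3.1 and can be dropped once the function is rewritten.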
@@ -870,6 +872,7 @@  set_file_creation_context (const char *outname, mode_t mode)
       freecon (ctx);
     }
 }
+#pragma GCC diagnostic pop
 
 static void
 reset_file_creation_context (void)