From 68d70de6c6264b7fd737e832d9cdebd3c2acc7ee Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 10 Feb 2025 15:24:18 -0500 Subject: [PATCH] sepolicy: Add ostree_sepolicy_set_null_log Let's quiet the output of libselinux by default, all we get is the pointless "regex version mismatch" warnings. This is what e.g. systemd does. This is exposed via the library; our binary opts in, then we expect higher level tools like e.g. bootc to do this too. Signed-off-by: Colin Walters --- Makefile-libostree.am | 6 +++--- apidoc/ostree-sections.txt | 1 + src/libostree/libostree-devel.sym | 5 +++++ src/libostree/ostree-sepolicy.c | 21 +++++++++++++++++++++ src/libostree/ostree-sepolicy.h | 3 +++ src/ostree/ot-main.c | 3 +++ 6 files changed, 36 insertions(+), 3 deletions(-) diff --git a/Makefile-libostree.am b/Makefile-libostree.am index 11a7bbedd3..915b20b8c2 100644 --- a/Makefile-libostree.am +++ b/Makefile-libostree.am @@ -175,9 +175,9 @@ endif # USE_GPGME symbol_files = $(top_srcdir)/src/libostree/libostree-released.sym # Uncomment this include when adding new development symbols. -#if BUILDOPT_IS_DEVEL_BUILD -#symbol_files += $(top_srcdir)/src/libostree/libostree-devel.sym -#endif +if BUILDOPT_IS_DEVEL_BUILD +symbol_files += $(top_srcdir)/src/libostree/libostree-devel.sym +endif # http://blog.jgc.org/2007/06/escaping-comma-and-space-in-gnu-make.html wl_versionscript_arg = -Wl,--version-script= diff --git a/apidoc/ostree-sections.txt b/apidoc/ostree-sections.txt index e934b85932..bea4cbceb6 100644 --- a/apidoc/ostree-sections.txt +++ b/apidoc/ostree-sections.txt @@ -539,6 +539,7 @@ OstreeSePolicyRestoreconFlags ostree_sepolicy_restorecon ostree_sepolicy_setfscreatecon ostree_sepolicy_fscreatecon_cleanup +ostree_sepolicy_set_null_log OSTREE_SEPOLICY OSTREE_IS_SEPOLICY diff --git a/src/libostree/libostree-devel.sym b/src/libostree/libostree-devel.sym index 6640e11c78..85169b5c40 100644 --- a/src/libostree/libostree-devel.sym +++ b/src/libostree/libostree-devel.sym 
@@ -20,6 +20,11 @@ - uncomment the include in Makefile-libostree.am */ +LIBOSTREE_2025.2 { +global: + ostree_sepolicy_set_null_log; +} LIBOSTREE_2025.1; + /* Stub section for the stable release *after* this development one; don't * edit this other than to update the year. This is just a copy/paste * source. Replace $LASTSTABLE with the last stable version, and $NEWVERSION diff --git a/src/libostree/ostree-sepolicy.c b/src/libostree/ostree-sepolicy.c index 2e6ec00e2a..6124e1491f 100644 --- a/src/libostree/ostree-sepolicy.c +++ b/src/libostree/ostree-sepolicy.c @@ -254,6 +254,27 @@ get_policy_checksum (char **out_csum, GCancellable *cancellable, GError **error) #endif +__attribute__ ((format (printf, 2, 3))) static int +_ostree_sepolicy_null_log (int type, const char *fmt, ...) +{ + return 0; +} + +/** + * ostree_sepolicy_set_null_log: + * Disable SELinux's builtin logging; one rarely wants this enabled. + * + * Since: 2025.2 + */ +void +ostree_sepolicy_set_null_log (void) +{ +#ifdef HAVE_SELINUX + selinux_set_callback (SELINUX_CB_LOG, + (const union selinux_callback){ .func_log = _ostree_sepolicy_null_log }); +#endif +} + /** * ostree_sepolicy_new_from_commit: * @repo: The repo diff --git a/src/libostree/ostree-sepolicy.h b/src/libostree/ostree-sepolicy.h index 2098456701..cb175ee790 100644 --- a/src/libostree/ostree-sepolicy.h +++ b/src/libostree/ostree-sepolicy.h @@ -31,6 +31,9 @@ G_BEGIN_DECLS _OSTREE_PUBLIC GType ostree_sepolicy_get_type (void); +_OSTREE_PUBLIC +void ostree_sepolicy_set_null_log (void); + _OSTREE_PUBLIC OstreeSePolicy *ostree_sepolicy_new (GFile *path, GCancellable *cancellable, GError **error); diff --git a/src/ostree/ot-main.c b/src/ostree/ot-main.c index d47a59cad5..794af31d68 100644 --- a/src/ostree/ot-main.c +++ b/src/ostree/ot-main.c 
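Review bot: `_ostree_sepolicy_null_log` in src/libostree/ostree-sepolicy.c ignores its `type` argument, so once `ostree_sepolicy_set_null_log ()` has run every libselinux message is dropped, `SELINUX_ERROR` included, not only the regex-version warning the commit message is about. The detail libselinux prints when a labeling or policy lookup fails is then lost, and only the return code remains for diagnosis. Consider passing errors through and dropping the rest, as sketched below. If total silence is intended, the doc comment should say that errors are discarded too, and that `selinux_set_callback` is process-wide and replaces any log callback the host application installed. The static callback also sits after the `#endif` shown as hunk context, so it appears to be compiled but unused in builds without `HAVE_SELINUX`; moving it inside the `#ifdef` avoids an unused-function warning.

```c
#ifdef HAVE_SELINUX
__attribute__ ((format (printf, 2, 3))) static int
_ostree_sepolicy_null_log (int type, const char *fmt, ...)
{
  /* Drop warning/info chatter, but keep real errors visible on stderr. */
  if (type != SELINUX_ERROR)
    return 0;

  va_list args;
  va_start (args, fmt);
  int ret = vfprintf (stderr, fmt, args);
  va_end (args);
  return ret;
}
#endif

// … unchanged: doc comment and ostree_sepolicy_set_null_log () …
```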
@@ -613,6 +613,9 @@ ostree_admin_option_context_parse (GOptionContext *context, const GOptionEntry * return TRUE; } + // Disable this, it's just noise + ostree_sepolicy_set_null_log (); + g_autoptr (GFile) sysroot_path = NULL; if (opt_sysroot != NULL) sysroot_path = g_file_new_for_path (opt_sysroot);
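Review bot: The call sits inside `ostree_admin_option_context_parse`, below an early `return TRUE;`, so only the admin path that gets past that return installs the null logger. Other commands of the binary that touch SELinux policy would presumably still print the warnings. If the intent is that the whole binary opts in, as the commit message says, a single call during start-up would be more predictable. The comment `// Disable this, it's just noise` does not say what is disabled; something like `/* Silence libselinux's stderr logging, process-wide */` reads better out of context. The function body starts and ends outside the hunk.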