Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
	selinux@vger.kernel.org, jwcart2@gmail.com, omosnace@redhat.com,
	"Pepper Gray" <hello@peppergray.xyz>
Subject: Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS
Date: Mon, 15 Jun 2026 18:51:24 +0200	[thread overview]
Message-ID: <871pe7n3w3.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ7K-TankL0uBE10mapBCh++SCkSNn4xx7ZEXa4UzuKT_g@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Mon, Jun 15, 2026 at 4:58 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Thu, Jun 11, 2026 at 2:50 PM Christian Göttsche
>> > <cgzones@googlemail.com> wrote:
>> >>
>> >> On Thu, 11 Jun 2026 at 15:10, Stephen Smalley
>> >> <stephen.smalley.work@gmail.com> wrote:
>> >> >
>> >> > commit 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> >> > introduced a matchpathcon_filespec_add64 symbol for certain 32-bit
>> >> > configurations but added it to libselinux.map. This was benign under
>> >> > GNU ld but breaks lld due to differing defaults for
>> >> > --no-undefined-version. Add --undefined-version to LD_SONAME_FLAGS to
>> >> > avoid breakage when building with lld.
>> >> >
>> >> > Fix: #512
>> >> > Fix: #513
>> >> > Fixes: 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> >> > Reported-by: Pepper Gray <hello@peppergray.xyz>
>> >> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>> >>
>> >> Personally I liked the fallback wrapper definition of
>> >> matchpathcon_filespec_add64() more...
>> >
>> > I don't strongly care either way. See
>> > https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674610134
>> > and https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674659036
>> > for the argument made against
>> > adding the wrapper definition.
>>
>>
>> Could we use libselinux.map.in and generate libselinux.map build time?
>>
>> Add matchpathcon_filespec_add64@LIBSELINUX_3.8 symbol when bits are lower than
>> 64, add  matchpathcon_filespec_add@LIBSELINUX_3.8 when bits are 64
>>
>>
>> Something like the patch bellow. Would it be too complicated?
>
> We would need to match the logic used in selinux.h:
> #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && \
>         defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> #define matchpathcon_filespec_add matchpathcon_filespec_add64
> #endif
>
> Yet another option would be to allow overriding of LD_SONAME_FLAGS or
> introduce another Makefile variable that is appended to it that can be
> overridden so that the build system could inject --undefined-version
> when linking with lld.

This would be my preferred solution together with a note in README.md or somewhere.


>>
>> 1. convert .map to map.in
>> $ sed 's/matchpathcon_filespec_add64/@matchpathcon_filespec_add64@/' libselinux/src/libselinux.map > libselinux/src/libselinux.map.in
>>
>> 2.
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index aeede2b56e8e..f397967657bf 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -39,6 +39,8 @@ ifeq ($(USE_LFS),y)
>>         LFS_CFLAGS := -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
>>  endif
>>  export LFS_CFLAGS
>> +LONG_BIT := $(shell getconf LONG_BIT)
>> +export LONG_BIT
>>
>>  OS := $(shell uname)
>>  export OS
>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
>> index 9982faada9ef..5cb104fe5576 100644
>> --- a/libselinux/src/Makefile
>> +++ b/libselinux/src/Makefile
>> @@ -158,11 +158,18 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
>>  $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
>>         $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -L. -fPIC -shared -o $@ $^ -lselinux $(RUBYLIBS)
>>
>> +libselinux.map: libselinux.map.in
>> +       if [ ${LONG_BIT} -lt 64 ]; then \
>> +               sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add64/' < $< > $@; \
>> +       else \
>> +           sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add/' < $< > $@; \
>> +       fi
>> +
>>  $(LIBA): $(OBJS)
>>         $(AR) rcs $@ $^
>>         $(RANLIB) $@
>>
>> -$(LIBSO): $(LOBJS)
>> +$(LIBSO): $(LOBJS) | libselinux.map
>>         $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -fPIC -shared -o $@ $^ $(PCRE_LDLIBS) $(FTS_LDLIBS) -ldl -Wl,$(LD_SONAME_FLAGS)
>>         ln -sf $@ $(TARGET)
>>
>> @@ -212,7 +219,7 @@ clean-rubywrap:
>>         -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
>>
>>  clean: clean-pywrap clean-rubywrap
>> -       -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
>> +       -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) libselinux.map *.o *.lo *~
>>
>>  distclean: clean
>>         rm -f $(GENERATED) $(SWIGFILES)
>> diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map.in
>> similarity index 99%
>> rename from libselinux/src/libselinux.map
>> rename to libselinux/src/libselinux.map.in
>> index 95cd53b043c2..9a1b1736aca8 100644
>> --- a/libselinux/src/libselinux.map
>> +++ b/libselinux/src/libselinux.map.in
>> @@ -255,7 +255,7 @@ LIBSELINUX_3.5 {
>>
>>  LIBSELINUX_3.8 {
>>    global:
>> -    matchpathcon_filespec_add64;
>> +    @matchpathcon_filespec_add64@;
>>  } LIBSELINUX_3.5;
>>
>>  LIBSELINUX_3.9 {
>>

     prev parent reply	other threads:[~2026-06-15 16:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 13:03 [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS Stephen Smalley
2026-06-11 18:50 ` Christian Göttsche
2026-06-11 19:34   ` Stephen Smalley
2026-06-15  8:58     ` Petr Lautrbach
2026-06-15 12:18       ` Stephen Smalley
2026-06-15 16:51         ` Petr Lautrbach [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871pe7n3w3.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=cgzones@googlemail.com \
    --cc=hello@peppergray.xyz \
    --cc=jwcart2@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.