All of lore.kernel.org
 help / color / mirror / Atom feed
From: Petr Lautrbach <plautrba@redhat.com>
To: "Stephen Smalley" <stephen.smalley.work@gmail.com>,
	"Christian Göttsche" <cgzones@googlemail.com>
Cc: selinux@vger.kernel.org, jwcart2@gmail.com, omosnace@redhat.com,
	Pepper Gray <hello@peppergray.xyz>
Subject: Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS
Date: Mon, 15 Jun 2026 10:58:00 +0200	[thread overview]
Message-ID: <875x3kmb8n.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ4hhWE_9wAywrdPT4UdUJt9cgo6=ckH6_4=2gnxuET6UA@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Thu, Jun 11, 2026 at 2:50 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
>>
>> On Thu, 11 Jun 2026 at 15:10, Stephen Smalley
>> <stephen.smalley.work@gmail.com> wrote:
>> >
>> > commit 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> > introduced a matchpathcon_filespec_add64 symbol for certain 32-bit
>> > configurations but added it to libselinux.map. This was benign under
>> > GNU ld but breaks lld due to differing defaults for
>> > --no-undefined-version. Add --undefined-version to LD_SONAME_FLAGS to
>> > avoid breakage when building with lld.
>> >
>> > Fix: #512
>> > Fix: #513
>> > Fixes: 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> > Reported-by: Pepper Gray <hello@peppergray.xyz>
>> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>>
>> Personally I liked the fallback wrapper definition of
>> matchpathcon_filespec_add64() more...
>
> I don't strongly care either way. See
> https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674610134
> and https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674659036
> for the argument made against
> adding the wrapper definition.


Could we use libselinux.map.in and generate libselinux.map build time?

Add matchpathcon_filespec_add64@LIBSELINUX_3.8 symbol when bits are lower than
64, add  matchpathcon_filespec_add@LIBSELINUX_3.8 when bits are 64


Something like the patch bellow. Would it be too complicated?

1. convert .map to map.in
$ sed 's/matchpathcon_filespec_add64/@matchpathcon_filespec_add64@/' libselinux/src/libselinux.map > libselinux/src/libselinux.map.in

2.

diff --git a/libselinux/Makefile b/libselinux/Makefile
index aeede2b56e8e..f397967657bf 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -39,6 +39,8 @@ ifeq ($(USE_LFS),y)
 	LFS_CFLAGS := -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
 endif
 export LFS_CFLAGS
+LONG_BIT := $(shell getconf LONG_BIT)
+export LONG_BIT
 
 OS := $(shell uname)
 export OS
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 9982faada9ef..5cb104fe5576 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -158,11 +158,18 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
 $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -L. -fPIC -shared -o $@ $^ -lselinux $(RUBYLIBS)
 
+libselinux.map: libselinux.map.in
+	if [ ${LONG_BIT} -lt 64 ]; then \
+		sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add64/' < $< > $@; \
+	else \
+	    sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add/' < $< > $@; \
+	fi
+
 $(LIBA): $(OBJS)
 	$(AR) rcs $@ $^
 	$(RANLIB) $@
 
-$(LIBSO): $(LOBJS)
+$(LIBSO): $(LOBJS) | libselinux.map
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -fPIC -shared -o $@ $^ $(PCRE_LDLIBS) $(FTS_LDLIBS) -ldl -Wl,$(LD_SONAME_FLAGS)
 	ln -sf $@ $(TARGET)
 
@@ -212,7 +219,7 @@ clean-rubywrap:
 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
 
 clean: clean-pywrap clean-rubywrap
-	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
+	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) libselinux.map *.o *.lo *~
 
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map.in
similarity index 99%
rename from libselinux/src/libselinux.map
rename to libselinux/src/libselinux.map.in
index 95cd53b043c2..9a1b1736aca8 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map.in
@@ -255,7 +255,7 @@ LIBSELINUX_3.5 {
 
 LIBSELINUX_3.8 {
   global:
-    matchpathcon_filespec_add64;
+    @matchpathcon_filespec_add64@;
 } LIBSELINUX_3.5;
 
 LIBSELINUX_3.9 {


  reply	other threads:[~2026-06-15  8:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 13:03 [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS Stephen Smalley
2026-06-11 18:50 ` Christian Göttsche
2026-06-11 19:34   ` Stephen Smalley
2026-06-15  8:58     ` Petr Lautrbach [this message]
2026-06-15 12:18       ` Stephen Smalley
2026-06-15 16:51         ` Petr Lautrbach

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=875x3kmb8n.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=cgzones@googlemail.com \
    --cc=hello@peppergray.xyz \
    --cc=jwcart2@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.