linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: linux-audit@redhat.com
Subject: Re: Exported symbols removed in 2.5.2
Date: Tue, 03 May 2016 12:33:40 -0400
Message-ID: <3328409.nvOl5qtXXs@x2>
In-Reply-To: <6c976322-72d3-d934-93c0-9695cbad6862@debian.org>

On Tuesday, May 03, 2016 05:15:01 PM Laurent Bigonville wrote:
> >> +#MISSING: 1:2.5.2-1# audit_send_user_message@Base 1:2.2.1
> >>
> >>     audit_set_backlog_limit@Base 1:2.2.1
> >>     audit_set_backlog_wait_time@Base 1:2.4.2
> >>     audit_set_enabled@Base 1:2.2.1
> >>
> >> Is it expected that these 4 symbols have been removed?
> > 
> > Yes. This corresponds to the changelog entry:
> > 
> > - Revise function hiding technique to better protect audit ABI
> > 
> > > All functions missing are internal to the audit libraries and could cause
> > > symbol collisions or worse if people start using them even though they
> > > are not declared in the library headers.
> 
> In the private.h header file, I can see the following comment:
> 
> // This is the main messaging function used internally
> // Don't hide it, it used to be a part of the public API!
> extern int audit_send_user_message(int fd, int type, hide_t hide_err,
>          const char *message);
> 
> So doesn't this warrant a soname bump then?

The answer is not simple. It was a hidden symbol:

hidden_proto(audit_send_user_message);

But I noticed that this broke at some point because it was hidden in old
releases but then suddenly started being visible. There have been no changes in
the hiding technique since the 1.2 release. My guess is that something changed
in gcc somewhere along the way that broke the hiding technique from Ulrich
Drepper's DSO programming guidelines.

The function was part of the public API in the 1.0.16 release. It was
deprecated/hidden in the 1.2 release which dates to 7-Apr 2006. It's been about
10 years that the function prototype has not been in libaudit.h. I would hope
that a missing prototype message would have been reported and fixed in the last
10 years. I have personally fixed use of the symbol in everything I know of 10
years ago.

The only problem people would have is in very old utilities they wrote a long
time ago, or very old versions of shadow-utils/pam. I wrote a script that
looks for that symbol in all ELF files. I have to test on RHEL 4 to find the
symbol in any programs. So, I think you have a valid concern, but it's been so
long that in practice it has worked itself out.

-Steve
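
The message mentions a script that looks for the symbol in all ELF files but does not include it. The following is an added example of such a check, not the script from the thread and not audit project code: it reads each file's `.dynsym` and reports only undefined (imported) entries, so the library that defines the symbol is not listed. The names `imported_symbols` and `find_users` and the default root `/usr` are assumptions of this example.

```python
import os
import struct
import sys

SHT_DYNSYM, SHN_UNDEF = 11, 0  # ELF section type / "undefined" section index

def imported_symbols(data):
    """Return the undefined (imported) names in the .dynsym of an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return set()
    end = "<" if data[5] == 1 else ">"           # EI_DATA: little or big endian
    # Per-class layout: e_shoff offset, e_shentsize offset, word type, Sym format, Sym size
    shoff_at, num_at, word, symfmt, symsz = (
        (0x28, 0x3A, "Q", "IBBH", 24) if data[4] == 2 else (0x20, 0x2E, "I", "I8xBBH", 16))
    names = set()
    try:
        shoff, = struct.unpack_from(end + word, data, shoff_at)
        shentsize, shnum = struct.unpack_from(end + "HH", data, num_at)
        shdr = end + "II" + word * 4 + "II"      # name,type,flags,addr,offset,size,link,info
        sections = [struct.unpack_from(shdr, data, shoff + i * shentsize) for i in range(shnum)]
        for _, sh_type, _, _, off, size, link, _ in sections:
            if sh_type != SHT_DYNSYM:
                continue
            str_off = sections[link][4]          # sh_link points at the string table
            for pos in range(off, off + size, symsz):
                st_name, _, _, shndx = struct.unpack_from(end + symfmt, data, pos)
                if shndx == SHN_UNDEF and st_name:
                    start = str_off + st_name
                    names.add(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    except (struct.error, IndexError, ValueError):  # truncated or malformed file
        return set()
    return names

def find_users(root, symbol="audit_send_user_message"):
    """Walk root and return the regular files whose dynamic symbols import symbol."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    with open(path, "rb") as fh:
                        if symbol in imported_symbols(fh.read()):
                            hits.append(path)
            except OSError:                      # unreadable file: skip it
                continue
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_users(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(hit)
```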
