Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS

SELinux Security Module development
 help / color / mirror / Atom feed

From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
	selinux@vger.kernel.org, jwcart2@gmail.com, omosnace@redhat.com,
	"Pepper Gray" <hello@peppergray.xyz>
Subject: Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS
Date: Mon, 15 Jun 2026 18:51:24 +0200	[thread overview]
Message-ID: <871pe7n3w3.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ7K-TankL0uBE10mapBCh++SCkSNn4xx7ZEXa4UzuKT_g@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Mon, Jun 15, 2026 at 4:58 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Thu, Jun 11, 2026 at 2:50 PM Christian Göttsche
>> > <cgzones@googlemail.com> wrote:
>> >>
>> >> On Thu, 11 Jun 2026 at 15:10, Stephen Smalley
>> >> <stephen.smalley.work@gmail.com> wrote:
>> >> >
>> >> > commit 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> >> > introduced a matchpathcon_filespec_add64 symbol for certain 32-bit
>> >> > configurations but added it to libselinux.map. This was benign under
>> >> > GNU ld but breaks lld due to differing defaults for
>> >> > --no-undefined-version. Add --undefined-version to LD_SONAME_FLAGS to
>> >> > avoid breakage when building with lld.
>> >> >
>> >> > Fix: #512
>> >> > Fix: #513
>> >> > Fixes: 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> >> > Reported-by: Pepper Gray <hello@peppergray.xyz>
>> >> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>> >>
>> >> Personally I liked the fallback wrapper definition of
>> >> matchpathcon_filespec_add64() more...
>> >
>> > I don't strongly care either way. See
>> > https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674610134
>> > and https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674659036
>> > for the argument made against
>> > adding the wrapper definition.
>>
>>
>> Could we use libselinux.map.in and generate libselinux.map build time?
>>
>> Add matchpathcon_filespec_add64@LIBSELINUX_3.8 symbol when bits are lower than
>> 64, add  matchpathcon_filespec_add@LIBSELINUX_3.8 when bits are 64
>>
>>
>> Something like the patch bellow. Would it be too complicated?
>
> We would need to match the logic used in selinux.h:
> #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && \
>         defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> #define matchpathcon_filespec_add matchpathcon_filespec_add64
> #endif
>
> Yet another option would be to allow overriding of LD_SONAME_FLAGS or
> introduce another Makefile variable that is appended to it that can be
> overridden so that the build system could inject --undefined-version
> when linking with lld.

This would be my preferred solution together with a note in README.md or somewhere.


>>
>> 1. convert .map to map.in
>> $ sed 's/matchpathcon_filespec_add64/@matchpathcon_filespec_add64@/' libselinux/src/libselinux.map > libselinux/src/libselinux.map.in
>>
>> 2.
>>
>> diff --git a/libselinux/Makefile b/libselinux/Makefile
>> index aeede2b56e8e..f397967657bf 100644
>> --- a/libselinux/Makefile
>> +++ b/libselinux/Makefile
>> @@ -39,6 +39,8 @@ ifeq ($(USE_LFS),y)
>>         LFS_CFLAGS := -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
>>  endif
>>  export LFS_CFLAGS
>> +LONG_BIT := $(shell getconf LONG_BIT)
>> +export LONG_BIT
>>
>>  OS := $(shell uname)
>>  export OS
>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
>> index 9982faada9ef..5cb104fe5576 100644
>> --- a/libselinux/src/Makefile
>> +++ b/libselinux/src/Makefile
>> @@ -158,11 +158,18 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
>>  $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
>>         $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -L. -fPIC -shared -o $@ $^ -lselinux $(RUBYLIBS)
>>
>> +libselinux.map: libselinux.map.in
>> +       if [ ${LONG_BIT} -lt 64 ]; then \
>> +               sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add64/' < $< > $@; \
>> +       else \
>> +           sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add/' < $< > $@; \
>> +       fi
>> +
>>  $(LIBA): $(OBJS)
>>         $(AR) rcs $@ $^
>>         $(RANLIB) $@
>>
>> -$(LIBSO): $(LOBJS)
>> +$(LIBSO): $(LOBJS) | libselinux.map
>>         $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -fPIC -shared -o $@ $^ $(PCRE_LDLIBS) $(FTS_LDLIBS) -ldl -Wl,$(LD_SONAME_FLAGS)
>>         ln -sf $@ $(TARGET)
>>
>> @@ -212,7 +219,7 @@ clean-rubywrap:
>>         -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
>>
>>  clean: clean-pywrap clean-rubywrap
>> -       -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
>> +       -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) libselinux.map *.o *.lo *~
>>
>>  distclean: clean
>>         rm -f $(GENERATED) $(SWIGFILES)
>> diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map.in
>> similarity index 99%
>> rename from libselinux/src/libselinux.map
>> rename to libselinux/src/libselinux.map.in
>> index 95cd53b043c2..9a1b1736aca8 100644
>> --- a/libselinux/src/libselinux.map
>> +++ b/libselinux/src/libselinux.map.in
>> @@ -255,7 +255,7 @@ LIBSELINUX_3.5 {
>>
>>  LIBSELINUX_3.8 {
>>    global:
>> -    matchpathcon_filespec_add64;
>> +    @matchpathcon_filespec_add64@;
>>  } LIBSELINUX_3.5;
>>
>>  LIBSELINUX_3.9 {
>>

     prev parent reply	other threads:[~2026-06-15 16:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 13:03 [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS Stephen Smalley
2026-06-11 18:50 ` Christian Göttsche
2026-06-11 19:34   ` Stephen Smalley
2026-06-15  8:58     ` Petr Lautrbach
2026-06-15 12:18       ` Stephen Smalley
2026-06-15 16:51         ` Petr Lautrbach [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871pe7n3w3.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=cgzones@googlemail.com \
    --cc=hello@peppergray.xyz \
    --cc=jwcart2@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox