SELinux Security Module development
 help / color / mirror / Atom feed
From: Petr Lautrbach <plautrba@redhat.com>
To: "Stephen Smalley" <stephen.smalley.work@gmail.com>,
	"Christian Göttsche" <cgzones@googlemail.com>
Cc: selinux@vger.kernel.org, jwcart2@gmail.com, omosnace@redhat.com,
	Pepper Gray <hello@peppergray.xyz>
Subject: Re: [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS
Date: Mon, 15 Jun 2026 10:58:00 +0200	[thread overview]
Message-ID: <875x3kmb8n.fsf@redhat.com> (raw)
In-Reply-To: <CAEjxPJ4hhWE_9wAywrdPT4UdUJt9cgo6=ckH6_4=2gnxuET6UA@mail.gmail.com>

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Thu, Jun 11, 2026 at 2:50 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
>>
>> On Thu, 11 Jun 2026 at 15:10, Stephen Smalley
>> <stephen.smalley.work@gmail.com> wrote:
>> >
>> > commit 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> > introduced a matchpathcon_filespec_add64 symbol for certain 32-bit
>> > configurations but added it to libselinux.map. This was benign under
>> > GNU ld but breaks lld due to differing defaults for
>> > --no-undefined-version. Add --undefined-version to LD_SONAME_FLAGS to
>> > avoid breakage when building with lld.
>> >
>> > Fix: #512
>> > Fix: #513
>> > Fixes: 9395cc03226a0 ("Always build for LFS mode on 32-bit archs.")
>> > Reported-by: Pepper Gray <hello@peppergray.xyz>
>> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>>
>> Personally I liked the fallback wrapper definition of
>> matchpathcon_filespec_add64() more...
>
> I don't strongly care either way. See
> https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674610134
> and https://github.com/SELinuxProject/selinux/pull/513#issuecomment-4674659036
> for the argument made against
> adding the wrapper definition.


Could we use libselinux.map.in and generate libselinux.map build time?

Add matchpathcon_filespec_add64@LIBSELINUX_3.8 symbol when bits are lower than
64, add  matchpathcon_filespec_add@LIBSELINUX_3.8 when bits are 64


Something like the patch bellow. Would it be too complicated?

1. convert .map to map.in
$ sed 's/matchpathcon_filespec_add64/@matchpathcon_filespec_add64@/' libselinux/src/libselinux.map > libselinux/src/libselinux.map.in

2.

diff --git a/libselinux/Makefile b/libselinux/Makefile
index aeede2b56e8e..f397967657bf 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -39,6 +39,8 @@ ifeq ($(USE_LFS),y)
 	LFS_CFLAGS := -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
 endif
 export LFS_CFLAGS
+LONG_BIT := $(shell getconf LONG_BIT)
+export LONG_BIT
 
 OS := $(shell uname)
 export OS
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 9982faada9ef..5cb104fe5576 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -158,11 +158,18 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
 $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -L. -fPIC -shared -o $@ $^ -lselinux $(RUBYLIBS)
 
+libselinux.map: libselinux.map.in
+	if [ ${LONG_BIT} -lt 64 ]; then \
+		sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add64/' < $< > $@; \
+	else \
+	    sed 's/@matchpathcon_filespec_add64@/matchpathcon_filespec_add/' < $< > $@; \
+	fi
+
 $(LIBA): $(OBJS)
 	$(AR) rcs $@ $^
 	$(RANLIB) $@
 
-$(LIBSO): $(LOBJS)
+$(LIBSO): $(LOBJS) | libselinux.map
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -fPIC -shared -o $@ $^ $(PCRE_LDLIBS) $(FTS_LDLIBS) -ldl -Wl,$(LD_SONAME_FLAGS)
 	ln -sf $@ $(TARGET)
 
@@ -212,7 +219,7 @@ clean-rubywrap:
 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
 
 clean: clean-pywrap clean-rubywrap
-	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
+	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) libselinux.map *.o *.lo *~
 
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map.in
similarity index 99%
rename from libselinux/src/libselinux.map
rename to libselinux/src/libselinux.map.in
index 95cd53b043c2..9a1b1736aca8 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map.in
@@ -255,7 +255,7 @@ LIBSELINUX_3.5 {
 
 LIBSELINUX_3.8 {
   global:
-    matchpathcon_filespec_add64;
+    @matchpathcon_filespec_add64@;
 } LIBSELINUX_3.5;
 
 LIBSELINUX_3.9 {


  reply	other threads:[~2026-06-15  8:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 13:03 [PATCH] libselinux: add --undefined-version to LD_SONAME_FLAGS Stephen Smalley
2026-06-11 18:50 ` Christian Göttsche
2026-06-11 19:34   ` Stephen Smalley
2026-06-15  8:58     ` Petr Lautrbach [this message]
2026-06-15 12:18       ` Stephen Smalley
2026-06-15 16:51         ` Petr Lautrbach

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=875x3kmb8n.fsf@redhat.com \
    --to=plautrba@redhat.com \
    --cc=cgzones@googlemail.com \
    --cc=hello@peppergray.xyz \
    --cc=jwcart2@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox