On Fri, Feb 28, 2020 at 2:59 PM William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> On Fri, Feb 28, 2020 at 7:50 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@xxxxxxxxx> wrote:
> > >
> > > From: William Roberts <william.c.roberts@xxxxxxxxx>
> > >
> > > Add -fno-semantic-interposition to CFLAGS. This will restore
> > > the DSO infrastructure's protections to ensure internal callers
> > > of exported symbols call into libselinux and not something loading first
> > > in the library list.
> > >
> > > Clang has this enabled by default.
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@xxxxxxxxx>
> >
> > I'm fine with this but since Nicolas pointed out the option of using
> > -Bsymbolic to the linker as an alternative to hidden_def/hidden_proto in
> > https://github.com/SELinuxProject/selinux/issues/204#issuecomment-591092288
> > I was wondering how they differ. I guess -Bsymbolic only affects the
> > linker while -fno-semantic-interposition
> > permits the compiler to further optimize the code.
>
> That's my understanding of the difference as well. -B is only link
> time, so the compiler can't really optimize the calls, but IIUC the
> compiler can only optimize what's in the compilation unit, so it can
> only optimize call sites for calls within the compilation unit.
>
> -B also only works for ELF builds, so we would conditionally need to
> modify LDFLAGS based on host type. The compiler option is just a
> clang/gcc split, which is already there. To go to symbolic we would
> have to conditionally set that... a tad bit more work :-p

I am not very familiar with -Bsymbolic and did not know about
-fno-semantic-interposition before a few days ago. As far as I
understand, -Bsymbolic puts an entry of type "SYMBOLIC" in the dynamic
section of the .so file, which changes the behavior of the dynamic
linker at link time without modifying anything in the build-time
linking process. It is only compatible with ELF files and seems quite
uncommon.

With this in mind, -fno-semantic-interposition seems more powerful and
better suited for what we want to achieve (to optimize the
compilation). I agree with the approach of this patchset and would
have given an Acked-By if there weren't an issue with "-z,relro-Wl" ;)

Thanks for working on this!
Nicolas