On Tue, Mar 3, 2020 at 7:57 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@xxxxxxxxx> wrote:
> >
> > Version 4:
> > - Fix linker option warnings.
> > - Move map file to beginning of options.
> >
> > Version 3:
> > - Add more symbols that should be dropped from the dso:
> >   - map_class;
> >   - map_decision;
> >   - map_perm;
> >
> > Version 2:
> > - adds a version to the linker script LIBSELINUX_1.0
> > - Adds a patch to drop some additional symbols from the dso:
> >   - dir_xattr_list
> >   - myprintf_compat
> >   - unmap_class
> >   - unmap_perm
> >
> > This four part patch series drops the dso.h and hidden_*
> > macros.
> >
> > The old dso.h functionality provided libselinux with both control over
> > external exported symbols as well as ensuring internal callers call into
> > libselinux and not a symbol with the same name loaded by the linker
> > earlier in the library list.
> >
> > The functionality is replaced by a linker script that requires public
> > API to explicitly be opt-in. The old method required that internal API
> > be explicitly annotated, and everything else is public. This should help
> > make it easier to control libselinux DSO hygiene going forward.
> >
> > The second functionality is replaced by compiler option
> > -fno-semantic-interposition
> >
> > Note that clang has this enabled by default, and thus doesn't need it.
> >
> > See:
> > - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
> >
> > [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> > [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> > [PATCH v4 3/4] Makefile: add linker script to minimize exports
> > [PATCH v4 4/4] libselinux: drop symbols from map
>
> This looks fine to me but I'd like at least one of the distro
> maintainers to ack it (especially the last one).

FWIW, I scanned all Fedora (32) packages that Require: libselinux using
this script and it seems that nothing is using the symbols mentioned in
patch 4/4 on Fedora:

https://gitlab.com/omos/selinux-misc/-/blob/master/scan_imports.sh

BTW, the same dso.h infrastructure is used also in libsepol and
libsemanage - are there plans to do the same thing for those two?

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
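
The following is an added example, not part of the thread and not the scan_imports.sh script linked above: a minimal way to check whether a dependent binary still imports any symbol that the cover letter lists as dropped from the DSO. The function names are hypothetical, the sample `nm` output is constructed, and the dropped list is assumed to be the seven symbols named in the Version 2 and Version 3 notes.

```shell
#!/bin/sh
# Symbols the cover letter lists as dropped from the libselinux DSO
# (assumption: this is the full set removed by the series).
DROPPED="dir_xattr_list myprintf_compat unmap_class unmap_perm map_class map_decision map_perm"

# Read `nm -D --undefined-only` output on stdin and print every imported
# symbol that is on the dropped list, one per line, sorted and de-duplicated.
# Real use:  nm -D --undefined-only /path/to/binary | dropped_imports
dropped_imports() {
    awk -v dropped="$DROPPED" '
        BEGIN {
            n = split(dropped, d, " ")
            for (i = 1; i <= n; i++) want[d[i]] = 1
        }
        # Undefined entries look like "   U name" or "   U name@VERSION";
        # "w" marks a weak undefined reference.
        NF >= 2 && ($(NF-1) == "U" || $(NF-1) == "w") {
            sym = $NF
            sub(/@.*/, "", sym)      # strip any symbol-version suffix
            if (sym in want) print sym
        }
    ' | sort -u
}

# Constructed sample of `nm -D --undefined-only` output for a hypothetical
# dependent binary; not taken from any real package.
sample_nm_output() {
    cat <<'EOF'
                 U is_selinux_enabled
                 U map_class
                 U freecon@LIBSELINUX_1.0
                 w __gmon_start__
                 U unmap_perm
                 U map_class
EOF
}

# Stand-alone run: list the imports that would no longer resolve.
sample_nm_output | dropped_imports
```

An empty result for every dependent is the condition under which dropping the symbols does not break existing binaries at load time.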