From a03d891cfad40498caa3e14ba44dd641968169dc Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 30 Oct 2020 13:27:17 +0100 Subject: [PATCH] Rebase on db0f2f382e31 at SELinuxProject - drop deprecated functions and duplicated symbols - change library version to libsemanage.so.2 - temporary ship -compat with libsemanage.so.1 - based on upstream db0f2f382e31 - re-enable lto flags --- ...-Remove-legacy-and-duplicate-symbols.patch | 233 ++++++++++++++++++ ...ibsemanage-Drop-deprecated-functions.patch | 100 ++++++++ ...semanage-Bump-libsemanage.so-version.patch | 45 ++++ ...RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch | 6 +- libsemanage.spec | 29 ++- 5 files changed, 403 insertions(+), 10 deletions(-) create mode 100644 0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch create mode 100644 0002-libsemanage-Drop-deprecated-functions.patch create mode 100644 0003-libsemanage-Bump-libsemanage.so-version.patch rename 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch => 0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch (92%) diff --git a/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch b/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch new file mode 100644 index 0000000..14cacc2 --- /dev/null +++ b/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch 
@@ -0,0 +1,233 @@
+From b46406de8a93abe10e685c422597516517c0bff3 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 9 Oct 2020 15:00:50 +0200
+Subject: [PATCH] libsemanage: Remove legacy and duplicate symbols
+
+Versioned duplicate symbols cause problems for LTO. These symbols were
+introduced during the CIL integration several releases ago and were only
+consumed by other SELinux userspace components.
+
+Related: https://github.com/SELinuxProject/selinux/issues/245
+
+Signed-off-by: Petr Lautrbach
+---
+ libsemanage/include/semanage/modules.h | 2 +-
+ libsemanage/src/libsemanage.map | 5 --
+ libsemanage/src/modules.c | 100 +------------------------
+ libsemanage/src/modules.h | 9 +--
+ libsemanage/src/semanageswig_python.i | 2 -
+ 5 files changed, 4 insertions(+), 114 deletions(-)
+
+diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h
+index ac4039314857..b51f61f033d5 100644
+--- a/libsemanage/include/semanage/modules.h
++++ b/libsemanage/include/semanage/modules.h
+@@ -33,7 +33,7 @@ typedef struct semanage_module_key semanage_module_key_t;
+ */
+
+ extern int semanage_module_install(semanage_handle_t *,
+- char *module_data, size_t data_len, char *name, char *ext_lang);
++ char *module_data, size_t data_len, const char *name, const char *ext_lang);
+ extern int semanage_module_install_file(semanage_handle_t *,
+ const char *module_name);
+ extern int semanage_module_remove(semanage_handle_t *, char *module_name);
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 1375a8ca0ea7..4bec06aaae27 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -167,18 +167,13 @@ LIBSEMANAGE_1.0 {
+ semanage_mls_enabled;
+ semanage_module_disable;
+ semanage_module_enable;
+- semanage_module_get_enabled;
+ semanage_module_get_name;
+ semanage_module_get_version;
+ semanage_module_info_datum_destroy;
+- semanage_module_install;
+- semanage_module_install_base;
+- semanage_module_install_base_file;
+ semanage_module_install_file;
+ semanage_module_list;
+ semanage_module_list_nth;
+ semanage_module_remove;
+- semanage_module_upgrade;
+ semanage_module_upgrade_file;
+ semanage_msg_get_channel;
+ semanage_msg_get_fname;
+diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
+index 6d3eb60ae462..8b36801038df 100644
+--- a/libsemanage/src/modules.c
++++ b/libsemanage/src/modules.c
+@@ -42,70 +42,7 @@
+ #include "modules.h"
+ #include "debug.h"
+
+-asm(".symver semanage_module_get_enabled_1_1,semanage_module_get_enabled@@LIBSEMANAGE_1.1");
+-asm(".symver semanage_module_get_enabled_1_0,semanage_module_get_enabled@LIBSEMANAGE_1.0");
+-asm(".symver semanage_module_install_pp,semanage_module_install@LIBSEMANAGE_1.0");
+-asm(".symver semanage_module_install_hll,semanage_module_install@@LIBSEMANAGE_1.1");
+-
+-/* Takes a module stored in 'module_data' and parses its headers.
+- * Sets reference variables 'module_name' to module's name and
+- * 'version' to module's version. The caller is responsible for
+- * free()ing 'module_name' and 'version'; they will be
+- * set to NULL upon entering this function. Returns 0 on success, -1
+- * if out of memory, or -2 if data did not represent a module.
+- */
+-static int parse_module_headers(semanage_handle_t * sh, char *module_data,
+- size_t data_len, char **module_name, char **version)
+-{
+- struct sepol_policy_file *pf;
+- int file_type;
+- *version = NULL;
+-
+- if (sepol_policy_file_create(&pf)) {
+- ERR(sh, "Out of memory!");
+- return -1;
+- }
+- sepol_policy_file_set_mem(pf, module_data, data_len);
+- sepol_policy_file_set_handle(pf, sh->sepolh);
+- if (module_data == NULL ||
+- data_len == 0 ||
+- sepol_module_package_info(pf, &file_type, module_name, version) == -1) {
+- sepol_policy_file_free(pf);
+- ERR(sh, "Could not parse module data.");
+- return -2;
+- }
+- sepol_policy_file_free(pf);
+- if (file_type != SEPOL_POLICY_MOD) {
+- ERR(sh, "Data did not represent a pp module. Please upgrade to the latest version of libsemanage to support hll modules.");
+- return -2;
+- }
+-
+- return 0;
+-}
+-
+-/* This function is used to preserve ABI compatibility with
+- * versions of semodule using LIBSEMANAGE_1.0
+- */
+-int semanage_module_install_pp(semanage_handle_t * sh,
+- char *module_data, size_t data_len)
+-{
+- char *name = NULL;
+- char *version = NULL;
+- int status;
+-
+- if ((status = parse_module_headers(sh, module_data, data_len, &name, &version)) != 0) {
+- goto cleanup;
+- }
+-
+- status = semanage_module_install_hll(sh, module_data, data_len, name, "pp");
+-
+-cleanup:
+- free(name);
+- free(version);
+- return status;
+-}
+-
+-int semanage_module_install_hll(semanage_handle_t * sh,
++int semanage_module_install(semanage_handle_t * sh,
+ char *module_data, size_t data_len, const char *name, const char *ext_lang)
+ {
+ if (sh->funcs->install == NULL) {
+@@ -160,16 +97,6 @@ int semanage_module_extract(semanage_handle_t * sh,
+ return sh->funcs->extract(sh, modkey, extract_cil, mapped_data, data_len, modinfo);
+ }
+
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install instead.
+- */
+-int semanage_module_upgrade(semanage_handle_t * sh,
+- char *module_data, size_t data_len)
+-{
+- return semanage_module_install_pp(sh, module_data, data_len);
+-
+-}
+-
+ /* Legacy function that remains to preserve ABI
+ * compatibility. Please use semanage_module_install_file instead.
+ */
+@@ -179,24 +106,6 @@ int semanage_module_upgrade_file(semanage_handle_t * sh,
+ return semanage_module_install_file(sh, module_name);
+ }
+
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install instead.
+- */
+-int semanage_module_install_base(semanage_handle_t * sh,
+- char *module_data, size_t data_len)
+-{
+- return semanage_module_install_pp(sh, module_data, data_len);
+-}
+-
+-/* Legacy function that remains to preserve ABI
+- * compatibility. Please use semanage_module_install_file instead.
+- */
+-int semanage_module_install_base_file(semanage_handle_t * sh,
+- const char *module_name)
+-{
+- return semanage_module_install_file(sh, module_name);
+-}
+-
+ int semanage_module_remove(semanage_handle_t * sh, char *module_name)
+ {
+ if (sh->funcs->remove == NULL) {
+@@ -780,7 +689,7 @@ int semanage_module_key_set_priority(semanage_handle_t *sh,
+ }
+
+
+-int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
++int semanage_module_get_enabled(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey,
+ int *enabled)
+ {
+@@ -800,11 +709,6 @@ int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
+ return sh->funcs->get_enabled(sh, modkey, enabled);
+ }
+
+-int semanage_module_get_enabled_1_0(semanage_module_info_t *modinfo)
+-{
+- return modinfo->enabled;
+-}
+-
+ int semanage_module_set_enabled(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey,
+ int enabled)
+diff --git a/libsemanage/src/modules.h b/libsemanage/src/modules.h
+index 2d3576fb15df..64d4a157f5ca 100644
+--- a/libsemanage/src/modules.h
++++ b/libsemanage/src/modules.h
+@@ -26,16 +26,9 @@
+
+ #include "semanage/modules.h"
+
+-int semanage_module_install_pp(semanage_handle_t * sh,
+- char *module_data, size_t data_len);
+-int semanage_module_install_hll(semanage_handle_t * sh,
+- char *module_data, size_t data_len, const char *name, const char *ext_lang);
+-int semanage_module_upgrade(semanage_handle_t * sh,
+- char *module_data, size_t data_len);
++
+ int semanage_module_upgrade_file(semanage_handle_t * sh,
+ const char *module_name);
+-int semanage_module_install_base(semanage_handle_t * sh,
+- char *module_data, size_t data_len);
+ int semanage_module_install_base_file(semanage_handle_t * sh,
+ const char *module_name);
+
+diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
+index 8dd79fc24213..5f0113966962 100644
+--- a/libsemanage/src/semanageswig_python.i
++++ b/libsemanage/src/semanageswig_python.i
+@@ -30,8 +30,6 @@
+ %}
+
+ %include "stdint.i"
+-%ignore semanage_module_install_pp;
+-%ignore semanage_module_install_hll;
+
+ %wrapper %{
+
+--
+2.29.0
+
diff --git a/0002-libsemanage-Drop-deprecated-functions.patch b/0002-libsemanage-Drop-deprecated-functions.patch
new file mode 100644
index 0000000..5165e5e
--- /dev/null
+++ b/0002-libsemanage-Drop-deprecated-functions.patch
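Review bot: The `libsemanage/src/modules.h` hunk inside this patch keeps the prototype of `semanage_module_install_base_file` as context, while the `modules.c` hunk deletes its definition and the `libsemanage.map` hunk drops its export, so the internal header is left declaring a function that no longer exists. Nothing in the visible hunks calls it, but a later caller would compile and only fail at link time. Since this file is an upstream patch carried by the package, the fix belongs in the upstream tree: drop the two lines `int semanage_module_install_base_file(semanage_handle_t * sh,` and `const char *module_name);` from `src/modules.h`. Whether `include/semanage/modules.h` still declares the other removed functions cannot be seen here, because its hunk only shows the `semanage_module_install` prototype.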
@@ -0,0 +1,100 @@
+From c08b73d7183e2dbab0ba43c3df32f4214abbc9c6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 9 Oct 2020 15:00:51 +0200
+Subject: [PATCH] libsemanage: Drop deprecated functions
+
+semanage_module_enable() and semanage_module_disable() were deprecated
+by commit 9fbc6d14418f ("libsemanage: add back original module
+enable/disable functions for ABI compatability") in 2014 in order to
+preserve ABI compatibility. As we the libsemanage ABI is changed by the
+previous commit, it makes sense to drop them completely.
+
+Signed-off-by: Petr Lautrbach
+---
+ libsemanage/src/libsemanage.map | 2 --
+ libsemanage/src/modules.c | 56 ---------------------------------
+ 2 files changed, 58 deletions(-)
+
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 4bec06aaae27..3ea7b60f97bb 100644
+--- a/libsemanage/src/libsemanage.map
++++ b/libsemanage/src/libsemanage.map
+@@ -165,8 +165,6 @@ LIBSEMANAGE_1.0 {
+ semanage_is_connected;
+ semanage_is_managed;
+ semanage_mls_enabled;
+- semanage_module_disable;
+- semanage_module_enable;
+ semanage_module_get_name;
+ semanage_module_get_version;
+ semanage_module_info_datum_destroy;
+diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
+index 8b36801038df..b6dd456cac32 100644
+--- a/libsemanage/src/modules.c
++++ b/libsemanage/src/modules.c
+@@ -734,62 +734,6 @@ int semanage_module_set_enabled(semanage_handle_t *sh,
+ }
+
+
+-/* This function exists only for ABI compatibility. It has been deprecated and
+- * should not be used. Instead, use semanage_module_set_enabled() */
+-int semanage_module_enable(semanage_handle_t *sh, char *module_name)
+-{
+- int rc = -1;
+- semanage_module_key_t *modkey = NULL;
+-
+- rc = semanage_module_key_create(sh, &modkey);
+- if (rc != 0)
+- goto exit;
+-
+- rc = semanage_module_key_set_name(sh, modkey, module_name);
+- if (rc != 0)
+- goto exit;
+-
+- rc = semanage_module_set_enabled(sh, modkey, 1);
+- if (rc != 0)
+- goto exit;
+-
+- rc = 0;
+-
+-exit:
+- semanage_module_key_destroy(sh, modkey);
+- free(modkey);
+-
+- return rc;
+-}
+-
+-/* This function exists only for ABI compatibility. It has been deprecated and
+- * should not be used. Instead, use semanage_module_set_enabled() */
+-int semanage_module_disable(semanage_handle_t *sh, char *module_name)
+-{
+- int rc = -1;
+- semanage_module_key_t *modkey = NULL;
+-
+- rc = semanage_module_key_create(sh, &modkey);
+- if (rc != 0)
+- goto exit;
+-
+- rc = semanage_module_key_set_name(sh, modkey, module_name);
+- if (rc != 0)
+- goto exit;
+-
+- rc = semanage_module_set_enabled(sh, modkey, 0);
+- if (rc != 0)
+- goto exit;
+-
+- rc = 0;
+-
+-exit:
+- semanage_module_key_destroy(sh, modkey);
+- free(modkey);
+-
+- return rc;
+-}
+-
+ /* Converts a string to a priority
+ *
+ * returns -1 if str is not a valid priority.
+--
+2.29.0
+
diff --git a/0003-libsemanage-Bump-libsemanage.so-version.patch b/0003-libsemanage-Bump-libsemanage.so-version.patch
new file mode 100644
index 0000000..7520262
--- /dev/null
+++ b/0003-libsemanage-Bump-libsemanage.so-version.patch
@@ -0,0 +1,45 @@
+From 6ebb35d261eaa8701b53b9f68184b05de8dfd868 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 9 Oct 2020 15:00:52 +0200
+Subject: [PATCH] libsemanage: Bump libsemanage.so version
+
+Previous commits removed some symbols and broke ABI, therefore we need to change
+SONAME.
+
+See the following quotes from distribution guidelines:
+
+https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
+
+Every time the shared library ABI changes in a way that may break
+binaries linked against older versions of the shared library, the SONAME
+of the library and the corresponding name for the binary package
+containing the runtime shared library should change.
+
+https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
+
+When new versions of the library are released, you should use an ABI
+comparison tool to check for ABI differences in the built shared
+libraries. If it detects any incompatibilities, bump the n number by
+one.
+
+Signed-off-by: Petr Lautrbach
+---
+ libsemanage/src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
+index a0eb3747d74b..ab6cae51f5c3 100644
+--- a/libsemanage/src/Makefile
++++ b/libsemanage/src/Makefile
+@@ -32,7 +32,7 @@ YACC = bison
+ YFLAGS = -d
+
+ VERSION = $(shell cat ../VERSION)
+-LIBVERSION = 1
++LIBVERSION = 2
+
+ LIBA=libsemanage.a
+ TARGET=libsemanage.so
+--
+2.29.0
+
diff --git a/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch b/0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
similarity index 92%
rename from 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
rename to 0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
index 13dea09..1b6dadb 100644
--- a/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
+++ b/0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
@@ -1,4 +1,4 @@ -From 4a8aa78cd21b400c13b1895c03a97a8974aeff47 Mon Sep 17 00:00:00 2001 +From fc966a746653cc15a14d1e1a80f01fc2f567ee08 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 7 Nov 2018 18:17:34 +0100 Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity @@ -9,7 +9,7 @@ Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 1088a0ac6165..79aa72b98cf5 100644 +index d2b91fb24292..f445cd4d6fb5 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh, @@ -62,5 +62,5 @@ index 1088a0ac6165..79aa72b98cf5 100644 } -- -2.23.0 +2.29.0 diff --git a/libsemanage.spec b/libsemanage.spec index 2abbd60..f6efa54 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -1,5 +1,5 @@ -%define libsepolver 3.1-3 -%define libselinuxver 3.1-2 +%define libsepolver 3.1-4 +%define libselinuxver 3.1-4 Summary: SELinux binary policy manipulation library Name: libsemanage @@ -10,7 +10,10 @@ Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/li # fedora-selinux/selinux: git format-patch -N libsemanage-3.1 -- libsemanage # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch +Patch0001: 0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch +Patch0002: 0002-libsemanage-Drop-deprecated-functions.patch +Patch0003: 0003-libsemanage-Bump-libsemanage.so-version.patch +Patch0004: 0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch # Patch list end URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf 
@@ -51,6 +54,12 @@ Requires: libsemanage-devel%{_isa} = %{version}-%{release} The semanage-static package contains the static libraries needed for developing applications that manipulate binary policies. +%package compat +Summary: Temporary compat libsemanage.so.1 used for transition to libsemanage.so.2 + +%description compat +Temporary compat libsemanage.so.1 used for transition to libsemanage.so.2 + %package devel Summary: Header files and libraries used to build policy manipulation tools Requires: %{name}%{?_isa} = %{version}-%{release} @@ -78,8 +87,6 @@ SELinux management applications. %build -# Disable LTO -%define _lto_cflags %{nil} %set_build_flags CFLAGS="$CFLAGS -fno-semantic-interposition" @@ -124,14 +131,19 @@ InstallPythonWrapper \ $(python3-config --extension-suffix) cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf -ln -sf %{_libdir}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so + +%set_build_flags +CFLAGS="$CFLAGS -fno-semantic-interposition" +sed -i 's/LIBVERSION = 2/LIBVERSION = 1/' src/Makefile +%make_build +cp src/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so.1 %files %{!?_licensedir:%global license %%doc} %license COPYING %dir %{_sysconfdir}/selinux %config(noreplace) %{_sysconfdir}/selinux/semanage.conf -%{_libdir}/libsemanage.so.1 +%{_libdir}/libsemanage.so.2 %{_mandir}/man5/* %{_mandir}/ru/man5/* %dir %{_libexecdir}/selinux @@ -143,6 +155,9 @@ ln -sf %{_libdir}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so %files static %{_libdir}/libsemanage.a +%files compat +%{_libdir}/libsemanage.so.1 + %files devel %{_libdir}/libsemanage.so %{_libdir}/pkgconfig/libsemanage.pc
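Review bot: The compat `libsemanage.so.1` copied at the end of the `@@ -124,14 +131,19 @@` hunk is relinked from the same tree after `sed` flips `LIBVERSION` back to 1, so — assuming patches 0001 and 0002 are applied in %prep, as the patch list suggests — it carries the old SONAME without the symbols those patches remove (`semanage_module_enable`, `semanage_module_upgrade`, the `@LIBSEMANAGE_1.0` versions). A binary still linked against `libsemanage.so.1` would then satisfy its RPM dependency and load, but fail at symbol resolution if it uses one of them, which is the breakage the SONAME bump is meant to make visible up front. If that is accepted for the transition, say so above the `sed` line, e.g. `# compat .so.1 is built from the patched tree: the removed symbols are NOT provided`, and repeat the caveat in the `%description compat` text, which currently only restates the Summary. The rebuild also follows the `cp %{SOURCE1}` step, so it appears to run in %install rather than %build; the section boundaries are outside the hunk.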