Accepting request 814134 from home:pmonrealgonzalez:branches:security:SELinux

- Fix build with LTO: [bsc#1133102] * Enable LTO (Link Time Optimization) and build with -ffat-lto-objects * Update map file to include new symbols and remove wildcards - Add libsemanage-update-map-file.patch - Fix build with LTO: [bsc#1133102] * Enable LTO (Link Time Optimization) * Update map file to include new symbols and remove wildcards - Add libsemanage-update-map-file.patch OBS-URL: https://build.opensuse.org/request/show/814134 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsemanage?expand=0&rev=82
2020-06-15 07:22:03 +00:00 · 2020-06-15 07:22:03 +00:00 · 23f21e2372
commit 23f21e2372
parent e8e279ff6b
5 changed files with 433 additions and 4 deletions
--- a/libsemanage-update-map-file.patch
+++ b/libsemanage-update-map-file.patch
@ -0,0 +1,409 @@
+From 3fc08f8908571195dfaac7d3179504873f37b4c0 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Mon, 23 Mar 2020 11:52:33 -0500
+Subject: [PATCH] libsemanage: update linker script
+
+With the old hidden_def and hidden_proto DSO infrastructure removed,
+correctness of the map file becomes paramount, as it is what filters out
+public API. Because of this, the wild cards should not be used, as it
+lets some functions through that should not be made public API. Thus
+remove the wild cards, and sort the list.
+
+Additionally, verify that nothing changed in external symbols as well:
+
+This was checked by generating an old export map (from master):
+nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
+
+Then creating a new one for this library after this patch is applied:
+nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
+
+And diffing them:
+diff old.map new.map
+
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ libsemanage/src/libsemanage.map | 372 +++++++++++++++++++++++++++++---
+ 1 file changed, 345 insertions(+), 27 deletions(-)
+
+diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
+index 020366967..e1861ccbe 100644
+--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
+@@ -1,31 +1,349 @@
+ LIBSEMANAGE_1.0 {
+-  global: semanage_handle_create; semanage_handle_destroy; 
+-          semanage_is_managed; semanage_connect; semanage_disconnect; 
+-	  semanage_msg_*;
+-          semanage_begin_transaction; semanage_commit;
+-	  semanage_module_install; semanage_module_install_file;
+-	  semanage_module_upgrade; semanage_module_upgrade_file;
+-	  semanage_module_install_base; semanage_module_install_base_file;
+-	  semanage_module_enable;
+-	  semanage_module_disable;
+-	  semanage_module_remove;
+-	  semanage_module_list; semanage_module_info_datum_destroy;
+-	  semanage_module_list_nth; semanage_module_get_name;
+-	  semanage_module_get_version; semanage_select_store;
+-	  semanage_module_get_enabled;
+-	  semanage_reload_policy; semanage_set_reload; semanage_set_rebuild;
+-	  semanage_set_root;
+-	  semanage_root;
+-	  semanage_user_*; semanage_bool_*; semanage_seuser_*;
+-	  semanage_iface_*; semanage_port_*; semanage_context_*;
+-	  semanage_ibpkey_*;
+-	  semanage_ibendport_*;
+-	  semanage_node_*;
+-	  semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
+-	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
+-	  semanage_mls_enabled;
+-	  semanage_set_check_contexts;
+-	  semanage_get_preserve_tunables; semanage_set_preserve_tunables;
+  global:
+    semanage_access_check;
+    semanage_begin_transaction;
+    semanage_bool_clone;
+    semanage_bool_compare;
+    semanage_bool_compare2;
+    semanage_bool_count;
+    semanage_bool_count_active;
+    semanage_bool_count_local;
+    semanage_bool_create;
+    semanage_bool_del_local;
+    semanage_bool_exists;
+    semanage_bool_exists_active;
+    semanage_bool_exists_local;
+    semanage_bool_free;
+    semanage_bool_get_name;
+    semanage_bool_get_value;
+    semanage_bool_iterate;
+    semanage_bool_iterate_active;
+    semanage_bool_iterate_local;
+    semanage_bool_key_create;
+    semanage_bool_key_extract;
+    semanage_bool_key_free;
+    semanage_bool_list;
+    semanage_bool_list_active;
+    semanage_bool_list_local;
+    semanage_bool_modify_local;
+    semanage_bool_query;
+    semanage_bool_query_active;
+    semanage_bool_query_local;
+    semanage_bool_set_active;
+    semanage_bool_set_name;
+    semanage_bool_set_value;
+    semanage_commit;
+    semanage_connect;
+    semanage_context_clone;
+    semanage_context_create;
+    semanage_context_free;
+    semanage_context_from_string;
+    semanage_context_get_mls;
+    semanage_context_get_role;
+    semanage_context_get_type;
+    semanage_context_get_user;
+    semanage_context_set_mls;
+    semanage_context_set_role;
+    semanage_context_set_type;
+    semanage_context_set_user;
+    semanage_context_to_string;
+    semanage_disconnect;
+    semanage_fcontext_clone;
+    semanage_fcontext_compare;
+    semanage_fcontext_compare2;
+    semanage_fcontext_count;
+    semanage_fcontext_count_local;
+    semanage_fcontext_create;
+    semanage_fcontext_del_local;
+    semanage_fcontext_exists;
+    semanage_fcontext_exists_local;
+    semanage_fcontext_free;
+    semanage_fcontext_get_con;
+    semanage_fcontext_get_expr;
+    semanage_fcontext_get_type;
+    semanage_fcontext_get_type_str;
+    semanage_fcontext_iterate;
+    semanage_fcontext_iterate_local;
+    semanage_fcontext_key_create;
+    semanage_fcontext_key_extract;
+    semanage_fcontext_key_free;
+    semanage_fcontext_list;
+    semanage_fcontext_list_homedirs;
+    semanage_fcontext_list_local;
+    semanage_fcontext_modify_local;
+    semanage_fcontext_query;
+    semanage_fcontext_query_local;
+    semanage_fcontext_set_con;
+    semanage_fcontext_set_expr;
+    semanage_fcontext_set_type;
+    semanage_get_default_priority;
+    semanage_get_disable_dontaudit;
+    semanage_get_hll_compiler_path;
+    semanage_get_ignore_module_cache;
+    semanage_get_preserve_tunables;
+    semanage_handle_create;
+    semanage_handle_destroy;
+    semanage_ibendport_clone;
+    semanage_ibendport_compare;
+    semanage_ibendport_compare2;
+    semanage_ibendport_count;
+    semanage_ibendport_count_local;
+    semanage_ibendport_create;
+    semanage_ibendport_del_local;
+    semanage_ibendport_exists;
+    semanage_ibendport_exists_local;
+    semanage_ibendport_free;
+    semanage_ibendport_get_con;
+    semanage_ibendport_get_ibdev_name;
+    semanage_ibendport_get_port;
+    semanage_ibendport_iterate;
+    semanage_ibendport_iterate_local;
+    semanage_ibendport_key_create;
+    semanage_ibendport_key_extract;
+    semanage_ibendport_key_free;
+    semanage_ibendport_list;
+    semanage_ibendport_list_local;
+    semanage_ibendport_modify_local;
+    semanage_ibendport_query;
+    semanage_ibendport_query_local;
+    semanage_ibendport_set_con;
+    semanage_ibendport_set_ibdev_name;
+    semanage_ibendport_set_port;
+    semanage_ibpkey_clone;
+    semanage_ibpkey_compare;
+    semanage_ibpkey_compare2;
+    semanage_ibpkey_count;
+    semanage_ibpkey_count_local;
+    semanage_ibpkey_create;
+    semanage_ibpkey_del_local;
+    semanage_ibpkey_exists;
+    semanage_ibpkey_exists_local;
+    semanage_ibpkey_free;
+    semanage_ibpkey_get_con;
+    semanage_ibpkey_get_high;
+    semanage_ibpkey_get_low;
+    semanage_ibpkey_get_subnet_prefix;
+    semanage_ibpkey_get_subnet_prefix_bytes;
+    semanage_ibpkey_iterate;
+    semanage_ibpkey_iterate_local;
+    semanage_ibpkey_key_create;
+    semanage_ibpkey_key_extract;
+    semanage_ibpkey_key_free;
+    semanage_ibpkey_list;
+    semanage_ibpkey_list_local;
+    semanage_ibpkey_modify_local;
+    semanage_ibpkey_query;
+    semanage_ibpkey_query_local;
+    semanage_ibpkey_set_con;
+    semanage_ibpkey_set_pkey;
+    semanage_ibpkey_set_range;
+    semanage_ibpkey_set_subnet_prefix;
+    semanage_ibpkey_set_subnet_prefix_bytes;
+    semanage_iface_clone;
+    semanage_iface_compare;
+    semanage_iface_compare2;
+    semanage_iface_count;
+    semanage_iface_count_local;
+    semanage_iface_create;
+    semanage_iface_del_local;
+    semanage_iface_exists;
+    semanage_iface_exists_local;
+    semanage_iface_free;
+    semanage_iface_get_ifcon;
+    semanage_iface_get_msgcon;
+    semanage_iface_get_name;
+    semanage_iface_iterate;
+    semanage_iface_iterate_local;
+    semanage_iface_key_create;
+    semanage_iface_key_extract;
+    semanage_iface_key_free;
+    semanage_iface_list;
+    semanage_iface_list_local;
+    semanage_iface_modify_local;
+    semanage_iface_query;
+    semanage_iface_query_local;
+    semanage_iface_set_ifcon;
+    semanage_iface_set_msgcon;
+    semanage_iface_set_name;
+    semanage_is_connected;
+    semanage_is_managed;
+    semanage_mls_enabled;
+    semanage_module_disable;
+    semanage_module_enable;
+    semanage_module_extract;
+    semanage_module_get_enabled;
+    semanage_module_get_module_info;
+    semanage_module_get_name;
+    semanage_module_get_version;
+    semanage_module_info_create;
+    semanage_module_info_datum_destroy;
+    semanage_module_info_destroy;
+    semanage_module_info_get_enabled;
+    semanage_module_info_get_lang_ext;
+    semanage_module_info_get_name;
+    semanage_module_info_get_priority;
+    semanage_module_info_set_enabled;
+    semanage_module_info_set_lang_ext;
+    semanage_module_info_set_name;
+    semanage_module_info_set_priority;
+    semanage_module_install;
+    semanage_module_install_base;
+    semanage_module_install_base_file;
+    semanage_module_install_file;
+    semanage_module_install_info;
+    semanage_module_key_create;
+    semanage_module_key_destroy;
+    semanage_module_key_get_name;
+    semanage_module_key_get_priority;
+    semanage_module_key_set_name;
+    semanage_module_key_set_priority;
+    semanage_module_list;
+    semanage_module_list_all;
+    semanage_module_list_nth;
+    semanage_module_remove;
+    semanage_module_remove_key;
+    semanage_module_set_enabled;
+    semanage_module_upgrade;
+    semanage_module_upgrade_file;
+    semanage_msg_get_channel;
+    semanage_msg_get_fname;
+    semanage_msg_get_level;
+    semanage_msg_set_callback;
+    semanage_node_clone;
+    semanage_node_compare;
+    semanage_node_compare2;
+    semanage_node_count;
+    semanage_node_count_local;
+    semanage_node_create;
+    semanage_node_del_local;
+    semanage_node_exists;
+    semanage_node_exists_local;
+    semanage_node_free;
+    semanage_node_get_addr;
+    semanage_node_get_addr_bytes;
+    semanage_node_get_con;
+    semanage_node_get_mask;
+    semanage_node_get_mask_bytes;
+    semanage_node_get_proto;
+    semanage_node_get_proto_str;
+    semanage_node_iterate;
+    semanage_node_iterate_local;
+    semanage_node_key_create;
+    semanage_node_key_extract;
+    semanage_node_key_free;
+    semanage_node_list;
+    semanage_node_list_local;
+    semanage_node_modify_local;
+    semanage_node_query;
+    semanage_node_query_local;
+    semanage_node_set_addr;
+    semanage_node_set_addr_bytes;
+    semanage_node_set_con;
+    semanage_node_set_mask;
+    semanage_node_set_mask_bytes;
+    semanage_node_set_proto;
+    semanage_port_clone;
+    semanage_port_compare;
+    semanage_port_compare2;
+    semanage_port_count;
+    semanage_port_count_local;
+    semanage_port_create;
+    semanage_port_del_local;
+    semanage_port_exists;
+    semanage_port_exists_local;
+    semanage_port_free;
+    semanage_port_get_con;
+    semanage_port_get_high;
+    semanage_port_get_low;
+    semanage_port_get_proto;
+    semanage_port_get_proto_str;
+    semanage_port_iterate;
+    semanage_port_iterate_local;
+    semanage_port_key_create;
+    semanage_port_key_extract;
+    semanage_port_key_free;
+    semanage_port_list;
+    semanage_port_list_local;
+    semanage_port_modify_local;
+    semanage_port_query;
+    semanage_port_query_local;
+    semanage_port_set_con;
+    semanage_port_set_port;
+    semanage_port_set_proto;
+    semanage_port_set_range;
+    semanage_reload_policy;
+    semanage_root;
+    semanage_select_store;
+    semanage_set_check_contexts;
+    semanage_set_create_store;
+    semanage_set_default_priority;
+    semanage_set_disable_dontaudit;
+    semanage_set_ignore_module_cache;
+    semanage_set_preserve_tunables;
+    semanage_set_rebuild;
+    semanage_set_reload;
+    semanage_set_root;
+    semanage_set_store_root;
+    semanage_seuser_clone;
+    semanage_seuser_compare;
+    semanage_seuser_compare2;
+    semanage_seuser_count;
+    semanage_seuser_count_local;
+    semanage_seuser_create;
+    semanage_seuser_del_local;
+    semanage_seuser_exists;
+    semanage_seuser_exists_local;
+    semanage_seuser_free;
+    semanage_seuser_get_mlsrange;
+    semanage_seuser_get_name;
+    semanage_seuser_get_sename;
+    semanage_seuser_iterate;
+    semanage_seuser_iterate_local;
+    semanage_seuser_key_create;
+    semanage_seuser_key_extract;
+    semanage_seuser_key_free;
+    semanage_seuser_list;
+    semanage_seuser_list_local;
+    semanage_seuser_modify_local;
+    semanage_seuser_query;
+    semanage_seuser_query_local;
+    semanage_seuser_set_mlsrange;
+    semanage_seuser_set_name;
+    semanage_seuser_set_sename;
+    semanage_user_add_role;
+    semanage_user_clone;
+    semanage_user_compare;
+    semanage_user_compare2;
+    semanage_user_count;
+    semanage_user_count_local;
+    semanage_user_create;
+    semanage_user_del_local;
+    semanage_user_del_role;
+    semanage_user_exists;
+    semanage_user_exists_local;
+    semanage_user_free;
+    semanage_user_get_mlslevel;
+    semanage_user_get_mlsrange;
+    semanage_user_get_name;
+    semanage_user_get_num_roles;
+    semanage_user_get_prefix;
+    semanage_user_get_roles;
+    semanage_user_has_role;
+    semanage_user_iterate;
+    semanage_user_iterate_local;
+    semanage_user_key_create;
+    semanage_user_key_extract;
+    semanage_user_key_free;
+    semanage_user_list;
+    semanage_user_list_local;
+    semanage_user_modify_local;
+    semanage_user_query;
+    semanage_user_query_local;
+    semanage_user_set_mlslevel;
+    semanage_user_set_mlsrange;
+    semanage_user_set_name;
+    semanage_user_set_prefix;
+    semanage_user_set_roles;
+   local: *;
+ };
+ 
--- a/libsemanage.changes
+++ b/libsemanage.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun 12 09:07:31 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Fix build with LTO: [bsc#1133102]
+  * Enable LTO (Link Time Optimization) and build with -ffat-lto-objects
+  * Update map file to include new symbols and remove wildcards
+- Add libsemanage-update-map-file.patch
+
 -------------------------------------------------------------------
 Thu Jun  4 09:57:51 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/libsemanage.spec
+++ b/libsemanage.spec
@ -26,6 +26,8 @@ URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
 Source:         https://github.com/SELinuxProject/selinux/releases/download/20191204/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
 Source2:        semanage.conf
+# PATCH-FIX-UPSTREAM bsc#1133102 LTO: Update map file to include new symbols and remove wildcards
+Patch0:         libsemanage-update-map-file.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  fdupes
@ -90,14 +92,14 @@ stores must be migrated before any commands that modify or use the store

 %prep
 %setup -q
+%patch0 -p2
 # Replace /usr/libexec with whatever the distro defines as libexecdir - across all files
 grep /usr/libexec . -rl | xargs sed -i "s|/usr/libexec|%{_libexecdir}|g"

 %build
-%define _lto_cflags %{nil}
 make %{?_smp_mflags} clean
-make -j1 CFLAGS="%{optflags}" CC="gcc"
-make -j1 CFLAGS="%{optflags}" LIBDIR="%{_libdir}" LIBEXECDIR="%{_libexecdir}" SHLIBDIR="%{_lib}" CC="gcc" all
+make -j1 CFLAGS="%{optflags} -ffat-lto-objects" CC="gcc"
+make -j1 CFLAGS="%{optflags} -ffat-lto-objects" LIBDIR="%{_libdir}" LIBEXECDIR="%{_libexecdir}" SHLIBDIR="%{_lib}" CC="gcc" all

 %install
 mkdir -p %{buildroot}/%{_lib}
--- a/python-semanage.changes
+++ b/python-semanage.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun 12 09:07:31 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Fix build with LTO: [bsc#1133102]
+  * Enable LTO (Link Time Optimization)
+  * Update map file to include new symbols and remove wildcards
+- Add libsemanage-update-map-file.patch
+
 -------------------------------------------------------------------
 Thu Jun  4 09:57:51 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/python-semanage.spec
+++ b/python-semanage.spec
@ -26,6 +26,8 @@ Group:          Development/Languages/Python
 URL:            https://github.com/SELinuxProject/selinux
 Source:         https://github.com/SELinuxProject/selinux/releases/download/20191204/libsemanage-%{version}.tar.gz
 Source1:        baselibs.conf
+# PATCH-FIX-UPSTREAM bsc#1133102 LTO: Update map file to include new symbols and remove wildcards
+Patch0:         libsemanage-update-map-file.patch
 BuildRequires:  %{python_module devel}
 BuildRequires:  audit-devel
 BuildRequires:  bison
@ -46,11 +48,11 @@ SELinux policy management applications.

 %prep
 %setup -q -n libsemanage-%{version}
+%patch0 -p2
 # Replace /usr/libexec with whatever the distro defines as libexecdir - across all files
 grep /usr/libexec . -rl | xargs sed -i "s|/usr/libexec|%{_libexecdir}|g"

 %build
-%define _lto_cflags %{nil}
 make %{?_smp_mflags} clean
 %{python_expand # loop over possible pythons
 make -j1 PYTHON=$python CFLAGS="%{optflags}" swigify