| Message ID | pjdmuo8fl9s.fsf@redhat.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | RFC: introduce new library versions for added symbols | expand |
On 1/10/19 12:57 PM, Petr Lautrbach wrote: > I used abi-compliance-checker [1] and compared the latest sources with > 2.8 release [2]. > It looks like there's one symbol added to audit2why.so. audit2why.so needs a .map file or equivalent; it shouldn't be exporting all of the libsepol.a symbols. We don't guarantee ABI or API compatibility for anything not in libsepol.map. > > Then I tried the same thing with 2.7 [3] and 2.6 [4] and noticed that > there were added new symbols even to LIBSEMANAGE_1.0 while since 2.3 > there's already LIBSEMANAGE_1.1. > It's a bug which breaks automatic dependency checking. So I propose > to fix symbol version mappings in order to be in relation with the > release where they was introduced, e.g. for libsemanage: > > diff --git a/libsemanage/src/libsemanage.map > b/libsemanage/src/libsemanage.map > index 02036696..45e90215 100644 > --- a/libsemanage/src/libsemanage.map > +++ b/libsemanage/src/libsemanage.map > @@ -18,8 +18,6 @@ LIBSEMANAGE_1.0 { > semanage_root; > semanage_user_*; semanage_bool_*; semanage_seuser_*; > semanage_iface_*; semanage_port_*; semanage_context_*; > - semanage_ibpkey_*; > - semanage_ibendport_*; > semanage_node_*; > semanage_fcontext_*; semanage_access_check; > semanage_set_create_store; > semanage_is_connected; semanage_get_disable_dontaudit; > semanage_set_disable_dontaudit; > @@ -63,3 +61,19 @@ LIBSEMANAGE_1.1 { > semanage_module_remove_key; > semanage_set_store_root; > } LIBSEMANAGE_1.0; > + > +LIBSEMANAGE_2.5 { > + global: > + semanage_module_extract; > +} LIBSEMANAGE_1.1; > + > +LIBSEMANAGE_2.7 { > + global: > + semanage_ibpkey_*; > + semanage_ibendport_*; > +} LIBSEMANAGE_2.5; > + > +LIBSEMANAGE_2.8 { > + global: > + semanage_fcontext_list_homedirs; > +} LIBSEMANAGE_2.7; > > > If this is acceptable, I would prepare a patch with symbol versions > starting with 2.5 as LIBSEMANAGE_1.1 was introduced in 2.4. Will this break compatibility for binaries built against earlier versions? > > [1] http://lvc.github.io/abi-compliance-checker/ > [2] > https://plautrba.fedorapeople.org/selinux/compat_reports/2.8_to_2.9-rc0/compat_report.html > > [3] > https://plautrba.fedorapeople.org/selinux/compat_reports/2.7_to_2.9-rc0/compat_report.html > > [4] > https://plautrba.fedorapeople.org/selinux/compat_reports/2.6_to_2.9-rc0/compat_report.html > > > Petr
Stephen Smalley <sds@tycho.nsa.gov> writes: > On 1/10/19 12:57 PM, Petr Lautrbach wrote: >> I used abi-compliance-checker [1] and compared the latest >> sources with 2.8 >> release [2]. >> It looks like there's one symbol added to audit2why.so. > > audit2why.so needs a .map file or equivalent; it shouldn't be > exporting all of > the libsepol.a symbols. We don't guarantee ABI or API > compatibility for > anything not in libsepol.map. > I'll prepare a patch for that. >> >> Then I tried the same thing with 2.7 [3] and 2.6 [4] and >> noticed that >> there were added new symbols even to LIBSEMANAGE_1.0 while >> since 2.3 >> there's already LIBSEMANAGE_1.1. >> It's a bug which breaks automatic dependency checking. So I >> propose >> to fix symbol version mappings in order to be in relation with >> the >> release where they was introduced, e.g. for libsemanage: >> >> diff --git a/libsemanage/src/libsemanage.map >> b/libsemanage/src/libsemanage.map >> index 02036696..45e90215 100644 >> --- a/libsemanage/src/libsemanage.map >> +++ b/libsemanage/src/libsemanage.map >> @@ -18,8 +18,6 @@ LIBSEMANAGE_1.0 { >> semanage_root; >> semanage_user_*; semanage_bool_*; semanage_seuser_*; >> semanage_iface_*; semanage_port_*; semanage_context_*; >> - semanage_ibpkey_*; >> - semanage_ibendport_*; >> semanage_node_*; >> semanage_fcontext_*; semanage_access_check; >> semanage_set_create_store; >> semanage_is_connected; semanage_get_disable_dontaudit; >> semanage_set_disable_dontaudit; >> @@ -63,3 +61,19 @@ LIBSEMANAGE_1.1 { >> semanage_module_remove_key; >> semanage_set_store_root; >> } LIBSEMANAGE_1.0; >> + >> +LIBSEMANAGE_2.5 { >> + global: >> + semanage_module_extract; >> +} LIBSEMANAGE_1.1; >> + >> +LIBSEMANAGE_2.7 { >> + global: >> + semanage_ibpkey_*; >> + semanage_ibendport_*; >> +} LIBSEMANAGE_2.5; >> + >> +LIBSEMANAGE_2.8 { >> + global: >> + semanage_fcontext_list_homedirs; >> +} LIBSEMANAGE_2.7; >> >> >> If this is acceptable, I would prepare a patch with symbol >> versions >> starting with 2.5 as LIBSEMANAGE_1.1 was introduced in 2.4. > > Will this break compatibility for binaries built against earlier > versions? I was under impression that is should be enough to list symbols in different versions but it looks like a symbol is assigned only to one/the latest version. # semodule -B semodule: relocation error: /lib64/libsemanage.so.1: symbol sepol_ibendport_modify version LIBSEPOL_1.0 not defined in file libsepol.so.1 with link time reference I'm still investigating this but given that there's only one reported change between the latest and 2.8 and it should be covered by audit2why map file, it probably doesn't make sense to do this change retroactively now. Just for the future we need to keep in mind that new symbols needs new versions in .map files. > >> >> [1] http://lvc.github.io/abi-compliance-checker/ >> [2] >> https://plautrba.fedorapeople.org/selinux/compat_reports/2.8_to_2.9-rc0/compat_report.html >> >> [3] >> https://plautrba.fedorapeople.org/selinux/compat_reports/2.7_to_2.9-rc0/compat_report.html >> >> [4] >> https://plautrba.fedorapeople.org/selinux/compat_reports/2.6_to_2.9-rc0/compat_report.html >> >> >> Petr
On 1/11/19 7:24 AM, Petr Lautrbach wrote: > > Stephen Smalley <sds@tycho.nsa.gov> writes: > >> On 1/10/19 12:57 PM, Petr Lautrbach wrote: >>> I used abi-compliance-checker [1] and compared the latest sources >>> with 2.8 >>> release [2]. >>> It looks like there's one symbol added to audit2why.so. >> >> audit2why.so needs a .map file or equivalent; it shouldn't be >> exporting all of >> the libsepol.a symbols. We don't guarantee ABI or API compatibility for >> anything not in libsepol.map. >> > > I'll prepare a patch for that. Does audit2why.so actually need to export any symbols other than PyInit_audit2why()? It only gets used for audit2why. > >>> >>> Then I tried the same thing with 2.7 [3] and 2.6 [4] and noticed that >>> there were added new symbols even to LIBSEMANAGE_1.0 while since 2.3 >>> there's already LIBSEMANAGE_1.1. >>> It's a bug which breaks automatic dependency checking. So I propose >>> to fix symbol version mappings in order to be in relation with the >>> release where they was introduced, e.g. for libsemanage: >>> >>> diff --git a/libsemanage/src/libsemanage.map >>> b/libsemanage/src/libsemanage.map >>> index 02036696..45e90215 100644 >>> --- a/libsemanage/src/libsemanage.map >>> +++ b/libsemanage/src/libsemanage.map >>> @@ -18,8 +18,6 @@ LIBSEMANAGE_1.0 { >>> semanage_root; >>> semanage_user_*; semanage_bool_*; semanage_seuser_*; >>> semanage_iface_*; semanage_port_*; semanage_context_*; >>> - semanage_ibpkey_*; >>> - semanage_ibendport_*; >>> semanage_node_*; >>> semanage_fcontext_*; semanage_access_check; >>> semanage_set_create_store; >>> semanage_is_connected; semanage_get_disable_dontaudit; >>> semanage_set_disable_dontaudit; >>> @@ -63,3 +61,19 @@ LIBSEMANAGE_1.1 { >>> semanage_module_remove_key; >>> semanage_set_store_root; >>> } LIBSEMANAGE_1.0; >>> + >>> +LIBSEMANAGE_2.5 { >>> + global: >>> + semanage_module_extract; >>> +} LIBSEMANAGE_1.1; >>> + >>> +LIBSEMANAGE_2.7 { >>> + global: >>> + semanage_ibpkey_*; >>> + semanage_ibendport_*; >>> +} LIBSEMANAGE_2.5; >>> + >>> +LIBSEMANAGE_2.8 { >>> + global: >>> + semanage_fcontext_list_homedirs; >>> +} LIBSEMANAGE_2.7; >>> >>> >>> If this is acceptable, I would prepare a patch with symbol versions >>> starting with 2.5 as LIBSEMANAGE_1.1 was introduced in 2.4. >> >> Will this break compatibility for binaries built against earlier >> versions? > > I was under impression that is should be enough to list symbols in > different versions but it looks like a symbol is assigned only to > one/the latest version. > > # semodule -B > semodule: relocation error: /lib64/libsemanage.so.1: symbol > sepol_ibendport_modify version LIBSEPOL_1.0 not defined in file > libsepol.so.1 with link time reference > > I'm still investigating this but given that there's only one reported > change between the latest and 2.8 and it should be covered by audit2why > map file, it probably doesn't make sense to do this change retroactively > now. > > Just for the future we need to keep in mind that new symbols needs new > versions > in .map files. > > > >> >>> >>> [1] http://lvc.github.io/abi-compliance-checker/ >>> [2] >>> https://plautrba.fedorapeople.org/selinux/compat_reports/2.8_to_2.9-rc0/compat_report.html >>> >>> [3] >>> https://plautrba.fedorapeople.org/selinux/compat_reports/2.7_to_2.9-rc0/compat_report.html >>> >>> [4] >>> https://plautrba.fedorapeople.org/selinux/compat_reports/2.6_to_2.9-rc0/compat_report.html >>> >>> >>> Petr >
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map index 02036696..45e90215 100644 --- a/libsemanage/src/libsemanage.map +++ b/libsemanage/src/libsemanage.map @@ -18,8 +18,6 @@ LIBSEMANAGE_1.0 { semanage_root; semanage_user_*; semanage_bool_*; semanage_seuser_*; semanage_iface_*; semanage_port_*; semanage_context_*; - semanage_ibpkey_*; - semanage_ibendport_*; semanage_node_*; semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
I used abi-compliance-checker [1] and compared the latest sources with 2.8 release [2]. It looks like there's one symbol added to audit2why.so. Then I tried the same thing with 2.7 [3] and 2.6 [4] and noticed that there were added new symbols even to LIBSEMANAGE_1.0 while since 2.3 there's already LIBSEMANAGE_1.1. It's a bug which breaks automatic dependency checking. So I propose to fix symbol version mappings in order to be in relation with the release where they was introduced, e.g. for libsemanage: semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit; @@ -63,3 +61,19 @@ LIBSEMANAGE_1.1 { semanage_module_remove_key; semanage_set_store_root; } LIBSEMANAGE_1.0; + +LIBSEMANAGE_2.5 { + global: + semanage_module_extract; +} LIBSEMANAGE_1.1; + +LIBSEMANAGE_2.7 { + global: + semanage_ibpkey_*; + semanage_ibendport_*; +} LIBSEMANAGE_2.5; + +LIBSEMANAGE_2.8 { + global: + semanage_fcontext_list_homedirs; +} LIBSEMANAGE_2.7; If this is acceptable, I would prepare a patch with symbol versions starting with 2.5 as LIBSEMANAGE_1.1 was introduced in 2.4. [1] http://lvc.github.io/abi-compliance-checker/ [2] https://plautrba.fedorapeople.org/selinux/compat_reports/2.8_to_2.9-rc0/compat_report.html [3] https://plautrba.fedorapeople.org/selinux/compat_reports/2.7_to_2.9-rc0/compat_report.html [4] https://plautrba.fedorapeople.org/selinux/compat_reports/2.6_to_2.9-rc0/compat_report.html Petr