From b3e44926634aa84ce0dbe31e61c8fc973e8f0858 Mon Sep 17 00:00:00 2001
From: seuzw <930zhaowei@163.com>
Date: Tue, 22 Sep 2020 23:57:20 +0800
Subject: [PATCH] fix build with libselinux >= 3.1
---
 ...arnings-introduced-in-libselinux-3.1.patch | 126 ++++++++++++++++++
 glibc.spec | 8 +-
 makedb-fix-build-with-libselinux-3.1.patch | 93 +++++++++++++
 3 files changed, 226 insertions(+), 1 deletion(-)
 create mode 100644 Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch
 create mode 100644 makedb-fix-build-with-libselinux-3.1.patch
diff --git a/Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch b/Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch
new file mode 100644
index 0000000..8bcc95b
--- /dev/null
+++ b/Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch
@@ -0,0 +1,126 @@
+From: Aurelien Jarno
+To: libc-alpha@sourceware.org
+Subject: [PATCH] Workaround deprecation warnings introduced in libselinux >= 3.1
+Date: Tue, 21 Jul 2020 22:21:18 +0200
+Message-Id: <20200721202118.300350-1-aurelien@aurel32.net>
+
+------------------------------------------
+glibc doesn't build with libselinux 3.1 that has been released recently
+due to new deprecations introduced in that version and the fact that
+glibc is built with -Werror by default:
+
+| makedb.c: In function ‘set_file_creation_context’:
+| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
+| 849 | security_context_t ctx;
+| | ^~~~~~~~~~~~~~~~~~
+| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
+| 863 | if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+| | ^~
+| In file included from makedb.c:50:
+| /usr/include/selinux/selinux.h:500:12: note: declared here
+| 500 | extern int matchpathcon(const char *path,
+| | ^~~~~~~~~~~~
+| cc1: all warnings being treated as errors
+
+and
+
+| selinux.c: In function ‘nscd_avc_init’:
+| selinux.c:330:3: error: ‘avc_init’ is deprecated: Use avc_open and selinux_set_callback [-Werror=deprecated-declarations]
+| 330 | if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
+| | ^~
+| In file included from selinux.c:31:
+| /usr/include/selinux/avc.h:199:12: note: declared here
+| 199 | extern int avc_init(const char *msgprefix,
+| | ^~~~~~~~
+| selinux.c: In function ‘nscd_request_avc_has_perm’:
+| selinux.c:355:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
+| 355 | security_context_t scon = NULL;
+| | ^~~~~~~~~~~~~~~~~~
+| selinux.c:356:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
+| 356 | security_context_t tcon = NULL;
+| | ^~~~~~~~~~~~~~~~~~
+| selinux.c:419:5: error: ‘sidput’ is deprecated [-Werror=deprecated-declarations]
+| 419 | sidput (ssid);
+| | ^~~~~~
+| In file included from selinux.c:31:
+| /usr/include/selinux/avc.h:83:12: note: declared here
+| 83 | extern int sidput(security_id_t sid)
+| | ^~~~~~
+| selinux.c:421:5: error: ‘sidput’ is deprecated [-Werror=deprecated-declarations]
+| 421 | sidput (tsid);
+| | ^~~~~~
+| In file included from selinux.c:31:
+| /usr/include/selinux/avc.h:83:12: note: declared here
+| 83 | extern int sidput(security_id_t sid)
+| | ^~~~~~
+| cc1: all warnings being treated as errors
+
+This patch workarounds the issue until the deprecated code is
+rewritten. #pragma GCC diagnostic annotations are used to disable
+-Wdeprecated-declarations warning in the problematic functions. This is
+probably the safest option for stable releases to avoid introducing
+regressions.
+---
+ nscd/selinux.c | 6 ++++++
+ nss/makedb.c | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/nscd/selinux.c b/nscd/selinux.c
+index a4ea8008e20..0411e0f7fdf 100644
+--- a/nscd/selinux.c
++++ b/nscd/selinux.c
+@@ -322,6 +322,8 @@ avc_free_lock (void *lock)
+
+ /* Initialize the user space access vector cache (AVC) for NSCD along with
+ log/thread/lock callbacks. */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ void
+ nscd_avc_init (void)
+ {
+@@ -335,6 +337,7 @@ nscd_avc_init (void)
+ audit_init ();
+ #endif
+ }
++#pragma GCC diagnostic pop
+
+
+ /* Check the permission from the caller (via getpeercon) to nscd.
+@@ -348,6 +351,8 @@ nscd_avc_init (void)
+ use security_deny_unknown to determine what to do if selinux-policy* doesn't
+ have a definition for the the permission or object class we are looking
+ up. */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ int
+ nscd_request_avc_has_perm (int fd, request_type req)
+ {
+@@ -422,6 +427,7 @@ out:
+
+ return rc;
+ }
++#pragma GCC diagnostic pop
+
+
+ /* Wrapper to get AVC statistics. */
+diff --git a/nss/makedb.c b/nss/makedb.c
+index 8e389a16837..7a365894cec 100644
+--- a/nss/makedb.c
++++ b/nss/makedb.c
+@@ -842,6 +842,8 @@ print_database (int fd)
+
+
+ #ifdef HAVE_SELINUX
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ static void
+ set_file_creation_context (const char *outname, mode_t mode)
+ {
+@@ -883,6 +885,7 @@ set_file_creation_context (const char *outname, mode_t mode)
+ /* Close the file contexts backend. */
+ selabel_close(label_hnd);
+ }
++#pragma GCC diagnostic pop
+
+ static void
+ reset_file_creation_context (void)
diff --git a/glibc.spec b/glibc.spec
index fdabe35..604d53f 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 44
+Release: 45
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -91,6 +91,8 @@ Patch14: Fix-memory-leak-in-__printf_fp_l-bug-26215.patch
 Patch15: Fix-CVE-2020-6096-001.patch
 Patch16: Fix-CVE-2020-6096-002.patch
 Patch17: backport-Correct-locking-and-cancellation-cleanup-in-syslog-functions.patch
+Patch18: makedb-fix-build-with-libselinux-3.1.patch
+Patch19: Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
@@ -1086,6 +1088,10 @@ fi
 %doc hesiod/README.hesiod
 %changelog
+* Tue Sep 22 2020 zhaowei - 2.28-45
+- fix bug 965941: fix build with libselinux >= 3.1
+- origin bugzilla link is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965941
+
 * Tue Sep 12 2020 liqingqing_1229 - 2.28-44
 - fix bug 26100: correct locking and cancellation cleanup in syslog functions.
 - origin bugzilla link is https://sourceware.org/bugzilla/show_bug.cgi?id=26100
diff --git a/makedb-fix-build-with-libselinux-3.1.patch b/makedb-fix-build-with-libselinux-3.1.patch
new file mode 100644
index 0000000..478dac9
--- /dev/null
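Review bot: The `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` pairs wrap whole functions, including `nscd_request_avc_has_perm`, which the surrounding comment describes as nscd's SELinux permission check, so any deprecated call added there later will also compile without a warning. None of the three push lines carries a comment; I would add one above each, e.g. `/* Temporary: libselinux >= 3.1 deprecates avc_init, security_context_t and sidput; drop once ported to avc_open/selinux_set_callback.  */`, so the suppression is not taken for permanent. In nss/makedb.c the hunk's own context already shows `selabel_close(label_hnd)`, so it appears to apply on top of the selabel_lookup conversion; if that conversion removed every deprecated symbol from `set_file_creation_context`, this push/pop pair suppresses nothing and could be dropped. All three function bodies continue outside the hunks shown.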
+++ b/makedb-fix-build-with-libselinux-3.1.patch 
@@ -0,0 +1,93 @@
+From: Aurelien Jarno
+To: libc-alpha@sourceware.org
+Subject: [PATCH] makedb: fix build with libselinux >= 3.1
+Date: Tue, 21 Jul 2020 07:01:16 +0200
+Message-Id: <20200721050115.204181-1-aurelien@aurel32.net>
+URL: http://patchwork.sourceware.org/project/glibc/patch/20200721050115.204181-1-aurelien@aurel32.net/
+
+--------------------------------------------------------------------
+glibc doesn't build with libselinux 3.1 that has been released recently
+due to new deprecations introduced in that version and the fact that
+glibc is built with -Werror by default:
+
+| makedb.c: In function ‘set_file_creation_context’:
+| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
+| 849 | security_context_t ctx;
+| | ^~~~~~~~~~~~~~~~~~
+| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
+| 863 | if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+| | ^~
+| In file included from makedb.c:50:
+| /usr/include/selinux/selinux.h:500:12: note: declared here
+| 500 | extern int matchpathcon(const char *path,
+| | ^~~~~~~~~~~~
+| cc1: all warnings being treated as errors
+
+This patch is an attempt to fix that. It has only built tested, as I do
+not have a system nor the knowledge to test that. I have checked that
+the functions used as replacement are available since at least selinux
+2.0.96, released more than 10 years ago, so we probably do not need any
+version check in the configure script.
+---
+ nss/makedb.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+I believe this patch is not acceptable for glibc 2.32, I guess we should
+just add a #pragma to ignore -Werror=deprecated-declarations in that
+file.
+
+Note: there is the same issue in nscd/selinux.c. I plan to have a look
+once we settle on a strategy.
+
+diff --git a/nss/makedb.c b/nss/makedb.c
+index 8e389a16837..a5c4b521172 100644
+--- a/nss/makedb.c
++++ b/nss/makedb.c
+@@ -47,6 +47,7 @@
+
+ /* SELinux support. */
+ #ifdef HAVE_SELINUX
++# include
+ # include
+ #endif
+
+@@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode)
+ {
+ static int enabled;
+ static int enforcing;
+- security_context_t ctx;
++ struct selabel_handle *label_hnd = NULL;
++ char* ctx;
+
+ /* Check if SELinux is enabled, and remember. */
+ if (enabled == 0)
+@@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode)
+ if (enforcing == 0)
+ enforcing = security_getenforce () ? 1 : -1;
+
++ /* Open the file contexts backend. */
++ label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ if (!label_hnd)
++ if (setfscreatecon (ctx) != 0)
++ error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
++ gettext ("cannot initialize SELinux context"));
++
+ /* Determine the context which the file should have. */
+ ctx = NULL;
+- if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
++ if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL)
+ {
+ if (setfscreatecon (ctx) != 0)
+ error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+@@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode)
+ outname);
+
+ freecon (ctx);
++ selabel_close(label_hnd);
+ }
++
++ /* Close the file contexts backend. */
++ selabel_close(label_hnd);
+ }
+
+ static void
-- Gitee
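Review bot: In the nested `@@ -858,9 +860,16 @@` hunk the `selabel_open` failure branch calls `setfscreatecon (ctx)` before `ctx` has been assigned (`ctx = NULL;` only follows a few lines later), so an indeterminate pointer is handed to libselinux, and execution then falls through to `selabel_lookup` with a NULL `label_hnd`. The `@@ -868,7 +877,11 @@` hunk also adds `selabel_close(label_hnd)` inside the success branch and again unconditionally after it, so the handle is closed twice whenever the lookup succeeds; since `selabel_close` releases the handle, that is a double free. The failure branch should only report the error and return, and the handle should be closed once at the end, as sketched below; the start of `set_file_creation_context` lies outside these hunks. The patch description itself says the change was only build-tested, so a run of makedb on an SELinux-enabled system is worth asking for before this ships.

```c
  /* Open the file contexts backend.  */
  label_hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0);
  if (label_hnd == NULL)
    {
      /* error () returns when its status argument is 0 (not enforcing),
         so leave explicitly rather than look up with a NULL handle.  */
      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
             gettext ("cannot initialize SELinux context"));
      return;
    }

  /* … unchanged: ctx = NULL, selabel_lookup and setfscreatecon … */

      freecon (ctx);
    }

  /* Close the file contexts backend, once, on every path that opened it.  */
  selabel_close (label_hnd);
```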