From cf4161746d1597e64113e2721a0b5725016afa08 Mon Sep 17 00:00:00 2001 From: Robert Marko Date: Thu, 1 May 2025 21:23:33 +0200 Subject: [PATCH] libselinux: update to 3.8.1 Update libselinux to latest 3.8.1 release. In order to keep building on 32-bit targets with musl, one backport[1] and one patch pending[2] upstream are required. [1] https://github.com/SELinuxProject/selinux/commit/5c3fcbd931b7f9752b5ce29cec3b6813991d61c0 [2] https://lore.kernel.org/selinux/CAP+JOzQBaGv=74tNgczpjZVGpzZo93kxnHXO0isL+TzmOc4byg@mail.gmail.com/T/#t Link: https://github.com/openwrt/openwrt/pull/18674 Signed-off-by: Robert Marko --- package/libs/libselinux/Makefile | 4 +- ...con_filespec_add64-if-defined-__INO_.patch | 75 +++++++++ ...-careful-with-non-portable-LFS-macro.patch | 158 ++++++++++++++++++ 3 files changed, 235 insertions(+), 2 deletions(-) create mode 100644 package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch create mode 100644 package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile index f90d4993c83..9f65f5bf657 100644 --- a/package/libs/libselinux/Makefile +++ b/package/libs/libselinux/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libselinux -PKG_VERSION:=3.5 +PKG_VERSION:=3.8.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=9a3a3705ac13a2ccca2de6d652b6356fead10f36fb33115c185c5ccdf29eec19 +PKG_HASH:=ec2d2789f931152d21c1db1eb4bc202ce4eccede34d9be9e360e3b45243cee2c PKG_LICENSE:=libselinux-1.0 PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch b/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch new file mode 100644 index 00000000000..1f9bc445a08 --- /dev/null +++ b/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch @@ -0,0 +1,75 @@ +From 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= +Date: Thu, 20 Mar 2025 16:55:17 +0100 +Subject: [PATCH] Inject matchpathcon_filespec_add64() if + !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as + proxy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The __INO_T_MATCHES_INO64_T is defined +if ino_t would be the same size as ino64_t +if -D_FILE_OFFSET_BITS=64 were not defined. + +This is /exactly/ what + /* ABI backwards-compatible shim for non-LFS 32-bit systems */ + #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64 +is trying to get at, but currently fails because x32/RV32 are "LFS" +with 32-bit longs and 64-bit time_ts natively. + +Thus, the + static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch"); +assertion fails (__ino_t is the "kernel ino_t" type, +which generally corresponds to the kernel's ulong, which is u64 on x32). + +glibc headers allow us to check the condition we care about directly. + +Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.") +Closes: #463 +Closes: Debian#1098481 +Signed-off-by: наб +Cc: Alba Mendez +Acked-by: James Carter +--- + include/selinux/selinux.h | 2 +- + src/matchpathcon.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +--- a/include/selinux/selinux.h ++++ b/include/selinux/selinux.h +@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char + with the same inode (e.g. due to multiple hard links). If so, then + use the latter of the two specifications based on their order in the + file contexts configuration. Return the used specification index. */ +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64 ++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T) + #define matchpathcon_filespec_add matchpathcon_filespec_add64 + #endif + extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); +--- a/src/matchpathcon.c ++++ b/src/matchpathcon.c +@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, + return -1; + } + +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64 ++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T) + /* alias defined in the public header but we undefine it here */ + #undef matchpathcon_filespec_add + +@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned l + { + return matchpathcon_filespec_add64(ino, specind, file); + } ++#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T) ++ ++static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch"); ++ + #else + +-static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch"); ++static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch"); + + #endif + diff --git a/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch b/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch new file mode 100644 index 00000000000..157703aaf63 --- /dev/null +++ b/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch @@ -0,0 +1,158 @@ +From patchwork Sat Apr 26 15:13:57 2025 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Patchwork-Submitter: Alyssa Ross +X-Patchwork-Id: 14067708 +Received: from fhigh-b7-smtp.messagingengine.com + (fhigh-b7-smtp.messagingengine.com [202.12.124.158]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33F71A31 + for ; Sat, 26 Apr 2025 15:15:54 +0000 (UTC) +Authentication-Results: smtp.subspace.kernel.org; + arc=none smtp.client-ip=202.12.124.158 +ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; + t=1745680559; cv=none; + b=Pq1cEfDSDJ0fkBMv6QVCQI8UUqLnYGihmK9UeuLduv0kwLuwpvD6WOxM/TSLMRIywjgR8gd2c853qlcX7DDrHAnyddbljBfUmT7TClUWm+eES9n51wREeMkgpjwZEvuOCVXfWzMNnBJNztbAVx+10PtGeluwXSHG1odCX/NjgQI= +ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; + s=arc-20240116; t=1745680559; c=relaxed/simple; + bh=pJMDSW9OyFQkw5+mTn23RDQ0ioaHtTd6I+0qBZvmwP4=; + h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; + b=VY6d+x8V7xkeJ2uh/a5R7YERgjbG4KKpSH0LL+z/D5ebQqDoQYyVyuQAhANwGBuFP81lunmLcZc2wMIkhtTTIzrFJyVwMsKJnPT2vLUBI6Um9ow9ZAwrpU3bMzV3KjnKaTZMGAZ87fAstIzB5jJaPIF2rhU9NiBHjpTAn5ofXYo= +ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; + dmarc=none (p=none dis=none) header.from=alyssa.is; + spf=pass smtp.mailfrom=alyssa.is; + dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is + header.b=sVvu9/jU; + dkim=pass (2048-bit key) header.d=messagingengine.com + header.i=@messagingengine.com + header.b=Oe16/9D7; arc=none smtp.client-ip=202.12.124.158 +Authentication-Results: smtp.subspace.kernel.org; + dmarc=none (p=none dis=none) header.from=alyssa.is +Authentication-Results: smtp.subspace.kernel.org; + spf=pass smtp.mailfrom=alyssa.is +Authentication-Results: smtp.subspace.kernel.org; + dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is + header.b="sVvu9/jU"; + dkim=pass (2048-bit key) header.d=messagingengine.com + header.i=@messagingengine.com header.b="Oe16/9D7" +Received: from phl-compute-02.internal (phl-compute-02.phl.internal + [10.202.2.42]) + by mailfhigh.stl.internal (Postfix) with ESMTP id ED5B02540205; + Sat, 26 Apr 2025 11:15:53 -0400 (EDT) +Received: from phl-mailfrontend-02 ([10.202.2.163]) + by phl-compute-02.internal (MEProxy); Sat, 26 Apr 2025 11:15:54 -0400 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc + :cc:content-transfer-encoding:content-type:content-type:date + :date:from:from:in-reply-to:message-id:mime-version:reply-to + :subject:subject:to:to; s=fm2; t=1745680553; x=1745766953; bh=rW + uOFM2rzwdFfxgV2+EnHMjhI780MNjU9R+9eFq8dvg=; b=sVvu9/jU9LemQ6RFQI + DtSKhUj2+dsfX0he1Ov1CofCaTdNc+esuMzB8dGEgQnIY6sfB7FHrPAuDDQaCTEb + Qb0MW0FQNzuTyNO94P8IXvcPEN7XWpcH1UKkWyohOsX/DRQYs8YP/oyrZB7gy8h+ + LPbqcyracjmJriUdC8aesJ3FKHmyQiXY8ka08VFQyiVrksvEwfM7tleNW0mQVrVG + VpHxDigwP71zXB3gHl0ogks6VloaqH0f3EKo1nT19xuzWGcMPKtBrs3jHJFSgy8X + 9+jY/qFSAq6OvItkKnwXf08McbuKVuPnYZrrsVgx3NZFcaCo+tklqEvWJUJCPxnz + BfXw== +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= + messagingengine.com; h=cc:cc:content-transfer-encoding + :content-type:content-type:date:date:feedback-id:feedback-id + :from:from:in-reply-to:message-id:mime-version:reply-to:subject + :subject:to:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= + fm3; t=1745680553; x=1745766953; bh=rWuOFM2rzwdFfxgV2+EnHMjhI780 + MNjU9R+9eFq8dvg=; b=Oe16/9D7/7d67cUSyAPHmj+rekiHlxK3tMneIFP/5hTG + MlpQlyg5QLsVRSUxfGn/OjX1vvg5VrpRpeGYaxJyNU/oPy2jFBSwUmB1lR7/W4Lz + M4NYele9Nufotym19hpJylkMpOi266PNIqG1lT4OfK7d+ZEJSoZygq/tnsgE08ql + 2AFSMbYbTQC6YM8sk+9tk2ypCjb7W1NouIshFQ33J7LNniu67KJDcPtH3VqfkG6q + RYkGhc21tTZl/e9EQ6m8Z4c6yWk8kDqozOBI0lOh6GrhAaDEj1+/2v0DF7OAcqwG + KhqGnYTkH2Qj8pshvMSctbOWckywkqxX+fREJWN9Gw== +X-ME-Sender: + +X-ME-Received: + +X-ME-Proxy-Cause: + gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvheehheefucetufdoteggodetrf + dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv + pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih + gvnhhtshculddquddttddmnecujfgurhephffvvefufffkofggtgfgsehtkeertdertdej + necuhfhrohhmpeetlhihshhsrgcutfhoshhsuceohhhisegrlhihshhsrgdrihhsqeenuc + ggtffrrghtthgvrhhnpeevieegveegkeefieekffeuuddtuefhtdfhgfdvfeeugfffvdeh + tdekveeufedtjeenucffohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrh + fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhephhhisegrlhihshhsrgdrihhs + pdhnsggprhgtphhtthhopeegpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehmvg + esrghlsggrrdhshhdprhgtphhtthhopehjfigtrghrthdvsehgmhgrihhlrdgtohhmpdhr + tghpthhtohepnhgrsghijhgrtgiilhgvfigvlhhisehnrggsihhjrggtiihlvgifvghlih + drgiihiidprhgtphhtthhopehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhg +X-ME-Proxy: + + + + +Feedback-ID: i12284293:Fastmail +Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, + 26 Apr 2025 11:15:52 -0400 (EDT) +Received: by mbp.qyliss.net (Postfix, from userid 1000) + id E07A2117F8; Sat, 26 Apr 2025 17:15:46 +0200 (CEST) +From: Alyssa Ross +To: selinux@vger.kernel.org +Cc: =?utf-8?b?0L3QsNCx?= , + James Carter , Alba Mendez +Subject: [PATCH v2] libselinux: be careful with non-portable LFS macro +Date: Sat, 26 Apr 2025 17:13:57 +0200 +Message-ID: <20250426151356.7116-2-hi@alyssa.is> +X-Mailer: git-send-email 2.47.2 +Precedence: bulk +X-Mailing-List: selinux@vger.kernel.org +List-Id: +List-Subscribe: +List-Unsubscribe: +MIME-Version: 1.0 + +musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t +has always been 64-bit on all platforms there. That means there's +also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass +and reach the static asserts for the shim, which would fail due to +there being no ino64_t to check the size of. Fix this by only +assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when +another non-portable Glibc macro, __INO64_T_TYPE, is defined. If both +are missing, that probably just means there is no ino64_t. + +Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy") +Signed-off-by: Alyssa Ross +Acked-by: James Carter +--- +v2: Made the same change to the condition in the header, as suggested + in a GitHub comment. The omission didn't seem to break anything, + but it makes sense to change it there too. + https://github.com/NixOS/nixpkgs/pull/391728#issuecomment-2832282846 + + include/selinux/selinux.h | 2 +- + src/matchpathcon.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + + +base-commit: 2647cc0fdca326b81ee3c08718cbe19b7866b53a + +--- a/include/selinux/selinux.h ++++ b/include/selinux/selinux.h +@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char + with the same inode (e.g. due to multiple hard links). If so, then + use the latter of the two specifications based on their order in the + file contexts configuration. Return the used specification index. */ +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T) ++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T) + #define matchpathcon_filespec_add matchpathcon_filespec_add64 + #endif + extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); +--- a/src/matchpathcon.c ++++ b/src/matchpathcon.c +@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, + return -1; + } + +-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T) ++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T) + /* alias defined in the public header but we undefine it here */ + #undef matchpathcon_filespec_add +