libselinux: update to 3.8.1

Update libselinux to latest 3.8.1 release. In order to keep building on 32-bit targets with musl, one backport[1] and one patch pending[2] upstream are required. [1] 5c3fcbd931 [2] https://lore.kernel.org/selinux/CAP+JOzQBaGv=74tNgczpjZVGpzZo93kxnHXO0isL+TzmOc4byg@mail.gmail.com/T/#t Link: https://github.com/openwrt/openwrt/pull/18674 Signed-off-by: Robert Marko <robimarko@gmail.com>
2025-05-01 21:23:33 +02:00 · 2025-05-01 21:23:33 +02:00 · cf4161746d
commit cf4161746d
parent d3216173ab
3 changed files with 235 additions and 2 deletions
--- a/package/libs/libselinux/Makefile
+++ b/package/libs/libselinux/Makefile
@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libselinux
-PKG_VERSION:=3.5
+PKG_VERSION:=3.8.1
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
-PKG_HASH:=9a3a3705ac13a2ccca2de6d652b6356fead10f36fb33115c185c5ccdf29eec19
+PKG_HASH:=ec2d2789f931152d21c1db1eb4bc202ce4eccede34d9be9e360e3b45243cee2c

 PKG_LICENSE:=libselinux-1.0
 PKG_LICENSE_FILES:=LICENSE
--- a/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
+++ b/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
@ -0,0 +1,75 @@
+From 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= <nabijaczleweli@nabijaczleweli.xyz>
+Date: Thu, 20 Mar 2025 16:55:17 +0100
+Subject: [PATCH] Inject matchpathcon_filespec_add64() if
+ !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as
+ proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The __INO_T_MATCHES_INO64_T is defined
+if ino_t would be the same size as ino64_t
+if -D_FILE_OFFSET_BITS=64 were not defined.
+
+This is /exactly/ what
+  /* ABI backwards-compatible shim for non-LFS 32-bit systems */
+  #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+is trying to get at, but currently fails because x32/RV32 are "LFS"
+with 32-bit longs and 64-bit time_ts natively.
+
+Thus, the
+  static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
+assertion fails (__ino_t is the "kernel ino_t" type,
+which generally corresponds to the kernel's ulong, which is u64 on x32).
+
+glibc headers allow us to check the condition we care about directly.
+
+Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
+Closes: #463
+Closes: Debian#1098481
+Signed-off-by: наб <nabijaczleweli@nabijaczleweli.xyz>
+Cc: Alba Mendez <me@alba.sh>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c        | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/selinux/selinux.h
+++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char
+    with the same inode (e.g. due to multiple hard links).  If so, then
+    use the latter of the two specifications based on their order in the 
+    file contexts configuration.  Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+--- a/src/matchpathcon.c
+++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino,
+ 	return -1;
+ }
+ 
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+ 
+@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned l
+ {
+ 	return matchpathcon_filespec_add64(ino, specind, file);
+ }
+#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T)
+
+static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch");
+
+ #else
+ 
+-static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch");
+static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch");
+ 
+ #endif
+ 
--- a/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch
+++ b/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch
@ -0,0 +1,158 @@
+From patchwork Sat Apr 26 15:13:57 2025
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Patchwork-Submitter: Alyssa Ross <hi@alyssa.is>
+X-Patchwork-Id: 14067708
+Received: from fhigh-b7-smtp.messagingengine.com
+ (fhigh-b7-smtp.messagingengine.com [202.12.124.158])
+	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+	(No client certificate requested)
+	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33F71A31
+	for <selinux@vger.kernel.org>; Sat, 26 Apr 2025 15:15:54 +0000 (UTC)
+Authentication-Results: smtp.subspace.kernel.org;
+ arc=none smtp.client-ip=202.12.124.158
+ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
+	t=1745680559; cv=none;
+ b=Pq1cEfDSDJ0fkBMv6QVCQI8UUqLnYGihmK9UeuLduv0kwLuwpvD6WOxM/TSLMRIywjgR8gd2c853qlcX7DDrHAnyddbljBfUmT7TClUWm+eES9n51wREeMkgpjwZEvuOCVXfWzMNnBJNztbAVx+10PtGeluwXSHG1odCX/NjgQI=
+ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
+	s=arc-20240116; t=1745680559; c=relaxed/simple;
+	bh=pJMDSW9OyFQkw5+mTn23RDQ0ioaHtTd6I+0qBZvmwP4=;
+	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;
+ b=VY6d+x8V7xkeJ2uh/a5R7YERgjbG4KKpSH0LL+z/D5ebQqDoQYyVyuQAhANwGBuFP81lunmLcZc2wMIkhtTTIzrFJyVwMsKJnPT2vLUBI6Um9ow9ZAwrpU3bMzV3KjnKaTZMGAZ87fAstIzB5jJaPIF2rhU9NiBHjpTAn5ofXYo=
+ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
+ dmarc=none (p=none dis=none) header.from=alyssa.is;
+ spf=pass smtp.mailfrom=alyssa.is;
+ dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is
+ header.b=sVvu9/jU;
+ dkim=pass (2048-bit key) header.d=messagingengine.com
+ header.i=@messagingengine.com
+ header.b=Oe16/9D7; arc=none smtp.client-ip=202.12.124.158
+Authentication-Results: smtp.subspace.kernel.org;
+ dmarc=none (p=none dis=none) header.from=alyssa.is
+Authentication-Results: smtp.subspace.kernel.org;
+ spf=pass smtp.mailfrom=alyssa.is
+Authentication-Results: smtp.subspace.kernel.org;
+	dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is
+ header.b="sVvu9/jU";
+	dkim=pass (2048-bit key) header.d=messagingengine.com
+ header.i=@messagingengine.com header.b="Oe16/9D7"
+Received: from phl-compute-02.internal (phl-compute-02.phl.internal
+ [10.202.2.42])
+	by mailfhigh.stl.internal (Postfix) with ESMTP id ED5B02540205;
+	Sat, 26 Apr 2025 11:15:53 -0400 (EDT)
+Received: from phl-mailfrontend-02 ([10.202.2.163])
+  by phl-compute-02.internal (MEProxy); Sat, 26 Apr 2025 11:15:54 -0400
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc
+	:cc:content-transfer-encoding:content-type:content-type:date
+	:date:from:from:in-reply-to:message-id:mime-version:reply-to
+	:subject:subject:to:to; s=fm2; t=1745680553; x=1745766953; bh=rW
+	uOFM2rzwdFfxgV2+EnHMjhI780MNjU9R+9eFq8dvg=; b=sVvu9/jU9LemQ6RFQI
+	DtSKhUj2+dsfX0he1Ov1CofCaTdNc+esuMzB8dGEgQnIY6sfB7FHrPAuDDQaCTEb
+	Qb0MW0FQNzuTyNO94P8IXvcPEN7XWpcH1UKkWyohOsX/DRQYs8YP/oyrZB7gy8h+
+	LPbqcyracjmJriUdC8aesJ3FKHmyQiXY8ka08VFQyiVrksvEwfM7tleNW0mQVrVG
+	VpHxDigwP71zXB3gHl0ogks6VloaqH0f3EKo1nT19xuzWGcMPKtBrs3jHJFSgy8X
+	9+jY/qFSAq6OvItkKnwXf08McbuKVuPnYZrrsVgx3NZFcaCo+tklqEvWJUJCPxnz
+	BfXw==
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
+	messagingengine.com; h=cc:cc:content-transfer-encoding
+	:content-type:content-type:date:date:feedback-id:feedback-id
+	:from:from:in-reply-to:message-id:mime-version:reply-to:subject
+	:subject:to:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
+	fm3; t=1745680553; x=1745766953; bh=rWuOFM2rzwdFfxgV2+EnHMjhI780
+	MNjU9R+9eFq8dvg=; b=Oe16/9D7/7d67cUSyAPHmj+rekiHlxK3tMneIFP/5hTG
+	MlpQlyg5QLsVRSUxfGn/OjX1vvg5VrpRpeGYaxJyNU/oPy2jFBSwUmB1lR7/W4Lz
+	M4NYele9Nufotym19hpJylkMpOi266PNIqG1lT4OfK7d+ZEJSoZygq/tnsgE08ql
+	2AFSMbYbTQC6YM8sk+9tk2ypCjb7W1NouIshFQ33J7LNniu67KJDcPtH3VqfkG6q
+	RYkGhc21tTZl/e9EQ6m8Z4c6yWk8kDqozOBI0lOh6GrhAaDEj1+/2v0DF7OAcqwG
+	KhqGnYTkH2Qj8pshvMSctbOWckywkqxX+fREJWN9Gw==
+X-ME-Sender: <xms:qfgMaJE8VrzV69Ds-EsG48fFI5UaqMSYVinivYKJ4ML0p0Qd_UDicQ>
+    <xme:qfgMaOUrxIYKlodKAw1Xg57c4yZT6ZBIwMc_Jxf2xmsgkKIf3HHUkRikoeiSWWlvF
+    2vLA9kyO05KG8VGKQ>
+X-ME-Received: 
+ <xmr:qfgMaLLGcqX6upspD9CqnV5CuWYyVoe7dkYN-ilEpG08JiM1cEurmgjMsOzEj6QU>
+X-ME-Proxy-Cause: 
+ gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvheehheefucetufdoteggodetrf
+    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
+    pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih
+    gvnhhtshculddquddttddmnecujfgurhephffvvefufffkofggtgfgsehtkeertdertdej
+    necuhfhrohhmpeetlhihshhsrgcutfhoshhsuceohhhisegrlhihshhsrgdrihhsqeenuc
+    ggtffrrghtthgvrhhnpeevieegveegkeefieekffeuuddtuefhtdfhgfdvfeeugfffvdeh
+    tdekveeufedtjeenucffohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrh
+    fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhephhhisegrlhihshhsrgdrihhs
+    pdhnsggprhgtphhtthhopeegpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehmvg
+    esrghlsggrrdhshhdprhgtphhtthhopehjfigtrghrthdvsehgmhgrihhlrdgtohhmpdhr
+    tghpthhtohepnhgrsghijhgrtgiilhgvfigvlhhisehnrggsihhjrggtiihlvgifvghlih
+    drgiihiidprhgtphhtthhopehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhg
+X-ME-Proxy: <xmx:qfgMaPHxXV0etoyRJkgcYPe-u5lQsB6cvXgoxiMYU6OgH09vt9RJJA>
+    <xmx:qfgMaPVNzmzj8XlzIEYZvhuhOvK7xCeHS_NHGryjhfN_xqE-mmaCSA>
+    <xmx:qfgMaKPro4JgdEKJ3LZ0e1t9yipSpo-CqpVMe_Xg9n4ohUp0rhtvEw>
+    <xmx:qfgMaO1XYewudNFS8g1h7cOv-f3pWJTH7mubtCGLTV6fyEUJfKdQJQ>
+    <xmx:qfgMaPC5FGWuV_5Cknij04lvxGSeCOFW3wA8lCW6fChGDgA8HzuEfqKb>
+Feedback-ID: i12284293:Fastmail
+Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
+ 26 Apr 2025 11:15:52 -0400 (EDT)
+Received: by mbp.qyliss.net (Postfix, from userid 1000)
+	id E07A2117F8; Sat, 26 Apr 2025 17:15:46 +0200 (CEST)
+From: Alyssa Ross <hi@alyssa.is>
+To: selinux@vger.kernel.org
+Cc: =?utf-8?b?0L3QsNCx?= <nabijaczleweli@nabijaczleweli.xyz>,
+ James Carter <jwcart2@gmail.com>, Alba Mendez <me@alba.sh>
+Subject: [PATCH v2] libselinux: be careful with non-portable LFS macro
+Date: Sat, 26 Apr 2025 17:13:57 +0200
+Message-ID: <20250426151356.7116-2-hi@alyssa.is>
+X-Mailer: git-send-email 2.47.2
+Precedence: bulk
+X-Mailing-List: selinux@vger.kernel.org
+List-Id: <selinux.vger.kernel.org>
+List-Subscribe: <mailto:selinux+subscribe@vger.kernel.org>
+List-Unsubscribe: <mailto:selinux+unsubscribe@vger.kernel.org>
+MIME-Version: 1.0
+
+musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t
+has always been 64-bit on all platforms there.  That means there's
+also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass
+and reach the static asserts for the shim, which would fail due to
+there being no ino64_t to check the size of.  Fix this by only
+assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when
+another non-portable Glibc macro, __INO64_T_TYPE, is defined.  If both
+are missing, that probably just means there is no ino64_t.
+
+Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy")
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+v2: Made the same change to the condition in the header, as suggested
+    in a GitHub comment.  The omission didn't seem to break anything,
+    but it makes sense to change it there too.
+    https://github.com/NixOS/nixpkgs/pull/391728#issuecomment-2832282846
+
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+
+base-commit: 2647cc0fdca326b81ee3c08718cbe19b7866b53a
+
+--- a/include/selinux/selinux.h
+++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char
+    with the same inode (e.g. due to multiple hard links).  If so, then
+    use the latter of the two specifications based on their order in the 
+    file contexts configuration.  Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
+#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+--- a/src/matchpathcon.c
+++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino,
+ 	return -1;
+ }
+ 
+-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+