In the course of developing apparmor dbus mediation, the aa_query_label
symbol was added to libapparmor on trunk, and given the symbol version
(via libapparmor.map) of APPARMOR_3.0. As apparmor upstream, we have
not made a release where this would have been exported.

Unfortunately, in Ubuntu, a version was released in 13.10 that included
the aa_query_label() symbol with a version of APPARMOR_1.1. This
can cause a breakage on that platform with the incorporation of the
impending apparmor 2.9 release.

Given that no other version of this symbol should exist anywhere,
one solution to this is to simply re-version the symbol to match the
version used in Ubuntu. The first patch I've attached does this,
as well as adding a comment on where to add symbols, as well as
re-versioning the APPARMOR_3.0 section to APPARMOR_2.9 (but there
are no other symbols there, so it's a bit of a no-op section).

A slightly more invasive but conservative solution is to provide both
versions (APPARMOR_1.1 and APPARMOR_3.0) of the aa_query_label()
symbol. It requires the function name in kernel_interface.c to
be renamed (similar to how the deprecated change_hat() symbol is
named in the source as __change_hat()), otherwise linking fails
with duplicated symbols. The default symbol used will still be the
APPARMOR_3.0 version, but binaries linked with the APPARMOR_1.1 version
would still continue to work unchanged. Keeping the (misleading)
APPARMOR_3.0 version would prevent breaking anyone currently using
a snapshot of trunk. This is the second patch attached.

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
Signed-off-by: Steve Beattie <st...@nxnw.org>
---
 libraries/libapparmor/src/libapparmor.map |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

Index: b/libraries/libapparmor/src/libapparmor.map
===================================================================
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -1,4 +1,8 @@
-#If you update this file please update the library version in Makefile.am
+# Please add new symbols in a section that corresponds to the upcoming
+# release version, adding a new section if necessary
+#
+# If you update this file please follow the instructions on library
+# versioning in Makefile.am
 
 IMMUNIX_1.0 {
   global:
@@ -33,14 +37,15 @@ APPARMOR_1.1 {
         free_record;
         aa_getprocattr_raw;
         aa_getprocattr;
+        aa_query_label;
+
+	# no more symbols here, please
 
   local:
 	*;
 } APPARMOR_1.0;
 
-APPARMOR_3.0 {
-  global:
-	aa_query_label;
+APPARMOR_2.9 {
   local:
 	*;
 } APPARMOR_1.1;
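Review bot: Replacing the APPARMOR_3.0 node with APPARMOR_2.9 and moving aa_query_label into APPARMOR_1.1 removes aa_query_label@APPARMOR_3.0 from the library, so any binary linked against a trunk snapshot will no longer resolve it. If that breakage is accepted, say so in the commit message. The new APPARMOR_2.9 node contains only "local: *;" and exports nothing, so it could be left out until there is a symbol to put in it. Minor style point: the added "aa_query_label;" line is indented with spaces to match its neighbours, while the added "# no more symbols here, please" line uses a tab.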
Signed-off-by: Steve Beattie <st...@nxnw.org>
---
 libraries/libapparmor/src/kernel_interface.c |   10 ++++++++--
 libraries/libapparmor/src/libapparmor.map    |    9 ++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

Index: b/libraries/libapparmor/src/libapparmor.map
===================================================================
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -1,4 +1,8 @@
-#If you update this file please update the library version in Makefile.am
+# Please add new symbols in a section that corresponds to the upcoming
+# release version, adding a new section if necessary
+#
+# If you update this file please follow the instructions on library
+# versioning in Makefile.am
 
 IMMUNIX_1.0 {
   global:
@@ -33,6 +37,9 @@ APPARMOR_1.1 {
         free_record;
         aa_getprocattr_raw;
         aa_getprocattr;
+        aa_query_label;
+
+	# no more symbols here, please
 
   local:
 	*;
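Review bot: aa_query_label is added to APPARMOR_1.1 here with nothing in the map explaining why a symbol introduced later sits in an older node. The "# no more symbols here, please" comment tells the next editor what not to do but not why this entry is the exception. Suggest a one-line comment above "aa_query_label;" saying it is a compatibility version for a downstream release and that the default version lives in the APPARMOR_3.0 node. The comment line is also tab-indented while the surrounding entries use spaces.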
Index: b/libraries/libapparmor/src/kernel_interface.c
===================================================================
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -702,8 +702,8 @@ static void aafs_access_init_once(void)
  *          ENOENT, the subject label in the query string is unknown to the
  *          kernel.
  */
-int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
-		   int *audited)
+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
+		int *audited)
 {
 	char buf[QUERY_LABEL_REPLY_LEN];
 	uint32_t allow, deny, audit, quiet;
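Review bot: The renamed function "int query_label(...)" is not static and has a generic, unprefixed name, so it has external linkage inside the library and stays out of the exported ABI only because of the "local: *;" catch-all in the version script. A library-private prefixed name would make the intent clearer and avoid a clash with another object that happens to define query_label. The doc comment ending just above this signature should also still name aa_query_label as the public entry point after the rename.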
@@ -770,3 +770,9 @@ int aa_query_label(uint32_t mask, char *
 
 	return 0;
 }
+
+/* export multiple aa_query_label symbols to compensate for downstream
+ * releases with differing symbol versions. */
+extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
+symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
+default_symbol_version(query_label, aa_query_label, APPARMOR_3.0);
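Review bot: The comment above the alias says "downstream releases with differing symbol versions" but does not say which version is the compatibility one or that it has to stay. Suggest naming APPARMOR_1.1 as the version kept only for already-linked binaries and APPARMOR_3.0 as the default that new links bind to, so nobody later drops the symbol_version() line as dead code. This hunk adds no #include, so it relies on symbol_version() and default_symbol_version() already being visible in kernel_interface.c; worth confirming the build on a tree where they are not pulled in indirectly.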

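The two approaches in the message above leave the built library exporting different version sets for aa_query_label. A packager can verify the result from the dynamic symbol table. The following is an added example, not part of the original post or of AppArmor: the function names and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `readelf --dyn-syms -W` lines for a build with the
# second patch applied (indexes, addresses and sizes are made up).
sample_both() {
cat <<'EOF'
    41: 0000000000004c30   412 FUNC    GLOBAL DEFAULT   12 aa_getprocattr@@APPARMOR_1.1
    57: 0000000000005210   389 FUNC    GLOBAL DEFAULT   12 aa_query_label@APPARMOR_1.1
    58: 0000000000005210   389 FUNC    GLOBAL DEFAULT   12 aa_query_label@@APPARMOR_3.0
EOF
}
# Constructed sample for a trunk snapshot with neither patch applied.
sample_trunk() {
cat <<'EOF'
    41: 0000000000004c30   412 FUNC    GLOBAL DEFAULT   12 aa_getprocattr@@APPARMOR_1.1
    57: 0000000000005210   389 FUNC    GLOBAL DEFAULT   12 aa_query_label@@APPARMOR_3.0
EOF
}

# symbol_versions SYMBOL: read readelf-style lines on stdin and print one
# "VERSION default|compat" line per exported version of SYMBOL.
# "@@" marks the default version new links bind to; "@" marks a compat version.
symbol_versions() {
    awk -v sym="$1" '
        { name = $NF }
        index(name, sym "@@") == 1 { print substr(name, length(sym) + 3), "default"; next }
        index(name, sym "@") == 1  { print substr(name, length(sym) + 2), "compat" }
    '
}

# check_abi SYMBOL DEFAULT_VER [COMPAT_VER...]: succeed only if SYMBOL is
# exported with DEFAULT_VER as its default version and every COMPAT_VER as a
# non-default version, so binaries linked against either one still resolve.
check_abi() {
    sym=$1; want_default=$2; shift 2
    found=$(symbol_versions "$sym")
    rc=0
    echo "$found" | grep -Fqx "$want_default default" ||
        { echo "missing default $sym@@$want_default"; rc=1; }
    for v in "$@"; do
        echo "$found" | grep -Fqx "$v compat" ||
            { echo "missing compat $sym@$v"; rc=1; }
    done
    return $rc
}
```

Against a real build, pipe `readelf --dyn-syms -W` on the installed libapparmor shared object into `check_abi aa_query_label APPARMOR_3.0 APPARMOR_1.1`; for the first patch the expected call is `check_abi aa_query_label APPARMOR_1.1` with no compat versions.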