[openwrt/openwrt] libselinux: update to 3.8.1
LEDE Commits
lede-commits at lists.infradead.org
Fri May 2 10:15:47 PDT 2025
robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/cf4161746d1597e64113e2721a0b5725016afa08
commit cf4161746d1597e64113e2721a0b5725016afa08
Author: Robert Marko <robimarko at gmail.com>
AuthorDate: Thu May 1 21:23:33 2025 +0200
libselinux: update to 3.8.1
Update libselinux to latest 3.8.1 release.
In order to keep building on 32-bit targets with musl, one backport[1]
and one patch pending[2] upstream are required.
[1] https://github.com/SELinuxProject/selinux/commit/5c3fcbd931b7f9752b5ce29cec3b6813991d61c0
[2] https://lore.kernel.org/selinux/CAP+JOzQBaGv=74tNgczpjZVGpzZo93kxnHXO0isL+TzmOc4byg@mail.gmail.com/T/#t
Link: https://github.com/openwrt/openwrt/pull/18674
Signed-off-by: Robert Marko <robimarko at gmail.com>
---
package/libs/libselinux/Makefile | 4 +-
...hpathcon_filespec_add64-if-defined-__INO_.patch | 75 ++++++++++
...ux-be-careful-with-non-portable-LFS-macro.patch | 158 +++++++++++++++++++++
3 files changed, 235 insertions(+), 2 deletions(-)
diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile
index f90d4993c8..9f65f5bf65 100644
--- a/package/libs/libselinux/Makefile
+++ b/package/libs/libselinux/Makefile
@@ -6,12 +6,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libselinux
-PKG_VERSION:=3.5
+PKG_VERSION:=3.8.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
-PKG_HASH:=9a3a3705ac13a2ccca2de6d652b6356fead10f36fb33115c185c5ccdf29eec19
+PKG_HASH:=ec2d2789f931152d21c1db1eb4bc202ce4eccede34d9be9e360e3b45243cee2c
PKG_LICENSE:=libselinux-1.0
PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch b/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
new file mode 100644
index 0000000000..1f9bc445a0
--- /dev/null
+++ b/package/libs/libselinux/patches/0001-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
@@ -0,0 +1,75 @@
+From 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= <nabijaczleweli at nabijaczleweli.xyz>
+Date: Thu, 20 Mar 2025 16:55:17 +0100
+Subject: [PATCH] Inject matchpathcon_filespec_add64() if
+ !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as
+ proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The __INO_T_MATCHES_INO64_T is defined
+if ino_t would be the same size as ino64_t
+if -D_FILE_OFFSET_BITS=64 were not defined.
+
+This is /exactly/ what
+ /* ABI backwards-compatible shim for non-LFS 32-bit systems */
+ #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+is trying to get at, but currently fails because x32/RV32 are "LFS"
+with 32-bit longs and 64-bit time_ts natively.
+
+Thus, the
+ static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
+assertion fails (__ino_t is the "kernel ino_t" type,
+which generally corresponds to the kernel's ulong, which is u64 on x32).
+
+glibc headers allow us to check the condition we care about directly.
+
+Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
+Closes: #463
+Closes: Debian#1098481
+Signed-off-by: наб <nabijaczleweli at nabijaczleweli.xyz>
+Cc: Alba Mendez <me at alba.sh>
+Acked-by: James Carter <jwcart2 at gmail.com>
+---
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/selinux/selinux.h
++++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char
+ with the same inode (e.g. due to multiple hard links). If so, then
+ use the latter of the two specifications based on their order in the
+ file contexts configuration. Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+--- a/src/matchpathcon.c
++++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino,
+ return -1;
+ }
+
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+
+@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned l
+ {
+ return matchpathcon_filespec_add64(ino, specind, file);
+ }
++#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T)
++
++static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch");
++
+ #else
+
+-static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch");
++static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch");
+
+ #endif
+
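Review bot: The final `#else` branch in the src/matchpathcon.c part of this backport now asserts `sizeof(uint32_t) == sizeof(ino_t)`, which cannot hold on musl, where ino_t is 64-bit on every target according to the description of the companion patch 100. A musl build therefore only compiles if it lands in the `#elif` branch, that is, if libselinux is built with `_FILE_OFFSET_BITS` set to 64; whether the package build guarantees that on all targets is not visible in this commit. These asserts appear to be the only compile-time guard that the inode argument of matchpathcon_filespec_add() has the width the ABI expects, so the dependency is worth stating, for example with `/* musl: ino_t is always 64-bit, so the build must define _FILE_OFFSET_BITS=64 to avoid the 32-bit assert below */` ahead of the `#else`, or in the commit description if the upstream patch has to stay verbatim. Part of the conditional block lies between the two quoted upstream hunks and is not shown here.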
diff --git a/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch b/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch
new file mode 100644
index 0000000000..157703aaf6
--- /dev/null
+++ b/package/libs/libselinux/patches/100-v2-libselinux-be-careful-with-non-portable-LFS-macro.patch
@@ -0,0 +1,158 @@
+From patchwork Sat Apr 26 15:13:57 2025
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Patchwork-Submitter: Alyssa Ross <hi at alyssa.is>
+X-Patchwork-Id: 14067708
+Received: from fhigh-b7-smtp.messagingengine.com
+ (fhigh-b7-smtp.messagingengine.com [202.12.124.158])
+ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+ (No client certificate requested)
+ by smtp.subspace.kernel.org (Postfix) with ESMTPS id 33F71A31
+ for <selinux at vger.kernel.org>; Sat, 26 Apr 2025 15:15:54 +0000 (UTC)
+Authentication-Results: smtp.subspace.kernel.org;
+ arc=none smtp.client-ip=202.12.124.158
+ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
+ t=1745680559; cv=none;
+ b=Pq1cEfDSDJ0fkBMv6QVCQI8UUqLnYGihmK9UeuLduv0kwLuwpvD6WOxM/TSLMRIywjgR8gd2c853qlcX7DDrHAnyddbljBfUmT7TClUWm+eES9n51wREeMkgpjwZEvuOCVXfWzMNnBJNztbAVx+10PtGeluwXSHG1odCX/NjgQI=
+ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
+ s=arc-20240116; t=1745680559; c=relaxed/simple;
+ bh=pJMDSW9OyFQkw5+mTn23RDQ0ioaHtTd6I+0qBZvmwP4=;
+ h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;
+ b=VY6d+x8V7xkeJ2uh/a5R7YERgjbG4KKpSH0LL+z/D5ebQqDoQYyVyuQAhANwGBuFP81lunmLcZc2wMIkhtTTIzrFJyVwMsKJnPT2vLUBI6Um9ow9ZAwrpU3bMzV3KjnKaTZMGAZ87fAstIzB5jJaPIF2rhU9NiBHjpTAn5ofXYo=
+ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
+ dmarc=none (p=none dis=none) header.from=alyssa.is;
+ spf=pass smtp.mailfrom=alyssa.is;
+ dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is
+ header.b=sVvu9/jU;
+ dkim=pass (2048-bit key) header.d=messagingengine.com
+ header.i=@messagingengine.com
+ header.b=Oe16/9D7; arc=none smtp.client-ip=202.12.124.158
+Authentication-Results: smtp.subspace.kernel.org;
+ dmarc=none (p=none dis=none) header.from=alyssa.is
+Authentication-Results: smtp.subspace.kernel.org;
+ spf=pass smtp.mailfrom=alyssa.is
+Authentication-Results: smtp.subspace.kernel.org;
+ dkim=pass (2048-bit key) header.d=alyssa.is header.i=@alyssa.is
+ header.b="sVvu9/jU";
+ dkim=pass (2048-bit key) header.d=messagingengine.com
+ header.i=@messagingengine.com header.b="Oe16/9D7"
+Received: from phl-compute-02.internal (phl-compute-02.phl.internal
+ [10.202.2.42])
+ by mailfhigh.stl.internal (Postfix) with ESMTP id ED5B02540205;
+ Sat, 26 Apr 2025 11:15:53 -0400 (EDT)
+Received: from phl-mailfrontend-02 ([10.202.2.163])
+ by phl-compute-02.internal (MEProxy); Sat, 26 Apr 2025 11:15:54 -0400
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc
+ :cc:content-transfer-encoding:content-type:content-type:date
+ :date:from:from:in-reply-to:message-id:mime-version:reply-to
+ :subject:subject:to:to; s=fm2; t=1745680553; x=1745766953; bh=rW
+ uOFM2rzwdFfxgV2+EnHMjhI780MNjU9R+9eFq8dvg=; b=sVvu9/jU9LemQ6RFQI
+ DtSKhUj2+dsfX0he1Ov1CofCaTdNc+esuMzB8dGEgQnIY6sfB7FHrPAuDDQaCTEb
+ Qb0MW0FQNzuTyNO94P8IXvcPEN7XWpcH1UKkWyohOsX/DRQYs8YP/oyrZB7gy8h+
+ LPbqcyracjmJriUdC8aesJ3FKHmyQiXY8ka08VFQyiVrksvEwfM7tleNW0mQVrVG
+ VpHxDigwP71zXB3gHl0ogks6VloaqH0f3EKo1nT19xuzWGcMPKtBrs3jHJFSgy8X
+ 9+jY/qFSAq6OvItkKnwXf08McbuKVuPnYZrrsVgx3NZFcaCo+tklqEvWJUJCPxnz
+ BfXw==
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
+ messagingengine.com; h=cc:cc:content-transfer-encoding
+ :content-type:content-type:date:date:feedback-id:feedback-id
+ :from:from:in-reply-to:message-id:mime-version:reply-to:subject
+ :subject:to:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
+ fm3; t=1745680553; x=1745766953; bh=rWuOFM2rzwdFfxgV2+EnHMjhI780
+ MNjU9R+9eFq8dvg=; b=Oe16/9D7/7d67cUSyAPHmj+rekiHlxK3tMneIFP/5hTG
+ MlpQlyg5QLsVRSUxfGn/OjX1vvg5VrpRpeGYaxJyNU/oPy2jFBSwUmB1lR7/W4Lz
+ M4NYele9Nufotym19hpJylkMpOi266PNIqG1lT4OfK7d+ZEJSoZygq/tnsgE08ql
+ 2AFSMbYbTQC6YM8sk+9tk2ypCjb7W1NouIshFQ33J7LNniu67KJDcPtH3VqfkG6q
+ RYkGhc21tTZl/e9EQ6m8Z4c6yWk8kDqozOBI0lOh6GrhAaDEj1+/2v0DF7OAcqwG
+ KhqGnYTkH2Qj8pshvMSctbOWckywkqxX+fREJWN9Gw==
+X-ME-Sender: <xms:qfgMaJE8VrzV69Ds-EsG48fFI5UaqMSYVinivYKJ4ML0p0Qd_UDicQ>
+ <xme:qfgMaOUrxIYKlodKAw1Xg57c4yZT6ZBIwMc_Jxf2xmsgkKIf3HHUkRikoeiSWWlvF
+ 2vLA9kyO05KG8VGKQ>
+X-ME-Received:
+ <xmr:qfgMaLLGcqX6upspD9CqnV5CuWYyVoe7dkYN-ilEpG08JiM1cEurmgjMsOzEj6QU>
+X-ME-Proxy-Cause:
+ gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvheehheefucetufdoteggodetrf
+ dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
+ pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih
+ gvnhhtshculddquddttddmnecujfgurhephffvvefufffkofggtgfgsehtkeertdertdej
+ necuhfhrohhmpeetlhihshhsrgcutfhoshhsuceohhhisegrlhihshhsrgdrihhsqeenuc
+ ggtffrrghtthgvrhhnpeevieegveegkeefieekffeuuddtuefhtdfhgfdvfeeugfffvdeh
+ tdekveeufedtjeenucffohhmrghinhepghhithhhuhgsrdgtohhmnecuvehluhhsthgvrh
+ fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhephhhisegrlhihshhsrgdrihhs
+ pdhnsggprhgtphhtthhopeegpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehmvg
+ esrghlsggrrdhshhdprhgtphhtthhopehjfigtrghrthdvsehgmhgrihhlrdgtohhmpdhr
+ tghpthhtohepnhgrsghijhgrtgiilhgvfigvlhhisehnrggsihhjrggtiihlvgifvghlih
+ drgiihiidprhgtphhtthhopehsvghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhg
+X-ME-Proxy: <xmx:qfgMaPHxXV0etoyRJkgcYPe-u5lQsB6cvXgoxiMYU6OgH09vt9RJJA>
+ <xmx:qfgMaPVNzmzj8XlzIEYZvhuhOvK7xCeHS_NHGryjhfN_xqE-mmaCSA>
+ <xmx:qfgMaKPro4JgdEKJ3LZ0e1t9yipSpo-CqpVMe_Xg9n4ohUp0rhtvEw>
+ <xmx:qfgMaO1XYewudNFS8g1h7cOv-f3pWJTH7mubtCGLTV6fyEUJfKdQJQ>
+ <xmx:qfgMaPC5FGWuV_5Cknij04lvxGSeCOFW3wA8lCW6fChGDgA8HzuEfqKb>
+Feedback-ID: i12284293:Fastmail
+Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
+ 26 Apr 2025 11:15:52 -0400 (EDT)
+Received: by mbp.qyliss.net (Postfix, from userid 1000)
+ id E07A2117F8; Sat, 26 Apr 2025 17:15:46 +0200 (CEST)
+From: Alyssa Ross <hi at alyssa.is>
+To: selinux at vger.kernel.org
+Cc: =?utf-8?b?0L3QsNCx?= <nabijaczleweli at nabijaczleweli.xyz>,
+ James Carter <jwcart2 at gmail.com>, Alba Mendez <me at alba.sh>
+Subject: [PATCH v2] libselinux: be careful with non-portable LFS macro
+Date: Sat, 26 Apr 2025 17:13:57 +0200
+Message-ID: <20250426151356.7116-2-hi at alyssa.is>
+X-Mailer: git-send-email 2.47.2
+Precedence: bulk
+X-Mailing-List: selinux at vger.kernel.org
+List-Id: <selinux.vger.kernel.org>
+List-Subscribe: <mailto:selinux+subscribe at vger.kernel.org>
+List-Unsubscribe: <mailto:selinux+unsubscribe at vger.kernel.org>
+MIME-Version: 1.0
+
+musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t
+has always been 64-bit on all platforms there. That means there's
+also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass
+and reach the static asserts for the shim, which would fail due to
+there being no ino64_t to check the size of. Fix this by only
+assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when
+another non-portable Glibc macro, __INO64_T_TYPE, is defined. If both
+are missing, that probably just means there is no ino64_t.
+
+Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy")
+Signed-off-by: Alyssa Ross <hi at alyssa.is>
+Acked-by: James Carter <jwcart2 at gmail.com>
+---
+v2: Made the same change to the condition in the header, as suggested
+ in a GitHub comment. The omission didn't seem to break anything,
+ but it makes sense to change it there too.
+ https://github.com/NixOS/nixpkgs/pull/391728#issuecomment-2832282846
+
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+
+base-commit: 2647cc0fdca326b81ee3c08718cbe19b7866b53a
+
+--- a/include/selinux/selinux.h
++++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char
+ with the same inode (e.g. due to multiple hard links). If so, then
+ use the latter of the two specifications based on their order in the
+ file contexts configuration. Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+--- a/src/matchpathcon.c
++++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino,
+ return -1;
+ }
+
+-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+
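Review bot: The stored patch 100 keeps the complete mail transport header block from patchwork (Received, ARC-*, DKIM-Signature, X-ME-* and list headers), well over half of its 158 lines, while nothing in the file itself records where the patch was taken from or that it is still pending upstream. Those headers do not help a later reader confirm the origin, and they bury the actual two-line change; trimming the file to `From:`, `Date:`, `Subject:` and the message body would make it auditable at a glance. I would also add a `Link:` line carrying the lore URL cited as [2] in the commit description, plus a short remark that the patch is to be dropped once upstream merges it, so the pending status is recorded next to the code it changes.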