[apparmor] [patch] libapparmor: aa_query_label symbol versioning

John Johansen john.johansen at canonical.com
Sat Mar 1 12:41:51 UTC 2014 

On 02/28/2014 01:46 PM, Steve Beattie wrote:
> In the course of developing apparmor dbus mediation, the aa_query_label
> symbol was added to libapparmor on trunk, and given the symbol version
> (via libapparmor.map) of APPARMOR_3.0. As apparmor upstream, we have
> not made a release where this would have been exported.
> 
> Unfortunately, in Ubuntu, a version was released in 13.10 that included
> the aa_query_label() symbol with a version of APPARMOR_1.1. This
> can cause a breakage on that platform with the incorporation of the
> impending apparmor 2.9 release.
> 
> Given that no other version of this symbol should exist anywhere,
> one solution to this is to simply re-version the symbol to match the
> version used in Ubuntu. The first patch I've attached does this,
> as well as adding a comment on where to add symbols, as well as
> re-versioning the APPARMOR_3.0 section to APPARMOR_2.9 (but there
> are no other symbols there, so it's a bit of a no-op section).
> 
> A slightly more invasive but conservative solution is to provide both
> versions (APPARMOR_1.1 and APPARMOR_3.0) of the aa_query_label()
> symbol. It requires the function name in kernel_interface.c to
> be renamed (similar to how the deprecated change_hat() symbol is
> named in the source as __change_hat()), otherwise linking fails
> with duplicated symbols. The default symbol used will still be the
> APPARMOR_3.0 version, but binaries linked with the APPARMOR_1.1 version
> would still continue to work unchanged. Keeping the (misleading)
> APPARMOR_3.0 version would prevent breaking anyone currently using
> a snapshot of trunk. This is the second patch attached.
> 
So in general I like this, I question keeping the symbol version at
APPARMOR_3.0, as we your other patch added a place holder 2.9
which would seem to be the right place for it

Also does the aa_query_label for the both versions have to be
present in the map? The patch only adds it for 1.1

> -- Steve Beattie <sbeattie at ubuntu.com> http://NxNW.org/~steve/
> 
> 
> libapparmor-adjust_symbol_map.patch
> 
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  libraries/libapparmor/src/libapparmor.map |   13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> Index: b/libraries/libapparmor/src/libapparmor.map
> ===================================================================
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -1,4 +1,8 @@
> -#If you update this file please update the library version in Makefile.am
> +# Please add new symbols in a section that corresponds to the upcoming
> +# release version, adding a new section if necessary
> +#
> +# If you update this file please follow the instructions on library
> +# versioning in Makefile.am
>  
>  IMMUNIX_1.0 {
>    global:
> @@ -33,14 +37,15 @@ APPARMOR_1.1 {
>          free_record;
>          aa_getprocattr_raw;
>          aa_getprocattr;
> +        aa_query_label;
> +
> +	# no more symbols here, please
>  
>    local:
>  	*;
>  } APPARMOR_1.0;
>  
> -APPARMOR_3.0 {
> -  global:
> -	aa_query_label;
> +APPARMOR_2.9 {
>    local:
>  	*;
>  } APPARMOR_1.1;
> 
> 
> libapparmor-adjust_symbol_map-more_invasive_version.patch
> 
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
>  libraries/libapparmor/src/kernel_interface.c |   10 ++++++++--
>  libraries/libapparmor/src/libapparmor.map    |    9 ++++++++-
>  2 files changed, 16 insertions(+), 3 deletions(-)
> 
> Index: b/libraries/libapparmor/src/libapparmor.map
> ===================================================================
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -1,4 +1,8 @@
> -#If you update this file please update the library version in Makefile.am
> +# Please add new symbols in a section that corresponds to the upcoming
> +# release version, adding a new section if necessary
> +#
> +# If you update this file please follow the instructions on library
> +# versioning in Makefile.am
>  
>  IMMUNIX_1.0 {
>    global:
> @@ -33,6 +37,9 @@ APPARMOR_1.1 {
>          free_record;
>          aa_getprocattr_raw;
>          aa_getprocattr;
> +        aa_query_label;
> +
> +	# no more symbols here, please
>  
>    local:
>  	*;
> Index: b/libraries/libapparmor/src/kernel_interface.c
> ===================================================================
> --- a/libraries/libapparmor/src/kernel_interface.c
> +++ b/libraries/libapparmor/src/kernel_interface.c
> @@ -702,8 +702,8 @@ static void aafs_access_init_once(void)
>   *          ENOENT, the subject label in the query string is unknown to the
>   *          kernel.
>   */
> -int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
> -		   int *audited)
> +int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> +		int *audited)
>  {
>  	char buf[QUERY_LABEL_REPLY_LEN];
>  	uint32_t allow, deny, audit, quiet;
> @@ -770,3 +770,9 @@ int aa_query_label(uint32_t mask, char *
>  
>  	return 0;
>  }
> +
> +/* export multiple aa_query_label symbols to compensate for downstream
> + * releases with differing symbol versions. */
> +extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
> +symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
> +default_symbol_version(query_label, aa_query_label, APPARMOR_3.0);
> 
> 
> 
> -- AppArmor mailing list AppArmor at lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>

More information about the AppArmor mailing list