From: William Roberts <bill.c.roberts@gmail.com>
To: Ulrich Drepper <drepper@redhat.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Petr Lautrbach <plautrba@redhat.com>,
	SElinux list <selinux@vger.kernel.org>
Subject: Re: Annotate Deprecated Functions in libselinux
Date: Thu, 27 Feb 2020 15:05:24 -0600
Message-ID: <CAFftDdri97VAa8jwN+3JcLW90mFXjEBMfPnynix=ZpYW6R51rA@mail.gmail.com>
In-Reply-To: <19b672ed-e4d6-5c14-6839-a9203690b7e1@redhat.com>

On Thu, Feb 27, 2020 at 2:43 PM Ulrich Drepper <drepper@redhat.com> wrote:
>
> On 2/27/20 9:03 PM, Ondrej Mosnacek wrote:
> > Ulrich, could you help us understand the macros you proposed to add to
> > the SELinux libraries (probably a very long time ago)? Specifically,
> > we are talking about those defined in "dso.h" header files such as
> > this one [1]. See also GH issue 204 [2] for related discussion.
>
> The use of the hidden infrastructure is not just a means to reduce
> overhead in the form of PLTs.  It also ensures that internals for the
> library don't leak out.

Linker script? We just use a map file that has everything local except for what
we want to export.

> If calls between functions within the same DSO
> use the PLT they can be intercepted by DSO earlier in the search path of
> the dynamic linker.  This can have unwanted consequences.

Huh? I'm not following? If we just remove this, what would actually
break in libselinux?

>
> I advise that this isn't changed.  The infrastructure to do this should
> change, though.  You could look at the code glibc uses today.  The
> functionality is still there, just slightly changed.
>
> An alternative is to use gcc's -fno-semantic-interposition option.  This
> should ensure that PLT entries are avoided.  For Python this was used to
> achieve significant speedups due to the PLT reduction.  I know you don't
> care about speed that much but this is a way to achieve it.  Python uses
> LTO but since the compiler is told about the symbol use there are no
> problems.

This minor overhead on the first call to a routine to resolve the symbol isn't
really much overhead. After it's resolved it's like an extra jmp or something.

If you really wanted to avoid relocation, couldn't you just link statically?

This seems like it might be good for specific issues, but I don't see how this
infrastructure really prevents or fixes anything besides complicating the code,
perhaps enlighten me?

I can see how perhaps for large things like python/glibc it could be useful
but for libselinux this just seems like an over-engineered solution to a
non-existent problem.
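
Added example, not part of the original message and not libselinux code: a constructed two-function library, built once with only a map file and once with a hidden alias for the internal call, then run with a DSO earlier in the search order that defines the same exported name. All file and symbol names are hypothetical; it assumes Linux, a C compiler reachable as `cc`, and a GNU-compatible linker.

```shell
#!/bin/sh
# Added example (constructed; not libselinux code). All names are hypothetical.
# Prints what do_access() returned: 1 = the library's own policy_check() ran,
# 0 = the copy from the earlier-loaded DSO ran instead.
interpose_demo() {                      # $1 = plain | hidden
    d=$(mktemp -d) || return 1
    cat > "$d/lib.c" <<'EOF'
int policy_check(void) { return 1; }            /* exported API */
#ifdef HIDDEN_ALIAS
/* Second, hidden name for the same code; calls to it bind at link time. */
extern __typeof__(policy_check) policy_check_internal
    __attribute__((alias("policy_check"), visibility("hidden")));
#define policy_check policy_check_internal
#endif
int do_access(void) { return policy_check(); }  /* call inside the DSO */
EOF
    # Map file: export only the API, everything else local.
    echo '{ global: policy_check; do_access; local: *; };' > "$d/lib.map"
    # A DSO that sits earlier in the search order and defines the same name.
    echo 'int policy_check(void) { return 0; }' > "$d/early.c"
    cat > "$d/main.c" <<'EOF'
#include <stdio.h>
int do_access(void);
int main(void) { printf("%d\n", do_access()); return 0; }
EOF
    def=""
    if [ "$1" = hidden ]; then def="-DHIDDEN_ALIAS"; fi
    # -O0 keeps the compiler from inlining the internal call away.
    cc -O0 -fPIC -shared $def -Wl,--version-script="$d/lib.map" \
        -o "$d/libdemo.so" "$d/lib.c" &&
    cc -O0 -fPIC -shared -o "$d/libearly.so" "$d/early.c" &&
    cc -o "$d/main" "$d/main.c" -L"$d" -ldemo -Wl,-rpath,"$d" &&
    LD_PRELOAD="$d/libearly.so" "$d/main"
    rc=$?
    rm -rf "$d"
    return $rc
}

echo "map file only:      do_access() = $(interpose_demo plain)"
echo "map + hidden alias: do_access() = $(interpose_demo hidden)"
```

The map file limits which names are exported, but an exported function called from inside the library still resolves through the dynamic symbol lookup; the hidden alias is what binds that internal call to the library's own code.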
