* libsepol drop dso.h
@ 2020-03-09 15:25 bill.c.roberts
From: bill.c.roberts @ 2020-03-09 15:25 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

Following up with the dso.h drop, this follows in the same footsteps
using -fno-semantic-interposition and a linker map script. Libsepol
already had a linker map, so nothing to do there, I just had to add
the -fno-semantic-interposition. Also, in keeping with similar
behavior to libselinux, I set the option on the overridable CFLAGS.

[PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def
[PATCH 2/2] libsepol/Makefile: add -fno-semantic-interposition



* [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def
  2020-03-09 15:25 libsepol drop dso.h bill.c.roberts
@ 2020-03-09 15:25 ` bill.c.roberts
From: bill.c.roberts @ 2020-03-09 15:25 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

libsepol already has a linker script controlling its exports, so this
patch has a net 0 effect, with the exception that internal callers of
external routines, of which there could be 0, could potentially call a
non-libsepol routine depending on library load order.

Additionally, verify that nothing changed in external symbols as well:

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/boolean_internal.h   |  9 -----
 libsepol/src/boolean_record.c     |  8 -----
 libsepol/src/context_internal.h   | 13 --------
 libsepol/src/context_record.c     | 12 -------
 libsepol/src/debug.c              |  5 +--
 libsepol/src/debug.h              |  6 +---
 libsepol/src/dso.h                | 27 ---------------
 libsepol/src/ibendport_internal.h | 11 -------
 libsepol/src/ibendport_record.c   | 10 ------
 libsepol/src/ibpkey_internal.h    | 14 --------
 libsepol/src/ibpkey_record.c      | 13 --------
 libsepol/src/iface_internal.h     | 11 -------
 libsepol/src/iface_record.c       | 10 ------
 libsepol/src/module.c             |  2 --
 libsepol/src/module_internal.h    |  3 --
 libsepol/src/node_internal.h      | 19 -----------
 libsepol/src/node_record.c        | 18 ----------
 libsepol/src/policydb_internal.h  |  3 --
 libsepol/src/policydb_public.c    |  2 --
 libsepol/src/port_internal.h      | 13 --------
 libsepol/src/port_record.c        | 12 -------
 libsepol/src/private.h            |  7 ++--
 libsepol/src/services.c           | 55 +++++++++++++++----------------
 libsepol/src/user_internal.h      | 13 --------
 libsepol/src/user_record.c        | 12 -------
 libsepol/src/util.c               |  3 +-
 26 files changed, 33 insertions(+), 278 deletions(-)
 delete mode 100644 libsepol/src/dso.h

diff --git a/libsepol/src/boolean_internal.h b/libsepol/src/boolean_internal.h
index aad7adecb314..1c1e6a39ce09 100644
--- a/libsepol/src/boolean_internal.h
+++ b/libsepol/src/boolean_internal.h
@@ -3,14 +3,5 @@
 
 #include <sepol/boolean_record.h>
 #include <sepol/booleans.h>
-#include "dso.h"
 
-hidden_proto(sepol_bool_key_create)
-    hidden_proto(sepol_bool_key_unpack)
-    hidden_proto(sepol_bool_get_name)
-    hidden_proto(sepol_bool_set_name)
-    hidden_proto(sepol_bool_get_value)
-    hidden_proto(sepol_bool_set_value)
-    hidden_proto(sepol_bool_create)
-    hidden_proto(sepol_bool_free)
 #endif
diff --git a/libsepol/src/boolean_record.c b/libsepol/src/boolean_record.c
index a194704e851a..6cbf627a5f02 100644
--- a/libsepol/src/boolean_record.c
+++ b/libsepol/src/boolean_record.c
@@ -41,7 +41,6 @@ int sepol_bool_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_key_create)
 
 void sepol_bool_key_unpack(const sepol_bool_key_t * key, const char **name)
 {
@@ -49,7 +48,6 @@ void sepol_bool_key_unpack(const sepol_bool_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_bool_key_unpack)
 
 int sepol_bool_key_extract(sepol_handle_t * handle,
 			   const sepol_bool_t * boolean,
@@ -94,7 +92,6 @@ const char *sepol_bool_get_name(const sepol_bool_t * boolean)
 	return boolean->name;
 }
 
-hidden_def(sepol_bool_get_name)
 
 int sepol_bool_set_name(sepol_handle_t * handle,
 			sepol_bool_t * boolean, const char *name)
@@ -110,7 +107,6 @@ int sepol_bool_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_set_name)
 
 /* Value */
 int sepol_bool_get_value(const sepol_bool_t * boolean)
@@ -119,7 +115,6 @@ int sepol_bool_get_value(const sepol_bool_t * boolean)
 	return boolean->value;
 }
 
-hidden_def(sepol_bool_get_value)
 
 void sepol_bool_set_value(sepol_bool_t * boolean, int value)
 {
@@ -127,7 +122,6 @@ void sepol_bool_set_value(sepol_bool_t * boolean, int value)
 	boolean->value = value;
 }
 
-hidden_def(sepol_bool_set_value)
 
 /* Create */
 int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr)
@@ -148,7 +142,6 @@ int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_create)
 
 /* Deep copy clone */
 int sepol_bool_clone(sepol_handle_t * handle,
@@ -185,4 +178,3 @@ void sepol_bool_free(sepol_bool_t * boolean)
 	free(boolean);
 }
 
-hidden_def(sepol_bool_free)
diff --git a/libsepol/src/context_internal.h b/libsepol/src/context_internal.h
index 7987c1cef22d..3cae28cc1c67 100644
--- a/libsepol/src/context_internal.h
+++ b/libsepol/src/context_internal.h
@@ -2,18 +2,5 @@
 #define _SEPOL_CONTEXT_INTERNAL_H_
 
 #include <sepol/context_record.h>
-#include "dso.h"
 
-hidden_proto(sepol_context_clone)
-    hidden_proto(sepol_context_create)
-    hidden_proto(sepol_context_free)
-    hidden_proto(sepol_context_from_string)
-    hidden_proto(sepol_context_get_mls)
-    hidden_proto(sepol_context_get_role)
-    hidden_proto(sepol_context_get_type)
-    hidden_proto(sepol_context_get_user)
-    hidden_proto(sepol_context_set_mls)
-    hidden_proto(sepol_context_set_role)
-    hidden_proto(sepol_context_set_type)
-    hidden_proto(sepol_context_set_user)
 #endif
diff --git a/libsepol/src/context_record.c b/libsepol/src/context_record.c
index 0a8bbf6db407..317a42133884 100644
--- a/libsepol/src/context_record.c
+++ b/libsepol/src/context_record.c
@@ -29,7 +29,6 @@ const char *sepol_context_get_user(const sepol_context_t * con)
 	return con->user;
 }
 
-hidden_def(sepol_context_get_user)
 
 int sepol_context_set_user(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *user)
@@ -47,7 +46,6 @@ int sepol_context_set_user(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_user)
 
 /* Role */
 const char *sepol_context_get_role(const sepol_context_t * con)
@@ -56,7 +54,6 @@ const char *sepol_context_get_role(const sepol_context_t * con)
 	return con->role;
 }
 
-hidden_def(sepol_context_get_role)
 
 int sepol_context_set_role(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *role)
@@ -73,7 +70,6 @@ int sepol_context_set_role(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_role)
 
 /* Type */
 const char *sepol_context_get_type(const sepol_context_t * con)
@@ -82,7 +78,6 @@ const char *sepol_context_get_type(const sepol_context_t * con)
 	return con->type;
 }
 
-hidden_def(sepol_context_get_type)
 
 int sepol_context_set_type(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *type)
@@ -99,7 +94,6 @@ int sepol_context_set_type(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_type)
 
 /* MLS */
 const char *sepol_context_get_mls(const sepol_context_t * con)
@@ -108,7 +102,6 @@ const char *sepol_context_get_mls(const sepol_context_t * con)
 	return con->mls;
 }
 
-hidden_def(sepol_context_get_mls)
 
 int sepol_context_set_mls(sepol_handle_t * handle,
 			  sepol_context_t * con, const char *mls)
@@ -125,7 +118,6 @@ int sepol_context_set_mls(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_mls)
 
 /* Create */
 int sepol_context_create(sepol_handle_t * handle, sepol_context_t ** con_ptr)
@@ -147,7 +139,6 @@ int sepol_context_create(sepol_handle_t * handle, sepol_context_t ** con_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_create)
 
 /* Deep copy clone */
 int sepol_context_clone(sepol_handle_t * handle,
@@ -188,7 +179,6 @@ int sepol_context_clone(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_context_clone)
 
 /* Destroy */
 void sepol_context_free(sepol_context_t * con)
@@ -204,7 +194,6 @@ void sepol_context_free(sepol_context_t * con)
 	free(con);
 }
 
-hidden_def(sepol_context_free)
 
 int sepol_context_from_string(sepol_handle_t * handle,
 			      const char *str, sepol_context_t ** con)
@@ -278,7 +267,6 @@ int sepol_context_from_string(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_context_from_string)
 
 static inline int safe_sum(size_t *sum, const size_t augends[], const size_t cnt) {
 
diff --git a/libsepol/src/debug.c b/libsepol/src/debug.c
index db57090fafd0..0458e3538884 100644
--- a/libsepol/src/debug.c
+++ b/libsepol/src/debug.c
@@ -23,25 +23,22 @@ int sepol_msg_get_level(sepol_handle_t * handle)
 	return handle->msg_level;
 }
 
-hidden_def(sepol_msg_get_level)
 
 const char *sepol_msg_get_channel(sepol_handle_t * handle)
 {
 	return handle->msg_channel;
 }
 
-hidden_def(sepol_msg_get_channel)
 
 const char *sepol_msg_get_fname(sepol_handle_t * handle)
 {
 	return handle->msg_fname;
 }
 
-hidden_def(sepol_msg_get_fname)
 #ifdef __GNUC__
     __attribute__ ((format(printf, 3, 4)))
 #endif
-void hidden sepol_msg_default_handler(void *varg __attribute__ ((unused)),
+void sepol_msg_default_handler(void *varg __attribute__ ((unused)),
 				      sepol_handle_t * handle,
 				      const char *fmt, ...)
 {
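Review bot: On the changed definition line, `sepol_msg_default_handler` loses its only compile-time visibility restriction (the matching declaration in debug.h loses it too), so keeping this internal handler out of the dynamic symbol table now rests entirely on the linker map mentioned in the commit message, which this diff does not show. The attribute never needed dso.h; writing it out as `void __attribute__ ((visibility ("hidden"))) sepol_msg_default_handler(void *varg __attribute__ ((unused)),` would keep the guarantee for any build that links without the map. The two continuation lines are still indented for the longer old prefix and should be realigned. The function body continues outside the hunk.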
diff --git a/libsepol/src/debug.h b/libsepol/src/debug.h
index 56b397b58310..0b3965d8c500 100644
--- a/libsepol/src/debug.h
+++ b/libsepol/src/debug.h
@@ -21,7 +21,6 @@
 
 #include <stdio.h>
 #include <sepol/debug.h>
-#include "dso.h"
 #include "handle.h"
 
 #define STATUS_SUCCESS 0
@@ -62,13 +61,10 @@
 #ifdef __GNUC__
 __attribute__ ((format(printf, 3, 4)))
 #endif
-extern void hidden sepol_msg_default_handler(void *varg,
+extern void sepol_msg_default_handler(void *varg,
 					     sepol_handle_t * msg,
 					     const char *fmt, ...);
 
 extern struct sepol_handle sepol_compat_handle;
 
-hidden_proto(sepol_msg_get_channel)
-    hidden_proto(sepol_msg_get_fname)
-    hidden_proto(sepol_msg_get_level)
 #endif
diff --git a/libsepol/src/dso.h b/libsepol/src/dso.h
deleted file mode 100644
index a06e3496cc06..000000000000
--- a/libsepol/src/dso.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _SEPOL_DSO_H
-#define _SEPOL_DSO_H	1
-
-#if !defined(SHARED) || defined(ANDROID)
-    #define DISABLE_SYMVER 1
-#endif
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
diff --git a/libsepol/src/ibendport_internal.h b/libsepol/src/ibendport_internal.h
index ed8f9b4dd3d3..8bfb499e5c1b 100644
--- a/libsepol/src/ibendport_internal.h
+++ b/libsepol/src/ibendport_internal.h
@@ -3,16 +3,5 @@
 
 #include <sepol/ibendport_record.h>
 #include <sepol/ibendports.h>
-#include "dso.h"
 
-hidden_proto(sepol_ibendport_create)
-hidden_proto(sepol_ibendport_free)
-hidden_proto(sepol_ibendport_get_con)
-hidden_proto(sepol_ibendport_get_port)
-hidden_proto(sepol_ibendport_key_create)
-hidden_proto(sepol_ibendport_key_unpack)
-hidden_proto(sepol_ibendport_set_con)
-hidden_proto(sepol_ibendport_set_port)
-hidden_proto(sepol_ibendport_get_ibdev_name)
-hidden_proto(sepol_ibendport_set_ibdev_name)
 #endif
diff --git a/libsepol/src/ibendport_record.c b/libsepol/src/ibendport_record.c
index bc56f090d3a4..adf671615e5c 100644
--- a/libsepol/src/ibendport_record.c
+++ b/libsepol/src/ibendport_record.c
@@ -78,7 +78,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_key_create)
 
 void sepol_ibendport_key_unpack(const sepol_ibendport_key_t *key,
 				const char **ibdev_name, int *port)
@@ -87,7 +86,6 @@ void sepol_ibendport_key_unpack(const sepol_ibendport_key_t *key,
 	*port = key->port;
 }
 
-hidden_def(sepol_ibendport_key_unpack)
 
 int sepol_ibendport_key_extract(sepol_handle_t *handle,
 				const sepol_ibendport_t *ibendport,
@@ -152,14 +150,12 @@ int sepol_ibendport_get_port(const sepol_ibendport_t *ibendport)
 	return ibendport->port;
 }
 
-hidden_def(sepol_ibendport_get_port)
 
 void sepol_ibendport_set_port(sepol_ibendport_t *ibendport, int port)
 {
 	ibendport->port = port;
 }
 
-hidden_def(sepol_ibendport_set_port)
 
 int sepol_ibendport_get_ibdev_name(sepol_handle_t *handle,
 				   const sepol_ibendport_t *ibendport,
@@ -180,7 +176,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_get_ibdev_name)
 
 int sepol_ibendport_set_ibdev_name(sepol_handle_t *handle,
 				   sepol_ibendport_t *ibendport,
@@ -202,7 +197,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_set_ibdev_name)
 
 /* Create */
 int sepol_ibendport_create(sepol_handle_t *handle, sepol_ibendport_t **ibendport)
@@ -222,7 +216,6 @@ int sepol_ibendport_create(sepol_handle_t *handle, sepol_ibendport_t **ibendport
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibendport_create)
 
 /* Deep copy clone */
 int sepol_ibendport_clone(sepol_handle_t *handle,
@@ -267,7 +260,6 @@ void sepol_ibendport_free(sepol_ibendport_t *ibendport)
 	free(ibendport);
 }
 
-hidden_def(sepol_ibendport_free)
 
 /* Context */
 sepol_context_t *sepol_ibendport_get_con(const sepol_ibendport_t *ibendport)
@@ -275,7 +267,6 @@ sepol_context_t *sepol_ibendport_get_con(const sepol_ibendport_t *ibendport)
 	return ibendport->con;
 }
 
-hidden_def(sepol_ibendport_get_con)
 
 int sepol_ibendport_set_con(sepol_handle_t *handle,
 			    sepol_ibendport_t *ibendport, sepol_context_t *con)
@@ -292,4 +283,3 @@ int sepol_ibendport_set_con(sepol_handle_t *handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibendport_set_con)
diff --git a/libsepol/src/ibpkey_internal.h b/libsepol/src/ibpkey_internal.h
index addf80a8bf7d..b875f942f8d1 100644
--- a/libsepol/src/ibpkey_internal.h
+++ b/libsepol/src/ibpkey_internal.h
@@ -3,19 +3,5 @@
 
 #include <sepol/ibpkey_record.h>
 #include <sepol/ibpkeys.h>
-#include "dso.h"
 
-hidden_proto(sepol_ibpkey_create)
-hidden_proto(sepol_ibpkey_free)
-hidden_proto(sepol_ibpkey_get_con)
-hidden_proto(sepol_ibpkey_get_high)
-hidden_proto(sepol_ibpkey_get_low)
-hidden_proto(sepol_ibpkey_key_create)
-hidden_proto(sepol_ibpkey_key_unpack)
-hidden_proto(sepol_ibpkey_set_con)
-hidden_proto(sepol_ibpkey_set_range)
-hidden_proto(sepol_ibpkey_get_subnet_prefix)
-hidden_proto(sepol_ibpkey_get_subnet_prefix_bytes)
-hidden_proto(sepol_ibpkey_set_subnet_prefix)
-hidden_proto(sepol_ibpkey_set_subnet_prefix_bytes)
 #endif
diff --git a/libsepol/src/ibpkey_record.c b/libsepol/src/ibpkey_record.c
index badf2b3b6338..6f7aa65602d1 100644
--- a/libsepol/src/ibpkey_record.c
+++ b/libsepol/src/ibpkey_record.c
@@ -128,7 +128,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_key_create)
 
 void sepol_ibpkey_key_unpack(const sepol_ibpkey_key_t *key,
 			     uint64_t *subnet_prefix, int *low, int *high)
@@ -138,7 +137,6 @@ void sepol_ibpkey_key_unpack(const sepol_ibpkey_key_t *key,
 	*high = key->high;
 }
 
-hidden_def(sepol_ibpkey_key_unpack)
 
 int sepol_ibpkey_key_extract(sepol_handle_t *handle,
 			     const sepol_ibpkey_t *ibpkey,
@@ -213,14 +211,12 @@ int sepol_ibpkey_get_low(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->low;
 }
 
-hidden_def(sepol_ibpkey_get_low)
 
 int sepol_ibpkey_get_high(const sepol_ibpkey_t *ibpkey)
 {
 	return ibpkey->high;
 }
 
-hidden_def(sepol_ibpkey_get_high)
 
 void sepol_ibpkey_set_pkey(sepol_ibpkey_t *ibpkey, int pkey_num)
 {
@@ -234,7 +230,6 @@ void sepol_ibpkey_set_range(sepol_ibpkey_t *ibpkey, int low, int high)
 	ibpkey->high = high;
 }
 
-hidden_def(sepol_ibpkey_set_range)
 
 int sepol_ibpkey_get_subnet_prefix(sepol_handle_t *handle,
 				   const sepol_ibpkey_t *ibpkey,
@@ -257,7 +252,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_get_subnet_prefix)
 
 /* Subnet prefix */
 uint64_t sepol_ibpkey_get_subnet_prefix_bytes(const sepol_ibpkey_t *ibpkey)
@@ -265,7 +259,6 @@ uint64_t sepol_ibpkey_get_subnet_prefix_bytes(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->subnet_prefix;
 }
 
-hidden_def(sepol_ibpkey_get_subnet_prefix_bytes)
 
 int sepol_ibpkey_set_subnet_prefix(sepol_handle_t *handle,
 				   sepol_ibpkey_t *ibpkey,
@@ -284,7 +277,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_set_subnet_prefix)
 
 void sepol_ibpkey_set_subnet_prefix_bytes(sepol_ibpkey_t *ibpkey,
 					  uint64_t subnet_prefix)
@@ -292,7 +284,6 @@ void sepol_ibpkey_set_subnet_prefix_bytes(sepol_ibpkey_t *ibpkey,
 	ibpkey->subnet_prefix = subnet_prefix;
 }
 
-hidden_def(sepol_ibpkey_set_subnet_prefix_bytes)
 
 /* Create */
 int sepol_ibpkey_create(sepol_handle_t *handle, sepol_ibpkey_t **ibpkey)
@@ -313,7 +304,6 @@ int sepol_ibpkey_create(sepol_handle_t *handle, sepol_ibpkey_t **ibpkey)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibpkey_create)
 
 /* Deep copy clone */
 int sepol_ibpkey_clone(sepol_handle_t *handle,
@@ -351,7 +341,6 @@ void sepol_ibpkey_free(sepol_ibpkey_t *ibpkey)
 	free(ibpkey);
 }
 
-hidden_def(sepol_ibpkey_free)
 
 /* Context */
 sepol_context_t *sepol_ibpkey_get_con(const sepol_ibpkey_t *ibpkey)
@@ -359,7 +348,6 @@ sepol_context_t *sepol_ibpkey_get_con(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->con;
 }
 
-hidden_def(sepol_ibpkey_get_con)
 
 int sepol_ibpkey_set_con(sepol_handle_t *handle,
 			 sepol_ibpkey_t *ibpkey, sepol_context_t *con)
@@ -376,4 +364,3 @@ int sepol_ibpkey_set_con(sepol_handle_t *handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibpkey_set_con)
diff --git a/libsepol/src/iface_internal.h b/libsepol/src/iface_internal.h
index 5b78d9bd93ff..82fb60cb2c85 100644
--- a/libsepol/src/iface_internal.h
+++ b/libsepol/src/iface_internal.h
@@ -3,16 +3,5 @@
 
 #include <sepol/iface_record.h>
 #include <sepol/interfaces.h>
-#include "dso.h"
 
-hidden_proto(sepol_iface_create)
-    hidden_proto(sepol_iface_free)
-    hidden_proto(sepol_iface_get_ifcon)
-    hidden_proto(sepol_iface_get_msgcon)
-    hidden_proto(sepol_iface_get_name)
-    hidden_proto(sepol_iface_key_create)
-    hidden_proto(sepol_iface_key_unpack)
-    hidden_proto(sepol_iface_set_ifcon)
-    hidden_proto(sepol_iface_set_msgcon)
-    hidden_proto(sepol_iface_set_name)
 #endif
diff --git a/libsepol/src/iface_record.c b/libsepol/src/iface_record.c
index 6d568355468d..e77569898900 100644
--- a/libsepol/src/iface_record.c
+++ b/libsepol/src/iface_record.c
@@ -47,7 +47,6 @@ int sepol_iface_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_key_create)
 
 void sepol_iface_key_unpack(const sepol_iface_key_t * key, const char **name)
 {
@@ -55,7 +54,6 @@ void sepol_iface_key_unpack(const sepol_iface_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_iface_key_unpack)
 
 int sepol_iface_key_extract(sepol_handle_t * handle,
 			    const sepol_iface_t * iface,
@@ -114,7 +112,6 @@ int sepol_iface_create(sepol_handle_t * handle, sepol_iface_t ** iface)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_create)
 
 /* Name */
 const char *sepol_iface_get_name(const sepol_iface_t * iface)
@@ -123,7 +120,6 @@ const char *sepol_iface_get_name(const sepol_iface_t * iface)
 	return iface->name;
 }
 
-hidden_def(sepol_iface_get_name)
 
 int sepol_iface_set_name(sepol_handle_t * handle,
 			 sepol_iface_t * iface, const char *name)
@@ -139,7 +135,6 @@ int sepol_iface_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_name)
 
 /* Interface Context */
 sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface)
@@ -148,7 +143,6 @@ sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface)
 	return iface->netif_con;
 }
 
-hidden_def(sepol_iface_get_ifcon)
 
 int sepol_iface_set_ifcon(sepol_handle_t * handle,
 			  sepol_iface_t * iface, sepol_context_t * con)
@@ -166,7 +160,6 @@ int sepol_iface_set_ifcon(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_ifcon)
 
 /* Message Context */
 sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface)
@@ -175,7 +168,6 @@ sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface)
 	return iface->netmsg_con;
 }
 
-hidden_def(sepol_iface_get_msgcon)
 
 int sepol_iface_set_msgcon(sepol_handle_t * handle,
 			   sepol_iface_t * iface, sepol_context_t * con)
@@ -192,7 +184,6 @@ int sepol_iface_set_msgcon(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_msgcon)
 
 /* Deep copy clone */
 int sepol_iface_clone(sepol_handle_t * handle,
@@ -238,4 +229,3 @@ void sepol_iface_free(sepol_iface_t * iface)
 	free(iface);
 }
 
-hidden_def(sepol_iface_free)
diff --git a/libsepol/src/module.c b/libsepol/src/module.c
index 3b8a0a59ca68..836da308f8d3 100644
--- a/libsepol/src/module.c
+++ b/libsepol/src/module.c
@@ -132,7 +132,6 @@ int sepol_module_package_create(sepol_module_package_t ** p)
 	return rc;
 }
 
-hidden_def(sepol_module_package_create)
 
 /* Deallocates all memory associated with a module package, including
  * the pointer itself.  Does nothing if p is NULL.
@@ -150,7 +149,6 @@ void sepol_module_package_free(sepol_module_package_t * p)
 	free(p);
 }
 
-hidden_def(sepol_module_package_free)
 
 char *sepol_module_package_get_file_contexts(sepol_module_package_t * p)
 {
diff --git a/libsepol/src/module_internal.h b/libsepol/src/module_internal.h
index cdd5ec65cfff..ac1be36a2f72 100644
--- a/libsepol/src/module_internal.h
+++ b/libsepol/src/module_internal.h
@@ -1,5 +1,2 @@
 #include <sepol/module.h>
-#include "dso.h"
 
-hidden_proto(sepol_module_package_create)
-    hidden_proto(sepol_module_package_free)
diff --git a/libsepol/src/node_internal.h b/libsepol/src/node_internal.h
index 802cda97c181..6d3c250543ae 100644
--- a/libsepol/src/node_internal.h
+++ b/libsepol/src/node_internal.h
@@ -3,24 +3,5 @@
 
 #include <sepol/node_record.h>
 #include <sepol/nodes.h>
-#include "dso.h"
 
-hidden_proto(sepol_node_create)
-    hidden_proto(sepol_node_key_free)
-    hidden_proto(sepol_node_free)
-    hidden_proto(sepol_node_get_con)
-    hidden_proto(sepol_node_get_addr)
-    hidden_proto(sepol_node_get_addr_bytes)
-    hidden_proto(sepol_node_get_mask)
-    hidden_proto(sepol_node_get_mask_bytes)
-    hidden_proto(sepol_node_get_proto)
-    hidden_proto(sepol_node_get_proto_str)
-    hidden_proto(sepol_node_key_create)
-    hidden_proto(sepol_node_key_unpack)
-    hidden_proto(sepol_node_set_con)
-    hidden_proto(sepol_node_set_addr)
-    hidden_proto(sepol_node_set_addr_bytes)
-    hidden_proto(sepol_node_set_mask)
-    hidden_proto(sepol_node_set_mask_bytes)
-    hidden_proto(sepol_node_set_proto)
 #endif
diff --git a/libsepol/src/node_record.c b/libsepol/src/node_record.c
index f3e78ff3c788..9ef429da8768 100644
--- a/libsepol/src/node_record.c
+++ b/libsepol/src/node_record.c
@@ -259,7 +259,6 @@ int sepol_node_key_create(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_key_create)
 
 void sepol_node_key_unpack(const sepol_node_key_t * key,
 			   const char **addr, const char **mask, int *proto)
@@ -270,7 +269,6 @@ void sepol_node_key_unpack(const sepol_node_key_t * key,
 	*proto = key->proto;
 }
 
-hidden_def(sepol_node_key_unpack)
 
 int sepol_node_key_extract(sepol_handle_t * handle,
 			   const sepol_node_t * node,
@@ -314,7 +312,6 @@ void sepol_node_key_free(sepol_node_key_t * key)
 	free(key);
 }
 
-hidden_def(sepol_node_key_free)
 
 int sepol_node_compare(const sepol_node_t * node, const sepol_node_key_t * key)
 {
@@ -375,7 +372,6 @@ int sepol_node_get_addr(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_get_addr)
 
 int sepol_node_get_addr_bytes(sepol_handle_t * handle,
 			      const sepol_node_t * node,
@@ -394,7 +390,6 @@ int sepol_node_get_addr_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_get_addr_bytes)
 
 int sepol_node_set_addr(sepol_handle_t * handle,
 			sepol_node_t * node, int proto, const char *addr)
@@ -420,7 +415,6 @@ int sepol_node_set_addr(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_set_addr)
 
 int sepol_node_set_addr_bytes(sepol_handle_t * handle,
 			      sepol_node_t * node,
@@ -440,7 +434,6 @@ int sepol_node_set_addr_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_addr_bytes)
 
 /* Mask */
 int sepol_node_get_mask(sepol_handle_t * handle,
@@ -464,7 +457,6 @@ int sepol_node_get_mask(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_get_mask)
 
 int sepol_node_get_mask_bytes(sepol_handle_t * handle,
 			      const sepol_node_t * node,
@@ -483,7 +475,6 @@ int sepol_node_get_mask_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_get_mask_bytes)
 
 int sepol_node_set_mask(sepol_handle_t * handle,
 			sepol_node_t * node, int proto, const char *mask)
@@ -509,7 +500,6 @@ int sepol_node_set_mask(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_set_mask)
 
 int sepol_node_set_mask_bytes(sepol_handle_t * handle,
 			      sepol_node_t * node,
@@ -528,7 +518,6 @@ int sepol_node_set_mask_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_mask_bytes)
 
 /* Protocol */
 int sepol_node_get_proto(const sepol_node_t * node)
@@ -537,7 +526,6 @@ int sepol_node_get_proto(const sepol_node_t * node)
 	return node->proto;
 }
 
-hidden_def(sepol_node_get_proto)
 
 void sepol_node_set_proto(sepol_node_t * node, int proto)
 {
@@ -545,7 +533,6 @@ void sepol_node_set_proto(sepol_node_t * node, int proto)
 	node->proto = proto;
 }
 
-hidden_def(sepol_node_set_proto)
 
 const char *sepol_node_get_proto_str(int proto)
 {
@@ -560,7 +547,6 @@ const char *sepol_node_get_proto_str(int proto)
 	}
 }
 
-hidden_def(sepol_node_get_proto_str)
 
 /* Create */
 int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node)
@@ -584,7 +570,6 @@ int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_create)
 
 /* Deep copy clone */
 int sepol_node_clone(sepol_handle_t * handle,
@@ -637,7 +622,6 @@ void sepol_node_free(sepol_node_t * node)
 	free(node);
 }
 
-hidden_def(sepol_node_free)
 
 /* Context */
 sepol_context_t *sepol_node_get_con(const sepol_node_t * node)
@@ -646,7 +630,6 @@ sepol_context_t *sepol_node_get_con(const sepol_node_t * node)
 	return node->con;
 }
 
-hidden_def(sepol_node_get_con)
 
 int sepol_node_set_con(sepol_handle_t * handle,
 		       sepol_node_t * node, sepol_context_t * con)
@@ -664,4 +647,3 @@ int sepol_node_set_con(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_con)
diff --git a/libsepol/src/policydb_internal.h b/libsepol/src/policydb_internal.h
index f7bcdfa3df31..06ba5c8be144 100644
--- a/libsepol/src/policydb_internal.h
+++ b/libsepol/src/policydb_internal.h
@@ -2,9 +2,6 @@
 #define _SEPOL_POLICYDB_INTERNAL_H_
 
 #include <sepol/policydb.h>
-#include "dso.h"
 
-hidden_proto(sepol_policydb_create)
-    hidden_proto(sepol_policydb_free)
 extern const char *policydb_target_strings[];
 #endif
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index 747a43ff0a5c..e5def7078eb0 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -73,7 +73,6 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
 	return 0;
 }
 
-hidden_def(sepol_policydb_create)
 
 void sepol_policydb_free(sepol_policydb_t * p)
 {
@@ -83,7 +82,6 @@ void sepol_policydb_free(sepol_policydb_t * p)
 	free(p);
 }
 
-hidden_def(sepol_policydb_free)
 
 int sepol_policy_kern_vers_min(void)
 {
diff --git a/libsepol/src/port_internal.h b/libsepol/src/port_internal.h
index ffb5f65ad20b..80cf5c25366d 100644
--- a/libsepol/src/port_internal.h
+++ b/libsepol/src/port_internal.h
@@ -3,18 +3,5 @@
 
 #include <sepol/port_record.h>
 #include <sepol/ports.h>
-#include "dso.h"
 
-hidden_proto(sepol_port_create)
-    hidden_proto(sepol_port_free)
-    hidden_proto(sepol_port_get_con)
-    hidden_proto(sepol_port_get_high)
-    hidden_proto(sepol_port_get_low)
-    hidden_proto(sepol_port_get_proto)
-    hidden_proto(sepol_port_get_proto_str)
-    hidden_proto(sepol_port_key_create)
-    hidden_proto(sepol_port_key_unpack)
-    hidden_proto(sepol_port_set_con)
-    hidden_proto(sepol_port_set_proto)
-    hidden_proto(sepol_port_set_range)
 #endif
diff --git a/libsepol/src/port_record.c b/libsepol/src/port_record.c
index 15fb198fb359..7054dbc2e1b4 100644
--- a/libsepol/src/port_record.c
+++ b/libsepol/src/port_record.c
@@ -46,7 +46,6 @@ int sepol_port_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_key_create)
 
 void sepol_port_key_unpack(const sepol_port_key_t * key,
 			   int *low, int *high, int *proto)
@@ -57,7 +56,6 @@ void sepol_port_key_unpack(const sepol_port_key_t * key,
 	*proto = key->proto;
 }
 
-hidden_def(sepol_port_key_unpack)
 
 int sepol_port_key_extract(sepol_handle_t * handle,
 			   const sepol_port_t * port,
@@ -141,7 +139,6 @@ int sepol_port_get_low(const sepol_port_t * port)
 	return port->low;
 }
 
-hidden_def(sepol_port_get_low)
 
 int sepol_port_get_high(const sepol_port_t * port)
 {
@@ -149,7 +146,6 @@ int sepol_port_get_high(const sepol_port_t * port)
 	return port->high;
 }
 
-hidden_def(sepol_port_get_high)
 
 void sepol_port_set_port(sepol_port_t * port, int port_num)
 {
@@ -165,7 +161,6 @@ void sepol_port_set_range(sepol_port_t * port, int low, int high)
 	port->high = high;
 }
 
-hidden_def(sepol_port_set_range)
 
 /* Protocol */
 int sepol_port_get_proto(const sepol_port_t * port)
@@ -174,7 +169,6 @@ int sepol_port_get_proto(const sepol_port_t * port)
 	return port->proto;
 }
 
-hidden_def(sepol_port_get_proto)
 
 const char *sepol_port_get_proto_str(int proto)
 {
@@ -193,7 +187,6 @@ const char *sepol_port_get_proto_str(int proto)
 	}
 }
 
-hidden_def(sepol_port_get_proto_str)
 
 void sepol_port_set_proto(sepol_port_t * port, int proto)
 {
@@ -201,7 +194,6 @@ void sepol_port_set_proto(sepol_port_t * port, int proto)
 	port->proto = proto;
 }
 
-hidden_def(sepol_port_set_proto)
 
 /* Create */
 int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port)
@@ -223,7 +215,6 @@ int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_create)
 
 /* Deep copy clone */
 int sepol_port_clone(sepol_handle_t * handle,
@@ -262,7 +253,6 @@ void sepol_port_free(sepol_port_t * port)
 	free(port);
 }
 
-hidden_def(sepol_port_free)
 
 /* Context */
 sepol_context_t *sepol_port_get_con(const sepol_port_t * port)
@@ -271,7 +261,6 @@ sepol_context_t *sepol_port_get_con(const sepol_port_t * port)
 	return port->con;
 }
 
-hidden_def(sepol_port_get_con)
 
 int sepol_port_set_con(sepol_handle_t * handle,
 		       sepol_port_t * port, sepol_context_t * con)
@@ -289,4 +278,3 @@ int sepol_port_set_con(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_set_con)
diff --git a/libsepol/src/private.h b/libsepol/src/private.h
index b884c23b91fe..f5b5277f183a 100644
--- a/libsepol/src/private.h
+++ b/libsepol/src/private.h
@@ -14,7 +14,6 @@
 #endif
 
 #include <errno.h>
-#include <dso.h>
 
 #ifdef __APPLE__
 #define __BYTE_ORDER  BYTE_ORDER
@@ -62,7 +61,7 @@ extern struct policydb_compat_info *policydb_lookup_compat(unsigned int version,
 						unsigned int target_platform);
 
 /* Reading from a policy "file". */
-extern int next_entry(void *buf, struct policy_file *fp, size_t bytes) hidden;
+extern int next_entry(void *buf, struct policy_file *fp, size_t bytes);
 extern size_t put_entry(const void *ptr, size_t size, size_t n,
-		        struct policy_file *fp) hidden;
-extern int str_read(char **strp, struct policy_file *fp, size_t len) hidden;
+		        struct policy_file *fp);
+extern int str_read(char **strp, struct policy_file *fp, size_t len);
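Review bot: With `hidden` removed from `next_entry`, `put_entry` and `str_read` in this hunk, the declarations no longer say that these helpers are library-internal, and their unprefixed names make that easy to miss. Keeping them out of the dynamic symbol table now rests entirely on the linker map, which is not part of this hunk. A short comment above the block would record the intent, for example `/* Internal helpers: not part of the ABI, keep out of libsepol.map. */`. The same applies to `tokenize` in the util.c hunk and to the `sepol_*` definitions in the services.c hunks that lose the attribute.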
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 3758436f8e34..51314dabb574 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -66,7 +66,6 @@
 #include "private.h"
 #include "context.h"
 #include "av_permissions.h"
-#include "dso.h"
 #include "mls.h"
 
 #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
@@ -121,13 +120,13 @@ static char *pop(void)
 }
 /* End Stack services */
 
-int hidden sepol_set_sidtab(sidtab_t * s)
+int sepol_set_sidtab(sidtab_t * s)
 {
 	sidtab = s;
 	return 0;
 }
 
-int hidden sepol_set_policydb(policydb_t * p)
+int sepol_set_policydb(policydb_t * p)
 {
 	policydb = p;
 	return 0;
@@ -1013,7 +1012,7 @@ static int context_struct_compute_av(context_struct_t * scontext,
 	return 0;
 }
 
-int hidden sepol_validate_transition(sepol_security_id_t oldsid,
+int sepol_validate_transition(sepol_security_id_t oldsid,
 				     sepol_security_id_t newsid,
 				     sepol_security_id_t tasksid,
 				     sepol_security_class_t tclass)
@@ -1064,7 +1063,7 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
  * sepol_validate_transition_reason_buffer - the reason buffer is realloc'd
  * in the constraint_expr_eval_reason() function.
  */
-int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
 				     sepol_security_id_t newsid,
 				     sepol_security_id_t tasksid,
 				     sepol_security_class_t tclass,
@@ -1122,7 +1121,7 @@ int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
 	return 0;
 }
 
-int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
+int sepol_compute_av_reason(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
@@ -1156,7 +1155,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
  * REASON_BUF_SIZE. If the buffer size is exceeded, then it is realloc'd
  * in the constraint_expr_eval_reason() function.
  */
-int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
+int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
@@ -1198,7 +1197,7 @@ out:
 	return rc;
 }
 
-int hidden sepol_compute_av(sepol_security_id_t ssid,
+int sepol_compute_av(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_access_vector_t requested,
@@ -1213,7 +1212,7 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
  * Return a class ID associated with the class string specified by
  * class_name.
  */
-int hidden sepol_string_to_security_class(const char *class_name,
+int sepol_string_to_security_class(const char *class_name,
 			sepol_security_class_t *tclass)
 {
 	class_datum_t *tclass_datum;
@@ -1232,7 +1231,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
  * Return access vector bit associated with the class ID and permission
  * string.
  */
-int hidden sepol_string_to_av_perm(sepol_security_class_t tclass,
+int sepol_string_to_av_perm(sepol_security_class_t tclass,
 					const char *perm_name,
 					sepol_access_vector_t *av)
 {
@@ -1277,7 +1276,7 @@ out:
  * to point to this string and set `*scontext_len' to
  * the length of the string.
  */
-int hidden sepol_sid_to_context(sepol_security_id_t sid,
+int sepol_sid_to_context(sepol_security_id_t sid,
 				sepol_security_context_t * scontext,
 				size_t * scontext_len)
 {
@@ -1300,7 +1299,7 @@ int hidden sepol_sid_to_context(sepol_security_id_t sid,
  * Return a SID associated with the security context that
  * has the string representation specified by `scontext'.
  */
-int hidden sepol_context_to_sid(const sepol_security_context_t scontext,
+int sepol_context_to_sid(const sepol_security_context_t scontext,
 				size_t scontext_len, sepol_security_id_t * sid)
 {
 
@@ -1480,7 +1479,7 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
  * Compute a SID to use for labeling a new object in the 
  * class `tclass' based on a SID pair.  
  */
-int hidden sepol_transition_sid(sepol_security_id_t ssid,
+int sepol_transition_sid(sepol_security_id_t ssid,
 				sepol_security_id_t tsid,
 				sepol_security_class_t tclass,
 				sepol_security_id_t * out_sid)
@@ -1493,7 +1492,7 @@ int hidden sepol_transition_sid(sepol_security_id_t ssid,
  * polyinstantiated object of class `tclass' based on 
  * a SID pair.
  */
-int hidden sepol_member_sid(sepol_security_id_t ssid,
+int sepol_member_sid(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_security_id_t * out_sid)
@@ -1505,7 +1504,7 @@ int hidden sepol_member_sid(sepol_security_id_t ssid,
  * Compute a SID to use for relabeling an object in the 
  * class `tclass' based on a SID pair.  
  */
-int hidden sepol_change_sid(sepol_security_id_t ssid,
+int sepol_change_sid(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_security_id_t * out_sid)
@@ -1691,7 +1690,7 @@ static int convert_context(sepol_security_id_t key __attribute__ ((unused)),
 }
 
 /* Reading from a policy "file". */
-int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
+int next_entry(void *buf, struct policy_file *fp, size_t bytes)
 {
 	size_t nread;
 
@@ -1718,7 +1717,7 @@ int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
 	return 0;
 }
 
-size_t hidden put_entry(const void *ptr, size_t size, size_t n,
+size_t put_entry(const void *ptr, size_t size, size_t n,
 			struct policy_file *fp)
 {
 	size_t bytes = size * n;
@@ -1753,7 +1752,7 @@ size_t hidden put_entry(const void *ptr, size_t size, size_t n,
  *   0 - Success
  *  -1 - Failure with errno set
  */
-int hidden str_read(char **strp, struct policy_file *fp, size_t len)
+int str_read(char **strp, struct policy_file *fp, size_t len)
 {
 	int rc;
 	char *str;
@@ -1796,7 +1795,7 @@ int hidden str_read(char **strp, struct policy_file *fp, size_t len)
  *
  * Reset the access vector cache.
  */
-int hidden sepol_load_policy(void *data, size_t len)
+int sepol_load_policy(void *data, size_t len)
 {
 	policydb_t oldpolicydb, newpolicydb;
 	sidtab_t oldsidtab, newsidtab;
@@ -1869,7 +1868,7 @@ int hidden sepol_load_policy(void *data, size_t len)
  * the file system and the `file_sid' SID is returned
  * for all files within that file system.
  */
-int hidden sepol_fs_sid(char *name,
+int sepol_fs_sid(char *name,
 			sepol_security_id_t * fs_sid,
 			sepol_security_id_t * file_sid)
 {
@@ -1911,7 +1910,7 @@ int hidden sepol_fs_sid(char *name,
  * Return the SID of the ibpkey specified by
  * `subnet prefix', and `pkey number'.
  */
-int hidden sepol_ibpkey_sid(uint64_t subnet_prefix,
+int sepol_ibpkey_sid(uint64_t subnet_prefix,
 			    uint16_t pkey, sepol_security_id_t *out_sid)
 {
 	ocontext_t *c;
@@ -1947,7 +1946,7 @@ out:
  * Return the SID of the subnet management interface specified by
  * `device name', and `port'.
  */
-int hidden sepol_ibendport_sid(char *dev_name,
+int sepol_ibendport_sid(char *dev_name,
 			       uint8_t port,
 			       sepol_security_id_t *out_sid)
 {
@@ -1984,7 +1983,7 @@ out:
  * Return the SID of the port specified by
  * `domain', `type', `protocol', and `port'.
  */
-int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
+int sepol_port_sid(uint16_t domain __attribute__ ((unused)),
 			  uint16_t type __attribute__ ((unused)),
 			  uint8_t protocol,
 			  uint16_t port, sepol_security_id_t * out_sid)
@@ -2024,7 +2023,7 @@ int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
  * the default SID for messages received on the
  * interface.
  */
-int hidden sepol_netif_sid(char *name,
+int sepol_netif_sid(char *name,
 			   sepol_security_id_t * if_sid,
 			   sepol_security_id_t * msg_sid)
 {
@@ -2082,7 +2081,7 @@ static int match_ipv6_addrmask(uint32_t * input, uint32_t * addr,
  * in bytes and `domain' is the communications domain or
  * address family in which the address should be interpreted.
  */
-int hidden sepol_node_sid(uint16_t domain,
+int sepol_node_sid(uint16_t domain,
 			  void *addrp,
 			  size_t addrlen, sepol_security_id_t * out_sid)
 {
@@ -2155,7 +2154,7 @@ int hidden sepol_node_sid(uint16_t domain,
  */
 #define SIDS_NEL 25
 
-int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
+int sepol_get_user_sids(sepol_security_id_t fromsid,
 			       char *username,
 			       sepol_security_id_t ** sids, uint32_t * nel)
 {
@@ -2250,7 +2249,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
  * that cannot support a persistent label mapping or use another
  * fixed labeling behavior like transition SIDs or task SIDs.
  */
-int hidden sepol_genfs_sid(const char *fstype,
+int sepol_genfs_sid(const char *fstype,
 			   const char *path,
 			   sepol_security_class_t sclass,
 			   sepol_security_id_t * sid)
@@ -2297,7 +2296,7 @@ int hidden sepol_genfs_sid(const char *fstype,
 	return rc;
 }
 
-int hidden sepol_fs_use(const char *fstype,
+int sepol_fs_use(const char *fstype,
 			unsigned int *behavior, sepol_security_id_t * sid)
 {
 	int rc = 0;
diff --git a/libsepol/src/user_internal.h b/libsepol/src/user_internal.h
index 7523b7d54076..f5b22b023034 100644
--- a/libsepol/src/user_internal.h
+++ b/libsepol/src/user_internal.h
@@ -3,18 +3,5 @@
 
 #include <sepol/user_record.h>
 #include <sepol/users.h>
-#include "dso.h"
 
-hidden_proto(sepol_user_add_role)
-    hidden_proto(sepol_user_create)
-    hidden_proto(sepol_user_free)
-    hidden_proto(sepol_user_get_mlslevel)
-    hidden_proto(sepol_user_get_mlsrange)
-    hidden_proto(sepol_user_get_roles)
-    hidden_proto(sepol_user_has_role)
-    hidden_proto(sepol_user_key_create)
-    hidden_proto(sepol_user_key_unpack)
-    hidden_proto(sepol_user_set_mlslevel)
-    hidden_proto(sepol_user_set_mlsrange)
-    hidden_proto(sepol_user_set_name)
 #endif
diff --git a/libsepol/src/user_record.c b/libsepol/src/user_record.c
index fa95f2d1b227..ac5200604091 100644
--- a/libsepol/src/user_record.c
+++ b/libsepol/src/user_record.c
@@ -51,7 +51,6 @@ int sepol_user_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_key_create)
 
 void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
 {
@@ -59,7 +58,6 @@ void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_user_key_unpack)
 
 int sepol_user_key_extract(sepol_handle_t * handle,
 			   const sepol_user_t * user,
@@ -115,7 +113,6 @@ int sepol_user_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_name)
 
 /* MLS */
 const char *sepol_user_get_mlslevel(const sepol_user_t * user)
@@ -124,7 +121,6 @@ const char *sepol_user_get_mlslevel(const sepol_user_t * user)
 	return user->mls_level;
 }
 
-hidden_def(sepol_user_get_mlslevel)
 
 int sepol_user_set_mlslevel(sepol_handle_t * handle,
 			    sepol_user_t * user, const char *mls_level)
@@ -141,7 +137,6 @@ int sepol_user_set_mlslevel(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_mlslevel)
 
 const char *sepol_user_get_mlsrange(const sepol_user_t * user)
 {
@@ -149,7 +144,6 @@ const char *sepol_user_get_mlsrange(const sepol_user_t * user)
 	return user->mls_range;
 }
 
-hidden_def(sepol_user_get_mlsrange)
 
 int sepol_user_set_mlsrange(sepol_handle_t * handle,
 			    sepol_user_t * user, const char *mls_range)
@@ -166,7 +160,6 @@ int sepol_user_set_mlsrange(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_mlsrange)
 
 /* Roles */
 int sepol_user_get_num_roles(const sepol_user_t * user)
@@ -207,7 +200,6 @@ int sepol_user_add_role(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_user_add_role)
 
 int sepol_user_has_role(const sepol_user_t * user, const char *role)
 {
@@ -220,7 +212,6 @@ int sepol_user_has_role(const sepol_user_t * user, const char *role)
 	return 0;
 }
 
-hidden_def(sepol_user_has_role)
 
 int sepol_user_set_roles(sepol_handle_t * handle,
 			 sepol_user_t * user,
@@ -292,7 +283,6 @@ int sepol_user_get_roles(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_user_get_roles)
 
 void sepol_user_del_role(sepol_user_t * user, const char *role)
 {
@@ -330,7 +320,6 @@ int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_create)
 
 /* Deep copy clone */
 int sepol_user_clone(sepol_handle_t * handle,
@@ -386,4 +375,3 @@ void sepol_user_free(sepol_user_t * user)
 	free(user);
 }
 
-hidden_def(sepol_user_free)
diff --git a/libsepol/src/util.c b/libsepol/src/util.c
index a4008882b94b..d51750af3fa1 100644
--- a/libsepol/src/util.c
+++ b/libsepol/src/util.c
@@ -27,7 +27,6 @@
 #include <sepol/policydb/flask_types.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/util.h>
-#include <dso.h>
 
 struct val_to_name {
 	unsigned int val;
@@ -250,7 +249,7 @@ static inline int tokenize_str(char delim, char **str, char **ptr, size_t *len)
  * contain the remaining content of line_buf. If the delimiter is any whitespace
  * character, then all whitespace will be squashed.
  */
-int hidden tokenize(char *line_buf, char delim, int num_args, ...)
+int tokenize(char *line_buf, char delim, int num_args, ...)
 {
 	char **arg, *buf_p;
 	int rc, items;
-- 
2.17.1



* [PATCH 2/2] libsepol/Makefile: add -fno-semantic-interposition
  2020-03-09 15:25 libsepol drop dso.h bill.c.roberts
  2020-03-09 15:25 ` [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-03-09 15:25 ` bill.c.roberts
  2020-03-10 21:08 ` V2 libsepol drop dso.h bill.c.roberts
  2 siblings, 0 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-09 15:25 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loaded first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index ccb702338446..8d466f56ed0e 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -19,7 +19,7 @@ LIBMAP=libsepol.map
 LIBSO=$(TARGET).$(LIBVERSION)
 OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c)))
 LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c)))
-CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2
+CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2 -fno-semantic-interposition
 
 override CFLAGS += -I. -I../include -D_GNU_SOURCE
 
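Review bot: The new flag is added to the `CFLAGS ?=` default, so any build that supplies its own CFLAGS compiles without it, and internal calls to exported functions become interposable again with no warning. Since the commit message presents the flag as the replacement for the removed hidden aliases, it may belong on the line that cannot be overridden: `override CFLAGS += -I. -I../include -D_GNU_SOURCE -fno-semantic-interposition`. The cost is that a compiler lacking the option could then no longer build the library by overriding CFLAGS. As far as I can tell the option only lets the compiler bind calls inside one translation unit; calls between source files of the library are still resolved at link or load time, so it is worth checking whether the shared-library link also needs `-Wl,-Bsymbolic-functions`.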
-- 
2.17.1



* Re: [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def
  2020-03-09 15:25 ` [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-03-10 20:10   ` Stephen Smalley
  2020-03-10 20:15     ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-10 20:10 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Mon, Mar 9, 2020 at 11:25 AM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> libsepol already has a linker script controlling it's exports, so this
> patch has a net 0 affect, with the exception that internal callers of
> external routines, which there could be 0 of, could potentially call a
> non-libsepol routine depending on library load order.
>
> Additionally, verify that nothing changed in external symbols as well:
>
> This was checked by generating an old export map (from master):
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
>
> Then creating a new one for this library after this patch is applied:
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
>
> And diffing them:
> diff old.map new.map
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

I get the following differences when I do the same:

$ diff oldmap newmap
62a63
> sepol_context_to_sid
93a95
> sepol_ibendport_sid
117a120
> sepol_ibpkey_sid
163a167
> sepol_msg_default_handler
194a199
> sepol_node_sid
240a246
> sepol_port_sid

Looks like these were marked hidden previously but get pulled into the
map through wildcards if that isn't retained.
Maybe we should drop wildcards from the version script.


* Re: [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def
  2020-03-10 20:10   ` Stephen Smalley
@ 2020-03-10 20:15     ` William Roberts
  0 siblings, 0 replies; 36+ messages in thread
From: William Roberts @ 2020-03-10 20:15 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Tue, Mar 10, 2020 at 3:09 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Mar 9, 2020 at 11:25 AM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > libsepol already has a linker script controlling it's exports, so this
> > patch has a net 0 affect, with the exception that internal callers of
> > external routines, which there could be 0 of, could potentially call a
> > non-libsepol routine depending on library load order.
> >
> > Additionally, verify that nothing changed in external symbols as well:
> >
> > This was checked by generating an old export map (from master):
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> >
> > Then creating a new one for this library after this patch is applied:
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> >
> > And diffing them:
> > diff old.map new.map
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>
> I get the following differences when I do the same:
>
> $ diff oldmap newmap
> 62a63
> > sepol_context_to_sid
> 93a95
> > sepol_ibendport_sid
> 117a120
> > sepol_ibpkey_sid
> 163a167
> > sepol_msg_default_handler
> 194a199
> > sepol_node_sid
> 240a246
> > sepol_port_sid
>
> Looks like these were marked hidden previously but get pulled into the
> map through wildcards if that isn't retained.
> Maybe we should drop wildcards from the version script.

Interesting, i'm glad you double checked that. I wonder why my diff came out
clean, perhaps I fat fingered something or didn't have a clean environment.

Yeah pulling out those wild cards is probably smart anyway, even if the diff
did come back clean.


* V2 libsepol drop dso.h
  2020-03-09 15:25 libsepol drop dso.h bill.c.roberts
  2020-03-09 15:25 ` [PATCH 1/2] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
  2020-03-09 15:25 ` [PATCH 2/2] libsepol/Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-03-10 21:08 ` bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 1/3] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
                     ` (2 more replies)
  2 siblings, 3 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-10 21:08 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

V2:
  - Add a third patch that removes the wildcard from the map file
    and gets the exported symbol diff between master clean.

Following up with the dso.h drop, this follows in the same footsteps
using -fno-semantic-interposition and a linker map script. Libsepol
already had a linker map, but was using wild cards. So a patch to
drop the wildcards and explicitly add the exported routines was
needed. Since that patch to the map file is so large, I also sorted
the list so it's easy to follow. Additionally, like the other patches
for libselinux, add the -fno-semantic-interposition. Also, in keeping
with similar behavior to libselinux, I set the option on the
overridable CFLAGS.

[PATCH v2 1/3] libsepol/dso: drop hidden_proto and hidden_def
[PATCH v2 2/3] libsepol/Makefile: add -fno-semantic-interposition
[PATCH v2 3/3] lbespol: remove wild cards in mapfile



* [PATCH v2 1/3] libsepol/dso: drop hidden_proto and hidden_def
  2020-03-10 21:08 ` V2 libsepol drop dso.h bill.c.roberts
@ 2020-03-10 21:08   ` bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 2/3] libsepol/Makefile: add -fno-semantic-interposition bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 3/3] lbespol: remove wild cards in mapfile bill.c.roberts
  2 siblings, 0 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-10 21:08 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

libsepol already has a linker script controlling its exports, so this
patch has a net 0 effect, with the exception that internal callers of
external routines, which there could be 0 of, could potentially call a
non-libsepol routine depending on library load order.

NOTE A FEW SYMBOLS ARE EXPORTED THAT NORMALLY WOULDN'T BE
  - sepol_context_to_sid
  - sepol_ibendport_sid
  - sepol_ibpkey_sid
  - sepol_msg_default_handler
  - sepol_node_sid
  - sepol_port_sid

A subsequent map update will follow.

This list was generated by generating an old export map (from master):
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/boolean_internal.h   |  9 -----
 libsepol/src/boolean_record.c     |  8 -----
 libsepol/src/context_internal.h   | 13 --------
 libsepol/src/context_record.c     | 12 -------
 libsepol/src/debug.c              |  5 +--
 libsepol/src/debug.h              |  6 +---
 libsepol/src/dso.h                | 27 ---------------
 libsepol/src/ibendport_internal.h | 11 -------
 libsepol/src/ibendport_record.c   | 10 ------
 libsepol/src/ibpkey_internal.h    | 14 --------
 libsepol/src/ibpkey_record.c      | 13 --------
 libsepol/src/iface_internal.h     | 11 -------
 libsepol/src/iface_record.c       | 10 ------
 libsepol/src/module.c             |  2 --
 libsepol/src/module_internal.h    |  3 --
 libsepol/src/node_internal.h      | 19 -----------
 libsepol/src/node_record.c        | 18 ----------
 libsepol/src/policydb_internal.h  |  3 --
 libsepol/src/policydb_public.c    |  2 --
 libsepol/src/port_internal.h      | 13 --------
 libsepol/src/port_record.c        | 12 -------
 libsepol/src/private.h            |  7 ++--
 libsepol/src/services.c           | 55 +++++++++++++++----------------
 libsepol/src/user_internal.h      | 13 --------
 libsepol/src/user_record.c        | 12 -------
 libsepol/src/util.c               |  3 +-
 26 files changed, 33 insertions(+), 278 deletions(-)
 delete mode 100644 libsepol/src/dso.h

diff --git a/libsepol/src/boolean_internal.h b/libsepol/src/boolean_internal.h
index aad7adecb314..1c1e6a39ce09 100644
--- a/libsepol/src/boolean_internal.h
+++ b/libsepol/src/boolean_internal.h
@@ -3,14 +3,5 @@
 
 #include <sepol/boolean_record.h>
 #include <sepol/booleans.h>
-#include "dso.h"
 
-hidden_proto(sepol_bool_key_create)
-    hidden_proto(sepol_bool_key_unpack)
-    hidden_proto(sepol_bool_get_name)
-    hidden_proto(sepol_bool_set_name)
-    hidden_proto(sepol_bool_get_value)
-    hidden_proto(sepol_bool_set_value)
-    hidden_proto(sepol_bool_create)
-    hidden_proto(sepol_bool_free)
 #endif
diff --git a/libsepol/src/boolean_record.c b/libsepol/src/boolean_record.c
index a194704e851a..6cbf627a5f02 100644
--- a/libsepol/src/boolean_record.c
+++ b/libsepol/src/boolean_record.c
@@ -41,7 +41,6 @@ int sepol_bool_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_key_create)
 
 void sepol_bool_key_unpack(const sepol_bool_key_t * key, const char **name)
 {
@@ -49,7 +48,6 @@ void sepol_bool_key_unpack(const sepol_bool_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_bool_key_unpack)
 
 int sepol_bool_key_extract(sepol_handle_t * handle,
 			   const sepol_bool_t * boolean,
@@ -94,7 +92,6 @@ const char *sepol_bool_get_name(const sepol_bool_t * boolean)
 	return boolean->name;
 }
 
-hidden_def(sepol_bool_get_name)
 
 int sepol_bool_set_name(sepol_handle_t * handle,
 			sepol_bool_t * boolean, const char *name)
@@ -110,7 +107,6 @@ int sepol_bool_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_set_name)
 
 /* Value */
 int sepol_bool_get_value(const sepol_bool_t * boolean)
@@ -119,7 +115,6 @@ int sepol_bool_get_value(const sepol_bool_t * boolean)
 	return boolean->value;
 }
 
-hidden_def(sepol_bool_get_value)
 
 void sepol_bool_set_value(sepol_bool_t * boolean, int value)
 {
@@ -127,7 +122,6 @@ void sepol_bool_set_value(sepol_bool_t * boolean, int value)
 	boolean->value = value;
 }
 
-hidden_def(sepol_bool_set_value)
 
 /* Create */
 int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr)
@@ -148,7 +142,6 @@ int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_bool_create)
 
 /* Deep copy clone */
 int sepol_bool_clone(sepol_handle_t * handle,
@@ -185,4 +178,3 @@ void sepol_bool_free(sepol_bool_t * boolean)
 	free(boolean);
 }
 
-hidden_def(sepol_bool_free)
diff --git a/libsepol/src/context_internal.h b/libsepol/src/context_internal.h
index 7987c1cef22d..3cae28cc1c67 100644
--- a/libsepol/src/context_internal.h
+++ b/libsepol/src/context_internal.h
@@ -2,18 +2,5 @@
 #define _SEPOL_CONTEXT_INTERNAL_H_
 
 #include <sepol/context_record.h>
-#include "dso.h"
 
-hidden_proto(sepol_context_clone)
-    hidden_proto(sepol_context_create)
-    hidden_proto(sepol_context_free)
-    hidden_proto(sepol_context_from_string)
-    hidden_proto(sepol_context_get_mls)
-    hidden_proto(sepol_context_get_role)
-    hidden_proto(sepol_context_get_type)
-    hidden_proto(sepol_context_get_user)
-    hidden_proto(sepol_context_set_mls)
-    hidden_proto(sepol_context_set_role)
-    hidden_proto(sepol_context_set_type)
-    hidden_proto(sepol_context_set_user)
 #endif
diff --git a/libsepol/src/context_record.c b/libsepol/src/context_record.c
index 0a8bbf6db407..317a42133884 100644
--- a/libsepol/src/context_record.c
+++ b/libsepol/src/context_record.c
@@ -29,7 +29,6 @@ const char *sepol_context_get_user(const sepol_context_t * con)
 	return con->user;
 }
 
-hidden_def(sepol_context_get_user)
 
 int sepol_context_set_user(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *user)
@@ -47,7 +46,6 @@ int sepol_context_set_user(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_user)
 
 /* Role */
 const char *sepol_context_get_role(const sepol_context_t * con)
@@ -56,7 +54,6 @@ const char *sepol_context_get_role(const sepol_context_t * con)
 	return con->role;
 }
 
-hidden_def(sepol_context_get_role)
 
 int sepol_context_set_role(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *role)
@@ -73,7 +70,6 @@ int sepol_context_set_role(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_role)
 
 /* Type */
 const char *sepol_context_get_type(const sepol_context_t * con)
@@ -82,7 +78,6 @@ const char *sepol_context_get_type(const sepol_context_t * con)
 	return con->type;
 }
 
-hidden_def(sepol_context_get_type)
 
 int sepol_context_set_type(sepol_handle_t * handle,
 			   sepol_context_t * con, const char *type)
@@ -99,7 +94,6 @@ int sepol_context_set_type(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_type)
 
 /* MLS */
 const char *sepol_context_get_mls(const sepol_context_t * con)
@@ -108,7 +102,6 @@ const char *sepol_context_get_mls(const sepol_context_t * con)
 	return con->mls;
 }
 
-hidden_def(sepol_context_get_mls)
 
 int sepol_context_set_mls(sepol_handle_t * handle,
 			  sepol_context_t * con, const char *mls)
@@ -125,7 +118,6 @@ int sepol_context_set_mls(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_set_mls)
 
 /* Create */
 int sepol_context_create(sepol_handle_t * handle, sepol_context_t ** con_ptr)
@@ -147,7 +139,6 @@ int sepol_context_create(sepol_handle_t * handle, sepol_context_t ** con_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_context_create)
 
 /* Deep copy clone */
 int sepol_context_clone(sepol_handle_t * handle,
@@ -188,7 +179,6 @@ int sepol_context_clone(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_context_clone)
 
 /* Destroy */
 void sepol_context_free(sepol_context_t * con)
@@ -204,7 +194,6 @@ void sepol_context_free(sepol_context_t * con)
 	free(con);
 }
 
-hidden_def(sepol_context_free)
 
 int sepol_context_from_string(sepol_handle_t * handle,
 			      const char *str, sepol_context_t ** con)
@@ -278,7 +267,6 @@ int sepol_context_from_string(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_context_from_string)
 
 static inline int safe_sum(size_t *sum, const size_t augends[], const size_t cnt) {
 
diff --git a/libsepol/src/debug.c b/libsepol/src/debug.c
index db57090fafd0..0458e3538884 100644
--- a/libsepol/src/debug.c
+++ b/libsepol/src/debug.c
@@ -23,25 +23,22 @@ int sepol_msg_get_level(sepol_handle_t * handle)
 	return handle->msg_level;
 }
 
-hidden_def(sepol_msg_get_level)
 
 const char *sepol_msg_get_channel(sepol_handle_t * handle)
 {
 	return handle->msg_channel;
 }
 
-hidden_def(sepol_msg_get_channel)
 
 const char *sepol_msg_get_fname(sepol_handle_t * handle)
 {
 	return handle->msg_fname;
 }
 
-hidden_def(sepol_msg_get_fname)
 #ifdef __GNUC__
     __attribute__ ((format(printf, 3, 4)))
 #endif
-void hidden sepol_msg_default_handler(void *varg __attribute__ ((unused)),
+void sepol_msg_default_handler(void *varg __attribute__ ((unused)),
 				      sepol_handle_t * handle,
 				      const char *fmt, ...)
 {
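Review bot: The plain `hidden` attribute on `sepol_msg_default_handler` is dropped here together with the `hidden_def` lines, although it does not depend on the `hidden_proto`/`hidden_def` aliasing named in the subject, so from this point the linker version script is the only thing keeping the function out of the shared object's dynamic symbol table. That script is not part of this hunk; if it selects exports by pattern rather than by exact name, a `sepol_`-prefixed internal function could become exported ABI without any source change, and the same applies to the declaration in debug.h, the three prototypes in private.h and the services.c definitions later in this patch (`sepol_set_policydb`, `sepol_load_policy`, `sepol_port_sid`, `sepol_node_sid` and the rest). I would keep a one-line `#define hidden __attribute__ ((visibility ("hidden")))` in an internal header and leave these signatures as `void hidden sepol_msg_default_handler(...)`, so internal-only symbols stay non-exportable even if the map is edited loosely later. The deleted dso.h also supplied `DISABLE_SYMVER` for non-`SHARED` and Android builds, so any `DISABLE_SYMVER` test remaining elsewhere in the tree (none is visible in this part of the patch) would need that define from another place. The function body continues past the end of the hunk.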
diff --git a/libsepol/src/debug.h b/libsepol/src/debug.h
index 56b397b58310..0b3965d8c500 100644
--- a/libsepol/src/debug.h
+++ b/libsepol/src/debug.h
@@ -21,7 +21,6 @@
 
 #include <stdio.h>
 #include <sepol/debug.h>
-#include "dso.h"
 #include "handle.h"
 
 #define STATUS_SUCCESS 0
@@ -62,13 +61,10 @@
 #ifdef __GNUC__
 __attribute__ ((format(printf, 3, 4)))
 #endif
-extern void hidden sepol_msg_default_handler(void *varg,
+extern void sepol_msg_default_handler(void *varg,
 					     sepol_handle_t * msg,
 					     const char *fmt, ...);
 
 extern struct sepol_handle sepol_compat_handle;
 
-hidden_proto(sepol_msg_get_channel)
-    hidden_proto(sepol_msg_get_fname)
-    hidden_proto(sepol_msg_get_level)
 #endif
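Review bot: The continuation lines of the `sepol_msg_default_handler` prototype keep their old indentation, which lined up under the first parameter only while the first line still contained `hidden `; with the shorter line they now sit seven columns too far to the right. Re-indenting `sepol_handle_t * msg,` and `const char *fmt, ...);` so they start under `void *varg` would keep the alignment convention the file uses elsewhere. The same leftover alignment appears in the debug.c definition and in the multi-line signatures changed in services.c (for example `sepol_validate_transition` and `sepol_compute_av`).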
diff --git a/libsepol/src/dso.h b/libsepol/src/dso.h
deleted file mode 100644
index a06e3496cc06..000000000000
--- a/libsepol/src/dso.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _SEPOL_DSO_H
-#define _SEPOL_DSO_H	1
-
-#if !defined(SHARED) || defined(ANDROID)
-    #define DISABLE_SYMVER 1
-#endif
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
diff --git a/libsepol/src/ibendport_internal.h b/libsepol/src/ibendport_internal.h
index ed8f9b4dd3d3..8bfb499e5c1b 100644
--- a/libsepol/src/ibendport_internal.h
+++ b/libsepol/src/ibendport_internal.h
@@ -3,16 +3,5 @@
 
 #include <sepol/ibendport_record.h>
 #include <sepol/ibendports.h>
-#include "dso.h"
 
-hidden_proto(sepol_ibendport_create)
-hidden_proto(sepol_ibendport_free)
-hidden_proto(sepol_ibendport_get_con)
-hidden_proto(sepol_ibendport_get_port)
-hidden_proto(sepol_ibendport_key_create)
-hidden_proto(sepol_ibendport_key_unpack)
-hidden_proto(sepol_ibendport_set_con)
-hidden_proto(sepol_ibendport_set_port)
-hidden_proto(sepol_ibendport_get_ibdev_name)
-hidden_proto(sepol_ibendport_set_ibdev_name)
 #endif
diff --git a/libsepol/src/ibendport_record.c b/libsepol/src/ibendport_record.c
index bc56f090d3a4..adf671615e5c 100644
--- a/libsepol/src/ibendport_record.c
+++ b/libsepol/src/ibendport_record.c
@@ -78,7 +78,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_key_create)
 
 void sepol_ibendport_key_unpack(const sepol_ibendport_key_t *key,
 				const char **ibdev_name, int *port)
@@ -87,7 +86,6 @@ void sepol_ibendport_key_unpack(const sepol_ibendport_key_t *key,
 	*port = key->port;
 }
 
-hidden_def(sepol_ibendport_key_unpack)
 
 int sepol_ibendport_key_extract(sepol_handle_t *handle,
 				const sepol_ibendport_t *ibendport,
@@ -152,14 +150,12 @@ int sepol_ibendport_get_port(const sepol_ibendport_t *ibendport)
 	return ibendport->port;
 }
 
-hidden_def(sepol_ibendport_get_port)
 
 void sepol_ibendport_set_port(sepol_ibendport_t *ibendport, int port)
 {
 	ibendport->port = port;
 }
 
-hidden_def(sepol_ibendport_set_port)
 
 int sepol_ibendport_get_ibdev_name(sepol_handle_t *handle,
 				   const sepol_ibendport_t *ibendport,
@@ -180,7 +176,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_get_ibdev_name)
 
 int sepol_ibendport_set_ibdev_name(sepol_handle_t *handle,
 				   sepol_ibendport_t *ibendport,
@@ -202,7 +197,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibendport_set_ibdev_name)
 
 /* Create */
 int sepol_ibendport_create(sepol_handle_t *handle, sepol_ibendport_t **ibendport)
@@ -222,7 +216,6 @@ int sepol_ibendport_create(sepol_handle_t *handle, sepol_ibendport_t **ibendport
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibendport_create)
 
 /* Deep copy clone */
 int sepol_ibendport_clone(sepol_handle_t *handle,
@@ -267,7 +260,6 @@ void sepol_ibendport_free(sepol_ibendport_t *ibendport)
 	free(ibendport);
 }
 
-hidden_def(sepol_ibendport_free)
 
 /* Context */
 sepol_context_t *sepol_ibendport_get_con(const sepol_ibendport_t *ibendport)
@@ -275,7 +267,6 @@ sepol_context_t *sepol_ibendport_get_con(const sepol_ibendport_t *ibendport)
 	return ibendport->con;
 }
 
-hidden_def(sepol_ibendport_get_con)
 
 int sepol_ibendport_set_con(sepol_handle_t *handle,
 			    sepol_ibendport_t *ibendport, sepol_context_t *con)
@@ -292,4 +283,3 @@ int sepol_ibendport_set_con(sepol_handle_t *handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibendport_set_con)
diff --git a/libsepol/src/ibpkey_internal.h b/libsepol/src/ibpkey_internal.h
index addf80a8bf7d..b875f942f8d1 100644
--- a/libsepol/src/ibpkey_internal.h
+++ b/libsepol/src/ibpkey_internal.h
@@ -3,19 +3,5 @@
 
 #include <sepol/ibpkey_record.h>
 #include <sepol/ibpkeys.h>
-#include "dso.h"
 
-hidden_proto(sepol_ibpkey_create)
-hidden_proto(sepol_ibpkey_free)
-hidden_proto(sepol_ibpkey_get_con)
-hidden_proto(sepol_ibpkey_get_high)
-hidden_proto(sepol_ibpkey_get_low)
-hidden_proto(sepol_ibpkey_key_create)
-hidden_proto(sepol_ibpkey_key_unpack)
-hidden_proto(sepol_ibpkey_set_con)
-hidden_proto(sepol_ibpkey_set_range)
-hidden_proto(sepol_ibpkey_get_subnet_prefix)
-hidden_proto(sepol_ibpkey_get_subnet_prefix_bytes)
-hidden_proto(sepol_ibpkey_set_subnet_prefix)
-hidden_proto(sepol_ibpkey_set_subnet_prefix_bytes)
 #endif
diff --git a/libsepol/src/ibpkey_record.c b/libsepol/src/ibpkey_record.c
index badf2b3b6338..6f7aa65602d1 100644
--- a/libsepol/src/ibpkey_record.c
+++ b/libsepol/src/ibpkey_record.c
@@ -128,7 +128,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_key_create)
 
 void sepol_ibpkey_key_unpack(const sepol_ibpkey_key_t *key,
 			     uint64_t *subnet_prefix, int *low, int *high)
@@ -138,7 +137,6 @@ void sepol_ibpkey_key_unpack(const sepol_ibpkey_key_t *key,
 	*high = key->high;
 }
 
-hidden_def(sepol_ibpkey_key_unpack)
 
 int sepol_ibpkey_key_extract(sepol_handle_t *handle,
 			     const sepol_ibpkey_t *ibpkey,
@@ -213,14 +211,12 @@ int sepol_ibpkey_get_low(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->low;
 }
 
-hidden_def(sepol_ibpkey_get_low)
 
 int sepol_ibpkey_get_high(const sepol_ibpkey_t *ibpkey)
 {
 	return ibpkey->high;
 }
 
-hidden_def(sepol_ibpkey_get_high)
 
 void sepol_ibpkey_set_pkey(sepol_ibpkey_t *ibpkey, int pkey_num)
 {
@@ -234,7 +230,6 @@ void sepol_ibpkey_set_range(sepol_ibpkey_t *ibpkey, int low, int high)
 	ibpkey->high = high;
 }
 
-hidden_def(sepol_ibpkey_set_range)
 
 int sepol_ibpkey_get_subnet_prefix(sepol_handle_t *handle,
 				   const sepol_ibpkey_t *ibpkey,
@@ -257,7 +252,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_get_subnet_prefix)
 
 /* Subnet prefix */
 uint64_t sepol_ibpkey_get_subnet_prefix_bytes(const sepol_ibpkey_t *ibpkey)
@@ -265,7 +259,6 @@ uint64_t sepol_ibpkey_get_subnet_prefix_bytes(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->subnet_prefix;
 }
 
-hidden_def(sepol_ibpkey_get_subnet_prefix_bytes)
 
 int sepol_ibpkey_set_subnet_prefix(sepol_handle_t *handle,
 				   sepol_ibpkey_t *ibpkey,
@@ -284,7 +277,6 @@ err:
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_ibpkey_set_subnet_prefix)
 
 void sepol_ibpkey_set_subnet_prefix_bytes(sepol_ibpkey_t *ibpkey,
 					  uint64_t subnet_prefix)
@@ -292,7 +284,6 @@ void sepol_ibpkey_set_subnet_prefix_bytes(sepol_ibpkey_t *ibpkey,
 	ibpkey->subnet_prefix = subnet_prefix;
 }
 
-hidden_def(sepol_ibpkey_set_subnet_prefix_bytes)
 
 /* Create */
 int sepol_ibpkey_create(sepol_handle_t *handle, sepol_ibpkey_t **ibpkey)
@@ -313,7 +304,6 @@ int sepol_ibpkey_create(sepol_handle_t *handle, sepol_ibpkey_t **ibpkey)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibpkey_create)
 
 /* Deep copy clone */
 int sepol_ibpkey_clone(sepol_handle_t *handle,
@@ -351,7 +341,6 @@ void sepol_ibpkey_free(sepol_ibpkey_t *ibpkey)
 	free(ibpkey);
 }
 
-hidden_def(sepol_ibpkey_free)
 
 /* Context */
 sepol_context_t *sepol_ibpkey_get_con(const sepol_ibpkey_t *ibpkey)
@@ -359,7 +348,6 @@ sepol_context_t *sepol_ibpkey_get_con(const sepol_ibpkey_t *ibpkey)
 	return ibpkey->con;
 }
 
-hidden_def(sepol_ibpkey_get_con)
 
 int sepol_ibpkey_set_con(sepol_handle_t *handle,
 			 sepol_ibpkey_t *ibpkey, sepol_context_t *con)
@@ -376,4 +364,3 @@ int sepol_ibpkey_set_con(sepol_handle_t *handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_ibpkey_set_con)
diff --git a/libsepol/src/iface_internal.h b/libsepol/src/iface_internal.h
index 5b78d9bd93ff..82fb60cb2c85 100644
--- a/libsepol/src/iface_internal.h
+++ b/libsepol/src/iface_internal.h
@@ -3,16 +3,5 @@
 
 #include <sepol/iface_record.h>
 #include <sepol/interfaces.h>
-#include "dso.h"
 
-hidden_proto(sepol_iface_create)
-    hidden_proto(sepol_iface_free)
-    hidden_proto(sepol_iface_get_ifcon)
-    hidden_proto(sepol_iface_get_msgcon)
-    hidden_proto(sepol_iface_get_name)
-    hidden_proto(sepol_iface_key_create)
-    hidden_proto(sepol_iface_key_unpack)
-    hidden_proto(sepol_iface_set_ifcon)
-    hidden_proto(sepol_iface_set_msgcon)
-    hidden_proto(sepol_iface_set_name)
 #endif
diff --git a/libsepol/src/iface_record.c b/libsepol/src/iface_record.c
index 6d568355468d..e77569898900 100644
--- a/libsepol/src/iface_record.c
+++ b/libsepol/src/iface_record.c
@@ -47,7 +47,6 @@ int sepol_iface_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_key_create)
 
 void sepol_iface_key_unpack(const sepol_iface_key_t * key, const char **name)
 {
@@ -55,7 +54,6 @@ void sepol_iface_key_unpack(const sepol_iface_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_iface_key_unpack)
 
 int sepol_iface_key_extract(sepol_handle_t * handle,
 			    const sepol_iface_t * iface,
@@ -114,7 +112,6 @@ int sepol_iface_create(sepol_handle_t * handle, sepol_iface_t ** iface)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_create)
 
 /* Name */
 const char *sepol_iface_get_name(const sepol_iface_t * iface)
@@ -123,7 +120,6 @@ const char *sepol_iface_get_name(const sepol_iface_t * iface)
 	return iface->name;
 }
 
-hidden_def(sepol_iface_get_name)
 
 int sepol_iface_set_name(sepol_handle_t * handle,
 			 sepol_iface_t * iface, const char *name)
@@ -139,7 +135,6 @@ int sepol_iface_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_name)
 
 /* Interface Context */
 sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface)
@@ -148,7 +143,6 @@ sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface)
 	return iface->netif_con;
 }
 
-hidden_def(sepol_iface_get_ifcon)
 
 int sepol_iface_set_ifcon(sepol_handle_t * handle,
 			  sepol_iface_t * iface, sepol_context_t * con)
@@ -166,7 +160,6 @@ int sepol_iface_set_ifcon(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_ifcon)
 
 /* Message Context */
 sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface)
@@ -175,7 +168,6 @@ sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface)
 	return iface->netmsg_con;
 }
 
-hidden_def(sepol_iface_get_msgcon)
 
 int sepol_iface_set_msgcon(sepol_handle_t * handle,
 			   sepol_iface_t * iface, sepol_context_t * con)
@@ -192,7 +184,6 @@ int sepol_iface_set_msgcon(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_iface_set_msgcon)
 
 /* Deep copy clone */
 int sepol_iface_clone(sepol_handle_t * handle,
@@ -238,4 +229,3 @@ void sepol_iface_free(sepol_iface_t * iface)
 	free(iface);
 }
 
-hidden_def(sepol_iface_free)
diff --git a/libsepol/src/module.c b/libsepol/src/module.c
index 3b8a0a59ca68..836da308f8d3 100644
--- a/libsepol/src/module.c
+++ b/libsepol/src/module.c
@@ -132,7 +132,6 @@ int sepol_module_package_create(sepol_module_package_t ** p)
 	return rc;
 }
 
-hidden_def(sepol_module_package_create)
 
 /* Deallocates all memory associated with a module package, including
  * the pointer itself.  Does nothing if p is NULL.
@@ -150,7 +149,6 @@ void sepol_module_package_free(sepol_module_package_t * p)
 	free(p);
 }
 
-hidden_def(sepol_module_package_free)
 
 char *sepol_module_package_get_file_contexts(sepol_module_package_t * p)
 {
diff --git a/libsepol/src/module_internal.h b/libsepol/src/module_internal.h
index cdd5ec65cfff..ac1be36a2f72 100644
--- a/libsepol/src/module_internal.h
+++ b/libsepol/src/module_internal.h
@@ -1,5 +1,2 @@
 #include <sepol/module.h>
-#include "dso.h"
 
-hidden_proto(sepol_module_package_create)
-    hidden_proto(sepol_module_package_free)
diff --git a/libsepol/src/node_internal.h b/libsepol/src/node_internal.h
index 802cda97c181..6d3c250543ae 100644
--- a/libsepol/src/node_internal.h
+++ b/libsepol/src/node_internal.h
@@ -3,24 +3,5 @@
 
 #include <sepol/node_record.h>
 #include <sepol/nodes.h>
-#include "dso.h"
 
-hidden_proto(sepol_node_create)
-    hidden_proto(sepol_node_key_free)
-    hidden_proto(sepol_node_free)
-    hidden_proto(sepol_node_get_con)
-    hidden_proto(sepol_node_get_addr)
-    hidden_proto(sepol_node_get_addr_bytes)
-    hidden_proto(sepol_node_get_mask)
-    hidden_proto(sepol_node_get_mask_bytes)
-    hidden_proto(sepol_node_get_proto)
-    hidden_proto(sepol_node_get_proto_str)
-    hidden_proto(sepol_node_key_create)
-    hidden_proto(sepol_node_key_unpack)
-    hidden_proto(sepol_node_set_con)
-    hidden_proto(sepol_node_set_addr)
-    hidden_proto(sepol_node_set_addr_bytes)
-    hidden_proto(sepol_node_set_mask)
-    hidden_proto(sepol_node_set_mask_bytes)
-    hidden_proto(sepol_node_set_proto)
 #endif
diff --git a/libsepol/src/node_record.c b/libsepol/src/node_record.c
index f3e78ff3c788..9ef429da8768 100644
--- a/libsepol/src/node_record.c
+++ b/libsepol/src/node_record.c
@@ -259,7 +259,6 @@ int sepol_node_key_create(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_key_create)
 
 void sepol_node_key_unpack(const sepol_node_key_t * key,
 			   const char **addr, const char **mask, int *proto)
@@ -270,7 +269,6 @@ void sepol_node_key_unpack(const sepol_node_key_t * key,
 	*proto = key->proto;
 }
 
-hidden_def(sepol_node_key_unpack)
 
 int sepol_node_key_extract(sepol_handle_t * handle,
 			   const sepol_node_t * node,
@@ -314,7 +312,6 @@ void sepol_node_key_free(sepol_node_key_t * key)
 	free(key);
 }
 
-hidden_def(sepol_node_key_free)
 
 int sepol_node_compare(const sepol_node_t * node, const sepol_node_key_t * key)
 {
@@ -375,7 +372,6 @@ int sepol_node_get_addr(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_get_addr)
 
 int sepol_node_get_addr_bytes(sepol_handle_t * handle,
 			      const sepol_node_t * node,
@@ -394,7 +390,6 @@ int sepol_node_get_addr_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_get_addr_bytes)
 
 int sepol_node_set_addr(sepol_handle_t * handle,
 			sepol_node_t * node, int proto, const char *addr)
@@ -420,7 +415,6 @@ int sepol_node_set_addr(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_set_addr)
 
 int sepol_node_set_addr_bytes(sepol_handle_t * handle,
 			      sepol_node_t * node,
@@ -440,7 +434,6 @@ int sepol_node_set_addr_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_addr_bytes)
 
 /* Mask */
 int sepol_node_get_mask(sepol_handle_t * handle,
@@ -464,7 +457,6 @@ int sepol_node_get_mask(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_get_mask)
 
 int sepol_node_get_mask_bytes(sepol_handle_t * handle,
 			      const sepol_node_t * node,
@@ -483,7 +475,6 @@ int sepol_node_get_mask_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_get_mask_bytes)
 
 int sepol_node_set_mask(sepol_handle_t * handle,
 			sepol_node_t * node, int proto, const char *mask)
@@ -509,7 +500,6 @@ int sepol_node_set_mask(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_node_set_mask)
 
 int sepol_node_set_mask_bytes(sepol_handle_t * handle,
 			      sepol_node_t * node,
@@ -528,7 +518,6 @@ int sepol_node_set_mask_bytes(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_mask_bytes)
 
 /* Protocol */
 int sepol_node_get_proto(const sepol_node_t * node)
@@ -537,7 +526,6 @@ int sepol_node_get_proto(const sepol_node_t * node)
 	return node->proto;
 }
 
-hidden_def(sepol_node_get_proto)
 
 void sepol_node_set_proto(sepol_node_t * node, int proto)
 {
@@ -545,7 +533,6 @@ void sepol_node_set_proto(sepol_node_t * node, int proto)
 	node->proto = proto;
 }
 
-hidden_def(sepol_node_set_proto)
 
 const char *sepol_node_get_proto_str(int proto)
 {
@@ -560,7 +547,6 @@ const char *sepol_node_get_proto_str(int proto)
 	}
 }
 
-hidden_def(sepol_node_get_proto_str)
 
 /* Create */
 int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node)
@@ -584,7 +570,6 @@ int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_create)
 
 /* Deep copy clone */
 int sepol_node_clone(sepol_handle_t * handle,
@@ -637,7 +622,6 @@ void sepol_node_free(sepol_node_t * node)
 	free(node);
 }
 
-hidden_def(sepol_node_free)
 
 /* Context */
 sepol_context_t *sepol_node_get_con(const sepol_node_t * node)
@@ -646,7 +630,6 @@ sepol_context_t *sepol_node_get_con(const sepol_node_t * node)
 	return node->con;
 }
 
-hidden_def(sepol_node_get_con)
 
 int sepol_node_set_con(sepol_handle_t * handle,
 		       sepol_node_t * node, sepol_context_t * con)
@@ -664,4 +647,3 @@ int sepol_node_set_con(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_node_set_con)
diff --git a/libsepol/src/policydb_internal.h b/libsepol/src/policydb_internal.h
index f7bcdfa3df31..06ba5c8be144 100644
--- a/libsepol/src/policydb_internal.h
+++ b/libsepol/src/policydb_internal.h
@@ -2,9 +2,6 @@
 #define _SEPOL_POLICYDB_INTERNAL_H_
 
 #include <sepol/policydb.h>
-#include "dso.h"
 
-hidden_proto(sepol_policydb_create)
-    hidden_proto(sepol_policydb_free)
 extern const char *policydb_target_strings[];
 #endif
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index 747a43ff0a5c..e5def7078eb0 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -73,7 +73,6 @@ int sepol_policydb_create(sepol_policydb_t ** sp)
 	return 0;
 }
 
-hidden_def(sepol_policydb_create)
 
 void sepol_policydb_free(sepol_policydb_t * p)
 {
@@ -83,7 +82,6 @@ void sepol_policydb_free(sepol_policydb_t * p)
 	free(p);
 }
 
-hidden_def(sepol_policydb_free)
 
 int sepol_policy_kern_vers_min(void)
 {
diff --git a/libsepol/src/port_internal.h b/libsepol/src/port_internal.h
index ffb5f65ad20b..80cf5c25366d 100644
--- a/libsepol/src/port_internal.h
+++ b/libsepol/src/port_internal.h
@@ -3,18 +3,5 @@
 
 #include <sepol/port_record.h>
 #include <sepol/ports.h>
-#include "dso.h"
 
-hidden_proto(sepol_port_create)
-    hidden_proto(sepol_port_free)
-    hidden_proto(sepol_port_get_con)
-    hidden_proto(sepol_port_get_high)
-    hidden_proto(sepol_port_get_low)
-    hidden_proto(sepol_port_get_proto)
-    hidden_proto(sepol_port_get_proto_str)
-    hidden_proto(sepol_port_key_create)
-    hidden_proto(sepol_port_key_unpack)
-    hidden_proto(sepol_port_set_con)
-    hidden_proto(sepol_port_set_proto)
-    hidden_proto(sepol_port_set_range)
 #endif
diff --git a/libsepol/src/port_record.c b/libsepol/src/port_record.c
index 15fb198fb359..7054dbc2e1b4 100644
--- a/libsepol/src/port_record.c
+++ b/libsepol/src/port_record.c
@@ -46,7 +46,6 @@ int sepol_port_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_key_create)
 
 void sepol_port_key_unpack(const sepol_port_key_t * key,
 			   int *low, int *high, int *proto)
@@ -57,7 +56,6 @@ void sepol_port_key_unpack(const sepol_port_key_t * key,
 	*proto = key->proto;
 }
 
-hidden_def(sepol_port_key_unpack)
 
 int sepol_port_key_extract(sepol_handle_t * handle,
 			   const sepol_port_t * port,
@@ -141,7 +139,6 @@ int sepol_port_get_low(const sepol_port_t * port)
 	return port->low;
 }
 
-hidden_def(sepol_port_get_low)
 
 int sepol_port_get_high(const sepol_port_t * port)
 {
@@ -149,7 +146,6 @@ int sepol_port_get_high(const sepol_port_t * port)
 	return port->high;
 }
 
-hidden_def(sepol_port_get_high)
 
 void sepol_port_set_port(sepol_port_t * port, int port_num)
 {
@@ -165,7 +161,6 @@ void sepol_port_set_range(sepol_port_t * port, int low, int high)
 	port->high = high;
 }
 
-hidden_def(sepol_port_set_range)
 
 /* Protocol */
 int sepol_port_get_proto(const sepol_port_t * port)
@@ -174,7 +169,6 @@ int sepol_port_get_proto(const sepol_port_t * port)
 	return port->proto;
 }
 
-hidden_def(sepol_port_get_proto)
 
 const char *sepol_port_get_proto_str(int proto)
 {
@@ -193,7 +187,6 @@ const char *sepol_port_get_proto_str(int proto)
 	}
 }
 
-hidden_def(sepol_port_get_proto_str)
 
 void sepol_port_set_proto(sepol_port_t * port, int proto)
 {
@@ -201,7 +194,6 @@ void sepol_port_set_proto(sepol_port_t * port, int proto)
 	port->proto = proto;
 }
 
-hidden_def(sepol_port_set_proto)
 
 /* Create */
 int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port)
@@ -223,7 +215,6 @@ int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_create)
 
 /* Deep copy clone */
 int sepol_port_clone(sepol_handle_t * handle,
@@ -262,7 +253,6 @@ void sepol_port_free(sepol_port_t * port)
 	free(port);
 }
 
-hidden_def(sepol_port_free)
 
 /* Context */
 sepol_context_t *sepol_port_get_con(const sepol_port_t * port)
@@ -271,7 +261,6 @@ sepol_context_t *sepol_port_get_con(const sepol_port_t * port)
 	return port->con;
 }
 
-hidden_def(sepol_port_get_con)
 
 int sepol_port_set_con(sepol_handle_t * handle,
 		       sepol_port_t * port, sepol_context_t * con)
@@ -289,4 +278,3 @@ int sepol_port_set_con(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_port_set_con)
diff --git a/libsepol/src/private.h b/libsepol/src/private.h
index b884c23b91fe..f5b5277f183a 100644
--- a/libsepol/src/private.h
+++ b/libsepol/src/private.h
@@ -14,7 +14,6 @@
 #endif
 
 #include <errno.h>
-#include <dso.h>
 
 #ifdef __APPLE__
 #define __BYTE_ORDER  BYTE_ORDER
@@ -62,7 +61,7 @@ extern struct policydb_compat_info *policydb_lookup_compat(unsigned int version,
 						unsigned int target_platform);
 
 /* Reading from a policy "file". */
-extern int next_entry(void *buf, struct policy_file *fp, size_t bytes) hidden;
+extern int next_entry(void *buf, struct policy_file *fp, size_t bytes);
 extern size_t put_entry(const void *ptr, size_t size, size_t n,
-		        struct policy_file *fp) hidden;
-extern int str_read(char **strp, struct policy_file *fp, size_t len) hidden;
+		        struct policy_file *fp);
+extern int str_read(char **strp, struct policy_file *fp, size_t len);
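Review bot: After this hunk nothing at the declarations of `next_entry`, `put_entry` and `str_read` says they are internal to the library, and unlike most of the API they carry no `sepol_` prefix, so an accidental export would put very generic names into the global symbol namespace. These are the routines that read and write policy "file" data through `struct policy_file`, so the intent is worth stating where someone editing the export map will see it. I would add a comment next to the existing `/* Reading from a policy "file". */` line, such as `/* Internal only: must never be listed in, or matched by, the export map. */`.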
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 3758436f8e34..51314dabb574 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -66,7 +66,6 @@
 #include "private.h"
 #include "context.h"
 #include "av_permissions.h"
-#include "dso.h"
 #include "mls.h"
 
 #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
@@ -121,13 +120,13 @@ static char *pop(void)
 }
 /* End Stack services */
 
-int hidden sepol_set_sidtab(sidtab_t * s)
+int sepol_set_sidtab(sidtab_t * s)
 {
 	sidtab = s;
 	return 0;
 }
 
-int hidden sepol_set_policydb(policydb_t * p)
+int sepol_set_policydb(policydb_t * p)
 {
 	policydb = p;
 	return 0;
@@ -1013,7 +1012,7 @@ static int context_struct_compute_av(context_struct_t * scontext,
 	return 0;
 }
 
-int hidden sepol_validate_transition(sepol_security_id_t oldsid,
+int sepol_validate_transition(sepol_security_id_t oldsid,
 				     sepol_security_id_t newsid,
 				     sepol_security_id_t tasksid,
 				     sepol_security_class_t tclass)
@@ -1064,7 +1063,7 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
  * sepol_validate_transition_reason_buffer - the reason buffer is realloc'd
  * in the constraint_expr_eval_reason() function.
  */
-int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
 				     sepol_security_id_t newsid,
 				     sepol_security_id_t tasksid,
 				     sepol_security_class_t tclass,
@@ -1122,7 +1121,7 @@ int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
 	return 0;
 }
 
-int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
+int sepol_compute_av_reason(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
@@ -1156,7 +1155,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
  * REASON_BUF_SIZE. If the buffer size is exceeded, then it is realloc'd
  * in the constraint_expr_eval_reason() function.
  */
-int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
+int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
@@ -1198,7 +1197,7 @@ out:
 	return rc;
 }
 
-int hidden sepol_compute_av(sepol_security_id_t ssid,
+int sepol_compute_av(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_access_vector_t requested,
@@ -1213,7 +1212,7 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
  * Return a class ID associated with the class string specified by
  * class_name.
  */
-int hidden sepol_string_to_security_class(const char *class_name,
+int sepol_string_to_security_class(const char *class_name,
 			sepol_security_class_t *tclass)
 {
 	class_datum_t *tclass_datum;
@@ -1232,7 +1231,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
  * Return access vector bit associated with the class ID and permission
  * string.
  */
-int hidden sepol_string_to_av_perm(sepol_security_class_t tclass,
+int sepol_string_to_av_perm(sepol_security_class_t tclass,
 					const char *perm_name,
 					sepol_access_vector_t *av)
 {
@@ -1277,7 +1276,7 @@ out:
  * to point to this string and set `*scontext_len' to
  * the length of the string.
  */
-int hidden sepol_sid_to_context(sepol_security_id_t sid,
+int sepol_sid_to_context(sepol_security_id_t sid,
 				sepol_security_context_t * scontext,
 				size_t * scontext_len)
 {
@@ -1300,7 +1299,7 @@ int hidden sepol_sid_to_context(sepol_security_id_t sid,
  * Return a SID associated with the security context that
  * has the string representation specified by `scontext'.
  */
-int hidden sepol_context_to_sid(const sepol_security_context_t scontext,
+int sepol_context_to_sid(const sepol_security_context_t scontext,
 				size_t scontext_len, sepol_security_id_t * sid)
 {
 
@@ -1480,7 +1479,7 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
  * Compute a SID to use for labeling a new object in the 
  * class `tclass' based on a SID pair.  
  */
-int hidden sepol_transition_sid(sepol_security_id_t ssid,
+int sepol_transition_sid(sepol_security_id_t ssid,
 				sepol_security_id_t tsid,
 				sepol_security_class_t tclass,
 				sepol_security_id_t * out_sid)
@@ -1493,7 +1492,7 @@ int hidden sepol_transition_sid(sepol_security_id_t ssid,
  * polyinstantiated object of class `tclass' based on 
  * a SID pair.
  */
-int hidden sepol_member_sid(sepol_security_id_t ssid,
+int sepol_member_sid(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_security_id_t * out_sid)
@@ -1505,7 +1504,7 @@ int hidden sepol_member_sid(sepol_security_id_t ssid,
  * Compute a SID to use for relabeling an object in the 
  * class `tclass' based on a SID pair.  
  */
-int hidden sepol_change_sid(sepol_security_id_t ssid,
+int sepol_change_sid(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
 			    sepol_security_id_t * out_sid)
@@ -1691,7 +1690,7 @@ static int convert_context(sepol_security_id_t key __attribute__ ((unused)),
 }
 
 /* Reading from a policy "file". */
-int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
+int next_entry(void *buf, struct policy_file *fp, size_t bytes)
 {
 	size_t nread;
 
@@ -1718,7 +1717,7 @@ int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
 	return 0;
 }
 
-size_t hidden put_entry(const void *ptr, size_t size, size_t n,
+size_t put_entry(const void *ptr, size_t size, size_t n,
 			struct policy_file *fp)
 {
 	size_t bytes = size * n;
@@ -1753,7 +1752,7 @@ size_t hidden put_entry(const void *ptr, size_t size, size_t n,
  *   0 - Success
  *  -1 - Failure with errno set
  */
-int hidden str_read(char **strp, struct policy_file *fp, size_t len)
+int str_read(char **strp, struct policy_file *fp, size_t len)
 {
 	int rc;
 	char *str;
@@ -1796,7 +1795,7 @@ int hidden str_read(char **strp, struct policy_file *fp, size_t len)
  *
  * Reset the access vector cache.
  */
-int hidden sepol_load_policy(void *data, size_t len)
+int sepol_load_policy(void *data, size_t len)
 {
 	policydb_t oldpolicydb, newpolicydb;
 	sidtab_t oldsidtab, newsidtab;
@@ -1869,7 +1868,7 @@ int hidden sepol_load_policy(void *data, size_t len)
  * the file system and the `file_sid' SID is returned
  * for all files within that file system.
  */
-int hidden sepol_fs_sid(char *name,
+int sepol_fs_sid(char *name,
 			sepol_security_id_t * fs_sid,
 			sepol_security_id_t * file_sid)
 {
@@ -1911,7 +1910,7 @@ int hidden sepol_fs_sid(char *name,
  * Return the SID of the ibpkey specified by
  * `subnet prefix', and `pkey number'.
  */
-int hidden sepol_ibpkey_sid(uint64_t subnet_prefix,
+int sepol_ibpkey_sid(uint64_t subnet_prefix,
 			    uint16_t pkey, sepol_security_id_t *out_sid)
 {
 	ocontext_t *c;
@@ -1947,7 +1946,7 @@ out:
  * Return the SID of the subnet management interface specified by
  * `device name', and `port'.
  */
-int hidden sepol_ibendport_sid(char *dev_name,
+int sepol_ibendport_sid(char *dev_name,
 			       uint8_t port,
 			       sepol_security_id_t *out_sid)
 {
@@ -1984,7 +1983,7 @@ out:
  * Return the SID of the port specified by
  * `domain', `type', `protocol', and `port'.
  */
-int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
+int sepol_port_sid(uint16_t domain __attribute__ ((unused)),
 			  uint16_t type __attribute__ ((unused)),
 			  uint8_t protocol,
 			  uint16_t port, sepol_security_id_t * out_sid)
@@ -2024,7 +2023,7 @@ int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
  * the default SID for messages received on the
  * interface.
  */
-int hidden sepol_netif_sid(char *name,
+int sepol_netif_sid(char *name,
 			   sepol_security_id_t * if_sid,
 			   sepol_security_id_t * msg_sid)
 {
@@ -2082,7 +2081,7 @@ static int match_ipv6_addrmask(uint32_t * input, uint32_t * addr,
  * in bytes and `domain' is the communications domain or
  * address family in which the address should be interpreted.
  */
-int hidden sepol_node_sid(uint16_t domain,
+int sepol_node_sid(uint16_t domain,
 			  void *addrp,
 			  size_t addrlen, sepol_security_id_t * out_sid)
 {
@@ -2155,7 +2154,7 @@ int hidden sepol_node_sid(uint16_t domain,
  */
 #define SIDS_NEL 25
 
-int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
+int sepol_get_user_sids(sepol_security_id_t fromsid,
 			       char *username,
 			       sepol_security_id_t ** sids, uint32_t * nel)
 {
@@ -2250,7 +2249,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
  * that cannot support a persistent label mapping or use another
  * fixed labeling behavior like transition SIDs or task SIDs.
  */
-int hidden sepol_genfs_sid(const char *fstype,
+int sepol_genfs_sid(const char *fstype,
 			   const char *path,
 			   sepol_security_class_t sclass,
 			   sepol_security_id_t * sid)
@@ -2297,7 +2296,7 @@ int hidden sepol_genfs_sid(const char *fstype,
 	return rc;
 }
 
-int hidden sepol_fs_use(const char *fstype,
+int sepol_fs_use(const char *fstype,
 			unsigned int *behavior, sepol_security_id_t * sid)
 {
 	int rc = 0;
diff --git a/libsepol/src/user_internal.h b/libsepol/src/user_internal.h
index 7523b7d54076..f5b22b023034 100644
--- a/libsepol/src/user_internal.h
+++ b/libsepol/src/user_internal.h
@@ -3,18 +3,5 @@
 
 #include <sepol/user_record.h>
 #include <sepol/users.h>
-#include "dso.h"
 
-hidden_proto(sepol_user_add_role)
-    hidden_proto(sepol_user_create)
-    hidden_proto(sepol_user_free)
-    hidden_proto(sepol_user_get_mlslevel)
-    hidden_proto(sepol_user_get_mlsrange)
-    hidden_proto(sepol_user_get_roles)
-    hidden_proto(sepol_user_has_role)
-    hidden_proto(sepol_user_key_create)
-    hidden_proto(sepol_user_key_unpack)
-    hidden_proto(sepol_user_set_mlslevel)
-    hidden_proto(sepol_user_set_mlsrange)
-    hidden_proto(sepol_user_set_name)
 #endif
diff --git a/libsepol/src/user_record.c b/libsepol/src/user_record.c
index fa95f2d1b227..ac5200604091 100644
--- a/libsepol/src/user_record.c
+++ b/libsepol/src/user_record.c
@@ -51,7 +51,6 @@ int sepol_user_key_create(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_key_create)
 
 void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
 {
@@ -59,7 +58,6 @@ void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
 	*name = key->name;
 }
 
-hidden_def(sepol_user_key_unpack)
 
 int sepol_user_key_extract(sepol_handle_t * handle,
 			   const sepol_user_t * user,
@@ -115,7 +113,6 @@ int sepol_user_set_name(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_name)
 
 /* MLS */
 const char *sepol_user_get_mlslevel(const sepol_user_t * user)
@@ -124,7 +121,6 @@ const char *sepol_user_get_mlslevel(const sepol_user_t * user)
 	return user->mls_level;
 }
 
-hidden_def(sepol_user_get_mlslevel)
 
 int sepol_user_set_mlslevel(sepol_handle_t * handle,
 			    sepol_user_t * user, const char *mls_level)
@@ -141,7 +137,6 @@ int sepol_user_set_mlslevel(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_mlslevel)
 
 const char *sepol_user_get_mlsrange(const sepol_user_t * user)
 {
@@ -149,7 +144,6 @@ const char *sepol_user_get_mlsrange(const sepol_user_t * user)
 	return user->mls_range;
 }
 
-hidden_def(sepol_user_get_mlsrange)
 
 int sepol_user_set_mlsrange(sepol_handle_t * handle,
 			    sepol_user_t * user, const char *mls_range)
@@ -166,7 +160,6 @@ int sepol_user_set_mlsrange(sepol_handle_t * handle,
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_set_mlsrange)
 
 /* Roles */
 int sepol_user_get_num_roles(const sepol_user_t * user)
@@ -207,7 +200,6 @@ int sepol_user_add_role(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_user_add_role)
 
 int sepol_user_has_role(const sepol_user_t * user, const char *role)
 {
@@ -220,7 +212,6 @@ int sepol_user_has_role(const sepol_user_t * user, const char *role)
 	return 0;
 }
 
-hidden_def(sepol_user_has_role)
 
 int sepol_user_set_roles(sepol_handle_t * handle,
 			 sepol_user_t * user,
@@ -292,7 +283,6 @@ int sepol_user_get_roles(sepol_handle_t * handle,
 	return STATUS_ERR;
 }
 
-hidden_def(sepol_user_get_roles)
 
 void sepol_user_del_role(sepol_user_t * user, const char *role)
 {
@@ -330,7 +320,6 @@ int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr)
 	return STATUS_SUCCESS;
 }
 
-hidden_def(sepol_user_create)
 
 /* Deep copy clone */
 int sepol_user_clone(sepol_handle_t * handle,
@@ -386,4 +375,3 @@ void sepol_user_free(sepol_user_t * user)
 	free(user);
 }
 
-hidden_def(sepol_user_free)
diff --git a/libsepol/src/util.c b/libsepol/src/util.c
index a4008882b94b..d51750af3fa1 100644
--- a/libsepol/src/util.c
+++ b/libsepol/src/util.c
@@ -27,7 +27,6 @@
 #include <sepol/policydb/flask_types.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/util.h>
-#include <dso.h>
 
 struct val_to_name {
 	unsigned int val;
@@ -250,7 +249,7 @@ static inline int tokenize_str(char delim, char **str, char **ptr, size_t *len)
  * contain the remaining content of line_buf. If the delimiter is any whitespace
  * character, then all whitespace will be squashed.
  */
-int hidden tokenize(char *line_buf, char delim, int num_args, ...)
+int tokenize(char *line_buf, char delim, int num_args, ...)
 {
 	char **arg, *buf_p;
 	int rc, items;
-- 
2.17.1



* [PATCH v2 2/3] libsepol/Makefile: add -fno-semantic-interposition
  2020-03-10 21:08 ` V2 libsepol drop dso.h bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 1/3] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-03-10 21:08   ` bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 3/3] lbespol: remove wild cards in mapfile bill.c.roberts
  2 siblings, 0 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-10 21:08 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index ccb702338446..8d466f56ed0e 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -19,7 +19,7 @@ LIBMAP=libsepol.map
 LIBSO=$(TARGET).$(LIBVERSION)
 OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c)))
 LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c)))
-CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2
+CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2 -fno-semantic-interposition
 
 override CFLAGS += -I. -I../include -D_GNU_SOURCE
 
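Review bot: The new flag is added to the `CFLAGS ?=` default, so any build that sets CFLAGS itself (as packaging builds commonly do) compiles without `-fno-semantic-interposition` and silently loses the protection the commit message describes for internal callers of exported symbols. A flag the library depends on for that guarantee belongs on the `override` line two lines below: `override CFLAGS += -I. -I../include -D_GNU_SOURCE -fno-semantic-interposition`. If the flag is kept overridable on purpose, for instance because some supported compilers may reject it, say so in a comment above the assignment.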
-- 
2.17.1



* [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-10 21:08 ` V2 libsepol drop dso.h bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 1/3] libsepol/dso: drop hidden_proto and hidden_def bill.c.roberts
  2020-03-10 21:08   ` [PATCH v2 2/3] libsepol/Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-03-10 21:08   ` bill.c.roberts
  2020-03-11 18:53     ` Stephen Smalley
  2 siblings, 1 reply; 36+ messages in thread
From: bill.c.roberts @ 2020-03-10 21:08 UTC (permalink / raw)
  To: nicolas.iooss, selinux
  Cc: bill.c.roberts, drepper, omosnace, plautrba,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

With the old hidden_def and hidden_proto DSO infrastructure removed,
correctness of the map file becomes paramount, as it is what filters out
public API. Because of this, the wild cards should not be used, as they
let some functions through that should not be made public API. Thus
remove the wild cards, and sort the list.

Additionally, verify that nothing changed in external symbols as well:

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/libsepol.map.in | 275 +++++++++++++++++++++++++++++++----
 1 file changed, 245 insertions(+), 30 deletions(-)

diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
index f4946a79cae7..f08c2a861693 100644
--- a/libsepol/src/libsepol.map.in
+++ b/libsepol/src/libsepol.map.in
@@ -1,39 +1,254 @@
 LIBSEPOL_1.0 {
-  global: 
-	expand_module_avrules;
-	sepol_module_package_*; sepol_link_modules; sepol_expand_module; sepol_link_packages;
-	sepol_bool_*; sepol_genbools*; 
-	sepol_context_*; sepol_mls_*; sepol_check_context;
-	sepol_iface_*; 
-	sepol_port_*;
-	sepol_ibpkey_*;
-	sepol_ibendport_*;
-	sepol_node_*;
-	sepol_user_*; sepol_genusers; sepol_set_delusers;
-	sepol_msg_*; sepol_debug;
-	sepol_handle_*;
-	sepol_policydb_*; sepol_set_policydb_from_file; 
-	sepol_policy_kern_*;
-	sepol_policy_file_*;
-	sepol_get_disable_dontaudit;
-	sepol_set_disable_dontaudit;
-	sepol_set_expand_consume_base;
-	sepol_get_preserve_tunables; sepol_set_preserve_tunables;
+  global:
+	cil_add_file;
+	cil_build_policydb;
+	cil_compile;
+	cil_db_destroy;
 	cil_db_init;
+	cil_filecons_to_string;
+	cil_selinuxusers_to_string;
 	cil_set_disable_dontaudit;
 	cil_set_disable_neverallow;
-	cil_set_preserve_tunables;
 	cil_set_handle_unknown;
-	cil_db_destroy;
-	cil_add_file;
-	cil_compile;
-	cil_build_policydb;
-	cil_userprefixes_to_string;
-	cil_selinuxusers_to_string;
-	cil_filecons_to_string;
-	cil_set_log_level;
 	cil_set_log_handler;
-	cil_set_malloc_error_handler;
+	cil_set_log_level;
+	cil_set_preserve_tunables;
+	cil_userprefixes_to_string;
+	expand_module_avrules;
+	sepol_bool_clone;
+	sepol_bool_compare;
+	sepol_bool_compare2;
+	sepol_bool_count;
+	sepol_bool_create;
+	sepol_bool_exists;
+	sepol_bool_free;
+	sepol_bool_get_name;
+	sepol_bool_get_value;
+	sepol_bool_iterate;
+	sepol_bool_key_create;
+	sepol_bool_key_extract;
+	sepol_bool_key_free;
+	sepol_bool_key_unpack;
+	sepol_bool_query;
+	sepol_bool_set;
+	sepol_bool_set_name;
+	sepol_bool_set_value;
+	sepol_check_context;
+	sepol_context_check;
+	sepol_context_clone;
+	sepol_context_create;
+	sepol_context_free;
+	sepol_context_from_string;
+	sepol_context_get_mls;
+	sepol_context_get_role;
+	sepol_context_get_type;
+	sepol_context_get_user;
+	sepol_context_set_mls;
+	sepol_context_set_role;
+	sepol_context_set_type;
+	sepol_context_set_user;
+	sepol_context_to_string;
+	sepol_debug;
+	sepol_expand_module;
+	sepol_genbools;
+	sepol_genbools_array;
+	sepol_genusers;
+	sepol_get_disable_dontaudit;
+	sepol_get_preserve_tunables;
+	sepol_handle_create;
+	sepol_handle_destroy;
+	sepol_ibendport_alloc_ibdev_name;
+	sepol_ibendport_clone;
+	sepol_ibendport_compare;
+	sepol_ibendport_compare2;
+	sepol_ibendport_count;
+	sepol_ibendport_create;
+	sepol_ibendport_exists;
+	sepol_ibendport_free;
+	sepol_ibendport_get_con;
+	sepol_ibendport_get_ibdev_name;
+	sepol_ibendport_get_port;
+	sepol_ibendport_iterate;
+	sepol_ibendport_key_create;
+	sepol_ibendport_key_extract;
+	sepol_ibendport_key_free;
+	sepol_ibendport_key_unpack;
+	sepol_ibendport_modify;
+	sepol_ibendport_query;
+	sepol_ibendport_set_con;
+	sepol_ibendport_set_ibdev_name;
+	sepol_ibendport_set_port;
+	sepol_ibpkey_clone;
+	sepol_ibpkey_compare;
+	sepol_ibpkey_compare2;
+	sepol_ibpkey_count;
+	sepol_ibpkey_create;
+	sepol_ibpkey_exists;
+	sepol_ibpkey_free;
+	sepol_ibpkey_get_con;
+	sepol_ibpkey_get_high;
+	sepol_ibpkey_get_low;
+	sepol_ibpkey_get_subnet_prefix;
+	sepol_ibpkey_get_subnet_prefix_bytes;
+	sepol_ibpkey_iterate;
+	sepol_ibpkey_key_create;
+	sepol_ibpkey_key_extract;
+	sepol_ibpkey_key_free;
+	sepol_ibpkey_key_unpack;
+	sepol_ibpkey_modify;
+	sepol_ibpkey_query;
+	sepol_ibpkey_set_con;
+	sepol_ibpkey_set_pkey;
+	sepol_ibpkey_set_range;
+	sepol_ibpkey_set_subnet_prefix;
+	sepol_ibpkey_set_subnet_prefix_bytes;
+	sepol_iface_clone;
+	sepol_iface_compare;
+	sepol_iface_compare2;
+	sepol_iface_count;
+	sepol_iface_create;
+	sepol_iface_exists;
+	sepol_iface_free;
+	sepol_iface_get_ifcon;
+	sepol_iface_get_msgcon;
+	sepol_iface_get_name;
+	sepol_iface_iterate;
+	sepol_iface_key_create;
+	sepol_iface_key_extract;
+	sepol_iface_key_free;
+	sepol_iface_key_unpack;
+	sepol_iface_modify;
+	sepol_iface_query;
+	sepol_iface_set_ifcon;
+	sepol_iface_set_msgcon;
+	sepol_iface_set_name;
+	sepol_link_modules;
+	sepol_link_packages;
+	sepol_mls_check;
+	sepol_mls_contains;
+	sepol_module_package_create;
+	sepol_module_package_free;
+	sepol_module_package_get_file_contexts;
+	sepol_module_package_get_file_contexts_len;
+	sepol_module_package_get_netfilter_contexts;
+	sepol_module_package_get_netfilter_contexts_len;
+	sepol_module_package_get_policy;
+	sepol_module_package_get_seusers;
+	sepol_module_package_get_seusers_len;
+	sepol_module_package_get_user_extra;
+	sepol_module_package_get_user_extra_len;
+	sepol_module_package_info;
+	sepol_module_package_read;
+	sepol_module_package_set_file_contexts;
+	sepol_module_package_set_netfilter_contexts;
+	sepol_module_package_set_seusers;
+	sepol_module_package_set_user_extra;
+	sepol_module_package_write;
+	sepol_msg_get_channel;
+	sepol_msg_get_fname;
+	sepol_msg_get_level;
+	sepol_msg_set_callback;
+	sepol_node_clone;
+	sepol_node_compare;
+	sepol_node_compare2;
+	sepol_node_count;
+	sepol_node_create;
+	sepol_node_exists;
+	sepol_node_free;
+	sepol_node_get_addr;
+	sepol_node_get_addr_bytes;
+	sepol_node_get_con;
+	sepol_node_get_mask;
+	sepol_node_get_mask_bytes;
+	sepol_node_get_proto;
+	sepol_node_get_proto_str;
+	sepol_node_iterate;
+	sepol_node_key_create;
+	sepol_node_key_extract;
+	sepol_node_key_free;
+	sepol_node_key_unpack;
+	sepol_node_modify;
+	sepol_node_query;
+	sepol_node_set_addr;
+	sepol_node_set_addr_bytes;
+	sepol_node_set_con;
+	sepol_node_set_mask;
+	sepol_node_set_mask_bytes;
+	sepol_node_set_proto;
+	sepol_policydb_compat_net;
+	sepol_policydb_create;
+	sepol_policydb_free;
+	sepol_policydb_from_image;
+	sepol_policydb_mls_enabled;
+	sepol_policydb_read;
+	sepol_policydb_set_handle_unknown;
+	sepol_policydb_set_target_platform;
+	sepol_policydb_set_typevers;
+	sepol_policydb_set_vers;
+	sepol_policydb_to_image;
+	sepol_policydb_write;
+	sepol_policy_file_create;
+	sepol_policy_file_free;
+	sepol_policy_file_get_len;
+	sepol_policy_file_set_fp;
+	sepol_policy_file_set_handle;
+	sepol_policy_file_set_mem;
+	sepol_policy_kern_vers_max;
+	sepol_policy_kern_vers_min;
+	sepol_port_clone;
+	sepol_port_compare;
+	sepol_port_compare2;
+	sepol_port_count;
+	sepol_port_create;
+	sepol_port_exists;
+	sepol_port_free;
+	sepol_port_get_con;
+	sepol_port_get_high;
+	sepol_port_get_low;
+	sepol_port_get_proto;
+	sepol_port_get_proto_str;
+	sepol_port_iterate;
+	sepol_port_key_create;
+	sepol_port_key_extract;
+	sepol_port_key_free;
+	sepol_port_key_unpack;
+	sepol_port_modify;
+	sepol_port_query;
+	sepol_port_set_con;
+	sepol_port_set_port;
+	sepol_port_set_proto;
+	sepol_port_set_range;
+	sepol_set_delusers;
+	sepol_set_disable_dontaudit;
+	sepol_set_expand_consume_base;
+	sepol_set_policydb_from_file;
+	sepol_set_preserve_tunables;
+	sepol_user_add_role;
+	sepol_user_clone;
+	sepol_user_compare;
+	sepol_user_compare2;
+	sepol_user_count;
+	sepol_user_create;
+	sepol_user_del_role;
+	sepol_user_exists;
+	sepol_user_free;
+	sepol_user_get_mlslevel;
+	sepol_user_get_mlsrange;
+	sepol_user_get_name;
+	sepol_user_get_num_roles;
+	sepol_user_get_roles;
+	sepol_user_has_role;
+	sepol_user_iterate;
+	sepol_user_key_create;
+	sepol_user_key_extract;
+	sepol_user_key_free;
+	sepol_user_key_unpack;
+	sepol_user_modify;
+	sepol_user_query;
+	sepol_user_set_mlslevel;
+	sepol_user_set_mlsrange;
+	sepol_user_set_name;
+	sepol_user_set_roles;
   local: *;
 };
 
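Review bot: `cil_set_malloc_error_handler;` is removed from the global list and, unlike the other `cil_*` entries that were only reordered, does not reappear in the sorted list. The `nm --defined-only` comparison in the commit message cannot show this if the symbol is simply not defined in the library, so the commit message should state whether the entry was stale or whether this drops an exported function. If the function exists and is public, keep the line `cil_set_malloc_error_handler;` between `cil_set_log_level;` and `cil_set_preserve_tunables;`. With `local: *;` now the only filter, a build-time check that compares the `nm` output against this list would catch future omissions and accidental exports.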
-- 
2.17.1



* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-10 21:08   ` [PATCH v2 3/3] lbespol: remove wild cards in mapfile bill.c.roberts
@ 2020-03-11 18:53     ` Stephen Smalley
  2020-03-11 18:54       ` Stephen Smalley
  0 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-11 18:53 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> With the old hidden_def and hidden_proto DSO infrastructure removed,
> correctness of the map file becomes paramount, as it is what filters out
> public API. Because of this, the wild cards should not be used, as it
> lets some functions through that should not be made public API. Thus
> remove the wild cards, and sort the list.
>
> Additionally, verify that nothing changed in external symbols as well:
>
> This was checked by generating an old export map (from master):
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
>
> Then creating a new one for this library after this patch is applied:
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
>
> And diffing them:
> diff old.map new.map
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

Other than the typo in the subject line,
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

This should fix https://github.com/SELinuxProject/selinux/issues/204


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-11 18:53     ` Stephen Smalley
@ 2020-03-11 18:54       ` Stephen Smalley
  2020-03-12 13:59         ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-11 18:54 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Wed, Mar 11, 2020 at 2:53 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > With the old hidden_def and hidden_proto DSO infrastructure removed,
> > correctness of the map file becomes paramount, as it is what filters out
> > public API. Because of this, the wild cards should not be used, as it
> > lets some functions through that should not be made public API. Thus
> > remove the wild cards, and sort the list.
> >
> > Additionally, verify that nothing changed in external symbols as well:
> >
> > This was checked by generating an old export map (from master):
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> >
> > Then creating a new one for this library after this patch is applied:
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> >
> > And diffing them:
> > diff old.map new.map
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>
> Other than the typo in the subject line,
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> This should fix https://github.com/SELinuxProject/selinux/issues/204

and https://github.com/SELinuxProject/selinux/issues/165


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-11 18:54       ` Stephen Smalley
@ 2020-03-12 13:59         ` William Roberts
  2020-03-12 20:22           ` Stephen Smalley
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-12 13:59 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

I will fix the subject and add the Fixes: #165 to the commit when I
stage them, if that's ok?

On Wed, Mar 11, 2020 at 1:53 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Mar 11, 2020 at 2:53 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
> > >
> > > From: William Roberts <william.c.roberts@intel.com>
> > >
> > > With the old hidden_def and hidden_proto DSO infrastructure removed,
> > > correctness of the map file becomes paramount, as it is what filters out
> > > public API. Because of this, the wild cards should not be used, as it
> > > lets some functions through that should not be made public API. Thus
> > > remove the wild cards, and sort the list.
> > >
> > > Additionally, verify that nothing changed in external symbols as well:
> > >
> > > This was checked by generating an old export map (from master):
> > > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> > >
> > > Then creating a new one for this library after this patch is applied:
> > > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> > >
> > > And diffing them:
> > > diff old.map new.map
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> >
> > Other than the typo in the subject line,
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
> > This should fix https://github.com/SELinuxProject/selinux/issues/204
>
> and https://github.com/SELinuxProject/selinux/issues/165


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-12 13:59         ` William Roberts
@ 2020-03-12 20:22           ` Stephen Smalley
  2020-03-12 21:42             ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-12 20:22 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Thu, Mar 12, 2020 at 9:59 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> I will fix the subject and add the Fixes: #165 to the commit when I
> stage them if thats ok?

Fixes both 165 and 204 IIUC because the real underlying issue for both was the
fact that he was building with LTO and it was doing the wrong thing
with hidden_def/hidden_proto.
Otherwise works for me.  You can download the series from patchwork or
via get-lore-mbox
to pick up all the Acks automatically.


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-12 20:22           ` Stephen Smalley
@ 2020-03-12 21:42             ` William Roberts
  2020-03-13 11:03               ` Ondrej Mosnacek
  2020-03-17 17:46               ` Stephen Smalley
  0 siblings, 2 replies; 36+ messages in thread
From: William Roberts @ 2020-03-12 21:42 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > I will fix the subject and add the Fixes: #165 to the commit when I
> > stage them if thats ok?
>
> Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> fact that he was building with LTO and it was doing the wrong thing
> with hidden_def/hidden_proto.
> Otherwise works for me.  You can download the series from patchwork or
> via get-lore-mbox
> to pick up all the Acks automatically.

I have no idea how to do that, I'll have to spend some time and
familiarize myself with it.
For now I just manually added the acks and did the edits we discussed
and rebased on top
of current master. There was a simple conflict in libsepol/src/services.c.

I have them staged here:
https://github.com/SELinuxProject/selinux/pull/207

And since their were some minor edits before they go in, ill let them
sit a couple
of days for any last objections. Ill merge Monday March 16 end of workday if all
is silent.


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-12 21:42             ` William Roberts
@ 2020-03-13 11:03               ` Ondrej Mosnacek
  2020-03-13 14:22                 ` William Roberts
  2020-03-17 17:46               ` Stephen Smalley
  1 sibling, 1 reply; 36+ messages in thread
From: Ondrej Mosnacek @ 2020-03-13 11:03 UTC (permalink / raw)
  To: William Roberts
  Cc: Stephen Smalley, Nicolas Iooss, SElinux list, Ulrich Drepper,
	Petr Lautrbach, William Roberts

On Thu, Mar 12, 2020 at 10:42 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > stage them if thats ok?
> >
> > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > fact that he was building with LTO and it was doing the wrong thing
> > with hidden_def/hidden_proto.
> > Otherwise works for me.  You can download the series from patchwork or
> > via get-lore-mbox
> > to pick up all the Acks automatically.
>
> I have no idea how to do that, Ill have to spend some time and
> familiarize myself with it.

You can simply go to
https://patchwork.kernel.org/project/selinux/list/, click on any patch
in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
copy the address of the "series" button/link in the upper right
corner. Then you just do:

curl <link> | git am

There is certainly a faster way to do it using the Patchwork CLI, but
I never bothered to set that up :)

> For now I just manually added the acks and did the edits we discussed
> and rebased ontop
> of current master. Their was a simple conflict in libsepol/src/services.c.
>
> I have them staged here:
> https://github.com/SELinuxProject/selinux/pull/207

The CI failed because libsepol/src/services.c still includes "dso.h"
in the rebased commits. You'll need to fix that first.

>
> And since their were some minor edits before they go in, ill let them
> sit a couple
> of days for any last objections. Ill merge Monday March 16 end of workday if all
> is silent.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-13 11:03               ` Ondrej Mosnacek
@ 2020-03-13 14:22                 ` William Roberts
  2020-03-13 14:41                   ` Ondrej Mosnacek
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-13 14:22 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Stephen Smalley, Nicolas Iooss, SElinux list, Ulrich Drepper,
	Petr Lautrbach, William Roberts

On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > >
> > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > stage them if thats ok?
> > >
> > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > fact that he was building with LTO and it was doing the wrong thing
> > > with hidden_def/hidden_proto.
> > > Otherwise works for me.  You can download the series from patchwork or
> > > via get-lore-mbox
> > > to pick up all the Acks automatically.
> >
> > I have no idea how to do that, Ill have to spend some time and
> > familiarize myself with it.
>
> You can simply go to
> https://patchwork.kernel.org/project/selinux/list/, click on any patch
> in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> copy the address of the "series" button/link in the upper right
> corner. Then you just do:
>
> curl <link> | git am
>
> There is certainly a faster way to do it using the Patchwork CLI, but
> I never bothered to set that up :)

Thanks, ill have to try that next time!

>
> > For now I just manually added the acks and did the edits we discussed
> > and rebased ontop
> > of current master. Their was a simple conflict in libsepol/src/services.c.
> >
> > I have them staged here:
> > https://github.com/SELinuxProject/selinux/pull/207
>
> The CI failed because libsepol/src/services.c still includes "dso.h"
> in the rebased commits. You'll need to fix that first.

I'm sitting here thinking, "I built and ran the tests, how?" Looking
at bash history,
for libselinux, not libsepol!

>
> >
> > And since their were some minor edits before they go in, ill let them
> > sit a couple
> > of days for any last objections. Ill merge Monday March 16 end of workday if all
> > is silent.
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-13 14:22                 ` William Roberts
@ 2020-03-13 14:41                   ` Ondrej Mosnacek
  2020-03-13 14:51                     ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Ondrej Mosnacek @ 2020-03-13 14:41 UTC (permalink / raw)
  To: William Roberts
  Cc: Stephen Smalley, Nicolas Iooss, SElinux list, Ulrich Drepper,
	Petr Lautrbach, William Roberts

On Fri, Mar 13, 2020 at 3:23 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > > <stephen.smalley.work@gmail.com> wrote:
> > > >
> > > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > > <bill.c.roberts@gmail.com> wrote:
> > > > >
> > > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > > stage them if thats ok?
> > > >
> > > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > > fact that he was building with LTO and it was doing the wrong thing
> > > > with hidden_def/hidden_proto.
> > > > Otherwise works for me.  You can download the series from patchwork or
> > > > via get-lore-mbox
> > > > to pick up all the Acks automatically.
> > >
> > > I have no idea how to do that, Ill have to spend some time and
> > > familiarize myself with it.
> >
> > You can simply go to
> > https://patchwork.kernel.org/project/selinux/list/, click on any patch
> > in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> > copy the address of the "series" button/link in the upper right
> > corner. Then you just do:
> >
> > curl <link> | git am
> >
> > There is certainly a faster way to do it using the Patchwork CLI, but
> > I never bothered to set that up :)
>
> Thanks, ill have to try that next time!
>
> >
> > > For now I just manually added the acks and did the edits we discussed
> > > and rebased ontop
> > > of current master. Their was a simple conflict in libsepol/src/services.c.
> > >
> > > I have them staged here:
> > > https://github.com/SELinuxProject/selinux/pull/207
> >
> > The CI failed because libsepol/src/services.c still includes "dso.h"
> > in the rebased commits. You'll need to fix that first.
>
> I'm sitting here thinking, "I built and ran the tests, how?" Looking
> at bash history,
> for libselinux, not libsepol!

No worries, fortunately we have CI to cover our backs :)

Anyway, I just noticed that there is still a typo in the last commit's
title ("libespol").

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-13 14:41                   ` Ondrej Mosnacek
@ 2020-03-13 14:51                     ` William Roberts
  0 siblings, 0 replies; 36+ messages in thread
From: William Roberts @ 2020-03-13 14:51 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Stephen Smalley, Nicolas Iooss, SElinux list, Ulrich Drepper,
	Petr Lautrbach, William Roberts

On Fri, Mar 13, 2020 at 9:41 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Fri, Mar 13, 2020 at 3:23 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > > > <stephen.smalley.work@gmail.com> wrote:
> > > > >
> > > > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > > > <bill.c.roberts@gmail.com> wrote:
> > > > > >
> > > > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > > > stage them if thats ok?
> > > > >
> > > > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > > > fact that he was building with LTO and it was doing the wrong thing
> > > > > with hidden_def/hidden_proto.
> > > > > Otherwise works for me.  You can download the series from patchwork or
> > > > > via get-lore-mbox
> > > > > to pick up all the Acks automatically.
> > > >
> > > > I have no idea how to do that, Ill have to spend some time and
> > > > familiarize myself with it.
> > >
> > > You can simply go to
> > > https://patchwork.kernel.org/project/selinux/list/, click on any patch
> > > in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> > > copy the address of the "series" button/link in the upper right
> > > corner. Then you just do:
> > >
> > > curl <link> | git am
> > >
> > > There is certainly a faster way to do it using the Patchwork CLI, but
> > > I never bothered to set that up :)
> >
> > Thanks, ill have to try that next time!
> >
> > >
> > > > For now I just manually added the acks and did the edits we discussed
> > > > and rebased ontop
> > > > of current master. Their was a simple conflict in libsepol/src/services.c.
> > > >
> > > > I have them staged here:
> > > > https://github.com/SELinuxProject/selinux/pull/207
> > >
> > > The CI failed because libsepol/src/services.c still includes "dso.h"
> > > in the rebased commits. You'll need to fix that first.
> >
> > I'm sitting here thinking, "I built and ran the tests, how?" Looking
> > at bash history,
> > for libselinux, not libsepol!
>
> No worries, fortunately we have CI to cover our backs :)

Why I love CI, free checking.

>
> Anyway, I just noticed that there is still a typo in the last commit's
> title ("libespol").

Agghhh, kill me now! Updated.

>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-12 21:42             ` William Roberts
  2020-03-13 11:03               ` Ondrej Mosnacek
@ 2020-03-17 17:46               ` Stephen Smalley
  2020-03-19 19:46                 ` William Roberts
  1 sibling, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-17 17:46 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Thu, Mar 12, 2020 at 5:42 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > stage them if thats ok?
> >
> > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > fact that he was building with LTO and it was doing the wrong thing
> > with hidden_def/hidden_proto.
> > Otherwise works for me.  You can download the series from patchwork or
> > via get-lore-mbox
> > to pick up all the Acks automatically.
>
> I have no idea how to do that, Ill have to spend some time and
> familiarize myself with it.
> For now I just manually added the acks and did the edits we discussed
> and rebased ontop
> of current master. Their was a simple conflict in libsepol/src/services.c.
>
> I have them staged here:
> https://github.com/SELinuxProject/selinux/pull/207
>
> And since their were some minor edits before they go in, ill let them
> sit a couple
> of days for any last objections. Ill merge Monday March 16 end of workday if all
> is silent.

I merged this pull request.


* Re: [PATCH v2 3/3] lbespol: remove wild cards in mapfile
  2020-03-17 17:46               ` Stephen Smalley
@ 2020-03-19 19:46                 ` William Roberts
  2020-03-19 19:48                   ` [PATCH] cil: drop remaining dso.h include bill.c.roberts
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-19 19:46 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Nicolas Iooss, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

FYI: Looks like I missed a dso.h in cil.c:
https://github.com/SELinuxProject/selinux/blob/master/libsepol/cil/src/cil.c#L53

It doesn't seem to be breaking anything; I'll submit a patch to the mailing list.

On Tue, Mar 17, 2020 at 12:46 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 5:42 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > >
> > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > stage them if thats ok?
> > >
> > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > fact that he was building with LTO and it was doing the wrong thing
> > > with hidden_def/hidden_proto.
> > > Otherwise works for me.  You can download the series from patchwork or
> > > via get-lore-mbox
> > > to pick up all the Acks automatically.
> >
> > I have no idea how to do that, Ill have to spend some time and
> > familiarize myself with it.
> > For now I just manually added the acks and did the edits we discussed
> > and rebased ontop
> > of current master. Their was a simple conflict in libsepol/src/services.c.
> >
> > I have them staged here:
> > https://github.com/SELinuxProject/selinux/pull/207
> >
> > And since their were some minor edits before they go in, ill let them
> > sit a couple
> > of days for any last objections. Ill merge Monday March 16 end of workday if all
> > is silent.
>
> I merged this pull request.


* [PATCH] cil: drop remaining dso.h include
  2020-03-19 19:46                 ` William Roberts
@ 2020-03-19 19:48                   ` bill.c.roberts
  2020-03-20  8:08                     ` Ondrej Mosnacek
  0 siblings, 1 reply; 36+ messages in thread
From: bill.c.roberts @ 2020-03-19 19:48 UTC (permalink / raw)
  To: bill.c.roberts; +Cc: selinux, stephen.smalley.work, William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/cil/src/cil.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index c010ca2aeaf4..12cc28eff389 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -50,7 +50,6 @@
 #include "cil_binary.h"
 #include "cil_policy.h"
 #include "cil_strpool.h"
-#include "dso.h"
 
 #ifndef DISABLE_SYMVER
 asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
-- 
2.17.1



* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-19 19:48                   ` [PATCH] cil: drop remaining dso.h include bill.c.roberts
@ 2020-03-20  8:08                     ` Ondrej Mosnacek
  2020-03-23 15:35                       ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Ondrej Mosnacek @ 2020-03-20  8:08 UTC (permalink / raw)
  To: William Roberts; +Cc: SElinux list, Stephen Smalley, William Roberts

On Thu, Mar 19, 2020 at 8:49 PM <bill.c.roberts@gmail.com> wrote:
> From: William Roberts <william.c.roberts@intel.com>
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libsepol/cil/src/cil.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index c010ca2aeaf4..12cc28eff389 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -50,7 +50,6 @@
>  #include "cil_binary.h"
>  #include "cil_policy.h"
>  #include "cil_strpool.h"
> -#include "dso.h"
>
>  #ifndef DISABLE_SYMVER
>  asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
> --
> 2.17.1
>

Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-20  8:08                     ` Ondrej Mosnacek
@ 2020-03-23 15:35                       ` William Roberts
  2020-03-26 15:16                         ` Joshua Brindle
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-23 15:35 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list, Stephen Smalley, William Roberts

On Fri, Mar 20, 2020 at 3:08 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Thu, Mar 19, 2020 at 8:49 PM <bill.c.roberts@gmail.com> wrote:
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> >  libsepol/cil/src/cil.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> > index c010ca2aeaf4..12cc28eff389 100644
> > --- a/libsepol/cil/src/cil.c
> > +++ b/libsepol/cil/src/cil.c
> > @@ -50,7 +50,6 @@
> >  #include "cil_binary.h"
> >  #include "cil_policy.h"
> >  #include "cil_strpool.h"
> > -#include "dso.h"
> >
> >  #ifndef DISABLE_SYMVER
> >  asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
> > --
> > 2.17.1
> >
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
>
Merged: https://github.com/SELinuxProject/selinux/pull/210

Thanks


* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-23 15:35                       ` William Roberts
@ 2020-03-26 15:16                         ` Joshua Brindle
  2020-03-26 15:35                           ` William Roberts
                                             ` (2 more replies)
  0 siblings, 3 replies; 36+ messages in thread
From: Joshua Brindle @ 2020-03-26 15:16 UTC (permalink / raw)
  To: William Roberts
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

On Mon, Mar 23, 2020 at 11:35 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Fri, Mar 20, 2020 at 3:08 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > On Thu, Mar 19, 2020 at 8:49 PM <bill.c.roberts@gmail.com> wrote:
> > > From: William Roberts <william.c.roberts@intel.com>
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > > ---
> > >  libsepol/cil/src/cil.c | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> > > index c010ca2aeaf4..12cc28eff389 100644
> > > --- a/libsepol/cil/src/cil.c
> > > +++ b/libsepol/cil/src/cil.c
> > > @@ -50,7 +50,6 @@
> > >  #include "cil_binary.h"
> > >  #include "cil_policy.h"
> > >  #include "cil_strpool.h"
> > > -#include "dso.h"
> > >
> > >  #ifndef DISABLE_SYMVER
> > >  asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
> > > --
> > > 2.17.1
> > >
> >
> > Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
> >
> Merged: https://github.com/SELinuxProject/selinux/pull/210
>
> Thanks

It looks like this change broke building on MacOS:

<inline asm>:1:1: error: unknown directive
.symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0
^

(on all of them).

Previously dso.h defined DISABLE_SYMVER for Android and Apple, is
support for those intended to go away?


* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-26 15:16                         ` Joshua Brindle
@ 2020-03-26 15:35                           ` William Roberts
  2020-03-26 15:46                           ` cil: Fix DISABLE_SYMVER support and drop last dso.h bill.c.roberts
  2020-03-26 16:50                           ` [PATCH] cil: drop remaining dso.h include Stephen Smalley
  2 siblings, 0 replies; 36+ messages in thread
From: William Roberts @ 2020-03-26 15:35 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

On Thu, Mar 26, 2020 at 10:17 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
>
> On Mon, Mar 23, 2020 at 11:35 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Fri, Mar 20, 2020 at 3:08 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > On Thu, Mar 19, 2020 at 8:49 PM <bill.c.roberts@gmail.com> wrote:
> > > > From: William Roberts <william.c.roberts@intel.com>
> > > >
> > > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > > > ---
> > > >  libsepol/cil/src/cil.c | 1 -
> > > >  1 file changed, 1 deletion(-)
> > > >
> > > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> > > > index c010ca2aeaf4..12cc28eff389 100644
> > > > --- a/libsepol/cil/src/cil.c
> > > > +++ b/libsepol/cil/src/cil.c
> > > > @@ -50,7 +50,6 @@
> > > >  #include "cil_binary.h"
> > > >  #include "cil_policy.h"
> > > >  #include "cil_strpool.h"
> > > > -#include "dso.h"
> > > >
> > > >  #ifndef DISABLE_SYMVER
> > > >  asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
> > > > --
> > > > 2.17.1
> > > >
> > >
> > > Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
> > >
> > Merged: https://github.com/SELinuxProject/selinux/pull/210
> >
> > Thanks
>
> It looks like this change broke building on MacOS:
>
> <inline asm>:1:1: error: unknown directive
> .symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0
> ^
>
> (on all of them).
>
> Previously dso.h defined DISABLE_SYMVER for Android and Apple, is
> support for those intended to go away?

No, patches forthcoming.


* cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-26 15:16                         ` Joshua Brindle
  2020-03-26 15:35                           ` William Roberts
@ 2020-03-26 15:46                           ` bill.c.roberts
  2020-03-26 15:46                             ` [PATCH 1/2] cil: rm dead dso.h file bill.c.roberts
                                               ` (2 more replies)
  2020-03-26 16:50                           ` [PATCH] cil: drop remaining dso.h include Stephen Smalley
  2 siblings, 3 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-26 15:46 UTC (permalink / raw)
  To: joshua.brindle
  Cc: bill.c.roberts, omosnace, selinux, stephen.smalley.work,
	william.c.roberts

I missed a dso.h file in the cil code and broke DISABLE_SYMVER support.
This series deletes that file and restores DISABLE_SYMVER support.

Sorry... 

[PATCH 1/2] cil: rm dead dso.h file
[PATCH 2/2] cil: re-enable DISABLE_SYMVER define



* [PATCH 1/2] cil: rm dead dso.h file
  2020-03-26 15:46                           ` cil: Fix DISABLE_SYMVER support and drop last dso.h bill.c.roberts
@ 2020-03-26 15:46                             ` bill.c.roberts
  2020-03-26 15:46                             ` [PATCH 2/2] cil: re-enable DISABLE_SYMVER define bill.c.roberts
  2020-03-26 15:47                             ` cil: Fix DISABLE_SYMVER support and drop last dso.h William Roberts
  2 siblings, 0 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-26 15:46 UTC (permalink / raw)
  To: joshua.brindle
  Cc: bill.c.roberts, omosnace, selinux, stephen.smalley.work,
	william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/cil/src/dso.h | 27 ---------------------------
 1 file changed, 27 deletions(-)
 delete mode 100644 libsepol/cil/src/dso.h

diff --git a/libsepol/cil/src/dso.h b/libsepol/cil/src/dso.h
deleted file mode 100644
index 64a162cef86b..000000000000
--- a/libsepol/cil/src/dso.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _SEPOL_DSO_H
-#define _SEPOL_DSO_H	1
-
-#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)
-    #define DISABLE_SYMVER 1
-#endif
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
-- 
2.17.1



* [PATCH 2/2] cil: re-enable DISABLE_SYMVER define
  2020-03-26 15:46                           ` cil: Fix DISABLE_SYMVER support and drop last dso.h bill.c.roberts
  2020-03-26 15:46                             ` [PATCH 1/2] cil: rm dead dso.h file bill.c.roberts
@ 2020-03-26 15:46                             ` bill.c.roberts
  2020-03-26 15:47                             ` cil: Fix DISABLE_SYMVER support and drop last dso.h William Roberts
  2 siblings, 0 replies; 36+ messages in thread
From: bill.c.roberts @ 2020-03-26 15:46 UTC (permalink / raw)
  To: joshua.brindle
  Cc: bill.c.roberts, omosnace, selinux, stephen.smalley.work,
	william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Fix issues like:
<inline asm>:1:1: error: unknown directive
.symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0

This was caused by DISABLE_SYMVER not being defined
for static, Mac or Android builds.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/cil/src/cil.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 12cc28eff389..c8e27c04c954 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -51,6 +51,10 @@
 #include "cil_policy.h"
 #include "cil_strpool.h"
 
+#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)
+    #define DISABLE_SYMVER 1
+#endif
+
 #ifndef DISABLE_SYMVER
 asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
 asm(".symver cil_build_policydb_create_pdb, cil_build_policydb@@LIBSEPOL_1.1");
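Review bot: The added `#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)` block carries no comment saying why these builds must skip the `.symver` lines, so the dependency between this define and the `#ifndef DISABLE_SYMVER` guard right below it stays implicit; I would add `/* .symver is a GNU-assembler ELF symbol-versioning directive: skip it for static builds and on Android/Apple toolchains */` above it. The define is also unconditional, so a build that already passes `DISABLE_SYMVER` in its flags with a different value would get a macro-redefinition diagnostic; `#if !defined(DISABLE_SYMVER) && (!defined(SHARED) || defined(ANDROID) || defined(__APPLE__))` avoids that. The block is now private to cil.c, so any other file that tests `DISABLE_SYMVER` (none is visible here) would presumably need the same definition. The `#ifndef DISABLE_SYMVER` section continues past the end of the hunk.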
-- 
2.17.1



* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-26 15:46                           ` cil: Fix DISABLE_SYMVER support and drop last dso.h bill.c.roberts
  2020-03-26 15:46                             ` [PATCH 1/2] cil: rm dead dso.h file bill.c.roberts
  2020-03-26 15:46                             ` [PATCH 2/2] cil: re-enable DISABLE_SYMVER define bill.c.roberts
@ 2020-03-26 15:47                             ` William Roberts
  2020-03-26 16:05                               ` Joshua Brindle
  2 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-26 15:47 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

Josh can you run this on Mac build, I don't have one anymore.

On Thu, Mar 26, 2020 at 10:46 AM <bill.c.roberts@gmail.com> wrote:
>
> I missed a dso.h file in cil code, and broke the DISABLE_SYMVER support.
> this deletes that file and restores DISABLE_SYMVER support.
>
> Sorry...
>
> [PATCH 1/2] cil: rm dead dso.h file
> [PATCH 2/2] cil: re-enable DISABLE_SYMVER define
>


* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-26 15:47                             ` cil: Fix DISABLE_SYMVER support and drop last dso.h William Roberts
@ 2020-03-26 16:05                               ` Joshua Brindle
  2020-03-26 16:18                                 ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Joshua Brindle @ 2020-03-26 16:05 UTC (permalink / raw)
  To: William Roberts
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

On Thu, Mar 26, 2020 at 11:48 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> Josh can you run this on Mac build, I don't have one anymore.
>

LGTM

Acked-by: Joshua Brindle <joshua.brindle@crunchydata.com>


> On Thu, Mar 26, 2020 at 10:46 AM <bill.c.roberts@gmail.com> wrote:
> >
> > I missed a dso.h file in cil code, and broke the DISABLE_SYMVER support.
> > this deletes that file and restores DISABLE_SYMVER support.
> >
> > Sorry...
> >
> > [PATCH 1/2] cil: rm dead dso.h file
> > [PATCH 2/2] cil: re-enable DISABLE_SYMVER define
> >


* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-26 16:05                               ` Joshua Brindle
@ 2020-03-26 16:18                                 ` William Roberts
  2020-03-27 14:27                                   ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-26 16:18 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

> > Josh can you run this on Mac build, I don't have one anymore.
> >
>
> LGTM
>
> Acked-by: Joshua Brindle <joshua.brindle@crunchydata.com>
Thanks!

Staged: https://github.com/SELinuxProject/selinux/pull/214

Will merge tomorrow afternoon unless I hear otherwise.


* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-26 15:16                         ` Joshua Brindle
  2020-03-26 15:35                           ` William Roberts
  2020-03-26 15:46                           ` cil: Fix DISABLE_SYMVER support and drop last dso.h bill.c.roberts
@ 2020-03-26 16:50                           ` Stephen Smalley
  2020-03-26 16:51                             ` William Roberts
  2 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-26 16:50 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: William Roberts, Ondrej Mosnacek, SElinux list, William Roberts

On Thu, Mar 26, 2020 at 11:17 AM Joshua Brindle
<joshua.brindle@crunchydata.com> wrote:
> It looks like this change broke building on MacOS:
>
> <inline asm>:1:1: error: unknown directive
> .symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0
> ^
>
> (on all of them).
>
> Previously dso.h defined DISABLE_SYMVER for Android and Apple, is
> support for those intended to go away?

Maybe we should add an osx build to our .travis.yml file and just test
building libsepol/checkpolicy/secilc?


* Re: [PATCH] cil: drop remaining dso.h include
  2020-03-26 16:50                           ` [PATCH] cil: drop remaining dso.h include Stephen Smalley
@ 2020-03-26 16:51                             ` William Roberts
  0 siblings, 0 replies; 36+ messages in thread
From: William Roberts @ 2020-03-26 16:51 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Joshua Brindle, Ondrej Mosnacek, SElinux list, William Roberts

On Thu, Mar 26, 2020 at 11:49 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 26, 2020 at 11:17 AM Joshua Brindle
> <joshua.brindle@crunchydata.com> wrote:
> > It looks like this change broke building on MacOS:
> >
> > <inline asm>:1:1: error: unknown directive
> > .symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0
> > ^
> >
> > (on all of them).
> >
> > Previously dso.h defined DISABLE_SYMVER for Android and Apple, is
> > support for those intended to go away?
>
> Maybe we should add an osx build to our .travis.yml file and just test
> building libsepol/checkpolicy/secilc?

Definitely, I didn't realize travis had osx target. I can try and
queue this up for next week.


* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-26 16:18                                 ` William Roberts
@ 2020-03-27 14:27                                   ` William Roberts
  2020-03-27 14:47                                     ` Stephen Smalley
  0 siblings, 1 reply; 36+ messages in thread
From: William Roberts @ 2020-03-27 14:27 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Ondrej Mosnacek, SElinux list, Stephen Smalley, William Roberts

On Thu, Mar 26, 2020 at 11:18 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> > > Josh can you run this on Mac build, I don't have one anymore.
> > >
> >
> > LGTM
> >
> > Acked-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> Thanks!
>
> Staged: https://github.com/SELinuxProject/selinux/pull/214
>
> Will merge tomorrow afternoon unless I hear otherwise.
Merged: https://github.com/SELinuxProject/selinux/pull/214


* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-27 14:27                                   ` William Roberts
@ 2020-03-27 14:47                                     ` Stephen Smalley
  2020-03-27 15:02                                       ` William Roberts
  0 siblings, 1 reply; 36+ messages in thread
From: Stephen Smalley @ 2020-03-27 14:47 UTC (permalink / raw)
  To: William Roberts
  Cc: Joshua Brindle, Ondrej Mosnacek, SElinux list, William Roberts

On Fri, Mar 27, 2020 at 10:27 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Mar 26, 2020 at 11:18 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > > > Josh can you run this on Mac build, I don't have one anymore.
> > > >
> > >
> > > LGTM
> > >
> > > Acked-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > Thanks!
> >
> > Staged: https://github.com/SELinuxProject/selinux/pull/214
> >
> > Will merge tomorrow afternoon unless I hear otherwise.
> Merged: https://github.com/SELinuxProject/selinux/pull/214

Please remember to update patchwork (status -> Accepted) when you merge a patch.


* Re: cil: Fix DISABLE_SYMVER support and drop last dso.h
  2020-03-27 14:47                                     ` Stephen Smalley
@ 2020-03-27 15:02                                       ` William Roberts
  0 siblings, 0 replies; 36+ messages in thread
From: William Roberts @ 2020-03-27 15:02 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Joshua Brindle, Ondrej Mosnacek, SElinux list, William Roberts

On Fri, Mar 27, 2020 at 9:46 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Mar 27, 2020 at 10:27 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Mar 26, 2020 at 11:18 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > > > Josh can you run this on Mac build, I don't have one anymore.
> > > > >
> > > >
> > > > LGTM
> > > >
> > > > Acked-by: Joshua Brindle <joshua.brindle@crunchydata.com>
> > > Thanks!
> > >
> > > Staged: https://github.com/SELinuxProject/selinux/pull/214
> > >
> > > Will merge tomorrow afternoon unless I hear otherwise.
> > Merged: https://github.com/SELinuxProject/selinux/pull/214
>
> Please remember to update patchwork (status -> Accepted) when you merge a patch.
I never even used patchwork, will do and done. But I still want to
grumble, I wish we moved out
of 1960's development.
