* libselinux: drop dso.h
@ 2020-02-27 23:01 bill.c.roberts
  2020-02-27 23:01 ` [PATCH 1/3] dso: drop hidden_proto and hidden_def bill.c.roberts
                   ` (3 more replies)
  0 siblings, 4 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-27 23:01 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba

This three-part patch series drops the dso.h and hidden_*
macros.

The old dso.h functionality provided libselinux with both control over
external exported symbols as well as ensuring internal callers call into
libselinux and not a symbol with the same name loaded by the linker
earlier in the library list.

The functionality is replaced by a linker script that requires public
API to explicitly be opt-in. The old method required that internal API
be explicitly annotated, and everything else is public. This should help
make it easier to control libselinux DSO hygiene going forward.

The second functionality is replaced by compiler option
-fno-semantic-interposition.

Note that clang has this enabled by default, and thus doesn't need it.

See:
  - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition

[PATCH 1/3] dso: drop hidden_proto and hidden_def
[PATCH 2/3] Makefile: add -fno-semantic-interposition
[PATCH 3/3] Makefile: add linker script to minimize exports



* [PATCH 1/3] dso: drop hidden_proto and hidden_def
  2020-02-27 23:01 libselinux: drop dso.h bill.c.roberts
@ 2020-02-27 23:01 ` bill.c.roberts
  2020-02-27 23:01 ` [PATCH 2/3] Makefile: add -fno-semantic-interposition bill.c.roberts
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-27 23:01 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c                          |   5 -
 libselinux/src/avc_internal.h                 |  52 ++++----
 libselinux/src/avc_sidtab.h                   |  11 +-
 libselinux/src/booleans.c                     |   5 -
 libselinux/src/callbacks.h                    |  11 +-
 libselinux/src/canonicalize_context.c         |   2 -
 libselinux/src/checkAccess.c                  |   1 -
 libselinux/src/check_context.c                |   2 -
 libselinux/src/checkreqprot.c                 |   1 -
 libselinux/src/compute_av.c                   |   4 -
 libselinux/src/compute_create.c               |   4 -
 libselinux/src/compute_member.c               |   1 -
 libselinux/src/compute_relabel.c              |   1 -
 libselinux/src/compute_user.c                 |   2 -
 libselinux/src/context.c                      |   9 +-
 libselinux/src/context_internal.h             |  12 --
 libselinux/src/deny_unknown.c                 |   1 -
 libselinux/src/disable.c                      |   1 -
 libselinux/src/dso.h                          |  23 ----
 libselinux/src/enabled.c                      |   2 -
 libselinux/src/fgetfilecon.c                  |   1 -
 libselinux/src/freecon.c                      |   1 -
 libselinux/src/freeconary.c                   |   1 -
 libselinux/src/fsetfilecon.c                  |   1 -
 libselinux/src/get_context_list.c             |   3 -
 libselinux/src/get_context_list_internal.h    |   4 -
 libselinux/src/get_default_type_internal.h    |   2 -
 libselinux/src/get_initial_context.c          |   2 -
 libselinux/src/getenforce.c                   |   1 -
 libselinux/src/getfilecon.c                   |   2 -
 libselinux/src/getpeercon.c                   |   1 -
 libselinux/src/init.c                         |   4 -
 libselinux/src/label_internal.h               |  19 ++-
 libselinux/src/label_support.c                |   6 +-
 libselinux/src/lgetfilecon.c                  |   1 -
 libselinux/src/load_policy.c                  |   2 -
 libselinux/src/lsetfilecon.c                  |   1 -
 libselinux/src/matchpathcon.c                 |   3 +-
 libselinux/src/policyvers.c                   |   2 -
 libselinux/src/procattr.c                     |  21 +---
 libselinux/src/regex.h                        |  21 ++--
 libselinux/src/reject_unknown.c               |   1 -
 .../src/selinux_check_securetty_context.c     |   1 -
 libselinux/src/selinux_config.c               |  36 ------
 libselinux/src/selinux_internal.h             | 117 +-----------------
 libselinux/src/setenforce.c                   |   1 -
 libselinux/src/setfilecon.c                   |   1 -
 libselinux/src/setrans_client.c               |   8 +-
 libselinux/src/seusers.c                      |   2 +-
 libselinux/src/sha1.c                         |   7 +-
 libselinux/src/stringrep.c                    |   1 -
 libselinux/src/validatetrans.c                |   2 -
 52 files changed, 69 insertions(+), 357 deletions(-)
 delete mode 100644 libselinux/src/dso.h

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 5230efd2323a..ab10b0f9f1cb 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -294,7 +294,6 @@ void avc_av_stats(void)
 		slots_used, AVC_CACHE_SLOTS, max_chain_len);
 }
 
-hidden_def(avc_av_stats)
 
 static inline struct avc_node *avc_reclaim_node(void)
 {
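Review bot: removing `hidden_def(avc_av_stats)` here leaves two consecutive blank lines between the closing `}` and `static inline struct avc_node *avc_reclaim_node(void)`, because the blank context lines on both sides of the deleted line survive. The same double blank appears in the other hidden_def removals in this file and in regex.h after the `#include "dso.h"` removal. Suggest deleting one of the adjacent blank lines together with the macro so the hunks leave single spacing.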
@@ -494,7 +493,6 @@ void avc_cleanup(void)
 {
 }
 
-hidden_def(avc_cleanup)
 
 int avc_reset(void)
 {
@@ -539,7 +537,6 @@ int avc_reset(void)
 	return rc;
 }
 
-hidden_def(avc_reset)
 
 void avc_destroy(void)
 {
@@ -733,7 +730,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	avc_release_lock(avc_log_lock);
 }
 
-hidden_def(avc_audit)
 
 
 static void avd_init(struct av_decision *avd)
@@ -825,7 +821,6 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	return rc;
 }
 
-hidden_def(avc_has_perm_noaudit)
 
 int avc_has_perm(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t requested,
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index f8516590bd75..3f8a6bb1cf84 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -14,24 +14,23 @@
 #include <string.h>
 #include <selinux/avc.h>
 #include "callbacks.h"
-#include "dso.h"
 
 /* callback pointers */
-extern void *(*avc_func_malloc) (size_t) hidden;
-extern void (*avc_func_free) (void *)hidden;
+extern void *(*avc_func_malloc) (size_t) ;
+extern void (*avc_func_free) (void *);
 
-extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
-extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
+extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);
 
-extern int avc_using_threads hidden;
-extern int avc_app_main_loop hidden;
-extern void *(*avc_func_create_thread) (void (*)(void))hidden;
-extern void (*avc_func_stop_thread) (void *)hidden;
+extern int avc_using_threads ;
+extern int avc_app_main_loop ;
+extern void *(*avc_func_create_thread) (void (*)(void));
+extern void (*avc_func_stop_thread) (void *);
 
-extern void *(*avc_func_alloc_lock) (void)hidden;
-extern void (*avc_func_get_lock) (void *)hidden;
-extern void (*avc_func_release_lock) (void *)hidden;
-extern void (*avc_func_free_lock) (void *)hidden;
+extern void *(*avc_func_alloc_lock) (void);
+extern void (*avc_func_get_lock) (void *);
+extern void (*avc_func_release_lock) (void *);
+extern void (*avc_func_free_lock) (void *);
 
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 				 const struct avc_log_callback *log_cb,
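Review bot: `extern void *(*avc_func_malloc) (size_t) ;` keeps a stray space before the semicolon where `hidden` was removed (likewise `avc_func_log`, `avc_using_threads` and `avc_app_main_loop`), while the neighbouring lines were cleaned to `(void *);`. Suggest normalising to `(size_t);`; the same `hidden;` to ` ;` leftover recurs in the later header hunks (avc_sidtab.h, callbacks.h, label_internal.h, regex.h).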
@@ -61,10 +60,10 @@ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 
 /* message prefix and enforcing mode*/
 #define AVC_PREFIX_SIZE 16
-extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
-extern int avc_running hidden;
-extern int avc_enforcing hidden;
-extern int avc_setenforce hidden;
+extern char avc_prefix[AVC_PREFIX_SIZE] ;
+extern int avc_running ;
+extern int avc_enforcing ;
+extern int avc_setenforce ;
 
 /* user-supplied callback interface for avc */
 static inline void *avc_malloc(size_t size)
@@ -155,28 +154,23 @@ static inline void avc_free_lock(void *lock)
 /* internal callbacks */
 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t perms,
-		 uint32_t seqno) hidden;
+		 uint32_t seqno) ;
 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
 		      security_class_t tclass,
 		      access_vector_t perms, uint32_t seqno,
-		      access_vector_t * out_retained) hidden;
+		      access_vector_t * out_retained) ;
 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
 		  security_class_t tclass, access_vector_t perms,
-		  uint32_t seqno) hidden;
-int avc_ss_reset(uint32_t seqno) hidden;
+		  uint32_t seqno) ;
+int avc_ss_reset(uint32_t seqno) ;
 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
 			  security_class_t tclass, access_vector_t perms,
-			  uint32_t seqno, uint32_t enable) hidden;
+			  uint32_t seqno, uint32_t enable) ;
 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 			 security_class_t tclass, access_vector_t perms,
-			 uint32_t seqno, uint32_t enable) hidden;
+			 uint32_t seqno, uint32_t enable) ;
 
 /* netlink kernel message code */
-extern int avc_netlink_trouble hidden;
+extern int avc_netlink_trouble ;
 
-hidden_proto(avc_av_stats)
-    hidden_proto(avc_cleanup)
-    hidden_proto(avc_reset)
-    hidden_proto(avc_audit)
-    hidden_proto(avc_has_perm_noaudit)
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
diff --git a/libselinux/src/avc_sidtab.h b/libselinux/src/avc_sidtab.h
index bce9b877ae79..cc5abe354a01 100644
--- a/libselinux/src/avc_sidtab.h
+++ b/libselinux/src/avc_sidtab.h
@@ -7,7 +7,6 @@
 
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include "dso.h"
 
 struct sidtab_node {
 	struct security_id sid_s;
@@ -24,13 +23,13 @@ struct sidtab {
 	unsigned nel;
 };
 
-int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
+int sidtab_init(struct sidtab *s) ;
+int sidtab_insert(struct sidtab *s, const char * ctx) ;
 
 int sidtab_context_to_sid(struct sidtab *s,
-			  const char * ctx, security_id_t * sid) hidden;
+			  const char * ctx, security_id_t * sid) ;
 
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
-void sidtab_destroy(struct sidtab *s) hidden;
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
+void sidtab_destroy(struct sidtab *s) ;
 
 #endif				/* _SELINUX_AVC_SIDTAB_H_ */
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ffa8d26b0f3a..ef1f64a05d84 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -414,8 +414,3 @@ char *selinux_boolean_sub(const char *name __attribute__((unused)))
 }
 #endif
 
-hidden_def(security_get_boolean_names)
-hidden_def(selinux_boolean_sub)
-hidden_def(security_get_boolean_active)
-hidden_def(security_set_boolean)
-hidden_def(security_commit_booleans)
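Review bot: the deletions run to the end of the file, so the blank context line above them becomes a trailing empty line at EOF. Suggest dropping that blank line as well; the same pattern applies to the other files whose final hidden_def lines are removed (canonicalize_context.c, check_context.c, checkreqprot.c, compute_av.c, and so on).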
diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
index 2a572e08d534..03d87f0cbdfe 100644
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@@ -9,22 +9,21 @@
 #include <stdlib.h>
 #include <string.h>
 #include <selinux/selinux.h>
-#include "dso.h"
 
 /* callback pointers */
 extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) hidden;
+(*selinux_log) (int type, const char *, ...) ;
 
 extern int
-(*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
+(*selinux_audit) (void *, security_class_t, char *, size_t) ;
 
 extern int
-(*selinux_validate)(char **ctx) hidden;
+(*selinux_validate)(char **ctx) ;
 
 extern int
-(*selinux_netlink_setenforce) (int enforcing) hidden;
+(*selinux_netlink_setenforce) (int enforcing) ;
 
 extern int
-(*selinux_netlink_policyload) (int seqno) hidden;
+(*selinux_netlink_policyload) (int seqno) ;
 
 #endif				/* _SELINUX_CALLBACKS_H_ */
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c7d46..faab730592c2 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -60,7 +60,6 @@ int security_canonicalize_context_raw(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context_raw)
 
 int security_canonicalize_context(const char * con,
 				      char ** canoncon)
@@ -83,4 +82,3 @@ int security_canonicalize_context(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 7227ffe51eac..677e2ecd7df4 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -99,7 +99,6 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
-hidden_def(selinux_check_passwd_access)
 
 int checkPasswdAccess(access_vector_t requested)
 {
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f03598..5096a2c40993 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -31,7 +31,6 @@ int security_check_context_raw(const char * con)
 	return 0;
 }
 
-hidden_def(security_check_context_raw)
 
 int security_check_context(const char * con)
 {
@@ -48,4 +47,3 @@ int security_check_context(const char * con)
 	return ret;
 }
 
-hidden_def(security_check_context)
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
index 9b4b12d75021..3dc79d9719c5 100644
--- a/libselinux/src/checkreqprot.c
+++ b/libselinux/src/checkreqprot.c
@@ -37,4 +37,3 @@ int security_get_checkreqprot(void)
 	return checkreqprot;
 }
 
-hidden_def(security_get_checkreqprot);
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe98662..9d17339d1a32 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -80,7 +80,6 @@ int security_compute_av_flags_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags_raw)
 
 int security_compute_av_raw(const char * scon,
 			    const char * tcon,
@@ -107,7 +106,6 @@ int security_compute_av_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_raw)
 
 int security_compute_av_flags(const char * scon,
 			      const char * tcon,
@@ -134,7 +132,6 @@ int security_compute_av_flags(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags)
 
 int security_compute_av(const char * scon,
 			const char * tcon,
@@ -162,4 +159,3 @@ int security_compute_av(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac2224..1d75714d852d 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -105,7 +105,6 @@ int security_compute_create_name_raw(const char * scon,
 	close(fd);
 	return ret;
 }
-hidden_def(security_compute_create_name_raw)
 
 int security_compute_create_raw(const char * scon,
 				const char * tcon,
@@ -115,7 +114,6 @@ int security_compute_create_raw(const char * scon,
 	return security_compute_create_name_raw(scon, tcon, tclass,
 						NULL, newcon);
 }
-hidden_def(security_compute_create_raw)
 
 int security_compute_create_name(const char * scon,
 				 const char * tcon,
@@ -146,7 +144,6 @@ int security_compute_create_name(const char * scon,
 
 	return ret;
 }
-hidden_def(security_compute_create_name)
 
 int security_compute_create(const char * scon,
 				const char * tcon,
@@ -155,4 +152,3 @@ int security_compute_create(const char * scon,
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
-hidden_def(security_compute_create)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221ef9ea..16234b7908f2 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -60,7 +60,6 @@ int security_compute_member_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_member_raw)
 
 int security_compute_member(const char * scon,
 			    const char * tcon,
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3344c..dd20d6525993 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -60,7 +60,6 @@ int security_compute_relabel_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_relabel_raw)
 
 int security_compute_relabel(const char * scon,
 			     const char * tcon,
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index e7da964ff46d..ae5e7b4a8f68 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -80,7 +80,6 @@ int security_compute_user_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user_raw)
 
 int security_compute_user(const char * scon,
 			  const char *user, char *** con)
@@ -110,4 +109,3 @@ int security_compute_user(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user)
diff --git a/libselinux/src/context.c b/libselinux/src/context.c
index b673733e1f48..090264a49eb1 100644
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@@ -82,7 +82,6 @@ context_t context_new(const char *str)
 	return 0;
 }
 
-hidden_def(context_new)
 
 static void conditional_free(char **v)
 {
@@ -113,7 +112,6 @@ void context_free(context_t context)
 	}
 }
 
-hidden_def(context_free)
 
 /*
  * Return a pointer to the string value of the context.
@@ -144,7 +142,6 @@ char *context_str(context_t context)
 	return n->current_str;
 }
 
-hidden_def(context_str)
 
 /* Returns nonzero iff failed */
 static int set_comp(context_private_t * n, int idx, const char *str)
@@ -176,8 +173,7 @@ const char * context_ ## name ## _get(context_t context) \
 { \
         context_private_t *n = context->ptr; \
         return n->component[tag]; \
-} \
-hidden_def(context_ ## name ## _get)
+}
 
 def_get(type, COMP_TYPE)
     def_get(user, COMP_USER)
@@ -187,8 +183,7 @@ def_get(type, COMP_TYPE)
 int context_ ## name ## _set(context_t context, const char* str) \
 { \
         return set_comp(context->ptr,tag,str);\
-} \
-hidden_def(context_ ## name ## _set)
+}
     def_set(type, COMP_TYPE)
     def_set(role, COMP_ROLE)
     def_set(user, COMP_USER)
diff --git a/libselinux/src/context_internal.h b/libselinux/src/context_internal.h
index 3c71e8027080..a7698106923e 100644
--- a/libselinux/src/context_internal.h
+++ b/libselinux/src/context_internal.h
@@ -1,14 +1,2 @@
 #include <selinux/context.h>
-#include "dso.h"
 
-hidden_proto(context_new)
-    hidden_proto(context_free)
-    hidden_proto(context_str)
-    hidden_proto(context_type_set)
-    hidden_proto(context_type_get)
-    hidden_proto(context_role_set)
-    hidden_proto(context_role_get)
-    hidden_proto(context_user_set)
-    hidden_proto(context_user_get)
-    hidden_proto(context_range_set)
-    hidden_proto(context_range_get)
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index 77d04e370f30..fdd32b50a246 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -37,4 +37,3 @@ int security_deny_unknown(void)
 	return deny_unknown;
 }
 
-hidden_def(security_deny_unknown);
diff --git a/libselinux/src/disable.c b/libselinux/src/disable.c
index 8d66262aff03..1a5ae4172a8d 100644
--- a/libselinux/src/disable.c
+++ b/libselinux/src/disable.c
@@ -35,4 +35,3 @@ int security_disable(void)
 	return 0;
 }
 
-hidden_def(security_disable)
diff --git a/libselinux/src/dso.h b/libselinux/src/dso.h
deleted file mode 100644
index 12c3d1160fb0..000000000000
--- a/libselinux/src/dso.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _SELINUX_DSO_H
-#define _SELINUX_DSO_H	1
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
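Review bot: with dso.h gone, nothing in this patch restricts visibility: every symbol previously tagged `hidden` (for example the `avc_func_*` pointers and `avc_ss_*` helpers in avc_internal.h) gets default visibility and is exported from the shared object until the linker script in 3/3 lands, and the `fct` to `fct_internal` aliasing that kept internal callers from being interposed is gone until the `-fno-semantic-interposition` flag in 2/3 lands. A tree built at this commit alone therefore exports more than either its predecessor or its successor, which hurts bisection; consider putting the Makefile changes first or squashing the three. Since the commit message here is only the Signed-off-by, the cover letter's rationale should also be repeated in it, as cover letters do not reach git history.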
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index dd628fba86a8..fefb0bd9ae02 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -20,7 +20,6 @@ int is_selinux_enabled(void)
 #endif
 }
 
-hidden_def(is_selinux_enabled)
 
 /*
  * Function: is_selinux_mls_enabled()
@@ -55,4 +54,3 @@ int is_selinux_mls_enabled(void)
 	return enabled;
 }
 
-hidden_def(is_selinux_mls_enabled)
diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c
index 5522ac16e385..8c748f8a2e64 100644
--- a/libselinux/src/fgetfilecon.c
+++ b/libselinux/src/fgetfilecon.c
@@ -49,7 +49,6 @@ int fgetfilecon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(fgetfilecon_raw)
 
 int fgetfilecon(int fd, char ** context)
 {
diff --git a/libselinux/src/freecon.c b/libselinux/src/freecon.c
index 5290dfa13bc4..df2d7e2827ea 100644
--- a/libselinux/src/freecon.c
+++ b/libselinux/src/freecon.c
@@ -8,4 +8,3 @@ void freecon(char * con)
 	free(con);
 }
 
-hidden_def(freecon)
diff --git a/libselinux/src/freeconary.c b/libselinux/src/freeconary.c
index 8d07718ed5f9..fd2dbaabfbcf 100644
--- a/libselinux/src/freeconary.c
+++ b/libselinux/src/freeconary.c
@@ -16,4 +16,3 @@ void freeconary(char ** con)
 	free(con);
 }
 
-hidden_def(freeconary)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05ddd4..5cf34e3fa5d0 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -25,7 +25,6 @@ int fsetfilecon_raw(int fd, const char * context)
 	return rc;
 }
 
-hidden_def(fsetfilecon_raw)
 
 int fsetfilecon(int fd, const char *context)
 {
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 26d7b3b98e75..b43652ffd28c 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -52,7 +52,6 @@ int get_default_context_with_role(const char *user,
 	return rc;
 }
 
-hidden_def(get_default_context_with_role)
 
 int get_default_context_with_rolelevel(const char *user,
 				       const char *role,
@@ -385,7 +384,6 @@ int get_ordered_context_list_with_level(const char *user,
 	return rc;
 }
 
-hidden_def(get_ordered_context_list_with_level)
 
 int get_default_context_with_level(const char *user,
 				   const char *level,
@@ -497,4 +495,3 @@ int get_ordered_context_list(const char *user,
 	goto out;
 }
 
-hidden_def(get_ordered_context_list)
diff --git a/libselinux/src/get_context_list_internal.h b/libselinux/src/get_context_list_internal.h
index c224834ebfb4..a7c1d41ba07f 100644
--- a/libselinux/src/get_context_list_internal.h
+++ b/libselinux/src/get_context_list_internal.h
@@ -1,6 +1,2 @@
 #include <selinux/get_context_list.h>
-#include "dso.h"
 
-hidden_proto(get_ordered_context_list)
-    hidden_proto(get_ordered_context_list_with_level)
-    hidden_proto(get_default_context_with_role)
diff --git a/libselinux/src/get_default_type_internal.h b/libselinux/src/get_default_type_internal.h
index 0da3c512d6fb..deb5d2963211 100644
--- a/libselinux/src/get_default_type_internal.h
+++ b/libselinux/src/get_default_type_internal.h
@@ -1,4 +1,2 @@
 #include <selinux/get_default_type.h>
-#include "dso.h"
 
-hidden_proto(selinux_default_type_path)
diff --git a/libselinux/src/get_initial_context.c b/libselinux/src/get_initial_context.c
index 5e919f478b63..97ae3dcfb5a6 100644
--- a/libselinux/src/get_initial_context.c
+++ b/libselinux/src/get_initial_context.c
@@ -53,7 +53,6 @@ int security_get_initial_context_raw(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context_raw)
 
 int security_get_initial_context(const char * name, char ** con)
 {
@@ -69,4 +68,3 @@ int security_get_initial_context(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context)
diff --git a/libselinux/src/getenforce.c b/libselinux/src/getenforce.c
index d909dced73c6..3f1e20021a4e 100644
--- a/libselinux/src/getenforce.c
+++ b/libselinux/src/getenforce.c
@@ -37,4 +37,3 @@ int security_getenforce(void)
 	return !!enforce;
 }
 
-hidden_def(security_getenforce)
diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c
index 20bee8abdbfc..4bee31372172 100644
--- a/libselinux/src/getfilecon.c
+++ b/libselinux/src/getfilecon.c
@@ -49,7 +49,6 @@ int getfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon_raw)
 
 int getfilecon(const char *path, char ** context)
 {
@@ -70,4 +69,3 @@ int getfilecon(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon)
diff --git a/libselinux/src/getpeercon.c b/libselinux/src/getpeercon.c
index 3a77a2de2c95..a9dca73e438a 100644
--- a/libselinux/src/getpeercon.c
+++ b/libselinux/src/getpeercon.c
@@ -43,7 +43,6 @@ int getpeercon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(getpeercon_raw)
 
 int getpeercon(int fd, char ** context)
 {
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 083638c47fbf..542c979b9da6 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -12,7 +12,6 @@
 #include <stdint.h>
 #include <limits.h>
 
-#include "dso.h"
 #include "policy.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
@@ -79,7 +78,6 @@ int selinuxfs_exists(void)
 	fclose(fp);
 	return exists;
 }
-hidden_def(selinuxfs_exists)
 
 static void init_selinuxmnt(void)
 {
@@ -138,14 +136,12 @@ void fini_selinuxmnt(void)
 	selinux_mnt = NULL;
 }
 
-hidden_def(fini_selinuxmnt)
 
 void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
 
-hidden_def(set_selinuxmnt)
 
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7ed2a43770a7..361b443cb9c4 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,6 @@
 #include <stdio.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
-#include "dso.h"
 #include "sha1.h"
 
 #if defined(ANDROID) || defined(__APPLE__)
@@ -26,22 +25,22 @@
  */
 int selabel_file_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_media_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_x_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_db_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_service_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 
 /*
  * Labeling internal structures
@@ -120,14 +119,14 @@ struct selabel_handle {
  */
 extern int
 selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) hidden;
+		 struct selabel_lookup_rec *contexts) ;
 
 /*
  * Compatibility support
  */
 extern int myprintf_compat;
 extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...) hidden;
+(*myprintf) (const char *fmt, ...) ;
 
 #define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
 		myprintf(fmt);				  \
@@ -137,7 +136,7 @@ extern void __attribute__ ((format(printf, 1, 2)))
 extern int
 compat_validate(struct selabel_handle *rec,
 		struct selabel_lookup_rec *contexts,
-		const char *path, unsigned lineno) hidden;
+		const char *path, unsigned lineno) ;
 
 /*
  * The read_spec_entries function may be used to
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 26f9ef155dcf..94ed6e4273cb 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@@ -63,7 +63,7 @@ static inline int read_spec_entry(char **entry, char **ptr, int *len, const char
  * This function calls read_spec_entry() to do the actual string processing.
  * As such, can return anything from that function as well.
  */
-int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 {
 	char **spec_entry, *buf_p;
 	int len, rc, items, entry_len = 0;
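Review bot: `int  read_spec_entries(char *line_buf, ...)` keeps a double space where `hidden` was removed; the same happens to `void  digest_gen_hash` and `int  digest_add_specfile` in the following hunks and to `void  __attribute__((destructor))` in matchpathcon.c and procattr.c. Suggest collapsing to a single space.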
@@ -113,7 +113,7 @@ int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args,
 }
 
 /* Once all the specfiles are in the hash_buf, generate the hash. */
-void hidden digest_gen_hash(struct selabel_digest *digest)
+void  digest_gen_hash(struct selabel_digest *digest)
 {
 	Sha1Context context;
 
@@ -141,7 +141,7 @@ void hidden digest_gen_hash(struct selabel_digest *digest)
  *
  * Return %0 on success, -%1 with @errno set on failure.
  */
-int hidden digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+int  digest_add_specfile(struct selabel_digest *digest, FILE *fp,
 				    char *from_addr, size_t buf_len,
 				    const char *path)
 {
diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c
index db67bc60ffe6..d1fb821b23ef 100644
--- a/libselinux/src/lgetfilecon.c
+++ b/libselinux/src/lgetfilecon.c
@@ -49,7 +49,6 @@ int lgetfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(lgetfilecon_raw)
 
 int lgetfilecon(const char *path, char ** context)
 {
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 9e75292d2528..fa1a3bf1f441 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -45,7 +45,6 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 }
 
-hidden_def(security_load_policy)
 
 #ifndef ANDROID
 #undef max
@@ -213,7 +212,6 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	return rc;
 }
 
-hidden_def(selinux_mkload_policy)
 
 /*
  * Mount point for selinuxfs. 
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1c5fc..213fb684fc66 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -25,7 +25,6 @@ int lsetfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(lsetfilecon_raw)
 
 int lsetfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa4cfd5..bddf77a49ce1 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -322,7 +322,7 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
 
-void hidden __attribute__((destructor)) matchpathcon_lib_destructor(void)
+void  __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@@ -351,7 +351,6 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 
-hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
 {
diff --git a/libselinux/src/policyvers.c b/libselinux/src/policyvers.c
index c97dd9df7a8a..e5aa2f3f2d55 100644
--- a/libselinux/src/policyvers.c
+++ b/libselinux/src/policyvers.c
@@ -7,7 +7,6 @@
 #include "selinux_internal.h"
 #include <stdio.h>
 #include "policy.h"
-#include "dso.h"
 #include <limits.h>
 
 int security_policyvers(void)
@@ -42,4 +41,3 @@ int security_policyvers(void)
 	return vers;
 }
 
-hidden_def(security_policyvers)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef27533..1aa67ac53f39 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -57,7 +57,7 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) procattr_destructor(void);
 
-void hidden __attribute__((destructor)) procattr_destructor(void)
+void  __attribute__((destructor)) procattr_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@@ -345,22 +345,3 @@ all_selfattr_def(con, current)
     all_selfattr_def(sockcreatecon, sockcreate)
     all_selfattr_def(keycreatecon, keycreate)
 
-    hidden_def(getcon_raw)
-    hidden_def(getcon)
-    hidden_def(getexeccon_raw)
-    hidden_def(getfilecon_raw)
-    hidden_def(getfilecon)
-    hidden_def(getfscreatecon_raw)
-    hidden_def(getkeycreatecon_raw)
-    hidden_def(getpeercon_raw)
-    hidden_def(getpidcon_raw)
-    hidden_def(getprevcon_raw)
-    hidden_def(getprevcon)
-    hidden_def(getsockcreatecon_raw)
-    hidden_def(setcon_raw)
-    hidden_def(setexeccon_raw)
-    hidden_def(setexeccon)
-    hidden_def(setfilecon_raw)
-    hidden_def(setfscreatecon_raw)
-    hidden_def(setkeycreatecon_raw)
-    hidden_def(setsockcreatecon_raw)
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
index 6732b349984c..10c3df7856e1 100644
--- a/libselinux/src/regex.h
+++ b/libselinux/src/regex.h
@@ -10,7 +10,6 @@
 #include <pcre.h>
 #endif
 
-#include "dso.h"
 
 enum { REGEX_MATCH,
        REGEX_MATCH_PARTIAL,
@@ -42,7 +41,7 @@ struct mmap_area;
  * expressions are not portable across architectures that do not have a
  * matching arch-string.
  */
-char const *regex_arch_string(void) hidden;
+char const *regex_arch_string(void) ;
 
 /**
  * regex_verison returns the version string of the underlying regular
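Review bot: `char const *regex_arch_string(void) ;` keeps the space that preceded `hidden`, leaving a space before the semicolon; the same ` ;` artifact is in every declaration the remaining regex.h hunks touch and in the `extern int ... ;` lines of selinux_internal.h. Also note that these `regex_*` functions are internal to libselinux and, once `hidden` is gone, get default visibility; they are kept out of the export set only by the version script added in 3/3 (which lists no `regex_*` names), so until that patch is applied the library exports them.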
@@ -55,12 +54,12 @@ char const *regex_arch_string(void) hidden;
  *
  * It may return NULL on error.
  */
-char const *regex_version(void) hidden;
+char const *regex_version(void) ;
 /**
  * This constructor function allocates a buffer for a regex_data structure.
  * The buffer is being initialized with zeroes.
  */
-struct regex_data *regex_data_create(void) hidden;
+struct regex_data *regex_data_create(void) ;
 /**
  * This complementary destructor function frees the a given regex_data buffer.
  * It also frees any non NULL member pointers with the appropriate pcreX_X_free
@@ -68,7 +67,7 @@ struct regex_data *regex_data_create(void) hidden;
  * the pcre_extra data conditionally. Calling this function on a NULL pointer is
  * save.
  */
-void regex_data_free(struct regex_data *regex) hidden;
+void regex_data_free(struct regex_data *regex) ;
 /**
  * This function compiles the regular expression. Additionally, it prepares
  * data structures required by the different underlying engines. For PCRE
@@ -88,7 +87,7 @@ void regex_data_free(struct regex_data *regex) hidden;
  * @retval -1 on error
  */
 int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
-		       struct regex_error_data *errordata) hidden;
+		       struct regex_error_data *errordata) ;
 /**
  * This function loads a serialized precompiled pattern from a contiguous
  * data region given by map_area.
@@ -109,7 +108,7 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
 int regex_load_mmap(struct mmap_area *map_area,
 		    struct regex_data **regex,
 		    int do_load_precompregex,
-		    bool *regex_compiled) hidden;
+		    bool *regex_compiled) ;
 /**
  * This function stores a precompiled regular expression to a file.
  * In the case of PCRE, it just dumps the binary representation of the
@@ -122,7 +121,7 @@ int regex_load_mmap(struct mmap_area *map_area,
  *			      the output file (ignored by PCRE1 back-end).
  */
 int regex_writef(struct regex_data *regex, FILE *fp,
-		 int do_write_precompregex) hidden;
+		 int do_write_precompregex) ;
 /**
  * This function applies a precompiled pattern to a subject string and
  * returns whether or not a match was found.
@@ -139,7 +138,7 @@ int regex_writef(struct regex_data *regex, FILE *fp,
  *                     regular expression
  */
 int regex_match(struct regex_data *regex, char const *subject,
-		int partial) hidden;
+		int partial) ;
 /**
  * This function compares two compiled regular expressions (regex1 and regex2).
  * It compares the binary representations of the compiled patterns. It is a very
@@ -150,7 +149,7 @@ int regex_match(struct regex_data *regex, char const *subject,
  *                       the same
  * @retval SELABEL_INCOMPARABLE otherwise
  */
-int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
+int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) ;
 /**
  * This function takes the error data returned by regex_prepare_data and turns
  * it in to a human readable error message.
@@ -163,5 +162,5 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
  * @arg buf_size Total size of the given buffer in bytes.
  */
 void regex_format_error(struct regex_error_data const *error_data, char *buffer,
-			size_t buf_size) hidden;
+			size_t buf_size) ;
 #endif /* SRC_REGEX_H_ */
diff --git a/libselinux/src/reject_unknown.c b/libselinux/src/reject_unknown.c
index 5c1d36053812..96e60be396ea 100644
--- a/libselinux/src/reject_unknown.c
+++ b/libselinux/src/reject_unknown.c
@@ -37,4 +37,3 @@ int security_reject_unknown(void)
 	return reject_unknown;
 }
 
-hidden_def(security_reject_unknown);
diff --git a/libselinux/src/selinux_check_securetty_context.c b/libselinux/src/selinux_check_securetty_context.c
index 55d4e039ea41..c5c557fd3492 100644
--- a/libselinux/src/selinux_check_securetty_context.c
+++ b/libselinux/src/selinux_check_securetty_context.c
@@ -50,4 +50,3 @@ int selinux_check_securetty_context(const char * tty_context)
 	return found;
 }
 
-hidden_def(selinux_check_securetty_context)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b16a3851ad4a..6c5238953cb1 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -128,7 +128,6 @@ int selinux_getenforcemode(int *enforce)
 	return ret;
 }
 
-hidden_def(selinux_getenforcemode)
 
 static char *selinux_policytype;
 
@@ -141,7 +140,6 @@ int selinux_getpolicytype(char **type)
 	return *type ? 0 : -1;
 }
 
-hidden_def(selinux_getpolicytype)
 
 static int setpolicytype(const char *type)
 {
@@ -249,7 +247,6 @@ void selinux_reset_config(void)
 	init_selinux_config();
 }
 
-hidden_def(selinux_reset_config)
 
 static const char *get_path(int idx)
 {
@@ -262,7 +259,6 @@ const char *selinux_default_type_path(void)
 	return get_path(DEFAULT_TYPE);
 }
 
-hidden_def(selinux_default_type_path)
 
 const char *selinux_policy_root(void)
 {
@@ -305,42 +301,36 @@ const char *selinux_path(void)
 	return selinux_rootpath;
 }
 
-hidden_def(selinux_path)
 
 const char *selinux_default_context_path(void)
 {
 	return get_path(DEFAULT_CONTEXTS);
 }
 
-hidden_def(selinux_default_context_path)
 
 const char *selinux_securetty_types_path(void)
 {
 	return get_path(SECURETTY_TYPES);
 }
 
-hidden_def(selinux_securetty_types_path)
 
 const char *selinux_failsafe_context_path(void)
 {
 	return get_path(FAILSAFE_CONTEXT);
 }
 
-hidden_def(selinux_failsafe_context_path)
 
 const char *selinux_removable_context_path(void)
 {
 	return get_path(REMOVABLE_CONTEXT);
 }
 
-hidden_def(selinux_removable_context_path)
 
 const char *selinux_binary_policy_path(void)
 {
 	return get_path(BINPOLICY);
 }
 
-hidden_def(selinux_binary_policy_path)
 
 const char *selinux_current_policy_path(void)
 {
@@ -365,35 +355,30 @@ const char *selinux_current_policy_path(void)
 	return policy_path;
 }
 
-hidden_def(selinux_current_policy_path)
 
 const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
 }
 
-hidden_def(selinux_file_context_path)
 
 const char *selinux_homedir_context_path(void)
 {
 	return get_path(HOMEDIR_CONTEXTS);
 }
 
-hidden_def(selinux_homedir_context_path)
 
 const char *selinux_media_context_path(void)
 {
 	return get_path(MEDIA_CONTEXTS);
 }
 
-hidden_def(selinux_media_context_path)
 
 const char *selinux_customizable_types_path(void)
 {
 	return get_path(CUSTOMIZABLE_TYPES);
 }
 
-hidden_def(selinux_customizable_types_path)
 
 const char *selinux_contexts_path(void)
 {
@@ -405,7 +390,6 @@ const char *selinux_user_contexts_path(void)
 	return get_path(USER_CONTEXTS);
 }
 
-hidden_def(selinux_user_contexts_path)
 
 /* Deprecated as local policy booleans no longer supported. */
 const char *selinux_booleans_path(void)
@@ -413,7 +397,6 @@ const char *selinux_booleans_path(void)
 	return get_path(BOOLEANS);
 }
 
-hidden_def(selinux_booleans_path)
 
 /* Deprecated as no longer supported. */
 const char *selinux_users_path(void)
@@ -421,127 +404,108 @@ const char *selinux_users_path(void)
 	return get_path(USERS_DIR);
 }
 
-hidden_def(selinux_users_path)
 
 const char *selinux_usersconf_path(void)
 {
 	return get_path(SEUSERS);
 }
 
-hidden_def(selinux_usersconf_path)
 
 const char *selinux_translations_path(void)
 {
 	return get_path(TRANSLATIONS);
 }
 
-hidden_def(selinux_translations_path)
 
 const char *selinux_colors_path(void)
 {
 	return get_path(COLORS);
 }
 
-hidden_def(selinux_colors_path)
 
 const char *selinux_netfilter_context_path(void)
 {
 	return get_path(NETFILTER_CONTEXTS);
 }
 
-hidden_def(selinux_netfilter_context_path)
 
 const char *selinux_file_context_homedir_path(void)
 {
 	return get_path(FILE_CONTEXTS_HOMEDIR);
 }
 
-hidden_def(selinux_file_context_homedir_path)
 
 const char *selinux_file_context_local_path(void)
 {
 	return get_path(FILE_CONTEXTS_LOCAL);
 }
 
-hidden_def(selinux_file_context_local_path)
 
 const char *selinux_x_context_path(void)
 {
 	return get_path(X_CONTEXTS);
 }
 
-hidden_def(selinux_x_context_path)
 
 const char *selinux_virtual_domain_context_path(void)
 {
 	return get_path(VIRTUAL_DOMAIN);
 }
 
-hidden_def(selinux_virtual_domain_context_path)
 
 const char *selinux_virtual_image_context_path(void)
 {
 	return get_path(VIRTUAL_IMAGE);
 }
 
-hidden_def(selinux_virtual_image_context_path)
 
 const char *selinux_lxc_contexts_path(void)
 {
 	return get_path(LXC_CONTEXTS);
 }
 
-hidden_def(selinux_lxc_contexts_path)
 
 const char *selinux_openrc_contexts_path(void)
 {
     return get_path(OPENRC_CONTEXTS);
 }
 
-hidden_def(selinux_openrc_contexts_path)
 
 const char *selinux_openssh_contexts_path(void)
 {
     return get_path(OPENSSH_CONTEXTS);
 }
 
-hidden_def(selinux_openssh_contexts_path)
 
 const char *selinux_snapperd_contexts_path(void)
 {
     return get_path(SNAPPERD_CONTEXTS);
 }
 
-hidden_def(selinux_snapperd_contexts_path)
 
 const char *selinux_systemd_contexts_path(void)
 {
 	return get_path(SYSTEMD_CONTEXTS);
 }
 
-hidden_def(selinux_systemd_contexts_path)
 
 const char * selinux_booleans_subs_path(void) {
 	return get_path(BOOLEAN_SUBS);
 }
 
-hidden_def(selinux_booleans_subs_path)
 
 const char * selinux_file_context_subs_path(void) {
 	return get_path(FILE_CONTEXT_SUBS);
 }
 
-hidden_def(selinux_file_context_subs_path)
 
 const char * selinux_file_context_subs_dist_path(void) {
 	return get_path(FILE_CONTEXT_SUBS_DIST);
 }
 
-hidden_def(selinux_file_context_subs_dist_path)
 
 const char *selinux_sepgsql_context_path(void)
 {
 	return get_path(SEPGSQL_CONTEXTS);
 }
 
-hidden_def(selinux_sepgsql_context_path)
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 61b78aaa7c10..27e9ac532c3f 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -1,116 +1,9 @@
 #include <selinux/selinux.h>
 #include <pthread.h>
-#include "dso.h"
-
-hidden_proto(selinux_mkload_policy)
-    hidden_proto(fini_selinuxmnt)
-    hidden_proto(set_selinuxmnt)
-    hidden_proto(selinuxfs_exists)
-    hidden_proto(security_disable)
-    hidden_proto(security_policyvers)
-    hidden_proto(security_load_policy)
-    hidden_proto(security_get_boolean_active)
-    hidden_proto(security_get_boolean_names)
-    hidden_proto(security_set_boolean)
-    hidden_proto(security_commit_booleans)
-    hidden_proto(security_check_context)
-    hidden_proto(security_check_context_raw)
-    hidden_proto(security_canonicalize_context)
-    hidden_proto(security_canonicalize_context_raw)
-    hidden_proto(security_compute_av)
-    hidden_proto(security_compute_av_raw)
-    hidden_proto(security_compute_av_flags)
-    hidden_proto(security_compute_av_flags_raw)
-    hidden_proto(security_compute_user)
-    hidden_proto(security_compute_user_raw)
-    hidden_proto(security_compute_create)
-    hidden_proto(security_compute_create_raw)
-    hidden_proto(security_compute_create_name)
-    hidden_proto(security_compute_create_name_raw)
-    hidden_proto(security_compute_member_raw)
-    hidden_proto(security_compute_relabel_raw)
-    hidden_proto(security_validatetrans)
-    hidden_proto(security_validatetrans_raw)
-    hidden_proto(is_selinux_enabled)
-    hidden_proto(is_selinux_mls_enabled)
-    hidden_proto(freecon)
-    hidden_proto(freeconary)
-    hidden_proto(getprevcon)
-    hidden_proto(getprevcon_raw)
-    hidden_proto(getcon)
-    hidden_proto(getcon_raw)
-    hidden_proto(setcon_raw)
-    hidden_proto(getpeercon_raw)
-    hidden_proto(getpidcon_raw)
-    hidden_proto(getexeccon_raw)
-    hidden_proto(getfilecon)
-    hidden_proto(getfilecon_raw)
-    hidden_proto(lgetfilecon_raw)
-    hidden_proto(fgetfilecon_raw)
-    hidden_proto(setfilecon_raw)
-    hidden_proto(lsetfilecon_raw)
-    hidden_proto(fsetfilecon_raw)
-    hidden_proto(setexeccon)
-    hidden_proto(setexeccon_raw)
-    hidden_proto(getfscreatecon_raw)
-    hidden_proto(getkeycreatecon_raw)
-    hidden_proto(getsockcreatecon_raw)
-    hidden_proto(setfscreatecon_raw)
-    hidden_proto(setkeycreatecon_raw)
-    hidden_proto(setsockcreatecon_raw)
-    hidden_proto(security_getenforce)
-    hidden_proto(security_setenforce)
-    hidden_proto(security_deny_unknown)
-    hidden_proto(security_reject_unknown)
-    hidden_proto(security_get_checkreqprot)
-    hidden_proto(selinux_boolean_sub)
-    hidden_proto(selinux_current_policy_path)
-    hidden_proto(selinux_binary_policy_path)
-    hidden_proto(selinux_booleans_subs_path)
-    hidden_proto(selinux_default_context_path)
-    hidden_proto(selinux_securetty_types_path)
-    hidden_proto(selinux_failsafe_context_path)
-    hidden_proto(selinux_removable_context_path)
-    hidden_proto(selinux_virtual_domain_context_path)
-    hidden_proto(selinux_virtual_image_context_path)
-    hidden_proto(selinux_lxc_contexts_path)
-    hidden_proto(selinux_file_context_path)
-    hidden_proto(selinux_file_context_homedir_path)
-    hidden_proto(selinux_file_context_local_path)
-    hidden_proto(selinux_file_context_subs_dist_path)
-    hidden_proto(selinux_file_context_subs_path)
-    hidden_proto(selinux_netfilter_context_path)
-    hidden_proto(selinux_homedir_context_path)
-    hidden_proto(selinux_user_contexts_path)
-    hidden_proto(selinux_booleans_path)
-    hidden_proto(selinux_customizable_types_path)
-    hidden_proto(selinux_media_context_path)
-    hidden_proto(selinux_x_context_path)
-    hidden_proto(selinux_sepgsql_context_path)
-    hidden_proto(selinux_openrc_contexts_path)
-    hidden_proto(selinux_openssh_contexts_path)
-    hidden_proto(selinux_snapperd_contexts_path)
-    hidden_proto(selinux_systemd_contexts_path)
-    hidden_proto(selinux_path)
-    hidden_proto(selinux_check_passwd_access)
-    hidden_proto(selinux_check_securetty_context)
-    hidden_proto(matchpathcon_init_prefix)
-    hidden_proto(selinux_users_path)
-    hidden_proto(selinux_usersconf_path);
-hidden_proto(selinux_translations_path);
-hidden_proto(selinux_colors_path);
-hidden_proto(selinux_getenforcemode);
-hidden_proto(selinux_getpolicytype);
-hidden_proto(selinux_raw_to_trans_context);
-hidden_proto(selinux_trans_to_raw_context);
-    hidden_proto(selinux_raw_context_to_color);
-hidden_proto(security_get_initial_context);
-hidden_proto(security_get_initial_context_raw);
-hidden_proto(selinux_reset_config);
-hidden_proto(selinux_flush_class_cache);
-
-extern int require_seusers hidden;
-extern int selinux_page_size hidden;
+
+
+extern int require_seusers ;
+extern int selinux_page_size ;
 
 /* Make pthread_once optional */
 #pragma weak pthread_once
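Review bot: the replacement adds two empty `+` lines where the `hidden_proto` list stood, so the header now has three consecutive blank lines before `extern int require_seusers ;`; drop them and the space before the semicolon. More importantly, removing `#include "dso.h"` here strips `hidden` from everything the deleted `hidden_proto` list covered, but the link-time controls that replace it (`-fno-semantic-interposition` in 2/3 and the version script in 3/3) are separate patches, so a bisect that lands on 1/3 builds a libselinux.so with a larger export surface and without the interposition protection. Consider squashing the Makefile changes into this patch, or reordering the series so the linker script lands first.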
@@ -180,4 +73,4 @@ extern int selinux_page_size hidden;
 #define SELINUXDIR "/etc/selinux/"
 #define SELINUXCONFIG SELINUXDIR "config"
 
-extern int has_selinux_config hidden;
+extern int has_selinux_config ;
diff --git a/libselinux/src/setenforce.c b/libselinux/src/setenforce.c
index 09cad3ceaf9d..a87ff2d08e30 100644
--- a/libselinux/src/setenforce.c
+++ b/libselinux/src/setenforce.c
@@ -34,4 +34,3 @@ int security_setenforce(int value)
 	return 0;
 }
 
-hidden_def(security_setenforce)
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6c2f3..bd45f12cf707 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -25,7 +25,6 @@ int setfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(setfilecon_raw)
 
 int setfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
index fa188a824f78..52a8ba78b2ad 100644
--- a/libselinux/src/setrans_client.c
+++ b/libselinux/src/setrans_client.c
@@ -19,7 +19,6 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <sys/uio.h>
-#include "dso.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
 
@@ -260,7 +259,7 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) setrans_lib_destructor(void);
 
-void hidden __attribute__((destructor)) setrans_lib_destructor(void)
+void  __attribute__((destructor)) setrans_lib_destructor(void)
 {
 	if (!has_setrans)
 		return;
@@ -327,7 +326,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -369,7 +367,6 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 
 int selinux_raw_context_to_color(const char * raw, char **transp)
 {
@@ -410,7 +407,6 @@ int selinux_raw_context_to_color(const char * raw, char **transp)
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_context_to_color)
 #else /*DISABLE_SETRANS*/
 
 int selinux_trans_to_raw_context(const char * trans,
@@ -426,7 +422,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -440,5 +435,4 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 #endif /*DISABLE_SETRANS*/
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index 7ec7d12c4546..fff80c1ad47b 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -88,7 +88,7 @@ static int process_seusers(const char *buffer,
 	return -2;		/* error */
 }
 
-int require_seusers hidden = 0;
+int require_seusers  = 0;
 
 #include <pwd.h>
 #include <grp.h>
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index 004fcd3b28c0..9a8ce01dceda 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -23,7 +23,6 @@
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 #include "sha1.h"
-#include "dso.h"
 #include <memory.h>
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -126,7 +125,7 @@ void
 //
 //  Initialises an SHA1 Context. Use this to initialise/reset a context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Initialise
     (
         Sha1Context*                Context
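Review bot: `+void ` carries trailing whitespace (the space that preceded the deleted `hidden`), which `git am` and whitespace checkers will flag; trim it here and in the two following sha1.c hunks for `Sha1Update` and `Sha1Finalise`.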
@@ -148,7 +147,7 @@ void hidden
 //  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 //  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Update
     (
         Sha1Context*        Context,
@@ -191,7 +190,7 @@ void hidden
 //  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 //  calling this, Sha1Initialised must be used to reuse the context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Finalise
     (
         Sha1Context*                Context,
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 29757b750878..012a740a622e 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -180,7 +180,6 @@ void selinux_flush_class_cache(void)
 	discover_class_cache = NULL;
 }
 
-hidden_def(selinux_flush_class_cache)
 
 security_class_t string_to_security_class(const char *s)
 {
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
index 2aa300cfd90a..66ac7405baac 100644
--- a/libselinux/src/validatetrans.c
+++ b/libselinux/src/validatetrans.c
@@ -57,7 +57,6 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans_raw)
 
 int security_validatetrans(const char *scon,
 			   const char *tcon,
@@ -91,4 +90,3 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans)
-- 
2.17.1



* [PATCH 2/3] Makefile: add -fno-semantic-interposition
  2020-02-27 23:01 libselinux: drop dso.h bill.c.roberts
  2020-02-27 23:01 ` [PATCH 1/3] dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-02-27 23:01 ` bill.c.roberts
  2020-02-28 13:51   ` Stephen Smalley
  2020-02-27 23:01 ` [PATCH 3/3] Makefile: add linker script to minimize exports bill.c.roberts
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
  3 siblings, 1 reply; 37+ messages in thread
From: bill.c.roberts @ 2020-02-27 23:01 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7f5a5d7418e9..c76110fbc650 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -65,7 +65,7 @@ EXTRA_CFLAGS = -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nan
 	-Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \
 	-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \
 	-Wno-suggest-attribute=pure -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
-	-Wstrict-overflow=5
+	-Wstrict-overflow=5 -fno-semantic-interposition
 else
 EXTRA_CFLAGS = -Wunused-command-line-argument
 endif
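Review bot: placing the flag in the GCC-only `EXTRA_CFLAGS` branch is correct given the `else` branch is the clang one, but `-fno-semantic-interposition` only lets GCC bind calls to functions defined in the same translation unit directly. An internal call from one libselinux .c file to a public function defined in another still goes through the PLT and can be interposed by a same-named symbol earlier in the search order, which is exactly the case the old `hidden_def` aliases covered. If that protection is wanted across files, the link needs `-Wl,-Bsymbolic-functions` (or protected visibility on the exported symbols) in addition to this flag; the commit message should say which scope is intended. Also, the option exists only in GCC 5 and later, so an older GCC that takes this branch will reject the build.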
-- 
2.17.1



* [PATCH 3/3] Makefile: add linker script to minimize exports
  2020-02-27 23:01 libselinux: drop dso.h bill.c.roberts
  2020-02-27 23:01 ` [PATCH 1/3] dso: drop hidden_proto and hidden_def bill.c.roberts
  2020-02-27 23:01 ` [PATCH 2/3] Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-02-27 23:01 ` bill.c.roberts
  2020-02-28 13:36   ` Stephen Smalley
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
  3 siblings, 1 reply; 37+ messages in thread
From: bill.c.roberts @ 2020-02-27 23:01 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a linker script that exports only what was previously exported by
libselinux.

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Fixes: #179

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile       |   2 +-
 libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
 2 files changed, 250 insertions(+), 1 deletion(-)
 create mode 100644 libselinux/src/libselinux.map

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c76110fbc650..f74dbeb983dd 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
           -Werror -Wno-aggregate-return -Wno-redundant-decls \
           $(EXTRA_CFLAGS)
 
-LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
 
 ifeq ($(OS), Darwin)
 override CFLAGS += -I/opt/local/include
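Review bot: `-z,relro-Wl,--version-script=libselinux.map` has no separator between `relro` and `-Wl`, so the linker is handed a single option `relro-Wl`, and the `-Wl,` prefix does not belong inside a value that is already a comma-separated list forwarded to ld. Suggest `LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro,--version-script=libselinux.map`. Since the map now determines what the library exports, also add `libselinux.map` as a prerequisite of the `$(LIBSO)` rule so that edits to it trigger a relink.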
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
new file mode 100644
index 000000000000..823abeee9a36
--- /dev/null
+++ b/libselinux/src/libselinux.map
@@ -0,0 +1,249 @@
+{
+  global:
+    avc_add_callback;
+    avc_audit;
+    avc_av_stats;
+    avc_cache_stats;
+    avc_cleanup;
+    avc_compute_create;
+    avc_compute_member;
+    avc_context_to_sid;
+    avc_context_to_sid_raw;
+    avc_destroy;
+    avc_get_initial_sid;
+    avc_has_perm;
+    avc_has_perm_noaudit;
+    avc_init;
+    avc_netlink_acquire_fd;
+    avc_netlink_check_nb;
+    avc_netlink_close;
+    avc_netlink_loop;
+    avc_netlink_open;
+    avc_netlink_release_fd;
+    avc_open;
+    avc_reset;
+    avc_sid_stats;
+    avc_sid_to_context;
+    avc_sid_to_context_raw;
+    checkPasswdAccess;
+    context_free;
+    context_new;
+    context_range_get;
+    context_range_set;
+    context_role_get;
+    context_role_set;
+    context_str;
+    context_type_get;
+    context_type_set;
+    context_user_get;
+    context_user_set;
+    dir_xattr_list;
+    fgetfilecon;
+    fgetfilecon_raw;
+    fini_selinuxmnt;
+    freecon;
+    freeconary;
+    fsetfilecon;
+    fsetfilecon_raw;
+    getcon;
+    getcon_raw;
+    get_default_context;
+    get_default_context_with_level;
+    get_default_context_with_role;
+    get_default_context_with_rolelevel;
+    get_default_type;
+    getexeccon;
+    getexeccon_raw;
+    getfilecon;
+    getfilecon_raw;
+    getfscreatecon;
+    getfscreatecon_raw;
+    getkeycreatecon;
+    getkeycreatecon_raw;
+    get_ordered_context_list;
+    get_ordered_context_list_with_level;
+    getpeercon;
+    getpeercon_raw;
+    getpidcon;
+    getpidcon_raw;
+    getprevcon;
+    getprevcon_raw;
+    getseuser;
+    getseuserbyname;
+    getsockcreatecon;
+    getsockcreatecon_raw;
+    is_context_customizable;
+    is_selinux_enabled;
+    is_selinux_mls_enabled;
+    lgetfilecon;
+    lgetfilecon_raw;
+    lsetfilecon;
+    lsetfilecon_raw;
+    manual_user_enter_context;
+    map_class;
+    map_decision;
+    map_perm;
+    matchmediacon;
+    matchpathcon;
+    matchpathcon_checkmatches;
+    matchpathcon_filespec_add;
+    matchpathcon_filespec_destroy;
+    matchpathcon_filespec_eval;
+    matchpathcon_fini;
+    matchpathcon_index;
+    matchpathcon_init;
+    matchpathcon_init_prefix;
+    mode_to_security_class;
+    myprintf_compat;
+    print_access_vector;
+    query_user_context;
+    realpath_not_final;
+    rpm_execcon;
+    security_av_perm_to_string;
+    security_av_string;
+    security_canonicalize_context;
+    security_canonicalize_context_raw;
+    security_check_context;
+    security_check_context_raw;
+    security_class_to_string;
+    security_commit_booleans;
+    security_compute_av;
+    security_compute_av_flags;
+    security_compute_av_flags_raw;
+    security_compute_av_raw;
+    security_compute_create;
+    security_compute_create_name;
+    security_compute_create_name_raw;
+    security_compute_create_raw;
+    security_compute_member;
+    security_compute_member_raw;
+    security_compute_relabel;
+    security_compute_relabel_raw;
+    security_compute_user;
+    security_compute_user_raw;
+    security_deny_unknown;
+    security_disable;
+    security_get_boolean_active;
+    security_get_boolean_names;
+    security_get_boolean_pending;
+    security_get_checkreqprot;
+    security_getenforce;
+    security_get_initial_context;
+    security_get_initial_context_raw;
+    security_load_booleans;
+    security_load_policy;
+    security_policyvers;
+    security_reject_unknown;
+    security_set_boolean;
+    security_set_boolean_list;
+    security_setenforce;
+    security_validatetrans;
+    security_validatetrans_raw;
+    selabel_close;
+    selabel_cmp;
+    selabel_digest;
+    selabel_get_digests_all_partial_matches;
+    selabel_hash_all_partial_matches;
+    selabel_lookup;
+    selabel_lookup_best_match;
+    selabel_lookup_best_match_raw;
+    selabel_lookup_raw;
+    selabel_open;
+    selabel_partial_match;
+    selabel_stats;
+    selinux_binary_policy_path;
+    selinux_booleans_path;
+    selinux_booleans_subs_path;
+    selinux_boolean_sub;
+    selinux_check_access;
+    selinux_check_passwd_access;
+    selinux_check_securetty_context;
+    selinux_colors_path;
+    selinux_contexts_path;
+    selinux_current_policy_path;
+    selinux_customizable_types_path;
+    selinux_default_context_path;
+    selinux_default_type_path;
+    selinux_failsafe_context_path;
+    selinux_file_context_cmp;
+    selinux_file_context_homedir_path;
+    selinux_file_context_local_path;
+    selinux_file_context_path;
+    selinux_file_context_subs_dist_path;
+    selinux_file_context_subs_path;
+    selinux_file_context_verify;
+    selinux_flush_class_cache;
+    selinuxfs_exists;
+    selinux_get_callback;
+    selinux_getenforcemode;
+    selinux_getpolicytype;
+    selinux_homedir_context_path;
+    selinux_init_load_policy;
+    selinux_lsetfilecon_default;
+    selinux_lxc_contexts_path;
+    selinux_media_context_path;
+    selinux_mkload_policy;
+    selinux_mnt;
+    selinux_netfilter_context_path;
+    selinux_openrc_contexts_path;
+    selinux_openssh_contexts_path;
+    selinux_path;
+    selinux_policy_root;
+    selinux_raw_context_to_color;
+    selinux_raw_to_trans_context;
+    selinux_removable_context_path;
+    selinux_reset_config;
+    selinux_restorecon;
+    selinux_restorecon_default_handle;
+    selinux_restorecon_set_alt_rootpath;
+    selinux_restorecon_set_exclude_list;
+    selinux_restorecon_set_sehandle;
+    selinux_restorecon_xattr;
+    selinux_securetty_types_path;
+    selinux_sepgsql_context_path;
+    selinux_set_callback;
+    selinux_set_mapping;
+    selinux_set_policy_root;
+    selinux_snapperd_contexts_path;
+    selinux_status_close;
+    selinux_status_deny_unknown;
+    selinux_status_getenforce;
+    selinux_status_open;
+    selinux_status_policyload;
+    selinux_status_updated;
+    selinux_systemd_contexts_path;
+    selinux_translations_path;
+    selinux_trans_to_raw_context;
+    selinux_user_contexts_path;
+    selinux_usersconf_path;
+    selinux_users_path;
+    selinux_virtual_domain_context_path;
+    selinux_virtual_image_context_path;
+    selinux_x_context_path;
+    setcon;
+    setcon_raw;
+    setexeccon;
+    setexeccon_raw;
+    setexecfilecon;
+    setfilecon;
+    setfilecon_raw;
+    setfscreatecon;
+    setfscreatecon_raw;
+    setkeycreatecon;
+    setkeycreatecon_raw;
+    set_matchpathcon_canoncon;
+    set_matchpathcon_flags;
+    set_matchpathcon_invalidcon;
+    set_matchpathcon_printf;
+    set_selinuxmnt;
+    setsockcreatecon;
+    setsockcreatecon_raw;
+    sidget;
+    sidput;
+    string_to_av_perm;
+    string_to_security_class;
+    unmap_class;
+    unmap_perm;
+  local:
+    *;
+};
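Review bot: the script opens with a bare `{`, so the node is unnamed; give it a version name (the thread's own convention is `LIBSELINUX_1.0 {`, matching the libsepol and libsemanage maps) before it ships, because renaming the node afterwards changes the versioned symbol names that consumers bind to. The `local: *;` clause at the end is the piece that turns visibility into opt-in, which means the `global:` list should be checked against the public headers rather than only against what master happened to export: `unmap_class;` and `unmap_perm;` above are not declared in any public header and belong under `local:`, and the old.map/new.map diff in the commit message cannot catch that class of leak because both sides already contain them.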
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 37+ messages in thread

* Re: [PATCH 3/3] Makefile: add linker script to minimize exports
  2020-02-27 23:01 ` [PATCH 3/3] Makefile: add linker script to minimize exports bill.c.roberts
@ 2020-02-28 13:36   ` Stephen Smalley
  2020-02-28 13:38     ` William Roberts
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
  0 siblings, 2 replies; 37+ messages in thread
From: Stephen Smalley @ 2020-02-28 13:36 UTC (permalink / raw)
  To: William Roberts
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> Add a linker script that exports only what was previously exported by
> libselinux.
>
> This was checked by generating an old export map (from master):
> nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
>
> Then creating a new one for this library after this patch is applied:
> nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
>
> And diffing them:
> diff old.map new.map
>
> Fixes: #179
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  libselinux/src/Makefile       |   2 +-
>  libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
>  2 files changed, 250 insertions(+), 1 deletion(-)
>  create mode 100644 libselinux/src/libselinux.map
>

> diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
> new file mode 100644
> index 000000000000..823abeee9a36
> --- /dev/null
> +++ b/libselinux/src/libselinux.map
> @@ -0,0 +1,249 @@
> +{
> +  global:

Our other map files (for libsepol and libsemanage) have a versioned
symbolic name before the {, ala
LIBSELINUX_1.0 {

> +    dir_xattr_list;

I doubt this was intentionally made public and certainly isn't
declared in the public headers.  Can we hide it?

> +    map_class;
> +    map_decision;
> +    map_perm;

Ditto for these three.

> +    myprintf_compat;

And again.

> +    unmap_class;
> +    unmap_perm;

Likewise.

* Re: [PATCH 3/3] Makefile: add linker script to minimize exports
  2020-02-28 13:36   ` Stephen Smalley
@ 2020-02-28 13:38     ` William Roberts
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
  1 sibling, 0 replies; 37+ messages in thread
From: William Roberts @ 2020-02-28 13:38 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Fri, Feb 28, 2020 at 7:34 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > Add a linker script that exports only what was previously exported by
> > libselinux.
> >
> > This was checked by generating an old export map (from master):
> > nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> >
> > Then creating a new one for this library after this patch is applied:
> > nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> >
> > And diffing them:
> > diff old.map new.map
> >
> > Fixes: #179
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> >  libselinux/src/Makefile       |   2 +-
> >  libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
> >  2 files changed, 250 insertions(+), 1 deletion(-)
> >  create mode 100644 libselinux/src/libselinux.map
> >
>
> > diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
> > new file mode 100644
> > index 000000000000..823abeee9a36
> > --- /dev/null
> > +++ b/libselinux/src/libselinux.map
> > @@ -0,0 +1,249 @@
> > +{
> > +  global:
>
> Our other map files (for libsepol and libsemanage) have a versioned
> symbolic name before the {, ala
> LIBSELINUX_1.0 {

Ok will add.

>
> > +    dir_xattr_list;
>
> I doubt this was intentionally made public and certainly isn't
> declared in the public headers.  Can we hide it?
>
> > +    map_class;
> > +    map_decision;
> > +    map_perm;
>
> Ditto for these three.
>
> > +    myprintf_compat;
>
> And again.
>
> > +    unmap_class;
> > +    unmap_perm;
>
> Likewise.

Perfect, I was wondering if this was overzealous, but I didn't want to
break things. Will drop these. This provides evidence that opting in to
hide symbols wasn't doing what we expected.

* Re: [PATCH 2/3] Makefile: add -fno-semantic-interposition
  2020-02-27 23:01 ` [PATCH 2/3] Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-02-28 13:51   ` Stephen Smalley
  2020-02-28 13:59     ` William Roberts
  0 siblings, 1 reply; 37+ messages in thread
From: Stephen Smalley @ 2020-02-28 13:51 UTC (permalink / raw)
  To: William Roberts
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> Add -fno-semantic-interposition to CFLAGS. This will restore
> the DSO infrastructure's protections to ensure internal callers
> of exported symbols call into libselinux and not something loading first
> in the library list.
>
> Clang has this enabled by default.
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

I'm fine with this but since Nicolas pointed out the option of using
-Bsymbolic to the linker as an alternative to hidden_def/hidden_proto in
https://github.com/SELinuxProject/selinux/issues/204#issuecomment-591092288
I was wondering how they differ.  I guess -Bsymbolic only affects the
linker while -fno-semantic-interposition permits the compiler to further
optimize the code.

* Re: [PATCH 2/3] Makefile: add -fno-semantic-interposition
  2020-02-28 13:51   ` Stephen Smalley
@ 2020-02-28 13:59     ` William Roberts
  2020-03-01 20:32       ` Nicolas Iooss
  0 siblings, 1 reply; 37+ messages in thread
From: William Roberts @ 2020-02-28 13:59 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Fri, Feb 28, 2020 at 7:50 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > Add -fno-semantic-interposition to CFLAGS. This will restore
> > the DSO infrastructure's protections to ensure internal callers
> > of exported symbols call into libselinux and not something loading first
> > in the library list.
> >
> > Clang has this enabled by default.
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>
> I'm fine with this but since Nicolas pointed out the option of using
> -Bsymbolic to the linker as an alternative to hidden_def/hidden_proto in
> https://github.com/SELinuxProject/selinux/issues/204#issuecomment-591092288
> I was wondering how they differ.  I guess -Bsymbolic only affects the
> linker while -fno-semantic-interposition permits the compiler to further
> optimize the code.

That's my understanding of the difference as well. -B is only link time, so
the compiler can't really optimize the calls, but IIUC the compiler can only
optimize what's in the compilation unit, so it can only optimize call sites
for calls within the compilation unit.

-B also only works for ELF builds, so we would conditionally need to modify
LDFLAGS based on host type. The compiler option is just a clang/gcc split,
which is already there. To go to symbolic we would have to conditionally set
that... a tad bit more work :-p

* [V2] libselinux: drop dso.h
  2020-02-28 13:36   ` Stephen Smalley
  2020-02-28 13:38     ` William Roberts
@ 2020-02-28 14:05     ` bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
                         ` (3 more replies)
  1 sibling, 4 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 14:05 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba

Version 2:
  - adds a version to the linker script LIBSELINUX_1.0
  - Adds a patch to drop some additional symbols from the dso.
    - dir_xattr_list
    - myprintf_compat
    - unmap_class
    - unmap_perm

This four-part patch series drops the dso.h and hidden_*
macros.

The old dso.h functionality provided libselinux with both control over
external exported symbols as well as ensuring internal callers call into
libselinux and not a symbol with the same name loaded by the linker
earlier in the library list.

The functionality is replaced by a linker script that requires public
API to explicitly be opt-in. The old method required that internal API
be explicitly annotated, and everything else is public. This should help
make it easier to control libselinux DSO hygiene going forward.

The second functionality is replaced by compiler option
-fno-semantic-interposition

Note that clang has this enabled by default, and thus doesn't need it.

See:
  - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition

[PATCH v2 1/4] dso: drop hidden_proto and hidden_def
[PATCH v2 2/4] Makefile: add -fno-semantic-interposition
[PATCH v2 3/4] Makefile: add linker script to minimize exports
[PATCH v2 4/4] libselinux: drop symbols from map


* [PATCH v2 1/4] dso: drop hidden_proto and hidden_def
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
@ 2020-02-28 14:05       ` bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
                         ` (2 subsequent siblings)
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 14:05 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c                          |   5 -
 libselinux/src/avc_internal.h                 |  52 ++++----
 libselinux/src/avc_sidtab.h                   |  11 +-
 libselinux/src/booleans.c                     |   5 -
 libselinux/src/callbacks.h                    |  11 +-
 libselinux/src/canonicalize_context.c         |   2 -
 libselinux/src/checkAccess.c                  |   1 -
 libselinux/src/check_context.c                |   2 -
 libselinux/src/checkreqprot.c                 |   1 -
 libselinux/src/compute_av.c                   |   4 -
 libselinux/src/compute_create.c               |   4 -
 libselinux/src/compute_member.c               |   1 -
 libselinux/src/compute_relabel.c              |   1 -
 libselinux/src/compute_user.c                 |   2 -
 libselinux/src/context.c                      |   9 +-
 libselinux/src/context_internal.h             |  12 --
 libselinux/src/deny_unknown.c                 |   1 -
 libselinux/src/disable.c                      |   1 -
 libselinux/src/dso.h                          |  23 ----
 libselinux/src/enabled.c                      |   2 -
 libselinux/src/fgetfilecon.c                  |   1 -
 libselinux/src/freecon.c                      |   1 -
 libselinux/src/freeconary.c                   |   1 -
 libselinux/src/fsetfilecon.c                  |   1 -
 libselinux/src/get_context_list.c             |   3 -
 libselinux/src/get_context_list_internal.h    |   4 -
 libselinux/src/get_default_type_internal.h    |   2 -
 libselinux/src/get_initial_context.c          |   2 -
 libselinux/src/getenforce.c                   |   1 -
 libselinux/src/getfilecon.c                   |   2 -
 libselinux/src/getpeercon.c                   |   1 -
 libselinux/src/init.c                         |   4 -
 libselinux/src/label_internal.h               |  19 ++-
 libselinux/src/label_support.c                |   6 +-
 libselinux/src/lgetfilecon.c                  |   1 -
 libselinux/src/load_policy.c                  |   2 -
 libselinux/src/lsetfilecon.c                  |   1 -
 libselinux/src/matchpathcon.c                 |   3 +-
 libselinux/src/policyvers.c                   |   2 -
 libselinux/src/procattr.c                     |  21 +---
 libselinux/src/regex.h                        |  21 ++--
 libselinux/src/reject_unknown.c               |   1 -
 .../src/selinux_check_securetty_context.c     |   1 -
 libselinux/src/selinux_config.c               |  36 ------
 libselinux/src/selinux_internal.h             | 117 +-----------------
 libselinux/src/setenforce.c                   |   1 -
 libselinux/src/setfilecon.c                   |   1 -
 libselinux/src/setrans_client.c               |   8 +-
 libselinux/src/seusers.c                      |   2 +-
 libselinux/src/sha1.c                         |   7 +-
 libselinux/src/stringrep.c                    |   1 -
 libselinux/src/validatetrans.c                |   2 -
 52 files changed, 69 insertions(+), 357 deletions(-)
 delete mode 100644 libselinux/src/dso.h

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 5230efd2323a..ab10b0f9f1cb 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -294,7 +294,6 @@ void avc_av_stats(void)
 		slots_used, AVC_CACHE_SLOTS, max_chain_len);
 }
 
-hidden_def(avc_av_stats)
 
 static inline struct avc_node *avc_reclaim_node(void)
 {
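Review bot: deleting the `hidden_def(avc_av_stats)` line on its own leaves two consecutive blank lines between the closing brace of avc_av_stats() and avc_reclaim_node(); drop one of the surrounding blank lines along with the macro. The same double blank line is left behind by the other four avc.c hunks (avc_cleanup, avc_reset, avc_audit, avc_has_perm_noaudit).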
@@ -494,7 +493,6 @@ void avc_cleanup(void)
 {
 }
 
-hidden_def(avc_cleanup)
 
 int avc_reset(void)
 {
@@ -539,7 +537,6 @@ int avc_reset(void)
 	return rc;
 }
 
-hidden_def(avc_reset)
 
 void avc_destroy(void)
 {
@@ -733,7 +730,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	avc_release_lock(avc_log_lock);
 }
 
-hidden_def(avc_audit)
 
 
 static void avd_init(struct av_decision *avd)
@@ -825,7 +821,6 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	return rc;
 }
 
-hidden_def(avc_has_perm_noaudit)
 
 int avc_has_perm(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t requested,
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index f8516590bd75..3f8a6bb1cf84 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -14,24 +14,23 @@
 #include <string.h>
 #include <selinux/avc.h>
 #include "callbacks.h"
-#include "dso.h"
 
 /* callback pointers */
-extern void *(*avc_func_malloc) (size_t) hidden;
-extern void (*avc_func_free) (void *)hidden;
+extern void *(*avc_func_malloc) (size_t) ;
+extern void (*avc_func_free) (void *);
 
-extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
-extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
+extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);
 
-extern int avc_using_threads hidden;
-extern int avc_app_main_loop hidden;
-extern void *(*avc_func_create_thread) (void (*)(void))hidden;
-extern void (*avc_func_stop_thread) (void *)hidden;
+extern int avc_using_threads ;
+extern int avc_app_main_loop ;
+extern void *(*avc_func_create_thread) (void (*)(void));
+extern void (*avc_func_stop_thread) (void *);
 
-extern void *(*avc_func_alloc_lock) (void)hidden;
-extern void (*avc_func_get_lock) (void *)hidden;
-extern void (*avc_func_release_lock) (void *)hidden;
-extern void (*avc_func_free_lock) (void *)hidden;
+extern void *(*avc_func_alloc_lock) (void);
+extern void (*avc_func_get_lock) (void *);
+extern void (*avc_func_release_lock) (void *);
+extern void (*avc_func_free_lock) (void *);
 
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 				 const struct avc_log_callback *log_cb,
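Review bot: removing `hidden` leaves a stray space before the semicolon on several declarations, e.g. `extern void *(*avc_func_malloc) (size_t) ;`, `extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;` and `extern int avc_using_threads ;`; drop the space so the lines match the ones that were already written `...);`. Note also that these callback pointers are data symbols, and after this hunk they have default visibility; nothing in this patch hides them, so a comment in the header saying their visibility is governed by the linker script would make the dependency on the later map patch explicit.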
@@ -61,10 +60,10 @@ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 
 /* message prefix and enforcing mode*/
 #define AVC_PREFIX_SIZE 16
-extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
-extern int avc_running hidden;
-extern int avc_enforcing hidden;
-extern int avc_setenforce hidden;
+extern char avc_prefix[AVC_PREFIX_SIZE] ;
+extern int avc_running ;
+extern int avc_enforcing ;
+extern int avc_setenforce ;
 
 /* user-supplied callback interface for avc */
 static inline void *avc_malloc(size_t size)
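Review bot: same whitespace issue as the previous hunk: `extern char avc_prefix[AVC_PREFIX_SIZE] ;`, `extern int avc_running ;`, `extern int avc_enforcing ;` and `extern int avc_setenforce ;` keep a space before the semicolon, as do the avc_ss_* prototypes and `extern int avc_netlink_trouble ;` in the hunk that follows. A single `sed 's/ ;$/;/'` pass over the touched headers would clean all of them up.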
@@ -155,28 +154,23 @@ static inline void avc_free_lock(void *lock)
 /* internal callbacks */
 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t perms,
-		 uint32_t seqno) hidden;
+		 uint32_t seqno) ;
 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
 		      security_class_t tclass,
 		      access_vector_t perms, uint32_t seqno,
-		      access_vector_t * out_retained) hidden;
+		      access_vector_t * out_retained) ;
 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
 		  security_class_t tclass, access_vector_t perms,
-		  uint32_t seqno) hidden;
-int avc_ss_reset(uint32_t seqno) hidden;
+		  uint32_t seqno) ;
+int avc_ss_reset(uint32_t seqno) ;
 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
 			  security_class_t tclass, access_vector_t perms,
-			  uint32_t seqno, uint32_t enable) hidden;
+			  uint32_t seqno, uint32_t enable) ;
 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 			 security_class_t tclass, access_vector_t perms,
-			 uint32_t seqno, uint32_t enable) hidden;
+			 uint32_t seqno, uint32_t enable) ;
 
 /* netlink kernel message code */
-extern int avc_netlink_trouble hidden;
+extern int avc_netlink_trouble ;
 
-hidden_proto(avc_av_stats)
-    hidden_proto(avc_cleanup)
-    hidden_proto(avc_reset)
-    hidden_proto(avc_audit)
-    hidden_proto(avc_has_perm_noaudit)
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
diff --git a/libselinux/src/avc_sidtab.h b/libselinux/src/avc_sidtab.h
index bce9b877ae79..cc5abe354a01 100644
--- a/libselinux/src/avc_sidtab.h
+++ b/libselinux/src/avc_sidtab.h
@@ -7,7 +7,6 @@
 
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include "dso.h"
 
 struct sidtab_node {
 	struct security_id sid_s;
@@ -24,13 +23,13 @@ struct sidtab {
 	unsigned nel;
 };
 
-int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
+int sidtab_init(struct sidtab *s) ;
+int sidtab_insert(struct sidtab *s, const char * ctx) ;
 
 int sidtab_context_to_sid(struct sidtab *s,
-			  const char * ctx, security_id_t * sid) hidden;
+			  const char * ctx, security_id_t * sid) ;
 
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
-void sidtab_destroy(struct sidtab *s) hidden;
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
+void sidtab_destroy(struct sidtab *s) ;
 
 #endif				/* _SELINUX_AVC_SIDTAB_H_ */
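Review bot: `int sidtab_init(struct sidtab *s) ;`, `int sidtab_insert(struct sidtab *s, const char * ctx) ;`, the sidtab_context_to_sid prototype and the two void prototypes below it all keep the space that used to precede `hidden`; remove it. The callbacks.h hunk later in this patch has the same leftover on every `(*selinux_...) ... ;` declaration.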
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ffa8d26b0f3a..ef1f64a05d84 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -414,8 +414,3 @@ char *selinux_boolean_sub(const char *name __attribute__((unused)))
 }
 #endif
 
-hidden_def(security_get_boolean_names)
-hidden_def(selinux_boolean_sub)
-hidden_def(security_get_boolean_active)
-hidden_def(security_set_boolean)
-hidden_def(security_commit_booleans)
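Review bot: the five removed `hidden_def(...)` lines followed a blank context line, so after this hunk booleans.c ends with `#endif` plus an empty line; git will flag it as a new blank line at EOF, and the trailing blank should go with the macros. The same end-of-file pattern appears in the one-line removals in canonicalize_context.c, check_context.c, checkreqprot.c, compute_av.c, compute_user.c, deny_unknown.c, disable.c, enabled.c, freecon.c, freeconary.c, get_context_list.c, get_initial_context.c and getenforce.c.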
diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
index 2a572e08d534..03d87f0cbdfe 100644
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@@ -9,22 +9,21 @@
 #include <stdlib.h>
 #include <string.h>
 #include <selinux/selinux.h>
-#include "dso.h"
 
 /* callback pointers */
 extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) hidden;
+(*selinux_log) (int type, const char *, ...) ;
 
 extern int
-(*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
+(*selinux_audit) (void *, security_class_t, char *, size_t) ;
 
 extern int
-(*selinux_validate)(char **ctx) hidden;
+(*selinux_validate)(char **ctx) ;
 
 extern int
-(*selinux_netlink_setenforce) (int enforcing) hidden;
+(*selinux_netlink_setenforce) (int enforcing) ;
 
 extern int
-(*selinux_netlink_policyload) (int seqno) hidden;
+(*selinux_netlink_policyload) (int seqno) ;
 
 #endif				/* _SELINUX_CALLBACKS_H_ */
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c7d46..faab730592c2 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -60,7 +60,6 @@ int security_canonicalize_context_raw(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context_raw)
 
 int security_canonicalize_context(const char * con,
 				      char ** canoncon)
@@ -83,4 +82,3 @@ int security_canonicalize_context(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 7227ffe51eac..677e2ecd7df4 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -99,7 +99,6 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
-hidden_def(selinux_check_passwd_access)
 
 int checkPasswdAccess(access_vector_t requested)
 {
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f03598..5096a2c40993 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -31,7 +31,6 @@ int security_check_context_raw(const char * con)
 	return 0;
 }
 
-hidden_def(security_check_context_raw)
 
 int security_check_context(const char * con)
 {
@@ -48,4 +47,3 @@ int security_check_context(const char * con)
 	return ret;
 }
 
-hidden_def(security_check_context)
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
index 9b4b12d75021..3dc79d9719c5 100644
--- a/libselinux/src/checkreqprot.c
+++ b/libselinux/src/checkreqprot.c
@@ -37,4 +37,3 @@ int security_get_checkreqprot(void)
 	return checkreqprot;
 }
 
-hidden_def(security_get_checkreqprot);
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe98662..9d17339d1a32 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -80,7 +80,6 @@ int security_compute_av_flags_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags_raw)
 
 int security_compute_av_raw(const char * scon,
 			    const char * tcon,
@@ -107,7 +106,6 @@ int security_compute_av_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_raw)
 
 int security_compute_av_flags(const char * scon,
 			      const char * tcon,
@@ -134,7 +132,6 @@ int security_compute_av_flags(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags)
 
 int security_compute_av(const char * scon,
 			const char * tcon,
@@ -162,4 +159,3 @@ int security_compute_av(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac2224..1d75714d852d 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -105,7 +105,6 @@ int security_compute_create_name_raw(const char * scon,
 	close(fd);
 	return ret;
 }
-hidden_def(security_compute_create_name_raw)
 
 int security_compute_create_raw(const char * scon,
 				const char * tcon,
@@ -115,7 +114,6 @@ int security_compute_create_raw(const char * scon,
 	return security_compute_create_name_raw(scon, tcon, tclass,
 						NULL, newcon);
 }
-hidden_def(security_compute_create_raw)
 
 int security_compute_create_name(const char * scon,
 				 const char * tcon,
@@ -146,7 +144,6 @@ int security_compute_create_name(const char * scon,
 
 	return ret;
 }
-hidden_def(security_compute_create_name)
 
 int security_compute_create(const char * scon,
 				const char * tcon,
@@ -155,4 +152,3 @@ int security_compute_create(const char * scon,
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
-hidden_def(security_compute_create)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221ef9ea..16234b7908f2 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -60,7 +60,6 @@ int security_compute_member_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_member_raw)
 
 int security_compute_member(const char * scon,
 			    const char * tcon,
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3344c..dd20d6525993 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -60,7 +60,6 @@ int security_compute_relabel_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_relabel_raw)
 
 int security_compute_relabel(const char * scon,
 			     const char * tcon,
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index e7da964ff46d..ae5e7b4a8f68 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -80,7 +80,6 @@ int security_compute_user_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user_raw)
 
 int security_compute_user(const char * scon,
 			  const char *user, char *** con)
@@ -110,4 +109,3 @@ int security_compute_user(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user)
diff --git a/libselinux/src/context.c b/libselinux/src/context.c
index b673733e1f48..090264a49eb1 100644
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@@ -82,7 +82,6 @@ context_t context_new(const char *str)
 	return 0;
 }
 
-hidden_def(context_new)
 
 static void conditional_free(char **v)
 {
@@ -113,7 +112,6 @@ void context_free(context_t context)
 	}
 }
 
-hidden_def(context_free)
 
 /*
  * Return a pointer to the string value of the context.
@@ -144,7 +142,6 @@ char *context_str(context_t context)
 	return n->current_str;
 }
 
-hidden_def(context_str)
 
 /* Returns nonzero iff failed */
 static int set_comp(context_private_t * n, int idx, const char *str)
@@ -176,8 +173,7 @@ const char * context_ ## name ## _get(context_t context) \
 { \
         context_private_t *n = context->ptr; \
         return n->component[tag]; \
-} \
-hidden_def(context_ ## name ## _get)
+}
 
 def_get(type, COMP_TYPE)
     def_get(user, COMP_USER)
@@ -187,8 +183,7 @@ def_get(type, COMP_TYPE)
 int context_ ## name ## _set(context_t context, const char* str) \
 { \
         return set_comp(context->ptr,tag,str);\
-} \
-hidden_def(context_ ## name ## _set)
+}
     def_set(type, COMP_TYPE)
     def_set(role, COMP_ROLE)
     def_set(user, COMP_USER)
diff --git a/libselinux/src/context_internal.h b/libselinux/src/context_internal.h
index 3c71e8027080..a7698106923e 100644
--- a/libselinux/src/context_internal.h
+++ b/libselinux/src/context_internal.h
@@ -1,14 +1,2 @@
 #include <selinux/context.h>
-#include "dso.h"
 
-hidden_proto(context_new)
-    hidden_proto(context_free)
-    hidden_proto(context_str)
-    hidden_proto(context_type_set)
-    hidden_proto(context_type_get)
-    hidden_proto(context_role_set)
-    hidden_proto(context_role_get)
-    hidden_proto(context_user_set)
-    hidden_proto(context_user_get)
-    hidden_proto(context_range_set)
-    hidden_proto(context_range_get)
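Review bot: after this hunk context_internal.h consists of `#include <selinux/context.h>` followed by a blank line; either delete the header and point its includers at <selinux/context.h> directly, or at least drop the trailing blank line. get_context_list_internal.h and get_default_type_internal.h are reduced to the same single-include shape further down and deserve the same treatment.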
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index 77d04e370f30..fdd32b50a246 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -37,4 +37,3 @@ int security_deny_unknown(void)
 	return deny_unknown;
 }
 
-hidden_def(security_deny_unknown);
diff --git a/libselinux/src/disable.c b/libselinux/src/disable.c
index 8d66262aff03..1a5ae4172a8d 100644
--- a/libselinux/src/disable.c
+++ b/libselinux/src/disable.c
@@ -35,4 +35,3 @@ int security_disable(void)
 	return 0;
 }
 
-hidden_def(security_disable)
diff --git a/libselinux/src/dso.h b/libselinux/src/dso.h
deleted file mode 100644
index 12c3d1160fb0..000000000000
--- a/libselinux/src/dso.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _SELINUX_DSO_H
-#define _SELINUX_DSO_H	1
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
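Review bot: once dso.h is gone nothing hides internal symbols until the linker script of patch 3/4 is applied, so the tree at this commit (and any bisect step that lands on it) builds a libselinux that exports every internal function and variable; reorder the series so the map goes in first, or fold the map into this patch. Also note what the deleted `hidden_proto`/`hidden_def` pair did: it aliased each exported function to a `fct_internal` name so that in-library callers bypassed the PLT from any file. The replacement `-fno-semantic-interposition` only lets the compiler bind calls within one compilation unit, as the [PATCH 2/3] discussion says, so cross-file internal calls to exported functions still go through the PLT unless the callee is made local by the map or the link uses `-Bsymbolic`.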
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index dd628fba86a8..fefb0bd9ae02 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -20,7 +20,6 @@ int is_selinux_enabled(void)
 #endif
 }
 
-hidden_def(is_selinux_enabled)
 
 /*
  * Function: is_selinux_mls_enabled()
@@ -55,4 +54,3 @@ int is_selinux_mls_enabled(void)
 	return enabled;
 }
 
-hidden_def(is_selinux_mls_enabled)
diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c
index 5522ac16e385..8c748f8a2e64 100644
--- a/libselinux/src/fgetfilecon.c
+++ b/libselinux/src/fgetfilecon.c
@@ -49,7 +49,6 @@ int fgetfilecon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(fgetfilecon_raw)
 
 int fgetfilecon(int fd, char ** context)
 {
diff --git a/libselinux/src/freecon.c b/libselinux/src/freecon.c
index 5290dfa13bc4..df2d7e2827ea 100644
--- a/libselinux/src/freecon.c
+++ b/libselinux/src/freecon.c
@@ -8,4 +8,3 @@ void freecon(char * con)
 	free(con);
 }
 
-hidden_def(freecon)
diff --git a/libselinux/src/freeconary.c b/libselinux/src/freeconary.c
index 8d07718ed5f9..fd2dbaabfbcf 100644
--- a/libselinux/src/freeconary.c
+++ b/libselinux/src/freeconary.c
@@ -16,4 +16,3 @@ void freeconary(char ** con)
 	free(con);
 }
 
-hidden_def(freeconary)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05ddd4..5cf34e3fa5d0 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -25,7 +25,6 @@ int fsetfilecon_raw(int fd, const char * context)
 	return rc;
 }
 
-hidden_def(fsetfilecon_raw)
 
 int fsetfilecon(int fd, const char *context)
 {
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 26d7b3b98e75..b43652ffd28c 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -52,7 +52,6 @@ int get_default_context_with_role(const char *user,
 	return rc;
 }
 
-hidden_def(get_default_context_with_role)
 
 int get_default_context_with_rolelevel(const char *user,
 				       const char *role,
@@ -385,7 +384,6 @@ int get_ordered_context_list_with_level(const char *user,
 	return rc;
 }
 
-hidden_def(get_ordered_context_list_with_level)
 
 int get_default_context_with_level(const char *user,
 				   const char *level,
@@ -497,4 +495,3 @@ int get_ordered_context_list(const char *user,
 	goto out;
 }
 
-hidden_def(get_ordered_context_list)
diff --git a/libselinux/src/get_context_list_internal.h b/libselinux/src/get_context_list_internal.h
index c224834ebfb4..a7c1d41ba07f 100644
--- a/libselinux/src/get_context_list_internal.h
+++ b/libselinux/src/get_context_list_internal.h
@@ -1,6 +1,2 @@
 #include <selinux/get_context_list.h>
-#include "dso.h"
 
-hidden_proto(get_ordered_context_list)
-    hidden_proto(get_ordered_context_list_with_level)
-    hidden_proto(get_default_context_with_role)
diff --git a/libselinux/src/get_default_type_internal.h b/libselinux/src/get_default_type_internal.h
index 0da3c512d6fb..deb5d2963211 100644
--- a/libselinux/src/get_default_type_internal.h
+++ b/libselinux/src/get_default_type_internal.h
@@ -1,4 +1,2 @@
 #include <selinux/get_default_type.h>
-#include "dso.h"
 
-hidden_proto(selinux_default_type_path)
diff --git a/libselinux/src/get_initial_context.c b/libselinux/src/get_initial_context.c
index 5e919f478b63..97ae3dcfb5a6 100644
--- a/libselinux/src/get_initial_context.c
+++ b/libselinux/src/get_initial_context.c
@@ -53,7 +53,6 @@ int security_get_initial_context_raw(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context_raw)
 
 int security_get_initial_context(const char * name, char ** con)
 {
@@ -69,4 +68,3 @@ int security_get_initial_context(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context)
diff --git a/libselinux/src/getenforce.c b/libselinux/src/getenforce.c
index d909dced73c6..3f1e20021a4e 100644
--- a/libselinux/src/getenforce.c
+++ b/libselinux/src/getenforce.c
@@ -37,4 +37,3 @@ int security_getenforce(void)
 	return !!enforce;
 }
 
-hidden_def(security_getenforce)
diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c
index 20bee8abdbfc..4bee31372172 100644
--- a/libselinux/src/getfilecon.c
+++ b/libselinux/src/getfilecon.c
@@ -49,7 +49,6 @@ int getfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon_raw)
 
 int getfilecon(const char *path, char ** context)
 {
@@ -70,4 +69,3 @@ int getfilecon(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon)
diff --git a/libselinux/src/getpeercon.c b/libselinux/src/getpeercon.c
index 3a77a2de2c95..a9dca73e438a 100644
--- a/libselinux/src/getpeercon.c
+++ b/libselinux/src/getpeercon.c
@@ -43,7 +43,6 @@ int getpeercon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(getpeercon_raw)
 
 int getpeercon(int fd, char ** context)
 {
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 083638c47fbf..542c979b9da6 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -12,7 +12,6 @@
 #include <stdint.h>
 #include <limits.h>
 
-#include "dso.h"
 #include "policy.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
@@ -79,7 +78,6 @@ int selinuxfs_exists(void)
 	fclose(fp);
 	return exists;
 }
-hidden_def(selinuxfs_exists)
 
 static void init_selinuxmnt(void)
 {
@@ -138,14 +136,12 @@ void fini_selinuxmnt(void)
 	selinux_mnt = NULL;
 }
 
-hidden_def(fini_selinuxmnt)
 
 void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
 
-hidden_def(set_selinuxmnt)
 
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7ed2a43770a7..361b443cb9c4 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,6 @@
 #include <stdio.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
-#include "dso.h"
 #include "sha1.h"
 
 #if defined(ANDROID) || defined(__APPLE__)
@@ -26,22 +25,22 @@
  */
 int selabel_file_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_media_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_x_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_db_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_service_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 
 /*
  * Labeling internal structures
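Review bot: stripping `hidden` from these prototypes leaves a stray space before the semicolon on all six (`unsigned nopts) ;`), and the same `) ;` pattern is in the three label_internal.h hunks below and throughout regex.h; write `unsigned nopts);`. More importantly, `selabel_file_init()` and the other `selabel_*_init()` routines are declared only in this internal header and were kept out of the DSO's symbol table by that attribute; with it gone they have default visibility and are exported at this commit, until the export map in 3/3 restricts the table again. If bisectability matters, either squash this with the linker-script patch or say in the commit message that 1/3 alone widens the exported ABI.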
@@ -120,14 +119,14 @@ struct selabel_handle {
  */
 extern int
 selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) hidden;
+		 struct selabel_lookup_rec *contexts) ;
 
 /*
  * Compatibility support
  */
 extern int myprintf_compat;
 extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...) hidden;
+(*myprintf) (const char *fmt, ...) ;
 
 #define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
 		myprintf(fmt);				  \
@@ -137,7 +136,7 @@ extern void __attribute__ ((format(printf, 1, 2)))
 extern int
 compat_validate(struct selabel_handle *rec,
 		struct selabel_lookup_rec *contexts,
-		const char *path, unsigned lineno) hidden;
+		const char *path, unsigned lineno) ;
 
 /*
  * The read_spec_entries function may be used to
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 26f9ef155dcf..94ed6e4273cb 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@@ -63,7 +63,7 @@ static inline int read_spec_entry(char **entry, char **ptr, int *len, const char
  * This function calls read_spec_entry() to do the actual string processing.
  * As such, can return anything from that function as well.
  */
-int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 {
 	char **spec_entry, *buf_p;
 	int len, rc, items, entry_len = 0;
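Review bot: the replacement `int  read_spec_entries(` has a double space where `hidden` used to be; collapse it to `int read_spec_entries(`. The same leftover appears in the `digest_gen_hash()` and `digest_add_specfile()` hunks below, in `void  __attribute__((destructor))` in matchpathcon.c, procattr.c and setrans_client.c, and in `int require_seusers  = 0;` in seusers.c. It looks like the series was generated by replacing ` hidden` with nothing; replacing ` hidden ` with a single space instead would have avoided every one of these.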
@@ -113,7 +113,7 @@ int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args,
 }
 
 /* Once all the specfiles are in the hash_buf, generate the hash. */
-void hidden digest_gen_hash(struct selabel_digest *digest)
+void  digest_gen_hash(struct selabel_digest *digest)
 {
 	Sha1Context context;
 
@@ -141,7 +141,7 @@ void hidden digest_gen_hash(struct selabel_digest *digest)
  *
  * Return %0 on success, -%1 with @errno set on failure.
  */
-int hidden digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+int  digest_add_specfile(struct selabel_digest *digest, FILE *fp,
 				    char *from_addr, size_t buf_len,
 				    const char *path)
 {
diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c
index db67bc60ffe6..d1fb821b23ef 100644
--- a/libselinux/src/lgetfilecon.c
+++ b/libselinux/src/lgetfilecon.c
@@ -49,7 +49,6 @@ int lgetfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(lgetfilecon_raw)
 
 int lgetfilecon(const char *path, char ** context)
 {
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 9e75292d2528..fa1a3bf1f441 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -45,7 +45,6 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 }
 
-hidden_def(security_load_policy)
 
 #ifndef ANDROID
 #undef max
@@ -213,7 +212,6 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	return rc;
 }
 
-hidden_def(selinux_mkload_policy)
 
 /*
  * Mount point for selinuxfs. 
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1c5fc..213fb684fc66 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -25,7 +25,6 @@ int lsetfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(lsetfilecon_raw)
 
 int lsetfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa4cfd5..bddf77a49ce1 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -322,7 +322,7 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
 
-void hidden __attribute__((destructor)) matchpathcon_lib_destructor(void)
+void  __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@@ -351,7 +351,6 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 
-hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
 {
diff --git a/libselinux/src/policyvers.c b/libselinux/src/policyvers.c
index c97dd9df7a8a..e5aa2f3f2d55 100644
--- a/libselinux/src/policyvers.c
+++ b/libselinux/src/policyvers.c
@@ -7,7 +7,6 @@
 #include "selinux_internal.h"
 #include <stdio.h>
 #include "policy.h"
-#include "dso.h"
 #include <limits.h>
 
 int security_policyvers(void)
@@ -42,4 +41,3 @@ int security_policyvers(void)
 	return vers;
 }
 
-hidden_def(security_policyvers)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef27533..1aa67ac53f39 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -57,7 +57,7 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) procattr_destructor(void);
 
-void hidden __attribute__((destructor)) procattr_destructor(void)
+void  __attribute__((destructor)) procattr_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@@ -345,22 +345,3 @@ all_selfattr_def(con, current)
     all_selfattr_def(sockcreatecon, sockcreate)
     all_selfattr_def(keycreatecon, keycreate)
 
-    hidden_def(getcon_raw)
-    hidden_def(getcon)
-    hidden_def(getexeccon_raw)
-    hidden_def(getfilecon_raw)
-    hidden_def(getfilecon)
-    hidden_def(getfscreatecon_raw)
-    hidden_def(getkeycreatecon_raw)
-    hidden_def(getpeercon_raw)
-    hidden_def(getpidcon_raw)
-    hidden_def(getprevcon_raw)
-    hidden_def(getprevcon)
-    hidden_def(getsockcreatecon_raw)
-    hidden_def(setcon_raw)
-    hidden_def(setexeccon_raw)
-    hidden_def(setexeccon)
-    hidden_def(setfilecon_raw)
-    hidden_def(setfscreatecon_raw)
-    hidden_def(setkeycreatecon_raw)
-    hidden_def(setsockcreatecon_raw)
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
index 6732b349984c..10c3df7856e1 100644
--- a/libselinux/src/regex.h
+++ b/libselinux/src/regex.h
@@ -10,7 +10,6 @@
 #include <pcre.h>
 #endif
 
-#include "dso.h"
 
 enum { REGEX_MATCH,
        REGEX_MATCH_PARTIAL,
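Review bot: removing `#include "dso.h"` here keeps both the blank line above it and the one below it, so the header now has two empty lines between `#endif` and the `enum`; drop one of them.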
@@ -42,7 +41,7 @@ struct mmap_area;
  * expressions are not portable across architectures that do not have a
  * matching arch-string.
  */
-char const *regex_arch_string(void) hidden;
+char const *regex_arch_string(void) ;
 
 /**
  * regex_verison returns the version string of the underlying regular
@@ -55,12 +54,12 @@ char const *regex_arch_string(void) hidden;
  *
  * It may return NULL on error.
  */
-char const *regex_version(void) hidden;
+char const *regex_version(void) ;
 /**
  * This constructor function allocates a buffer for a regex_data structure.
  * The buffer is being initialized with zeroes.
  */
-struct regex_data *regex_data_create(void) hidden;
+struct regex_data *regex_data_create(void) ;
 /**
  * This complementary destructor function frees the a given regex_data buffer.
  * It also frees any non NULL member pointers with the appropriate pcreX_X_free
@@ -68,7 +67,7 @@ struct regex_data *regex_data_create(void) hidden;
  * the pcre_extra data conditionally. Calling this function on a NULL pointer is
  * save.
  */
-void regex_data_free(struct regex_data *regex) hidden;
+void regex_data_free(struct regex_data *regex) ;
 /**
  * This function compiles the regular expression. Additionally, it prepares
  * data structures required by the different underlying engines. For PCRE
@@ -88,7 +87,7 @@ void regex_data_free(struct regex_data *regex) hidden;
  * @retval -1 on error
  */
 int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
-		       struct regex_error_data *errordata) hidden;
+		       struct regex_error_data *errordata) ;
 /**
  * This function loads a serialized precompiled pattern from a contiguous
  * data region given by map_area.
@@ -109,7 +108,7 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
 int regex_load_mmap(struct mmap_area *map_area,
 		    struct regex_data **regex,
 		    int do_load_precompregex,
-		    bool *regex_compiled) hidden;
+		    bool *regex_compiled) ;
 /**
  * This function stores a precompiled regular expression to a file.
  * In the case of PCRE, it just dumps the binary representation of the
@@ -122,7 +121,7 @@ int regex_load_mmap(struct mmap_area *map_area,
  *			      the output file (ignored by PCRE1 back-end).
  */
 int regex_writef(struct regex_data *regex, FILE *fp,
-		 int do_write_precompregex) hidden;
+		 int do_write_precompregex) ;
 /**
  * This function applies a precompiled pattern to a subject string and
  * returns whether or not a match was found.
@@ -139,7 +138,7 @@ int regex_writef(struct regex_data *regex, FILE *fp,
  *                     regular expression
  */
 int regex_match(struct regex_data *regex, char const *subject,
-		int partial) hidden;
+		int partial) ;
 /**
  * This function compares two compiled regular expressions (regex1 and regex2).
  * It compares the binary representations of the compiled patterns. It is a very
@@ -150,7 +149,7 @@ int regex_match(struct regex_data *regex, char const *subject,
  *                       the same
  * @retval SELABEL_INCOMPARABLE otherwise
  */
-int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
+int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) ;
 /**
  * This function takes the error data returned by regex_prepare_data and turns
  * it in to a human readable error message.
@@ -163,5 +162,5 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
  * @arg buf_size Total size of the given buffer in bytes.
  */
 void regex_format_error(struct regex_error_data const *error_data, char *buffer,
-			size_t buf_size) hidden;
+			size_t buf_size) ;
 #endif /* SRC_REGEX_H_ */
diff --git a/libselinux/src/reject_unknown.c b/libselinux/src/reject_unknown.c
index 5c1d36053812..96e60be396ea 100644
--- a/libselinux/src/reject_unknown.c
+++ b/libselinux/src/reject_unknown.c
@@ -37,4 +37,3 @@ int security_reject_unknown(void)
 	return reject_unknown;
 }
 
-hidden_def(security_reject_unknown);
diff --git a/libselinux/src/selinux_check_securetty_context.c b/libselinux/src/selinux_check_securetty_context.c
index 55d4e039ea41..c5c557fd3492 100644
--- a/libselinux/src/selinux_check_securetty_context.c
+++ b/libselinux/src/selinux_check_securetty_context.c
@@ -50,4 +50,3 @@ int selinux_check_securetty_context(const char * tty_context)
 	return found;
 }
 
-hidden_def(selinux_check_securetty_context)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b16a3851ad4a..6c5238953cb1 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -128,7 +128,6 @@ int selinux_getenforcemode(int *enforce)
 	return ret;
 }
 
-hidden_def(selinux_getenforcemode)
 
 static char *selinux_policytype;
 
@@ -141,7 +140,6 @@ int selinux_getpolicytype(char **type)
 	return *type ? 0 : -1;
 }
 
-hidden_def(selinux_getpolicytype)
 
 static int setpolicytype(const char *type)
 {
@@ -249,7 +247,6 @@ void selinux_reset_config(void)
 	init_selinux_config();
 }
 
-hidden_def(selinux_reset_config)
 
 static const char *get_path(int idx)
 {
@@ -262,7 +259,6 @@ const char *selinux_default_type_path(void)
 	return get_path(DEFAULT_TYPE);
 }
 
-hidden_def(selinux_default_type_path)
 
 const char *selinux_policy_root(void)
 {
@@ -305,42 +301,36 @@ const char *selinux_path(void)
 	return selinux_rootpath;
 }
 
-hidden_def(selinux_path)
 
 const char *selinux_default_context_path(void)
 {
 	return get_path(DEFAULT_CONTEXTS);
 }
 
-hidden_def(selinux_default_context_path)
 
 const char *selinux_securetty_types_path(void)
 {
 	return get_path(SECURETTY_TYPES);
 }
 
-hidden_def(selinux_securetty_types_path)
 
 const char *selinux_failsafe_context_path(void)
 {
 	return get_path(FAILSAFE_CONTEXT);
 }
 
-hidden_def(selinux_failsafe_context_path)
 
 const char *selinux_removable_context_path(void)
 {
 	return get_path(REMOVABLE_CONTEXT);
 }
 
-hidden_def(selinux_removable_context_path)
 
 const char *selinux_binary_policy_path(void)
 {
 	return get_path(BINPOLICY);
 }
 
-hidden_def(selinux_binary_policy_path)
 
 const char *selinux_current_policy_path(void)
 {
@@ -365,35 +355,30 @@ const char *selinux_current_policy_path(void)
 	return policy_path;
 }
 
-hidden_def(selinux_current_policy_path)
 
 const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
 }
 
-hidden_def(selinux_file_context_path)
 
 const char *selinux_homedir_context_path(void)
 {
 	return get_path(HOMEDIR_CONTEXTS);
 }
 
-hidden_def(selinux_homedir_context_path)
 
 const char *selinux_media_context_path(void)
 {
 	return get_path(MEDIA_CONTEXTS);
 }
 
-hidden_def(selinux_media_context_path)
 
 const char *selinux_customizable_types_path(void)
 {
 	return get_path(CUSTOMIZABLE_TYPES);
 }
 
-hidden_def(selinux_customizable_types_path)
 
 const char *selinux_contexts_path(void)
 {
@@ -405,7 +390,6 @@ const char *selinux_user_contexts_path(void)
 	return get_path(USER_CONTEXTS);
 }
 
-hidden_def(selinux_user_contexts_path)
 
 /* Deprecated as local policy booleans no longer supported. */
 const char *selinux_booleans_path(void)
@@ -413,7 +397,6 @@ const char *selinux_booleans_path(void)
 	return get_path(BOOLEANS);
 }
 
-hidden_def(selinux_booleans_path)
 
 /* Deprecated as no longer supported. */
 const char *selinux_users_path(void)
@@ -421,127 +404,108 @@ const char *selinux_users_path(void)
 	return get_path(USERS_DIR);
 }
 
-hidden_def(selinux_users_path)
 
 const char *selinux_usersconf_path(void)
 {
 	return get_path(SEUSERS);
 }
 
-hidden_def(selinux_usersconf_path)
 
 const char *selinux_translations_path(void)
 {
 	return get_path(TRANSLATIONS);
 }
 
-hidden_def(selinux_translations_path)
 
 const char *selinux_colors_path(void)
 {
 	return get_path(COLORS);
 }
 
-hidden_def(selinux_colors_path)
 
 const char *selinux_netfilter_context_path(void)
 {
 	return get_path(NETFILTER_CONTEXTS);
 }
 
-hidden_def(selinux_netfilter_context_path)
 
 const char *selinux_file_context_homedir_path(void)
 {
 	return get_path(FILE_CONTEXTS_HOMEDIR);
 }
 
-hidden_def(selinux_file_context_homedir_path)
 
 const char *selinux_file_context_local_path(void)
 {
 	return get_path(FILE_CONTEXTS_LOCAL);
 }
 
-hidden_def(selinux_file_context_local_path)
 
 const char *selinux_x_context_path(void)
 {
 	return get_path(X_CONTEXTS);
 }
 
-hidden_def(selinux_x_context_path)
 
 const char *selinux_virtual_domain_context_path(void)
 {
 	return get_path(VIRTUAL_DOMAIN);
 }
 
-hidden_def(selinux_virtual_domain_context_path)
 
 const char *selinux_virtual_image_context_path(void)
 {
 	return get_path(VIRTUAL_IMAGE);
 }
 
-hidden_def(selinux_virtual_image_context_path)
 
 const char *selinux_lxc_contexts_path(void)
 {
 	return get_path(LXC_CONTEXTS);
 }
 
-hidden_def(selinux_lxc_contexts_path)
 
 const char *selinux_openrc_contexts_path(void)
 {
     return get_path(OPENRC_CONTEXTS);
 }
 
-hidden_def(selinux_openrc_contexts_path)
 
 const char *selinux_openssh_contexts_path(void)
 {
     return get_path(OPENSSH_CONTEXTS);
 }
 
-hidden_def(selinux_openssh_contexts_path)
 
 const char *selinux_snapperd_contexts_path(void)
 {
     return get_path(SNAPPERD_CONTEXTS);
 }
 
-hidden_def(selinux_snapperd_contexts_path)
 
 const char *selinux_systemd_contexts_path(void)
 {
 	return get_path(SYSTEMD_CONTEXTS);
 }
 
-hidden_def(selinux_systemd_contexts_path)
 
 const char * selinux_booleans_subs_path(void) {
 	return get_path(BOOLEAN_SUBS);
 }
 
-hidden_def(selinux_booleans_subs_path)
 
 const char * selinux_file_context_subs_path(void) {
 	return get_path(FILE_CONTEXT_SUBS);
 }
 
-hidden_def(selinux_file_context_subs_path)
 
 const char * selinux_file_context_subs_dist_path(void) {
 	return get_path(FILE_CONTEXT_SUBS_DIST);
 }
 
-hidden_def(selinux_file_context_subs_dist_path)
 
 const char *selinux_sepgsql_context_path(void)
 {
 	return get_path(SEPGSQL_CONTEXTS);
 }
 
-hidden_def(selinux_sepgsql_context_path)
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 61b78aaa7c10..27e9ac532c3f 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -1,116 +1,9 @@
 #include <selinux/selinux.h>
 #include <pthread.h>
-#include "dso.h"
-
-hidden_proto(selinux_mkload_policy)
-    hidden_proto(fini_selinuxmnt)
-    hidden_proto(set_selinuxmnt)
-    hidden_proto(selinuxfs_exists)
-    hidden_proto(security_disable)
-    hidden_proto(security_policyvers)
-    hidden_proto(security_load_policy)
-    hidden_proto(security_get_boolean_active)
-    hidden_proto(security_get_boolean_names)
-    hidden_proto(security_set_boolean)
-    hidden_proto(security_commit_booleans)
-    hidden_proto(security_check_context)
-    hidden_proto(security_check_context_raw)
-    hidden_proto(security_canonicalize_context)
-    hidden_proto(security_canonicalize_context_raw)
-    hidden_proto(security_compute_av)
-    hidden_proto(security_compute_av_raw)
-    hidden_proto(security_compute_av_flags)
-    hidden_proto(security_compute_av_flags_raw)
-    hidden_proto(security_compute_user)
-    hidden_proto(security_compute_user_raw)
-    hidden_proto(security_compute_create)
-    hidden_proto(security_compute_create_raw)
-    hidden_proto(security_compute_create_name)
-    hidden_proto(security_compute_create_name_raw)
-    hidden_proto(security_compute_member_raw)
-    hidden_proto(security_compute_relabel_raw)
-    hidden_proto(security_validatetrans)
-    hidden_proto(security_validatetrans_raw)
-    hidden_proto(is_selinux_enabled)
-    hidden_proto(is_selinux_mls_enabled)
-    hidden_proto(freecon)
-    hidden_proto(freeconary)
-    hidden_proto(getprevcon)
-    hidden_proto(getprevcon_raw)
-    hidden_proto(getcon)
-    hidden_proto(getcon_raw)
-    hidden_proto(setcon_raw)
-    hidden_proto(getpeercon_raw)
-    hidden_proto(getpidcon_raw)
-    hidden_proto(getexeccon_raw)
-    hidden_proto(getfilecon)
-    hidden_proto(getfilecon_raw)
-    hidden_proto(lgetfilecon_raw)
-    hidden_proto(fgetfilecon_raw)
-    hidden_proto(setfilecon_raw)
-    hidden_proto(lsetfilecon_raw)
-    hidden_proto(fsetfilecon_raw)
-    hidden_proto(setexeccon)
-    hidden_proto(setexeccon_raw)
-    hidden_proto(getfscreatecon_raw)
-    hidden_proto(getkeycreatecon_raw)
-    hidden_proto(getsockcreatecon_raw)
-    hidden_proto(setfscreatecon_raw)
-    hidden_proto(setkeycreatecon_raw)
-    hidden_proto(setsockcreatecon_raw)
-    hidden_proto(security_getenforce)
-    hidden_proto(security_setenforce)
-    hidden_proto(security_deny_unknown)
-    hidden_proto(security_reject_unknown)
-    hidden_proto(security_get_checkreqprot)
-    hidden_proto(selinux_boolean_sub)
-    hidden_proto(selinux_current_policy_path)
-    hidden_proto(selinux_binary_policy_path)
-    hidden_proto(selinux_booleans_subs_path)
-    hidden_proto(selinux_default_context_path)
-    hidden_proto(selinux_securetty_types_path)
-    hidden_proto(selinux_failsafe_context_path)
-    hidden_proto(selinux_removable_context_path)
-    hidden_proto(selinux_virtual_domain_context_path)
-    hidden_proto(selinux_virtual_image_context_path)
-    hidden_proto(selinux_lxc_contexts_path)
-    hidden_proto(selinux_file_context_path)
-    hidden_proto(selinux_file_context_homedir_path)
-    hidden_proto(selinux_file_context_local_path)
-    hidden_proto(selinux_file_context_subs_dist_path)
-    hidden_proto(selinux_file_context_subs_path)
-    hidden_proto(selinux_netfilter_context_path)
-    hidden_proto(selinux_homedir_context_path)
-    hidden_proto(selinux_user_contexts_path)
-    hidden_proto(selinux_booleans_path)
-    hidden_proto(selinux_customizable_types_path)
-    hidden_proto(selinux_media_context_path)
-    hidden_proto(selinux_x_context_path)
-    hidden_proto(selinux_sepgsql_context_path)
-    hidden_proto(selinux_openrc_contexts_path)
-    hidden_proto(selinux_openssh_contexts_path)
-    hidden_proto(selinux_snapperd_contexts_path)
-    hidden_proto(selinux_systemd_contexts_path)
-    hidden_proto(selinux_path)
-    hidden_proto(selinux_check_passwd_access)
-    hidden_proto(selinux_check_securetty_context)
-    hidden_proto(matchpathcon_init_prefix)
-    hidden_proto(selinux_users_path)
-    hidden_proto(selinux_usersconf_path);
-hidden_proto(selinux_translations_path);
-hidden_proto(selinux_colors_path);
-hidden_proto(selinux_getenforcemode);
-hidden_proto(selinux_getpolicytype);
-hidden_proto(selinux_raw_to_trans_context);
-hidden_proto(selinux_trans_to_raw_context);
-    hidden_proto(selinux_raw_context_to_color);
-hidden_proto(security_get_initial_context);
-hidden_proto(security_get_initial_context_raw);
-hidden_proto(selinux_reset_config);
-hidden_proto(selinux_flush_class_cache);
-
-extern int require_seusers hidden;
-extern int selinux_page_size hidden;
+
+
+extern int require_seusers ;
+extern int selinux_page_size ;
 
 /* Make pthread_once optional */
 #pragma weak pthread_once
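Review bot: the rewritten tail of this header adds two empty `+` lines and leaves `extern int require_seusers ;` and `extern int selinux_page_size ;` with a space before the semicolon (likewise `extern int has_selinux_config ;` in the next hunk); these should read `extern int require_seusers;` and so on, with a single blank line after the includes. Note also that dropping `#include "dso.h"` from this header is what removes `hidden` for files that never included dso.h themselves (seusers.c, for instance, only loses the attribute and no include in this patch), so a full rebuild of every configuration, including the Android and `DISABLE_SETRANS` paths, is the check that no translation unit still reaches `hidden`, `hidden_def` or `hidden_proto` through some other header.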
@@ -180,4 +73,4 @@ extern int selinux_page_size hidden;
 #define SELINUXDIR "/etc/selinux/"
 #define SELINUXCONFIG SELINUXDIR "config"
 
-extern int has_selinux_config hidden;
+extern int has_selinux_config ;
diff --git a/libselinux/src/setenforce.c b/libselinux/src/setenforce.c
index 09cad3ceaf9d..a87ff2d08e30 100644
--- a/libselinux/src/setenforce.c
+++ b/libselinux/src/setenforce.c
@@ -34,4 +34,3 @@ int security_setenforce(int value)
 	return 0;
 }
 
-hidden_def(security_setenforce)
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6c2f3..bd45f12cf707 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -25,7 +25,6 @@ int setfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(setfilecon_raw)
 
 int setfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
index fa188a824f78..52a8ba78b2ad 100644
--- a/libselinux/src/setrans_client.c
+++ b/libselinux/src/setrans_client.c
@@ -19,7 +19,6 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <sys/uio.h>
-#include "dso.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
 
@@ -260,7 +259,7 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) setrans_lib_destructor(void);
 
-void hidden __attribute__((destructor)) setrans_lib_destructor(void)
+void  __attribute__((destructor)) setrans_lib_destructor(void)
 {
 	if (!has_setrans)
 		return;
@@ -327,7 +326,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -369,7 +367,6 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 
 int selinux_raw_context_to_color(const char * raw, char **transp)
 {
@@ -410,7 +407,6 @@ int selinux_raw_context_to_color(const char * raw, char **transp)
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_context_to_color)
 #else /*DISABLE_SETRANS*/
 
 int selinux_trans_to_raw_context(const char * trans,
@@ -426,7 +422,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -440,5 +435,4 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 #endif /*DISABLE_SETRANS*/
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index 7ec7d12c4546..fff80c1ad47b 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -88,7 +88,7 @@ static int process_seusers(const char *buffer,
 	return -2;		/* error */
 }
 
-int require_seusers hidden = 0;
+int require_seusers  = 0;
 
 #include <pwd.h>
 #include <grp.h>
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index 004fcd3b28c0..9a8ce01dceda 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -23,7 +23,6 @@
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 #include "sha1.h"
-#include "dso.h"
 #include <memory.h>
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -126,7 +125,7 @@ void
 //
 //  Initialises an SHA1 Context. Use this to initialise/reset a context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Initialise
     (
         Sha1Context*                Context
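Review bot: `+void ` now carries trailing whitespace where `hidden` was removed, here and in the two `Sha1Update`/`Sha1Finalise` hunks below; `git diff --check` flags these, so trim them to a bare `void`.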
@@ -148,7 +147,7 @@ void hidden
 //  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 //  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Update
     (
         Sha1Context*        Context,
@@ -191,7 +190,7 @@ void hidden
 //  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 //  calling this, Sha1Initialised must be used to reuse the context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Finalise
     (
         Sha1Context*                Context,
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 29757b750878..012a740a622e 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -180,7 +180,6 @@ void selinux_flush_class_cache(void)
 	discover_class_cache = NULL;
 }
 
-hidden_def(selinux_flush_class_cache)
 
 security_class_t string_to_security_class(const char *s)
 {
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
index 2aa300cfd90a..66ac7405baac 100644
--- a/libselinux/src/validatetrans.c
+++ b/libselinux/src/validatetrans.c
@@ -57,7 +57,6 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans_raw)
 
 int security_validatetrans(const char *scon,
 			   const char *tcon,
@@ -91,4 +90,3 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans)
-- 
2.17.1



* [PATCH v2 2/4] Makefile: add -fno-semantic-interposition
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-02-28 14:05       ` bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 3/4] Makefile: add linker script to minimize exports bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 4/4] libselinux: drop symbols from map bill.c.roberts
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 14:05 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7f5a5d7418e9..c76110fbc650 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -65,7 +65,7 @@ EXTRA_CFLAGS = -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nan
 	-Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \
 	-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \
 	-Wno-suggest-attribute=pure -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
-	-Wstrict-overflow=5
+	-Wstrict-overflow=5 -fno-semantic-interposition
 else
 EXTRA_CFLAGS = -Wunused-command-line-argument
 endif
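Review bot: the commit message says this restores the hidden_proto/hidden_def guarantee that internal callers bind to libselinux's own definitions, but -fno-semantic-interposition only lets GCC resolve a call to the local definition when caller and callee are in the same translation unit; a call from one of the library's object files to a public function defined in another still goes through the PLT and can still be satisfied by an earlier DSO defining the same name. If the cross-file case matters (the old hidden aliases covered it), pair this with `-Wl,-Bsymbolic-functions` on the link or keep local aliases for those callers, and verify by checking that no PLT relocation in libselinux.so resolves to one of the library's own exported functions (`readelf -r` / `objdump -d`). Also note the flag lands only in the GCC branch of the `ifeq`; that is consistent with the clang remark, but a one-line comment in the else branch saying clang enables it by default would keep the two branches self-explanatory.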
-- 
2.17.1



* [PATCH v2 3/4] Makefile: add linker script to minimize exports
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-02-28 14:05       ` bill.c.roberts
  2020-02-28 14:05       ` [PATCH v2 4/4] libselinux: drop symbols from map bill.c.roberts
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 14:05 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a linker script that exports only what was previously exported by
libselinux.

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Fixes: #179

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile       |   2 +-
 libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
 2 files changed, 250 insertions(+), 1 deletion(-)
 create mode 100644 libselinux/src/libselinux.map

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c76110fbc650..f74dbeb983dd 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
           -Werror -Wno-aggregate-return -Wno-redundant-decls \
           $(EXTRA_CFLAGS)
 
-LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
 
 ifeq ($(OS), Darwin)
 override CFLAGS += -I/opt/local/include
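Review bot: the new LD_SONAME_FLAGS value is missing a separator between `relro` and `-Wl`, so the list reads `-z,relro-Wl,--version-script=libselinux.map`. If, as the comma-separated form suggests, this variable is handed to the compiler driver via `-Wl,$(LD_SONAME_FLAGS)`, the linker receives `-z relro-Wl` (GNU ld only warns about an unknown -z keyword and ignores it) followed by `--version-script=libselinux.map`; the net effect is that the version script is applied but RELRO is silently lost, a hardening regression the `nm` diff in the commit message cannot detect. Keep the whole value in the existing ld-option form: `LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro,--version-script=libselinux.map`, and check the built library with `readelf -l` for a GNU_RELRO segment.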
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
new file mode 100644
index 000000000000..73f4c072af02
--- /dev/null
+++ b/libselinux/src/libselinux.map
@@ -0,0 +1,249 @@
+LIBSELINUX_1.0 {
+  global:
+    avc_add_callback;
+    avc_audit;
+    avc_av_stats;
+    avc_cache_stats;
+    avc_cleanup;
+    avc_compute_create;
+    avc_compute_member;
+    avc_context_to_sid;
+    avc_context_to_sid_raw;
+    avc_destroy;
+    avc_get_initial_sid;
+    avc_has_perm;
+    avc_has_perm_noaudit;
+    avc_init;
+    avc_netlink_acquire_fd;
+    avc_netlink_check_nb;
+    avc_netlink_close;
+    avc_netlink_loop;
+    avc_netlink_open;
+    avc_netlink_release_fd;
+    avc_open;
+    avc_reset;
+    avc_sid_stats;
+    avc_sid_to_context;
+    avc_sid_to_context_raw;
+    checkPasswdAccess;
+    context_free;
+    context_new;
+    context_range_get;
+    context_range_set;
+    context_role_get;
+    context_role_set;
+    context_str;
+    context_type_get;
+    context_type_set;
+    context_user_get;
+    context_user_set;
+    dir_xattr_list;
+    fgetfilecon;
+    fgetfilecon_raw;
+    fini_selinuxmnt;
+    freecon;
+    freeconary;
+    fsetfilecon;
+    fsetfilecon_raw;
+    getcon;
+    getcon_raw;
+    get_default_context;
+    get_default_context_with_level;
+    get_default_context_with_role;
+    get_default_context_with_rolelevel;
+    get_default_type;
+    getexeccon;
+    getexeccon_raw;
+    getfilecon;
+    getfilecon_raw;
+    getfscreatecon;
+    getfscreatecon_raw;
+    getkeycreatecon;
+    getkeycreatecon_raw;
+    get_ordered_context_list;
+    get_ordered_context_list_with_level;
+    getpeercon;
+    getpeercon_raw;
+    getpidcon;
+    getpidcon_raw;
+    getprevcon;
+    getprevcon_raw;
+    getseuser;
+    getseuserbyname;
+    getsockcreatecon;
+    getsockcreatecon_raw;
+    is_context_customizable;
+    is_selinux_enabled;
+    is_selinux_mls_enabled;
+    lgetfilecon;
+    lgetfilecon_raw;
+    lsetfilecon;
+    lsetfilecon_raw;
+    manual_user_enter_context;
+    map_class;
+    map_decision;
+    map_perm;
+    matchmediacon;
+    matchpathcon;
+    matchpathcon_checkmatches;
+    matchpathcon_filespec_add;
+    matchpathcon_filespec_destroy;
+    matchpathcon_filespec_eval;
+    matchpathcon_fini;
+    matchpathcon_index;
+    matchpathcon_init;
+    matchpathcon_init_prefix;
+    mode_to_security_class;
+    myprintf_compat;
+    print_access_vector;
+    query_user_context;
+    realpath_not_final;
+    rpm_execcon;
+    security_av_perm_to_string;
+    security_av_string;
+    security_canonicalize_context;
+    security_canonicalize_context_raw;
+    security_check_context;
+    security_check_context_raw;
+    security_class_to_string;
+    security_commit_booleans;
+    security_compute_av;
+    security_compute_av_flags;
+    security_compute_av_flags_raw;
+    security_compute_av_raw;
+    security_compute_create;
+    security_compute_create_name;
+    security_compute_create_name_raw;
+    security_compute_create_raw;
+    security_compute_member;
+    security_compute_member_raw;
+    security_compute_relabel;
+    security_compute_relabel_raw;
+    security_compute_user;
+    security_compute_user_raw;
+    security_deny_unknown;
+    security_disable;
+    security_get_boolean_active;
+    security_get_boolean_names;
+    security_get_boolean_pending;
+    security_get_checkreqprot;
+    security_getenforce;
+    security_get_initial_context;
+    security_get_initial_context_raw;
+    security_load_booleans;
+    security_load_policy;
+    security_policyvers;
+    security_reject_unknown;
+    security_set_boolean;
+    security_set_boolean_list;
+    security_setenforce;
+    security_validatetrans;
+    security_validatetrans_raw;
+    selabel_close;
+    selabel_cmp;
+    selabel_digest;
+    selabel_get_digests_all_partial_matches;
+    selabel_hash_all_partial_matches;
+    selabel_lookup;
+    selabel_lookup_best_match;
+    selabel_lookup_best_match_raw;
+    selabel_lookup_raw;
+    selabel_open;
+    selabel_partial_match;
+    selabel_stats;
+    selinux_binary_policy_path;
+    selinux_booleans_path;
+    selinux_booleans_subs_path;
+    selinux_boolean_sub;
+    selinux_check_access;
+    selinux_check_passwd_access;
+    selinux_check_securetty_context;
+    selinux_colors_path;
+    selinux_contexts_path;
+    selinux_current_policy_path;
+    selinux_customizable_types_path;
+    selinux_default_context_path;
+    selinux_default_type_path;
+    selinux_failsafe_context_path;
+    selinux_file_context_cmp;
+    selinux_file_context_homedir_path;
+    selinux_file_context_local_path;
+    selinux_file_context_path;
+    selinux_file_context_subs_dist_path;
+    selinux_file_context_subs_path;
+    selinux_file_context_verify;
+    selinux_flush_class_cache;
+    selinuxfs_exists;
+    selinux_get_callback;
+    selinux_getenforcemode;
+    selinux_getpolicytype;
+    selinux_homedir_context_path;
+    selinux_init_load_policy;
+    selinux_lsetfilecon_default;
+    selinux_lxc_contexts_path;
+    selinux_media_context_path;
+    selinux_mkload_policy;
+    selinux_mnt;
+    selinux_netfilter_context_path;
+    selinux_openrc_contexts_path;
+    selinux_openssh_contexts_path;
+    selinux_path;
+    selinux_policy_root;
+    selinux_raw_context_to_color;
+    selinux_raw_to_trans_context;
+    selinux_removable_context_path;
+    selinux_reset_config;
+    selinux_restorecon;
+    selinux_restorecon_default_handle;
+    selinux_restorecon_set_alt_rootpath;
+    selinux_restorecon_set_exclude_list;
+    selinux_restorecon_set_sehandle;
+    selinux_restorecon_xattr;
+    selinux_securetty_types_path;
+    selinux_sepgsql_context_path;
+    selinux_set_callback;
+    selinux_set_mapping;
+    selinux_set_policy_root;
+    selinux_snapperd_contexts_path;
+    selinux_status_close;
+    selinux_status_deny_unknown;
+    selinux_status_getenforce;
+    selinux_status_open;
+    selinux_status_policyload;
+    selinux_status_updated;
+    selinux_systemd_contexts_path;
+    selinux_translations_path;
+    selinux_trans_to_raw_context;
+    selinux_user_contexts_path;
+    selinux_usersconf_path;
+    selinux_users_path;
+    selinux_virtual_domain_context_path;
+    selinux_virtual_image_context_path;
+    selinux_x_context_path;
+    setcon;
+    setcon_raw;
+    setexeccon;
+    setexeccon_raw;
+    setexecfilecon;
+    setfilecon;
+    setfilecon_raw;
+    setfscreatecon;
+    setfscreatecon_raw;
+    setkeycreatecon;
+    setkeycreatecon_raw;
+    set_matchpathcon_canoncon;
+    set_matchpathcon_flags;
+    set_matchpathcon_invalidcon;
+    set_matchpathcon_printf;
+    set_selinuxmnt;
+    setsockcreatecon;
+    setsockcreatecon_raw;
+    sidget;
+    sidput;
+    string_to_av_perm;
+    string_to_security_class;
+    unmap_class;
+    unmap_perm;
+  local:
+    *;
+};
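Review bot: the `global:` list carries several names that read like internal helpers rather than public API (dir_xattr_list, myprintf_compat, realpath_not_final, map_class/map_decision/map_perm, unmap_class/unmap_perm); 4/4 drops some of them, but since this map is a snapshot of everything the old build happened to export, each entry should be checked against the public headers (<selinux/selinux.h> and the other installed headers) rather than only against the old `nm` output. Also worth stating in the commit message that `local: *;` is what makes exports opt-in: any consumer still referencing an unlisted symbol now fails at load time with an undefined-symbol error instead of at build time, so the in-tree utilities and language bindings are the right place to test this.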
-- 
2.17.1
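The export-map comparison the commit message describes, as an added Python check that is not part of this series or of libselinux: it parses a version script of the libselinux.map shape and `nm --defined-only -g` output, confirms the script hides unlisted symbols (`local: *;`), and lists which previously exported names the script would drop. The map and the nm listing are constructed samples standing in for the real library.

```python
"""Cross-check a GNU ld version script against `nm -g` output.

All sample data below is constructed; it is not a real libselinux build.
"""
import re

# Constructed: a trimmed map in the same shape as libselinux.map.
SAMPLE_MAP = """\
LIBSELINUX_1.0 {
  global:
    avc_add_callback;
    avc_audit;
    getcon;
    getcon_raw;
    selinux_flush_class_cache;
  local:
    *;
};
"""

# Constructed: what `nm --defined-only -g libselinux.so` might print for the
# build *before* the version script (the "old.map" side of the commit message).
SAMPLE_NM_OLD = """\
0000000000005120 T avc_add_callback
0000000000005230 T avc_audit
0000000000006010 T getcon
0000000000006040 T getcon_raw
0000000000007000 T myprintf_compat
0000000000007100 T selinux_flush_class_cache
000000000001a000 B selinux_mnt
0000000000004000 T _init
"""

# One version node: NAME { ... } [PARENT];  (names may contain dots, e.g. LIBSELINUX_1.0)
_NODE_RE = re.compile(r"(\w[\w.]*)\s*\{(.*?)\}\s*(\w[\w.]*)?\s*;", re.S)


def parse_version_script(text):
    """Return {node: {"global": set, "local": set, "inherits": parent-or-None}}."""
    nodes = {}
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop C-style comments
    for m in _NODE_RE.finditer(text):
        name, body, parent = m.group(1), m.group(2), m.group(3)
        sections = {"global": set(), "local": set(), "inherits": parent}
        current = None
        for piece in body.split(";"):
            piece = piece.strip()
            if not piece:
                continue
            if ":" in piece:                      # "global: first_symbol"
                label, piece = (p.strip() for p in piece.split(":", 1))
                current = label
            if not piece:
                continue
            if current not in ("global", "local"):
                raise ValueError(f"{piece!r} outside global:/local: in {name}")
            sections[current].add(piece)
        nodes[name] = sections
    return nodes


def parse_nm_defined(text, drop_reserved=True):
    """Names of defined global symbols in `nm -g` output.

    Mirrors `cut -d' ' -f3 | grep -v '^_'` from the commit message, but also
    tolerates undefined/weak-undefined lines, which have no address column.
    """
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _addr, kind, name = parts
        elif len(parts) == 2:
            kind, name = parts
        else:
            continue
        if kind in ("U", "w", "v"):               # not defined by this object
            continue
        if drop_reserved and name.startswith("_"):  # _init, _fini, __bss_start, ...
            continue
        names.add(name)
    return names


def exported_globals(nodes):
    """Every name listed under global: across all version nodes."""
    return set().union(*(n["global"] for n in nodes.values()))


def is_opt_in(nodes):
    """True when unlisted symbols are hidden: some node says `local: *;` and
    no node re-exports everything with `global: *;`."""
    return (any("*" in n["local"] for n in nodes.values())
            and not any("*" in n["global"] for n in nodes.values()))


def diff_exports(old_nm_text, nodes):
    """(dropped, added): old exports the script no longer lists, and script
    entries the old build never exported (typos or dead names)."""
    old = parse_nm_defined(old_nm_text)
    new = exported_globals(nodes)
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    nodes = parse_version_script(SAMPLE_MAP)
    print("opt-in (local: *):", is_opt_in(nodes))
    dropped, added = diff_exports(SAMPLE_NM_OLD, nodes)
    print("would no longer be exported:", dropped)
    print("listed but never exported before:", added)
```

Against the real files, read libselinux.map and the captured nm output instead of the samples; a non-empty `added` list usually points at a misspelled entry in the map.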



* [PATCH v2 4/4] libselinux: drop symbols from map
  2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
                         ` (2 preceding siblings ...)
  2020-02-28 14:05       ` [PATCH v2 3/4] Makefile: add linker script to minimize exports bill.c.roberts
@ 2020-02-28 14:05       ` bill.c.roberts
  2020-02-28 15:39         ` Stephen Smalley
  3 siblings, 1 reply; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 14:05 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Previously, libselinux was exporting the following symbols:
  - dir_xattr_list;
  - myprintf_compat;
  - unmap_class;
  - unmap_perm;

However, these appear to be unused and can safely be dropped.

This is done as a separate commit so it can easily be reverted
separately for any reason.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/libselinux.map | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
index 73f4c072af02..31342ca6b58a 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@@ -37,7 +37,6 @@ LIBSELINUX_1.0 {
     context_type_set;
     context_user_get;
     context_user_set;
-    dir_xattr_list;
     fgetfilecon;
     fgetfilecon_raw;
     fini_selinuxmnt;
@@ -94,7 +93,6 @@ LIBSELINUX_1.0 {
     matchpathcon_init;
     matchpathcon_init_prefix;
     mode_to_security_class;
-    myprintf_compat;
     print_access_vector;
     query_user_context;
     realpath_not_final;
@@ -242,8 +240,6 @@ LIBSELINUX_1.0 {
     sidput;
     string_to_av_perm;
     string_to_security_class;
-    unmap_class;
-    unmap_perm;
   local:
     *;
 };
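Review bot: "appear to be unused" does not say what was checked. Because the map ends in `local: *;`, turning these four names local means an external user breaks at load time with an undefined-symbol error rather than at build time, so the commit message should record the check that was done (for example a grep of the in-tree utilities and the language bindings for dir_xattr_list, myprintf_compat, unmap_class and unmap_perm) so a later bisect can see why they were judged safe to drop.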
-- 
2.17.1



* Re: [PATCH v2 4/4] libselinux: drop symbols from map
  2020-02-28 14:05       ` [PATCH v2 4/4] libselinux: drop symbols from map bill.c.roberts
@ 2020-02-28 15:39         ` Stephen Smalley
  2020-02-28 15:40           ` William Roberts
  0 siblings, 1 reply; 37+ messages in thread
From: Stephen Smalley @ 2020-02-28 15:39 UTC (permalink / raw)
  To: William Roberts
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Fri, Feb 28, 2020 at 9:05 AM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> Previously, libselinux was exporting the following symbols:
>   - dir_xattr_list;
>   - myprintf_compat;
>   - unmap_class;
>   - unmap_perm;

I had also suggested removing map_class, map_decision, map_perm.


* Re: [PATCH v2 4/4] libselinux: drop symbols from map
  2020-02-28 15:39         ` Stephen Smalley
@ 2020-02-28 15:40           ` William Roberts
  0 siblings, 0 replies; 37+ messages in thread
From: William Roberts @ 2020-02-28 15:40 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: SElinux list, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	William Roberts

On Fri, Feb 28, 2020 at 9:38 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Feb 28, 2020 at 9:05 AM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > Previously, libselinux was exporting the following symbols:
> >   - dir_xattr_list;
> >   - myprintf_compat;
> >   - unmap_class;
> >   - unmap_perm;
>
> I had also suggested removing map_class, map_decision, map_perm.

Yes, you did; I can't believe I skipped over them.


* [V3] libselinux: drop dso.h
  2020-02-27 23:01 libselinux: drop dso.h bill.c.roberts
                   ` (2 preceding siblings ...)
  2020-02-27 23:01 ` [PATCH 3/3] Makefile: add linker script to minimize exports bill.c.roberts
@ 2020-02-28 15:48 ` bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
                     ` (3 more replies)
  3 siblings, 4 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 15:48 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba

Version 3:
  - Add more symbols that should be dropped from the dso:
    - map_class;
    - map_decision;
    - map_perm;

Version 2:
  - adds a version to the linker script LIBSELINUX_1.0
  - Adds a patch to drop some additional symbols from the dso:
    - dir_xattr_list
    - myprintf_compat
    - unmap_class
    - unmap_perm

This four part patch series drops the dso.h and hidden_*
macros.

The old dso.h functionality provided libselinux with both control over
external exported symbols as well as ensuring internal callers call into
libselinux and not a symbol with the same name loaded by the linker
earlier in the library list.

The functionality is replaced by a linker script that requires public
API to explicitly be opt-in. The old method required that internal API
be explicitly annotated, and everything else is public. This should help
make it easier to control libselinux DSO hygiene going forward.

The second functionality is replaced by compiler option
-fno-semantic-interposition.

Note that clang has this enabled by default, and thus doesn't need it.

See:
  - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition

[PATCH v3 1/4] dso: drop hidden_proto and hidden_def
[PATCH v3 2/4] Makefile: add -fno-semantic-interposition
[PATCH v3 3/4] Makefile: add linker script to minimize exports
[PATCH v3 4/4] libselinux: drop symbols from map



* [PATCH v3 1/4] dso: drop hidden_proto and hidden_def
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
@ 2020-02-28 15:48   ` bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 15:48 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c                          |   5 -
 libselinux/src/avc_internal.h                 |  52 ++++----
 libselinux/src/avc_sidtab.h                   |  11 +-
 libselinux/src/booleans.c                     |   5 -
 libselinux/src/callbacks.h                    |  11 +-
 libselinux/src/canonicalize_context.c         |   2 -
 libselinux/src/checkAccess.c                  |   1 -
 libselinux/src/check_context.c                |   2 -
 libselinux/src/checkreqprot.c                 |   1 -
 libselinux/src/compute_av.c                   |   4 -
 libselinux/src/compute_create.c               |   4 -
 libselinux/src/compute_member.c               |   1 -
 libselinux/src/compute_relabel.c              |   1 -
 libselinux/src/compute_user.c                 |   2 -
 libselinux/src/context.c                      |   9 +-
 libselinux/src/context_internal.h             |  12 --
 libselinux/src/deny_unknown.c                 |   1 -
 libselinux/src/disable.c                      |   1 -
 libselinux/src/dso.h                          |  23 ----
 libselinux/src/enabled.c                      |   2 -
 libselinux/src/fgetfilecon.c                  |   1 -
 libselinux/src/freecon.c                      |   1 -
 libselinux/src/freeconary.c                   |   1 -
 libselinux/src/fsetfilecon.c                  |   1 -
 libselinux/src/get_context_list.c             |   3 -
 libselinux/src/get_context_list_internal.h    |   4 -
 libselinux/src/get_default_type_internal.h    |   2 -
 libselinux/src/get_initial_context.c          |   2 -
 libselinux/src/getenforce.c                   |   1 -
 libselinux/src/getfilecon.c                   |   2 -
 libselinux/src/getpeercon.c                   |   1 -
 libselinux/src/init.c                         |   4 -
 libselinux/src/label_internal.h               |  19 ++-
 libselinux/src/label_support.c                |   6 +-
 libselinux/src/lgetfilecon.c                  |   1 -
 libselinux/src/load_policy.c                  |   2 -
 libselinux/src/lsetfilecon.c                  |   1 -
 libselinux/src/matchpathcon.c                 |   3 +-
 libselinux/src/policyvers.c                   |   2 -
 libselinux/src/procattr.c                     |  21 +---
 libselinux/src/regex.h                        |  21 ++--
 libselinux/src/reject_unknown.c               |   1 -
 .../src/selinux_check_securetty_context.c     |   1 -
 libselinux/src/selinux_config.c               |  36 ------
 libselinux/src/selinux_internal.h             | 117 +-----------------
 libselinux/src/setenforce.c                   |   1 -
 libselinux/src/setfilecon.c                   |   1 -
 libselinux/src/setrans_client.c               |   8 +-
 libselinux/src/seusers.c                      |   2 +-
 libselinux/src/sha1.c                         |   7 +-
 libselinux/src/stringrep.c                    |   1 -
 libselinux/src/validatetrans.c                |   2 -
 52 files changed, 69 insertions(+), 357 deletions(-)
 delete mode 100644 libselinux/src/dso.h

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 5230efd2323a..ab10b0f9f1cb 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -294,7 +294,6 @@ void avc_av_stats(void)
 		slots_used, AVC_CACHE_SLOTS, max_chain_len);
 }
 
-hidden_def(avc_av_stats)
 
 static inline struct avc_node *avc_reclaim_node(void)
 {
@@ -494,7 +493,6 @@ void avc_cleanup(void)
 {
 }
 
-hidden_def(avc_cleanup)
 
 int avc_reset(void)
 {
@@ -539,7 +537,6 @@ int avc_reset(void)
 	return rc;
 }
 
-hidden_def(avc_reset)
 
 void avc_destroy(void)
 {
@@ -733,7 +730,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	avc_release_lock(avc_log_lock);
 }
 
-hidden_def(avc_audit)
 
 
 static void avd_init(struct av_decision *avd)
@@ -825,7 +821,6 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	return rc;
 }
 
-hidden_def(avc_has_perm_noaudit)
 
 int avc_has_perm(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t requested,
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index f8516590bd75..3f8a6bb1cf84 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -14,24 +14,23 @@
 #include <string.h>
 #include <selinux/avc.h>
 #include "callbacks.h"
-#include "dso.h"
 
 /* callback pointers */
-extern void *(*avc_func_malloc) (size_t) hidden;
-extern void (*avc_func_free) (void *)hidden;
+extern void *(*avc_func_malloc) (size_t) ;
+extern void (*avc_func_free) (void *);
 
-extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
-extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
+extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);
 
-extern int avc_using_threads hidden;
-extern int avc_app_main_loop hidden;
-extern void *(*avc_func_create_thread) (void (*)(void))hidden;
-extern void (*avc_func_stop_thread) (void *)hidden;
+extern int avc_using_threads ;
+extern int avc_app_main_loop ;
+extern void *(*avc_func_create_thread) (void (*)(void));
+extern void (*avc_func_stop_thread) (void *);
 
-extern void *(*avc_func_alloc_lock) (void)hidden;
-extern void (*avc_func_get_lock) (void *)hidden;
-extern void (*avc_func_release_lock) (void *)hidden;
-extern void (*avc_func_free_lock) (void *)hidden;
+extern void *(*avc_func_alloc_lock) (void);
+extern void (*avc_func_get_lock) (void *);
+extern void (*avc_func_release_lock) (void *);
+extern void (*avc_func_free_lock) (void *);
 
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 				 const struct avc_log_callback *log_cb,
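Review bot: several of the rewritten declarations keep the space that used to precede `hidden`, e.g. `extern void *(*avc_func_malloc) (size_t) ;` and `extern int avc_using_threads ;`. Since this is a mechanical removal of the attribute, tidy them to `extern void *(*avc_func_malloc) (size_t);` and `extern int avc_using_threads;`; the same stray ` ;` appears in the other two hunks of this file and in the avc_sidtab.h and callbacks.h hunks.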
@@ -61,10 +60,10 @@ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 
 /* message prefix and enforcing mode*/
 #define AVC_PREFIX_SIZE 16
-extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
-extern int avc_running hidden;
-extern int avc_enforcing hidden;
-extern int avc_setenforce hidden;
+extern char avc_prefix[AVC_PREFIX_SIZE] ;
+extern int avc_running ;
+extern int avc_enforcing ;
+extern int avc_setenforce ;
 
 /* user-supplied callback interface for avc */
 static inline void *avc_malloc(size_t size)
@@ -155,28 +154,23 @@ static inline void avc_free_lock(void *lock)
 /* internal callbacks */
 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t perms,
-		 uint32_t seqno) hidden;
+		 uint32_t seqno) ;
 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
 		      security_class_t tclass,
 		      access_vector_t perms, uint32_t seqno,
-		      access_vector_t * out_retained) hidden;
+		      access_vector_t * out_retained) ;
 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
 		  security_class_t tclass, access_vector_t perms,
-		  uint32_t seqno) hidden;
-int avc_ss_reset(uint32_t seqno) hidden;
+		  uint32_t seqno) ;
+int avc_ss_reset(uint32_t seqno) ;
 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
 			  security_class_t tclass, access_vector_t perms,
-			  uint32_t seqno, uint32_t enable) hidden;
+			  uint32_t seqno, uint32_t enable) ;
 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 			 security_class_t tclass, access_vector_t perms,
-			 uint32_t seqno, uint32_t enable) hidden;
+			 uint32_t seqno, uint32_t enable) ;
 
 /* netlink kernel message code */
-extern int avc_netlink_trouble hidden;
+extern int avc_netlink_trouble ;
 
-hidden_proto(avc_av_stats)
-    hidden_proto(avc_cleanup)
-    hidden_proto(avc_reset)
-    hidden_proto(avc_audit)
-    hidden_proto(avc_has_perm_noaudit)
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
diff --git a/libselinux/src/avc_sidtab.h b/libselinux/src/avc_sidtab.h
index bce9b877ae79..cc5abe354a01 100644
--- a/libselinux/src/avc_sidtab.h
+++ b/libselinux/src/avc_sidtab.h
@@ -7,7 +7,6 @@
 
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include "dso.h"
 
 struct sidtab_node {
 	struct security_id sid_s;
@@ -24,13 +23,13 @@ struct sidtab {
 	unsigned nel;
 };
 
-int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
+int sidtab_init(struct sidtab *s) ;
+int sidtab_insert(struct sidtab *s, const char * ctx) ;
 
 int sidtab_context_to_sid(struct sidtab *s,
-			  const char * ctx, security_id_t * sid) hidden;
+			  const char * ctx, security_id_t * sid) ;
 
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
-void sidtab_destroy(struct sidtab *s) hidden;
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
+void sidtab_destroy(struct sidtab *s) ;
 
 #endif				/* _SELINUX_AVC_SIDTAB_H_ */
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ffa8d26b0f3a..ef1f64a05d84 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -414,8 +414,3 @@ char *selinux_boolean_sub(const char *name __attribute__((unused)))
 }
 #endif
 
-hidden_def(security_get_boolean_names)
-hidden_def(selinux_boolean_sub)
-hidden_def(security_get_boolean_active)
-hidden_def(security_set_boolean)
-hidden_def(security_commit_booleans)
diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
index 2a572e08d534..03d87f0cbdfe 100644
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@@ -9,22 +9,21 @@
 #include <stdlib.h>
 #include <string.h>
 #include <selinux/selinux.h>
-#include "dso.h"
 
 /* callback pointers */
 extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) hidden;
+(*selinux_log) (int type, const char *, ...) ;
 
 extern int
-(*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
+(*selinux_audit) (void *, security_class_t, char *, size_t) ;
 
 extern int
-(*selinux_validate)(char **ctx) hidden;
+(*selinux_validate)(char **ctx) ;
 
 extern int
-(*selinux_netlink_setenforce) (int enforcing) hidden;
+(*selinux_netlink_setenforce) (int enforcing) ;
 
 extern int
-(*selinux_netlink_policyload) (int seqno) hidden;
+(*selinux_netlink_policyload) (int seqno) ;
 
 #endif				/* _SELINUX_CALLBACKS_H_ */
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c7d46..faab730592c2 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -60,7 +60,6 @@ int security_canonicalize_context_raw(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context_raw)
 
 int security_canonicalize_context(const char * con,
 				      char ** canoncon)
@@ -83,4 +82,3 @@ int security_canonicalize_context(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 7227ffe51eac..677e2ecd7df4 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -99,7 +99,6 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
-hidden_def(selinux_check_passwd_access)
 
 int checkPasswdAccess(access_vector_t requested)
 {
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f03598..5096a2c40993 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -31,7 +31,6 @@ int security_check_context_raw(const char * con)
 	return 0;
 }
 
-hidden_def(security_check_context_raw)
 
 int security_check_context(const char * con)
 {
@@ -48,4 +47,3 @@ int security_check_context(const char * con)
 	return ret;
 }
 
-hidden_def(security_check_context)
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
index 9b4b12d75021..3dc79d9719c5 100644
--- a/libselinux/src/checkreqprot.c
+++ b/libselinux/src/checkreqprot.c
@@ -37,4 +37,3 @@ int security_get_checkreqprot(void)
 	return checkreqprot;
 }
 
-hidden_def(security_get_checkreqprot);
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe98662..9d17339d1a32 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -80,7 +80,6 @@ int security_compute_av_flags_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags_raw)
 
 int security_compute_av_raw(const char * scon,
 			    const char * tcon,
@@ -107,7 +106,6 @@ int security_compute_av_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_raw)
 
 int security_compute_av_flags(const char * scon,
 			      const char * tcon,
@@ -134,7 +132,6 @@ int security_compute_av_flags(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags)
 
 int security_compute_av(const char * scon,
 			const char * tcon,
@@ -162,4 +159,3 @@ int security_compute_av(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac2224..1d75714d852d 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -105,7 +105,6 @@ int security_compute_create_name_raw(const char * scon,
 	close(fd);
 	return ret;
 }
-hidden_def(security_compute_create_name_raw)
 
 int security_compute_create_raw(const char * scon,
 				const char * tcon,
@@ -115,7 +114,6 @@ int security_compute_create_raw(const char * scon,
 	return security_compute_create_name_raw(scon, tcon, tclass,
 						NULL, newcon);
 }
-hidden_def(security_compute_create_raw)
 
 int security_compute_create_name(const char * scon,
 				 const char * tcon,
@@ -146,7 +144,6 @@ int security_compute_create_name(const char * scon,
 
 	return ret;
 }
-hidden_def(security_compute_create_name)
 
 int security_compute_create(const char * scon,
 				const char * tcon,
@@ -155,4 +152,3 @@ int security_compute_create(const char * scon,
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
-hidden_def(security_compute_create)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221ef9ea..16234b7908f2 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -60,7 +60,6 @@ int security_compute_member_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_member_raw)
 
 int security_compute_member(const char * scon,
 			    const char * tcon,
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3344c..dd20d6525993 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -60,7 +60,6 @@ int security_compute_relabel_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_relabel_raw)
 
 int security_compute_relabel(const char * scon,
 			     const char * tcon,
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index e7da964ff46d..ae5e7b4a8f68 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -80,7 +80,6 @@ int security_compute_user_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user_raw)
 
 int security_compute_user(const char * scon,
 			  const char *user, char *** con)
@@ -110,4 +109,3 @@ int security_compute_user(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user)
diff --git a/libselinux/src/context.c b/libselinux/src/context.c
index b673733e1f48..090264a49eb1 100644
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@@ -82,7 +82,6 @@ context_t context_new(const char *str)
 	return 0;
 }
 
-hidden_def(context_new)
 
 static void conditional_free(char **v)
 {
@@ -113,7 +112,6 @@ void context_free(context_t context)
 	}
 }
 
-hidden_def(context_free)
 
 /*
  * Return a pointer to the string value of the context.
@@ -144,7 +142,6 @@ char *context_str(context_t context)
 	return n->current_str;
 }
 
-hidden_def(context_str)
 
 /* Returns nonzero iff failed */
 static int set_comp(context_private_t * n, int idx, const char *str)
@@ -176,8 +173,7 @@ const char * context_ ## name ## _get(context_t context) \
 { \
         context_private_t *n = context->ptr; \
         return n->component[tag]; \
-} \
-hidden_def(context_ ## name ## _get)
+}
 
 def_get(type, COMP_TYPE)
     def_get(user, COMP_USER)
@@ -187,8 +183,7 @@ def_get(type, COMP_TYPE)
 int context_ ## name ## _set(context_t context, const char* str) \
 { \
         return set_comp(context->ptr,tag,str);\
-} \
-hidden_def(context_ ## name ## _set)
+}
     def_set(type, COMP_TYPE)
     def_set(role, COMP_ROLE)
     def_set(user, COMP_USER)
diff --git a/libselinux/src/context_internal.h b/libselinux/src/context_internal.h
index 3c71e8027080..a7698106923e 100644
--- a/libselinux/src/context_internal.h
+++ b/libselinux/src/context_internal.h
@@ -1,14 +1,2 @@
 #include <selinux/context.h>
-#include "dso.h"
 
-hidden_proto(context_new)
-    hidden_proto(context_free)
-    hidden_proto(context_str)
-    hidden_proto(context_type_set)
-    hidden_proto(context_type_get)
-    hidden_proto(context_role_set)
-    hidden_proto(context_role_get)
-    hidden_proto(context_user_set)
-    hidden_proto(context_user_get)
-    hidden_proto(context_range_set)
-    hidden_proto(context_range_get)
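Review bot: with the `dso.h` include and the `hidden_proto` list gone, context_internal.h is reduced to `#include <selinux/context.h>` followed by a trailing empty line (`@@ -1,14 +1,2 @@`); drop that blank so the header does not end with an empty line. get_context_list_internal.h and get_default_type_internal.h are left in the same shape further down.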
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index 77d04e370f30..fdd32b50a246 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -37,4 +37,3 @@ int security_deny_unknown(void)
 	return deny_unknown;
 }
 
-hidden_def(security_deny_unknown);
diff --git a/libselinux/src/disable.c b/libselinux/src/disable.c
index 8d66262aff03..1a5ae4172a8d 100644
--- a/libselinux/src/disable.c
+++ b/libselinux/src/disable.c
@@ -35,4 +35,3 @@ int security_disable(void)
 	return 0;
 }
 
-hidden_def(security_disable)
diff --git a/libselinux/src/dso.h b/libselinux/src/dso.h
deleted file mode 100644
index 12c3d1160fb0..000000000000
--- a/libselinux/src/dso.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _SELINUX_DSO_H
-#define _SELINUX_DSO_H	1
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
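Review bot: nothing in this patch replaces what dso.h provided, so a tree with only this commit applied builds libselinux with every non-static symbol exported and with internal calls once again open to interposition; if the linker script and compiler flag that take over this job arrive in later commits of the series, consider landing those first (or squashing) so that no intermediate commit regresses symbol hygiene for anyone bisecting. Symbols that were only ever internal, such as `read_spec_entries`, `digest_gen_hash` and the `regex_*` helpers, are affected the same way.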
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index dd628fba86a8..fefb0bd9ae02 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -20,7 +20,6 @@ int is_selinux_enabled(void)
 #endif
 }
 
-hidden_def(is_selinux_enabled)
 
 /*
  * Function: is_selinux_mls_enabled()
@@ -55,4 +54,3 @@ int is_selinux_mls_enabled(void)
 	return enabled;
 }
 
-hidden_def(is_selinux_mls_enabled)
diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c
index 5522ac16e385..8c748f8a2e64 100644
--- a/libselinux/src/fgetfilecon.c
+++ b/libselinux/src/fgetfilecon.c
@@ -49,7 +49,6 @@ int fgetfilecon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(fgetfilecon_raw)
 
 int fgetfilecon(int fd, char ** context)
 {
diff --git a/libselinux/src/freecon.c b/libselinux/src/freecon.c
index 5290dfa13bc4..df2d7e2827ea 100644
--- a/libselinux/src/freecon.c
+++ b/libselinux/src/freecon.c
@@ -8,4 +8,3 @@ void freecon(char * con)
 	free(con);
 }
 
-hidden_def(freecon)
diff --git a/libselinux/src/freeconary.c b/libselinux/src/freeconary.c
index 8d07718ed5f9..fd2dbaabfbcf 100644
--- a/libselinux/src/freeconary.c
+++ b/libselinux/src/freeconary.c
@@ -16,4 +16,3 @@ void freeconary(char ** con)
 	free(con);
 }
 
-hidden_def(freeconary)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05ddd4..5cf34e3fa5d0 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -25,7 +25,6 @@ int fsetfilecon_raw(int fd, const char * context)
 	return rc;
 }
 
-hidden_def(fsetfilecon_raw)
 
 int fsetfilecon(int fd, const char *context)
 {
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 26d7b3b98e75..b43652ffd28c 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -52,7 +52,6 @@ int get_default_context_with_role(const char *user,
 	return rc;
 }
 
-hidden_def(get_default_context_with_role)
 
 int get_default_context_with_rolelevel(const char *user,
 				       const char *role,
@@ -385,7 +384,6 @@ int get_ordered_context_list_with_level(const char *user,
 	return rc;
 }
 
-hidden_def(get_ordered_context_list_with_level)
 
 int get_default_context_with_level(const char *user,
 				   const char *level,
@@ -497,4 +495,3 @@ int get_ordered_context_list(const char *user,
 	goto out;
 }
 
-hidden_def(get_ordered_context_list)
diff --git a/libselinux/src/get_context_list_internal.h b/libselinux/src/get_context_list_internal.h
index c224834ebfb4..a7c1d41ba07f 100644
--- a/libselinux/src/get_context_list_internal.h
+++ b/libselinux/src/get_context_list_internal.h
@@ -1,6 +1,2 @@
 #include <selinux/get_context_list.h>
-#include "dso.h"
 
-hidden_proto(get_ordered_context_list)
-    hidden_proto(get_ordered_context_list_with_level)
-    hidden_proto(get_default_context_with_role)
diff --git a/libselinux/src/get_default_type_internal.h b/libselinux/src/get_default_type_internal.h
index 0da3c512d6fb..deb5d2963211 100644
--- a/libselinux/src/get_default_type_internal.h
+++ b/libselinux/src/get_default_type_internal.h
@@ -1,4 +1,2 @@
 #include <selinux/get_default_type.h>
-#include "dso.h"
 
-hidden_proto(selinux_default_type_path)
diff --git a/libselinux/src/get_initial_context.c b/libselinux/src/get_initial_context.c
index 5e919f478b63..97ae3dcfb5a6 100644
--- a/libselinux/src/get_initial_context.c
+++ b/libselinux/src/get_initial_context.c
@@ -53,7 +53,6 @@ int security_get_initial_context_raw(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context_raw)
 
 int security_get_initial_context(const char * name, char ** con)
 {
@@ -69,4 +68,3 @@ int security_get_initial_context(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context)
diff --git a/libselinux/src/getenforce.c b/libselinux/src/getenforce.c
index d909dced73c6..3f1e20021a4e 100644
--- a/libselinux/src/getenforce.c
+++ b/libselinux/src/getenforce.c
@@ -37,4 +37,3 @@ int security_getenforce(void)
 	return !!enforce;
 }
 
-hidden_def(security_getenforce)
diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c
index 20bee8abdbfc..4bee31372172 100644
--- a/libselinux/src/getfilecon.c
+++ b/libselinux/src/getfilecon.c
@@ -49,7 +49,6 @@ int getfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon_raw)
 
 int getfilecon(const char *path, char ** context)
 {
@@ -70,4 +69,3 @@ int getfilecon(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon)
diff --git a/libselinux/src/getpeercon.c b/libselinux/src/getpeercon.c
index 3a77a2de2c95..a9dca73e438a 100644
--- a/libselinux/src/getpeercon.c
+++ b/libselinux/src/getpeercon.c
@@ -43,7 +43,6 @@ int getpeercon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(getpeercon_raw)
 
 int getpeercon(int fd, char ** context)
 {
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 083638c47fbf..542c979b9da6 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -12,7 +12,6 @@
 #include <stdint.h>
 #include <limits.h>
 
-#include "dso.h"
 #include "policy.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
@@ -79,7 +78,6 @@ int selinuxfs_exists(void)
 	fclose(fp);
 	return exists;
 }
-hidden_def(selinuxfs_exists)
 
 static void init_selinuxmnt(void)
 {
@@ -138,14 +136,12 @@ void fini_selinuxmnt(void)
 	selinux_mnt = NULL;
 }
 
-hidden_def(fini_selinuxmnt)
 
 void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
 
-hidden_def(set_selinuxmnt)
 
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7ed2a43770a7..361b443cb9c4 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,6 @@
 #include <stdio.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
-#include "dso.h"
 #include "sha1.h"
 
 #if defined(ANDROID) || defined(__APPLE__)
@@ -26,22 +25,22 @@
  */
 int selabel_file_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_media_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_x_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_db_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_service_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
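Review bot: stripping `hidden` leaves a stray space before the semicolon in all six prototypes (`unsigned nopts) ;`); write `unsigned nopts);`. The same `) ;` artifact recurs in the remaining hunks of this header (`selabel_validate`, `myprintf`, `compat_validate`).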
 
 /*
  * Labeling internal structures
@@ -120,14 +119,14 @@ struct selabel_handle {
  */
 extern int
 selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) hidden;
+		 struct selabel_lookup_rec *contexts) ;
 
 /*
  * Compatibility support
  */
 extern int myprintf_compat;
 extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...) hidden;
+(*myprintf) (const char *fmt, ...) ;
 
 #define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
 		myprintf(fmt);				  \
@@ -137,7 +136,7 @@ extern void __attribute__ ((format(printf, 1, 2)))
 extern int
 compat_validate(struct selabel_handle *rec,
 		struct selabel_lookup_rec *contexts,
-		const char *path, unsigned lineno) hidden;
+		const char *path, unsigned lineno) ;
 
 /*
  * The read_spec_entries function may be used to
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 26f9ef155dcf..94ed6e4273cb 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@@ -63,7 +63,7 @@ static inline int read_spec_entry(char **entry, char **ptr, int *len, const char
  * This function calls read_spec_entry() to do the actual string processing.
  * As such, can return anything from that function as well.
  */
-int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 {
 	char **spec_entry, *buf_p;
 	int len, rc, items, entry_len = 0;
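Review bot: `int  read_spec_entries(` keeps a double space where `hidden` was removed; collapse it to `int read_spec_entries(`. The next two hunks have the same artifact in `void  digest_gen_hash(` and `int  digest_add_specfile(`.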
@@ -113,7 +113,7 @@ int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args,
 }
 
 /* Once all the specfiles are in the hash_buf, generate the hash. */
-void hidden digest_gen_hash(struct selabel_digest *digest)
+void  digest_gen_hash(struct selabel_digest *digest)
 {
 	Sha1Context context;
 
@@ -141,7 +141,7 @@ void hidden digest_gen_hash(struct selabel_digest *digest)
  *
  * Return %0 on success, -%1 with @errno set on failure.
  */
-int hidden digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+int  digest_add_specfile(struct selabel_digest *digest, FILE *fp,
 				    char *from_addr, size_t buf_len,
 				    const char *path)
 {
diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c
index db67bc60ffe6..d1fb821b23ef 100644
--- a/libselinux/src/lgetfilecon.c
+++ b/libselinux/src/lgetfilecon.c
@@ -49,7 +49,6 @@ int lgetfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(lgetfilecon_raw)
 
 int lgetfilecon(const char *path, char ** context)
 {
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 9e75292d2528..fa1a3bf1f441 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -45,7 +45,6 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 }
 
-hidden_def(security_load_policy)
 
 #ifndef ANDROID
 #undef max
@@ -213,7 +212,6 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	return rc;
 }
 
-hidden_def(selinux_mkload_policy)
 
 /*
  * Mount point for selinuxfs. 
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1c5fc..213fb684fc66 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -25,7 +25,6 @@ int lsetfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(lsetfilecon_raw)
 
 int lsetfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa4cfd5..bddf77a49ce1 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -322,7 +322,7 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
 
-void hidden __attribute__((destructor)) matchpathcon_lib_destructor(void)
+void  __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
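Review bot: `void  __attribute__((destructor)) matchpathcon_lib_destructor(void)` has a double space where `hidden` used to be; make it `void __attribute__((destructor))`. The destructor definitions in procattr.c and setrans_client.c pick up the same double space.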
@@ -351,7 +351,6 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 
-hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
 {
diff --git a/libselinux/src/policyvers.c b/libselinux/src/policyvers.c
index c97dd9df7a8a..e5aa2f3f2d55 100644
--- a/libselinux/src/policyvers.c
+++ b/libselinux/src/policyvers.c
@@ -7,7 +7,6 @@
 #include "selinux_internal.h"
 #include <stdio.h>
 #include "policy.h"
-#include "dso.h"
 #include <limits.h>
 
 int security_policyvers(void)
@@ -42,4 +41,3 @@ int security_policyvers(void)
 	return vers;
 }
 
-hidden_def(security_policyvers)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef27533..1aa67ac53f39 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -57,7 +57,7 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) procattr_destructor(void);
 
-void hidden __attribute__((destructor)) procattr_destructor(void)
+void  __attribute__((destructor)) procattr_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@@ -345,22 +345,3 @@ all_selfattr_def(con, current)
     all_selfattr_def(sockcreatecon, sockcreate)
     all_selfattr_def(keycreatecon, keycreate)
 
-    hidden_def(getcon_raw)
-    hidden_def(getcon)
-    hidden_def(getexeccon_raw)
-    hidden_def(getfilecon_raw)
-    hidden_def(getfilecon)
-    hidden_def(getfscreatecon_raw)
-    hidden_def(getkeycreatecon_raw)
-    hidden_def(getpeercon_raw)
-    hidden_def(getpidcon_raw)
-    hidden_def(getprevcon_raw)
-    hidden_def(getprevcon)
-    hidden_def(getsockcreatecon_raw)
-    hidden_def(setcon_raw)
-    hidden_def(setexeccon_raw)
-    hidden_def(setexeccon)
-    hidden_def(setfilecon_raw)
-    hidden_def(setfscreatecon_raw)
-    hidden_def(setkeycreatecon_raw)
-    hidden_def(setsockcreatecon_raw)
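Review bot: with the `hidden_def` block deleted, procattr.c now ends with an empty line after the last `all_selfattr_def` (`@@ -345,22 +345,3 @@`); remove that trailing blank as well.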
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
index 6732b349984c..10c3df7856e1 100644
--- a/libselinux/src/regex.h
+++ b/libselinux/src/regex.h
@@ -10,7 +10,6 @@
 #include <pcre.h>
 #endif
 
-#include "dso.h"
 
 enum { REGEX_MATCH,
        REGEX_MATCH_PARTIAL,
@@ -42,7 +41,7 @@ struct mmap_area;
  * expressions are not portable across architectures that do not have a
  * matching arch-string.
  */
-char const *regex_arch_string(void) hidden;
+char const *regex_arch_string(void) ;
 
 /**
  * regex_verison returns the version string of the underlying regular
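Review bot: `char const *regex_arch_string(void) ;` leaves a space before the semicolon; write `regex_arch_string(void);`. Every prototype in the rest of this header (`regex_version` through `regex_format_error`) ends the same way after the `hidden` removal, so a single pass over the file fixing `) ;` to `);` would cover them all.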
@@ -55,12 +54,12 @@ char const *regex_arch_string(void) hidden;
  *
  * It may return NULL on error.
  */
-char const *regex_version(void) hidden;
+char const *regex_version(void) ;
 /**
  * This constructor function allocates a buffer for a regex_data structure.
  * The buffer is being initialized with zeroes.
  */
-struct regex_data *regex_data_create(void) hidden;
+struct regex_data *regex_data_create(void) ;
 /**
  * This complementary destructor function frees the a given regex_data buffer.
  * It also frees any non NULL member pointers with the appropriate pcreX_X_free
@@ -68,7 +67,7 @@ struct regex_data *regex_data_create(void) hidden;
  * the pcre_extra data conditionally. Calling this function on a NULL pointer is
  * save.
  */
-void regex_data_free(struct regex_data *regex) hidden;
+void regex_data_free(struct regex_data *regex) ;
 /**
  * This function compiles the regular expression. Additionally, it prepares
  * data structures required by the different underlying engines. For PCRE
@@ -88,7 +87,7 @@ void regex_data_free(struct regex_data *regex) hidden;
  * @retval -1 on error
  */
 int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
-		       struct regex_error_data *errordata) hidden;
+		       struct regex_error_data *errordata) ;
 /**
  * This function loads a serialized precompiled pattern from a contiguous
  * data region given by map_area.
@@ -109,7 +108,7 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
 int regex_load_mmap(struct mmap_area *map_area,
 		    struct regex_data **regex,
 		    int do_load_precompregex,
-		    bool *regex_compiled) hidden;
+		    bool *regex_compiled) ;
 /**
  * This function stores a precompiled regular expression to a file.
  * In the case of PCRE, it just dumps the binary representation of the
@@ -122,7 +121,7 @@ int regex_load_mmap(struct mmap_area *map_area,
  *			      the output file (ignored by PCRE1 back-end).
  */
 int regex_writef(struct regex_data *regex, FILE *fp,
-		 int do_write_precompregex) hidden;
+		 int do_write_precompregex) ;
 /**
  * This function applies a precompiled pattern to a subject string and
  * returns whether or not a match was found.
@@ -139,7 +138,7 @@ int regex_writef(struct regex_data *regex, FILE *fp,
  *                     regular expression
  */
 int regex_match(struct regex_data *regex, char const *subject,
-		int partial) hidden;
+		int partial) ;
 /**
  * This function compares two compiled regular expressions (regex1 and regex2).
  * It compares the binary representations of the compiled patterns. It is a very
@@ -150,7 +149,7 @@ int regex_match(struct regex_data *regex, char const *subject,
  *                       the same
  * @retval SELABEL_INCOMPARABLE otherwise
  */
-int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
+int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) ;
 /**
  * This function takes the error data returned by regex_prepare_data and turns
  * it in to a human readable error message.
@@ -163,5 +162,5 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
  * @arg buf_size Total size of the given buffer in bytes.
  */
 void regex_format_error(struct regex_error_data const *error_data, char *buffer,
-			size_t buf_size) hidden;
+			size_t buf_size) ;
 #endif /* SRC_REGEX_H_ */
diff --git a/libselinux/src/reject_unknown.c b/libselinux/src/reject_unknown.c
index 5c1d36053812..96e60be396ea 100644
--- a/libselinux/src/reject_unknown.c
+++ b/libselinux/src/reject_unknown.c
@@ -37,4 +37,3 @@ int security_reject_unknown(void)
 	return reject_unknown;
 }
 
-hidden_def(security_reject_unknown);
diff --git a/libselinux/src/selinux_check_securetty_context.c b/libselinux/src/selinux_check_securetty_context.c
index 55d4e039ea41..c5c557fd3492 100644
--- a/libselinux/src/selinux_check_securetty_context.c
+++ b/libselinux/src/selinux_check_securetty_context.c
@@ -50,4 +50,3 @@ int selinux_check_securetty_context(const char * tty_context)
 	return found;
 }
 
-hidden_def(selinux_check_securetty_context)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b16a3851ad4a..6c5238953cb1 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -128,7 +128,6 @@ int selinux_getenforcemode(int *enforce)
 	return ret;
 }
 
-hidden_def(selinux_getenforcemode)
 
 static char *selinux_policytype;
 
@@ -141,7 +140,6 @@ int selinux_getpolicytype(char **type)
 	return *type ? 0 : -1;
 }
 
-hidden_def(selinux_getpolicytype)
 
 static int setpolicytype(const char *type)
 {
@@ -249,7 +247,6 @@ void selinux_reset_config(void)
 	init_selinux_config();
 }
 
-hidden_def(selinux_reset_config)
 
 static const char *get_path(int idx)
 {
@@ -262,7 +259,6 @@ const char *selinux_default_type_path(void)
 	return get_path(DEFAULT_TYPE);
 }
 
-hidden_def(selinux_default_type_path)
 
 const char *selinux_policy_root(void)
 {
@@ -305,42 +301,36 @@ const char *selinux_path(void)
 	return selinux_rootpath;
 }
 
-hidden_def(selinux_path)
 
 const char *selinux_default_context_path(void)
 {
 	return get_path(DEFAULT_CONTEXTS);
 }
 
-hidden_def(selinux_default_context_path)
 
 const char *selinux_securetty_types_path(void)
 {
 	return get_path(SECURETTY_TYPES);
 }
 
-hidden_def(selinux_securetty_types_path)
 
 const char *selinux_failsafe_context_path(void)
 {
 	return get_path(FAILSAFE_CONTEXT);
 }
 
-hidden_def(selinux_failsafe_context_path)
 
 const char *selinux_removable_context_path(void)
 {
 	return get_path(REMOVABLE_CONTEXT);
 }
 
-hidden_def(selinux_removable_context_path)
 
 const char *selinux_binary_policy_path(void)
 {
 	return get_path(BINPOLICY);
 }
 
-hidden_def(selinux_binary_policy_path)
 
 const char *selinux_current_policy_path(void)
 {
@@ -365,35 +355,30 @@ const char *selinux_current_policy_path(void)
 	return policy_path;
 }
 
-hidden_def(selinux_current_policy_path)
 
 const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
 }
 
-hidden_def(selinux_file_context_path)
 
 const char *selinux_homedir_context_path(void)
 {
 	return get_path(HOMEDIR_CONTEXTS);
 }
 
-hidden_def(selinux_homedir_context_path)
 
 const char *selinux_media_context_path(void)
 {
 	return get_path(MEDIA_CONTEXTS);
 }
 
-hidden_def(selinux_media_context_path)
 
 const char *selinux_customizable_types_path(void)
 {
 	return get_path(CUSTOMIZABLE_TYPES);
 }
 
-hidden_def(selinux_customizable_types_path)
 
 const char *selinux_contexts_path(void)
 {
@@ -405,7 +390,6 @@ const char *selinux_user_contexts_path(void)
 	return get_path(USER_CONTEXTS);
 }
 
-hidden_def(selinux_user_contexts_path)
 
 /* Deprecated as local policy booleans no longer supported. */
 const char *selinux_booleans_path(void)
@@ -413,7 +397,6 @@ const char *selinux_booleans_path(void)
 	return get_path(BOOLEANS);
 }
 
-hidden_def(selinux_booleans_path)
 
 /* Deprecated as no longer supported. */
 const char *selinux_users_path(void)
@@ -421,127 +404,108 @@ const char *selinux_users_path(void)
 	return get_path(USERS_DIR);
 }
 
-hidden_def(selinux_users_path)
 
 const char *selinux_usersconf_path(void)
 {
 	return get_path(SEUSERS);
 }
 
-hidden_def(selinux_usersconf_path)
 
 const char *selinux_translations_path(void)
 {
 	return get_path(TRANSLATIONS);
 }
 
-hidden_def(selinux_translations_path)
 
 const char *selinux_colors_path(void)
 {
 	return get_path(COLORS);
 }
 
-hidden_def(selinux_colors_path)
 
 const char *selinux_netfilter_context_path(void)
 {
 	return get_path(NETFILTER_CONTEXTS);
 }
 
-hidden_def(selinux_netfilter_context_path)
 
 const char *selinux_file_context_homedir_path(void)
 {
 	return get_path(FILE_CONTEXTS_HOMEDIR);
 }
 
-hidden_def(selinux_file_context_homedir_path)
 
 const char *selinux_file_context_local_path(void)
 {
 	return get_path(FILE_CONTEXTS_LOCAL);
 }
 
-hidden_def(selinux_file_context_local_path)
 
 const char *selinux_x_context_path(void)
 {
 	return get_path(X_CONTEXTS);
 }
 
-hidden_def(selinux_x_context_path)
 
 const char *selinux_virtual_domain_context_path(void)
 {
 	return get_path(VIRTUAL_DOMAIN);
 }
 
-hidden_def(selinux_virtual_domain_context_path)
 
 const char *selinux_virtual_image_context_path(void)
 {
 	return get_path(VIRTUAL_IMAGE);
 }
 
-hidden_def(selinux_virtual_image_context_path)
 
 const char *selinux_lxc_contexts_path(void)
 {
 	return get_path(LXC_CONTEXTS);
 }
 
-hidden_def(selinux_lxc_contexts_path)
 
 const char *selinux_openrc_contexts_path(void)
 {
     return get_path(OPENRC_CONTEXTS);
 }
 
-hidden_def(selinux_openrc_contexts_path)
 
 const char *selinux_openssh_contexts_path(void)
 {
     return get_path(OPENSSH_CONTEXTS);
 }
 
-hidden_def(selinux_openssh_contexts_path)
 
 const char *selinux_snapperd_contexts_path(void)
 {
     return get_path(SNAPPERD_CONTEXTS);
 }
 
-hidden_def(selinux_snapperd_contexts_path)
 
 const char *selinux_systemd_contexts_path(void)
 {
 	return get_path(SYSTEMD_CONTEXTS);
 }
 
-hidden_def(selinux_systemd_contexts_path)
 
 const char * selinux_booleans_subs_path(void) {
 	return get_path(BOOLEAN_SUBS);
 }
 
-hidden_def(selinux_booleans_subs_path)
 
 const char * selinux_file_context_subs_path(void) {
 	return get_path(FILE_CONTEXT_SUBS);
 }
 
-hidden_def(selinux_file_context_subs_path)
 
 const char * selinux_file_context_subs_dist_path(void) {
 	return get_path(FILE_CONTEXT_SUBS_DIST);
 }
 
-hidden_def(selinux_file_context_subs_dist_path)
 
 const char *selinux_sepgsql_context_path(void)
 {
 	return get_path(SEPGSQL_CONTEXTS);
 }
 
-hidden_def(selinux_sepgsql_context_path)
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 61b78aaa7c10..27e9ac532c3f 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -1,116 +1,9 @@
 #include <selinux/selinux.h>
 #include <pthread.h>
-#include "dso.h"
-
-hidden_proto(selinux_mkload_policy)
-    hidden_proto(fini_selinuxmnt)
-    hidden_proto(set_selinuxmnt)
-    hidden_proto(selinuxfs_exists)
-    hidden_proto(security_disable)
-    hidden_proto(security_policyvers)
-    hidden_proto(security_load_policy)
-    hidden_proto(security_get_boolean_active)
-    hidden_proto(security_get_boolean_names)
-    hidden_proto(security_set_boolean)
-    hidden_proto(security_commit_booleans)
-    hidden_proto(security_check_context)
-    hidden_proto(security_check_context_raw)
-    hidden_proto(security_canonicalize_context)
-    hidden_proto(security_canonicalize_context_raw)
-    hidden_proto(security_compute_av)
-    hidden_proto(security_compute_av_raw)
-    hidden_proto(security_compute_av_flags)
-    hidden_proto(security_compute_av_flags_raw)
-    hidden_proto(security_compute_user)
-    hidden_proto(security_compute_user_raw)
-    hidden_proto(security_compute_create)
-    hidden_proto(security_compute_create_raw)
-    hidden_proto(security_compute_create_name)
-    hidden_proto(security_compute_create_name_raw)
-    hidden_proto(security_compute_member_raw)
-    hidden_proto(security_compute_relabel_raw)
-    hidden_proto(security_validatetrans)
-    hidden_proto(security_validatetrans_raw)
-    hidden_proto(is_selinux_enabled)
-    hidden_proto(is_selinux_mls_enabled)
-    hidden_proto(freecon)
-    hidden_proto(freeconary)
-    hidden_proto(getprevcon)
-    hidden_proto(getprevcon_raw)
-    hidden_proto(getcon)
-    hidden_proto(getcon_raw)
-    hidden_proto(setcon_raw)
-    hidden_proto(getpeercon_raw)
-    hidden_proto(getpidcon_raw)
-    hidden_proto(getexeccon_raw)
-    hidden_proto(getfilecon)
-    hidden_proto(getfilecon_raw)
-    hidden_proto(lgetfilecon_raw)
-    hidden_proto(fgetfilecon_raw)
-    hidden_proto(setfilecon_raw)
-    hidden_proto(lsetfilecon_raw)
-    hidden_proto(fsetfilecon_raw)
-    hidden_proto(setexeccon)
-    hidden_proto(setexeccon_raw)
-    hidden_proto(getfscreatecon_raw)
-    hidden_proto(getkeycreatecon_raw)
-    hidden_proto(getsockcreatecon_raw)
-    hidden_proto(setfscreatecon_raw)
-    hidden_proto(setkeycreatecon_raw)
-    hidden_proto(setsockcreatecon_raw)
-    hidden_proto(security_getenforce)
-    hidden_proto(security_setenforce)
-    hidden_proto(security_deny_unknown)
-    hidden_proto(security_reject_unknown)
-    hidden_proto(security_get_checkreqprot)
-    hidden_proto(selinux_boolean_sub)
-    hidden_proto(selinux_current_policy_path)
-    hidden_proto(selinux_binary_policy_path)
-    hidden_proto(selinux_booleans_subs_path)
-    hidden_proto(selinux_default_context_path)
-    hidden_proto(selinux_securetty_types_path)
-    hidden_proto(selinux_failsafe_context_path)
-    hidden_proto(selinux_removable_context_path)
-    hidden_proto(selinux_virtual_domain_context_path)
-    hidden_proto(selinux_virtual_image_context_path)
-    hidden_proto(selinux_lxc_contexts_path)
-    hidden_proto(selinux_file_context_path)
-    hidden_proto(selinux_file_context_homedir_path)
-    hidden_proto(selinux_file_context_local_path)
-    hidden_proto(selinux_file_context_subs_dist_path)
-    hidden_proto(selinux_file_context_subs_path)
-    hidden_proto(selinux_netfilter_context_path)
-    hidden_proto(selinux_homedir_context_path)
-    hidden_proto(selinux_user_contexts_path)
-    hidden_proto(selinux_booleans_path)
-    hidden_proto(selinux_customizable_types_path)
-    hidden_proto(selinux_media_context_path)
-    hidden_proto(selinux_x_context_path)
-    hidden_proto(selinux_sepgsql_context_path)
-    hidden_proto(selinux_openrc_contexts_path)
-    hidden_proto(selinux_openssh_contexts_path)
-    hidden_proto(selinux_snapperd_contexts_path)
-    hidden_proto(selinux_systemd_contexts_path)
-    hidden_proto(selinux_path)
-    hidden_proto(selinux_check_passwd_access)
-    hidden_proto(selinux_check_securetty_context)
-    hidden_proto(matchpathcon_init_prefix)
-    hidden_proto(selinux_users_path)
-    hidden_proto(selinux_usersconf_path);
-hidden_proto(selinux_translations_path);
-hidden_proto(selinux_colors_path);
-hidden_proto(selinux_getenforcemode);
-hidden_proto(selinux_getpolicytype);
-hidden_proto(selinux_raw_to_trans_context);
-hidden_proto(selinux_trans_to_raw_context);
-    hidden_proto(selinux_raw_context_to_color);
-hidden_proto(security_get_initial_context);
-hidden_proto(security_get_initial_context_raw);
-hidden_proto(selinux_reset_config);
-hidden_proto(selinux_flush_class_cache);
-
-extern int require_seusers hidden;
-extern int selinux_page_size hidden;
+
+
+extern int require_seusers ;
+extern int selinux_page_size ;
 
 /* Make pthread_once optional */
 #pragma weak pthread_once
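Review bot: the replacement adds two empty `+` lines after `#include <pthread.h>` on top of the existing blank, leaving three consecutive blank lines, and `extern int require_seusers ;` / `extern int selinux_page_size ;` carry a stray space before the semicolon; reduce to one blank line and `extern int require_seusers;`. The next hunk's `extern int has_selinux_config ;` needs the same touch-up.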
@@ -180,4 +73,4 @@ extern int selinux_page_size hidden;
 #define SELINUXDIR "/etc/selinux/"
 #define SELINUXCONFIG SELINUXDIR "config"
 
-extern int has_selinux_config hidden;
+extern int has_selinux_config ;
diff --git a/libselinux/src/setenforce.c b/libselinux/src/setenforce.c
index 09cad3ceaf9d..a87ff2d08e30 100644
--- a/libselinux/src/setenforce.c
+++ b/libselinux/src/setenforce.c
@@ -34,4 +34,3 @@ int security_setenforce(int value)
 	return 0;
 }
 
-hidden_def(security_setenforce)
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6c2f3..bd45f12cf707 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -25,7 +25,6 @@ int setfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(setfilecon_raw)
 
 int setfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
index fa188a824f78..52a8ba78b2ad 100644
--- a/libselinux/src/setrans_client.c
+++ b/libselinux/src/setrans_client.c
@@ -19,7 +19,6 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <sys/uio.h>
-#include "dso.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
 
@@ -260,7 +259,7 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) setrans_lib_destructor(void);
 
-void hidden __attribute__((destructor)) setrans_lib_destructor(void)
+void  __attribute__((destructor)) setrans_lib_destructor(void)
 {
 	if (!has_setrans)
 		return;
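Review bot: `void  __attribute__((destructor)) setrans_lib_destructor(void)` keeps a double space where `hidden` was removed; use a single space.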
@@ -327,7 +326,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -369,7 +367,6 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 
 int selinux_raw_context_to_color(const char * raw, char **transp)
 {
@@ -410,7 +407,6 @@ int selinux_raw_context_to_color(const char * raw, char **transp)
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_context_to_color)
 #else /*DISABLE_SETRANS*/
 
 int selinux_trans_to_raw_context(const char * trans,
@@ -426,7 +422,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -440,5 +435,4 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 #endif /*DISABLE_SETRANS*/
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index 7ec7d12c4546..fff80c1ad47b 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -88,7 +88,7 @@ static int process_seusers(const char *buffer,
 	return -2;		/* error */
 }
 
-int require_seusers hidden = 0;
+int require_seusers  = 0;
 
 #include <pwd.h>
 #include <grp.h>
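Review bot: `int require_seusers  = 0;` has a double space before `=`; collapse it to one.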
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index 004fcd3b28c0..9a8ce01dceda 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -23,7 +23,6 @@
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 #include "sha1.h"
-#include "dso.h"
 #include <memory.h>
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -126,7 +125,7 @@ void
 //
 //  Initialises an SHA1 Context. Use this to initialise/reset a context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Initialise
     (
         Sha1Context*                Context
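Review bot: the replacement line `void ` keeps trailing whitespace after the return type; trim it here and in the identical Sha1Update and Sha1Finalise hunks below.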
@@ -148,7 +147,7 @@ void hidden
 //  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 //  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Update
     (
         Sha1Context*        Context,
@@ -191,7 +190,7 @@ void hidden
 //  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 //  calling this, Sha1Initialised must be used to reuse the context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Finalise
     (
         Sha1Context*                Context,
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 29757b750878..012a740a622e 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -180,7 +180,6 @@ void selinux_flush_class_cache(void)
 	discover_class_cache = NULL;
 }
 
-hidden_def(selinux_flush_class_cache)
 
 security_class_t string_to_security_class(const char *s)
 {
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
index 2aa300cfd90a..66ac7405baac 100644
--- a/libselinux/src/validatetrans.c
+++ b/libselinux/src/validatetrans.c
@@ -57,7 +57,6 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans_raw)
 
 int security_validatetrans(const char *scon,
 			   const char *tcon,
@@ -91,4 +90,3 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans)
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 37+ messages in thread

* [PATCH v3 2/4] Makefile: add -fno-semantic-interposition
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
@ 2020-02-28 15:48   ` bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 3/4] Makefile: add linker script to minimize exports bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 4/4] libselinux: drop symbols from map bill.c.roberts
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 15:48 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7f5a5d7418e9..c76110fbc650 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -65,7 +65,7 @@ EXTRA_CFLAGS = -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nan
 	-Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \
 	-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \
 	-Wno-suggest-attribute=pure -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
-	-Wstrict-overflow=5
+	-Wstrict-overflow=5 -fno-semantic-interposition
 else
 EXTRA_CFLAGS = -Wunused-command-line-argument
 endif
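Review bot: the flag lands only in the gcc branch of EXTRA_CFLAGS, which matches the commit message (clang defaults to it), but the message should say what it does and does not cover: -fno-semantic-interposition lets the compiler bind references within one translation unit to the local definition, while calls between libselinux's own objects to symbols that the map still exports resolve through the dynamic linker and remain interposable. It is also worth stating the minimum gcc version, since gcc before 5.3 does not know the option (see the link in the cover letter) and this line is compiled with -Werror.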
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 37+ messages in thread

* [PATCH v3 3/4] Makefile: add linker script to minimize exports
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
  2020-02-28 15:48   ` [PATCH v3 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
@ 2020-02-28 15:48   ` bill.c.roberts
       [not found]     ` <CAEjxPJ7CuMf5QeW_jjEonRN=kfcpTV8c4UnUMyEjyb2hee1YXg@mail.gmail.com>
  2020-02-28 15:48   ` [PATCH v3 4/4] libselinux: drop symbols from map bill.c.roberts
  3 siblings, 1 reply; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 15:48 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Add a linker script that exports only what was previously exported by
libselinux.

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Fixes: #179

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile       |   2 +-
 libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
 2 files changed, 250 insertions(+), 1 deletion(-)
 create mode 100644 libselinux/src/libselinux.map

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c76110fbc650..f74dbeb983dd 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
           -Werror -Wno-aggregate-return -Wno-redundant-decls \
           $(EXTRA_CFLAGS)
 
-LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
 
 ifeq ($(OS), Darwin)
 override CFLAGS += -I/opt/local/include
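Review bot: `-z,relro-Wl,--version-script=libselinux.map` lacks the separator between `relro` and `-Wl`, and a second `-Wl` does not belong inside this list at all because the Makefile already prepends `-Wl,` to the whole LD_SONAME_FLAGS value. As written ld sees `-z relro-Wl`, warns `-z relro-Wl ignored` (reproduced later in the thread) and silently drops the RELRO hardening, while `--version-script=libselinux.map` still arrives as its own argument, so the nm diff in the commit message cannot catch this. Suggested replacement, with the required options first as also suggested in the thread: `LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=libselinux.map,-z,defs,-z,relro`.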
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
new file mode 100644
index 000000000000..73f4c072af02
--- /dev/null
+++ b/libselinux/src/libselinux.map
@@ -0,0 +1,249 @@
+LIBSELINUX_1.0 {
+  global:
+    avc_add_callback;
+    avc_audit;
+    avc_av_stats;
+    avc_cache_stats;
+    avc_cleanup;
+    avc_compute_create;
+    avc_compute_member;
+    avc_context_to_sid;
+    avc_context_to_sid_raw;
+    avc_destroy;
+    avc_get_initial_sid;
+    avc_has_perm;
+    avc_has_perm_noaudit;
+    avc_init;
+    avc_netlink_acquire_fd;
+    avc_netlink_check_nb;
+    avc_netlink_close;
+    avc_netlink_loop;
+    avc_netlink_open;
+    avc_netlink_release_fd;
+    avc_open;
+    avc_reset;
+    avc_sid_stats;
+    avc_sid_to_context;
+    avc_sid_to_context_raw;
+    checkPasswdAccess;
+    context_free;
+    context_new;
+    context_range_get;
+    context_range_set;
+    context_role_get;
+    context_role_set;
+    context_str;
+    context_type_get;
+    context_type_set;
+    context_user_get;
+    context_user_set;
+    dir_xattr_list;
+    fgetfilecon;
+    fgetfilecon_raw;
+    fini_selinuxmnt;
+    freecon;
+    freeconary;
+    fsetfilecon;
+    fsetfilecon_raw;
+    getcon;
+    getcon_raw;
+    get_default_context;
+    get_default_context_with_level;
+    get_default_context_with_role;
+    get_default_context_with_rolelevel;
+    get_default_type;
+    getexeccon;
+    getexeccon_raw;
+    getfilecon;
+    getfilecon_raw;
+    getfscreatecon;
+    getfscreatecon_raw;
+    getkeycreatecon;
+    getkeycreatecon_raw;
+    get_ordered_context_list;
+    get_ordered_context_list_with_level;
+    getpeercon;
+    getpeercon_raw;
+    getpidcon;
+    getpidcon_raw;
+    getprevcon;
+    getprevcon_raw;
+    getseuser;
+    getseuserbyname;
+    getsockcreatecon;
+    getsockcreatecon_raw;
+    is_context_customizable;
+    is_selinux_enabled;
+    is_selinux_mls_enabled;
+    lgetfilecon;
+    lgetfilecon_raw;
+    lsetfilecon;
+    lsetfilecon_raw;
+    manual_user_enter_context;
+    map_class;
+    map_decision;
+    map_perm;
+    matchmediacon;
+    matchpathcon;
+    matchpathcon_checkmatches;
+    matchpathcon_filespec_add;
+    matchpathcon_filespec_destroy;
+    matchpathcon_filespec_eval;
+    matchpathcon_fini;
+    matchpathcon_index;
+    matchpathcon_init;
+    matchpathcon_init_prefix;
+    mode_to_security_class;
+    myprintf_compat;
+    print_access_vector;
+    query_user_context;
+    realpath_not_final;
+    rpm_execcon;
+    security_av_perm_to_string;
+    security_av_string;
+    security_canonicalize_context;
+    security_canonicalize_context_raw;
+    security_check_context;
+    security_check_context_raw;
+    security_class_to_string;
+    security_commit_booleans;
+    security_compute_av;
+    security_compute_av_flags;
+    security_compute_av_flags_raw;
+    security_compute_av_raw;
+    security_compute_create;
+    security_compute_create_name;
+    security_compute_create_name_raw;
+    security_compute_create_raw;
+    security_compute_member;
+    security_compute_member_raw;
+    security_compute_relabel;
+    security_compute_relabel_raw;
+    security_compute_user;
+    security_compute_user_raw;
+    security_deny_unknown;
+    security_disable;
+    security_get_boolean_active;
+    security_get_boolean_names;
+    security_get_boolean_pending;
+    security_get_checkreqprot;
+    security_getenforce;
+    security_get_initial_context;
+    security_get_initial_context_raw;
+    security_load_booleans;
+    security_load_policy;
+    security_policyvers;
+    security_reject_unknown;
+    security_set_boolean;
+    security_set_boolean_list;
+    security_setenforce;
+    security_validatetrans;
+    security_validatetrans_raw;
+    selabel_close;
+    selabel_cmp;
+    selabel_digest;
+    selabel_get_digests_all_partial_matches;
+    selabel_hash_all_partial_matches;
+    selabel_lookup;
+    selabel_lookup_best_match;
+    selabel_lookup_best_match_raw;
+    selabel_lookup_raw;
+    selabel_open;
+    selabel_partial_match;
+    selabel_stats;
+    selinux_binary_policy_path;
+    selinux_booleans_path;
+    selinux_booleans_subs_path;
+    selinux_boolean_sub;
+    selinux_check_access;
+    selinux_check_passwd_access;
+    selinux_check_securetty_context;
+    selinux_colors_path;
+    selinux_contexts_path;
+    selinux_current_policy_path;
+    selinux_customizable_types_path;
+    selinux_default_context_path;
+    selinux_default_type_path;
+    selinux_failsafe_context_path;
+    selinux_file_context_cmp;
+    selinux_file_context_homedir_path;
+    selinux_file_context_local_path;
+    selinux_file_context_path;
+    selinux_file_context_subs_dist_path;
+    selinux_file_context_subs_path;
+    selinux_file_context_verify;
+    selinux_flush_class_cache;
+    selinuxfs_exists;
+    selinux_get_callback;
+    selinux_getenforcemode;
+    selinux_getpolicytype;
+    selinux_homedir_context_path;
+    selinux_init_load_policy;
+    selinux_lsetfilecon_default;
+    selinux_lxc_contexts_path;
+    selinux_media_context_path;
+    selinux_mkload_policy;
+    selinux_mnt;
+    selinux_netfilter_context_path;
+    selinux_openrc_contexts_path;
+    selinux_openssh_contexts_path;
+    selinux_path;
+    selinux_policy_root;
+    selinux_raw_context_to_color;
+    selinux_raw_to_trans_context;
+    selinux_removable_context_path;
+    selinux_reset_config;
+    selinux_restorecon;
+    selinux_restorecon_default_handle;
+    selinux_restorecon_set_alt_rootpath;
+    selinux_restorecon_set_exclude_list;
+    selinux_restorecon_set_sehandle;
+    selinux_restorecon_xattr;
+    selinux_securetty_types_path;
+    selinux_sepgsql_context_path;
+    selinux_set_callback;
+    selinux_set_mapping;
+    selinux_set_policy_root;
+    selinux_snapperd_contexts_path;
+    selinux_status_close;
+    selinux_status_deny_unknown;
+    selinux_status_getenforce;
+    selinux_status_open;
+    selinux_status_policyload;
+    selinux_status_updated;
+    selinux_systemd_contexts_path;
+    selinux_translations_path;
+    selinux_trans_to_raw_context;
+    selinux_user_contexts_path;
+    selinux_usersconf_path;
+    selinux_users_path;
+    selinux_virtual_domain_context_path;
+    selinux_virtual_image_context_path;
+    selinux_x_context_path;
+    setcon;
+    setcon_raw;
+    setexeccon;
+    setexeccon_raw;
+    setexecfilecon;
+    setfilecon;
+    setfilecon_raw;
+    setfscreatecon;
+    setfscreatecon_raw;
+    setkeycreatecon;
+    setkeycreatecon_raw;
+    set_matchpathcon_canoncon;
+    set_matchpathcon_flags;
+    set_matchpathcon_invalidcon;
+    set_matchpathcon_printf;
+    set_selinuxmnt;
+    setsockcreatecon;
+    setsockcreatecon_raw;
+    sidget;
+    sidput;
+    string_to_av_perm;
+    string_to_security_class;
+    unmap_class;
+    unmap_perm;
+  local:
+    *;
+};
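Review bot: the `local: *;` catch-all means any symbol left out of this list silently disappears from the ABI, which is the intended opt-in but deserves a short comment at the top of the map telling contributors that new public API must be added here. The list also still exports names that read as internal (dir_xattr_list, map_class, map_decision, map_perm, myprintf_compat, unmap_class, unmap_perm); the follow-up patch removes them, so a one-line note here that the map was generated from the old nm output would make the split easier to follow when bisecting.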
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 37+ messages in thread
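A regression check for the export set, added here as an example (not code from the patch series or the project): it parses the `global:` block of a GNU ld version script such as libselinux.map, lists what a built shared object actually exports with the same nm pipeline as the commit message, reports any difference, and adds a readelf check for the RELRO segment that a mangled `-z,relro-Wl` flag would drop. Function names are this example's own, and the map parser assumes the plain one-symbol-per-line layout shown above.

```shell
#!/bin/sh
# Added example, not part of the libselinux patch series: verify that a
# shared object exports exactly the symbols its GNU ld version script
# lists, and that it still carries a GNU_RELRO segment. All function
# names here are this example's own.
export LC_ALL=C   # deterministic sort order, required by comm(1)

# Symbols between "global:" and "local:" in a version script, sorted,
# one per line. Assumes the plain map layout used by libselinux.map
# (no comments, one ';'-terminated symbol per line).
map_globals() {
    sed -n '/global:/,/local:/p' "$1" \
        | grep -v -E 'global:|local:' \
        | tr -d ' \t;' \
        | grep -v '^$' \
        | sort -u
}

# Defined global symbols the object actually exports, filtered exactly
# as in the commit message (names starting with '_' dropped).
so_exports() {
    nm --defined-only -g "$1" | cut -d' ' -f 3-3 | grep -v '^_' | sort -u
}

# Compare two sorted symbol lists ($1: from the map, $2: from the object).
# Lines printed with '+' are exported but not in the map (version script
# not applied, or map stale); lines with '-' are promised by the map but
# missing from the object. Returns 1 on any difference, 0 otherwise.
compare_exports() {
    extra=$(comm -13 "$1" "$2")
    missing=$(comm -23 "$1" "$2")
    rc=0
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/+/'
        rc=1
    fi
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/-/'
        rc=1
    fi
    return $rc
}

# Prints 1 if the object has a GNU_RELRO program header, 0 otherwise.
# ld only warns when it drops an unknown -z keyword, so check the built
# artifact rather than trusting the Makefile.
has_relro() {
    if readelf -l "$1" | grep -q GNU_RELRO; then
        echo 1
    else
        echo 0
    fi
}

# Usage: check_library path/to/libselinux.so path/to/libselinux.map
check_library() {
    tmpdir=$(mktemp -d) || return 2
    map_globals "$2" > "$tmpdir/map.txt"
    so_exports "$1" > "$tmpdir/so.txt"
    if compare_exports "$tmpdir/map.txt" "$tmpdir/so.txt"; then
        rc=0
    else
        rc=1
    fi
    if [ "$(has_relro "$1")" != 1 ]; then
        echo "no GNU_RELRO segment in $1"
        rc=1
    fi
    rm -rf "$tmpdir"
    return $rc
}
```

Run `check_library ./src/libselinux.so ./src/libselinux.map` after the build; a non-zero exit with `+` lines means the version script did not take effect.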

* [PATCH v3 4/4] libselinux: drop symbols from map
  2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
                     ` (2 preceding siblings ...)
  2020-02-28 15:48   ` [PATCH v3 3/4] Makefile: add linker script to minimize exports bill.c.roberts
@ 2020-02-28 15:48   ` bill.c.roberts
  3 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-02-28 15:48 UTC (permalink / raw)
  To: selinux, drepper, omosnace, stephen.smalley.work, plautrba
  Cc: William Roberts

From: William Roberts <william.c.roberts@intel.com>

Previously, libselinux was exporting the following symbols:
  - dir_xattr_list;
  - map_class;
  - map_decision;
  - map_perm;
  - myprintf_compat;
  - unmap_class;
  - unmap_perm;

However, these appear to be unused and can safely be dropped.

This is done as a separate commit so it can easily be reverted
separately for any reason.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/libselinux.map | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
index 73f4c072af02..2a368e93f9fd 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@@ -37,7 +37,6 @@ LIBSELINUX_1.0 {
     context_type_set;
     context_user_get;
     context_user_set;
-    dir_xattr_list;
     fgetfilecon;
     fgetfilecon_raw;
     fini_selinuxmnt;
@@ -80,9 +79,6 @@ LIBSELINUX_1.0 {
     lsetfilecon;
     lsetfilecon_raw;
     manual_user_enter_context;
-    map_class;
-    map_decision;
-    map_perm;
     matchmediacon;
     matchpathcon;
     matchpathcon_checkmatches;
@@ -94,7 +90,6 @@ LIBSELINUX_1.0 {
     matchpathcon_init;
     matchpathcon_init_prefix;
     mode_to_security_class;
-    myprintf_compat;
     print_access_vector;
     query_user_context;
     realpath_not_final;
@@ -242,8 +237,6 @@ LIBSELINUX_1.0 {
     sidput;
     string_to_av_perm;
     string_to_security_class;
-    unmap_class;
-    unmap_perm;
   local:
     *;
 };
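Review bot: "appear to be unused" is thin evidence for dropping exported symbols, since each removal is an ABI break for any out-of-tree consumer that resolved them; please state in the commit message how this was checked (for example that none of the seven names is declared in the public selinux/*.h headers and that a grep over the rest of the userspace tree finds no callers). Keeping the removals in their own commit, as done here, is the right call for an easy revert.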
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 37+ messages in thread

* Re: [PATCH v3 3/4] Makefile: add linker script to minimize exports
       [not found]       ` <CAFftDdpeP39qvXNTe06EWkc3Kp_TMu5bGOf8WN6Q-k2Cehn_3w@mail.gmail.com>
@ 2020-02-28 19:05         ` Stephen Smalley
  2020-03-01 20:04           ` Nicolas Iooss
  0 siblings, 1 reply; 37+ messages in thread
From: Stephen Smalley @ 2020-02-28 19:05 UTC (permalink / raw)
  To: William Roberts, SElinux list, Petr Lautrbach, Stephen Smalley,
	Ulrich Drepper, Ondrej Mosnacek

On Fri, Feb 28, 2020 at 1:43 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Fri, Feb 28, 2020 at 12:35 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Feb 28, 2020 at 10:49 AM <bill.c.roberts@gmail.com> wrote:
> > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > index c76110fbc650..f74dbeb983dd 100644
> > > --- a/libselinux/src/Makefile
> > > +++ b/libselinux/src/Makefile
> > > @@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
> > >            -Werror -Wno-aggregate-return -Wno-redundant-decls \
> > >            $(EXTRA_CFLAGS)
> > >
> > > -LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
> > > +LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
> >
> > /usr/bin/ld: warning: -z relro-Wl ignored
> > I guess you meant relro,-Wl but you don't want that either.  -Wl has
> > to precede all the flags and it is already pre-pended later in the
> > Makefile.
>
> Grumble, did I ever say I *hate* Makefiles! v4 coming, I'm going to
> hold them so I can coalesce any other feedback
> into v4.

(restored cc; I accidentally only replied to you)

^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [PATCH v3 3/4] Makefile: add linker script to minimize exports
  2020-02-28 19:05         ` Stephen Smalley
@ 2020-03-01 20:04           ` Nicolas Iooss
  0 siblings, 0 replies; 37+ messages in thread
From: Nicolas Iooss @ 2020-03-01 20:04 UTC (permalink / raw)
  To: William Roberts
  Cc: SElinux list, Stephen Smalley, Petr Lautrbach, Stephen Smalley,
	Ulrich Drepper, Ondrej Mosnacek

On Fri, Feb 28, 2020 at 8:04 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Feb 28, 2020 at 1:43 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Fri, Feb 28, 2020 at 12:35 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Fri, Feb 28, 2020 at 10:49 AM <bill.c.roberts@gmail.com> wrote:
> > > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > > > index c76110fbc650..f74dbeb983dd 100644
> > > > --- a/libselinux/src/Makefile
> > > > +++ b/libselinux/src/Makefile
> > > > @@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
> > > >            -Werror -Wno-aggregate-return -Wno-redundant-decls \
> > > >            $(EXTRA_CFLAGS)
> > > >
> > > > -LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
> > > > +LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro-Wl,--version-script=libselinux.map
> > >
> > > /usr/bin/ld: warning: -z relro-Wl ignored
> > > I guess you meant relro,-Wl but you don't want that either.  -Wl has
> > > to precede all the flags and it is already pre-pended later in the
> > > Makefile.
> >
> > Grumble, did I ever say I *hate* Makefiles! v4 coming, I'm going to
> > hold them so I can coalesce any other feedback
> > into v4.
>
> (restored cc; I accidentally only replied to you)

While at it, I personally prefer if options -soname and
--version-script come first (like in libsepol/src/Makefile). This way,
it is "easier" for packagers to make a difference between options that
are really required and the options that could be removed if the need
arises (-z,defs,-z,relro). But this is nitpicking, so feel free to
ignore my comment.

Thanks,
Nicolas


^ permalink raw reply	[flat|nested] 37+ messages in thread

* Re: [PATCH 2/3] Makefile: add -fno-semantic-interposition
  2020-02-28 13:59     ` William Roberts
@ 2020-03-01 20:32       ` Nicolas Iooss
  2020-03-02 16:41         ` [V4] libselinux: drop dso.h bill.c.roberts
  0 siblings, 1 reply; 37+ messages in thread
From: Nicolas Iooss @ 2020-03-01 20:32 UTC (permalink / raw)
  To: William Roberts
  Cc: Stephen Smalley, SElinux list, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, William Roberts

On Fri, Feb 28, 2020 at 2:59 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Fri, Feb 28, 2020 at 7:50 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Feb 27, 2020 at 6:01 PM <bill.c.roberts@gmail.com> wrote:
> > >
> > > From: William Roberts <william.c.roberts@intel.com>
> > >
> > > Add -fno-semantic-interposition to CFLAGS. This will restore
> > > the DSO infrastructure's protections to ensure internal callers
> > > of exported symbols call into libselinux and not something loading first
> > > in the library list.
> > >
> > > Clang has this enabled by default.
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> >
> > I'm fine with this but since Nicolas pointed out the option of using
> > -Bsymbolic to
> > the linker as an alternative to hidden_def/hidden_proto in
> > https://github.com/SELinuxProject/selinux/issues/204#issuecomment-591092288
> > I was wondering how they differ.  I guess -Bsymbolic only affects the
> > linker while -fno-semantic-interposition
> > permits the compiler to further optimize the code.
>
> That's my understanding of the difference as well. -B is only link
> time, so the compiler can't
> really optimize the calls, but IIUC the compiler can only optimize
> what's in the compilation
> unit, so it can only optimize call sites for calls within the compilation unit.
>
> -B also only works for elf builds, so we would conditionally need to
> modify LDFLAGS based
> on host type. The compiler option is just a clang/gcc split, which is
> already there. To go
> to symbolic we would have to conditionally set that... a tad bit more work :-p

I am not very familiar with -Bsymbolic and did not know about
-fno-semantic-interposition before a few days ago. As far as I
understand, -Bsymbolic puts an entry of type "SYMBOLIC" in the dynamic
section of the .so file, which changes the behavior of the dynamic
linker at link time without modifying anything in the build-time
linking process. It is only compatible with ELF files and seems quite
uncommon.
With this in mind, -fno-semantic-interposition seems more powerful and
better suited for what we want to achieve (to optimize the
compilation). I agree with the approach of this patchset and would
have given an Acked-By if there weren't an issue with "-z,relro-Wl" ;)

Thanks for working on this!
Nicolas


^ permalink raw reply	[flat|nested] 37+ messages in thread

* [V4] libselinux: drop dso.h
  2020-03-01 20:32       ` Nicolas Iooss
@ 2020-03-02 16:41         ` bill.c.roberts
  2020-03-02 16:41           ` [PATCH v4 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
                             ` (4 more replies)
  0 siblings, 5 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-03-02 16:41 UTC (permalink / raw)
  To: nicolas.iooss
  Cc: bill.c.roberts, drepper, omosnace, plautrba, selinux,
	stephen.smalley.work, william.c.roberts

Version 4:
  - Fix linker option warnings.
  - Move map file to beginning of options.

Version 3:
  - Add more symbols that should be dropped from the dso:
    - map_class;
    - map_decision;
    - map_perm;

Version 2:
  - Adds a version to the linker script LIBSELINUX_1.0
  - Adds a patch to drop some additional symbols from the dso:
    - dir_xattr_list
    - myprintf_compat
    - unmap_class
    - unmap_perm

This four part patch series drops the dso.h and hidden_*
macros.

The old dso.h functionality provided libselinux with both control over
external exported symbols as well as ensuring internal callers call into
libselinux and not a symbol with the same name loaded by the linker
earlier in the library list.

The functionality is replaced by a linker script that requires public
API to explicitly be opt-in. The old method required that internal API
be explicitly annotated, and everything else is public. This should help
make it easier to control libselinux DSO hygiene going forward.

The second functionality is replaced by compiler option
-fno-semantic-interposition.

Note that clang has this enabled by default, and thus doesn't need it.

See:
  - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition

[PATCH v4 1/4] dso: drop hidden_proto and hidden_def
[PATCH v4 2/4] Makefile: add -fno-semantic-interposition
[PATCH v4 3/4] Makefile: add linker script to minimize exports
[PATCH v4 4/4] libselinux: drop symbols from map


^ permalink raw reply	[flat|nested] 37+ messages in thread

* [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
  2020-03-02 16:41         ` [V4] libselinux: drop dso.h bill.c.roberts
@ 2020-03-02 16:41           ` bill.c.roberts
  2020-03-02 16:41           ` [PATCH v4 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
                             ` (3 subsequent siblings)
  4 siblings, 0 replies; 37+ messages in thread
From: bill.c.roberts @ 2020-03-02 16:41 UTC (permalink / raw)
  To: nicolas.iooss
  Cc: bill.c.roberts, drepper, omosnace, plautrba, selinux,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/avc.c                          |   5 -
 libselinux/src/avc_internal.h                 |  52 ++++----
 libselinux/src/avc_sidtab.h                   |  11 +-
 libselinux/src/booleans.c                     |   5 -
 libselinux/src/callbacks.h                    |  11 +-
 libselinux/src/canonicalize_context.c         |   2 -
 libselinux/src/checkAccess.c                  |   1 -
 libselinux/src/check_context.c                |   2 -
 libselinux/src/checkreqprot.c                 |   1 -
 libselinux/src/compute_av.c                   |   4 -
 libselinux/src/compute_create.c               |   4 -
 libselinux/src/compute_member.c               |   1 -
 libselinux/src/compute_relabel.c              |   1 -
 libselinux/src/compute_user.c                 |   2 -
 libselinux/src/context.c                      |   9 +-
 libselinux/src/context_internal.h             |  12 --
 libselinux/src/deny_unknown.c                 |   1 -
 libselinux/src/disable.c                      |   1 -
 libselinux/src/dso.h                          |  23 ----
 libselinux/src/enabled.c                      |   2 -
 libselinux/src/fgetfilecon.c                  |   1 -
 libselinux/src/freecon.c                      |   1 -
 libselinux/src/freeconary.c                   |   1 -
 libselinux/src/fsetfilecon.c                  |   1 -
 libselinux/src/get_context_list.c             |   3 -
 libselinux/src/get_context_list_internal.h    |   4 -
 libselinux/src/get_default_type_internal.h    |   2 -
 libselinux/src/get_initial_context.c          |   2 -
 libselinux/src/getenforce.c                   |   1 -
 libselinux/src/getfilecon.c                   |   2 -
 libselinux/src/getpeercon.c                   |   1 -
 libselinux/src/init.c                         |   4 -
 libselinux/src/label_internal.h               |  19 ++-
 libselinux/src/label_support.c                |   6 +-
 libselinux/src/lgetfilecon.c                  |   1 -
 libselinux/src/load_policy.c                  |   2 -
 libselinux/src/lsetfilecon.c                  |   1 -
 libselinux/src/matchpathcon.c                 |   3 +-
 libselinux/src/policyvers.c                   |   2 -
 libselinux/src/procattr.c                     |  21 +---
 libselinux/src/regex.h                        |  21 ++--
 libselinux/src/reject_unknown.c               |   1 -
 .../src/selinux_check_securetty_context.c     |   1 -
 libselinux/src/selinux_config.c               |  36 ------
 libselinux/src/selinux_internal.h             | 117 +-----------------
 libselinux/src/setenforce.c                   |   1 -
 libselinux/src/setfilecon.c                   |   1 -
 libselinux/src/setrans_client.c               |   8 +-
 libselinux/src/seusers.c                      |   2 +-
 libselinux/src/sha1.c                         |   7 +-
 libselinux/src/stringrep.c                    |   1 -
 libselinux/src/validatetrans.c                |   2 -
 52 files changed, 69 insertions(+), 357 deletions(-)
 delete mode 100644 libselinux/src/dso.h

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 5230efd2323a..ab10b0f9f1cb 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -294,7 +294,6 @@ void avc_av_stats(void)
 		slots_used, AVC_CACHE_SLOTS, max_chain_len);
 }
 
-hidden_def(avc_av_stats)
 
 static inline struct avc_node *avc_reclaim_node(void)
 {
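Review bot: dropping `hidden_def(avc_av_stats)` leaves two consecutive empty lines before avc_reclaim_node(); keep one. The avc_cleanup, avc_reset, avc_audit and avc_has_perm_noaudit hunks below have the same double blank (avc_audit ends up with three in a row).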
@@ -494,7 +493,6 @@ void avc_cleanup(void)
 {
 }
 
-hidden_def(avc_cleanup)
 
 int avc_reset(void)
 {
@@ -539,7 +537,6 @@ int avc_reset(void)
 	return rc;
 }
 
-hidden_def(avc_reset)
 
 void avc_destroy(void)
 {
@@ -733,7 +730,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	avc_release_lock(avc_log_lock);
 }
 
-hidden_def(avc_audit)
 
 
 static void avd_init(struct av_decision *avd)
@@ -825,7 +821,6 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	return rc;
 }
 
-hidden_def(avc_has_perm_noaudit)
 
 int avc_has_perm(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t requested,
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index f8516590bd75..3f8a6bb1cf84 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -14,24 +14,23 @@
 #include <string.h>
 #include <selinux/avc.h>
 #include "callbacks.h"
-#include "dso.h"
 
 /* callback pointers */
-extern void *(*avc_func_malloc) (size_t) hidden;
-extern void (*avc_func_free) (void *)hidden;
+extern void *(*avc_func_malloc) (size_t) ;
+extern void (*avc_func_free) (void *);
 
-extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
-extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
+extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);
 
-extern int avc_using_threads hidden;
-extern int avc_app_main_loop hidden;
-extern void *(*avc_func_create_thread) (void (*)(void))hidden;
-extern void (*avc_func_stop_thread) (void *)hidden;
+extern int avc_using_threads ;
+extern int avc_app_main_loop ;
+extern void *(*avc_func_create_thread) (void (*)(void));
+extern void (*avc_func_stop_thread) (void *);
 
-extern void *(*avc_func_alloc_lock) (void)hidden;
-extern void (*avc_func_get_lock) (void *)hidden;
-extern void (*avc_func_release_lock) (void *)hidden;
-extern void (*avc_func_free_lock) (void *)hidden;
+extern void *(*avc_func_alloc_lock) (void);
+extern void (*avc_func_get_lock) (void *);
+extern void (*avc_func_release_lock) (void *);
+extern void (*avc_func_free_lock) (void *);
 
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 				 const struct avc_log_callback *log_cb,
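Review bot: the mechanical removal of `hidden` leaves a stray space before the terminating semicolon on four declarations in this hunk, e.g. `extern void *(*avc_func_malloc) (size_t) ;` and `extern int avc_using_threads ;`; please drop the space so they match `extern void (*avc_func_free) (void *);` (the same applies to `avc_prefix`, `avc_running`, `avc_enforcing` and `avc_setenforce` in the next hunk). Worth stating in the commit message: with `hidden` gone these internal callback pointers and flags fall back to default visibility, so unless an export control (version script or `-fvisibility=hidden`) lands alongside this change they become part of the shared object's exported symbol table.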
@@ -61,10 +60,10 @@ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 
 /* message prefix and enforcing mode*/
 #define AVC_PREFIX_SIZE 16
-extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
-extern int avc_running hidden;
-extern int avc_enforcing hidden;
-extern int avc_setenforce hidden;
+extern char avc_prefix[AVC_PREFIX_SIZE] ;
+extern int avc_running ;
+extern int avc_enforcing ;
+extern int avc_setenforce ;
 
 /* user-supplied callback interface for avc */
 static inline void *avc_malloc(size_t size)
@@ -155,28 +154,23 @@ static inline void avc_free_lock(void *lock)
 /* internal callbacks */
 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t perms,
-		 uint32_t seqno) hidden;
+		 uint32_t seqno) ;
 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
 		      security_class_t tclass,
 		      access_vector_t perms, uint32_t seqno,
-		      access_vector_t * out_retained) hidden;
+		      access_vector_t * out_retained) ;
 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
 		  security_class_t tclass, access_vector_t perms,
-		  uint32_t seqno) hidden;
-int avc_ss_reset(uint32_t seqno) hidden;
+		  uint32_t seqno) ;
+int avc_ss_reset(uint32_t seqno) ;
 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
 			  security_class_t tclass, access_vector_t perms,
-			  uint32_t seqno, uint32_t enable) hidden;
+			  uint32_t seqno, uint32_t enable) ;
 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 			 security_class_t tclass, access_vector_t perms,
-			 uint32_t seqno, uint32_t enable) hidden;
+			 uint32_t seqno, uint32_t enable) ;
 
 /* netlink kernel message code */
-extern int avc_netlink_trouble hidden;
+extern int avc_netlink_trouble ;
 
-hidden_proto(avc_av_stats)
-    hidden_proto(avc_cleanup)
-    hidden_proto(avc_reset)
-    hidden_proto(avc_audit)
-    hidden_proto(avc_has_perm_noaudit)
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
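Review bot: same stray space on the `avc_ss_*` prototypes here (`uint32_t seqno) ;`, `int avc_ss_reset(uint32_t seqno) ;`, `extern int avc_netlink_trouble ;`). Separately, dropping the `hidden_proto(...)` block removes the `avc_*_internal` aliases that the dso.h asm trick used to bind in-library calls to the local definition; calls within the library to `avc_cleanup`, `avc_reset`, `avc_audit` and `avc_has_perm_noaudit` now resolve through the ordinary global symbol, so this hunk only preserves the old binding semantics if interposition is disabled at compile time or the symbols are made local. Please say so in the commit message.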
diff --git a/libselinux/src/avc_sidtab.h b/libselinux/src/avc_sidtab.h
index bce9b877ae79..cc5abe354a01 100644
--- a/libselinux/src/avc_sidtab.h
+++ b/libselinux/src/avc_sidtab.h
@@ -7,7 +7,6 @@
 
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
-#include "dso.h"
 
 struct sidtab_node {
 	struct security_id sid_s;
@@ -24,13 +23,13 @@ struct sidtab {
 	unsigned nel;
 };
 
-int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
+int sidtab_init(struct sidtab *s) ;
+int sidtab_insert(struct sidtab *s, const char * ctx) ;
 
 int sidtab_context_to_sid(struct sidtab *s,
-			  const char * ctx, security_id_t * sid) hidden;
+			  const char * ctx, security_id_t * sid) ;
 
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
-void sidtab_destroy(struct sidtab *s) hidden;
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
+void sidtab_destroy(struct sidtab *s) ;
 
 #endif				/* _SELINUX_AVC_SIDTAB_H_ */
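Review bot: the five sidtab prototypes now carry a space before the semicolon (`int sidtab_init(struct sidtab *s) ;`, `void sidtab_destroy(struct sidtab *s) ;`); stripping ` hidden` including its leading space rather than the bare word would have avoided this. These functions are declared only in the private `libselinux/src/avc_sidtab.h`, so they should be listed as local, not exported, by whatever replaces the visibility attribute.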
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ffa8d26b0f3a..ef1f64a05d84 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -414,8 +414,3 @@ char *selinux_boolean_sub(const char *name __attribute__((unused)))
 }
 #endif
 
-hidden_def(security_get_boolean_names)
-hidden_def(selinux_boolean_sub)
-hidden_def(security_get_boolean_active)
-hidden_def(security_set_boolean)
-hidden_def(security_commit_booleans)
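Review bot: after deleting the five `hidden_def` lines the file ends with the blank context line that preceded them; trim it so the file ends at `#endif`. The same trailing blank line is left at end of file wherever a `hidden_def` was the last line (canonicalize_context.c, check_context.c, compute_av.c, compute_user.c, getfilecon.c, policyvers.c and others in this patch).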
diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
index 2a572e08d534..03d87f0cbdfe 100644
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@@ -9,22 +9,21 @@
 #include <stdlib.h>
 #include <string.h>
 #include <selinux/selinux.h>
-#include "dso.h"
 
 /* callback pointers */
 extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) hidden;
+(*selinux_log) (int type, const char *, ...) ;
 
 extern int
-(*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
+(*selinux_audit) (void *, security_class_t, char *, size_t) ;
 
 extern int
-(*selinux_validate)(char **ctx) hidden;
+(*selinux_validate)(char **ctx) ;
 
 extern int
-(*selinux_netlink_setenforce) (int enforcing) hidden;
+(*selinux_netlink_setenforce) (int enforcing) ;
 
 extern int
-(*selinux_netlink_policyload) (int seqno) hidden;
+(*selinux_netlink_policyload) (int seqno) ;
 
 #endif				/* _SELINUX_CALLBACKS_H_ */
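Review bot: stray space before `;` on all five callback declarations here, e.g. `(*selinux_log) (int type, const char *, ...) ;` and `(*selinux_validate)(char **ctx) ;`. These are writable function pointers that the library dereferences, and `hidden` kept them from being reachable by name outside the DSO; with the attribute gone, please make sure they are covered by the replacement export control, since an exported writable pointer is a larger surface than an exported function.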
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c7d46..faab730592c2 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -60,7 +60,6 @@ int security_canonicalize_context_raw(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context_raw)
 
 int security_canonicalize_context(const char * con,
 				      char ** canoncon)
@@ -83,4 +82,3 @@ int security_canonicalize_context(const char * con,
 	return ret;
 }
 
-hidden_def(security_canonicalize_context)
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 7227ffe51eac..677e2ecd7df4 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -99,7 +99,6 @@ int selinux_check_passwd_access(access_vector_t requested)
 	return status;
 }
 
-hidden_def(selinux_check_passwd_access)
 
 int checkPasswdAccess(access_vector_t requested)
 {
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f03598..5096a2c40993 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -31,7 +31,6 @@ int security_check_context_raw(const char * con)
 	return 0;
 }
 
-hidden_def(security_check_context_raw)
 
 int security_check_context(const char * con)
 {
@@ -48,4 +47,3 @@ int security_check_context(const char * con)
 	return ret;
 }
 
-hidden_def(security_check_context)
diff --git a/libselinux/src/checkreqprot.c b/libselinux/src/checkreqprot.c
index 9b4b12d75021..3dc79d9719c5 100644
--- a/libselinux/src/checkreqprot.c
+++ b/libselinux/src/checkreqprot.c
@@ -37,4 +37,3 @@ int security_get_checkreqprot(void)
 	return checkreqprot;
 }
 
-hidden_def(security_get_checkreqprot);
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe98662..9d17339d1a32 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -80,7 +80,6 @@ int security_compute_av_flags_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags_raw)
 
 int security_compute_av_raw(const char * scon,
 			    const char * tcon,
@@ -107,7 +106,6 @@ int security_compute_av_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_raw)
 
 int security_compute_av_flags(const char * scon,
 			      const char * tcon,
@@ -134,7 +132,6 @@ int security_compute_av_flags(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av_flags)
 
 int security_compute_av(const char * scon,
 			const char * tcon,
@@ -162,4 +159,3 @@ int security_compute_av(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_av)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac2224..1d75714d852d 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -105,7 +105,6 @@ int security_compute_create_name_raw(const char * scon,
 	close(fd);
 	return ret;
 }
-hidden_def(security_compute_create_name_raw)
 
 int security_compute_create_raw(const char * scon,
 				const char * tcon,
@@ -115,7 +114,6 @@ int security_compute_create_raw(const char * scon,
 	return security_compute_create_name_raw(scon, tcon, tclass,
 						NULL, newcon);
 }
-hidden_def(security_compute_create_raw)
 
 int security_compute_create_name(const char * scon,
 				 const char * tcon,
@@ -146,7 +144,6 @@ int security_compute_create_name(const char * scon,
 
 	return ret;
 }
-hidden_def(security_compute_create_name)
 
 int security_compute_create(const char * scon,
 				const char * tcon,
@@ -155,4 +152,3 @@ int security_compute_create(const char * scon,
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
-hidden_def(security_compute_create)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221ef9ea..16234b7908f2 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -60,7 +60,6 @@ int security_compute_member_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_member_raw)
 
 int security_compute_member(const char * scon,
 			    const char * tcon,
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3344c..dd20d6525993 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -60,7 +60,6 @@ int security_compute_relabel_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_relabel_raw)
 
 int security_compute_relabel(const char * scon,
 			     const char * tcon,
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index e7da964ff46d..ae5e7b4a8f68 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -80,7 +80,6 @@ int security_compute_user_raw(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user_raw)
 
 int security_compute_user(const char * scon,
 			  const char *user, char *** con)
@@ -110,4 +109,3 @@ int security_compute_user(const char * scon,
 	return ret;
 }
 
-hidden_def(security_compute_user)
diff --git a/libselinux/src/context.c b/libselinux/src/context.c
index b673733e1f48..090264a49eb1 100644
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@@ -82,7 +82,6 @@ context_t context_new(const char *str)
 	return 0;
 }
 
-hidden_def(context_new)
 
 static void conditional_free(char **v)
 {
@@ -113,7 +112,6 @@ void context_free(context_t context)
 	}
 }
 
-hidden_def(context_free)
 
 /*
  * Return a pointer to the string value of the context.
@@ -144,7 +142,6 @@ char *context_str(context_t context)
 	return n->current_str;
 }
 
-hidden_def(context_str)
 
 /* Returns nonzero iff failed */
 static int set_comp(context_private_t * n, int idx, const char *str)
@@ -176,8 +173,7 @@ const char * context_ ## name ## _get(context_t context) \
 { \
         context_private_t *n = context->ptr; \
         return n->component[tag]; \
-} \
-hidden_def(context_ ## name ## _get)
+}
 
 def_get(type, COMP_TYPE)
     def_get(user, COMP_USER)
@@ -187,8 +183,7 @@ def_get(type, COMP_TYPE)
 int context_ ## name ## _set(context_t context, const char* str) \
 { \
         return set_comp(context->ptr,tag,str);\
-} \
-hidden_def(context_ ## name ## _set)
+}
     def_set(type, COMP_TYPE)
     def_set(role, COMP_ROLE)
     def_set(user, COMP_USER)
diff --git a/libselinux/src/context_internal.h b/libselinux/src/context_internal.h
index 3c71e8027080..a7698106923e 100644
--- a/libselinux/src/context_internal.h
+++ b/libselinux/src/context_internal.h
@@ -1,14 +1,2 @@
 #include <selinux/context.h>
-#include "dso.h"
 
-hidden_proto(context_new)
-    hidden_proto(context_free)
-    hidden_proto(context_str)
-    hidden_proto(context_type_set)
-    hidden_proto(context_type_get)
-    hidden_proto(context_role_set)
-    hidden_proto(context_role_get)
-    hidden_proto(context_user_set)
-    hidden_proto(context_user_get)
-    hidden_proto(context_range_set)
-    hidden_proto(context_range_get)
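Review bot: after this hunk `context_internal.h` consists of nothing but `#include <selinux/context.h>` and a blank line. Either delete the header and have its users include `<selinux/context.h>` directly, or leave a comment explaining why the wrapper is kept; `get_context_list_internal.h` and `get_default_type_internal.h` end up in the same state further down in this patch. At minimum drop the trailing blank line.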
diff --git a/libselinux/src/deny_unknown.c b/libselinux/src/deny_unknown.c
index 77d04e370f30..fdd32b50a246 100644
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@@ -37,4 +37,3 @@ int security_deny_unknown(void)
 	return deny_unknown;
 }
 
-hidden_def(security_deny_unknown);
diff --git a/libselinux/src/disable.c b/libselinux/src/disable.c
index 8d66262aff03..1a5ae4172a8d 100644
--- a/libselinux/src/disable.c
+++ b/libselinux/src/disable.c
@@ -35,4 +35,3 @@ int security_disable(void)
 	return 0;
 }
 
-hidden_def(security_disable)
diff --git a/libselinux/src/dso.h b/libselinux/src/dso.h
deleted file mode 100644
index 12c3d1160fb0..000000000000
--- a/libselinux/src/dso.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef _SELINUX_DSO_H
-#define _SELINUX_DSO_H	1
-
-#ifdef SHARED
-# define hidden __attribute__ ((visibility ("hidden")))
-# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
-# define __hidden_proto(fct, internal)	\
-     extern __typeof (fct) internal;	\
-     extern __typeof (fct) fct __asm (#internal) hidden;
-# if defined(__alpha__) || defined(__mips__)
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
-# else
-#  define hidden_def(fct) \
-     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
-#endif
-#else
-# define hidden
-# define hidden_proto(fct)
-# define hidden_def(fct)
-#endif
-
-#endif
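Review bot: deleting dso.h removes two mechanisms at once: the `visibility ("hidden")` attribute behind `hidden`, and the `fct##_internal` alias plus `.set`/`=` asm in `hidden_proto`/`hidden_def` that bound in-library calls to the local definition. Neither replacement is in this patch, so as a standalone commit it widens the exported symbol set and re-enables interposition for every call that used to go through `*_internal`; consider reordering the series so the replacement lands first, or squashing, to keep bisection clean. Also confirm with a grep that no remaining file still has `#include "dso.h"`, since the header no longer exists.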
diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index dd628fba86a8..fefb0bd9ae02 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -20,7 +20,6 @@ int is_selinux_enabled(void)
 #endif
 }
 
-hidden_def(is_selinux_enabled)
 
 /*
  * Function: is_selinux_mls_enabled()
@@ -55,4 +54,3 @@ int is_selinux_mls_enabled(void)
 	return enabled;
 }
 
-hidden_def(is_selinux_mls_enabled)
diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c
index 5522ac16e385..8c748f8a2e64 100644
--- a/libselinux/src/fgetfilecon.c
+++ b/libselinux/src/fgetfilecon.c
@@ -49,7 +49,6 @@ int fgetfilecon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(fgetfilecon_raw)
 
 int fgetfilecon(int fd, char ** context)
 {
diff --git a/libselinux/src/freecon.c b/libselinux/src/freecon.c
index 5290dfa13bc4..df2d7e2827ea 100644
--- a/libselinux/src/freecon.c
+++ b/libselinux/src/freecon.c
@@ -8,4 +8,3 @@ void freecon(char * con)
 	free(con);
 }
 
-hidden_def(freecon)
diff --git a/libselinux/src/freeconary.c b/libselinux/src/freeconary.c
index 8d07718ed5f9..fd2dbaabfbcf 100644
--- a/libselinux/src/freeconary.c
+++ b/libselinux/src/freeconary.c
@@ -16,4 +16,3 @@ void freeconary(char ** con)
 	free(con);
 }
 
-hidden_def(freeconary)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05ddd4..5cf34e3fa5d0 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -25,7 +25,6 @@ int fsetfilecon_raw(int fd, const char * context)
 	return rc;
 }
 
-hidden_def(fsetfilecon_raw)
 
 int fsetfilecon(int fd, const char *context)
 {
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 26d7b3b98e75..b43652ffd28c 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -52,7 +52,6 @@ int get_default_context_with_role(const char *user,
 	return rc;
 }
 
-hidden_def(get_default_context_with_role)
 
 int get_default_context_with_rolelevel(const char *user,
 				       const char *role,
@@ -385,7 +384,6 @@ int get_ordered_context_list_with_level(const char *user,
 	return rc;
 }
 
-hidden_def(get_ordered_context_list_with_level)
 
 int get_default_context_with_level(const char *user,
 				   const char *level,
@@ -497,4 +495,3 @@ int get_ordered_context_list(const char *user,
 	goto out;
 }
 
-hidden_def(get_ordered_context_list)
diff --git a/libselinux/src/get_context_list_internal.h b/libselinux/src/get_context_list_internal.h
index c224834ebfb4..a7c1d41ba07f 100644
--- a/libselinux/src/get_context_list_internal.h
+++ b/libselinux/src/get_context_list_internal.h
@@ -1,6 +1,2 @@
 #include <selinux/get_context_list.h>
-#include "dso.h"
 
-hidden_proto(get_ordered_context_list)
-    hidden_proto(get_ordered_context_list_with_level)
-    hidden_proto(get_default_context_with_role)
diff --git a/libselinux/src/get_default_type_internal.h b/libselinux/src/get_default_type_internal.h
index 0da3c512d6fb..deb5d2963211 100644
--- a/libselinux/src/get_default_type_internal.h
+++ b/libselinux/src/get_default_type_internal.h
@@ -1,4 +1,2 @@
 #include <selinux/get_default_type.h>
-#include "dso.h"
 
-hidden_proto(selinux_default_type_path)
diff --git a/libselinux/src/get_initial_context.c b/libselinux/src/get_initial_context.c
index 5e919f478b63..97ae3dcfb5a6 100644
--- a/libselinux/src/get_initial_context.c
+++ b/libselinux/src/get_initial_context.c
@@ -53,7 +53,6 @@ int security_get_initial_context_raw(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context_raw)
 
 int security_get_initial_context(const char * name, char ** con)
 {
@@ -69,4 +68,3 @@ int security_get_initial_context(const char * name, char ** con)
 	return ret;
 }
 
-hidden_def(security_get_initial_context)
diff --git a/libselinux/src/getenforce.c b/libselinux/src/getenforce.c
index d909dced73c6..3f1e20021a4e 100644
--- a/libselinux/src/getenforce.c
+++ b/libselinux/src/getenforce.c
@@ -37,4 +37,3 @@ int security_getenforce(void)
 	return !!enforce;
 }
 
-hidden_def(security_getenforce)
diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c
index 20bee8abdbfc..4bee31372172 100644
--- a/libselinux/src/getfilecon.c
+++ b/libselinux/src/getfilecon.c
@@ -49,7 +49,6 @@ int getfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon_raw)
 
 int getfilecon(const char *path, char ** context)
 {
@@ -70,4 +69,3 @@ int getfilecon(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(getfilecon)
diff --git a/libselinux/src/getpeercon.c b/libselinux/src/getpeercon.c
index 3a77a2de2c95..a9dca73e438a 100644
--- a/libselinux/src/getpeercon.c
+++ b/libselinux/src/getpeercon.c
@@ -43,7 +43,6 @@ int getpeercon_raw(int fd, char ** context)
 	return ret;
 }
 
-hidden_def(getpeercon_raw)
 
 int getpeercon(int fd, char ** context)
 {
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 083638c47fbf..542c979b9da6 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -12,7 +12,6 @@
 #include <stdint.h>
 #include <limits.h>
 
-#include "dso.h"
 #include "policy.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
@@ -79,7 +78,6 @@ int selinuxfs_exists(void)
 	fclose(fp);
 	return exists;
 }
-hidden_def(selinuxfs_exists)
 
 static void init_selinuxmnt(void)
 {
@@ -138,14 +136,12 @@ void fini_selinuxmnt(void)
 	selinux_mnt = NULL;
 }
 
-hidden_def(fini_selinuxmnt)
 
 void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
 
-hidden_def(set_selinuxmnt)
 
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7ed2a43770a7..361b443cb9c4 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,6 @@
 #include <stdio.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
-#include "dso.h"
 #include "sha1.h"
 
 #if defined(ANDROID) || defined(__APPLE__)
@@ -26,22 +25,22 @@
  */
 int selabel_file_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_media_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_x_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_db_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 int selabel_service_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) hidden;
+			    unsigned nopts) ;
 
 /*
  * Labeling internal structures
@@ -120,14 +119,14 @@ struct selabel_handle {
  */
 extern int
 selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) hidden;
+		 struct selabel_lookup_rec *contexts) ;
 
 /*
  * Compatibility support
  */
 extern int myprintf_compat;
 extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...) hidden;
+(*myprintf) (const char *fmt, ...) ;
 
 #define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
 		myprintf(fmt);				  \
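Review bot: `struct selabel_lookup_rec *contexts) ;` and `(*myprintf) (const char *fmt, ...) ;` keep the space that preceded `hidden`; the same applies to the six `selabel_*_init` prototypes in the previous hunk and to `compat_validate` in the next one. Please strip the whitespace so every declaration ends in `);`.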
@@ -137,7 +136,7 @@ extern void __attribute__ ((format(printf, 1, 2)))
 extern int
 compat_validate(struct selabel_handle *rec,
 		struct selabel_lookup_rec *contexts,
-		const char *path, unsigned lineno) hidden;
+		const char *path, unsigned lineno) ;
 
 /*
  * The read_spec_entries function may be used to
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 26f9ef155dcf..94ed6e4273cb 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@@ -63,7 +63,7 @@ static inline int read_spec_entry(char **entry, char **ptr, int *len, const char
  * This function calls read_spec_entry() to do the actual string processing.
  * As such, can return anything from that function as well.
  */
-int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 {
 	char **spec_entry, *buf_p;
 	int len, rc, items, entry_len = 0;
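Review bot: `int  read_spec_entries(char *line_buf, ...)` now has a double space where `hidden` used to sit; the next two hunks have the same (`void  digest_gen_hash`, `int  digest_add_specfile`). Collapse to a single space.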
@@ -113,7 +113,7 @@ int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args,
 }
 
 /* Once all the specfiles are in the hash_buf, generate the hash. */
-void hidden digest_gen_hash(struct selabel_digest *digest)
+void  digest_gen_hash(struct selabel_digest *digest)
 {
 	Sha1Context context;
 
@@ -141,7 +141,7 @@ void hidden digest_gen_hash(struct selabel_digest *digest)
  *
  * Return %0 on success, -%1 with @errno set on failure.
  */
-int hidden digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+int  digest_add_specfile(struct selabel_digest *digest, FILE *fp,
 				    char *from_addr, size_t buf_len,
 				    const char *path)
 {
diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c
index db67bc60ffe6..d1fb821b23ef 100644
--- a/libselinux/src/lgetfilecon.c
+++ b/libselinux/src/lgetfilecon.c
@@ -49,7 +49,6 @@ int lgetfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 
-hidden_def(lgetfilecon_raw)
 
 int lgetfilecon(const char *path, char ** context)
 {
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 9e75292d2528..fa1a3bf1f441 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -45,7 +45,6 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 }
 
-hidden_def(security_load_policy)
 
 #ifndef ANDROID
 #undef max
@@ -213,7 +212,6 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	return rc;
 }
 
-hidden_def(selinux_mkload_policy)
 
 /*
  * Mount point for selinuxfs. 
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1c5fc..213fb684fc66 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -25,7 +25,6 @@ int lsetfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(lsetfilecon_raw)
 
 int lsetfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa4cfd5..bddf77a49ce1 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -322,7 +322,7 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
 
-void hidden __attribute__((destructor)) matchpathcon_lib_destructor(void)
+void  __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
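Review bot: `void  __attribute__((destructor)) matchpathcon_lib_destructor(void)` keeps a double space. More importantly, this destructor was deliberately `hidden`; the declaration on the line above (`void __attribute__((destructor)) matchpathcon_lib_destructor(void);`) is not, so after this hunk it is a default-visibility global. It should not appear in the library's exported symbol list, because calling it from outside the library deletes `destructor_key` under the callers' feet.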
@@ -351,7 +351,6 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 
-hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
 {
diff --git a/libselinux/src/policyvers.c b/libselinux/src/policyvers.c
index c97dd9df7a8a..e5aa2f3f2d55 100644
--- a/libselinux/src/policyvers.c
+++ b/libselinux/src/policyvers.c
@@ -7,7 +7,6 @@
 #include "selinux_internal.h"
 #include <stdio.h>
 #include "policy.h"
-#include "dso.h"
 #include <limits.h>
 
 int security_policyvers(void)
@@ -42,4 +41,3 @@ int security_policyvers(void)
 	return vers;
 }
 
-hidden_def(security_policyvers)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef27533..1aa67ac53f39 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -57,7 +57,7 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) procattr_destructor(void);
 
-void hidden __attribute__((destructor)) procattr_destructor(void)
+void  __attribute__((destructor)) procattr_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
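Review bot: same double space in `void  __attribute__((destructor)) procattr_destructor(void)`; as with `matchpathcon_lib_destructor`, keep this destructor out of the exported symbol set once the visibility attribute is gone.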
@@ -345,22 +345,3 @@ all_selfattr_def(con, current)
     all_selfattr_def(sockcreatecon, sockcreate)
     all_selfattr_def(keycreatecon, keycreate)
 
-    hidden_def(getcon_raw)
-    hidden_def(getcon)
-    hidden_def(getexeccon_raw)
-    hidden_def(getfilecon_raw)
-    hidden_def(getfilecon)
-    hidden_def(getfscreatecon_raw)
-    hidden_def(getkeycreatecon_raw)
-    hidden_def(getpeercon_raw)
-    hidden_def(getpidcon_raw)
-    hidden_def(getprevcon_raw)
-    hidden_def(getprevcon)
-    hidden_def(getsockcreatecon_raw)
-    hidden_def(setcon_raw)
-    hidden_def(setexeccon_raw)
-    hidden_def(setexeccon)
-    hidden_def(setfilecon_raw)
-    hidden_def(setfscreatecon_raw)
-    hidden_def(setkeycreatecon_raw)
-    hidden_def(setsockcreatecon_raw)
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
index 6732b349984c..10c3df7856e1 100644
--- a/libselinux/src/regex.h
+++ b/libselinux/src/regex.h
@@ -10,7 +10,6 @@
 #include <pcre.h>
 #endif
 
-#include "dso.h"
 
 enum { REGEX_MATCH,
        REGEX_MATCH_PARTIAL,
@@ -42,7 +41,7 @@ struct mmap_area;
  * expressions are not portable across architectures that do not have a
  * matching arch-string.
  */
-char const *regex_arch_string(void) hidden;
+char const *regex_arch_string(void) ;
 
 /**
  * regex_verison returns the version string of the underlying regular
@@ -55,12 +54,12 @@ char const *regex_arch_string(void) hidden;
  *
  * It may return NULL on error.
  */
-char const *regex_version(void) hidden;
+char const *regex_version(void) ;
 /**
  * This constructor function allocates a buffer for a regex_data structure.
  * The buffer is being initialized with zeroes.
  */
-struct regex_data *regex_data_create(void) hidden;
+struct regex_data *regex_data_create(void) ;
 /**
  * This complementary destructor function frees the a given regex_data buffer.
  * It also frees any non NULL member pointers with the appropriate pcreX_X_free
@@ -68,7 +67,7 @@ struct regex_data *regex_data_create(void) hidden;
  * the pcre_extra data conditionally. Calling this function on a NULL pointer is
  * save.
  */
-void regex_data_free(struct regex_data *regex) hidden;
+void regex_data_free(struct regex_data *regex) ;
 /**
  * This function compiles the regular expression. Additionally, it prepares
  * data structures required by the different underlying engines. For PCRE
@@ -88,7 +87,7 @@ void regex_data_free(struct regex_data *regex) hidden;
  * @retval -1 on error
  */
 int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
-		       struct regex_error_data *errordata) hidden;
+		       struct regex_error_data *errordata) ;
 /**
  * This function loads a serialized precompiled pattern from a contiguous
  * data region given by map_area.
@@ -109,7 +108,7 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string,
 int regex_load_mmap(struct mmap_area *map_area,
 		    struct regex_data **regex,
 		    int do_load_precompregex,
-		    bool *regex_compiled) hidden;
+		    bool *regex_compiled) ;
 /**
  * This function stores a precompiled regular expression to a file.
  * In the case of PCRE, it just dumps the binary representation of the
@@ -122,7 +121,7 @@ int regex_load_mmap(struct mmap_area *map_area,
  *			      the output file (ignored by PCRE1 back-end).
  */
 int regex_writef(struct regex_data *regex, FILE *fp,
-		 int do_write_precompregex) hidden;
+		 int do_write_precompregex) ;
 /**
  * This function applies a precompiled pattern to a subject string and
  * returns whether or not a match was found.
@@ -139,7 +138,7 @@ int regex_writef(struct regex_data *regex, FILE *fp,
  *                     regular expression
  */
 int regex_match(struct regex_data *regex, char const *subject,
-		int partial) hidden;
+		int partial) ;
 /**
  * This function compares two compiled regular expressions (regex1 and regex2).
  * It compares the binary representations of the compiled patterns. It is a very
@@ -150,7 +149,7 @@ int regex_match(struct regex_data *regex, char const *subject,
  *                       the same
  * @retval SELABEL_INCOMPARABLE otherwise
  */
-int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
+int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) ;
 /**
  * This function takes the error data returned by regex_prepare_data and turns
  * it in to a human readable error message.
@@ -163,5 +162,5 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
  * @arg buf_size Total size of the given buffer in bytes.
  */
 void regex_format_error(struct regex_error_data const *error_data, char *buffer,
-			size_t buf_size) hidden;
+			size_t buf_size) ;
 #endif /* SRC_REGEX_H_ */
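Review bot: every `regex_*` prototype in this header now ends in `) ;` (`char const *regex_version(void) ;`, `int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) ;`, through `size_t buf_size) ;` in this hunk); please normalize them to `);`. This header lives in `libselinux/src/`, not the public include directory, so these functions should be marked local rather than exported by whatever replaces `hidden`.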
diff --git a/libselinux/src/reject_unknown.c b/libselinux/src/reject_unknown.c
index 5c1d36053812..96e60be396ea 100644
--- a/libselinux/src/reject_unknown.c
+++ b/libselinux/src/reject_unknown.c
@@ -37,4 +37,3 @@ int security_reject_unknown(void)
 	return reject_unknown;
 }
 
-hidden_def(security_reject_unknown);
diff --git a/libselinux/src/selinux_check_securetty_context.c b/libselinux/src/selinux_check_securetty_context.c
index 55d4e039ea41..c5c557fd3492 100644
--- a/libselinux/src/selinux_check_securetty_context.c
+++ b/libselinux/src/selinux_check_securetty_context.c
@@ -50,4 +50,3 @@ int selinux_check_securetty_context(const char * tty_context)
 	return found;
 }
 
-hidden_def(selinux_check_securetty_context)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b16a3851ad4a..6c5238953cb1 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -128,7 +128,6 @@ int selinux_getenforcemode(int *enforce)
 	return ret;
 }
 
-hidden_def(selinux_getenforcemode)
 
 static char *selinux_policytype;
 
@@ -141,7 +140,6 @@ int selinux_getpolicytype(char **type)
 	return *type ? 0 : -1;
 }
 
-hidden_def(selinux_getpolicytype)
 
 static int setpolicytype(const char *type)
 {
@@ -249,7 +247,6 @@ void selinux_reset_config(void)
 	init_selinux_config();
 }
 
-hidden_def(selinux_reset_config)
 
 static const char *get_path(int idx)
 {
@@ -262,7 +259,6 @@ const char *selinux_default_type_path(void)
 	return get_path(DEFAULT_TYPE);
 }
 
-hidden_def(selinux_default_type_path)
 
 const char *selinux_policy_root(void)
 {
@@ -305,42 +301,36 @@ const char *selinux_path(void)
 	return selinux_rootpath;
 }
 
-hidden_def(selinux_path)
 
 const char *selinux_default_context_path(void)
 {
 	return get_path(DEFAULT_CONTEXTS);
 }
 
-hidden_def(selinux_default_context_path)
 
 const char *selinux_securetty_types_path(void)
 {
 	return get_path(SECURETTY_TYPES);
 }
 
-hidden_def(selinux_securetty_types_path)
 
 const char *selinux_failsafe_context_path(void)
 {
 	return get_path(FAILSAFE_CONTEXT);
 }
 
-hidden_def(selinux_failsafe_context_path)
 
 const char *selinux_removable_context_path(void)
 {
 	return get_path(REMOVABLE_CONTEXT);
 }
 
-hidden_def(selinux_removable_context_path)
 
 const char *selinux_binary_policy_path(void)
 {
 	return get_path(BINPOLICY);
 }
 
-hidden_def(selinux_binary_policy_path)
 
 const char *selinux_current_policy_path(void)
 {
@@ -365,35 +355,30 @@ const char *selinux_current_policy_path(void)
 	return policy_path;
 }
 
-hidden_def(selinux_current_policy_path)
 
 const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
 }
 
-hidden_def(selinux_file_context_path)
 
 const char *selinux_homedir_context_path(void)
 {
 	return get_path(HOMEDIR_CONTEXTS);
 }
 
-hidden_def(selinux_homedir_context_path)
 
 const char *selinux_media_context_path(void)
 {
 	return get_path(MEDIA_CONTEXTS);
 }
 
-hidden_def(selinux_media_context_path)
 
 const char *selinux_customizable_types_path(void)
 {
 	return get_path(CUSTOMIZABLE_TYPES);
 }
 
-hidden_def(selinux_customizable_types_path)
 
 const char *selinux_contexts_path(void)
 {
@@ -405,7 +390,6 @@ const char *selinux_user_contexts_path(void)
 	return get_path(USER_CONTEXTS);
 }
 
-hidden_def(selinux_user_contexts_path)
 
 /* Deprecated as local policy booleans no longer supported. */
 const char *selinux_booleans_path(void)
@@ -413,7 +397,6 @@ const char *selinux_booleans_path(void)
 	return get_path(BOOLEANS);
 }
 
-hidden_def(selinux_booleans_path)
 
 /* Deprecated as no longer supported. */
 const char *selinux_users_path(void)
@@ -421,127 +404,108 @@ const char *selinux_users_path(void)
 	return get_path(USERS_DIR);
 }
 
-hidden_def(selinux_users_path)
 
 const char *selinux_usersconf_path(void)
 {
 	return get_path(SEUSERS);
 }
 
-hidden_def(selinux_usersconf_path)
 
 const char *selinux_translations_path(void)
 {
 	return get_path(TRANSLATIONS);
 }
 
-hidden_def(selinux_translations_path)
 
 const char *selinux_colors_path(void)
 {
 	return get_path(COLORS);
 }
 
-hidden_def(selinux_colors_path)
 
 const char *selinux_netfilter_context_path(void)
 {
 	return get_path(NETFILTER_CONTEXTS);
 }
 
-hidden_def(selinux_netfilter_context_path)
 
 const char *selinux_file_context_homedir_path(void)
 {
 	return get_path(FILE_CONTEXTS_HOMEDIR);
 }
 
-hidden_def(selinux_file_context_homedir_path)
 
 const char *selinux_file_context_local_path(void)
 {
 	return get_path(FILE_CONTEXTS_LOCAL);
 }
 
-hidden_def(selinux_file_context_local_path)
 
 const char *selinux_x_context_path(void)
 {
 	return get_path(X_CONTEXTS);
 }
 
-hidden_def(selinux_x_context_path)
 
 const char *selinux_virtual_domain_context_path(void)
 {
 	return get_path(VIRTUAL_DOMAIN);
 }
 
-hidden_def(selinux_virtual_domain_context_path)
 
 const char *selinux_virtual_image_context_path(void)
 {
 	return get_path(VIRTUAL_IMAGE);
 }
 
-hidden_def(selinux_virtual_image_context_path)
 
 const char *selinux_lxc_contexts_path(void)
 {
 	return get_path(LXC_CONTEXTS);
 }
 
-hidden_def(selinux_lxc_contexts_path)
 
 const char *selinux_openrc_contexts_path(void)
 {
     return get_path(OPENRC_CONTEXTS);
 }
 
-hidden_def(selinux_openrc_contexts_path)
 
 const char *selinux_openssh_contexts_path(void)
 {
     return get_path(OPENSSH_CONTEXTS);
 }
 
-hidden_def(selinux_openssh_contexts_path)
 
 const char *selinux_snapperd_contexts_path(void)
 {
     return get_path(SNAPPERD_CONTEXTS);
 }
 
-hidden_def(selinux_snapperd_contexts_path)
 
 const char *selinux_systemd_contexts_path(void)
 {
 	return get_path(SYSTEMD_CONTEXTS);
 }
 
-hidden_def(selinux_systemd_contexts_path)
 
 const char * selinux_booleans_subs_path(void) {
 	return get_path(BOOLEAN_SUBS);
 }
 
-hidden_def(selinux_booleans_subs_path)
 
 const char * selinux_file_context_subs_path(void) {
 	return get_path(FILE_CONTEXT_SUBS);
 }
 
-hidden_def(selinux_file_context_subs_path)
 
 const char * selinux_file_context_subs_dist_path(void) {
 	return get_path(FILE_CONTEXT_SUBS_DIST);
 }
 
-hidden_def(selinux_file_context_subs_dist_path)
 
 const char *selinux_sepgsql_context_path(void)
 {
 	return get_path(SEPGSQL_CONTEXTS);
 }
 
-hidden_def(selinux_sepgsql_context_path)
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 61b78aaa7c10..27e9ac532c3f 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -1,116 +1,9 @@
 #include <selinux/selinux.h>
 #include <pthread.h>
-#include "dso.h"
-
-hidden_proto(selinux_mkload_policy)
-    hidden_proto(fini_selinuxmnt)
-    hidden_proto(set_selinuxmnt)
-    hidden_proto(selinuxfs_exists)
-    hidden_proto(security_disable)
-    hidden_proto(security_policyvers)
-    hidden_proto(security_load_policy)
-    hidden_proto(security_get_boolean_active)
-    hidden_proto(security_get_boolean_names)
-    hidden_proto(security_set_boolean)
-    hidden_proto(security_commit_booleans)
-    hidden_proto(security_check_context)
-    hidden_proto(security_check_context_raw)
-    hidden_proto(security_canonicalize_context)
-    hidden_proto(security_canonicalize_context_raw)
-    hidden_proto(security_compute_av)
-    hidden_proto(security_compute_av_raw)
-    hidden_proto(security_compute_av_flags)
-    hidden_proto(security_compute_av_flags_raw)
-    hidden_proto(security_compute_user)
-    hidden_proto(security_compute_user_raw)
-    hidden_proto(security_compute_create)
-    hidden_proto(security_compute_create_raw)
-    hidden_proto(security_compute_create_name)
-    hidden_proto(security_compute_create_name_raw)
-    hidden_proto(security_compute_member_raw)
-    hidden_proto(security_compute_relabel_raw)
-    hidden_proto(security_validatetrans)
-    hidden_proto(security_validatetrans_raw)
-    hidden_proto(is_selinux_enabled)
-    hidden_proto(is_selinux_mls_enabled)
-    hidden_proto(freecon)
-    hidden_proto(freeconary)
-    hidden_proto(getprevcon)
-    hidden_proto(getprevcon_raw)
-    hidden_proto(getcon)
-    hidden_proto(getcon_raw)
-    hidden_proto(setcon_raw)
-    hidden_proto(getpeercon_raw)
-    hidden_proto(getpidcon_raw)
-    hidden_proto(getexeccon_raw)
-    hidden_proto(getfilecon)
-    hidden_proto(getfilecon_raw)
-    hidden_proto(lgetfilecon_raw)
-    hidden_proto(fgetfilecon_raw)
-    hidden_proto(setfilecon_raw)
-    hidden_proto(lsetfilecon_raw)
-    hidden_proto(fsetfilecon_raw)
-    hidden_proto(setexeccon)
-    hidden_proto(setexeccon_raw)
-    hidden_proto(getfscreatecon_raw)
-    hidden_proto(getkeycreatecon_raw)
-    hidden_proto(getsockcreatecon_raw)
-    hidden_proto(setfscreatecon_raw)
-    hidden_proto(setkeycreatecon_raw)
-    hidden_proto(setsockcreatecon_raw)
-    hidden_proto(security_getenforce)
-    hidden_proto(security_setenforce)
-    hidden_proto(security_deny_unknown)
-    hidden_proto(security_reject_unknown)
-    hidden_proto(security_get_checkreqprot)
-    hidden_proto(selinux_boolean_sub)
-    hidden_proto(selinux_current_policy_path)
-    hidden_proto(selinux_binary_policy_path)
-    hidden_proto(selinux_booleans_subs_path)
-    hidden_proto(selinux_default_context_path)
-    hidden_proto(selinux_securetty_types_path)
-    hidden_proto(selinux_failsafe_context_path)
-    hidden_proto(selinux_removable_context_path)
-    hidden_proto(selinux_virtual_domain_context_path)
-    hidden_proto(selinux_virtual_image_context_path)
-    hidden_proto(selinux_lxc_contexts_path)
-    hidden_proto(selinux_file_context_path)
-    hidden_proto(selinux_file_context_homedir_path)
-    hidden_proto(selinux_file_context_local_path)
-    hidden_proto(selinux_file_context_subs_dist_path)
-    hidden_proto(selinux_file_context_subs_path)
-    hidden_proto(selinux_netfilter_context_path)
-    hidden_proto(selinux_homedir_context_path)
-    hidden_proto(selinux_user_contexts_path)
-    hidden_proto(selinux_booleans_path)
-    hidden_proto(selinux_customizable_types_path)
-    hidden_proto(selinux_media_context_path)
-    hidden_proto(selinux_x_context_path)
-    hidden_proto(selinux_sepgsql_context_path)
-    hidden_proto(selinux_openrc_contexts_path)
-    hidden_proto(selinux_openssh_contexts_path)
-    hidden_proto(selinux_snapperd_contexts_path)
-    hidden_proto(selinux_systemd_contexts_path)
-    hidden_proto(selinux_path)
-    hidden_proto(selinux_check_passwd_access)
-    hidden_proto(selinux_check_securetty_context)
-    hidden_proto(matchpathcon_init_prefix)
-    hidden_proto(selinux_users_path)
-    hidden_proto(selinux_usersconf_path);
-hidden_proto(selinux_translations_path);
-hidden_proto(selinux_colors_path);
-hidden_proto(selinux_getenforcemode);
-hidden_proto(selinux_getpolicytype);
-hidden_proto(selinux_raw_to_trans_context);
-hidden_proto(selinux_trans_to_raw_context);
-    hidden_proto(selinux_raw_context_to_color);
-hidden_proto(security_get_initial_context);
-hidden_proto(security_get_initial_context_raw);
-hidden_proto(selinux_reset_config);
-hidden_proto(selinux_flush_class_cache);
-
-extern int require_seusers hidden;
-extern int selinux_page_size hidden;
+
+
+extern int require_seusers ;
+extern int selinux_page_size ;
 
 /* Make pthread_once optional */
 #pragma weak pthread_once
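Review bot: the replacement declarations `+extern int require_seusers ;` and `+extern int selinux_page_size ;` keep the space that sat before the removed `hidden` token, and the two `+` blank lines only replace the `#include "dso.h"` block with empty space; write `extern int require_seusers;` and `extern int selinux_page_size;` and collapse the blank lines. On series ordering: once `hidden` is gone from these externs and from the whole hidden_proto list above, every one of those names has default visibility until the version script arrives in the later Makefile patch, so a tree built with this patch alone exports all of libselinux's internals; if bisectability matters, land the map file in the same commit or ahead of this one.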
@@ -180,4 +73,4 @@ extern int selinux_page_size hidden;
 #define SELINUXDIR "/etc/selinux/"
 #define SELINUXCONFIG SELINUXDIR "config"
 
-extern int has_selinux_config hidden;
+extern int has_selinux_config ;
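Review bot: `+extern int has_selinux_config ;` has the same stray space before the semicolon as the hunk above; `extern int has_selinux_config;`.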
diff --git a/libselinux/src/setenforce.c b/libselinux/src/setenforce.c
index 09cad3ceaf9d..a87ff2d08e30 100644
--- a/libselinux/src/setenforce.c
+++ b/libselinux/src/setenforce.c
@@ -34,4 +34,3 @@ int security_setenforce(int value)
 	return 0;
 }
 
-hidden_def(security_setenforce)
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6c2f3..bd45f12cf707 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -25,7 +25,6 @@ int setfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 
-hidden_def(setfilecon_raw)
 
 int setfilecon(const char *path, const char *context)
 {
diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
index fa188a824f78..52a8ba78b2ad 100644
--- a/libselinux/src/setrans_client.c
+++ b/libselinux/src/setrans_client.c
@@ -19,7 +19,6 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <sys/uio.h>
-#include "dso.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
 
@@ -260,7 +259,7 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
 
 void __attribute__((destructor)) setrans_lib_destructor(void);
 
-void hidden __attribute__((destructor)) setrans_lib_destructor(void)
+void  __attribute__((destructor)) setrans_lib_destructor(void)
 {
 	if (!has_setrans)
 		return;
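Review bot: `+void  __attribute__((destructor)) setrans_lib_destructor(void)` carries a double space where `hidden` was removed; a single space is enough. The destructor is not in the export list, so it only stays private once the `local: *;` version script is linked in; until then it is a default-visibility global like everything else in this patch.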
@@ -327,7 +326,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -369,7 +367,6 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 
 int selinux_raw_context_to_color(const char * raw, char **transp)
 {
@@ -410,7 +407,6 @@ int selinux_raw_context_to_color(const char * raw, char **transp)
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_context_to_color)
 #else /*DISABLE_SETRANS*/
 
 int selinux_trans_to_raw_context(const char * trans,
@@ -426,7 +422,6 @@ int selinux_trans_to_raw_context(const char * trans,
 	return *rawp ? 0 : -1;
 }
 
-hidden_def(selinux_trans_to_raw_context)
 
 int selinux_raw_to_trans_context(const char * raw,
 				 char ** transp)
@@ -440,5 +435,4 @@ int selinux_raw_to_trans_context(const char * raw,
 	return *transp ? 0 : -1;
 }
 
-hidden_def(selinux_raw_to_trans_context)
 #endif /*DISABLE_SETRANS*/
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index 7ec7d12c4546..fff80c1ad47b 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -88,7 +88,7 @@ static int process_seusers(const char *buffer,
 	return -2;		/* error */
 }
 
-int require_seusers hidden = 0;
+int require_seusers  = 0;
 
 #include <pwd.h>
 #include <grp.h>
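Review bot: `+int require_seusers  = 0;` has a double space before `=` left over from the removed `hidden`; `int require_seusers = 0;`.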
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index 004fcd3b28c0..9a8ce01dceda 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -23,7 +23,6 @@
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 #include "sha1.h"
-#include "dso.h"
 #include <memory.h>
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -126,7 +125,7 @@ void
 //
 //  Initialises an SHA1 Context. Use this to initialise/reset a context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Initialise
     (
         Sha1Context*                Context
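Review bot: `+void ` leaves trailing whitespace on the line, and the Sha1Update and Sha1Finalise hunks below have the same trailing space; trim all three. Sha1Initialise/Sha1Update/Sha1Finalise are generic names that other SHA-1 implementations use, which is why they were marked `hidden`; since none of them appears in the map's `global:` list they become local again at link time, but only once the version script is in place.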
@@ -148,7 +147,7 @@ void hidden
 //  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 //  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Update
     (
         Sha1Context*        Context,
@@ -191,7 +190,7 @@ void hidden
 //  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 //  calling this, Sha1Initialised must be used to reuse the context.
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void hidden
+void 
     Sha1Finalise
     (
         Sha1Context*                Context,
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index 29757b750878..012a740a622e 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -180,7 +180,6 @@ void selinux_flush_class_cache(void)
 	discover_class_cache = NULL;
 }
 
-hidden_def(selinux_flush_class_cache)
 
 security_class_t string_to_security_class(const char *s)
 {
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
index 2aa300cfd90a..66ac7405baac 100644
--- a/libselinux/src/validatetrans.c
+++ b/libselinux/src/validatetrans.c
@@ -57,7 +57,6 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans_raw)
 
 int security_validatetrans(const char *scon,
 			   const char *tcon,
@@ -91,4 +90,3 @@ out:
 	return ret;
 }
 
-hidden_def(security_validatetrans)
-- 
2.17.1



* [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
From: bill.c.roberts @ 2020-03-02 16:41 UTC (permalink / raw)
  To: nicolas.iooss
  Cc: bill.c.roberts, drepper, omosnace, plautrba, selinux,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.

Clang has this enabled by default.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7f5a5d7418e9..c76110fbc650 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -65,7 +65,7 @@ EXTRA_CFLAGS = -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nan
 	-Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \
 	-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \
 	-Wno-suggest-attribute=pure -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
-	-Wstrict-overflow=5
+	-Wstrict-overflow=5 -fno-semantic-interposition
 else
 EXTRA_CFLAGS = -Wunused-command-line-argument
 endif
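Review bot: the commit message says this flag restores the guarantee that internal callers of exported symbols bind to libselinux's own definitions, but `-fno-semantic-interposition` is a compiler-side assumption only: it lets GCC bind or inline a call to a definition in the same translation unit. A call from one libselinux object file to an exported function defined in another still goes through the PLT and can still be satisfied by a same-named symbol in a library earlier in the search order. The `hidden_proto`/`hidden_def` aliases covered that cross-file case; to keep it, add `-Bsymbolic-functions` to LD_SONAME_FLAGS (which also removes a set of runtime relocations) or keep an internal hidden alias for exported functions. Placing the flag only in the GCC branch of the `ifeq` is consistent with the note that clang enables it by default.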
-- 
2.17.1



* [PATCH v4 3/4] Makefile: add linker script to minimize exports
From: bill.c.roberts @ 2020-03-02 16:41 UTC (permalink / raw)
  To: nicolas.iooss
  Cc: bill.c.roberts, drepper, omosnace, plautrba, selinux,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Add a linker script that exports only what was previously exported by
libselinux.

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libselinux.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
diff old.map new.map

Fixes: #179

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/Makefile       |   2 +-
 libselinux/src/libselinux.map | 249 ++++++++++++++++++++++++++++++++++
 2 files changed, 250 insertions(+), 1 deletion(-)
 create mode 100644 libselinux/src/libselinux.map

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index c76110fbc650..2d1c654ee24d 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
           -Werror -Wno-aggregate-return -Wno-redundant-decls \
           $(EXTRA_CFLAGS)
 
-LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=libselinux.map,-z,defs,-z,relro
 
 ifeq ($(OS), Darwin)
 override CFLAGS += -I/opt/local/include
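Review bot: `libselinux.map` becomes an input to the link here, but nothing in the hunk adds it as a prerequisite of the `$(LIBSO)` rule, so editing the map will not trigger a relink; add it to that rule's dependencies. Also worth a sentence in the commit message: with `--version-script` every export is tagged with the `LIBSELINUX_1.0` node, so binaries linked against this build carry versioned references and will not load against an older, unversioned libselinux.so.1, while binaries linked against the old library keep working with the new one. That one-way compatibility is the normal cost of introducing symbol versions, but it affects distro downgrade paths.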
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
new file mode 100644
index 000000000000..73f4c072af02
--- /dev/null
+++ b/libselinux/src/libselinux.map
@@ -0,0 +1,249 @@
+LIBSELINUX_1.0 {
+  global:
+    avc_add_callback;
+    avc_audit;
+    avc_av_stats;
+    avc_cache_stats;
+    avc_cleanup;
+    avc_compute_create;
+    avc_compute_member;
+    avc_context_to_sid;
+    avc_context_to_sid_raw;
+    avc_destroy;
+    avc_get_initial_sid;
+    avc_has_perm;
+    avc_has_perm_noaudit;
+    avc_init;
+    avc_netlink_acquire_fd;
+    avc_netlink_check_nb;
+    avc_netlink_close;
+    avc_netlink_loop;
+    avc_netlink_open;
+    avc_netlink_release_fd;
+    avc_open;
+    avc_reset;
+    avc_sid_stats;
+    avc_sid_to_context;
+    avc_sid_to_context_raw;
+    checkPasswdAccess;
+    context_free;
+    context_new;
+    context_range_get;
+    context_range_set;
+    context_role_get;
+    context_role_set;
+    context_str;
+    context_type_get;
+    context_type_set;
+    context_user_get;
+    context_user_set;
+    dir_xattr_list;
+    fgetfilecon;
+    fgetfilecon_raw;
+    fini_selinuxmnt;
+    freecon;
+    freeconary;
+    fsetfilecon;
+    fsetfilecon_raw;
+    getcon;
+    getcon_raw;
+    get_default_context;
+    get_default_context_with_level;
+    get_default_context_with_role;
+    get_default_context_with_rolelevel;
+    get_default_type;
+    getexeccon;
+    getexeccon_raw;
+    getfilecon;
+    getfilecon_raw;
+    getfscreatecon;
+    getfscreatecon_raw;
+    getkeycreatecon;
+    getkeycreatecon_raw;
+    get_ordered_context_list;
+    get_ordered_context_list_with_level;
+    getpeercon;
+    getpeercon_raw;
+    getpidcon;
+    getpidcon_raw;
+    getprevcon;
+    getprevcon_raw;
+    getseuser;
+    getseuserbyname;
+    getsockcreatecon;
+    getsockcreatecon_raw;
+    is_context_customizable;
+    is_selinux_enabled;
+    is_selinux_mls_enabled;
+    lgetfilecon;
+    lgetfilecon_raw;
+    lsetfilecon;
+    lsetfilecon_raw;
+    manual_user_enter_context;
+    map_class;
+    map_decision;
+    map_perm;
+    matchmediacon;
+    matchpathcon;
+    matchpathcon_checkmatches;
+    matchpathcon_filespec_add;
+    matchpathcon_filespec_destroy;
+    matchpathcon_filespec_eval;
+    matchpathcon_fini;
+    matchpathcon_index;
+    matchpathcon_init;
+    matchpathcon_init_prefix;
+    mode_to_security_class;
+    myprintf_compat;
+    print_access_vector;
+    query_user_context;
+    realpath_not_final;
+    rpm_execcon;
+    security_av_perm_to_string;
+    security_av_string;
+    security_canonicalize_context;
+    security_canonicalize_context_raw;
+    security_check_context;
+    security_check_context_raw;
+    security_class_to_string;
+    security_commit_booleans;
+    security_compute_av;
+    security_compute_av_flags;
+    security_compute_av_flags_raw;
+    security_compute_av_raw;
+    security_compute_create;
+    security_compute_create_name;
+    security_compute_create_name_raw;
+    security_compute_create_raw;
+    security_compute_member;
+    security_compute_member_raw;
+    security_compute_relabel;
+    security_compute_relabel_raw;
+    security_compute_user;
+    security_compute_user_raw;
+    security_deny_unknown;
+    security_disable;
+    security_get_boolean_active;
+    security_get_boolean_names;
+    security_get_boolean_pending;
+    security_get_checkreqprot;
+    security_getenforce;
+    security_get_initial_context;
+    security_get_initial_context_raw;
+    security_load_booleans;
+    security_load_policy;
+    security_policyvers;
+    security_reject_unknown;
+    security_set_boolean;
+    security_set_boolean_list;
+    security_setenforce;
+    security_validatetrans;
+    security_validatetrans_raw;
+    selabel_close;
+    selabel_cmp;
+    selabel_digest;
+    selabel_get_digests_all_partial_matches;
+    selabel_hash_all_partial_matches;
+    selabel_lookup;
+    selabel_lookup_best_match;
+    selabel_lookup_best_match_raw;
+    selabel_lookup_raw;
+    selabel_open;
+    selabel_partial_match;
+    selabel_stats;
+    selinux_binary_policy_path;
+    selinux_booleans_path;
+    selinux_booleans_subs_path;
+    selinux_boolean_sub;
+    selinux_check_access;
+    selinux_check_passwd_access;
+    selinux_check_securetty_context;
+    selinux_colors_path;
+    selinux_contexts_path;
+    selinux_current_policy_path;
+    selinux_customizable_types_path;
+    selinux_default_context_path;
+    selinux_default_type_path;
+    selinux_failsafe_context_path;
+    selinux_file_context_cmp;
+    selinux_file_context_homedir_path;
+    selinux_file_context_local_path;
+    selinux_file_context_path;
+    selinux_file_context_subs_dist_path;
+    selinux_file_context_subs_path;
+    selinux_file_context_verify;
+    selinux_flush_class_cache;
+    selinuxfs_exists;
+    selinux_get_callback;
+    selinux_getenforcemode;
+    selinux_getpolicytype;
+    selinux_homedir_context_path;
+    selinux_init_load_policy;
+    selinux_lsetfilecon_default;
+    selinux_lxc_contexts_path;
+    selinux_media_context_path;
+    selinux_mkload_policy;
+    selinux_mnt;
+    selinux_netfilter_context_path;
+    selinux_openrc_contexts_path;
+    selinux_openssh_contexts_path;
+    selinux_path;
+    selinux_policy_root;
+    selinux_raw_context_to_color;
+    selinux_raw_to_trans_context;
+    selinux_removable_context_path;
+    selinux_reset_config;
+    selinux_restorecon;
+    selinux_restorecon_default_handle;
+    selinux_restorecon_set_alt_rootpath;
+    selinux_restorecon_set_exclude_list;
+    selinux_restorecon_set_sehandle;
+    selinux_restorecon_xattr;
+    selinux_securetty_types_path;
+    selinux_sepgsql_context_path;
+    selinux_set_callback;
+    selinux_set_mapping;
+    selinux_set_policy_root;
+    selinux_snapperd_contexts_path;
+    selinux_status_close;
+    selinux_status_deny_unknown;
+    selinux_status_getenforce;
+    selinux_status_open;
+    selinux_status_policyload;
+    selinux_status_updated;
+    selinux_systemd_contexts_path;
+    selinux_translations_path;
+    selinux_trans_to_raw_context;
+    selinux_user_contexts_path;
+    selinux_usersconf_path;
+    selinux_users_path;
+    selinux_virtual_domain_context_path;
+    selinux_virtual_image_context_path;
+    selinux_x_context_path;
+    setcon;
+    setcon_raw;
+    setexeccon;
+    setexeccon_raw;
+    setexecfilecon;
+    setfilecon;
+    setfilecon_raw;
+    setfscreatecon;
+    setfscreatecon_raw;
+    setkeycreatecon;
+    setkeycreatecon_raw;
+    set_matchpathcon_canoncon;
+    set_matchpathcon_flags;
+    set_matchpathcon_invalidcon;
+    set_matchpathcon_printf;
+    set_selinuxmnt;
+    setsockcreatecon;
+    setsockcreatecon_raw;
+    sidget;
+    sidput;
+    string_to_av_perm;
+    string_to_security_class;
+    unmap_class;
+    unmap_perm;
+  local:
+    *;
+};
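Review bot: the `local: *;` clause is what actually hides everything, so the `global:` list is now the authoritative ABI and the manual nm/diff check in the commit message is worth turning into a make target or CI step that fails when `nm --defined-only -g` reports a non-underscore symbol absent from this list (or a listed symbol that the object no longer defines). Note also that `selinux_mnt` is a data object rather than a function, so its size is part of the exported ABI; that was true before the map as well.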
-- 
2.17.1



* [PATCH v4 4/4] libselinux: drop symbols from map
From: bill.c.roberts @ 2020-03-02 16:41 UTC (permalink / raw)
  To: nicolas.iooss
  Cc: bill.c.roberts, drepper, omosnace, plautrba, selinux,
	stephen.smalley.work, william.c.roberts

From: William Roberts <william.c.roberts@intel.com>

Previously, libselinux was exporting the following symbols:
  - dir_xattr_list;
  - map_class;
  - map_decision;
  - map_perm;
  - myprintf_compat;
  - unmap_class;
  - unmap_perm;

However, these appear to be unused and can safely be dropped.

This is done as a separate commit so that it can easily be reverted
separately for any reason.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libselinux/src/libselinux.map | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
index 73f4c072af02..2a368e93f9fd 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@@ -37,7 +37,6 @@ LIBSELINUX_1.0 {
     context_type_set;
     context_user_get;
     context_user_set;
-    dir_xattr_list;
     fgetfilecon;
     fgetfilecon_raw;
     fini_selinuxmnt;
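Review bot: dropping `dir_xattr_list` (and the map_*/unmap_*/myprintf_compat entries in the hunks below) is an ABI change for any consumer that referenced them, and "appear to be unused" should be backed by a scan of reverse dependencies before this lands; with the version node in place, such a consumer would now fail at load time with an unresolved versioned symbol rather than at the first call. The separate commit makes a revert cheap, which is the right call.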
@@ -80,9 +79,6 @@ LIBSELINUX_1.0 {
     lsetfilecon;
     lsetfilecon_raw;
     manual_user_enter_context;
-    map_class;
-    map_decision;
-    map_perm;
     matchmediacon;
     matchpathcon;
     matchpathcon_checkmatches;
@@ -94,7 +90,6 @@ LIBSELINUX_1.0 {
     matchpathcon_init;
     matchpathcon_init_prefix;
     mode_to_security_class;
-    myprintf_compat;
     print_access_vector;
     query_user_context;
     realpath_not_final;
@@ -242,8 +237,6 @@ LIBSELINUX_1.0 {
     sidput;
     string_to_av_perm;
     string_to_security_class;
-    unmap_class;
-    unmap_perm;
   local:
     *;
 };
-- 
2.17.1



* Re: [V4] libselinux: drop dso.h
From: Stephen Smalley @ 2020-03-03 18:58 UTC (permalink / raw)
  To: William Roberts
  Cc: Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek, Petr Lautrbach,
	SElinux list, William Roberts

On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
>
> Version 4:
>   - Fix linker option warnings.
>   - Move map file to beginning of options.
>
> Version 3:
>   - Add more symbols that should be dropped from the dso:
>     - map_class;
>     - map_decision;
>     - map_perm;
>
> Version 2:
>   - adds a version to the linker script LIBSELINUX_1.0
>   - Adds a patch to drop some additional symbols from the dso:
>     - dir_xattr_list
>     - myprintf_compat
>     - unmap_class
>     - unmap_perm
>
> This four part patch series drops the dso.h and hidden_*
> macros.
>
> The old dso.h functionality provided libselinux with both control over
> external exported symbols as well as ensuring internal callers call into
> libselinux and not a symbol with the same name loaded by the linker
> earlier in the library list.
>
> The functionality is replaced by a linker script that requires public
> API to explicitly be opt-in. The old method required that internal API
> be explicitly annotated, and everything else is public. This should help
> make it easier to control libselinux DSO hygiene going forward.
>
> The second functionality is replaced by compiler option
> -fno-semantic-interposition
>
> Note that clang has this enabled by default, and thus doesn't need it.
>
> See:
>   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
>
> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> [PATCH v4 3/4] Makefile: add linker script to minimize exports
> [PATCH v4 4/4] libselinux: drop symbols from map

This looks fine to me but I'd like at least one of the distro
maintainers to ack it (especially the last one).


* Re: [V4] libselinux: drop dso.h
From: Ondrej Mosnacek @ 2020-03-04 12:26 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: William Roberts, Nicolas Iooss, Ulrich Drepper, Petr Lautrbach,
	SElinux list, William Roberts

On Tue, Mar 3, 2020 at 7:57 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
> >
> > Version 4:
> >   - Fix linker option warnings.
> >   - Move map file to beginning of options.
> >
> > Version 3:
> >   - Add more symbols that should be dropped from the dso:
> >     - map_class;
> >     - map_decision;
> >     - map_perm;
> >
> > Version 2:
> >   - adds a version to the linker script LIBSELINUX_1.0
> >   - Adds a patch to drop some additional symbols from the dso:
> >     - dir_xattr_list
> >     - myprintf_compat
> >     - unmap_class
> >     - unmap_perm
> >
> > This four part patch series drops the dso.h and hidden_*
> > macros.
> >
> > The old dso.h functionality provided libselinux with both control over
> > external exported symbols as well as ensuring internal callers call into
> > libselinux and not a symbol with the same name loaded by the linker
> > earlier in the library list.
> >
> > The functionality is replaced by a linker script that requires public
> > API to explicitly be opt-in. The old method required that internal API
> > be explicitly annotated, and everything else is public. This should help
> > make it easier to control libselinux DSO hygiene going forward.
> >
> > The second functionality is replaced by compiler option
> > -fno-semantic-interposition
> >
> > Note that clang has this enabled by default, and thus doesn't need it.
> >
> > See:
> >   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
> >
> > [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> > [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> > [PATCH v4 3/4] Makefile: add linker script to minimize exports
> > [PATCH v4 4/4] libselinux: drop symbols from map
>
> This looks fine to me but I'd like at least one of the distro
> maintainers to ack it (especially the last one).

FWIW, I scanned all Fedora (32) packages that Require: libselinux
using this script and it seems that nothing is using the symbols
mentioned in patch 4/4 on Fedora:

https://gitlab.com/omos/selinux-misc/-/blob/master/scan_imports.sh

BTW, the same dso.h infrastructure is used also in libsepol and
libsemanage - are there plans to do the same thing for those two?

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [V4] libselinux: drop dso.h
  2020-03-03 18:58           ` [V4] libselinux: drop dso.h Stephen Smalley
  2020-03-04 12:26             ` Ondrej Mosnacek
@ 2020-03-04 13:15             ` Petr Lautrbach
  2020-03-05 12:42             ` Petr Lautrbach
  2 siblings, 0 replies; 37+ messages in thread
From: Petr Lautrbach @ 2020-03-04 13:15 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: William Roberts, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, SElinux list, William Roberts


Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
>>
>> Version 4:
>>   - Fix linker option warnings.
>>   - Move map file to beginning of options.
>>
>> Version 3:
>>   - Add more symbols that should be dropped from the dso:
>>     - map_class;
>>     - map_decision;
>>     - map_perm;
>>
>> Version 2:
>>   - adds a version to the linker script LIBSELINUX_1.0
>>   - Adds a patch to drop some additional symbols from the dso:
>>     - dir_xattr_list
>>     - myprintf_compat
>>     - unmap_class
>>     - unmap_perm
>>
>> This four part patch series drops the dso.h and hidden_*
>> macros.
>>
>> The old dso.h functionality provided libselinux with both control over
>> external exported symbols as well as ensuring internal callers call into
>> libselinux and not a symbol with the same name loaded by the linker
>> earlier in the library list.
>>
>> The functionality is replaced by a linker script that requires public
>> API to explicitly be opt-in. The old method required that internal API
>> be explicitly annotated, and everything else is public. This should help
>> make it easier to control libselinux DSO hygiene going forward.
>>
>> The second functionality is replaced by compiler option
>> -fno-semantic-interposition
>>
>> Note that clang has this enabled by default, and thus doesn't need it.
>>
>> See:
>>   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
>>
>> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
>> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
>> [PATCH v4 3/4] Makefile: add linker script to minimize exports
>> [PATCH v4 4/4] libselinux: drop symbols from map
>
> This looks fine to me but I'd like at least one of the distro
> maintainers to ack it (especially the last one).

On it. I'll provide feedback later today or tomorrow.



* Re: [V4] libselinux: drop dso.h
  2020-03-04 12:26             ` Ondrej Mosnacek
@ 2020-03-04 13:48               ` William Roberts
  0 siblings, 0 replies; 37+ messages in thread
From: William Roberts @ 2020-03-04 13:48 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: Stephen Smalley, Nicolas Iooss, Ulrich Drepper, Petr Lautrbach,
	SElinux list, William Roberts

<snip>

> > This looks fine to me but I'd like at least one of the distro
> > maintainers to ack it (especially the last one).
>
> FWIW, I scanned all Fedora (32) packages that Require: libselinux
> using this script and it seems that nothing is using the symbols
> mentioned in patch 4/4 on Fedora:
>
> https://gitlab.com/omos/selinux-misc/-/blob/master/scan_imports.sh
>
> BTW, the same dso.h infrastructure is used also in libsepol and
> libsemanage - are there plans to do the same thing for those two?

Yes, I can queue that up. I'd like to get through some of the other
updates first.


* Re: [V4] libselinux: drop dso.h
  2020-03-03 18:58           ` [V4] libselinux: drop dso.h Stephen Smalley
  2020-03-04 12:26             ` Ondrej Mosnacek
  2020-03-04 13:15             ` Petr Lautrbach
@ 2020-03-05 12:42             ` Petr Lautrbach
  2020-03-05 16:12               ` William Roberts
  2 siblings, 1 reply; 37+ messages in thread
From: Petr Lautrbach @ 2020-03-05 12:42 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: William Roberts, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	Petr Lautrbach, SElinux list, William Roberts


Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
>>
>> Version 4:
>>   - Fix linker option warnings.
>>   - Move map file to beginning of options.
>>
>> Version 3:
>>   - Add more symbols that should be dropped from the dso:
>>     - map_class;
>>     - map_decision;
>>     - map_perm;
>>
>> Version 2:
>>   - adds a version to the linker script LIBSELINUX_1.0
>>   - Adds a patch to drop some additional symbols from the dso:
>>     - dir_xattr_list
>>     - myprintf_compat
>>     - unmap_class
>>     - unmap_perm
>>
>> This four part patch series drops the dso.h and hidden_*
>> macros.
>>
>> The old dso.h functionality provided libselinux with both control over
>> external exported symbols as well as ensuring internal callers call into
>> libselinux and not a symbol with the same name loaded by the linker
>> earlier in the library list.
>>
>> The functionality is replaced by a linker script that requires public
>> API to explicitly be opt-in. The old method required that internal API
>> be explicitly annotated, and everything else is public. This should help
>> make it easier to control libselinux DSO hygiene going forward.
>>
>> The second functionality is replaced by compiler option
>> -fno-semantic-interposition
>>
>> Note that clang has this enabled by default, and thus doesn't need it.
>>
>> See:
>>   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
>>
>> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
>> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
>> [PATCH v4 3/4] Makefile: add linker script to minimize exports
>> [PATCH v4 4/4] libselinux: drop symbols from map
>
> This looks fine to me but I'd like at least one of the distro
> maintainers to ack it (especially the last one).

Acked-by: Petr Lautrbach <plautrba@redhat.com>



* Re: [V4] libselinux: drop dso.h
  2020-03-05 12:42             ` Petr Lautrbach
@ 2020-03-05 16:12               ` William Roberts
  2020-03-05 19:09                 ` William Roberts
  0 siblings, 1 reply; 37+ messages in thread
From: William Roberts @ 2020-03-05 16:12 UTC (permalink / raw)
  To: Petr Lautrbach
  Cc: Stephen Smalley, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	SElinux list, William Roberts

On Thu, Mar 5, 2020 at 6:42 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
>
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
> > On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
> >>
> >> Version 4:
> >>   - Fix linker option warnings.
> >>   - Move map file to beginning of options.
> >>
> >> Version 3:
> >>   - Add more symbols that should be dropped from the dso:
> >>     - map_class;
> >>     - map_decision;
> >>     - map_perm;
> >>
> >> Version 2:
> >>   - adds a version to the linker script LIBSELINUX_1.0
> >>   - Adds a patch to drop some additional symbols from the dso:
> >>     - dir_xattr_list
> >>     - myprintf_compat
> >>     - unmap_class
> >>     - unmap_perm
> >>
> >> This four part patch series drops the dso.h and hidden_*
> >> macros.
> >>
> >> The old dso.h functionality provided libselinux with both control over
> >> external exported symbols as well as ensuring internal callers call into
> >> libselinux and not a symbol with the same name loaded by the linker
> >> earlier in the library list.
> >>
> >> The functionality is replaced by a linker script that requires public
> >> API to explicitly be opt-in. The old method required that internal API
> >> be explicitly annotated, and everything else is public. This should help
> >> make it easier to control libselinux DSO hygiene going forward.
> >>
> >> The second functionality is replaced by compiler option
> >> -fno-semantic-interposition
> >>
> >> Note that clang has this enabled by default, and thus doesn't need it.
> >>
> >> See:
> >>   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
> >>
> >> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> >> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> >> [PATCH v4 3/4] Makefile: add linker script to minimize exports
> >> [PATCH v4 4/4] libselinux: drop symbols from map
> >
> > This looks fine to me but I'd like at least one of the distro
> > maintainers to ack it (especially the last one).
>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>
>

Thanks, staged:
https://github.com/SELinuxProject/selinux/pull/205


* Re: [V4] libselinux: drop dso.h
  2020-03-05 16:12               ` William Roberts
@ 2020-03-05 19:09                 ` William Roberts
  2020-03-11 18:14                   ` Stephen Smalley
  0 siblings, 1 reply; 37+ messages in thread
From: William Roberts @ 2020-03-05 19:09 UTC (permalink / raw)
  To: Petr Lautrbach
  Cc: Stephen Smalley, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	SElinux list, William Roberts

On Thu, Mar 5, 2020 at 10:12 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Mar 5, 2020 at 6:42 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> >
> >
> > Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> >
> > > On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
> > >>
> > >> Version 4:
> > >>   - Fix linker option warnings.
> > >>   - Move map file to beginning of options.
> > >>
> > >> Version 3:
> > >>   - Add more symbols that should be dropped from the dso:
> > >>     - map_class;
> > >>     - map_decision;
> > >>     - map_perm;
> > >>
> > >> Version 2:
> > >>   - adds a version to the linker script LIBSELINUX_1.0
> > >>   - Adds a patch to drop some additional symbols from the dso:
> > >>     - dir_xattr_list
> > >>     - myprintf_compat
> > >>     - unmap_class
> > >>     - unmap_perm
> > >>
> > >> This four part patch series drops the dso.h and hidden_*
> > >> macros.
> > >>
> > >> The old dso.h functionality provided libselinux with both control over
> > >> external exported symbols as well as ensuring internal callers call into
> > >> libselinux and not a symbol with the same name loaded by the linker
> > >> earlier in the library list.
> > >>
> > >> The functionality is replaced by a linker script that requires public
> > >> API to explicitly be opt-in. The old method required that internal API
> > >> be explicitly annotated, and everything else is public. This should help
> > >> make it easier to control libselinux DSO hygiene going forward.
> > >>
> > >> The second functionality is replaced by compiler option
> > >> -fno-semantic-interposition
> > >>
> > >> Note that clang has this enabled by default, and thus doesn't need it.
> > >>
> > >> See:
> > >>   - https://stackoverflow.com/questions/35745543/new-option-in-gcc-5-3-fno-semantic-interposition
> > >>
> > >> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> > >> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> > >> [PATCH v4 3/4] Makefile: add linker script to minimize exports
> > >> [PATCH v4 4/4] libselinux: drop symbols from map
> > >
> > > This looks fine to me but I'd like at least one of the distro
> > > maintainers to ack it (especially the last one).
> >
> > Acked-by: Petr Lautrbach <plautrba@redhat.com>
> >
>
> Thanks, staged:
> https://github.com/SELinuxProject/selinux/pull/205

merged.

Since folks have interest in doing the same for libsepol and
libsemanage, I'm going to roll those before updating the attribute
deprecated patches.

Thanks,
Bill


* Re: [V4] libselinux: drop dso.h
  2020-03-05 19:09                 ` William Roberts
@ 2020-03-11 18:14                   ` Stephen Smalley
  2020-03-12 14:05                     ` William Roberts
  0 siblings, 1 reply; 37+ messages in thread
From: Stephen Smalley @ 2020-03-11 18:14 UTC (permalink / raw)
  To: William Roberts
  Cc: Petr Lautrbach, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	SElinux list, William Roberts

On Thu, Mar 5, 2020 at 2:09 PM William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Thu, Mar 5, 2020 at 10:12 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Mar 5, 2020 at 6:42 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> > >
> > >
> > > Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> > >
> > > > On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
> > > >> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> > > >> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> > > >> [PATCH v4 3/4] Makefile: add linker script to minimize exports
> > > >> [PATCH v4 4/4] libselinux: drop symbols from map
> > > >
> > > > This looks fine to me but I'd like at least one of the distro
> > > > maintainers to ack it (especially the last one).
> > >
> > > Acked-by: Petr Lautrbach <plautrba@redhat.com>
> > >
> >
> > Thanks, staged:
> > https://github.com/SELinuxProject/selinux/pull/205
>
> merged.

I've noticed a change since this was applied; if I build userspace
against the updated libselinux, the dynamic loader will
print a warning if it is run on a system with the older libselinux, a la:

$ /sbin/restorecon -v /etc
/sbin/restorecon: /lib64/libselinux.so.1: no version information
available (required by /sbin/restorecon)

It still works since there was no real change in the ABI but I don't
know if this is a concern for distros.

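The two mechanisms the series relies on (an opt-in version script for exports and -fno-semantic-interposition for internal calls), and the version node a consumer records that leads to the loader warning above, can all be seen on a throwaway library. This is an added example, not code from the thread or from libselinux: it assumes gcc, GNU ld and binutils (nm, objdump) on the PATH; the version node name LIBSELINUX_1.0 is taken from the cover letter, while the library source, the consumer program, the map file and the names libdemo.so, api, helper and not_exported are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or libselinux): build a throwaway DSO with a
# GNU ld version script and -fno-semantic-interposition, then inspect it with
# binutils. Library, program and map file below are constructed for the demo;
# only the version node name LIBSELINUX_1.0 comes from the cover letter.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed library: api() is the public entry point and calls helper();
# helper() is exported too so the interposition effect can be observed,
# while not_exported() must be hidden by the map's "local: *".
cat > "$WORK/lib.c" <<'EOF'
int helper(void)       { return 1; }
int api(void)          { return helper(); }
int not_exported(void) { return 42; }
EOF

# Constructed consumer: defines its own helper() under the same name and prints
# what the library's api() returns, i.e. which helper() the internal call reached.
cat > "$WORK/main.c" <<'EOF'
#include <stdio.h>
int helper(void) { return 2; }
int api(void);
int main(void) { printf("%d\n", api()); return 0; }
EOF

# Constructed version script in the opt-in style the series introduces:
# only the listed symbols are global, everything else becomes local.
cat > "$WORK/lib.map" <<'EOF'
LIBSELINUX_1.0 {
  global: api; helper;
  local: *;
};
EOF

has_gnu_toolchain() {
    command -v gcc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1 &&
    command -v objdump >/dev/null 2>&1 &&
    ld --version 2>/dev/null | head -n 1 | grep -q GNU
}

# build_demo EXTRA_CFLAGS: build libdemo.so with the map, then a program using it.
# -O2 matters: without it GCC would not inline helper() into api() in either mode.
build_demo() {
    gcc -shared -fPIC -O2 $1 -Wl,--version-script="$WORK/lib.map" \
        -o "$WORK/libdemo.so" "$WORK/lib.c"
    gcc -O2 -o "$WORK/prog" "$WORK/main.c" -L"$WORK" -ldemo -Wl,-rpath,"$WORK"
}

# Exported functions of the DSO (dynamic symbol table, version suffix stripped),
# sorted and space separated. not_exported must not appear.
exported_functions() {
    nm -D --defined-only "$WORK/libdemo.so" | awk '$2 == "T" { print $3 }' \
        | sed 's/@.*//' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Version node the program records for api(). A loader that finds an installed
# library without that node prints "no version information available".
required_version_for_api() {
    objdump -T "$WORK/prog" \
        | awk '$NF == "api" { v = $(NF-1); gsub(/[()]/, "", v); print v }'
}

# Runs the program: prints 1 if api() reached the library's own helper(),
# 2 if the call was captured by the program's same-named helper().
run_prog() {
    "$WORK/prog"
}

demo() {
    if ! has_gnu_toolchain; then
        echo "gcc/binutils with GNU ld not found; skipping build" >&2
        return 0
    fi
    build_demo ""
    echo "exported functions: $(exported_functions)"
    echo "default build, api() -> helper() returns: $(run_prog)"
    build_demo "-fno-semantic-interposition"
    echo "with -fno-semantic-interposition, api() -> helper() returns: $(run_prog)"
    echo "version node required by prog for api(): $(required_version_for_api)"
}

demo
```

With the default build the program prints 2: the library's own call from api() to helper() goes through the PLT and is captured by the program's same-named definition, which is the behaviour the old hidden_proto/hidden_def macros guarded against. With -fno-semantic-interposition it prints 1, because GCC may now treat helper() as non-interposable and bind the internal call locally. The export list contains only api and helper, so not_exported is hidden by the map without any per-symbol annotation, and the consumer records LIBSELINUX_1.0 as a required version node; running that consumer against a build of the library that predates the map (no version nodes at all) is exactly the situation the loader reports on.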

* Re: [V4] libselinux: drop dso.h
  2020-03-11 18:14                   ` Stephen Smalley
@ 2020-03-12 14:05                     ` William Roberts
  0 siblings, 0 replies; 37+ messages in thread
From: William Roberts @ 2020-03-12 14:05 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Petr Lautrbach, Nicolas Iooss, Ulrich Drepper, Ondrej Mosnacek,
	SElinux list, William Roberts

On Wed, Mar 11, 2020 at 1:14 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 5, 2020 at 2:09 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Mar 5, 2020 at 10:12 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > On Thu, Mar 5, 2020 at 6:42 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> > > >
> > > >
> > > > Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> > > >
> > > > > On Mon, Mar 2, 2020 at 11:41 AM <bill.c.roberts@gmail.com> wrote:
> > > > >> [PATCH v4 1/4] dso: drop hidden_proto and hidden_def
> > > > >> [PATCH v4 2/4] Makefile: add -fno-semantic-interposition
> > > > >> [PATCH v4 3/4] Makefile: add linker script to minimize exports
> > > > >> [PATCH v4 4/4] libselinux: drop symbols from map
> > > > >
> > > > > This looks fine to me but I'd like at least one of the distro
> > > > > maintainers to ack it (especially the last one).
> > > >
> > > > Acked-by: Petr Lautrbach <plautrba@redhat.com>
> > > >
> > >
> > > Thanks, staged:
> > > https://github.com/SELinuxProject/selinux/pull/205
> >
> > merged.
>
> I've noticed a change since this was applied; if I build userspace
> against the updated libselinux, the dynamic loader will
> print a warning if it is run on a system with the older libselinux, a la:
> $ /sbin/restorecon -v /etc
> /sbin/restorecon: /lib64/libselinux.so.1: no version information
> available (required by /sbin/restorecon)
> It still works since there was no real change in the ABI but I don't
> know if this is a concern for distros.

I replicated this and looked into it; AFAICT it's relatively harmless since,
as you point out, we're not breaking ABI.

But if I understand your comment (paraphrasing), "userspace should all
be updated together", from:
  - https://lore.kernel.org/selinux/CAEjxPJ4UPBWSP0E4pjR+F6uKMZNHK9J7LTL1gVznpwyJh9UWNA@mail.gmail.com/

then it really shouldn't be an issue.

A lot of what I read on the version stuff was written by Ulrich, so he
might weigh in with more information and perhaps a way to correct this.


Thread overview: 37+ messages
2020-02-27 23:01 libselinux: drop dso.h bill.c.roberts
2020-02-27 23:01 ` [PATCH 1/3] dso: drop hidden_proto and hidden_def bill.c.roberts
2020-02-27 23:01 ` [PATCH 2/3] Makefile: add -fno-semantic-interposition bill.c.roberts
2020-02-28 13:51   ` Stephen Smalley
2020-02-28 13:59     ` William Roberts
2020-03-01 20:32       ` Nicolas Iooss
2020-03-02 16:41         ` [V4] libselinux: drop dso.h bill.c.roberts
2020-03-02 16:41           ` [PATCH v4 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
2020-03-02 16:41           ` [PATCH v4 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
2020-03-02 16:41           ` [PATCH v4 3/4] Makefile: add linker script to minimize exports bill.c.roberts
2020-03-02 16:41           ` [PATCH v4 4/4] libselinux: drop symbols from map bill.c.roberts
2020-03-03 18:58           ` [V4] libselinux: drop dso.h Stephen Smalley
2020-03-04 12:26             ` Ondrej Mosnacek
2020-03-04 13:48               ` William Roberts
2020-03-04 13:15             ` Petr Lautrbach
2020-03-05 12:42             ` Petr Lautrbach
2020-03-05 16:12               ` William Roberts
2020-03-05 19:09                 ` William Roberts
2020-03-11 18:14                   ` Stephen Smalley
2020-03-12 14:05                     ` William Roberts
2020-02-27 23:01 ` [PATCH 3/3] Makefile: add linker script to minimize exports bill.c.roberts
2020-02-28 13:36   ` Stephen Smalley
2020-02-28 13:38     ` William Roberts
2020-02-28 14:05     ` [V2] libselinux: drop dso.h bill.c.roberts
2020-02-28 14:05       ` [PATCH v2 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
2020-02-28 14:05       ` [PATCH v2 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
2020-02-28 14:05       ` [PATCH v2 3/4] Makefile: add linker script to minimize exports bill.c.roberts
2020-02-28 14:05       ` [PATCH v2 4/4] libselinux: drop symbols from map bill.c.roberts
2020-02-28 15:39         ` Stephen Smalley
2020-02-28 15:40           ` William Roberts
2020-02-28 15:48 ` [V3] libselinux: drop dso.h bill.c.roberts
2020-02-28 15:48   ` [PATCH v3 1/4] dso: drop hidden_proto and hidden_def bill.c.roberts
2020-02-28 15:48   ` [PATCH v3 2/4] Makefile: add -fno-semantic-interposition bill.c.roberts
2020-02-28 15:48   ` [PATCH v3 3/4] Makefile: add linker script to minimize exports bill.c.roberts
     [not found]     ` <CAEjxPJ7CuMf5QeW_jjEonRN=kfcpTV8c4UnUMyEjyb2hee1YXg@mail.gmail.com>
     [not found]       ` <CAFftDdpeP39qvXNTe06EWkc3Kp_TMu5bGOf8WN6Q-k2Cehn_3w@mail.gmail.com>
2020-02-28 19:05         ` Stephen Smalley
2020-03-01 20:04           ` Nicolas Iooss
2020-02-28 15:48   ` [PATCH v3 4/4] libselinux: drop symbols from map bill.c.roberts
