Add versioned symbol support

configure.ac

@@ -58,6 +58,11 @@ dnl libtool configuration
 dnl ####
 LT_INIT([shared pic-only])
 
+dnl ####
+dnl linker version script support
+dnl ####
+gl_LD_VERSION_SCRIPT
+
 dnl ####
 dnl enable silent builds by default
 dnl ####

m4/ld-version-script.m4

@@ -0,0 +1,50 @@
+# ld-version-script.m4
+# serial 7
+dnl Copyright (C) 2008-2026 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+dnl This file is offered as-is, without any warranty.
+
+dnl From Simon Josefsson
+
+# FIXME: The test below returns a false positive for mingw
+# cross-compiles, 'local:' statements does not reduce number of
+# exported symbols in a DLL.  Use --disable-ld-version-script to work
+# around the problem.
+
+# gl_LD_VERSION_SCRIPT
+# --------------------
+# Check if LD supports linker scripts, and define automake conditional
+# HAVE_LD_VERSION_SCRIPT if so.
+AC_DEFUN([gl_LD_VERSION_SCRIPT],
+[
+  AC_ARG_ENABLE([ld-version-script],
+    [AS_HELP_STRING([[--enable-ld-version-script]],
+       [enable linker version script (default is enabled when possible)])],
+    [have_ld_version_script=$enableval],
+    [AC_CACHE_CHECK([if LD -Wl,--version-script works],
+       [gl_cv_sys_ld_version_script],
+       [gl_cv_sys_ld_version_script=no
+        saved_LDFLAGS=$LDFLAGS
+        LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map"
+        echo foo >conftest.map
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+          [],
+          [cat > conftest.map <<EOF
+VERS_1 {
+        global: sym;
+};
+
+VERS_2 {
+        global: sym;
+} VERS_1;
+EOF
+           AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+             [gl_cv_sys_ld_version_script=yes])])
+        rm -f conftest.map
+        LDFLAGS=$saved_LDFLAGS])
+     have_ld_version_script=$gl_cv_sys_ld_version_script])
+  AM_CONDITIONAL([HAVE_LD_VERSION_SCRIPT],
+    [test "$have_ld_version_script" = yes])
+])

src/Makefile.am

@@ -49,7 +49,8 @@ SOURCES_ALL = \
 
 EXTRA_DIST = \
 	arch-syscall-validate arch-syscall-check \
-	arch-gperf-generate syscalls.csv syscalls.perf.template
+	arch-gperf-generate syscalls.csv syscalls.perf.template \
+	libseccomp.map
 
 TESTS = arch-syscall-check
 
@@ -65,6 +66,9 @@ libseccomp_la_CFLAGS = ${AM_CFLAGS} ${CODE_COVERAGE_CFLAGS} ${CFLAGS} \
 	-fPIC -DPIC -fvisibility=hidden
 libseccomp_la_LDFLAGS = ${AM_LDFLAGS} ${CODE_COVERAGE_LDFLAGS} ${LDFLAGS} \
 	-version-number ${VERSION_MAJOR}:${VERSION_MINOR}:${VERSION_MICRO}
+if HAVE_LD_VERSION_SCRIPT
+libseccomp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/libseccomp.map
+endif
 
 EXTRA_DIST += syscalls.perf.c syscalls.perf
 CLEANFILES = syscalls.perf.c syscalls.perf

src/libseccomp.map

@@ -0,0 +1,43 @@
+# Avoid modifying a symbol set after it has been released
+# When adding features in a new release, add a new set
+# Removing features is a breaking change
+LIBSECCOMP_1.0 {
+  global:
+    seccomp_api_get;
+    seccomp_api_set;
+    seccomp_arch_add;
+    seccomp_arch_exist;
+    seccomp_arch_native;
+    seccomp_arch_remove;
+    seccomp_arch_resolve_name;
+    seccomp_attr_get;
+    seccomp_attr_set;
+    seccomp_export_bpf;
+    seccomp_export_bpf_mem;
+    seccomp_export_pfc;
+    seccomp_init;
+    seccomp_load;
+    seccomp_merge;
+    seccomp_notify_alloc;
+    seccomp_notify_fd;
+    seccomp_notify_free;
+    seccomp_notify_id_valid;
+    seccomp_notify_receive;
+    seccomp_notify_respond;
+    seccomp_precompute;
+    seccomp_release;
+    seccomp_reset;
+    seccomp_rule_add;
+    seccomp_rule_add_array;
+    seccomp_rule_add_exact;
+    seccomp_rule_add_exact_array;
+    seccomp_syscall_priority;
+    seccomp_syscall_resolve_name;
+    seccomp_syscall_resolve_name_arch;
+    seccomp_syscall_resolve_name_rewrite;
+    seccomp_syscall_resolve_num_arch;
+    seccomp_transaction_commit;
+    seccomp_transaction_reject;
+    seccomp_transaction_start;
+    seccomp_version;
+}