Message ID | 20240906172934.1317830-1-masahiroy@kernel.org (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | [v2,1/2] selinux: do not include <linux/*.h> headers from host programs | expand |
On Fri, Sep 6, 2024 at 1:29 PM Masahiro Yamada <masahiroy@kernel.org> wrote: > > The header, security/selinux/include/classmap.h, is included not only > from kernel space but also from host programs. > > It includes <linux/capability.h> and <linux/socket.h>, which pull in > more <linux/*.h> headers. This makes the host programs less portable, > specifically causing build errors on macOS. > > Those headers are included for the following purposes: > > - <linux/capability.h> for checking CAP_LAST_CAP > - <linux/socket.h> for checking PF_MAX > > These checks can be guarded by __KERNEL__ so they are skipped when > building host programs. Testing them when building the kernel should > be sufficient. > > The header, security/selinux/include/initial_sid_to_string.h, includes > <linux/stddef.h> for the NULL definition, but this is not portable > either. Instead, <stddef.h> should be included for host programs. > > Reported-by: Daniel Gomez <da.gomez@samsung.com> > Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/ > Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/ > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > --- > > Changes in v2: > - Reword the commit description > - Keep the location of CAP_LAST_CAP > - Include <stddef.h> for host programs > > scripts/selinux/genheaders/Makefile | 4 +--- > scripts/selinux/genheaders/genheaders.c | 3 --- > scripts/selinux/mdp/Makefile | 2 +- > scripts/selinux/mdp/mdp.c | 4 ---- > security/selinux/include/classmap.h | 11 ++++++++--- > security/selinux/include/initial_sid_to_string.h | 4 ++++ > 6 files changed, 14 insertions(+), 14 deletions(-) This looks much better, thank you. We're currently at -rc6 which is later than I would like to merge patches like this (I try to stick to bug fixes or trivial changes at this point in the development cycle), so I'm going to hold on to this until after the upcoming merge window where I'll merge it into selinux/dev. See the below doc for more information on how the SELinux tree is managed: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md
On Fri, Sep 6, 2024 at 2:37 PM Paul Moore <paul@paul-moore.com> wrote: > On Fri, Sep 6, 2024 at 1:29 PM Masahiro Yamada <masahiroy@kernel.org> wrote: > > > > The header, security/selinux/include/classmap.h, is included not only > > from kernel space but also from host programs. > > > > It includes <linux/capability.h> and <linux/socket.h>, which pull in > > more <linux/*.h> headers. This makes the host programs less portable, > > specifically causing build errors on macOS. > > > > Those headers are included for the following purposes: > > > > - <linux/capability.h> for checking CAP_LAST_CAP > > - <linux/socket.h> for checking PF_MAX > > > > These checks can be guarded by __KERNEL__ so they are skipped when > > building host programs. Testing them when building the kernel should > > be sufficient. > > > > The header, security/selinux/include/initial_sid_to_string.h, includes > > <linux/stddef.h> for the NULL definition, but this is not portable > > either. Instead, <stddef.h> should be included for host programs. > > > > Reported-by: Daniel Gomez <da.gomez@samsung.com> > > Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/ > > Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/ > > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> > > --- > > > > Changes in v2: > > - Reword the commit description > > - Keep the location of CAP_LAST_CAP > > - Include <stddef.h> for host programs > > > > scripts/selinux/genheaders/Makefile | 4 +--- > > scripts/selinux/genheaders/genheaders.c | 3 --- > > scripts/selinux/mdp/Makefile | 2 +- > > scripts/selinux/mdp/mdp.c | 4 ---- > > security/selinux/include/classmap.h | 11 ++++++++--- > > security/selinux/include/initial_sid_to_string.h | 4 ++++ > > 6 files changed, 14 insertions(+), 14 deletions(-) > > This looks much better, thank you. We're currently at -rc6 which is > later than I would like to merge patches like this (I try to stick to > bug fixes or trivial changes at this point in the development cycle), > so I'm going to hold on to this until after the upcoming merge window > where I'll merge it into selinux/dev. See the below doc for more > information on how the SELinux tree is managed: > > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md I just merged this into selinux/dev, you should see it reflected in the kernel.org shortly.
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile index 1faf7f07e8db..866f60e78882 100644 --- a/scripts/selinux/genheaders/Makefile +++ b/scripts/selinux/genheaders/Makefile @@ -1,5 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 hostprogs-always-y += genheaders -HOST_EXTRACFLAGS += \ - -I$(srctree)/include/uapi -I$(srctree)/include \ - -I$(srctree)/security/selinux/include +HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index 15520806889e..3834d7eb0af6 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c @@ -1,8 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 -/* NOTE: we really do want to use the kernel headers here */ -#define __EXPORTED_HEADERS__ - #include <stdio.h> #include <stdlib.h> #include <unistd.h> diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile index d61058ddd15c..673782e3212f 100644 --- a/scripts/selinux/mdp/Makefile +++ b/scripts/selinux/mdp/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 hostprogs-always-y += mdp HOST_EXTRACFLAGS += \ - -I$(srctree)/include/uapi -I$(srctree)/include \ + -I$(srctree)/include \ -I$(srctree)/security/selinux/include -I$(objtree)/include clean-files := policy.* file_contexts diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 1415604c3d24..52365921c043 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -11,10 +11,6 @@ * Authors: Serge E. Hallyn <serue@us.ibm.com> */ - -/* NOTE: we really do want to use the kernel headers here */ -#define __EXPORTED_HEADERS__ - #include <stdio.h> #include <stdlib.h> #include <unistd.h> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 7229c9bf6c27..5e2b0eaa73c4 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -1,8 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ -#include <linux/capability.h> -#include <linux/socket.h> - #define COMMON_FILE_SOCK_PERMS \ "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ "relabelfrom", "relabelto", "append", "map" @@ -36,9 +33,13 @@ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ "audit_read", "perfmon", "bpf", "checkpoint_restore" +#ifdef __KERNEL__ /* avoid this check when building host programs */ +#include <linux/capability.h> + #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE #error New capability defined, please update COMMON_CAP2_PERMS. #endif +#endif /* * Note: The name for any socket class should be suffixed by "socket", @@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = { { NULL } }; +#ifdef __KERNEL__ /* avoid this check when building host programs */ +#include <linux/socket.h> + #if PF_MAX > 46 #error New address family defined, please update secclass_map. #endif +#endif diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index 99b353b2abb4..d7ba60b62491 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h @@ -1,6 +1,10 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#ifdef __KERNEL__ #include <linux/stddef.h> +#else +#include <stddef.h> +#endif static const char *const initial_sid_to_string[] = { NULL, /* zero placeholder, not used */
The header, security/selinux/include/classmap.h, is included not only from kernel space but also from host programs. It includes <linux/capability.h> and <linux/socket.h>, which pull in more <linux/*.h> headers. This makes the host programs less portable, specifically causing build errors on macOS. Those headers are included for the following purposes: - <linux/capability.h> for checking CAP_LAST_CAP - <linux/socket.h> for checking PF_MAX These checks can be guarded by __KERNEL__ so they are skipped when building host programs. Testing them when building the kernel should be sufficient. The header, security/selinux/include/initial_sid_to_string.h, includes <linux/stddef.h> for the NULL definition, but this is not portable either. Instead, <stddef.h> should be included for host programs. Reported-by: Daniel Gomez <da.gomez@samsung.com> Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/ Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/ Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> --- Changes in v2: - Reword the commit description - Keep the location of CAP_LAST_CAP - Include <stddef.h> for host programs scripts/selinux/genheaders/Makefile | 4 +--- scripts/selinux/genheaders/genheaders.c | 3 --- scripts/selinux/mdp/Makefile | 2 +- scripts/selinux/mdp/mdp.c | 4 ---- security/selinux/include/classmap.h | 11 ++++++++--- security/selinux/include/initial_sid_to_string.h | 4 ++++ 6 files changed, 14 insertions(+), 14 deletions(-)