From patchwork Fri Sep 6 17:29:13 2024
X-Patchwork-Submitter: Masahiro Yamada
X-Patchwork-Id: 13794477
From: Masahiro Yamada
To: Paul Moore, Stephen Smalley, Ondrej Mosnacek, selinux@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org, Daniel Gomez, linux-kernel@vger.kernel.org, Masahiro Yamada
Subject: [PATCH v2 1/2] selinux: do not include headers from host programs
Date: Sat, 7 Sep 2024 02:29:13 +0900
Message-ID: <20240906172934.1317830-1-masahiroy@kernel.org>
X-Mailer: git-send-email 2.43.0

The header, security/selinux/include/classmap.h, is included not only
from kernel space but also from host programs. It includes and , which
pull in more headers. This makes the host programs less portable,
specifically causing build errors on macOS.

Those headers are included for the following purposes:

- for checking CAP_LAST_CAP
- for checking PF_MAX

These checks can be guarded by __KERNEL__ so they are skipped when
building host programs. Testing them when building the kernel should be
sufficient.

The header, security/selinux/include/initial_sid_to_string.h, includes
for the NULL definition, but this is not portable either. Instead,
should be included for host programs.

Reported-by: Daniel Gomez
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/
Signed-off-by: Masahiro Yamada --- Changes in v2: - Reword the commit description - Keep the location of CAP_LAST_CAP - Include for host programs scripts/selinux/genheaders/Makefile | 4 +--- scripts/selinux/genheaders/genheaders.c | 3 --- scripts/selinux/mdp/Makefile | 2 +- scripts/selinux/mdp/mdp.c | 4 ---- security/selinux/include/classmap.h | 11 ++++++++--- security/selinux/include/initial_sid_to_string.h | 4 ++++ 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile index 1faf7f07e8db..866f60e78882 100644 --- a/scripts/selinux/genheaders/Makefile +++ b/scripts/selinux/genheaders/Makefile @@ -1,5 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 hostprogs-always-y += genheaders -HOST_EXTRACFLAGS += \ - -I$(srctree)/include/uapi -I$(srctree)/include \ - -I$(srctree)/security/selinux/include +HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index 15520806889e..3834d7eb0af6 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c @@ -1,8 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 -/* NOTE: we really do want to use the kernel headers here */ -#define __EXPORTED_HEADERS__ - #include #include #include diff --git a/scripts/selinux/mdp/Makefile b/scripts/selinux/mdp/Makefile index d61058ddd15c..673782e3212f 100644 --- a/scripts/selinux/mdp/Makefile +++ b/scripts/selinux/mdp/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 hostprogs-always-y += mdp HOST_EXTRACFLAGS += \ - -I$(srctree)/include/uapi -I$(srctree)/include \ + -I$(srctree)/include \ -I$(srctree)/security/selinux/include -I$(objtree)/include clean-files := policy.* file_contexts diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 1415604c3d24..52365921c043 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c 
@@ -11,10 +11,6 @@ * Authors: Serge E. Hallyn */ - -/* NOTE: we really do want to use the kernel headers here */ -#define __EXPORTED_HEADERS__ - #include #include #include diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 7229c9bf6c27..5e2b0eaa73c4 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -1,8 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ -#include -#include - #define COMMON_FILE_SOCK_PERMS \ "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ "relabelfrom", "relabelto", "append", "map" @@ -36,9 +33,13 @@ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ "audit_read", "perfmon", "bpf", "checkpoint_restore" +#ifdef __KERNEL__ /* avoid this check when building host programs */ +#include + #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE #error New capability defined, please update COMMON_CAP2_PERMS. #endif +#endif /* * Note: The name for any socket class should be suffixed by "socket", @@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = { { NULL } }; +#ifdef __KERNEL__ /* avoid this check when building host programs */ +#include + #if PF_MAX > 46 #error New address family defined, please update secclass_map. #endif +#endif diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h index 99b353b2abb4..d7ba60b62491 100644 --- a/security/selinux/include/initial_sid_to_string.h +++ b/security/selinux/include/initial_sid_to_string.h 
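Review bot: The scripts/selinux/mdp/Makefile hunk keeps `-I$(srctree)/include` and `-I$(objtree)/include` while the scripts/selinux/genheaders/Makefile hunk drops every kernel include path except security/selinux/include; the commit message explains only the removal, so a sentence on why mdp still needs the kernel include tree on its host-program search path (or a follow-up that drops it too) would make the asymmetry read as deliberate. With `-I$(srctree)/include` still present, mdp can still resolve kernel-internal headers on a host build, which is the portability problem this patch is addressing.

Review bot: In the two security/selinux/include/classmap.h hunks the `#include` directives move from the top of the header into `#ifdef __KERNEL__` blocks that sit after `COMMON_CAP2_PERMS` and after `secclass_map[]`, so the header now includes other headers mid-file. That is fine because the only consumers are the `#if CAP_LAST_CAP ...` and `#if PF_MAX ...` checks that immediately follow, but the new comment says only "avoid this check when building host programs"; extending it to say the include is there solely for that check would stop a later reader from hoisting it back to the top and reintroducing the host-build breakage. Note also that after this change a stale `COMMON_CAP2_PERMS` or `secclass_map` is caught only by a kernel build, which the commit message accepts as sufficient.

Review bot: The scripts/selinux/genheaders/genheaders.c and scripts/selinux/mdp/mdp.c hunks drop `#define __EXPORTED_HEADERS__` together with the "we really do want to use the kernel headers here" note, which is consistent with removing `-I$(srctree)/include/uapi` from both Makefiles; since the targets of the three remaining `#include` lines in each file are not shown in this rendering, confirm they resolve from the host toolchain or from security/selinux/include alone, otherwise the macOS build the series targets will fail at the next missing header.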
@@ -1,6 +1,10 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#ifdef __KERNEL__ #include +#else +#include +#endif static const char *const initial_sid_to_string[] = { NULL, /* zero placeholder, not used */

From patchwork Fri Sep 6 17:29:14 2024
X-Patchwork-Submitter: Masahiro Yamada
X-Patchwork-Id: 13794478
From: Masahiro Yamada
To: Paul Moore, Stephen Smalley, Ondrej Mosnacek, selinux@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org, Daniel Gomez, linux-kernel@vger.kernel.org, Masahiro Yamada
Subject: [PATCH v2 2/2] selinux: move genheaders to security/selinux/
Date: Sat, 7 Sep 2024 02:29:14 +0900
Message-ID: <20240906172934.1317830-2-masahiroy@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240906172934.1317830-1-masahiroy@kernel.org>
References: <20240906172934.1317830-1-masahiroy@kernel.org>

This tool is only used in security/selinux/Makefile. Move it to
security/selinux/ so that 'make clean' can clean it up.

Please note 'make clean' does not clean scripts/ because tools under
scripts/ are often used for external module builds. Obviously,
genheaders is not the case here.
Signed-off-by: Masahiro Yamada --- Changes in v2: - Add more reason to move genheaders to security/selinux/ scripts/remove-stale-files | 3 +++ scripts/selinux/Makefile | 2 +- scripts/selinux/genheaders/.gitignore | 2 -- scripts/selinux/genheaders/Makefile | 3 --- security/selinux/.gitignore | 1 + security/selinux/Makefile | 7 +++++-- .../selinux/genheaders => security/selinux}/genheaders.c | 0 7 files changed, 10 insertions(+), 8 deletions(-) delete mode 100644 scripts/selinux/genheaders/.gitignore delete mode 100644 scripts/selinux/genheaders/Makefile rename {scripts/selinux/genheaders => security/selinux}/genheaders.c (100%) diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files index f38d26b78c2a..4e7d25668a98 100755 --- a/scripts/remove-stale-files +++ b/scripts/remove-stale-files @@ -20,4 +20,7 @@ set -e # yard. Stale files stay in this file for a while (for some release cycles?), # then will be really dead and removed from the code base entirely. +# moved to security/selinux/genheaders +rm -f scripts/selinux/genheaders/genheaders + rm -f *.spec diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile index 59494e14989b..4b1308fa5732 100644 --- a/scripts/selinux/Makefile +++ b/scripts/selinux/Makefile @@ -1,2 +1,2 @@ # SPDX-License-Identifier: GPL-2.0-only -subdir-y := mdp genheaders +subdir-y := mdp diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore deleted file mode 100644 index 5fcadd307908..000000000000 --- a/scripts/selinux/genheaders/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0-only -genheaders diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile deleted file mode 100644 index 866f60e78882..000000000000 --- a/scripts/selinux/genheaders/Makefile +++ /dev/null @@ -1,3 +0,0 @@ -# SPDX-License-Identifier: GPL-2.0 -hostprogs-always-y += genheaders -HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include 
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore index 168fae13ca5a..01c0df8ab009 100644 --- a/security/selinux/.gitignore +++ b/security/selinux/.gitignore @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0-only av_permissions.h flask.h +/genheaders diff --git a/security/selinux/Makefile b/security/selinux/Makefile index c47519ed8156..86f0575f670d 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -36,7 +36,10 @@ quiet_cmd_genhdrs = GEN $(addprefix $(obj)/,$(genhdrs)) # see the note above, replace the $targets and 'flask.h' rule with the lines # below: # targets += $(genhdrs) -# $(addprefix $(obj)/,$(genhdrs)) &: scripts/selinux/... +# $(addprefix $(obj)/,$(genhdrs)) &: $(obj)/genheaders FORCE targets += flask.h -$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE +$(obj)/flask.h: $(obj)/genheaders FORCE $(call if_changed,genhdrs) + +hostprogs := genheaders +HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include diff --git a/scripts/selinux/genheaders/genheaders.c b/security/selinux/genheaders.c similarity index 100% rename from scripts/selinux/genheaders/genheaders.c rename to security/selinux/genheaders.c
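Review bot: The security/selinux/Makefile hunk replaces the deleted `hostprogs-always-y += genheaders` with `hostprogs := genheaders`, dropping the always-build; that is correct because `$(obj)/flask.h` now names `$(obj)/genheaders` as a prerequisite, so the tool is built on demand and the updated commented-out `&:` rule matches. The hunk context shows only `quiet_cmd_genhdrs`, so confirm that `cmd_genhdrs` (not in the hunk) invokes the tool through `$<` rather than a hard-coded scripts/selinux/genheaders path, since the prerequisite rename is the only path change made here.

Review bot: The security/selinux/.gitignore hunk adds an anchored entry (`/genheaders`) next to the unanchored `av_permissions.h` and `flask.h`; the anchored form is the right one for a build artefact that lives only in this directory and, as a style point, the two existing entries could be anchored the same way in a follow-up so the file uses one convention.

Review bot: The scripts/remove-stale-files hunk removes only the old binary `scripts/selinux/genheaders/genheaders`, but this series deletes every tracked file in that directory (.gitignore and Makefile are deleted, genheaders.c is renamed away), so nothing tracked remains there; an `rm -rf scripts/selinux/genheaders` would also clear any other untracked build leftovers in that directory, which `make clean` will never visit, as the commit message itself notes.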