selinux: do not include <linux/*.h> headers from host programs
The header, security/selinux/include/classmap.h, is included not only from kernel space but also from host programs. It includes <linux/capability.h> and <linux/socket.h>, which pull in more <linux/*.h> headers. This makes the host programs less portable, specifically causing build errors on macOS. Those headers are included for the following purposes: - <linux/capability.h> for checking CAP_LAST_CAP - <linux/socket.h> for checking PF_MAX These checks can be guarded by __KERNEL__ so they are skipped when building host programs. Testing them when building the kernel should be sufficient. The header, security/selinux/include/initial_sid_to_string.h, includes <linux/stddef.h> for the NULL definition, but this is not portable either. Instead, <stddef.h> should be included for host programs. Reported-by: Daniel Gomez <da.gomez@samsung.com> Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/ Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/ Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
9852d85ec9
commit
541b57e313
@ -1,5 +1,3 @@
|
||||
# SPDX-License-Identifier: GPL-2.0
|
||||
hostprogs-always-y += genheaders
|
||||
HOST_EXTRACFLAGS += \
|
||||
-I$(srctree)/include/uapi -I$(srctree)/include \
|
||||
-I$(srctree)/security/selinux/include
|
||||
HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include
|
||||
|
@ -1,8 +1,5 @@
|
||||
// SPDX-License-Identifier: GPL-2.0
|
||||
|
||||
/* NOTE: we really do want to use the kernel headers here */
|
||||
#define __EXPORTED_HEADERS__
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
@ -1,7 +1,7 @@
|
||||
# SPDX-License-Identifier: GPL-2.0
|
||||
hostprogs-always-y += mdp
|
||||
HOST_EXTRACFLAGS += \
|
||||
-I$(srctree)/include/uapi -I$(srctree)/include \
|
||||
-I$(srctree)/include \
|
||||
-I$(srctree)/security/selinux/include -I$(objtree)/include
|
||||
|
||||
clean-files := policy.* file_contexts
|
||||
|
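Review bot: The new `HOST_EXTRACFLAGS` for mdp still puts `-I$(srctree)/include` and `-I$(objtree)/include` on the host compiler's search path, so a `<linux/*.h>` include in this host program would keep resolving against in-tree kernel headers with no build error, which is the situation the commit title sets out to end. The hunk does not show which include in mdp.c still needs these directories. If one does, I would add a comment above the flags such as `# still needed for <HEADER placeholder>; keep the host include path minimal`; if none does, reduce the flags to the selinux include directory as the genheaders Makefile now does. Which line is old and which is new is inferred from the hunk counts, since the +/- markers are lost on this page.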
@ -11,10 +11,6 @@
|
||||
* Authors: Serge E. Hallyn <serue@us.ibm.com>
|
||||
*/
|
||||
|
||||
|
||||
/* NOTE: we really do want to use the kernel headers here */
|
||||
#define __EXPORTED_HEADERS__
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
@ -1,8 +1,5 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
|
||||
#include <linux/capability.h>
|
||||
#include <linux/socket.h>
|
||||
|
||||
#define COMMON_FILE_SOCK_PERMS \
|
||||
"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
|
||||
"relabelfrom", "relabelto", "append", "map"
|
||||
@ -36,9 +33,13 @@
|
||||
"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
|
||||
"audit_read", "perfmon", "bpf", "checkpoint_restore"
|
||||
|
||||
#ifdef __KERNEL__ /* avoid this check when building host programs */
|
||||
#include <linux/capability.h>
|
||||
|
||||
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
|
||||
#error New capability defined, please update COMMON_CAP2_PERMS.
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Note: The name for any socket class should be suffixed by "socket",
|
||||
@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = {
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
#ifdef __KERNEL__ /* avoid this check when building host programs */
|
||||
#include <linux/socket.h>
|
||||
|
||||
#if PF_MAX > 46
|
||||
#error New address family defined, please update secclass_map.
|
||||
#endif
|
||||
#endif
|
||||
|
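Review bot: Each new `#ifdef __KERNEL__` guard closes with a bare `#endif` directly after the inner `#endif` of the `#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE` and `#if PF_MAX > 46` checks, so the two closers look identical and a later edit can easily unbalance them or leave the `#error` outside the guard. I would label the outer one in both places: `#endif /* __KERNEL__ */`. These `#error` checks are what force the SELinux permission and class tables to be updated when a capability or address family is added. The guard comment could therefore say that the kernel build is now the only place they run, e.g. `/* host programs skip this check; the kernel build still enforces it */`.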
@ -1,6 +1,10 @@
|
||||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
|
||||
#ifdef __KERNEL__
|
||||
#include <linux/stddef.h>
|
||||
#else
|
||||
#include <stddef.h>
|
||||
#endif
|
||||
|
||||
static const char *const initial_sid_to_string[] = {
|
||||
NULL, /* zero placeholder, not used */
|
||||
|