selinux: do not include <linux/*.h> headers from host programs

The header, security/selinux/include/classmap.h, is included not only
from kernel space but also from host programs.

It includes <linux/capability.h> and <linux/socket.h>, which pull in
more <linux/*.h> headers. This makes the host programs less portable,
specifically causing build errors on macOS.

Those headers are included for the following purposes:

 - <linux/capability.h> for checking CAP_LAST_CAP
 - <linux/socket.h> for checking PF_MAX

These checks can be guarded by __KERNEL__ so they are skipped when
building host programs. Testing them when building the kernel should
be sufficient.

The header, security/selinux/include/initial_sid_to_string.h, includes
<linux/stddef.h> for the NULL definition, but this is not portable
either. Instead, <stddef.h> should be included for host programs.

Reported-by: Daniel Gomez <da.gomez@samsung.com>
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Masahiro Yamada 2024-09-07 02:29:13 +09:00 committed by Paul Moore
parent 9852d85ec9
commit 541b57e313
6 changed files with 14 additions and 14 deletions

View File

@ -1,5 +1,3 @@
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
hostprogs-always-y += genheaders hostprogs-always-y += genheaders
HOST_EXTRACFLAGS += \ HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include
-I$(srctree)/include/uapi -I$(srctree)/include \
-I$(srctree)/security/selinux/include

View File

@ -1,8 +1,5 @@
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* NOTE: we really do want to use the kernel headers here */
#define __EXPORTED_HEADERS__
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>

View File

@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
hostprogs-always-y += mdp hostprogs-always-y += mdp
HOST_EXTRACFLAGS += \ HOST_EXTRACFLAGS += \
-I$(srctree)/include/uapi -I$(srctree)/include \ -I$(srctree)/include \
-I$(srctree)/security/selinux/include -I$(objtree)/include -I$(srctree)/security/selinux/include -I$(objtree)/include
clean-files := policy.* file_contexts clean-files := policy.* file_contexts

View File

@ -11,10 +11,6 @@
* Authors: Serge E. Hallyn <serue@us.ibm.com> * Authors: Serge E. Hallyn <serue@us.ibm.com>
*/ */
/* NOTE: we really do want to use the kernel headers here */
#define __EXPORTED_HEADERS__
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>

View File

@ -1,8 +1,5 @@
/* SPDX-License-Identifier: GPL-2.0 */ /* SPDX-License-Identifier: GPL-2.0 */
#include <linux/capability.h>
#include <linux/socket.h>
#define COMMON_FILE_SOCK_PERMS \ #define COMMON_FILE_SOCK_PERMS \
"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
"relabelfrom", "relabelto", "append", "map" "relabelfrom", "relabelto", "append", "map"
@ -36,9 +33,13 @@
"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
"audit_read", "perfmon", "bpf", "checkpoint_restore" "audit_read", "perfmon", "bpf", "checkpoint_restore"
#ifdef __KERNEL__ /* avoid this check when building host programs */
#include <linux/capability.h>
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS. #error New capability defined, please update COMMON_CAP2_PERMS.
#endif #endif
#endif
/* /*
* Note: The name for any socket class should be suffixed by "socket", * Note: The name for any socket class should be suffixed by "socket",
@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = {
{ NULL } { NULL }
}; };
#ifdef __KERNEL__ /* avoid this check when building host programs */
#include <linux/socket.h>
#if PF_MAX > 46 #if PF_MAX > 46
#error New address family defined, please update secclass_map. #error New address family defined, please update secclass_map.
#endif #endif
#endif

View File

@ -1,6 +1,10 @@
/* SPDX-License-Identifier: GPL-2.0 */ /* SPDX-License-Identifier: GPL-2.0 */
#ifdef __KERNEL__
#include <linux/stddef.h> #include <linux/stddef.h>
#else
#include <stddef.h>
#endif
static const char *const initial_sid_to_string[] = { static const char *const initial_sid_to_string[] = {
NULL, /* zero placeholder, not used */ NULL, /* zero placeholder, not used */