lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHC9VhS=5ohpS18kkXUKaE4QR5HfGZ-ADbR14WPQPor3jeFSuw@mail.gmail.com>
Date: Fri, 6 Sep 2024 14:37:29 -0400
From: Paul Moore <paul@...l-moore.com>
To: Masahiro Yamada <masahiroy@...nel.org>
Cc: Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, 
	selinux@...r.kernel.org, linux-kbuild@...r.kernel.org, 
	Daniel Gomez <da.gomez@...sung.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] selinux: do not include <linux/*.h> headers from
 host programs

On Fri, Sep 6, 2024 at 1:29 PM Masahiro Yamada <masahiroy@...nel.org> wrote:
>
> The header, security/selinux/include/classmap.h, is included not only
> from kernel space but also from host programs.
>
> It includes <linux/capability.h> and <linux/socket.h>, which pull in
> more <linux/*.h> headers. This makes the host programs less portable,
> specifically causing build errors on macOS.
>
> Those headers are included for the following purposes:
>
>  - <linux/capability.h> for checking CAP_LAST_CAP
>  - <linux/socket.h> for checking PF_MAX
>
> These checks can be guarded by __KERNEL__ so they are skipped when
> building host programs. Testing them when building the kernel should
> be sufficient.
>
> The header, security/selinux/include/initial_sid_to_string.h, includes
> <linux/stddef.h> for the NULL definition, but this is not portable
> either. Instead, <stddef.h> should be included for host programs.
>
> Reported-by: Daniel Gomez <da.gomez@...sung.com>
> Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/
> Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/
> Signed-off-by: Masahiro Yamada <masahiroy@...nel.org>
> ---
>
> Changes in v2:
>   - Reword the commit description
>   - Keep the location of CAP_LAST_CAP
>   - Include <stddef.h> for host programs
>
>  scripts/selinux/genheaders/Makefile              |  4 +---
>  scripts/selinux/genheaders/genheaders.c          |  3 ---
>  scripts/selinux/mdp/Makefile                     |  2 +-
>  scripts/selinux/mdp/mdp.c                        |  4 ----
>  security/selinux/include/classmap.h              | 11 ++++++++---
>  security/selinux/include/initial_sid_to_string.h |  4 ++++
>  6 files changed, 14 insertions(+), 14 deletions(-)

This looks much better, thank you.  We're currently at -rc6 which is
later than I would like to merge patches like this (I try to stick to
bug fixes or trivial changes at this point in the development cycle),
so I'm going to hold on to this until after the upcoming merge window
where I'll merge it into selinux/dev.  See the below doc for more
information on how the SELinux tree is managed:

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/tree/README.md

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ