Message-ID: <CAKtyLkG75o=+9UtskB6Qn2ZvzDrzQPi6gBoAYXvio__46Mds8Q@mail.gmail.com>
Date: Wed, 22 Jan 2025 10:41:07 -0800
From: Fan Wu <wufan@...nel.org>
To: Tyler Hicks <code@...icks.com>
Cc: Fan Wu <wufan@...nel.org>, Paul Moore <paul@...l-moore.com>, 
	James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, 
	Deven Bowers <deven.desai@...ux.microsoft.com>, 
	Shyam Saini <shyamsaini@...ux.microsoft.com>, linux-security-module@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipe: Search for the boot policy file in the source tree

Thanks for the fix.

My only concern here is the use of wildcard. I'm not sure but if
$(CONFIG_IPE_BOOT_POLICY) is a glob pattern it could match multiple
files?

Other than that I think the doc of security/ipe/Kconfig needs to be
updated as well to reflect the makefile change.

-Fan

On Tue, Jan 21, 2025 at 10:58 PM Tyler Hicks <code@...icks.com> wrote:
>
> Resolve CONFIG_IPE_BOOT_POLICY relative file paths in the source tree if
> the file was not found within the object tree and is not an absolute path.
>
> This fixes an IPE build failure that occurs when using an output directory,
> such as with the `O=/tmp/build` make option, during a build with the
> CONFIG_IPE_BOOT_POLICY option set to a path that's relative to the kernel
> source tree. For example,
>
>   $ grep CONFIG_IPE_BOOT_POLICY /tmp/build/.config
>   CONFIG_IPE_BOOT_POLICY="ipe-boot-policy"
>   $ touch ipe-boot-policy
>   $ make O=/tmp/build
>   make[1]: Entering directory '/tmp/build'
>     GEN     Makefile
>     UPD     include/config/kernel.release
>     UPD     include/generated/utsrelease.h
>     CALL    scripts/checksyscalls.sh
>     CC      init/version.o
>     AR      init/built-in.a
>     CC      kernel/sys.o
>     AR      kernel/built-in.a
>     IPE_POL ipe-boot-policy
>   An error occurred during policy conversion: : No such file or directory
>   make[5]: *** [security/ipe/Makefile:14: security/ipe/boot_policy.c] Error 2
>   make[4]: *** [scripts/Makefile.build:440: security/ipe] Error 2
>   make[3]: *** [scripts/Makefile.build:440: security] Error 2
>   make[2]: *** [Makefile:1989: .] Error 2
>   make[1]: *** [Makefile:251: __sub-make] Error 2
>   make[1]: Leaving directory '/tmp/build'
>   make: *** [Makefile:251: __sub-make] Error 2
>
> Fixes: ba199dc909a2 ("scripts: add boot policy generation program")
> Cc: stable@...r.kernel.org
> Signed-off-by: Tyler Hicks <code@...icks.com>
> ---
>  security/ipe/Makefile | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/security/ipe/Makefile b/security/ipe/Makefile
> index 2ffabfa63fe9..b54d7b7c9e6d 100644
> --- a/security/ipe/Makefile
> +++ b/security/ipe/Makefile
> @@ -10,8 +10,10 @@ quiet_cmd_polgen = IPE_POL $(2)
>
>  targets += boot_policy.c
>
> -$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE
> -       $(call if_changed,polgen,$(CONFIG_IPE_BOOT_POLICY))
> +boot-pol := $(if $(wildcard $(CONFIG_IPE_BOOT_POLICY)),,$(srctree)/)$(CONFIG_IPE_BOOT_POLICY)
> +
> +$(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(boot-pol) FORCE
> +       $(call if_changed,polgen,$(boot-pol))
>
>  obj-$(CONFIG_SECURITY_IPE) += \
>         boot_policy.o \
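
Review bot: The `boot-pol :=` line picks the prefix only from whether `$(wildcard $(CONFIG_IPE_BOOT_POLICY))` matches something relative to the build's current directory, so it never tests for an absolute path, although the commit message says the source-tree lookup applies only when the path "is not an absolute path". An absolute path that does not exist gets `$(srctree)/` prepended, so the resulting error names a path the user never configured, and an empty value expands to just `$(srctree)/`, which makes the source directory itself the prerequisite and the polgen argument. Consider also keying the prefix on the path form, for example with `$(filter /%,$(CONFIG_IPE_BOOT_POLICY))`, and handling the empty value explicitly. On the glob question: the `wildcard` result is used only as the condition of `$(if ...)`, so a pattern in the value cannot expand into several prerequisites, but it can flip which tree is chosen; a short comment above `boot-pol` stating the lookup order (object tree first, then source tree) would make that intent clear.
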
> --
> 2.34.1
>
