Commit 541b57e3 authored by Masahiro Yamada, committed by Paul Moore

selinux: do not include <linux/*.h> headers from host programs



The header, security/selinux/include/classmap.h, is included not only
from kernel space but also from host programs.

It includes <linux/capability.h> and <linux/socket.h>, which pull in
more <linux/*.h> headers. This makes the host programs less portable,
specifically causing build errors on macOS.

Those headers are included for the following purposes:

 - <linux/capability.h> for checking CAP_LAST_CAP
 - <linux/socket.h> for checking PF_MAX

These checks can be guarded by __KERNEL__ so they are skipped when
building host programs. Testing them when building the kernel should
be sufficient.

The header, security/selinux/include/initial_sid_to_string.h, includes
<linux/stddef.h> for the NULL definition, but this is not portable
either. Instead, <stddef.h> should be included for host programs.

Reported-by: Daniel Gomez <da.gomez@samsung.com>
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/


Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 9852d85e
+1 −3
# SPDX-License-Identifier: GPL-2.0
hostprogs-always-y += genheaders
HOST_EXTRACFLAGS += \
	-I$(srctree)/include/uapi -I$(srctree)/include \
	-I$(srctree)/security/selinux/include
HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include
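Review bot: nothing next to the new single-line `HOST_EXTRACFLAGS` records why `-I$(srctree)/include/uapi` and `-I$(srctree)/include` were dropped, so a later change could re-add them just to quiet a build error. A one-line comment above the assignment saying that genheaders is a host program and must not see `<linux/*.h>` would keep the restriction from being silently undone.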
+0 −3
// SPDX-License-Identifier: GPL-2.0

/* NOTE: we really do want to use the kernel headers here */
#define __EXPORTED_HEADERS__

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
+1 −1
# SPDX-License-Identifier: GPL-2.0
hostprogs-always-y += mdp
HOST_EXTRACFLAGS += \
	-I$(srctree)/include/uapi -I$(srctree)/include \
	-I$(srctree)/include \
	-I$(srctree)/security/selinux/include -I$(objtree)/include

clean-files	:= policy.* file_contexts
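Review bot: `-I$(srctree)/include` stays on the mdp include path in `HOST_EXTRACFLAGS`, while the genheaders Makefile drops it entirely, and the commit message does not say why the two differ. With that path present, `<linux/*.h>` remains reachable from this host program, which is what the commit sets out to avoid. Either drop it here as well, or add a sentence to the commit message or a Makefile comment naming what mdp still needs from it.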
+0 −4
@@ -11,10 +11,6 @@
 * Authors: Serge E. Hallyn <serue@us.ibm.com>
 */


/* NOTE: we really do want to use the kernel headers here */
#define __EXPORTED_HEADERS__

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
+8 −3
/* SPDX-License-Identifier: GPL-2.0 */

#include <linux/capability.h>
#include <linux/socket.h>

#define COMMON_FILE_SOCK_PERMS                                            \
	"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
		"relabelfrom", "relabelto", "append", "map"
@@ -36,9 +33,13 @@
	"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
		"audit_read", "perfmon", "bpf", "checkpoint_restore"

#ifdef __KERNEL__ /* avoid this check when building host programs */
#include <linux/capability.h>

#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
#endif

/*
 * Note: The name for any socket class should be suffixed by "socket",
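Review bot: the new block around the `CAP_LAST_CAP` check ends in two bare `#endif` lines, which makes it easy to misread which one closes `#ifdef __KERNEL__`. Annotate the outer one as `#endif /* __KERNEL__ */`. Since this `#error` is what forces `COMMON_CAP2_PERMS` to be updated when a capability is added, the comment on the `#ifdef` line could also state that the kernel build is now the only place the check runs.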
@@ -181,6 +182,10 @@ const struct security_class_mapping secclass_map[] = {
	{ NULL }
};

#ifdef __KERNEL__ /* avoid this check when building host programs */
#include <linux/socket.h>

#if PF_MAX > 46
#error New address family defined, please update secclass_map.
#endif
#endif
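Review bot: `secclass_map[]` still terminates with `{ NULL }` at the top of this hunk, but with `<linux/capability.h>` and `<linux/socket.h>` now included only under `__KERNEL__`, classmap.h includes nothing of its own in a host build and relies on the includer having pulled in a definition of `NULL` first (`<stdio.h>` in the visible host sources). The commit message gives initial_sid_to_string.h a `<stddef.h>` include for host programs for this reason; consider the same treatment here so the header stays self-contained.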