
selinux: do not include <linux/*.h> headers from host programs

The header, security/selinux/include/classmap.h, is included not only
from kernel space but also from host programs.

It includes <linux/capability.h> and <linux/socket.h>, which pull in
more <linux/*.h> headers. This makes the host programs less portable,
specifically causing build errors on macOS.

Those headers are included for the following purposes:

- <linux/capability.h> for checking CAP_LAST_CAP
- <linux/socket.h> for checking PF_MAX

These checks can be guarded by __KERNEL__ so they are skipped when
building host programs. Testing them when building the kernel should
be sufficient.

The header, security/selinux/include/initial_sid_to_string.h, includes
<linux/stddef.h> for the NULL definition, but this is not portable
either. Instead, <stddef.h> should be included for host programs.

Reported-by: Daniel Gomez <da.gomez@samsung.com>
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-6-4cd1ded85694@samsung.com/
Closes: https://lore.kernel.org/lkml/20240807-macos-build-support-v1-7-4cd1ded85694@samsung.com/
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Masahiro Yamada and committed by
Paul Moore
541b57e3 9852d85e

+14 -14
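--- a/scripts/selinux/genheaders/Makefile
+++ b/scripts/selinux/genheaders/Makefile
@@ -1,5 +1,3 @@
 # SPDX-License-Identifier: GPL-2.0
 hostprogs-always-y += genheaders
-HOST_EXTRACFLAGS += \
--I$(srctree)/include/uapi -I$(srctree)/include \
--I$(srctree)/security/selinux/include
+HOST_EXTRACFLAGS += -I$(srctree)/security/selinux/include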
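--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -1,8 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0
 
-/* NOTE: we really do want to use the kernel headers here */
-#define __EXPORTED_HEADERS__
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>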
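--- a/scripts/selinux/mdp/Makefile
+++ b/scripts/selinux/mdp/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 hostprogs-always-y += mdp
 HOST_EXTRACFLAGS += \
--I$(srctree)/include/uapi -I$(srctree)/include \
+-I$(srctree)/include \
 -I$(srctree)/security/selinux/include -I$(objtree)/include
 
 clean-files := policy.* file_contexts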
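Review bot: The mdp Makefile keeps `-I$(srctree)/include` on the HOST_EXTRACFLAGS line while the genheaders Makefile drops its in-tree include paths entirely, and nothing in the hunk says which header still needs it. If mdp.c no longer pulls in any `<linux/*.h>` header after this series, the remaining path can go the same way; if it does, a one-line comment such as `# -I$(srctree)/include is still needed by mdp.c; see the includes there` would stop the next reader from repeating the search. Only the top of mdp.c is visible in this commit, so this is a question rather than a defect claim.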
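--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -11,10 +11,6 @@
 * Authors: Serge E. Hallyn <serue@us.ibm.com>
 */
 
-
-/* NOTE: we really do want to use the kernel headers here */
-#define __EXPORTED_HEADERS__
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>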
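--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -1,8 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 
-#include <linux/capability.h>
-#include <linux/socket.h>
-
 #define COMMON_FILE_SOCK_PERMS \
 "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
 "relabelfrom", "relabelto", "append", "map"
@@ -33,8 +36,12 @@
 "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
 "audit_read", "perfmon", "bpf", "checkpoint_restore"
 
+#ifdef __KERNEL__ /* avoid this check when building host programs */
+#include <linux/capability.h>
+
 #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
 #error New capability defined, please update COMMON_CAP2_PERMS.
+#endif
 #endif
 
 /*
@@ -182,6 +181,10 @@
 { NULL }
 };
 
+#ifdef __KERNEL__ /* avoid this check when building host programs */
+#include <linux/socket.h>
+
 #if PF_MAX > 46
 #error New address family defined, please update secclass_map.
+#endif
 #endif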
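Review bot: Nothing at the top of classmap.h records that the header is also compiled by host programs, so the constraint this commit enforces lives only in the commit message and in the two `/* avoid this check when building host programs */` comments that sit next to the guarded includes in the second and third hunks. A later contributor adding an `#include <linux/...>` at the top of the file would reintroduce the portability break without any in-file hint. I would add a short comment after the SPDX line, along the lines of `/* Also compiled by host programs (scripts/selinux/genheaders, mdp): keep <linux/*.h> includes inside the __KERNEL__ guards below. */`, and the same note applies to initial_sid_to_string.h, where the `__KERNEL__` / `<stddef.h>` split is likewise unexplained in the file. The guard comments themselves say "avoid this check" although each block also holds the include; `/* UAPI headers are not portable to host builds; only the in-tree build runs this check */` would describe both.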
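--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -1,6 +1,10 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 
+#ifdef __KERNEL__
 #include <linux/stddef.h>
+#else
+#include <stddef.h>
+#endif
 
 static const char *const initial_sid_to_string[] = {
 NULL, /* zero placeholder, not used */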