Re: [PATCH v2 6/8] selinux: do not include <linux/*.h> headers from host programs
From: Daniel Gomez (Samsung)
Date: Fri Sep 06 2024 - 11:08:29 EST
On Fri, Sep 6, 2024 at 4:56 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Sep 6, 2024 at 7:01 AM Daniel Gomez via B4 Relay
> <devnull+da.gomez.samsung.com@xxxxxxxxxx> wrote:
> >
> > From: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> >
> > Commit bfc5e3a6af39 ("selinux: use the kernel headers when building
> > scripts/selinux") is not the right thing to do.
> >
> > It is clear from the warning in include/uapi/linux/types.h:
> >
> > #ifndef __EXPORTED_HEADERS__
> > #warning "Attempt to use kernel headers from user space, see https://kernelnewbies.org/KernelHeaders"
> > #endif /* __EXPORTED_HEADERS__ */
> >
> > If you are inclined to define __EXPORTED_HEADERS__, you are likely doing
> > wrong.
> >
> > Adding the comment:
> >
> > /* NOTE: we really do want to use the kernel headers here */
> >
> > does not justify the hack in any way.
> >
> > Currently, <linux/*.h> headers are included for the following purposes:
> >
> > - <linux/capability.h> is included to check CAP_LAST_CAP
> > - <linux/socket.h> is included to check PF_MAX
> >
> > We can skip these checks when building host programs, as they will
> > be eventually tested when building the kernel space.
> >
> > I got rid of <linux/stddef.h> from initial_sid_to_string.h because
> > it is likely that NULL is already defined. If you insist on making
> > it self-contained, you can add the following:
> >
> > #ifdef __KERNEL__
> > #include <linux/stddef.h>
> > #else
> > #include <stddef.h>
> > #endif
> >
> > scripts/selinux/mdp/mdp.c still includes <linux/kconfig.h>, which is
> > also discouraged and should be fixed by a follow-up refactoring.
> >
> > Signed-off-by: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> > ---
> > scripts/selinux/genheaders/Makefile | 4 +---
> > scripts/selinux/genheaders/genheaders.c | 3 ---
> > scripts/selinux/mdp/Makefile | 2 +-
> > scripts/selinux/mdp/mdp.c | 4 ----
> > security/selinux/include/classmap.h | 19 ++++++++++++-------
> > security/selinux/include/initial_sid_to_string.h | 2 --
> > 6 files changed, 14 insertions(+), 20 deletions(-)
>
> Similar to patch 7/8, please read my comments on your previous posting
> of this patch, it doesn't appear that you've made any of the changes I
> asked for in your previous posting.
Sorry for the noise, Paul. I’ll review this one as well.
>
> https://lore.kernel.org/selinux/317c7d20ab8a72975571cb554589522b@xxxxxxxxxxxxxx
>
> --
> paul-moore.com
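The `#ifdef __KERNEL__` selection suggested in the quoted commit message, worked through as an added example that is not the kernel's code or part of this patch: a table header that compiles both inside the kernel and in a host generator without pulling `<linux/*.h>` into user space, with its consistency check kept kernel-only so the host build skips it. The table contents and every `example_*`/`EXAMPLE_*` name are constructed for illustration.

```c
/*
 * Added example, not the kernel's own code: a table header written so the
 * same file compiles inside the kernel and in a host tool without pulling
 * <linux/*.h> into user space. The table and all example_* names are
 * hypothetical; the #ifdef __KERNEL__ selection follows the commit message.
 */
#ifdef __KERNEL__
#include <linux/stddef.h>      /* kernel build: NULL from the kernel's header */
#include <linux/build_bug.h>   /* kernel build: static_assert */
#else
#include <stddef.h>            /* host build: NULL from libc */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#endif

/* Constructed table; a NULL slot marks a retired entry whose number is kept. */
static const char *const example_sid_names[] = {
	"null",
	"kernel",
	"security",
	"unlabeled",
	NULL,
	"file",
};
#define EXAMPLE_SID_NUM (sizeof(example_sid_names) / sizeof(example_sid_names[0]))

#ifdef __KERNEL__
/* Kernel-only consistency check; the host build never sees it, matching the
 * rule that such checks are done when building kernel space. */
static_assert(EXAMPLE_SID_NUM <= 32, "too many initial SIDs");
#endif

#ifndef __KERNEL__
/* Host side: look up a name by number; NULL for out-of-range or retired. */
static const char *example_sid_name(size_t idx)
{
	if (idx >= EXAMPLE_SID_NUM)
		return NULL;
	return example_sid_names[idx];
}

/* Host side: emit "#define EXAMPLE_SID_<NAME> <n>" for every live entry
 * into out; returns bytes written, or -1 if outsz is too small. */
static int example_emit_defines(char *out, size_t outsz)
{
	size_t used = 0;

	for (size_t i = 0; i < EXAMPLE_SID_NUM; i++) {
		char upper[64];
		size_t j;
		int n;

		if (!example_sid_names[i])
			continue;
		for (j = 0; example_sid_names[i][j] && j < sizeof(upper) - 1; j++)
			upper[j] = (char)toupper((unsigned char)example_sid_names[i][j]);
		upper[j] = '\0';

		n = snprintf(out + used, outsz - used,
			     "#define EXAMPLE_SID_%s %zu\n", upper, i);
		if (n < 0 || (size_t)n >= outsz - used)
			return -1;
		used += (size_t)n;
	}
	return (int)used;
}

int main(void)
{
	char buf[512];

	if (example_emit_defines(buf, sizeof(buf)) < 0)
		return 1;
	fputs(buf, stdout);
	return 0;
}
#endif
```

Built as a host program (no `__KERNEL__`), the file needs only libc; built into the kernel, the same header picks up `<linux/stddef.h>` and `<linux/build_bug.h>` and runs the `static_assert`, so nothing has to define `__EXPORTED_HEADERS__` on the host side.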