* [PATCH] samples/seccomp: Add standalone config option
@ 2016-07-06 6:53 Olof Johansson
2016-07-06 17:55 ` Kees Cook
2016-07-07 17:54 ` Kees Cook
0 siblings, 2 replies; 4+ messages in thread
From: Olof Johansson @ 2016-07-06 6:53 UTC (permalink / raw)
To: keescook; +Cc: wad, luto, linux-kernel, Olof Johansson
Add a separate Kconfig option for SAMPLES_SECCOMP.
Main reason for this is that, just like other samples, it's forced to be a module.
Without this, since the sample is a target only controlled by
CONFIG_SECCOMP_FILTER, the samples will be built before include files are
put in place properly. For example, from an arm64 allmodconfig built with
"make -sk -j 32" (without specific target), the following happens:
samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory
So, just stick to the same format as other samples.
Signed-off-by: Olof Johansson <olof@lixom.net>
---
samples/Kconfig | 7 +++++++
samples/seccomp/Makefile | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
Hi Kees,
This has been showing up for a while on my builder, and I finally had
a bit of time to sit down and look at it.
It'd be nice to see this in 4.7, but please consider for 4.8 at the least.
Thanks!
-Olof
diff --git a/samples/Kconfig b/samples/Kconfig
index 559a58b..ccc50be 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -85,4 +85,11 @@ config SAMPLE_CONNECTOR
with it.
See also Documentation/connector/connector.txt
+config SAMPLE_SECCOMP
+ tristate "Build seccomp sample code -- loadable modules only"
+ depends on SECCOMP_FILTER && m
+ help
+ Build samples of seccomp filters using various methods of
+ BPF filter construction.
+
endif # SAMPLES
diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
index 1b4e4b8..ae7ff6f 100644
--- a/samples/seccomp/Makefile
+++ b/samples/seccomp/Makefile
@@ -1,7 +1,7 @@
# kbuild trick to avoid linker error. Can be omitted if a module is built.
obj- := dummy.o
-hostprogs-$(CONFIG_SECCOMP_FILTER) := bpf-fancy dropper bpf-direct
+hostprogs-$(CONFIG_SAMPLE_SECCOMP) := bpf-fancy dropper bpf-direct
HOSTCFLAGS_bpf-fancy.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-fancy.o += -idirafter $(objtree)/include
--
2.8.0.rc3.29.gb552ff8
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] samples/seccomp: Add standalone config option
2016-07-06 6:53 [PATCH] samples/seccomp: Add standalone config option Olof Johansson
@ 2016-07-06 17:55 ` Kees Cook
2016-07-07 17:14 ` Olof Johansson
2016-07-07 17:54 ` Kees Cook
1 sibling, 1 reply; 4+ messages in thread
From: Kees Cook @ 2016-07-06 17:55 UTC (permalink / raw)
To: Olof Johansson; +Cc: Will Drewry, Andy Lutomirski, LKML
On Wed, Jul 6, 2016 at 2:53 AM, Olof Johansson <olof@lixom.net> wrote:
> Add a separate Kconfig option for SAMPLES_SECCOMP.
>
> Main reason for this is that, just like other samples, it's forced to be a module.
>
> Without this, since the sample is a target only controlled by
> CONFIG_SECCOMP_FILTER, the samples will be built before include files are
> put in place properly. For example, from an arm64 allmodconfig built with
> "make -sk -j 32" (without specific target), the following happens:
>
> samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory
Ah-ha! Yes, that's ugly.
> So, just stick to the same format as other samples.
Agreed, that makes sense to me.
>
> Signed-off-by: Olof Johansson <olof@lixom.net>
> ---
> samples/Kconfig | 7 +++++++
> samples/seccomp/Makefile | 2 +-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
>
> Hi Kees,
>
> This has been showing up for a while on my builder, and I finally had
> a bit of time to sit down and look at it.
>
> It'd be nice to see this in 4.7, but please consider for 4.8 at the least.
>
>
> Thanks!
>
> -Olof
>
> diff --git a/samples/Kconfig b/samples/Kconfig
> index 559a58b..ccc50be 100644
> --- a/samples/Kconfig
> +++ b/samples/Kconfig
> @@ -85,4 +85,11 @@ config SAMPLE_CONNECTOR
> with it.
> See also Documentation/connector/connector.txt
>
> +config SAMPLE_SECCOMP
> + tristate "Build seccomp sample code -- loadable modules only"
> + depends on SECCOMP_FILTER && m
> + help
> + Build samples of seccomp filters using various methods of
> + BPF filter construction.
> +
> endif # SAMPLES
> diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
> index 1b4e4b8..ae7ff6f 100644
> --- a/samples/seccomp/Makefile
> +++ b/samples/seccomp/Makefile
> @@ -1,7 +1,7 @@
> # kbuild trick to avoid linker error. Can be omitted if a module is built.
> obj- := dummy.o
Can the above two lines be dropped now since it'll always be a module?
>
> -hostprogs-$(CONFIG_SECCOMP_FILTER) := bpf-fancy dropper bpf-direct
> +hostprogs-$(CONFIG_SAMPLE_SECCOMP) := bpf-fancy dropper bpf-direct
>
> HOSTCFLAGS_bpf-fancy.o += -I$(objtree)/usr/include
> HOSTCFLAGS_bpf-fancy.o += -idirafter $(objtree)/include
> --
> 2.8.0.rc3.29.gb552ff8
>
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] samples/seccomp: Add standalone config option
2016-07-06 17:55 ` Kees Cook
@ 2016-07-07 17:14 ` Olof Johansson
0 siblings, 0 replies; 4+ messages in thread
From: Olof Johansson @ 2016-07-07 17:14 UTC (permalink / raw)
To: Kees Cook; +Cc: Will Drewry, Andy Lutomirski, LKML
Hi,
On Wed, Jul 6, 2016 at 10:55 AM, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Jul 6, 2016 at 2:53 AM, Olof Johansson <olof@lixom.net> wrote:
>> Add a separate Kconfig option for SAMPLES_SECCOMP.
>>
>> Main reason for this is that, just like other samples, it's forced to be a module.
>>
>> Without this, since the sample is a target only controlled by
>> CONFIG_SECCOMP_FILTER, the samples will be built before include files are
>> put in place properly. For example, from an arm64 allmodconfig built with
>> "make -sk -j 32" (without specific target), the following happens:
>>
>> samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
>> samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
>> samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
>> samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory
>
> Ah-ha! Yes, that's ugly.
>
>> So, just stick to the same format as other samples.
>
> Agreed, that makes sense to me.
>
>>
>> Signed-off-by: Olof Johansson <olof@lixom.net>
>> ---
>> samples/Kconfig | 7 +++++++
>> samples/seccomp/Makefile | 2 +-
>> 2 files changed, 8 insertions(+), 1 deletion(-)
>>
>>
>> Hi Kees,
>>
>> This has been showing up for a while on my builder, and I finally had
>> a bit of time to sit down and look at it.
>>
>> It'd be nice to see this in 4.7, but please consider for 4.8 at the least.
>>
>>
>> Thanks!
>>
>> -Olof
>>
>> diff --git a/samples/Kconfig b/samples/Kconfig
>> index 559a58b..ccc50be 100644
>> --- a/samples/Kconfig
>> +++ b/samples/Kconfig
>> @@ -85,4 +85,11 @@ config SAMPLE_CONNECTOR
>> with it.
>> See also Documentation/connector/connector.txt
>>
>> +config SAMPLE_SECCOMP
>> + tristate "Build seccomp sample code -- loadable modules only"
>> + depends on SECCOMP_FILTER && m
>> + help
>> + Build samples of seccomp filters using various methods of
>> + BPF filter construction.
>> +
>> endif # SAMPLES
>> diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
>> index 1b4e4b8..ae7ff6f 100644
>> --- a/samples/seccomp/Makefile
>> +++ b/samples/seccomp/Makefile
>> @@ -1,7 +1,7 @@
>> # kbuild trick to avoid linker error. Can be omitted if a module is built.
>> obj- := dummy.o
>
> Can the above two lines be dropped now since it'll always be a module?
Actually, they can't, since the only other target is a hostprogs one.
Still needs a dummy module object file.
-Olof
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] samples/seccomp: Add standalone config option
2016-07-06 6:53 [PATCH] samples/seccomp: Add standalone config option Olof Johansson
2016-07-06 17:55 ` Kees Cook
@ 2016-07-07 17:54 ` Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: Kees Cook @ 2016-07-07 17:54 UTC (permalink / raw)
To: Olof Johansson; +Cc: Will Drewry, Andy Lutomirski, LKML
On Wed, Jul 6, 2016 at 2:53 AM, Olof Johansson <olof@lixom.net> wrote:
> Add a separate Kconfig option for SAMPLES_SECCOMP.
>
> Main reason for this is that, just like other samples, it's forced to be a module.
>
> Without this, since the sample is a target only controlled by
> CONFIG_SECCOMP_FILTER, the samples will be built before include files are
> put in place properly. For example, from an arm64 allmodconfig built with
> "make -sk -j 32" (without specific target), the following happens:
>
> samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory
> samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directory
>
> So, just stick to the same format as other samples.
>
> Signed-off-by: Olof Johansson <olof@lixom.net>
> ---
> samples/Kconfig | 7 +++++++
> samples/seccomp/Makefile | 2 +-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
>
> Hi Kees,
>
> This has been showing up for a while on my builder, and I finally had
> a bit of time to sit down and look at it.
>
> It'd be nice to see this in 4.7, but please consider for 4.8 at the least.
I feel like we're too late in 4.7, but I've applied this for 4.8.
Thanks for tracking it down!
-Kees
>
>
> Thanks!
>
> -Olof
>
> diff --git a/samples/Kconfig b/samples/Kconfig
> index 559a58b..ccc50be 100644
> --- a/samples/Kconfig
> +++ b/samples/Kconfig
> @@ -85,4 +85,11 @@ config SAMPLE_CONNECTOR
> with it.
> See also Documentation/connector/connector.txt
>
> +config SAMPLE_SECCOMP
> + tristate "Build seccomp sample code -- loadable modules only"
> + depends on SECCOMP_FILTER && m
> + help
> + Build samples of seccomp filters using various methods of
> + BPF filter construction.
> +
> endif # SAMPLES
> diff --git a/samples/seccomp/Makefile b/samples/seccomp/Makefile
> index 1b4e4b8..ae7ff6f 100644
> --- a/samples/seccomp/Makefile
> +++ b/samples/seccomp/Makefile
> @@ -1,7 +1,7 @@
> # kbuild trick to avoid linker error. Can be omitted if a module is built.
> obj- := dummy.o
>
> -hostprogs-$(CONFIG_SECCOMP_FILTER) := bpf-fancy dropper bpf-direct
> +hostprogs-$(CONFIG_SAMPLE_SECCOMP) := bpf-fancy dropper bpf-direct
>
> HOSTCFLAGS_bpf-fancy.o += -I$(objtree)/usr/include
> HOSTCFLAGS_bpf-fancy.o += -idirafter $(objtree)/include
> --
> 2.8.0.rc3.29.gb552ff8
>
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-07-07 17:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-06 6:53 [PATCH] samples/seccomp: Add standalone config option Olof Johansson
2016-07-06 17:55 ` Kees Cook
2016-07-07 17:14 ` Olof Johansson
2016-07-07 17:54 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).