[PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Paulo Alcantara]

When compiling genheaders and mdp from a newer host kernel, the
following error happens:

    In file included from scripts/selinux/genheaders/genheaders.c:18:
    ./security/selinux/include/classmap.h:238:2: error: #error New
    address family defined, please update secclass_map.  #error New
    address family defined, please update secclass_map.  ^~~~~
    make[3]: *** [scripts/Makefile.host:107:
    scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
    [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
    make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
    make[1]: *** Waiting for unfinished jobs....

Instead of relying on the host definition, include linux/socket.h in
classmap.h to have PF_MAX.

Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
---
 scripts/selinux/genheaders/genheaders.c | 1 -
 scripts/selinux/mdp/mdp.c               | 1 -
 security/selinux/include/classmap.h     | 1 +
 3 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 1ceedea847dd..544ca126a8a8 100644
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -9,7 +9,6 @@
 #include <string.h>
 #include <errno.h>
 #include <ctype.h>
-#include <sys/socket.h>
 
 struct security_class_mapping {
 	const char *name;
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 073fe7537f6c..6d51b74bc679 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -32,7 +32,6 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
-#include <sys/socket.h>
 
 static void usage(char *name)
 {
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index bd5fe0d3204a..201f7e588a29 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #include <linux/capability.h>
+#include <linux/socket.h>
 
 #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
     "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
-- 
2.20.1

Re: [PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Paulo Alcantara]

Paulo Alcantara <paulo@paulo.ac> writes:

> When compiling genheaders and mdp from a newer host kernel, the
> following error happens:
>
>     In file included from scripts/selinux/genheaders/genheaders.c:18:
>     ./security/selinux/include/classmap.h:238:2: error: #error New
>     address family defined, please update secclass_map.  #error New
>     address family defined, please update secclass_map.  ^~~~~
>     make[3]: *** [scripts/Makefile.host:107:
>     scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
>     [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
>     make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
>     make[1]: *** Waiting for unfinished jobs....
>
> Instead of relying on the host definition, include linux/socket.h in
> classmap.h to have PF_MAX.
>
> Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
> ---
>  scripts/selinux/genheaders/genheaders.c | 1 -
>  scripts/selinux/mdp/mdp.c               | 1 -
>  security/selinux/include/classmap.h     | 1 +
>  3 files changed, 1 insertion(+), 2 deletions(-)

Ping?

Could someone please take a look at this issue?

It's quite easy to reproduce on my host (4.20+) when building an
unpatched 4.14 kernel[1]:

    $ make defconfig
    *** Default configuration is based on 'x86_64_defconfig'
    #
    # configuration written to .config
    #
    $ make scripts
    scripts/kconfig/conf  --silentoldconfig Kconfig
      WRAP    arch/x86/include/generated/asm/clkdev.h
      WRAP    arch/x86/include/generated/asm/dma-contiguous.h
      WRAP    arch/x86/include/generated/asm/early_ioremap.h
      WRAP    arch/x86/include/generated/asm/mcs_spinlock.h
      WRAP    arch/x86/include/generated/asm/mm-arch-hooks.h
      CC      scripts/mod/empty.o
      HOSTCC  scripts/mod/mk_elfconfig
      MKELF   scripts/mod/elfconfig.h
      HOSTCC  scripts/mod/modpost.o
      CC      scripts/mod/devicetable-offsets.s
      CHK     scripts/mod/devicetable-offsets.h
      UPD     scripts/mod/devicetable-offsets.h
      HOSTCC  scripts/mod/file2alias.o
      HOSTCC  scripts/mod/sumversion.o
      HOSTLD  scripts/mod/modpost
      HOSTCC  scripts/selinux/genheaders/genheaders
    In file included from scripts/selinux/genheaders/genheaders.c:19:
    ./security/selinux/include/classmap.h:245:2: error: #error New address family defined, please update secclass_map.
     #error New address family defined, please update secclass_map.
      ^~~~~
    make[3]: *** [scripts/Makefile.host:102: scripts/selinux/genheaders/genheaders] Error 1
    make[2]: *** [scripts/Makefile.build:585: scripts/selinux/genheaders] Error 2
    make[1]: *** [scripts/Makefile.build:585: scripts/selinux] Error 2
    make: *** [Makefile:572: scripts] Error 2

Thanks
Paulo

[1] https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.14.104.tar.xz

>
> diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
> index 1ceedea847dd..544ca126a8a8 100644
> --- a/scripts/selinux/genheaders/genheaders.c
> +++ b/scripts/selinux/genheaders/genheaders.c
> @@ -9,7 +9,6 @@
>  #include <string.h>
>  #include <errno.h>
>  #include <ctype.h>
> -#include <sys/socket.h>
>  
>  struct security_class_mapping {
>  	const char *name;
> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
> index 073fe7537f6c..6d51b74bc679 100644
> --- a/scripts/selinux/mdp/mdp.c
> +++ b/scripts/selinux/mdp/mdp.c
> @@ -32,7 +32,6 @@
>  #include <stdlib.h>
>  #include <unistd.h>
>  #include <string.h>
> -#include <sys/socket.h>
>  
>  static void usage(char *name)
>  {
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index bd5fe0d3204a..201f7e588a29 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -1,5 +1,6 @@
>  /* SPDX-License-Identifier: GPL-2.0 */
>  #include <linux/capability.h>
> +#include <linux/socket.h>
>  
>  #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
>      "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
> -- 
> 2.20.1

Re: [PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Stephen Smalley]

On 2/24/19 7:55 PM, Paulo Alcantara wrote:
> When compiling genheaders and mdp from a newer host kernel, the
> following error happens:
> 
>      In file included from scripts/selinux/genheaders/genheaders.c:18:
>      ./security/selinux/include/classmap.h:238:2: error: #error New
>      address family defined, please update secclass_map.  #error New
>      address family defined, please update secclass_map.  ^~~~~
>      make[3]: *** [scripts/Makefile.host:107:
>      scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
>      [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
>      make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
>      make[1]: *** Waiting for unfinished jobs....
> 
> Instead of relying on the host definition, include linux/socket.h in
> classmap.h to have PF_MAX.
> 
> Signed-off-by: Paulo Alcantara <paulo@paulo.ac>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   scripts/selinux/genheaders/genheaders.c | 1 -
>   scripts/selinux/mdp/mdp.c               | 1 -
>   security/selinux/include/classmap.h     | 1 +
>   3 files changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
> index 1ceedea847dd..544ca126a8a8 100644
> --- a/scripts/selinux/genheaders/genheaders.c
> +++ b/scripts/selinux/genheaders/genheaders.c
> @@ -9,7 +9,6 @@
>   #include <string.h>
>   #include <errno.h>
>   #include <ctype.h>
> -#include <sys/socket.h>
>   
>   struct security_class_mapping {
>   	const char *name;
> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
> index 073fe7537f6c..6d51b74bc679 100644
> --- a/scripts/selinux/mdp/mdp.c
> +++ b/scripts/selinux/mdp/mdp.c
> @@ -32,7 +32,6 @@
>   #include <stdlib.h>
>   #include <unistd.h>
>   #include <string.h>
> -#include <sys/socket.h>
>   
>   static void usage(char *name)
>   {
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index bd5fe0d3204a..201f7e588a29 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -1,5 +1,6 @@
>   /* SPDX-License-Identifier: GPL-2.0 */
>   #include <linux/capability.h>
> +#include <linux/socket.h>
>   
>   #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
>       "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
> 

Re: [PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Paul Moore]

On Wed, Feb 27, 2019 at 12:07 PM Paulo Alcantara <paulo@paulo.ac> wrote:
> Paulo Alcantara <paulo@paulo.ac> writes:
> > When compiling genheaders and mdp from a newer host kernel, the
> > following error happens:
> >
> >     In file included from scripts/selinux/genheaders/genheaders.c:18:
> >     ./security/selinux/include/classmap.h:238:2: error: #error New
> >     address family defined, please update secclass_map.  #error New
> >     address family defined, please update secclass_map.  ^~~~~
> >     make[3]: *** [scripts/Makefile.host:107:
> >     scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
> >     [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
> >     make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
> >     make[1]: *** Waiting for unfinished jobs....
> >
> > Instead of relying on the host definition, include linux/socket.h in
> > classmap.h to have PF_MAX.
> >
> > Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
> > ---
> >  scripts/selinux/genheaders/genheaders.c | 1 -
> >  scripts/selinux/mdp/mdp.c               | 1 -
> >  security/selinux/include/classmap.h     | 1 +
> >  3 files changed, 1 insertion(+), 2 deletions(-)
>
> Ping?
>
> Could someone please take a look at this issue?

It looks fine to me, but I typically don't merge patches this late in
the development window (we are at -rc8), unless it is a serious bug
fix.

> It's quite easy to reproduce on my host (4.20+) when building an
> unpatched 4.14 kernel ...

While this is a good patch that does fix a real but, the fact that it
has been broken for several releases tells me this is not a serious
bug and not likely worth the risk for the upcoming merge window
(however small it may be).  There has been a lot of good work put into
mdp very recently, and I expect to merge that, as well as your fix,
once the upcoming merge window closes.

-- 
paul moore
www.paul-moore.com

Re: [PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Paulo Alcantara]

Paul Moore <paul@paul-moore.com> writes:

> On Wed, Feb 27, 2019 at 12:07 PM Paulo Alcantara <paulo@paulo.ac> wrote:
>> Paulo Alcantara <paulo@paulo.ac> writes:
>> > When compiling genheaders and mdp from a newer host kernel, the
>> > following error happens:
>> >
>> >     In file included from scripts/selinux/genheaders/genheaders.c:18:
>> >     ./security/selinux/include/classmap.h:238:2: error: #error New
>> >     address family defined, please update secclass_map.  #error New
>> >     address family defined, please update secclass_map.  ^~~~~
>> >     make[3]: *** [scripts/Makefile.host:107:
>> >     scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
>> >     [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
>> >     make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
>> >     make[1]: *** Waiting for unfinished jobs....
>> >
>> > Instead of relying on the host definition, include linux/socket.h in
>> > classmap.h to have PF_MAX.
>> >
>> > Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
>> > ---
>> >  scripts/selinux/genheaders/genheaders.c | 1 -
>> >  scripts/selinux/mdp/mdp.c               | 1 -
>> >  security/selinux/include/classmap.h     | 1 +
>> >  3 files changed, 1 insertion(+), 2 deletions(-)
>>
>> Ping?
>>
>> Could someone please take a look at this issue?
>
> It looks fine to me, but I typically don't merge patches this late in
> the development window (we are at -rc8), unless it is a serious bug
> fix.

Fair enough.

>> It's quite easy to reproduce on my host (4.20+) when building an
>> unpatched 4.14 kernel ...
>
> While this is a good patch that does fix a real but, the fact that it
> has been broken for several releases tells me this is not a serious
> bug and not likely worth the risk for the upcoming merge window
> (however small it may be).  There has been a lot of good work put into
> mdp very recently, and I expect to merge that, as well as your fix,
> once the upcoming merge window closes.

Looks good to me. Thanks!

Paulo

Re: [PATCH] selinux: use kernel linux/socket.h definitions for PF_MAX

[Paul Moore]

On Wed, Feb 27, 2019 at 12:46 PM Paulo Alcantara <paulo@paulo.ac> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > On Wed, Feb 27, 2019 at 12:07 PM Paulo Alcantara <paulo@paulo.ac> wrote:
> >> Paulo Alcantara <paulo@paulo.ac> writes:
> >> > When compiling genheaders and mdp from a newer host kernel, the
> >> > following error happens:
> >> >
> >> >     In file included from scripts/selinux/genheaders/genheaders.c:18:
> >> >     ./security/selinux/include/classmap.h:238:2: error: #error New
> >> >     address family defined, please update secclass_map.  #error New
> >> >     address family defined, please update secclass_map.  ^~~~~
> >> >     make[3]: *** [scripts/Makefile.host:107:
> >> >     scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
> >> >     [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
> >> >     make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
> >> >     make[1]: *** Waiting for unfinished jobs....
> >> >
> >> > Instead of relying on the host definition, include linux/socket.h in
> >> > classmap.h to have PF_MAX.
> >> >
> >> > Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
> >> > ---
> >> >  scripts/selinux/genheaders/genheaders.c | 1 -
> >> >  scripts/selinux/mdp/mdp.c               | 1 -
> >> >  security/selinux/include/classmap.h     | 1 +
> >> >  3 files changed, 1 insertion(+), 2 deletions(-)
> >>
> >> Ping?
> >>
> >> Could someone please take a look at this issue?
> >
> > It looks fine to me, but I typically don't merge patches this late in
> > the development window (we are at -rc8), unless it is a serious bug
> > fix.
>
> Fair enough.
>
> >> It's quite easy to reproduce on my host (4.20+) when building an
> >> unpatched 4.14 kernel ...
> >
> > While this is a good patch that does fix a real but, the fact that it
> > has been broken for several releases tells me this is not a serious
> > bug and not likely worth the risk for the upcoming merge window
> > (however small it may be).  There has been a lot of good work put into
> > mdp very recently, and I expect to merge that, as well as your fix,
> > once the upcoming merge window closes.
>
> Looks good to me. Thanks!

Merged into selinux/next, thanks for the patch and your patience.

-- 
paul moore
www.paul-moore.com