Changes in Makefile

faabed29 - kbuild: introduce hostprogs-always-y and userprogs-always-y

Sat, 01 Aug 2020 12:27:18 +0000

kbuild: introduce hostprogs-always-y and userprogs-always-yTo build host programs, you need to add the program names to 'hostprogs'to use the necessary build rule, but it is not enough to build thembecause there is no dependency.There are two types of host programs: built as the prerequisite ofanother (e.g. gen_crc32table in lib/Makefile), or always built whenKbuild visits the Makefile (e.g. genksyms in scripts/genksyms/Makefile).The latter is typical in Makefiles under scripts/, which contains hostprograms globally used during the kernel build. To build them, you needto add them to both 'hostprogs' and 'always-y'.This commit adds hostprogs-always-y as a shorthand.The same applies to user programs. net/bpfilter/Makefile buildsbpfilter_umh on demand, hence always-y is unneeded. In contrast,programs under samples/ are added to both 'userprogs' and 'always-y'so they are always built when Kbuild visits the Makefiles.userprogs-always-y works as a shorthand.Signed-off-by: Masahiro Yamada Acked-by: Miguel Ojeda List of files: /linux-6.15/samples/seccomp/Makefile

f59e7668 - samples: seccomp: build sample programs for target architecture

Wed, 29 Apr 2020 03:45:16 +0000

samples: seccomp: build sample programs for target architectureThese userspace programs include UAPI headers exported to usr/include/.'make headers' always works for the target architecture (i.e. the samearchitecture as the kernel), so the sample programs should be built forthe target as well. Kbuild now supports 'userprogs' for that.I also guarded the CONFIG option by 'depends on CC_CAN_LINK' because$(CC) may not provide libc.The 'ifndef CROSS_COMPILE' is no longer needed.BTW, the -m31 for s390 is left-over code. Commit 5a79859ae0f3 ("s390:remove 31 bit support") killed it.Signed-off-by: Masahiro Yamada Acked-by: Sam Ravnborg List of files: /linux-6.15/samples/seccomp/Makefile

5f2fb52f - kbuild: rename hostprogs-y/always to hostprogs/always-y

Sat, 01 Feb 2020 16:49:24 +0000

kbuild: rename hostprogs-y/always to hostprogs/always-yIn old days, the "host-progs" syntax was used for specifying hostprograms. It was renamed to the current "hostprogs-y" in 2004.It is typically useful in scripts/Makefile because it allows Kbuild toselectively compile host programs based on the kernel configuration.This commit renames like follows: always -> always-y hostprogs-y -> hostprogsSo, scripts/Makefile will look like this: always-$(CONFIG_BUILD_BIN2C) += ... always-$(CONFIG_KALLSYMS) += ... ... hostprogs := $(always-y) $(always-m)I think this makes more sense because a host program is always a hostprogram, irrespective of the kernel configuration. We want to specifywhich ones to compile by CONFIG options, so always-y will be handier.The "always", "hostprogs-y", "hostprogs-m" will be kept for backwardcompatibility for a while.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/samples/seccomp/Makefile

6944a06d - samples: guard sub-directories with CONFIG options

Thu, 09 May 2019 01:00:19 +0000

samples: guard sub-directories with CONFIG optionsDo not descend to sub-directories when unneeded.I used subdir-$(CONFIG_...) for hidraw, seccomp, and vfs becausethey only contain host programs.While we are here, let's add SPDX License tag, and sort the directoriesalphabetically.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/samples/seccomp/Makefile

7206c124 - samples: seccomp: turn CONFIG_SAMPLE_SECCOMP into a bool option

Sat, 27 Apr 2019 03:33:39 +0000

samples: seccomp: turn CONFIG_SAMPLE_SECCOMP into a bool optionThe prompt of CONFIG_SAMPLE_SECCOMP claims this is "loadable moduleonly", which is invalid.samples/seccomp/ only contains host programs, so having it tristateis pointless.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/samples/seccomp/Makefile

a77d1d19 - samples/seccomp: Fix 32-bit build

Mon, 07 Jan 2019 23:16:31 +0000

samples/seccomp: Fix 32-bit buildBoth the .o and the actual executable need to be built with -m32 in orderto link correctly.Reported-by: Ingo Molnar Signed-off-by: Tycho Andersen Reviewed-by: Kees Cook Cc: Borislav Petkov Cc: James Morris Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: fec7b6690541 ("samples: add an example of seccomp user trap")Link: http://lkml.kernel.org/r/20190107231631.1849-1-tycho@tycho.wsSigned-off-by: Ingo Molnar List of files: /linux-6.15/samples/seccomp/Makefile

fec7b669 - samples: add an example of seccomp user trap

Sun, 09 Dec 2018 18:24:14 +0000

samples: add an example of seccomp user trapThe idea here is just to give a demonstration of how one could safely usethe SECCOMP_RET_USER_NOTIF feature to do mount policies. This particularpolicy is (as noted in the comment) not very interesting, but it serves toillustrate how one might apply a policy dodging the various TOCTOU issues.Signed-off-by: Tycho Andersen CC: Kees Cook CC: Andy Lutomirski CC: Oleg Nesterov CC: Eric W. Biederman CC: "Serge E. Hallyn" CC: Christian Brauner CC: Tyler Hicks CC: Akihiro Suda Signed-off-by: Kees Cook List of files: /linux-6.15/samples/seccomp/Makefile

8377bd2b - kbuild: Rename HOST_LOADLIBES to KBUILD_HOSTLDLIBS

Tue, 10 Jul 2018 00:46:01 +0000

kbuild: Rename HOST_LOADLIBES to KBUILD_HOSTLDLIBSIn preparation for enabling command line LDLIBS, re-name HOST_LOADLIBESto KBUILD_HOSTLDLIBS as the internal use only flags. Also renameexisting usage to HOSTLDLIBS for consistency. This should not have anyvisible effects.Signed-off-by: Laura Abbott Signed-off-by: Masahiro Yamada List of files: /linux-6.15/samples/seccomp/Makefile

6275ecbc - samples/seccomp: do not compile when cross compiled

Wed, 14 Feb 2018 09:15:12 +0000

samples/seccomp: do not compile when cross compiledsamples/seccomp relies on the host setting which is not suitable forcrosscompilation and it actually fails when crosscompiling s390 andpowerpc all{yes,mod}config on x86_64 withsamples/seccomp/bpf-helper.h:135:2: error: #error __BITS_PER_LONG value unusable. #error __BITS_PER_LONG value unusable. ^In file included from samples/seccomp/bpf-fancy.c:13:0:samples/seccomp/bpf-fancy.c: In function ‘main’:samples/seccomp/bpf-fancy.c:38:11: error: ‘__NR_exit’ undeclared (first use in this function) SYSCALL(__NR_exit, ALLOW),and many others. I am doing these for compile testing and it's beenquite useful to catch issues. Crosscompiling sample code on the otherhand doesn't seem all that important so it seems like the easiest way tosimply disable samples/seccomp when crosscompiling.Fixing this properly is not that easy as Kees explains:: IIRC, one of the problems is with build ordering problems: the kernel: headers used by the samples aren't available when cross compiling.Signed-off-by: Michal Hocko Signed-off-by: Kees Cook List of files: /linux-6.15/samples/seccomp/Makefile

bf070bb0 - kbuild: remove all dummy assignments to obj-

Tue, 07 Nov 2017 16:31:47 +0000

kbuild: remove all dummy assignments to obj-Now kbuild core scripts create empty built-in.o where necessary.Remove "obj- := dummy.o" tricks.Signed-off-by: Masahiro Yamada List of files: /linux-6.15/samples/seccomp/Makefile

b2441318 - License cleanup: add SPDX GPL-2.0 license identifier to files with no license

Wed, 01 Nov 2017 14:07:57 +0000

License cleanup: add SPDX GPL-2.0 license identifier to files with no licenseMany source files in the tree are missing licensing information, whichmakes it harder for compliance tools to determine the correct license.By default all files without license information are under the defaultlicense of the kernel, which is GPL version 2.Update the files which contain no license information with the 'GPL-2.0'SPDX license identifier. The SPDX identifier is a legally bindingshorthand, which can be used instead of the full boiler plate text.This patch is based on work done by Thomas Gleixner and Kate Stewart andPhilippe Ombredanne.How this work was done:Patches were generated and checked against linux-4.14-rc6 for a subset ofthe use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information,Further patches will be generated in subsequent months to fix up caseswhere non-standard license headers were used, and references to licensehad to be inferred by heuristics based on keywords.The analysis to determine which SPDX License Identifier to be applied toa file was done in a spreadsheet of side by side results from of theoutput of two independent scanners (ScanCode & Windriver) producing SPDXtag:value files created by Philippe Ombredanne. Philippe prepared thebase worksheet, and did an initial spot review of a few 1000 files.The 4.13 kernel was the starting point of the analysis with 60,537 filesassessed. Kate Stewart did a file by file comparison of the scannerresults in the spreadsheet to determine which SPDX license identifier(s)to be applied to the file. She confirmed any determination that was notimmediately clear with lawyers working with the Linux Foundation.Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines).All documentation files were explicitly excluded.The following heuristics were used to determine which SPDX licenseidentifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time.In total, over 70 hours of logged manual review was done on thespreadsheet to determine the SPDX license identifiers to apply to thesource files by Kate, Philippe, Thomas and, in some cases, confirmationby lawyers working with the Linux Foundation.Kate also obtained a third independent scan of the 4.13 code base fromFOSSology, and compared selected files where the other two scannersdisagreed against that SPDX file, to see if there was new insights. TheWindriver scanner is based on an older version of FOSSology in part, sothey are related.Thomas did random spot checks in about 500 files from the spreadsheetsfor the uapi headers and agreed with SPDX license identifier in thefiles he inspected. For the non-uapi files Thomas did random spot checksin about 15000 files.In initial set of patches against 4.14-rc6, 3 files were found to havecopy/paste license identifier errors, and have been fixed to reflect thecorrect identifier.Additionally Philippe spent 10 hours this week doing a detailed manualinspection and review of the 12,461 patched files from the initial patchversion early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correctThis produced a worksheet with 20 files needing minor correction. Thisworksheet was then exported into 3 different .csv files for thedifferent types of files to be modified.These .csv files were then reviewed by Greg. Thomas wrote a script toparse the csv files and add the proper SPDX tag to the file, in theformat that the file expected. This script was further refined by Gregbased on the output to detect more types of files automatically and todistinguish between header and source .c files (which need differentcomment types.) Finally Greg ran the script using the .csv files togenerate the patches.Reviewed-by: Kate Stewart Reviewed-by: Philippe Ombredanne Reviewed-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman List of files: /linux-6.15/samples/seccomp/Makefile

0af04ba5 - samples/seccomp: Fix hostprogs variable

Thu, 13 Oct 2016 17:29:14 +0000

samples/seccomp: Fix hostprogs variableIn f6041c1d, a separate SAMPLES_SECCOMP option was added. This changedhostprogs-y to hostprogs-m, so adjust it.Signed-off-by: Ricky Zhou Signed-off-by: Kees Cook List of files: /linux-6.15/samples/seccomp/Makefile

f6041c1d - samples/seccomp: Add standalone config option

Wed, 06 Jul 2016 06:53:19 +0000

samples/seccomp: Add standalone config optionAdd a separate Kconfig option for SAMPLES_SECCOMP.Main reason for this is that, just like other samples, it's forced tobe a module.Without this, since the sample is a target only controlled byCONFIG_SECCOMP_FILTER, the samples will be built before include files areput in place properly. For example, from an arm64 allmodconfig built with"make -sk -j 32" (without specific target), the following happens: samples/seccomp/bpf-fancy.c:13:27: fatal error: linux/seccomp.h: No such file or directory samples/seccomp/bpf-helper.h:20:50: fatal error: linux/seccomp.h: No such file or directory samples/seccomp/dropper.c:20:27: fatal error: linux/seccomp.h: No such file or directory samples/seccomp/bpf-direct.c:21:27: fatal error: linux/seccomp.h: No such file or directorySo, just stick to the same format as other samples.Signed-off-by: Olof Johansson Signed-off-by: Kees Cook List of files: /linux-6.15/samples/seccomp/Makefile

e9107f88 - samples/seccomp/Makefile: do not build tests if cross-compiling for MIPS

Thu, 03 Apr 2014 21:48:32 +0000

samples/seccomp/Makefile: do not build tests if cross-compiling for MIPSThe Makefile is designed to use the host toolchain so it may be unsafeto build the tests if the kernel has been configured and built foranother architecture. This fixes a build problem when the kernel hasbeen configured and built for the MIPS architecture but the host is notMIPS (cross-compiled). The MIPS syscalls are only defined if one of thefollowing is true: 1) _MIPS_SIM == _MIPS_SIM_ABI64 2) _MIPS_SIM == _MIPS_SIM_ABI32 3) _MIPS_SIM == _MIPS_SIM_NABI32Of course, none of these make sense on a non-MIPS toolchain and thefollowing build problem occurs when building on a non-MIPS host. linux/usr/include/linux/kexec.h:50: userspace cannot reference function or variable defined in the kernel samples/seccomp/bpf-direct.c: In function `emulator': samples/seccomp/bpf-direct.c:76:17: error: `__NR_write' undeclared (first use in this function)Signed-off-by: Markos Chandras Reported-by: Paul Gortmaker Cc: Ralf Baechle Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds List of files: /linux-6.15/samples/seccomp/Makefile

275aaa68 - samples/seccomp: be less stupid about cross compiling

Mon, 04 Feb 2013 22:28:52 +0000

samples/seccomp: be less stupid about cross compilingThe seccomp filters are currently built for the build host, not for themachine that they are going to run on, but they are also built for withthe -m32 flag if the kernel is built for a 32 bit machine, both of whichseems rather odd.It broke allyesconfig on my machine, which is x86-64, but building for32 bit ARM, with this error message: In file included from /usr/include/stdio.h:28:0, from samples/seccomp/bpf-fancy.c:15: /usr/include/features.h:324:26: fatal error: bits/predefs.h: No such file or directorybecause there are no 32 bit libc headers installed on this machine. Weshould really be building all the samples for the target machine ratherthan the build host, but since the infrastructure for that appears to bemissing right now, let's be a little bit smarter and not pass the '-m32'flag to the HOSTCC when cross- compiling.Signed-off-by: Arnd Bergmann Acked-by: Kees Cook Cc: Heiko Carstens Cc: James Morris Acked-by: Will Drewry Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds List of files: /linux-6.15/samples/seccomp/Makefile

b25b09ec - samples/seccomp: fix 31 bit build on s390

Sat, 08 Sep 2012 08:23:42 +0000

samples/seccomp: fix 31 bit build on s390On s390 the flag to force 31 builds is -m31 instead of -m32 unlikeon all (?) other architectures.Fixes this compile error: HOSTCC samples/seccomp/bpf-direct.occ1: error: unrecognized command line option "-m32"make[2]: *** [samples/seccomp/bpf-direct.o] Error 1Signed-off-by: Heiko Carstens Acked-by: Kees Cook Signed-off-by: James Morris List of files: /linux-6.15/samples/seccomp/Makefile

561381a1 - samples/seccomp: fix dependencies on arch macros

Thu, 19 Apr 2012 00:50:25 +0000

samples/seccomp: fix dependencies on arch macrosThis change fixes the compilation error triggered here fori386 allmodconfig in linux-next: http://kisskb.ellerman.id.au/kisskb/buildresult/6123842/Logic attempting to predict the host architecture has beenremoved from the Makefile. Instead, the bpf-direct sampleshould now compile on any architecture, but if the architectureis not supported, it will compile a minimal main() function.This change also ensures the samples are not compiled whenthere is no seccomp filter support.(Note, I wasn't able to reproduce the error locally, but the existing approach was clearly flawed. This tweak should resolve your issue and avoid other future weirdness.)Reported-by: Paul Gortmaker Suggested-by: Kees Cook Signed-off-by: Will Drewry Signed-off-by: James Morris List of files: /linux-6.15/samples/seccomp/Makefile

8ac270d1 - Documentation: prctl/seccomp_filter

Thu, 12 Apr 2012 21:48:04 +0000

Documentation: prctl/seccomp_filterDocuments how system call filtering using Berkeley PacketFilter programs works and how it may be used.Includes an example for x86 and a semi-genericexample using a macro-based code generator.Acked-by: Eric Paris Signed-off-by: Will Drewry Acked-by: Kees Cook v18: - added acked by - update no new privs numbersv17: - remove @compat note and add Pitfalls section for arch checking (keescook@chromium.org)v16: -v15: -v14: - rebase/nochangesv13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdcv12: - comment on the ptrace_event use - update arch support comment - note the behavior of SECCOMP_RET_DATA when there are multiple filters (keescook@chromium.org) - lots of samples/ clean up incl 64-bit bpf-direct support (markus@chromium.org) - rebase to linux-nextv11: - overhaul return value language, updates (keescook@chromium.org) - comment on do_exit(SIGSYS)v10: - update for SIGSYS - update for new seccomp_data layout - update for ptrace option usev9: - updated bpf-direct.c for SIGILLv8: - add PR_SET_NO_NEW_PRIVS to the samples.v7: - updated for all the new stuff in v7: TRAP, TRACE - only talk about PR_SET_SECCOMP now - fixed bad JLE32 check (coreyb@linux.vnet.ibm.com) - adds dropper.c: a simple system call disablerv6: - tweak the language to note the requirement of PR_SET_NO_NEW_PRIVS being called prior to use. (luto@mit.edu)v5: - update sample to use system call arguments - adds a "fancy" example using a macro-based generator - cleaned up bpf in the sample - update docs to mention arguments - fix prctl value (eparis@redhat.com) - language cleanup (rdunlap@xenotime.net)v4: - update for no_new_privs use - minor tweaksv3: - call out BPF <-> Berkeley Packet Filter (rdunlap@xenotime.net) - document use of tentative always-unprivileged - guard sample compilation for i386 and x86_64v2: - move code to samples (corbet@lwn.net)Signed-off-by: James Morris List of files: /linux-6.15/samples/seccomp/Makefile