fec7b66905
The idea here is just to give a demonstration of how one could safely use the SECCOMP_RET_USER_NOTIF feature to do mount policies. This particular policy is (as noted in the comment) not very interesting, but it serves to illustrate how one might apply a policy dodging the various TOCTOU issues. Signed-off-by: Tycho Andersen <tycho@tycho.ws> CC: Kees Cook <keescook@chromium.org> CC: Andy Lutomirski <luto@amacapital.net> CC: Oleg Nesterov <oleg@redhat.com> CC: Eric W. Biederman <ebiederm@xmission.com> CC: "Serge E. Hallyn" <serge@hallyn.com> CC: Christian Brauner <christian@brauner.io> CC: Tyler Hicks <tyhicks@canonical.com> CC: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> Signed-off-by: Kees Cook <keescook@chromium.org>
# SPDX-License-Identifier: GPL-2.0
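# Kbuild fragment for the seccomp sample programs.
#
# Everything below sits inside "ifndef CROSS_COMPILE", so nothing is
# defined when CROSS_COMPILE is set.
ifndef CROSS_COMPILE
# Host programs built when CONFIG_SAMPLE_SECCOMP is enabled. user-trap is the
# SECCOMP_RET_USER_NOTIF sample.
hostprogs-$(CONFIG_SAMPLE_SECCOMP) := bpf-fancy dropper bpf-direct user-trap

# Per-object include paths. -I puts $(objtree)/usr/include ahead of the
# default search path; -idirafter appends $(objtree)/include after the
# system directories, so system headers win when a name exists in both.
# NOTE(review): presumably usr/include holds the exported UAPI headers, so the
# samples see this tree's seccomp definitions rather than the host's - confirm.
HOSTCFLAGS_bpf-fancy.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-fancy.o += -idirafter $(objtree)/include
HOSTCFLAGS_bpf-helper.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-helper.o += -idirafter $(objtree)/include
bpf-fancy-objs := bpf-fancy.o bpf-helper.o

HOSTCFLAGS_dropper.o += -I$(objtree)/usr/include
HOSTCFLAGS_dropper.o += -idirafter $(objtree)/include
dropper-objs := dropper.o

HOSTCFLAGS_bpf-direct.o += -I$(objtree)/usr/include
HOSTCFLAGS_bpf-direct.o += -idirafter $(objtree)/include
bpf-direct-objs := bpf-direct.o

HOSTCFLAGS_user-trap.o += -I$(objtree)/usr/include
HOSTCFLAGS_user-trap.o += -idirafter $(objtree)/include
user-trap-objs := user-trap.o

# Try to match the kernel target.
ifndef CONFIG_64BIT

# s390 has -m31 flag to build 31 bit binaries
ifndef CONFIG_S390
MFLAG = -m32
else
MFLAG = -m31
endif

# Every object and every link step must carry the same $(MFLAG): an object
# compiled without it cannot be linked into a program linked with it.
HOSTCFLAGS_bpf-direct.o += $(MFLAG)
HOSTCFLAGS_dropper.o += $(MFLAG)
HOSTCFLAGS_bpf-helper.o += $(MFLAG)
HOSTCFLAGS_bpf-fancy.o += $(MFLAG)
# Fix: user-trap.o was the only object missing $(MFLAG), although
# HOSTLDLIBS_user-trap below already passes it to the link step.
HOSTCFLAGS_user-trap.o += $(MFLAG)
HOSTLDLIBS_bpf-direct += $(MFLAG)
HOSTLDLIBS_bpf-fancy += $(MFLAG)
HOSTLDLIBS_dropper += $(MFLAG)
HOSTLDLIBS_user-trap += $(MFLAG)
endif
# Hand kbuild the programs listed in hostprogs-m, i.e. the list above when
# CONFIG_SAMPLE_SECCOMP expands to "m".
always := $(hostprogs-m)
endif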