From: kernel test robot <lkp@intel.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: oe-kbuild-all@lists.linux.dev, jmorris@namei.org,
serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
selinux@vger.kernel.org, mic@digikod.net
Subject: Re: [PATCH v2 02/13] LSM: Use lsmblob in security_audit_rule_match
Date: Sat, 31 Aug 2024 06:48:48 +0800
Message-ID: <202408310649.X413mMQP-lkp@intel.com>
In-Reply-To: <20240830003411.16818-3-casey@schaufler-ca.com>
Hi Casey,
kernel test robot noticed the following build warnings:
[auto build test WARNING on pcmoore-audit/next]
[also build test WARNING on pcmoore-selinux/next zohar-integrity/next-integrity linus/master v6.11-rc5 next-20240830]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240830-085050
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link: https://lore.kernel.org/r/20240830003411.16818-3-casey%40schaufler-ca.com
patch subject: [PATCH v2 02/13] LSM: Use lsmblob in security_audit_rule_match
config: i386-randconfig-061-20240830 (https://download.01.org/0day-ci/archive/20240831/202408310649.X413mMQP-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240831/202408310649.X413mMQP-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408310649.X413mMQP-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> security/integrity/ima/ima_policy.c:654:53: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned int [usertype] secid @@ got struct lsmblob * @@
security/integrity/ima/ima_policy.c:654:53: sparse: expected unsigned int [usertype] secid
security/integrity/ima/ima_policy.c:654:53: sparse: got struct lsmblob *
security/integrity/ima/ima_policy.c:663:53: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned int [usertype] secid @@ got struct lsmblob * @@
security/integrity/ima/ima_policy.c:663:53: sparse: expected unsigned int [usertype] secid
security/integrity/ima/ima_policy.c:663:53: sparse: got struct lsmblob *
security/integrity/ima/ima_policy.c: note: in included file:
include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true
include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true
security/integrity/ima/ima_policy.c:1666:52: sparse: sparse: self-comparison always evaluates to false
security/integrity/ima/ima_policy.c:1701:55: sparse: sparse: self-comparison always evaluates to false
security/integrity/ima/ima_policy.c:1728:55: sparse: sparse: self-comparison always evaluates to false
security/integrity/ima/ima_policy.c:1754:55: sparse: sparse: self-comparison always evaluates to false
include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true
vim +654 security/integrity/ima/ima_policy.c
   553
   554 /**
   555  * ima_match_rules - determine whether an inode matches the policy rule.
   556  * @rule: a pointer to a rule
   557  * @idmap: idmap of the mount the inode was found from
   558  * @inode: a pointer to an inode
   559  * @cred: a pointer to a credentials structure for user validation
   560  * @secid: the secid of the task to be validated
   561  * @func: LIM hook identifier
   562  * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
   563  * @func_data: func specific data, may be NULL
   564  *
   565  * Returns true on rule match, false on failure.
   566  */
   567 static bool ima_match_rules(struct ima_rule_entry *rule,
   568                             struct mnt_idmap *idmap,
   569                             struct inode *inode, const struct cred *cred,
   570                             u32 secid, enum ima_hooks func, int mask,
   571                             const char *func_data)
   572 {
   573     int i;
   574     bool result = false;
   575     struct ima_rule_entry *lsm_rule = rule;
   576     bool rule_reinitialized = false;
   577
   578     if ((rule->flags & IMA_FUNC) &&
   579         (rule->func != func && func != POST_SETATTR))
   580         return false;
   581
   582     switch (func) {
   583     case KEY_CHECK:
   584     case CRITICAL_DATA:
   585         return ((rule->func == func) &&
   586             ima_match_rule_data(rule, func_data, cred));
   587     default:
   588         break;
   589     }
   590
   591     if ((rule->flags & IMA_MASK) &&
   592         (rule->mask != mask && func != POST_SETATTR))
   593         return false;
   594     if ((rule->flags & IMA_INMASK) &&
   595         (!(rule->mask & mask) && func != POST_SETATTR))
   596         return false;
   597     if ((rule->flags & IMA_FSMAGIC)
   598         && rule->fsmagic != inode->i_sb->s_magic)
   599         return false;
   600     if ((rule->flags & IMA_FSNAME)
   601         && strcmp(rule->fsname, inode->i_sb->s_type->name))
   602         return false;
   603     if ((rule->flags & IMA_FSUUID) &&
   604         !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
   605         return false;
   606     if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
   607         return false;
   608     if (rule->flags & IMA_EUID) {
   609         if (has_capability_noaudit(current, CAP_SETUID)) {
   610             if (!rule->uid_op(cred->euid, rule->uid)
   611                 && !rule->uid_op(cred->suid, rule->uid)
   612                 && !rule->uid_op(cred->uid, rule->uid))
   613                 return false;
   614         } else if (!rule->uid_op(cred->euid, rule->uid))
   615             return false;
   616     }
   617     if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
   618         return false;
   619     if (rule->flags & IMA_EGID) {
   620         if (has_capability_noaudit(current, CAP_SETGID)) {
   621             if (!rule->gid_op(cred->egid, rule->gid)
   622                 && !rule->gid_op(cred->sgid, rule->gid)
   623                 && !rule->gid_op(cred->gid, rule->gid))
   624                 return false;
   625         } else if (!rule->gid_op(cred->egid, rule->gid))
   626             return false;
   627     }
   628     if ((rule->flags & IMA_FOWNER) &&
   629         !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
   630                          rule->fowner))
   631         return false;
   632     if ((rule->flags & IMA_FGROUP) &&
   633         !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
   634                          rule->fgroup))
   635         return false;
   636     for (i = 0; i < MAX_LSM_RULES; i++) {
   637         int rc = 0;
   638         struct lsmblob blob = { };
   639
   640         if (!lsm_rule->lsm[i].rule) {
   641             if (!lsm_rule->lsm[i].args_p)
   642                 continue;
   643             else
   644                 return false;
   645         }
   646
   647 retry:
   648         switch (i) {
   649         case LSM_OBJ_USER:
   650         case LSM_OBJ_ROLE:
   651         case LSM_OBJ_TYPE:
   652             /* scaffolding */
   653             security_inode_getsecid(inode, &blob.scaffold.secid);
 > 654             rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
   655                                        Audit_equal,
   656                                        lsm_rule->lsm[i].rule);
   657             break;
   658         case LSM_SUBJ_USER:
   659         case LSM_SUBJ_ROLE:
   660         case LSM_SUBJ_TYPE:
   661             /* scaffolding */
   662             blob.scaffold.secid = secid;
   663             rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
   664                                        Audit_equal,
   665                                        lsm_rule->lsm[i].rule);
   666             break;
   667         default:
   668             break;
   669         }
   670
   671         if (rc == -ESTALE && !rule_reinitialized) {
   672             lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
   673             if (lsm_rule) {
   674                 rule_reinitialized = true;
   675                 goto retry;
   676             }
   677         }
   678         if (!rc) {
   679             result = false;
   680             goto out;
   681         }
   682     }
   683     result = true;
   684
   685 out:
   686     if (rule_reinitialized) {
   687         for (i = 0; i < MAX_LSM_RULES; i++)
   688             ima_filter_rule_free(lsm_rule->lsm[i].rule);
   689         kfree(lsm_rule);
   690     }
   691     return result;
   692 }
   693
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki