From: kernel test robot <lkp@intel.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: oe-kbuild-all@lists.linux.dev
Subject: [mic:next 25/36] security/landlock/syscalls.c:482:22: warning: variable 'log_new_exec' set but not used
Date: Sat, 22 Mar 2025 06:39:28 +0800
Message-ID: <202503220604.1FlfJaWA-lkp@intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git next
head: b93810652d504e23b545dceefe1513bb70858737
commit: 161686d8d3ec0029fc4dd6d36fe4cdf318d72158 [25/36] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags
config: arc-randconfig-001-20250322 (https://download.01.org/0day-ci/archive/20250322/202503220604.1FlfJaWA-lkp@intel.com/config)
compiler: arc-linux-gcc (GCC) 10.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250322/202503220604.1FlfJaWA-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503220604.1FlfJaWA-lkp@intel.com/
All warnings (new ones prefixed by >>):
   security/landlock/syscalls.c: In function '__do_sys_landlock_restrict_self':
>> security/landlock/syscalls.c:482:22: warning: variable 'log_new_exec' set but not used [-Wunused-but-set-variable]
     482 |         bool log_same_exec, log_new_exec;
         |                             ^~~~~~~~~~~~
   security/landlock/syscalls.c:482:7: warning: variable 'log_same_exec' set but not used [-Wunused-but-set-variable]
     482 |         bool log_same_exec, log_new_exec;
         |              ^~~~~~~~~~~~~
vim +/log_new_exec +482 security/landlock/syscalls.c
  448
  449  /**
  450   * sys_landlock_restrict_self - Enforce a ruleset on the calling thread
  451   *
  452   * @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
  453   * @flags: Supported values:
  454   *
  455   * - %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
  456   * - %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
  457   *
  458   * This system call enables to enforce a Landlock ruleset on the current
  459   * thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
  460   * namespace or is running with no_new_privs. This avoids scenarios where
  461   * unprivileged tasks can affect the behavior of privileged children.
  462   *
  463   * Possible returned errors are:
  464   *
  465   * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
  466   * - %EINVAL: @flags contains an unknown bit.
  467   * - %EBADF: @ruleset_fd is not a file descriptor for the current thread;
  468   * - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
  469   * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
  470   *   current thread is not running with no_new_privs, or it doesn't have
  471   *   %CAP_SYS_ADMIN in its namespace.
  472   * - %E2BIG: The maximum number of stacked rulesets is reached for the current
  473   *   thread.
  474   */
  475  SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
  476                  flags)
  477  {
  478          struct landlock_ruleset *new_dom,
  479                                  *ruleset __free(landlock_put_ruleset) = NULL;
  480          struct cred *new_cred;
  481          struct landlock_cred_security *new_llcred;
> 482          bool log_same_exec, log_new_exec;
  483
  484          if (!is_initialized())
  485                  return -EOPNOTSUPP;
  486
  487          /*
  488           * Similar checks as for seccomp(2), except that an -EPERM may be
  489           * returned.
  490           */
  491          if (!task_no_new_privs(current) &&
  492              !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
  493                  return -EPERM;
  494
  495          if ((flags | LANDLOCK_MASK_RESTRICT_SELF) !=
  496              LANDLOCK_MASK_RESTRICT_SELF)
  497                  return -EINVAL;
  498
  499          /* Translates "off" flag to boolean. */
  500          log_same_exec = !(flags & LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF);
  501          /* Translates "on" flag to boolean. */
  502          log_new_exec = !!(flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON);
  503
  504          /* Gets and checks the ruleset. */
  505          ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
  506          if (IS_ERR(ruleset))
  507                  return PTR_ERR(ruleset);
  508
  509          /* Prepares new credentials. */
  510          new_cred = prepare_creds();
  511          if (!new_cred)
  512                  return -ENOMEM;
  513
  514          new_llcred = landlock_cred(new_cred);
  515
  516          /*
  517           * There is no possible race condition while copying and manipulating
  518           * the current credentials because they are dedicated per thread.
  519           */
  520          new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset);
  521          if (IS_ERR(new_dom)) {
  522                  abort_creds(new_cred);
  523                  return PTR_ERR(new_dom);
  524          }
  525
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki