All of lore.kernel.org
 help / color / mirror / Atom feed
From: kernel test robot <lkp@intel.com>
To: Tahera Fahimi <taherafahimi@linux.microsoft.com>,
	zohar@linux.ibm.com, roberto.sassu@huawei.com,
	dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
	paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, code@tyhicks.com
Cc: oe-kbuild-all@lists.linux.dev,
	Tahera Fahimi <taherafahimi@linux.microsoft.com>
Subject: Re: [Patch V1] ima: avoid duplicate policy rules insertions
Date: Fri, 7 Nov 2025 14:54:25 +0800	[thread overview]
Message-ID: <202511071406.hU1UdCKh-lkp@intel.com> (raw)
In-Reply-To: <20251106181404.3429710-1-taherafahimi@linux.microsoft.com>

Hi Tahera,

kernel test robot noticed the following build warnings:

[auto build test WARNING on zohar-integrity/next-integrity]
[also build test WARNING on linus/master v6.18-rc4 next-20251107]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Tahera-Fahimi/ima-avoid-duplicate-policy-rules-insertions/20251107-021615
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link:    https://lore.kernel.org/r/20251106181404.3429710-1-taherafahimi%40linux.microsoft.com
patch subject: [Patch V1] ima: avoid duplicate policy rules insertions
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20251107/202511071406.hU1UdCKh-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251107/202511071406.hU1UdCKh-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511071406.hU1UdCKh-lkp@intel.com/

All warnings (new ones prefixed by >>):

   security/integrity/ima/ima_policy.c: In function 'template_has_field':
>> security/integrity/ima/ima_policy.c:1958:13: warning: unused variable 'j' [-Wunused-variable]
    1958 |         int j;
         |             ^
--
>> Warning: security/integrity/ima/ima_policy.c:2078 function parameter 'new_rule' not described in 'ima_rule_exists'


vim +/j +1958 security/integrity/ima/ima_policy.c

  1955	
  1956	static bool template_has_field(const char *field_id, const struct ima_template_desc *template2)
  1957	{
> 1958		int j;
  1959	
  1960		for (int j = 0; j < template2->num_fields; j++)
  1961			if (strcmp(field_id, template2->fields[j]->field_id) == 0)
  1962				return true;
  1963	
  1964		return false;
  1965	}
  1966	
  1967	static bool keyring_has_item(const char *item, const struct ima_rule_opt_list *keyrings)
  1968	{
  1969		int j;
  1970	
  1971		for (j = 0; j < keyrings->count; j++) {
  1972			if (strcmp(item, keyrings->items[j]) == 0)
  1973				return true;
  1974		}
  1975		return false;
  1976	}
  1977	
  1978	static bool labels_has_item(const char *item, const struct ima_rule_opt_list *labels)
  1979	{
  1980		int j;
  1981	
  1982		for (j = 0; j < labels->count; j++) {
  1983			if (strcmp(item, labels->items[j]) == 0)
  1984				return true;
  1985		}
  1986		return false;
  1987	}
  1988	
  1989	static bool ima_rules_equal(const struct ima_rule_entry *rule1, const struct ima_rule_entry *rule2)
  1990	{
  1991		int i;
  1992	
  1993		if (rule1->flags != rule2->flags)
  1994			return false;
  1995	
  1996		if (rule1->action != rule2->action)
  1997			return false;
  1998	
  1999		if (((rule1->flags & IMA_FUNC) && rule1->func != rule2->func) ||
  2000		    ((rule1->flags & (IMA_MASK | IMA_INMASK)) && rule1->mask != rule2->mask) ||
  2001		    ((rule1->flags & IMA_FSMAGIC) && rule1->fsmagic != rule2->fsmagic) ||
  2002		    ((rule1->flags & IMA_FSUUID) && !uuid_equal(&rule1->fsuuid, &rule2->fsuuid)) ||
  2003		    ((rule1->flags & IMA_UID) && !uid_eq(rule1->uid, rule2->uid)) ||
  2004		    ((rule1->flags & IMA_GID) && !gid_eq(rule1->gid, rule2->gid)) ||
  2005		    ((rule1->flags & IMA_FOWNER) && !uid_eq(rule1->fowner, rule2->fowner)) ||
  2006		    ((rule1->flags & IMA_FGROUP) && !gid_eq(rule1->fgroup, rule2->fgroup)) ||
  2007		    ((rule1->flags & IMA_FSNAME) && (strcmp(rule1->fsname, rule2->fsname) != 0)) ||
  2008		    ((rule1->flags & IMA_PCR) && rule1->pcr != rule2->pcr) ||
  2009		    ((rule1->flags & IMA_VALIDATE_ALGOS) &&
  2010		      rule1->allowed_algos != rule2->allowed_algos) ||
  2011		    ((rule1->flags & IMA_EUID) && !uid_eq(rule1->uid, rule2->uid)) ||
  2012		    ((rule1->flags & IMA_EGID) && !gid_eq(rule1->gid, rule2->gid)))
  2013			return false;
  2014	
  2015		if (!rule1->template && !rule2->template) {
  2016			;
  2017		} else if (!rule1->template || !rule2->template) {
  2018			return false;
  2019		} else if (rule1->template->num_fields != rule2->template->num_fields) {
  2020			return false;
  2021		} else if (rule1->template->num_fields != 0) {
  2022			for (i = 0; i < rule1->template->num_fields; i++) {
  2023				if (!template_has_field(rule1->template->fields[i]->field_id,
  2024							rule2->template))
  2025					return false;
  2026			}
  2027		}
  2028	
  2029		if (rule1->flags & IMA_KEYRINGS) {
  2030			if (!rule1->keyrings && !rule2->keyrings) {
  2031				;
  2032			} else if (!rule1->keyrings || !rule2->keyrings) {
  2033				return false;
  2034			} else if (rule1->keyrings->count != rule2->keyrings->count) {
  2035				return false;
  2036			} else if (rule1->keyrings->count != 0) {
  2037				for (i = 0; i < rule1->keyrings->count; i++) {
  2038					if (!keyring_has_item(rule1->keyrings->items[i], rule2->keyrings))
  2039						return false;
  2040				}
  2041			}
  2042		}
  2043	
  2044		if (rule1->flags & IMA_LABEL) {
  2045			if (!rule1->label && !rule2->label) {
  2046				;
  2047			} else if (!rule1->label || !rule2->label) {
  2048				return false;
  2049			} else if (rule1->label->count != rule2->label->count) {
  2050				return false;
  2051			} else if (rule1->label->count != 0) {
  2052				for (i = 0; i < rule1->label->count; i++) {
  2053					if (!labels_has_item(rule1->label->items[i], rule2->label))
  2054						return false;
  2055				}
  2056			}
  2057		}
  2058	
  2059		for (i = 0; i < MAX_LSM_RULES; i++) {
  2060			if (!rule1->lsm[i].rule && !rule2->lsm[i].rule)
  2061				continue;
  2062	
  2063			if (!rule1->lsm[i].rule || !rule2->lsm[i].rule)
  2064				return false;
  2065	
  2066			if (strcmp(rule1->lsm[i].args_p, rule2->lsm[i].args_p) != 0)
  2067				return false;
  2068		}
  2069	
  2070		return true;
  2071	}
  2072	
  2073	/**
  2074	 * ima_rule_exists - check if a rule already exists in the policy
  2075	 *
  2076	 * Checking both the active policy and the temporary rules list.
  2077	 */
> 2078	static bool ima_rule_exists(struct ima_rule_entry *new_rule)
  2079	{
  2080		struct ima_rule_entry *entry;
  2081		struct list_head *ima_rules_tmp;
  2082	
  2083		if (!list_empty(&ima_temp_rules)) {
  2084			list_for_each_entry(entry, &ima_temp_rules, list) {
  2085				if (ima_rules_equal(entry, new_rule))
  2086					return true;
  2087			}
  2088		}
  2089	
  2090		rcu_read_lock();
  2091		ima_rules_tmp = rcu_dereference(ima_rules);
  2092		list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
  2093			if (ima_rules_equal(entry, new_rule)) {
  2094				rcu_read_unlock();
  2095				return true;
  2096			}
  2097		}
  2098		rcu_read_unlock();
  2099	
  2100		return false;
  2101	}
  2102	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

  parent reply	other threads:[~2025-11-07  6:54 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06 18:14 [Patch V1] ima: avoid duplicate policy rules insertions Tahera Fahimi
2025-11-06 20:32 ` Anirudh Venkataramanan
2025-11-10 19:06   ` Tahera Fahimi
2025-11-11  9:46     ` Roberto Sassu
2025-11-07  6:54 ` kernel test robot [this message]
2025-11-07  9:44 ` Roberto Sassu
2025-11-07 10:56   ` Lennart Poettering
2025-11-07 11:56     ` Roberto Sassu
2025-11-11 11:40 ` Mimi Zohar
2025-11-20 15:39   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202511071406.hU1UdCKh-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=code@tyhicks.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=oe-kbuild-all@lists.linux.dev \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=taherafahimi@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.