From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C76FFD18159 for ; Mon, 14 Oct 2024 23:53:25 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 5A6FD6B008C; Mon, 14 Oct 2024 19:53:25 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 557B66B0092; Mon, 14 Oct 2024 19:53:25 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3F7D26B0093; Mon, 14 Oct 2024 19:53:25 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 1F59E6B008C for ; Mon, 14 Oct 2024 19:53:25 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id EFFF5C0C3C for ; Mon, 14 Oct 2024 23:53:15 +0000 (UTC) X-FDA: 82673861886.29.AD40D3A Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.16]) by imf14.hostedemail.com (Postfix) with ESMTP id BB74E100010 for ; Mon, 14 Oct 2024 23:53:14 +0000 (UTC) Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b="nyQ/ozrd"; spf=pass (imf14.hostedemail.com: domain of lkp@intel.com designates 198.175.65.16 as permitted sender) smtp.mailfrom=lkp@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1728949813; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=8+dUNW6ccLNjbklP+2a8X91ec1P1wfs5hCielvWm8uE=; b=tgLNMI+NqsBTXCgaPsGxYLP3N0CFMtWoZtxeFgezTv8ao4wmbcqNFCOTwmTALEYMiuF/Er G2NDIefI/CcrvK5+QJQ/HUJGbLlmlhYeyWLkZ22DRwZ7z9o+783NqHY+pLf2Ez5nyljmtv QH8lPkA5qk1TunpthTCst1WvCcAaBVg= ARC-Authentication-Results: i=1; imf14.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b="nyQ/ozrd"; spf=pass (imf14.hostedemail.com: domain of lkp@intel.com designates 198.175.65.16 as permitted sender) smtp.mailfrom=lkp@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1728949813; a=rsa-sha256; cv=none; b=BqG43wMKY7uVQwwjebl2pbfL7sn0kxRNByeHWIwczsUPz6wpsVgos/v8GvLkvARTmCBBmF mnSoq8tSCbCRypwtl0LG0ebmQIKDdqzOsvHrghJglXMtb1bnFnX6Nf77COVzSnvpiwXBbV AVGQRQX5/ol4iXrP36D1epQSYTFT7y8= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1728950003; x=1760486003; h=date:from:to:cc:subject:message-id:references: mime-version:content-transfer-encoding:in-reply-to; bh=XerAkngai8u+DuuprsMQt/pVzZ3XZC5gXNaTekETm9k=; b=nyQ/ozrdTXu0uzoi257OqD18C/MqjkShk2rpsVkq+D0jcXiUZJqLkl4e F+Jztoe3IcsP8GOtMmwPetSaZCJTAqR8+5kWmnLjJiKqBixBcA6EbMLCX QsjhmEarwsXOEvv7NOUOKPlQXa49liv9o0+KIeQGhhTrpMIooCVnkUnrk IP4ObDGqG/1cZyJbrDF3XQbFkc0qSEEPRk5w3VURFzVY7YC8BHP2BwL2u t1cOsqHy6TK/6c/be+47ixtKYgNK84B5Vn3tcKlLhJISwDmkKrgj8C/lk RkFk5Lokr0C+yjegEP2OtEE75g6P9Ec90xutj0JKOgffUQehVQpVXHT+X w==; X-CSE-ConnectionGUID: vXYuSn+oTWmb7qiQrN451w== X-CSE-MsgGUID: eJMSLGUvSeuX1dnbV/DFqA== X-IronPort-AV: E=McAfee;i="6700,10204,11222"; a="28408303" X-IronPort-AV: E=Sophos;i="6.11,199,1725346800"; d="scan'208";a="28408303" Received: from orviesa009.jf.intel.com ([10.64.159.149]) by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Oct 2024 16:53:21 -0700 X-CSE-ConnectionGUID: 86hYXFeaQmmPgp4Ydmcztw== X-CSE-MsgGUID: JzPgZJZPQGGQDS1K1Drjrw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.11,203,1725346800"; d="scan'208";a="77590266" Received: from lkp-server01.sh.intel.com (HELO a48cf1aa22e8) ([10.239.97.150]) by orviesa009.jf.intel.com with ESMTP; 14 Oct 2024 16:53:14 -0700 Received: from kbuild by a48cf1aa22e8 with local (Exim 4.96) (envelope-from ) id 1t0UsB-000HL5-1w; Mon, 14 Oct 2024 23:53:11 +0000 Date: Tue, 15 Oct 2024 07:52:49 +0800 From: kernel test robot To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Al Viro , Christian Brauner , Kees Cook , Linus Torvalds , Paul Moore , Serge Hallyn , Theodore Ts'o Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev, LKML , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Adhemerval Zanella Netto , Alejandro Colomar , Aleksa Sarai , Andrew Morton , Linux Memory Management List , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Christian Heimes , Dmitry Vyukov , Elliott Hughes , Eric Biggers , Eric Chiang , Fan Wu , Florian Weimer , Geert Uytterhoeven , James Morris , Jan Kara , Jann Horn , Jeff Xu , Jonathan Corbet Subject: Re: [PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits Message-ID: <202410150756.KOkRl5oz-lkp@intel.com> References: <20241011184422.977903-3-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20241011184422.977903-3-mic@digikod.net> X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: BB74E100010 X-Stat-Signature: ypf9m8kgr77gm5bed3cp4wa15yfq5ofb X-Rspam-User: X-HE-Tag: 1728949994-785862 X-HE-Meta: U2FsdGVkX1+abQfKP1gEf/7NY/wyhqZ6APStk4GWAGIssRNJkG+0daAMWzrYJ8avct/mTuLaW8+D8r6kvr8zh62tz5K1fe76hcMhz4jreeMp+zL1cNPoWr1+vIZtty8uQb0ocBKDOc/zGYcMExfZfZkkhfkegaK1SFHrqsiSOHF2QRPdeKJNUJg59q++/FWgr+wp2SX2QliJhp3teDGC9KqyCVfF67VaeWFYvjnVZkUfen/tD39gqUMkZa6zUgwT7h4WJocd7NsXMoANW9XkzaqLrSe+J0Zrc4AvzfLNH93yLo8tOXg3rr5zVR0ZNdlbDk7XQaJ6wnOtvcI6wuJp2hwVWoC7hKdNbf0GDljc/k9U02aYh7m2Vtu86ypynRZJzqsxl1ZuPPfiBZbJc2JA87TgubWk0JvLWc5B4ZQT0zKMZPcrvS7U6rBuxuOu97hsibMeYN5qsml+mMgxgnjKafJE+UUWh8yEPRzJ8ZQp+KFz8i+bhUEJG5YliQXxI9CKfpG2kpYOKET/NdNwUsfq/ulU/FXDZNJKn3/66j1ZJBGr3O7pKKkM+vF9y3cn/jWkJdRzROp7F11/MYwLNDLWdO7mr8PdY5CC1S8gYI21vaF/5IeIaj7XnMcq/MDrq4OHXw8W8/J1j2FZ/lD9bOLtjdwYfInnonoH52Jcb6bLgBEHYkIp6FimRLKKDnlvdVWY8MhLTKvQe78++vX7Q0m9v82SnVIfAC19riJaKJZUiKTX+41QkZw6JYhouAjcJt54pQgAJS0B0pVna7EAOSPTowH3mt0mXn8XSDECH6UwUSmRvjjWvrUT5TXIweWldEm+Z1VbUu8tyFi9ExpiTN/aF4m+Dmywf/KQsk6mVUJfOy5tew2nHxJDVv/nWmcgGyTn3U+iiHtrIMK7JnxXB1GOst6jSEO6x9Kqf1iqk2CuDBLgDqZcHIHeoXBvmH8ZwRMx212sBBdSNNh4BMVCpEj RAaIniY+ zUb7fvKqLGDJ7N1w0HP8hSQuZX++dMDd8nlesZ1Of4X1B4YWXipeUWikT5d1Ua3Y/SrF3z4gIIm0mze7hQ11Zw8y37qe0Uaztn86cEgbW05Doyc7BN7KhRQYevXQN8inhzfP3YT34/SZjN76nFPNamOjV5TFb2aGQcHAMPgegOpwdAZTORjHaGphOkd036VYE6Sf7Yx8Oiy4VFyh5U0eG8mxy3B7QOCrcD0AuUa1jCzERP774NNvKftly0L4LHsasPeXjQMFA1ZDShLuBfa79miLZZ9KLEGsjfasXtIXQwTacbJ296p3Lm1sHJZ2DlgkXWlq84ZnjBmto7PvuK3uejws6U0VzV4R2sfFvIFmfAPzWClU44fpM2I48m60leT6+PVLNQxYVS1aA1Uoy6AP6pvRLw0F0IlJJynOnDlEKV4+zUZIBYPx1FGl3TqTWKUi5ss2QRSqp9X3/VpDtNYsm7Wz5NA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Hi Mickaël, kernel test robot noticed the following build warnings: [auto build test WARNING on 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b] url: https://github.com/intel-lab-lkp/linux/commits/Micka-l-Sala-n/exec-Add-a-new-AT_CHECK-flag-to-execveat-2/20241012-024801 base: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b patch link: https://lore.kernel.org/r/20241011184422.977903-3-mic%40digikod.net patch subject: [PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits config: arm-allnoconfig (https://download.01.org/0day-ci/archive/20241015/202410150756.KOkRl5oz-lkp@intel.com/config) compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 70e0a7e7e6a8541bcc46908c592eed561850e416) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241015/202410150756.KOkRl5oz-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot | Closes: https://lore.kernel.org/oe-kbuild-all/202410150756.KOkRl5oz-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from init/init_task.c:2: In file included from include/linux/init_task.h:9: In file included from include/linux/ftrace.h:13: In file included from include/linux/kallsyms.h:13: In file included from include/linux/mm.h:2213: include/linux/vmstat.h:518:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from init/init_task.c:2: In file included from include/linux/init_task.h:13: In file included from include/linux/securebits.h:5: >> include/uapi/linux/securebits.h:135:23: warning: '/*' within block comment [-Wcomment] 135 | * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user | ^ 2 warnings generated. vim +135 include/uapi/linux/securebits.h 97 98 #define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE)) 99 #define SECBIT_EXEC_RESTRICT_FILE_LOCKED \ 100 (issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED)) 101 102 /* 103 * When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret 104 * interactive user commands (e.g. scripts). However, if such commands are 105 * passed through a file descriptor (e.g. stdin), its content should be 106 * interpreted if a call to execveat(2) with the related file descriptor and 107 * the AT_CHECK flag succeed. 108 * 109 * For instance, script interpreters called with a script snippet as argument 110 * should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set. 111 * 112 * This secure bit may be set by user session managers, service managers, 113 * container runtimes, sandboxer tools... Except for test environments, the 114 * related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set. 115 * 116 * See the SECBIT_EXEC_RESTRICT_FILE documentation. 117 * 118 * Here is the expected behavior for a script interpreter according to 119 * combination of any exec securebits: 120 * 121 * 1. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=0 (default) 122 * Always interpret scripts, and allow arbitrary user commands. 123 * => No threat, everyone and everything is trusted, but we can get ahead of 124 * potential issues thanks to the call to execveat with AT_CHECK which 125 * should always be performed but ignored by the script interpreter. 126 * Indeed, this check is still important to enable systems administrators 127 * to verify requests (e.g. with audit) and prepare for migration to a 128 * secure mode. 129 * 130 * 2. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=0 131 * Deny script interpretation if they are not executable, but allow 132 * arbitrary user commands. 133 * => The threat is (potential) malicious scripts run by trusted (and not 134 * fooled) users. That can protect against unintended script executions > 135 * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user 136 * sessions. 137 * 138 * 3. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=1 139 * Always interpret scripts, but deny arbitrary user commands. 140 * => This use case may be useful for secure services (i.e. without 141 * interactive user session) where scripts' integrity is verified (e.g. 142 * with IMA/EVM or dm-verity/IPE) but where access rights might not be 143 * ready yet. Indeed, arbitrary interactive commands would be much more 144 * difficult to check. 145 * 146 * 4. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=1 147 * Deny script interpretation if they are not executable, and also deny 148 * any arbitrary user commands. 149 * => The threat is malicious scripts run by untrusted users (but trusted 150 * code). This makes sense for system services that may only execute 151 * trusted scripts. 152 */ 153 #define SECURE_EXEC_DENY_INTERACTIVE 10 154 #define SECURE_EXEC_DENY_INTERACTIVE_LOCKED 11 /* make bit-10 immutable */ 155 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki