From: kernel test robot <lkp@intel.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: llvm@lists.linux.dev, kbuild-all@lists.01.org,
zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v11 23/27] ima: Introduce securityfs file to activate an IMA namespace
Date: Thu, 3 Mar 2022 03:16:45 +0800 [thread overview]
Message-ID: <202203030340.kolQS5ma-lkp@intel.com> (raw)
In-Reply-To: <20220302134703.1273041-24-stefanb@linux.ibm.com>
Hi Stefan,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on linus/master]
[also build test WARNING on v5.17-rc6]
[cannot apply to zohar-integrity/next-integrity linux/master jmorris-security/next-testing next-20220302]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220302-215707
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fb184c4af9b9f4563e7a126219389986a71d5b5b
config: arm64-randconfig-r006-20220302 (https://download.01.org/0day-ci/archive/20220303/202203030340.kolQS5ma-lkp@intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project d271fc04d5b97b12e6b797c6067d3c96a8d7470e)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm64 cross compiling tool for clang build
# apt-get install binutils-aarch64-linux-gnu
# https://github.com/0day-ci/linux/commit/59a9ba1130510d6693a61c6eb84c29983fa696df
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220302-215707
git checkout 59a9ba1130510d6693a61c6eb84c29983fa696df
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm64 SHELL=/bin/bash security/integrity/ima/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> security/integrity/ima/ima_fs.c:591:3: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
if (IS_ERR(active))
^~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:30: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/integrity/ima/ima_fs.c:608:9: note: uninitialized use occurs here
return ret;
^~~
security/integrity/ima/ima_fs.c:591:3: note: remove the 'if' if its condition is always false
if (IS_ERR(active))
^~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:56:23: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
security/integrity/ima/ima_fs.c:516:9: note: initialize the variable 'ret' to silence this warning
int ret;
^
= 0
1 warning generated.
vim +591 security/integrity/ima/ima_fs.c
504
505 int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
506 {
507 struct ima_namespace *ns = ima_ns_from_user_ns(user_ns);
508 struct dentry *int_dir;
509 struct dentry *ima_dir = NULL;
510 struct dentry *ima_symlink = NULL;
511 struct dentry *binary_runtime_measurements = NULL;
512 struct dentry *ascii_runtime_measurements = NULL;
513 struct dentry *runtime_measurements_count = NULL;
514 struct dentry *violations = NULL;
515 struct dentry *active = NULL;
516 int ret;
517
518 /* FIXME: update when evm and integrity are namespaced */
519 if (user_ns != &init_user_ns) {
520 int_dir = securityfs_create_dir("integrity", root);
521 if (IS_ERR(int_dir))
522 return PTR_ERR(int_dir);
523 } else {
524 int_dir = integrity_dir;
525 }
526
527 ima_dir = securityfs_create_dir("ima", int_dir);
528 if (IS_ERR(ima_dir)) {
529 ret = PTR_ERR(ima_dir);
530 goto out;
531 }
532
533 ima_symlink = securityfs_create_symlink("ima", root, "integrity/ima",
534 NULL);
535 if (IS_ERR(ima_symlink)) {
536 ret = PTR_ERR(ima_symlink);
537 goto out;
538 }
539
540 binary_runtime_measurements =
541 securityfs_create_file("binary_runtime_measurements",
542 S_IRUSR | S_IRGRP, ima_dir, NULL,
543 &ima_measurements_ops);
544 if (IS_ERR(binary_runtime_measurements)) {
545 ret = PTR_ERR(binary_runtime_measurements);
546 goto out;
547 }
548
549 ascii_runtime_measurements =
550 securityfs_create_file("ascii_runtime_measurements",
551 S_IRUSR | S_IRGRP, ima_dir, NULL,
552 &ima_ascii_measurements_ops);
553 if (IS_ERR(ascii_runtime_measurements)) {
554 ret = PTR_ERR(ascii_runtime_measurements);
555 goto out;
556 }
557
558 runtime_measurements_count =
559 securityfs_create_file("runtime_measurements_count",
560 S_IRUSR | S_IRGRP, ima_dir, NULL,
561 &ima_measurements_count_ops);
562 if (IS_ERR(runtime_measurements_count)) {
563 ret = PTR_ERR(runtime_measurements_count);
564 goto out;
565 }
566
567 violations =
568 securityfs_create_file("violations", S_IRUSR | S_IRGRP,
569 ima_dir, NULL, &ima_htable_violations_ops);
570 if (IS_ERR(violations)) {
571 ret = PTR_ERR(violations);
572 goto out;
573 }
574
575 if (!ns->ima_policy_removed) {
576 ns->ima_policy =
577 securityfs_create_file("policy", POLICY_FILE_FLAGS,
578 ima_dir, NULL,
579 &ima_measure_policy_ops);
580 if (IS_ERR(ns->ima_policy)) {
581 ret = PTR_ERR(ns->ima_policy);
582 goto out;
583 }
584 }
585
586 if (ns != &init_ima_ns) {
587 active =
588 securityfs_create_file("active",
589 S_IRUSR | S_IWUSR | S_IRGRP, ima_dir,
590 NULL, &ima_active_ops);
> 591 if (IS_ERR(active))
592 goto out;
593 }
594
595 return 0;
596 out:
597 securityfs_remove(active);
598 securityfs_remove(ns->ima_policy);
599 securityfs_remove(violations);
600 securityfs_remove(runtime_measurements_count);
601 securityfs_remove(ascii_runtime_measurements);
602 securityfs_remove(binary_runtime_measurements);
603 securityfs_remove(ima_symlink);
604 securityfs_remove(ima_dir);
605 if (user_ns != &init_user_ns)
606 securityfs_remove(int_dir);
607
608 return ret;
609 }
610
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
next prev parent reply other threads:[~2022-03-02 19:18 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-02 13:46 [PATCH v11 00/27] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-03-02 13:46 ` [PATCH v11 01/27] ima: Return error code obtained from securityfs functions Stefan Berger
2022-03-02 13:46 ` [PATCH v11 02/27] securityfs: rework dentry creation Stefan Berger
2022-03-02 13:46 ` [PATCH v11 03/27] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-03-02 13:46 ` [PATCH v11 04/27] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-03-02 13:46 ` [PATCH v11 05/27] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 06/27] ima: Move ima_htable " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 07/27] ima: Move measurement list related variables " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 08/27] ima: Move some IMA policy and filesystem " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 09/27] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-03-02 13:46 ` [PATCH v11 10/27] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 11/27] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-03-02 13:46 ` [PATCH v11 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-03-02 13:46 ` [PATCH v11 14/27] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 15/27] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-03-02 13:46 ` [PATCH v11 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 17/27] ima: Add functions for creating and " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 18/27] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-03-02 13:46 ` [PATCH v11 19/27] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 20/27] ima: Namespace audit status flags Stefan Berger
2022-03-02 13:46 ` [PATCH v11 21/27] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-03-02 13:46 ` [PATCH v11 22/27] ima: Setup securityfs for IMA namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 23/27] ima: Introduce securityfs file to activate an " Stefan Berger
2022-03-02 19:16 ` kernel test robot [this message]
2022-03-02 13:46 ` [PATCH v11 24/27] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-03-02 13:47 ` [PATCH v11 25/27] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-03-02 13:47 ` [PATCH v11 26/27] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-03-02 23:11 ` kernel test robot
2022-03-02 13:47 ` [PATCH v11 27/27] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202203030340.kolQS5ma-lkp@intel.com \
--to=lkp@intel.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=kbuild-all@lists.01.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).