From: kernel test robot <lkp@intel.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: kbuild-all@lists.01.org, casey@schaufler-ca.com,
linux-audit@redhat.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, stephen.smalley.work@gmail.com,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid
Date: Fri, 8 Apr 2022 12:44:29 +0800 [thread overview]
Message-ID: <202204081233.FUUgdt5c-lkp@intel.com> (raw)
In-Reply-To: <20220407212230.12893-12-casey@schaufler-ca.com>
Hi Casey,
I love your patch! Perhaps something to improve:
[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on linus/master v5.18-rc1 next-20220407]
[cannot apply to pcmoore-audit/next jmorris-security/next-testing]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
config: mips-randconfig-r002-20220408 (https://download.01.org/0day-ci/archive/20220408/202204081233.FUUgdt5c-lkp@intel.com/config)
compiler: mips64el-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
git checkout 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=mips SHELL=/bin/bash security/integrity/ima/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
security/integrity/ima/ima_main.c: In function 'ima_file_check':
>> security/integrity/ima/ima_main.c:521:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
521 | return process_measurement(file, current_cred(), blob.secid[0], NULL, 0,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
522 | mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
523 | MAY_APPEND), FILE_CHECK);
| ~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:517:24: note: defined here 'blob'
517 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'ima_file_mmap':
security/integrity/ima/ima_main.c:413:24: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
413 | return process_measurement(file, current_cred(), blob.secid[0],
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
414 | NULL, 0, MAY_EXEC, MMAP_CHECK);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:408:24: note: defined here 'blob'
408 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'ima_file_mprotect':
security/integrity/ima/ima_main.c:453:18: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
453 | action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
454 | current_cred(), blob.secid[0], MAY_EXEC,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
455 | MMAP_CHECK, &pcr, &template, NULL, NULL);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:441:24: note: defined here 'blob'
441 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'ima_bprm_check':
security/integrity/ima/ima_main.c:495:15: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
495 | ret = process_measurement(bprm->file, current_cred(), blob.secid[0],
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
496 | NULL, 0, MAY_EXEC, BPRM_CHECK);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:491:24: note: defined here 'blob'
491 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'ima_read_file':
security/integrity/ima/ima_main.c:739:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
739 | return process_measurement(file, current_cred(), blob.secid[0], NULL,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
740 | 0, MAY_READ, func);
| ~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:717:24: note: defined here 'blob'
717 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'ima_post_read_file':
security/integrity/ima/ima_main.c:783:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
783 | return process_measurement(file, current_cred(), blob.secid[0], buf,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
784 | size, MAY_READ, func);
| ~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:768:24: note: defined here 'blob'
768 | struct lsmblob blob;
| ^~~~
security/integrity/ima/ima_main.c: In function 'process_buffer_measurement':
security/integrity/ima/ima_main.c:934:26: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
934 | action = ima_get_action(mnt_userns, inode, current_cred(),
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
935 | blob.secid[0], 0, func, &pcr, &template,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
936 | func_data, NULL);
| ~~~~~~~~~~~~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_main.c:26:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_main.c:909:24: note: defined here 'blob'
--
security/integrity/ima/ima_appraise.c: In function 'ima_must_appraise':
>> security/integrity/ima/ima_appraise.c:81:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
81 | return ima_match_policy(mnt_userns, inode, current_cred(),
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
82 | blob.secid[0], func, mask,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
83 | IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
84 | NULL);
| ~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_appraise.c:14:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_appraise.c:74:24: note: defined here 'blob'
74 | struct lsmblob blob;
| ^~~~
vim +521 security/integrity/ima/ima_main.c
504
505 /**
506 * ima_file_check - based on policy, collect/store measurement.
507 * @file: pointer to the file to be measured
508 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
509 *
510 * Measure files based on the ima_must_measure() policy decision.
511 *
512 * On success return 0. On integrity appraisal error, assuming the file
513 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
514 */
515 int ima_file_check(struct file *file, int mask)
516 {
517 struct lsmblob blob;
518
519 security_current_getsecid_subj(&blob);
520 /* scaffolding until process_measurement changes */
> 521 return process_measurement(file, current_cred(), blob.secid[0], NULL, 0,
522 mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
523 MAY_APPEND), FILE_CHECK);
524 }
525 EXPORT_SYMBOL_GPL(ima_file_check);
526
--
0-DAY CI Kernel Test Service
https://01.org/lkp
next prev parent reply other threads:[~2022-04-08 4:45 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220407212230.12893-1-casey.ref@schaufler-ca.com>
2022-04-07 21:22 ` [PATCH v34 00/29] LSM: Module stacking for AppArmor Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 01/29] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 02/29] LSM: Infrastructure management of the sock security Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 03/29] LSM: Add the lsmblob data structure Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 04/29] LSM: provide lsm name and id slot mappings Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 05/29] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 06/29] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 07/29] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 08/29] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 09/29] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 10/29] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2022-04-08 3:43 ` kernel test robot
2022-04-08 4:44 ` kernel test robot [this message]
2022-04-07 21:22 ` [PATCH v34 12/29] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 13/29] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2022-04-08 5:46 ` kernel test robot
2022-04-07 21:22 ` [PATCH v34 14/29] LSM: Specify which LSM to display Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 15/29] LSM: Ensure the correct LSM context releaser Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 16/29] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 17/29] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 18/29] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 19/29] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 20/29] binder: Pass LSM identifier for confirmation Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 21/29] LSM: Extend security_secid_to_secctx to include module selection Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 22/29] Audit: Keep multiple LSM data in audit_names Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 23/29] Audit: Create audit_stamp structure Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 24/29] LSM: Add a function to report multiple LSMs Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 25/29] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 26/29] Audit: Add record for multiple task security contexts Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 27/29] Audit: Add record for multiple object contexts Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 28/29] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2022-04-07 21:22 ` [PATCH v34 29/29] AppArmor: Remove the exclusive flag Casey Schaufler
2022-04-15 21:17 [PATCH v34 00/29] LSM: Module stacking for AppArmor Casey Schaufler
2022-04-15 21:17 ` [PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202204081233.FUUgdt5c-lkp@intel.com \
--to=lkp@intel.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kbuild-all@lists.01.org \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).