From: kernel test robot <lkp@intel.com>
To: Ryan Lee <ryan.lee@canonical.com>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
John Johansen <john.johansen@canonical.com>
Subject: [jj-apparmor:apparmor-next 2/16] security/apparmor/domain.c:696:3: warning: label followed by a declaration is a C23 extension
Date: Sun, 10 Nov 2024 18:53:27 +0800
Message-ID: <202411101808.AI8YG6cs-lkp@intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git apparmor-next
head: 8c4f7960ae8a7a03a43f814e4af471b8e6ea3391
commit: ee650b3820f3d127a31c589101b60fbb28e53989 [2/16] apparmor: properly handle cx/px lookup failure for complain
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20241110/202411101808.AI8YG6cs-lkp@intel.com/config)
compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 592c0fe55f6d9a811028b5f3507be91458ab2713)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241110/202411101808.AI8YG6cs-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411101808.AI8YG6cs-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from security/apparmor/domain.c:16:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:6:
In file included from include/linux/ring_buffer.h:5:
In file included from include/linux/mm.h:2213:
include/linux/vmstat.h:518:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from security/apparmor/domain.c:16:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:9:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:14:
In file included from arch/hexagon/include/asm/io.h:328:
include/asm-generic/io.h:548:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
548 | val = __raw_readb(PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:561:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
561 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
| ^
In file included from security/apparmor/domain.c:16:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:9:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:14:
In file included from arch/hexagon/include/asm/io.h:328:
include/asm-generic/io.h:574:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
574 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
35 | #define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
| ^
In file included from security/apparmor/domain.c:16:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:9:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:14:
In file included from arch/hexagon/include/asm/io.h:328:
include/asm-generic/io.h:585:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
585 | __raw_writeb(value, PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:595:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
595 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:605:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
605 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
>> security/apparmor/domain.c:696:3: warning: label followed by a declaration is a C23 extension [-Wc23-extensions]
696 | struct aa_profile *new_profile = NULL;
| ^
8 warnings generated.
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for MODVERSIONS
Depends on [n]: MODULES [=y] && !COMPILE_TEST [=y]
Selected by [y]:
- RANDSTRUCT_FULL [=y] && (CC_HAS_RANDSTRUCT [=y] || GCC_PLUGINS [=n]) && MODULES [=y]
WARNING: unmet direct dependencies detected for GET_FREE_REGION
Depends on [n]: SPARSEMEM [=n]
Selected by [m]:
- RESOURCE_KUNIT_TEST [=m] && RUNTIME_TESTING_MENU [=y] && KUNIT [=m]
vim +696 security/apparmor/domain.c
898127c34ec032 John Johansen 2010-07-29 630
90c436a64a6e20 John Johansen 2022-09-19 631 static struct aa_label *profile_transition(const struct cred *subj_cred,
90c436a64a6e20 John Johansen 2022-09-19 632 struct aa_profile *profile,
93c98a484c4900 John Johansen 2017-06-09 633 const struct linux_binprm *bprm,
93c98a484c4900 John Johansen 2017-06-09 634 char *buffer, struct path_cond *cond,
93c98a484c4900 John Johansen 2017-06-09 635 bool *secure_exec)
898127c34ec032 John Johansen 2010-07-29 636 {
1ad22fcc4d0d2f John Johansen 2022-09-05 637 struct aa_ruleset *rules = list_first_entry(&profile->rules,
1ad22fcc4d0d2f John Johansen 2022-09-05 638 typeof(*rules), list);
93c98a484c4900 John Johansen 2017-06-09 639 struct aa_label *new = NULL;
93c98a484c4900 John Johansen 2017-06-09 640 const char *info = NULL, *name = NULL, *target = NULL;
98b824ff8984fd John Johansen 2023-04-28 641 aa_state_t state = rules->file->start[AA_CLASS_FILE];
2d679f3cb0eaa6 John Johansen 2017-05-29 642 struct aa_perms perms = {};
93c98a484c4900 John Johansen 2017-06-09 643 bool nonewprivs = false;
b1d9e6b0646d0e Casey Schaufler 2015-05-02 644 int error = 0;
898127c34ec032 John Johansen 2010-07-29 645
93c98a484c4900 John Johansen 2017-06-09 646 AA_BUG(!profile);
93c98a484c4900 John Johansen 2017-06-09 647 AA_BUG(!bprm);
93c98a484c4900 John Johansen 2017-06-09 648 AA_BUG(!buffer);
898127c34ec032 John Johansen 2010-07-29 649
4227c333f65cdd John Johansen 2017-05-23 650 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
72c8a768641dc6 John Johansen 2017-05-22 651 &name, &info, profile->disconnected);
898127c34ec032 John Johansen 2010-07-29 652 if (error) {
637f688dc3dc30 John Johansen 2017-06-09 653 if (profile_unconfined(profile) ||
93c98a484c4900 John Johansen 2017-06-09 654 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
93c98a484c4900 John Johansen 2017-06-09 655 AA_DEBUG("name lookup ix on error");
898127c34ec032 John Johansen 2010-07-29 656 error = 0;
93c98a484c4900 John Johansen 2017-06-09 657 new = aa_get_newest_label(&profile->label);
93c98a484c4900 John Johansen 2017-06-09 658 }
898127c34ec032 John Johansen 2010-07-29 659 name = bprm->filename;
898127c34ec032 John Johansen 2010-07-29 660 goto audit;
898127c34ec032 John Johansen 2010-07-29 661 }
898127c34ec032 John Johansen 2010-07-29 662
637f688dc3dc30 John Johansen 2017-06-09 663 if (profile_unconfined(profile)) {
8e51f9087f4024 Matthew Garrett 2018-02-08 664 new = find_attach(bprm, profile->ns,
8e51f9087f4024 Matthew Garrett 2018-02-08 665 &profile->ns->base.profiles, name, &info);
93c98a484c4900 John Johansen 2017-06-09 666 if (new) {
93c98a484c4900 John Johansen 2017-06-09 667 AA_DEBUG("unconfined attached to new label");
93c98a484c4900 John Johansen 2017-06-09 668 return new;
898127c34ec032 John Johansen 2010-07-29 669 }
93c98a484c4900 John Johansen 2017-06-09 670 AA_DEBUG("unconfined exec no attachment");
93c98a484c4900 John Johansen 2017-06-09 671 return aa_get_newest_label(&profile->label);
898127c34ec032 John Johansen 2010-07-29 672 }
898127c34ec032 John Johansen 2010-07-29 673
93c98a484c4900 John Johansen 2017-06-09 674 /* find exec permissions for name */
98b824ff8984fd John Johansen 2023-04-28 675 state = aa_str_perms(rules->file, state, name, cond, &perms);
898127c34ec032 John Johansen 2010-07-29 676 if (perms.allow & MAY_EXEC) {
898127c34ec032 John Johansen 2010-07-29 677 /* exec permission determine how to transition */
8e51f9087f4024 Matthew Garrett 2018-02-08 678 new = x_to_label(profile, bprm, name, perms.xindex, &target,
8e51f9087f4024 Matthew Garrett 2018-02-08 679 &info);
93c98a484c4900 John Johansen 2017-06-09 680 if (new && new->proxy == profile->label.proxy && info) {
93c98a484c4900 John Johansen 2017-06-09 681 /* hack ix fallback - improve how this is detected */
93c98a484c4900 John Johansen 2017-06-09 682 goto audit;
93c98a484c4900 John Johansen 2017-06-09 683 } else if (!new) {
93c98a484c4900 John Johansen 2017-06-09 684 info = "profile transition not found";
ee650b3820f3d1 Ryan Lee 2024-08-23 685 /* remove MAY_EXEC to audit as failure or complaint */
17322cc3f9ba57 John Johansen 2013-02-18 686 perms.allow &= ~MAY_EXEC;
ee650b3820f3d1 Ryan Lee 2024-08-23 687 if (COMPLAIN_MODE(profile)) {
ee650b3820f3d1 Ryan Lee 2024-08-23 688 /* create null profile instead of failing */
ee650b3820f3d1 Ryan Lee 2024-08-23 689 goto create_learning_profile;
ee650b3820f3d1 Ryan Lee 2024-08-23 690 }
ee650b3820f3d1 Ryan Lee 2024-08-23 691 error = -EACCES;
898127c34ec032 John Johansen 2010-07-29 692 }
898127c34ec032 John Johansen 2010-07-29 693 } else if (COMPLAIN_MODE(profile)) {
ee650b3820f3d1 Ryan Lee 2024-08-23 694 create_learning_profile:
93c98a484c4900 John Johansen 2017-06-09 695 /* no exec permission - learning mode */
5d7c44ef5e4f01 John Johansen 2017-11-20 @696 struct aa_profile *new_profile = NULL;
df323337e507a0 Sebastian Andrzej Siewior 2019-05-03 697
58f89ce58bb4f5 John Johansen 2022-10-03 698 new_profile = aa_new_learning_profile(profile, false, name,
5d7c44ef5e4f01 John Johansen 2017-11-20 699 GFP_KERNEL);
898127c34ec032 John Johansen 2010-07-29 700 if (!new_profile) {
898127c34ec032 John Johansen 2010-07-29 701 error = -ENOMEM;
898127c34ec032 John Johansen 2010-07-29 702 info = "could not create null profile";
93c98a484c4900 John Johansen 2017-06-09 703 } else {
898127c34ec032 John Johansen 2010-07-29 704 error = -EACCES;
93c98a484c4900 John Johansen 2017-06-09 705 new = &new_profile->label;
93c98a484c4900 John Johansen 2017-06-09 706 }
898127c34ec032 John Johansen 2010-07-29 707 perms.xindex |= AA_X_UNSAFE;
898127c34ec032 John Johansen 2010-07-29 708 } else
898127c34ec032 John Johansen 2010-07-29 709 /* fail exec */
898127c34ec032 John Johansen 2010-07-29 710 error = -EACCES;
898127c34ec032 John Johansen 2010-07-29 711
93c98a484c4900 John Johansen 2017-06-09 712 if (!new)
93c98a484c4900 John Johansen 2017-06-09 713 goto audit;
93c98a484c4900 John Johansen 2017-06-09 714
c29bceb3967398 John Johansen 2012-04-12 715
93c98a484c4900 John Johansen 2017-06-09 716 if (!(perms.xindex & AA_X_UNSAFE)) {
93c98a484c4900 John Johansen 2017-06-09 717 if (DEBUG_ON) {
93c98a484c4900 John Johansen 2017-06-09 718 dbg_printk("apparmor: scrubbing environment variables"
93c98a484c4900 John Johansen 2017-06-09 719 " for %s profile=", name);
8ac2ca328ec935 Sebastian Andrzej Siewior 2019-04-05 720 aa_label_printk(new, GFP_KERNEL);
93c98a484c4900 John Johansen 2017-06-09 721 dbg_printk("\n");
93c98a484c4900 John Johansen 2017-06-09 722 }
93c98a484c4900 John Johansen 2017-06-09 723 *secure_exec = true;
93c98a484c4900 John Johansen 2017-06-09 724 }
93c98a484c4900 John Johansen 2017-06-09 725
93c98a484c4900 John Johansen 2017-06-09 726 audit:
90c436a64a6e20 John Johansen 2022-09-19 727 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name,
90c436a64a6e20 John Johansen 2022-09-19 728 target, new,
93c98a484c4900 John Johansen 2017-06-09 729 cond->uid, info, error);
93c98a484c4900 John Johansen 2017-06-09 730 if (!new || nonewprivs) {
93c98a484c4900 John Johansen 2017-06-09 731 aa_put_label(new);
93c98a484c4900 John Johansen 2017-06-09 732 return ERR_PTR(error);
93c98a484c4900 John Johansen 2017-06-09 733 }
93c98a484c4900 John Johansen 2017-06-09 734
93c98a484c4900 John Johansen 2017-06-09 735 return new;
93c98a484c4900 John Johansen 2017-06-09 736 }
93c98a484c4900 John Johansen 2017-06-09 737
:::::: The code at line 696 was first introduced by commit
:::::: 5d7c44ef5e4f0149c9fb99faeae41e930485a1ec apparmor: fix locking when creating a new complain profile.
:::::: TO: John Johansen <john.johansen@canonical.com>
:::::: CC: John Johansen <john.johansen@canonical.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki