[PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

kbuild test robot lkp at intel.com
Wed Apr 29 21:24:15 UTC 2020

Hi Mimi,

I love your patch! Yet something to improve:

[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on linus/master v5.7-rc3 next-20200429]
[cannot apply to security/next-testing]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/Mimi-Zohar/ima-extending-IMA-policy-to-support-interpreters/20200430-030608
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: arc-allyesconfig (attached as .config)
compiler: arc-elf-gcc (GCC) 9.3.0
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day GCC_VERSION=9.3.0 make.cross ARCH=arc 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <lkp at intel.com>

All error/warnings (new ones prefixed by >>):

   security/integrity/ima/ima_main.c: In function 'ima_file_check':
>> security/integrity/ima/ima_main.c:442:20: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
     442 |         MAY_EXEC | MAY_OPENEXEC |
         |                    ^~~~~~~~~~~~
         |                    MAY_OPEN
   security/integrity/ima/ima_main.c:442:20: note: each undeclared identifier is reported only once for each function it appears in
>> security/integrity/ima/ima_main.c:444:1: warning: control reaches end of non-void function [-Wreturn-type]
     444 | }
         | ^
   security/integrity/ima/ima_policy.c: In function 'ima_parse_rule':
>> security/integrity/ima/ima_policy.c:1100:19: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
    1100 |     entry->mask = MAY_OPENEXEC;
         |                   ^~~~~~~~~~~~
         |                   MAY_OPEN
   security/integrity/ima/ima_policy.c:1100:19: note: each undeclared identifier is reported only once for each function it appears in
   security/integrity/ima/ima_policy.c: In function 'ima_policy_show':
   security/integrity/ima/ima_policy.c:1535:21: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
    1535 |   if (entry->mask & MAY_OPENEXEC)
         |                     ^~~~~~~~~~~~
         |                     MAY_OPEN

vim +442 security/integrity/ima/ima_main.c

   425	/**
   426	 * ima_path_check - based on policy, collect/store measurement.
   427	 * @file: pointer to the file to be measured
   428	 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
   429	 *
   430	 * Measure files based on the ima_must_measure() policy decision.
   431	 *
   432	 * On success return 0.  On integrity appraisal error, assuming the file
   433	 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
   434	 */
   435	int ima_file_check(struct file *file, int mask)
   436	{
   437		u32 secid;
   439		security_task_getsecid(current, &secid);
   440		return process_measurement(file, current_cred(), secid, NULL, 0,
   441					   mask & (MAY_READ | MAY_WRITE |
 > 442						   MAY_EXEC | MAY_OPENEXEC |
   443						   MAY_APPEND), FILE_CHECK);
 > 444	}
   445	EXPORT_SYMBOL_GPL(ima_file_check);

0-DAY CI Kernel Test Service, Intel Corporation

More information about the Linux-security-module-archive mailing list