[PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid

kernel test robot lkp at intel.com
Fri Apr 8 03:43:33 UTC 2022


Hi Casey,

I love your patch! Perhaps something to improve:

[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on linus/master v5.18-rc1 next-20220407]
[cannot apply to pcmoore-audit/next jmorris-security/next-testing]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
config: arm-randconfig-c002-20220408 (https://download.01.org/0day-ci/archive/20220408/202204081146.DPLvGqQ7-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
        git checkout 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash security/integrity/ima/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp at intel.com>

All warnings (new ones prefixed by >>):

   security/integrity/ima/ima_appraise.c: In function 'ima_must_appraise':
>> security/integrity/ima/ima_appraise.c:81:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
      81 |         return ima_match_policy(mnt_userns, inode, current_cred(),
         |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      82 |                                 blob.secid[0], func, mask,
         |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~
      83 |                                 IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
         |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      84 |                                 NULL);
         |                                 ~~~~~
   In file included from include/linux/ima.h:12,
                    from security/integrity/ima/ima_appraise.c:14:
   include/linux/security.h:150:17: note: while referencing 'secid'
     150 |         u32     secid[LSMBLOB_ENTRIES];
         |                 ^~~~~
   security/integrity/ima/ima_appraise.c:74:24: note: defined here 'blob'
      74 |         struct lsmblob blob;
         |                        ^~~~


vim +81 security/integrity/ima/ima_appraise.c

    65	
    66	/*
    67	 * ima_must_appraise - set appraise flag
    68	 *
    69	 * Return 1 to appraise or hash
    70	 */
    71	int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
    72			      int mask, enum ima_hooks func)
    73	{
    74		struct lsmblob blob;
    75	
    76		if (!ima_appraise)
    77			return 0;
    78	
    79		security_current_getsecid_subj(&blob);
    80		/* scaffolding the .secid[0] */
  > 81		return ima_match_policy(mnt_userns, inode, current_cred(),
    82					blob.secid[0], func, mask,
    83					IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
    84					NULL);
    85	}
    86	

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



More information about the Linux-security-module-archive mailing list