[PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling
kernel test robot
lkp at intel.com
Tue Jun 14 07:50:21 UTC 2022
Hi Micah,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on jmorris-security/next-testing kees/for-next/pstore v5.19-rc2 next-20220610]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/intel-lab-lkp/linux/commits/Micah-Morton/security-Add-LSM-hook-to-setgroups-syscall/20220614-050341
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3
config: x86_64-randconfig-a001-20220613 (https://download.01.org/0day-ci/archive/20220614/202206141555.zswTLROZ-lkp@intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project c97436f8b6e2718286e8496faf53a2c800e281cf)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/248aa1aeef5c49d4af78b9c3d09e896413258c76
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Micah-Morton/security-Add-LSM-hook-to-setgroups-syscall/20220614-050341
git checkout 248aa1aeef5c49d4af78b9c3d09e896413258c76
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp at intel.com>
All errors (new ones prefixed by >>):
>> security/safesetid/lsm.c:248:50: error: use of undeclared identifier 'group_info'
if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
^
1 error generated.
vim +/group_info +248 security/safesetid/lsm.c
237
238 static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)
239 {
240 int i;
241
242 /* Do nothing if there are no setgid restrictions for our old RGID. */
243 if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
244 return 0;
245
246 get_group_info(new->group_info);
247 for (i = 0; i < new->group_info->ngroups; i++) {
> 248 if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
249 put_group_info(new->group_info);
250 /*
251 * Kill this process to avoid potential security vulnerabilities
252 * that could arise from a missing allowlist entry preventing a
253 * privileged process from dropping to a lesser-privileged one.
254 */
255 force_sig(SIGKILL);
256 return -EACCES;
257 }
258 }
259
260 put_group_info(new->group_info);
261 return 0;
262 }
263
--
0-DAY CI Kernel Test Service
https://01.org/lkp
More information about the Linux-security-module-archive
mailing list