[PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
kernel test robot
lkp at intel.com
Mon Aug 26 19:31:34 UTC 2024
Hi Casey,
kernel test robot noticed the following build warnings:
[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on zohar-integrity/next-integrity linus/master pcmoore-audit/next v6.11-rc5 next-20240826]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240826-170520
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/r/20240825190048.13289-3-casey%40schaufler-ca.com
patch subject: [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
config: i386-buildonly-randconfig-006-20240827 (https://download.01.org/0day-ci/archive/20240827/202408270317.8wTE4P5l-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240827/202408270317.8wTE4P5l-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp at intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408270317.8wTE4P5l-lkp@intel.com/
All warnings (new ones prefixed by >>):
security/integrity/ima/ima_policy.c: In function 'ima_match_rules':
>> security/integrity/ima/ima_policy.c:654:52: warning: passing argument 1 of 'ima_filter_rule_match' makes integer from pointer without a cast [-Wint-conversion]
654 | rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
| ^~~~~
| |
| struct lsmblob *
In file included from security/integrity/ima/ima_policy.c:22:
security/integrity/ima/ima.h:558:45: note: expected 'u32' {aka 'unsigned int'} but argument is of type 'struct lsmblob *'
558 | static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
| ~~~~^~~~~
security/integrity/ima/ima_policy.c:663:52: warning: passing argument 1 of 'ima_filter_rule_match' makes integer from pointer without a cast [-Wint-conversion]
663 | rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
| ^~~~~
| |
| struct lsmblob *
security/integrity/ima/ima.h:558:45: note: expected 'u32' {aka 'unsigned int'} but argument is of type 'struct lsmblob *'
558 | static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
| ~~~~^~~~~
vim +/ima_filter_rule_match +654 security/integrity/ima/ima_policy.c
/**
 * ima_match_rules - determine whether an inode matches the policy rule.
 * @rule: a pointer to a rule
 * @idmap: idmap of the mount the inode was found from
 * @inode: a pointer to an inode
 * @cred: a pointer to a credentials structure for user validation
 * @secid: the secid of the task to be validated
 * @func: LIM hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 * @func_data: func specific data, may be NULL
 *
 * Every field enabled in @rule->flags (function, mask, filesystem, uid/gid,
 * owner/group) and every configured LSM label rule must match; the first
 * field that does not match rejects the rule.
 *
 * Returns true on rule match, false on failure.
 */
static bool ima_match_rules(struct ima_rule_entry *rule,
			    struct mnt_idmap *idmap,
			    struct inode *inode, const struct cred *cred,
			    u32 secid, enum ima_hooks func, int mask,
			    const char *func_data)
{
	int i;
	bool result = false;
	/* Points at @rule until a stale LSM rule forces a private copy. */
	struct ima_rule_entry *lsm_rule = rule;
	bool rule_reinitialized = false;

	/* POST_SETATTR is matched regardless of the rule's func and mask. */
	if ((rule->flags & IMA_FUNC) &&
	    (rule->func != func && func != POST_SETATTR))
		return false;

	/* Key and critical-data rules are decided on their func data alone. */
	switch (func) {
	case KEY_CHECK:
	case CRITICAL_DATA:
		return ((rule->func == func) &&
			ima_match_rule_data(rule, func_data, cred));
	default:
		break;
	}

	if ((rule->flags & IMA_MASK) &&
	    (rule->mask != mask && func != POST_SETATTR))
		return false;
	if ((rule->flags & IMA_INMASK) &&
	    (!(rule->mask & mask) && func != POST_SETATTR))
		return false;
	if ((rule->flags & IMA_FSMAGIC)
	    && rule->fsmagic != inode->i_sb->s_magic)
		return false;
	if ((rule->flags & IMA_FSNAME)
	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
		return false;
	if ((rule->flags & IMA_FSUUID) &&
	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
		return false;
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
		return false;
	if (rule->flags & IMA_EUID) {
		/* With CAP_SETUID any of euid, suid or uid may satisfy the rule. */
		if (has_capability_noaudit(current, CAP_SETUID)) {
			if (!rule->uid_op(cred->euid, rule->uid)
			    && !rule->uid_op(cred->suid, rule->uid)
			    && !rule->uid_op(cred->uid, rule->uid))
				return false;
		} else if (!rule->uid_op(cred->euid, rule->uid))
			return false;
	}
	if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
		return false;
	if (rule->flags & IMA_EGID) {
		/* With CAP_SETGID any of egid, sgid or gid may satisfy the rule. */
		if (has_capability_noaudit(current, CAP_SETGID)) {
			if (!rule->gid_op(cred->egid, rule->gid)
			    && !rule->gid_op(cred->sgid, rule->gid)
			    && !rule->gid_op(cred->gid, rule->gid))
				return false;
		} else if (!rule->gid_op(cred->egid, rule->gid))
			return false;
	}
	/* Owner/group are compared in the mount's idmapping, not the raw k[ug]id. */
	if ((rule->flags & IMA_FOWNER) &&
	    !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
			     rule->fowner))
		return false;
	if ((rule->flags & IMA_FGROUP) &&
	    !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
			     rule->fgroup))
		return false;
	for (i = 0; i < MAX_LSM_RULES; i++) {
		int rc = 0;
		struct lsmblob blob = { };

		/*
		 * No compiled rule: skip the slot if it was never configured,
		 * but reject if arguments exist that could not be compiled.
		 */
		if (!lsm_rule->lsm[i].rule) {
			if (!lsm_rule->lsm[i].args_p)
				continue;
			else
				return false;
		}

retry:
		switch (i) {
		case LSM_OBJ_USER:
		case LSM_OBJ_ROLE:
		case LSM_OBJ_TYPE:
			/* scaffolding */
			security_inode_getsecid(inode, &blob.scaffold.secid);
			/*
			 * NOTE(review): the build report above shows this
			 * configuration's ima.h:558 still declaring
			 * ima_filter_rule_match(u32 secid, ...) (presumably
			 * the !CONFIG_IMA_LSM_RULES stub), so passing &blob
			 * warns; that declaration needs the same
			 * struct lsmblob * conversion.
			 */
			rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
						   Audit_equal,
						   lsm_rule->lsm[i].rule);
			break;
		case LSM_SUBJ_USER:
		case LSM_SUBJ_ROLE:
		case LSM_SUBJ_TYPE:
			/* scaffolding */
			blob.scaffold.secid = secid;
			rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
						   Audit_equal,
						   lsm_rule->lsm[i].rule);
			break;
		default:
			break;
		}

		/*
		 * -ESTALE: the compiled LSM rule is no longer valid (presumably
		 * the LSM's policy changed); rebuild the rules once and retry
		 * this slot.  If the copy fails, rc stays -ESTALE and falls
		 * through to the non-zero handling below.
		 */
		if (rc == -ESTALE && !rule_reinitialized) {
			lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
			if (lsm_rule) {
				rule_reinitialized = true;
				goto retry;
			}
		}
		/*
		 * Only rc == 0 (no match) rejects the rule.  Any other
		 * non-zero value, including a negative error other than the
		 * retried -ESTALE, lets the loop continue to the next slot.
		 */
		if (!rc) {
			result = false;
			goto out;
		}
	}
	result = true;

out:
	/* Release the private copy built on the retry path, rules first. */
	if (rule_reinitialized) {
		for (i = 0; i < MAX_LSM_RULES; i++)
			ima_filter_rule_free(lsm_rule->lsm[i].rule);
		kfree(lsm_rule);
	}
	return result;
}
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki