[PATCH] apparmor: Add empty statement between label and declaration in profile_transition()

Nathan Chancellor nathan at kernel.org
Mon Nov 11 14:49:43 UTC 2024


Clang 18 and newer warns (or errors with CONFIG_WERROR=y):

  security/apparmor/domain.c:695:3: error: label followed by a declaration is a C23 extension [-Werror,-Wc23-extensions]
    695 |                 struct aa_profile *new_profile = NULL;
        |                 ^

With Clang 17 and older, this is just an unconditional hard error:

  security/apparmor/domain.c:695:3: error: expected expression
    695 |                 struct aa_profile *new_profile = NULL;
        |                 ^
  security/apparmor/domain.c:697:3: error: use of undeclared identifier 'new_profile'
    697 |                 new_profile = aa_new_learning_profile(profile, false, name,
        |                 ^
  security/apparmor/domain.c:699:8: error: use of undeclared identifier 'new_profile'
    699 |                 if (!new_profile) {
        |                      ^
  security/apparmor/domain.c:704:11: error: use of undeclared identifier 'new_profile'
    704 |                         new = &new_profile->label;
        |                                ^

Add a semicolon directly after the label to create an empty statement,
which keeps the original intent of the code while clearing up the
warning/error on all clang versions.

Fixes: ee650b3820f3 ("apparmor: properly handle cx/px lookup failure for complain")
Reported-by: kernel test robot <lkp at intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202411101808.AI8YG6cs-lkp@intel.com/
Signed-off-by: Nathan Chancellor <nathan at kernel.org>
---
 security/apparmor/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 602d7a1bb44823a9b81e34d270b03c5f3aff3a34..eb0f222aa29442686b0a6751001c879f5b366c59 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -691,7 +691,7 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 			error = -EACCES;
 		}
 	} else if (COMPLAIN_MODE(profile)) {
-create_learning_profile:
+create_learning_profile:;
 		/* no exec permission - learning mode */
 		struct aa_profile *new_profile = NULL;
 
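Review bot: Style point on the `create_learning_profile:;` line: the lone trailing semicolon is easy to overlook, and a later cleanup could drop it as a stray character and bring the Clang error back. Consider a short comment on that line saying the empty statement is intentional because a declaration follows the label, or move the declaration of `new_profile` to the top of the function so the label is followed directly by a statement. If the declaration is moved, note that a jump to the label would then skip the `= NULL` initializer, so the assignment from `aa_new_learning_profile()` has to remain the first use.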

---
base-commit: 8c4f7960ae8a7a03a43f814e4af471b8e6ea3391
change-id: 20241111-apparmor-fix-label-declaration-warning-fcd24ce2d447

Best regards,
-- 
Nathan Chancellor <nathan at kernel.org>



