[PATCH v5 3/3] AppArmor: add support for lsm_config_self_policy and lsm_config_system_policy

kernel test robot lkp at intel.com
Mon Jul 14 18:07:38 UTC 2025


Hi Maxime,

kernel test robot noticed the following build warnings:

[auto build test WARNING on 9c32cda43eb78f78c73aee4aa344b777714e259b]

url:    https://github.com/intel-lab-lkp/linux/commits/Maxime-B-lair/Wire-up-lsm_config_self_policy-and-lsm_config_system_policy-syscalls/20250709-160720
base:   9c32cda43eb78f78c73aee4aa344b777714e259b
patch link:    https://lore.kernel.org/r/20250709080220.110947-4-maxime.belair%40canonical.com
patch subject: [PATCH v5 3/3] AppArmor: add support for lsm_config_self_policy and lsm_config_system_policy
config: hexagon-randconfig-r072-20250714 (https://download.01.org/0day-ci/archive/20250715/202507150132.xWRFcZgf-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp at intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202507150132.xWRFcZgf-lkp@intel.com/

smatch warnings:
security/apparmor/lsm.c:1348 apparmor_lsm_config_system_policy() warn: unsigned 'ns_size' is never less than zero.

vim +/ns_size +1348 security/apparmor/lsm.c

  1319	
  1320	/**
  1321	 * apparmor_lsm_config_system_policy - Load or replace a system policy
  1322	 * @lsm_id: AppArmor ID (LSM_ID_APPARMOR). Unused here
  1323	 * @op: operation to perform. Currently, only LSM_POLICY_LOAD is supported
  1324	 * @buf: user-supplied buffer in the form "<ns>\0<policy>"
  1325	 *        <ns> is the namespace to load the policy into (empty string for root)
  1326	 *        <policy> is the policy to load
  1327	 * @size: size of @buf
  1328	 * @flags: reserved for future uses; must be zero
  1329	 *
  1330	 * Returns: 0 on success, negative value on error
  1331	 */
  1332	static int apparmor_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf,
  1333					      size_t size, u32 flags)
  1334	{
  1335		loff_t pos = 0; // Partial writing is not currently supported
  1336		char ns_name[AA_PROFILE_NAME_MAX_SIZE];
  1337		size_t ns_size;
  1338		size_t max_ns_size = min(size, AA_PROFILE_NAME_MAX_SIZE);
  1339	
  1340		if (op != LSM_POLICY_LOAD || flags)
  1341			return -EOPNOTSUPP;
  1342		if (size < 2)
  1343			return -EINVAL;
  1344		if (size > AA_PROFILE_MAX_SIZE)
  1345			return -E2BIG;
  1346	
  1347		ns_size = strncpy_from_user(ns_name, buf, max_ns_size);
> 1348		if (ns_size < 0)
  1349			return ns_size;
  1350		if (ns_size == max_ns_size)
  1351			return -E2BIG;
  1352	
  1353		return aa_profile_load_ns_name(ns_name, ns_size, buf + ns_size + 1,
  1354					       size - ns_size - 1, &pos);
  1355	}
  1356	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


