Re: [PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid
From: kernel test robot
Date: Thu Apr 07 2022 - 23:44:32 EST
Hi Casey,
I love your patch! Perhaps something to improve:
[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on linus/master v5.18-rc1 next-20220407]
[cannot apply to pcmoore-audit/next jmorris-security/next-testing]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
config: arm-randconfig-c002-20220408 (https://download.01.org/0day-ci/archive/20220408/202204081146.DPLvGqQ7-lkp@xxxxxxxxx/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
git checkout 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash security/integrity/ima/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
All warnings (new ones prefixed by >>):
security/integrity/ima/ima_appraise.c: In function 'ima_must_appraise':
>> security/integrity/ima/ima_appraise.c:81:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
81 | return ima_match_policy(mnt_userns, inode, current_cred(),
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
82 | blob.secid[0], func, mask,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
83 | IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
84 | NULL);
| ~~~~~
In file included from include/linux/ima.h:12,
from security/integrity/ima/ima_appraise.c:14:
include/linux/security.h:150:17: note: while referencing 'secid'
150 | u32 secid[LSMBLOB_ENTRIES];
| ^~~~~
security/integrity/ima/ima_appraise.c:74:24: note: defined here 'blob'
74 | struct lsmblob blob;
| ^~~~
vim +81 security/integrity/ima/ima_appraise.c
65
66 /*
67 * ima_must_appraise - set appraise flag
68 *
69 * Return 1 to appraise or hash
70 */
71 int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
72 int mask, enum ima_hooks func)
73 {
74 struct lsmblob blob;
75
76 if (!ima_appraise)
77 return 0;
78
79 security_current_getsecid_subj(&blob);
80 /* scaffolding the .secid[0] */
> 81 return ima_match_policy(mnt_userns, inode, current_cred(),
82 blob.secid[0], func, mask,
83 IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
84 NULL);
85 }
86
--
0-DAY CI Kernel Test Service
https://01.org/lkp