From: kernel test robot <lkp@intel.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: llvm@lists.linux.dev, kbuild-all@lists.01.org,
zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v11 23/27] ima: Introduce securityfs file to activate an IMA namespace
Date: Thu, 3 Mar 2022 03:16:45 +0800
Message-ID: <202203030340.kolQS5ma-lkp@intel.com>
In-Reply-To: <20220302134703.1273041-24-stefanb@linux.ibm.com>

Hi Stefan,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v5.17-rc6]
[cannot apply to zohar-integrity/next-integrity linux/master jmorris-security/next-testing next-20220302]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220302-215707
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fb184c4af9b9f4563e7a126219389986a71d5b5b
config: arm64-randconfig-r006-20220302 (https://download.01.org/0day-ci/archive/20220303/202203030340.kolQS5ma-lkp@intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project d271fc04d5b97b12e6b797c6067d3c96a8d7470e)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install arm64 cross compiling tool for clang build
        # apt-get install binutils-aarch64-linux-gnu
        # https://github.com/0day-ci/linux/commit/59a9ba1130510d6693a61c6eb84c29983fa696df
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220302-215707
        git checkout 59a9ba1130510d6693a61c6eb84c29983fa696df
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm64 SHELL=/bin/bash security/integrity/ima/

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> security/integrity/ima/ima_fs.c:591:3: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
                   if (IS_ERR(active))
                   ^~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:56:28: note: expanded from macro 'if'
   #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:58:30: note: expanded from macro '__trace_if_var'
   #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   security/integrity/ima/ima_fs.c:608:9: note: uninitialized use occurs here
           return ret;
                  ^~~
   security/integrity/ima/ima_fs.c:591:3: note: remove the 'if' if its condition is always false
                   if (IS_ERR(active))
                   ^~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:59:23: note: expanded from macro 'if'
   #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
                         ^
   security/integrity/ima/ima_fs.c:516:9: note: initialize the variable 'ret' to silence this warning
           int ret;
                  ^
                   = 0
   1 warning generated.


vim +591 security/integrity/ima/ima_fs.c

   504
   505  int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
   506  {
   507          struct ima_namespace *ns = ima_ns_from_user_ns(user_ns);
   508          struct dentry *int_dir;
   509          struct dentry *ima_dir = NULL;
   510          struct dentry *ima_symlink = NULL;
   511          struct dentry *binary_runtime_measurements = NULL;
   512          struct dentry *ascii_runtime_measurements = NULL;
   513          struct dentry *runtime_measurements_count = NULL;
   514          struct dentry *violations = NULL;
   515          struct dentry *active = NULL;
   516          int ret;
   517
   518          /* FIXME: update when evm and integrity are namespaced */
   519          if (user_ns != &init_user_ns) {
   520                  int_dir = securityfs_create_dir("integrity", root);
   521                  if (IS_ERR(int_dir))
   522                          return PTR_ERR(int_dir);
   523          } else {
   524                  int_dir = integrity_dir;
   525          }
   526
   527          ima_dir = securityfs_create_dir("ima", int_dir);
   528          if (IS_ERR(ima_dir)) {
   529                  ret = PTR_ERR(ima_dir);
   530                  goto out;
   531          }
   532
   533          ima_symlink = securityfs_create_symlink("ima", root, "integrity/ima",
   534                                                  NULL);
   535          if (IS_ERR(ima_symlink)) {
   536                  ret = PTR_ERR(ima_symlink);
   537                  goto out;
   538          }
   539
   540          binary_runtime_measurements =
   541              securityfs_create_file("binary_runtime_measurements",
   542                                     S_IRUSR | S_IRGRP, ima_dir, NULL,
   543                                     &ima_measurements_ops);
   544          if (IS_ERR(binary_runtime_measurements)) {
   545                  ret = PTR_ERR(binary_runtime_measurements);
   546                  goto out;
   547          }
   548
   549          ascii_runtime_measurements =
   550              securityfs_create_file("ascii_runtime_measurements",
   551                                     S_IRUSR | S_IRGRP, ima_dir, NULL,
   552                                     &ima_ascii_measurements_ops);
   553          if (IS_ERR(ascii_runtime_measurements)) {
   554                  ret = PTR_ERR(ascii_runtime_measurements);
   555                  goto out;
   556          }
   557
   558          runtime_measurements_count =
   559              securityfs_create_file("runtime_measurements_count",
   560                                     S_IRUSR | S_IRGRP, ima_dir, NULL,
   561                                     &ima_measurements_count_ops);
   562          if (IS_ERR(runtime_measurements_count)) {
   563                  ret = PTR_ERR(runtime_measurements_count);
   564                  goto out;
   565          }
   566
   567          violations =
   568              securityfs_create_file("violations", S_IRUSR | S_IRGRP,
   569                                     ima_dir, NULL, &ima_htable_violations_ops);
   570          if (IS_ERR(violations)) {
   571                  ret = PTR_ERR(violations);
   572                  goto out;
   573          }
   574
   575          if (!ns->ima_policy_removed) {
   576                  ns->ima_policy =
   577                      securityfs_create_file("policy", POLICY_FILE_FLAGS,
   578                                             ima_dir, NULL,
   579                                             &ima_measure_policy_ops);
   580                  if (IS_ERR(ns->ima_policy)) {
   581                          ret = PTR_ERR(ns->ima_policy);
   582                          goto out;
   583                  }
   584          }
   585
   586          if (ns != &init_ima_ns) {
   587                  active =
   588                      securityfs_create_file("active",
   589                                             S_IRUSR | S_IWUSR | S_IRGRP, ima_dir,
   590                                             NULL, &ima_active_ops);
 > 591                  if (IS_ERR(active))
   592                          goto out;
   593          }
   594
   595          return 0;
   596  out:
   597          securityfs_remove(active);
   598          securityfs_remove(ns->ima_policy);
   599          securityfs_remove(violations);
   600          securityfs_remove(runtime_measurements_count);
   601          securityfs_remove(ascii_runtime_measurements);
   602          securityfs_remove(binary_runtime_measurements);
   603          securityfs_remove(ima_symlink);
   604          securityfs_remove(ima_dir);
   605          if (user_ns != &init_user_ns)
   606                  securityfs_remove(int_dir);
   607
   608          return ret;
   609  }
   610

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org