Hi David, [FYI, it's a private test report for your RFC patch.] [auto build test WARNING on cifs/for-next] [also build test WARNING on dm/for-next linus/master v5.8-rc5 next-20200716] [cannot apply to security/next-testing pcmoore-selinux/next ecryptfs/next] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/David-Howells/keys-Security-changes-ACLs-and-Container-keyring/20200717-043801 base: git://git.samba.org/sfrench/cifs-2.6.git for-next config: i386-randconfig-r013-20200717 (attached as .config) compiler: gcc-9 (Debian 9.3.0-14) 9.3.0 reproduce (this is a W=1 build): # save the attached .config to linux build tree make W=1 ARCH=i386 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot All warnings (new ones prefixed by >>): security/selinux/hooks.c: In function 'selinux_keyperm_to_av': >> security/selinux/hooks.c:6548:7: warning: variable 'sysadmin_can_override' set but not used [-Wunused-but-set-variable] 6548 | bool sysadmin_can_override = false; | ^~~~~~~~~~~~~~~~~~~~~ vim +/sysadmin_can_override +6548 security/selinux/hooks.c 6532 6533 /* 6534 * Convert the requested KEY_NEED_* permit into an SELinux KEY__* permission. 6535 * 6536 * flags may also convey override flags such as 6537 * KEY_PERMISSION_USED_AUTH/SYSADMIN_OVERRIDE to indicate when the main 6538 * permission check overrode the permissions on the key. 6539 * 6540 * Returns the perms to check for in *_perm and *_perm2. If either perm is 6541 * present, then the operation is allowed. 
6542 */ 6543 static int selinux_keyperm_to_av(struct key *key, const struct cred *cred, 6544 unsigned int need_perm, unsigned int flags, 6545 u32 *_perm, u32 *_perm2) 6546 { 6547 bool auth_can_override = false; /* See KEYCTL_ASSUME_AUTHORITY */ > 6548 bool sysadmin_can_override = false; 6549 6550 switch (need_perm) { 6551 case KEY_NEED_ASSUME_AUTHORITY: 6552 return 0; 6553 6554 case KEY_NEED_DESCRIBE: 6555 case KEY_NEED_GET_SECURITY: 6556 *_perm = KEY__VIEW; 6557 auth_can_override = true; 6558 break; 6559 6560 case KEY_NEED_CHOWN: 6561 case KEY_NEED_SETPERM: 6562 case KEY_NEED_SET_RESTRICTION: 6563 *_perm = KEY__SETATTR; 6564 break; 6565 6566 case KEY_NEED_INSTANTIATE: 6567 auth_can_override = true; 6568 break; 6569 6570 case KEY_NEED_INVALIDATE: 6571 *_perm = KEY__SEARCH; 6572 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, &key->flags)) 6573 sysadmin_can_override = true; 6574 break; 6575 6576 case KEY_NEED_JOIN: 6577 case KEY_NEED_LINK: 6578 *_perm = KEY__LINK; 6579 break; 6580 6581 case KEY_NEED_KEYRING_ADD: 6582 case KEY_NEED_KEYRING_DELETE: 6583 *_perm = KEY__WRITE; 6584 break; 6585 6586 case KEY_NEED_KEYRING_CLEAR: 6587 *_perm = KEY__WRITE; 6588 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, &key->flags)) 6589 sysadmin_can_override = true; 6590 break; 6591 6592 case KEY_NEED_READ: 6593 *_perm = KEY__READ; 6594 break; 6595 6596 case KEY_NEED_REVOKE: 6597 *_perm = KEY__SETATTR; 6598 *_perm2 = KEY__WRITE; 6599 break; 6600 6601 case KEY_NEED_SEARCH: 6602 *_perm = KEY__SEARCH; 6603 break; 6604 6605 case KEY_NEED_SET_TIMEOUT: 6606 *_perm = KEY__SETATTR; 6607 auth_can_override = true; 6608 break; 6609 6610 case KEY_NEED_UNLINK: 6611 return 0; /* Mustn't prevent this; KEY_FLAG_KEEP is already 6612 * dealt with. 
*/ 6613 6614 case KEY_NEED_UPDATE: 6615 *_perm = KEY__WRITE; 6616 break; 6617 6618 case KEY_NEED_USE: 6619 *_perm = KEY__READ; 6620 *_perm2 = KEY__SEARCH; 6621 break; 6622 6623 case KEY_NEED_WATCH: 6624 *_perm = KEY__VIEW; 6625 break; 6626 6627 default: 6628 WARN_ON(1); 6629 return -EPERM; 6630 } 6631 6632 /* Just allow the operation if the process has an authorisation token. 6633 * The presence of the token means that the kernel delegated 6634 * instantiation of a key to the process - which is problematic if we 6635 * then say that the process isn't allowed to get the description of 6636 * the key or actually instantiate it. 6637 */ 6638 if (auth_can_override && cred->request_key_auth) { 6639 struct request_key_auth *rka = 6640 cred->request_key_auth->payload.data[0]; 6641 if (rka->target_key == key) 6642 *_perm = 0; 6643 } 6644 6645 return 0; 6646 } 6647 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
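Review bot: The flagged `sysadmin_can_override` is assigned in the KEY_NEED_INVALIDATE and KEY_NEED_KEYRING_CLEAR cases but nothing after the switch reads it, so KEY_FLAG_ROOT_CAN_INVAL and KEY_FLAG_ROOT_CAN_CLEAR have no effect on the permission this hook returns; only `auth_can_override` is consumed. In an LSM permission mapping this is a policy question and not just a W=1 cleanup: either a block that consumes the override is missing, or SELinux deliberately ignores the sysadmin override, in which case both `test_bit()` branches and the variable should go, with a comment such as `/* SELinux does not honour the sysadmin override; policy decides */`. The header comment says `flags` may carry KEY_PERMISSION_USED_AUTH/SYSADMIN_OVERRIDE, yet the `flags` parameter is never read in the body, which suggests the override handling is unfinished. Separately, KEY_NEED_INSTANTIATE never writes `*_perm`, and `*_perm2` is written only for KEY_NEED_REVOKE and KEY_NEED_USE, so the result depends on the caller having zeroed both outputs (not visible here). Starting the function with `*_perm = 0;` and `*_perm2 = 0;` would make the "no check required" result explicit.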