From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [RFC PATCH 1/5] keys: Move permissions checking decisions into the checking code
Date: Sun, 19 Jul 2020 04:34:02 +0800
Message-ID: <202007190454.q984BPKG%lkp@intel.com>
In-Reply-To: <159493169007.3249370.10683196450124512236.stgit@warthog.procyon.org.uk>

Hi David,

[FYI, it's a private test report for your RFC patch.]
[auto build test ERROR on cifs/for-next]
[also build test ERROR on dm/for-next linus/master v5.8-rc5 next-20200717]
[cannot apply to security/next-testing pcmoore-selinux/next ecryptfs/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/David-Howells/keys-Security-changes-ACLs-and-Container-keyring/20200717-043801
base:   git://git.samba.org/sfrench/cifs-2.6.git for-next
config: microblaze-randconfig-r011-20200717 (attached as .config)
compiler: microblaze-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=microblaze 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   security/smack/smack_lsm.c: In function 'smack_key_permission':
>> security/smack/smack_lsm.c:4258:3: error: 'auth_can_override' undeclared (first use in this function)
    4258 |   auth_can_override = true;
         |   ^~~~~~~~~~~~~~~~~
   security/smack/smack_lsm.c:4258:3: note: each undeclared identifier is reported only once for each function it appears in
>> security/smack/smack_lsm.c:4309:10: error: dereferencing pointer to incomplete type 'struct request_key_auth'
    4309 |   if (rka->target_key == key)
         |          ^~
>> security/smack/smack_lsm.c:4309:26: error: 'key' undeclared (first use in this function)
    4309 |   if (rka->target_key == key)
         |                          ^~~
>> security/smack/smack_lsm.c:4310:5: error: '_perm' undeclared (first use in this function)
    4310 |    *_perm = 0;
         |     ^~~~~

vim +/auth_can_override +4258 security/smack/smack_lsm.c

  4212	
  4213	/**
  4214	 * smack_key_permission - Smack access on a key
  4215	 * @key_ref: gets to the object
  4216	 * @cred: the credentials to use
  4217	 * @need_perm: requested key permission
  4218	 *
  4219	 * Return 0 if the task has read and write to the object,
  4220	 * an error code otherwise
  4221	 */
  4222	static int smack_key_permission(key_ref_t key_ref,
  4223					const struct cred *cred,
  4224					enum key_need_perm need_perm,
  4225					unsigned int flags)
  4226	{
  4227		struct key *keyp;
  4228		struct smk_audit_info ad;
  4229		struct smack_known *tkp = smk_of_task(smack_cred(cred));
  4230		int request = 0;
  4231		int rc;
  4232	
  4233		keyp = key_ref_to_ptr(key_ref);
  4234		if (keyp == NULL)
  4235			return -EINVAL;
  4236		/*
  4237		 * If the key hasn't been initialized give it access so that
  4238		 * it may do so.
  4239		 */
  4240		if (keyp->security == NULL)
  4241			return 0;
  4242		/*
  4243		 * This should not occur
  4244		 */
  4245		if (tkp == NULL)
  4246			return -EACCES;
  4247	
  4248		/*
  4249		 * Validate requested permissions
  4250		 */
  4251		switch (need_perm) {
  4252		case KEY_NEED_ASSUME_AUTHORITY:
  4253			return 0;
  4254	
  4255		case KEY_NEED_DESCRIBE:
  4256		case KEY_NEED_GET_SECURITY:
  4257			request |= MAY_READ;
> 4258			auth_can_override = true;
  4259			break;
  4260	
  4261		case KEY_NEED_CHOWN:
  4262		case KEY_NEED_INVALIDATE:
  4263		case KEY_NEED_JOIN:
  4264		case KEY_NEED_LINK:
  4265		case KEY_NEED_KEYRING_ADD:
  4266		case KEY_NEED_KEYRING_CLEAR:
  4267		case KEY_NEED_KEYRING_DELETE:
  4268		case KEY_NEED_REVOKE:
  4269		case KEY_NEED_SETPERM:
  4270		case KEY_NEED_SET_RESTRICTION:
  4271		case KEY_NEED_UPDATE:
  4272			request |= MAY_WRITE;
  4273			break;
  4274	
  4275		case KEY_NEED_INSTANTIATE:
  4276			auth_can_override = true;
  4277			break;
  4278	
  4279		case KEY_NEED_READ:
  4280		case KEY_NEED_SEARCH:
  4281		case KEY_NEED_USE:
  4282		case KEY_NEED_WATCH:
  4283			request |= MAY_READ;
  4284			break;
  4285	
  4286		case KEY_NEED_SET_TIMEOUT:
  4287			request |= MAY_WRITE;
  4288			auth_can_override = true;
  4289			break;
  4290	
  4291		case KEY_NEED_UNLINK:
  4292			return 0; /* Mustn't prevent this; KEY_FLAG_KEEP is already
  4293				   * dealt with. */
  4294	
  4295		default:
  4296			WARN_ON(1);
  4297			return -EINVAL;
  4298		}
  4299	
  4300		/* Just allow the operation if the process has an authorisation token.
  4301		 * The presence of the token means that the kernel delegated
  4302		 * instantiation of a key to the process - which is problematic if we
  4303		 * then say that the process isn't allowed to get the description of
  4304		 * the key or actually instantiate it.
  4305		 */
  4306		if (auth_can_override && cred->request_key_auth) {
  4307			struct request_key_auth *rka =
  4308				cred->request_key_auth->payload.data[0];
> 4309			if (rka->target_key == key)
> 4310				*_perm = 0;
  4311		}
  4312	
  4313		if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
  4314			return 0;
  4315	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 24526 bytes --]

Thread overview: 13+ messages
2020-07-16 20:34 [RFC PATCH 0/5] keys: Security changes, ACLs and Container keyring David Howells
2020-07-16 20:34 ` David Howells
2020-07-16 20:34 ` [RFC PATCH 1/5] keys: Move permissions checking decisions into the checking code David Howells
2020-07-16 20:34   ` David Howells
2020-07-17  5:02   ` kernel test robot
2020-07-18 20:34   ` kernel test robot [this message]
2020-07-16 20:35 ` [RFC PATCH 2/5] keys: Replace uid/gid/perm permissions checking with an ACL David Howells
2020-07-16 20:35 ` [RFC PATCH 3/5] keys: Provide KEYCTL_GRANT_PERMISSION David Howells
2020-07-16 20:35 ` [RFC PATCH 4/5] keys: Split the search perms between KEY_NEED_USE and KEY_NEED_SEARCH David Howells
2020-07-16 20:35 ` [RFC PATCH 5/5] keys: Implement a 'container' keyring David Howells
2020-07-18 18:09   ` kernel test robot
2020-07-19 18:10 ` [RFC PATCH 0/5] keys: Security changes, ACLs and Container keyring Eric W. Biederman
2020-07-19 18:10   ` Eric W. Biederman
