From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [RFC PATCH 1/5] keys: Move permissions checking decisions into the checking code
Date: Sun, 19 Jul 2020 04:34:02 +0800
Message-ID: <202007190454.q984BPKG%lkp@intel.com>
In-Reply-To: <159493169007.3249370.10683196450124512236.stgit@warthog.procyon.org.uk>

Hi David,

[FYI, it's a private test report for your RFC patch.]
[auto build test ERROR on cifs/for-next]
[also build test ERROR on dm/for-next linus/master v5.8-rc5 next-20200717]
[cannot apply to security/next-testing pcmoore-selinux/next ecryptfs/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/David-Howells/keys-Security-changes-ACLs-and-Container-keyring/20200717-043801
base:   git://git.samba.org/sfrench/cifs-2.6.git for-next
config: microblaze-randconfig-r011-20200717 (attached as .config)
compiler: microblaze-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=microblaze

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   security/smack/smack_lsm.c: In function 'smack_key_permission':
>> security/smack/smack_lsm.c:4258:3: error: 'auth_can_override' undeclared (first use in this function)
    4258 |   auth_can_override = true;
         |   ^~~~~~~~~~~~~~~~~
   security/smack/smack_lsm.c:4258:3: note: each undeclared identifier is reported only once for each function it appears in
>> security/smack/smack_lsm.c:4309:10: error: dereferencing pointer to incomplete type 'struct request_key_auth'
    4309 |   if (rka->target_key == key)
         |          ^~
>> security/smack/smack_lsm.c:4309:26: error: 'key' undeclared (first use in this function)
    4309 |   if (rka->target_key == key)
         |                          ^~~
>> security/smack/smack_lsm.c:4310:5: error: '_perm' undeclared (first use in this function)
    4310 |    *_perm = 0;
         |     ^~~~~

vim +/auth_can_override +4258 security/smack/smack_lsm.c

  4212
  4213  /**
  4214   * smack_key_permission - Smack access on a key
  4215   * @key_ref: gets to the object
  4216   * @cred: the credentials to use
  4217   * @need_perm: requested key permission
  4218   *
  4219   * Return 0 if the task has read and write to the object,
  4220   * an error code otherwise
  4221   */
  4222  static int smack_key_permission(key_ref_t key_ref,
  4223                                  const struct cred *cred,
  4224                                  enum key_need_perm need_perm,
  4225                                  unsigned int flags)
  4226  {
  4227          struct key *keyp;
  4228          struct smk_audit_info ad;
  4229          struct smack_known *tkp = smk_of_task(smack_cred(cred));
  4230          int request = 0;
  4231          int rc;
  4232
  4233          keyp = key_ref_to_ptr(key_ref);
  4234          if (keyp == NULL)
  4235                  return -EINVAL;
  4236          /*
  4237           * If the key hasn't been initialized give it access so that
  4238           * it may do so.
  4239           */
  4240          if (keyp->security == NULL)
  4241                  return 0;
  4242          /*
  4243           * This should not occur
  4244           */
  4245          if (tkp == NULL)
  4246                  return -EACCES;
  4247
  4248          /*
  4249           * Validate requested permissions
  4250           */
  4251          switch (need_perm) {
  4252          case KEY_NEED_ASSUME_AUTHORITY:
  4253                  return 0;
  4254
  4255          case KEY_NEED_DESCRIBE:
  4256          case KEY_NEED_GET_SECURITY:
  4257                  request |= MAY_READ;
> 4258                  auth_can_override = true;
  4259                  break;
  4260
  4261          case KEY_NEED_CHOWN:
  4262          case KEY_NEED_INVALIDATE:
  4263          case KEY_NEED_JOIN:
  4264          case KEY_NEED_LINK:
  4265          case KEY_NEED_KEYRING_ADD:
  4266          case KEY_NEED_KEYRING_CLEAR:
  4267          case KEY_NEED_KEYRING_DELETE:
  4268          case KEY_NEED_REVOKE:
  4269          case KEY_NEED_SETPERM:
  4270          case KEY_NEED_SET_RESTRICTION:
  4271          case KEY_NEED_UPDATE:
  4272                  request |= MAY_WRITE;
  4273                  break;
  4274
  4275          case KEY_NEED_INSTANTIATE:
  4276                  auth_can_override = true;
  4277                  break;
  4278
  4279          case KEY_NEED_READ:
  4280          case KEY_NEED_SEARCH:
  4281          case KEY_NEED_USE:
  4282          case KEY_NEED_WATCH:
  4283                  request |= MAY_READ;
  4284                  break;
  4285
  4286          case KEY_NEED_SET_TIMEOUT:
  4287                  request |= MAY_WRITE;
  4288                  auth_can_override = true;
  4289                  break;
  4290
  4291          case KEY_NEED_UNLINK:
  4292                  return 0; /* Mustn't prevent this; KEY_FLAG_KEEP is already
  4293                             * dealt with. */
  4294
  4295          default:
  4296                  WARN_ON(1);
  4297                  return -EINVAL;
  4298          }
  4299
  4300          /* Just allow the operation if the process has an authorisation token.
  4301           * The presence of the token means that the kernel delegated
  4302           * instantiation of a key to the process - which is problematic if we
  4303           * then say that the process isn't allowed to get the description of
  4304           * the key or actually instantiate it.
  4305           */
  4306          if (auth_can_override && cred->request_key_auth) {
  4307                  struct request_key_auth *rka =
  4308                          cred->request_key_auth->payload.data[0];
> 4309                  if (rka->target_key == key)
> 4310                          *_perm = 0;
  4311          }
  4312
  4313          if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
  4314                  return 0;
  4315

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 24526 bytes --]