* [linux-next:master 13681/14117] security/safesetid/lsm.c:119:42: sparse: sparse: cast to non-scalar
@ 2020-08-08 2:19 kernel test robot
From: kernel test robot @ 2020-08-08 2:19 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 6797 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: 471e638c4c5df4c0035a76a561ada4d28228e5fd
commit: 02e316b088df08dcd88439961f888145df68dcf5 [13681/14117] LSM: SafeSetID: Add GID security policy handling
config: i386-randconfig-s002-20200808 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.2-118-ge1578773-dirty
git checkout 02e316b088df08dcd88439961f888145df68dcf5
# save the attached .config to linux build tree
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> security/safesetid/lsm.c:119:42: sparse: sparse: cast to non-scalar
>> security/safesetid/lsm.c:119:42: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:134:42: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:134:42: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:177:34: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:177:34: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:205:34: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:205:34: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:208:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:208:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:209:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:209:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:210:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:210:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:211:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:211:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:229:34: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:229:34: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:232:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:232:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:233:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:233:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:234:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:234:41: sparse: sparse: cast from non-scalar
security/safesetid/lsm.c:235:41: sparse: sparse: cast to non-scalar
security/safesetid/lsm.c:235:41: sparse: sparse: cast from non-scalar
--
>> security/safesetid/securityfs.c:271:15: sparse: sparse: incompatible types in comparison expression (different address spaces):
>> security/safesetid/securityfs.c:271:15: sparse: struct setid_ruleset [noderef] __rcu *
>> security/safesetid/securityfs.c:271:15: sparse: struct setid_ruleset *
>> security/safesetid/securityfs.c:286:61: sparse: sparse: incorrect type in argument 6 (different address spaces) @@ expected struct setid_ruleset *ruleset @@ got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setuid_rules @@
>> security/safesetid/securityfs.c:286:61: sparse: expected struct setid_ruleset *ruleset
>> security/safesetid/securityfs.c:286:61: sparse: got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setuid_rules
security/safesetid/securityfs.c:293:61: sparse: sparse: incorrect type in argument 6 (different address spaces) @@ expected struct setid_ruleset *ruleset @@ got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setgid_rules @@
security/safesetid/securityfs.c:293:61: sparse: expected struct setid_ruleset *ruleset
>> security/safesetid/securityfs.c:293:61: sparse: got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setgid_rules
vim +119 security/safesetid/lsm.c
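/**
 * safesetid_security_capable - capable() hook for CAP_SETUID and CAP_SETGID
 * @cred: credentials being checked; cred->uid or cred->gid keys the policy lookup
 * @ns: user namespace passed by the caller (not consulted in this function)
 * @cap: capability being requested
 * @opts: CAP_OPT_* flags; CAP_OPT_INSETID means the check comes from a
 *        set*id() syscall
 *
 * Return: 0 when this hook raises no objection, -EPERM when a policy applies
 * to the caller's ID and the capability is used outside a set*id() call.
 */
static int safesetid_security_capable(const struct cred *cred,
				      struct user_namespace *ns,
				      int cap,
				      unsigned int opts)
{
	/* We're only interested in CAP_SETUID and CAP_SETGID. */
	if (cap != CAP_SETUID && cap != CAP_SETGID)
		return 0;

	/*
	 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
	 * let it go through here; the real security check happens later, in the
	 * task_fix_set{u/g}id hook.
	 *
	 * NOTE:
	 * Until we add support for restricting setgroups() calls, GID security
	 * policies offer no meaningful security since we always return 0 here
	 * when called from within the setgroups() syscall and there is no
	 * additional hook later on to enforce security policies for setgroups().
	 */
	if ((opts & CAP_OPT_INSETID) != 0)
		return 0;

	switch (cap) {
	case CAP_SETUID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETUID for
		 * other purposes.
		 *
		 * kid_t is a union, so name the member in a compound literal;
		 * a plain (kid_t) cast of a kuid_t is what sparse reports as
		 * "cast to non-scalar" / "cast from non-scalar".
		 */
		if (setid_policy_lookup((kid_t){.uid = cred->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETUID for functionality other than calling
		 * set*uid() (e.g. setting up userns uid mappings).
		 */
		pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
			__kuid_val(cred->uid));
		return -EPERM;
	case CAP_SETGID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETGID for
		 * other purposes.
		 */
		if (setid_policy_lookup((kid_t){.gid = cred->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETGID for functionality other than calling
		 * set*gid() (e.g. setting up userns gid mappings).
		 *
		 * Log the GID the lookup was keyed on; printing the UID here
		 * would put the wrong ID in the denial record.
		 */
		pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
			__kgid_val(cred->gid));
		return -EPERM;
	default:
		/* Not reached: the guard at the top only lets CAP_SETUID/CAP_SETGID through. */
		return 0;
	}
	return 0;
}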
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 34491 bytes --]