* [linux-next:master 13681/14117] security/safesetid/lsm.c:119:42: sparse: sparse: cast to non-scalar
@ 2020-08-08  2:19 kernel test robot
From: kernel test robot @ 2020-08-08  2:19 UTC (permalink / raw)
  To: kbuild-all

[-- Attachment #1: Type: text/plain, Size: 6797 bytes --]

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   471e638c4c5df4c0035a76a561ada4d28228e5fd
commit: 02e316b088df08dcd88439961f888145df68dcf5 [13681/14117] LSM: SafeSetID: Add GID security policy handling
config: i386-randconfig-s002-20200808 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.2-118-ge1578773-dirty
        git checkout 02e316b088df08dcd88439961f888145df68dcf5
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386 

If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>


sparse warnings: (new ones prefixed by >>)

>> security/safesetid/lsm.c:119:42: sparse: sparse: cast to non-scalar
>> security/safesetid/lsm.c:119:42: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:134:42: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:134:42: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:177:34: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:177:34: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:205:34: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:205:34: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:208:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:208:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:209:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:209:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:210:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:210:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:211:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:211:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:229:34: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:229:34: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:232:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:232:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:233:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:233:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:234:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:234:41: sparse: sparse: cast from non-scalar
   security/safesetid/lsm.c:235:41: sparse: sparse: cast to non-scalar
   security/safesetid/lsm.c:235:41: sparse: sparse: cast from non-scalar
--
>> security/safesetid/securityfs.c:271:15: sparse: sparse: incompatible types in comparison expression (different address spaces):
>> security/safesetid/securityfs.c:271:15: sparse:    struct setid_ruleset [noderef] __rcu *
>> security/safesetid/securityfs.c:271:15: sparse:    struct setid_ruleset *
>> security/safesetid/securityfs.c:286:61: sparse: sparse: incorrect type in argument 6 (different address spaces) @@     expected struct setid_ruleset *ruleset @@     got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setuid_rules @@
>> security/safesetid/securityfs.c:286:61: sparse:     expected struct setid_ruleset *ruleset
>> security/safesetid/securityfs.c:286:61: sparse:     got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setuid_rules
   security/safesetid/securityfs.c:293:61: sparse: sparse: incorrect type in argument 6 (different address spaces) @@     expected struct setid_ruleset *ruleset @@     got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setgid_rules @@
   security/safesetid/securityfs.c:293:61: sparse:     expected struct setid_ruleset *ruleset
>> security/safesetid/securityfs.c:293:61: sparse:     got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setgid_rules

vim +119 security/safesetid/lsm.c

    89	
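/**
 * safesetid_security_capable - restrict non-setid uses of CAP_SETUID/CAP_SETGID
 * @cred: credentials whose uid/gid are looked up in the SafeSetID policy
 * @ns: user namespace of the capability check (not consulted here)
 * @cap: capability being checked
 * @opts: CAP_OPT_* flags describing the context of the check
 *
 * Capabilities other than CAP_SETUID and CAP_SETGID are never restricted
 * here. When one of those two is used from inside a setid() syscall
 * (CAP_OPT_INSETID set) the check is deferred to the task_fix_set{u/g}id
 * hook. Any other use is denied for an ID that has a policy entry, so that
 * a restricted ID cannot use the capability for anything except an approved
 * transition.
 *
 * NOTE(review): presumably registered as the LSM capable hook; the
 * registration is not part of this listing.
 *
 * Return: 0 if this module raises no objection, -EPERM if the use is denied.
 */
static int safesetid_security_capable(const struct cred *cred,
				      struct user_namespace *ns,
				      int cap,
				      unsigned int opts)
{
	/* We're only interested in CAP_SETUID and CAP_SETGID. */
	if (cap != CAP_SETUID && cap != CAP_SETGID)
		return 0;

	/*
	 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
	 * let it go through here; the real security check happens later, in the
	 * task_fix_set{u/g}id hook.
	 *
	 * NOTE:
	 * Until we add support for restricting setgroups() calls, GID security
	 * policies offer no meaningful security since we always return 0 here
	 * when called from within the setgroups() syscall and there is no
	 * additional hook later on to enforce security policies for setgroups().
	 */
	if ((opts & CAP_OPT_INSETID) != 0)
		return 0;

	switch (cap) {
	case CAP_SETUID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETUID for
		 * other purposes.
		 *
		 * kid_t is a union, so it is built with a compound literal; sparse
		 * reports "cast to non-scalar" for the former (kid_t)cred->uid.
		 */
		if (setid_policy_lookup((kid_t){.uid = cred->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETUID for functionality other than calling
		 * set*uid() (e.g. setting up userns uid mappings).
		 */
		pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
			__kuid_val(cred->uid));
		return -EPERM;
	case CAP_SETGID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETGID for
		 * other purposes. Same compound-literal construction as above.
		 */
		if (setid_policy_lookup((kid_t){.gid = cred->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETGID for functionality other than calling
		 * set*gid() (e.g. setting up userns gid mappings).
		 *
		 * Log the GID that was denied: the message is labelled "GID", and
		 * printing the UID here would mislead anyone reading the denial in
		 * the kernel log.
		 */
		pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
			__kgid_val(cred->gid));
		return -EPERM;
	default:
		/*
		 * Not reached: the guard at the top already returned for every
		 * capability other than CAP_SETUID/CAP_SETGID.
		 */
		return 0;
	}
	return 0;
}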
   151	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 34491 bytes --]
