Hi Mickaël, kernel test robot noticed the following build warnings: [auto build test WARNING on 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b] url: https://github.com/intel-lab-lkp/linux/commits/Micka-l-Sala-n/exec-Add-a-new-AT_CHECK-flag-to-execveat-2/20241012-024801 base: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b patch link: https://lore.kernel.org/r/20241011184422.977903-3-mic%40digikod.net patch subject: [PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits config: arm-allnoconfig (https://download.01.org/0day-ci/archive/20241015/202410150756.KOkRl5oz-lkp@xxxxxxxxx/config) compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 70e0a7e7e6a8541bcc46908c592eed561850e416) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241015/202410150756.KOkRl5oz-lkp@xxxxxxxxx/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@xxxxxxxxx> | Closes: https://lore.kernel.org/oe-kbuild-all/202410150756.KOkRl5oz-lkp@xxxxxxxxx/ All warnings (new ones prefixed by >>): In file included from init/init_task.c:2: In file included from include/linux/init_task.h:9: In file included from include/linux/ftrace.h:13: In file included from include/linux/kallsyms.h:13: In file included from include/linux/mm.h:2213: include/linux/vmstat.h:518:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from init/init_task.c:2: In file included from include/linux/init_task.h:13: In file included from include/linux/securebits.h:5: >> include/uapi/linux/securebits.h:135:23: warning: '/*' within block comment [-Wcomment] 135 | * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user | ^ 2 warnings generated. vim +135 include/uapi/linux/securebits.h 97 98 #define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE)) 99 #define SECBIT_EXEC_RESTRICT_FILE_LOCKED \ 100 (issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED)) 101 102 /* 103 * When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret 104 * interactive user commands (e.g. scripts). However, if such commands are 105 * passed through a file descriptor (e.g. stdin), its content should be 106 * interpreted if a call to execveat(2) with the related file descriptor and 107 * the AT_CHECK flag succeed. 108 * 109 * For instance, script interpreters called with a script snippet as argument 110 * should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set. 111 * 112 * This secure bit may be set by user session managers, service managers, 113 * container runtimes, sandboxer tools... Except for test environments, the 114 * related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set. 115 * 116 * See the SECBIT_EXEC_RESTRICT_FILE documentation. 117 * 118 * Here is the expected behavior for a script interpreter according to 119 * combination of any exec securebits: 120 * 121 * 1. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=0 (default) 122 * Always interpret scripts, and allow arbitrary user commands. 123 * => No threat, everyone and everything is trusted, but we can get ahead of 124 * potential issues thanks to the call to execveat with AT_CHECK which 125 * should always be performed but ignored by the script interpreter. 126 * Indeed, this check is still important to enable systems administrators 127 * to verify requests (e.g. with audit) and prepare for migration to a 128 * secure mode. 129 * 130 * 2. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=0 131 * Deny script interpretation if they are not executable, but allow 132 * arbitrary user commands. 133 * => The threat is (potential) malicious scripts run by trusted (and not 134 * fooled) users. That can protect against unintended script executions > 135 * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user 136 * sessions. 137 * 138 * 3. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=1 139 * Always interpret scripts, but deny arbitrary user commands. 140 * => This use case may be useful for secure services (i.e. without 141 * interactive user session) where scripts' integrity is verified (e.g. 142 * with IMA/EVM or dm-verity/IPE) but where access rights might not be 143 * ready yet. Indeed, arbitrary interactive commands would be much more 144 * difficult to check. 145 * 146 * 4. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=1 147 * Deny script interpretation if they are not executable, and also deny 148 * any arbitrary user commands. 149 * => The threat is malicious scripts run by untrusted users (but trusted 150 * code). This makes sense for system services that may only execute 151 * trusted scripts. 152 */ 153 #define SECURE_EXEC_DENY_INTERACTIVE 10 154 #define SECURE_EXEC_DENY_INTERACTIVE_LOCKED 11 /* make bit-10 immutable */ 155 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki