Hi Casey,

kernel test robot noticed the following build warnings:

[auto build test WARNING on pcmoore-audit/next]
[also build test WARNING on pcmoore-selinux/next zohar-integrity/next-integrity linus/master v6.11-rc5 next-20240830]
[If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting a patch, we suggest using '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240830-085050
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
patch link: https://lore.kernel.org/r/20240830003411.16818-3-casey%40schaufler-ca.com
patch subject: [PATCH v2 02/13] LSM: Use lsmblob in security_audit_rule_match
config: i386-randconfig-061-20240830 (https://download.01.org/0day-ci/archive/20240831/202408310649.X413mMQP-lkp@xxxxxxxxx/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240831/202408310649.X413mMQP-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e.
not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@xxxxxxxxx> | Closes: https://lore.kernel.org/oe-kbuild-all/202408310649.X413mMQP-lkp@xxxxxxxxx/ sparse warnings: (new ones prefixed by >>) >> security/integrity/ima/ima_policy.c:654:53: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned int [usertype] secid @@ got struct lsmblob * @@ security/integrity/ima/ima_policy.c:654:53: sparse: expected unsigned int [usertype] secid security/integrity/ima/ima_policy.c:654:53: sparse: got struct lsmblob * security/integrity/ima/ima_policy.c:663:53: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned int [usertype] secid @@ got struct lsmblob * @@ security/integrity/ima/ima_policy.c:663:53: sparse: expected unsigned int [usertype] secid security/integrity/ima/ima_policy.c:663:53: sparse: got struct lsmblob * security/integrity/ima/ima_policy.c: note: in included file: include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true security/integrity/ima/ima_policy.c:1666:52: sparse: sparse: self-comparison always evaluates to false security/integrity/ima/ima_policy.c:1701:55: sparse: sparse: self-comparison always evaluates to false security/integrity/ima/ima_policy.c:1728:55: sparse: sparse: self-comparison always evaluates to false security/integrity/ima/ima_policy.c:1754:55: sparse: sparse: self-comparison always evaluates to false include/linux/list.h:83:21: sparse: sparse: self-comparison always evaluates to true vim +654 security/integrity/ima/ima_policy.c 553 554 /** 555 * ima_match_rules - determine whether an inode matches the policy rule. 
556 * @rule: a pointer to a rule 557 * @idmap: idmap of the mount the inode was found from 558 * @inode: a pointer to an inode 559 * @cred: a pointer to a credentials structure for user validation 560 * @secid: the secid of the task to be validated 561 * @func: LIM hook identifier 562 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 563 * @func_data: func specific data, may be NULL 564 * 565 * Returns true on rule match, false on failure. 566 */ 567 static bool ima_match_rules(struct ima_rule_entry *rule, 568 struct mnt_idmap *idmap, 569 struct inode *inode, const struct cred *cred, 570 u32 secid, enum ima_hooks func, int mask, 571 const char *func_data) 572 { 573 int i; 574 bool result = false; 575 struct ima_rule_entry *lsm_rule = rule; 576 bool rule_reinitialized = false; 577 578 if ((rule->flags & IMA_FUNC) && 579 (rule->func != func && func != POST_SETATTR)) 580 return false; 581 582 switch (func) { 583 case KEY_CHECK: 584 case CRITICAL_DATA: 585 return ((rule->func == func) && 586 ima_match_rule_data(rule, func_data, cred)); 587 default: 588 break; 589 } 590 591 if ((rule->flags & IMA_MASK) && 592 (rule->mask != mask && func != POST_SETATTR)) 593 return false; 594 if ((rule->flags & IMA_INMASK) && 595 (!(rule->mask & mask) && func != POST_SETATTR)) 596 return false; 597 if ((rule->flags & IMA_FSMAGIC) 598 && rule->fsmagic != inode->i_sb->s_magic) 599 return false; 600 if ((rule->flags & IMA_FSNAME) 601 && strcmp(rule->fsname, inode->i_sb->s_type->name)) 602 return false; 603 if ((rule->flags & IMA_FSUUID) && 604 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) 605 return false; 606 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) 607 return false; 608 if (rule->flags & IMA_EUID) { 609 if (has_capability_noaudit(current, CAP_SETUID)) { 610 if (!rule->uid_op(cred->euid, rule->uid) 611 && !rule->uid_op(cred->suid, rule->uid) 612 && !rule->uid_op(cred->uid, rule->uid)) 613 return false; 614 } else if 
(!rule->uid_op(cred->euid, rule->uid)) 615 return false; 616 } 617 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid)) 618 return false; 619 if (rule->flags & IMA_EGID) { 620 if (has_capability_noaudit(current, CAP_SETGID)) { 621 if (!rule->gid_op(cred->egid, rule->gid) 622 && !rule->gid_op(cred->sgid, rule->gid) 623 && !rule->gid_op(cred->gid, rule->gid)) 624 return false; 625 } else if (!rule->gid_op(cred->egid, rule->gid)) 626 return false; 627 } 628 if ((rule->flags & IMA_FOWNER) && 629 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode), 630 rule->fowner)) 631 return false; 632 if ((rule->flags & IMA_FGROUP) && 633 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode), 634 rule->fgroup)) 635 return false; 636 for (i = 0; i < MAX_LSM_RULES; i++) { 637 int rc = 0; 638 struct lsmblob blob = { }; 639 640 if (!lsm_rule->lsm[i].rule) { 641 if (!lsm_rule->lsm[i].args_p) 642 continue; 643 else 644 return false; 645 } 646 647 retry: 648 switch (i) { 649 case LSM_OBJ_USER: 650 case LSM_OBJ_ROLE: 651 case LSM_OBJ_TYPE: 652 /* scaffolding */ 653 security_inode_getsecid(inode, &blob.scaffold.secid); > 654 rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, 655 Audit_equal, 656 lsm_rule->lsm[i].rule); 657 break; 658 case LSM_SUBJ_USER: 659 case LSM_SUBJ_ROLE: 660 case LSM_SUBJ_TYPE: 661 /* scaffolding */ 662 blob.scaffold.secid = secid; 663 rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, 664 Audit_equal, 665 lsm_rule->lsm[i].rule); 666 break; 667 default: 668 break; 669 } 670 671 if (rc == -ESTALE && !rule_reinitialized) { 672 lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); 673 if (lsm_rule) { 674 rule_reinitialized = true; 675 goto retry; 676 } 677 } 678 if (!rc) { 679 result = false; 680 goto out; 681 } 682 } 683 result = true; 684 685 out: 686 if (rule_reinitialized) { 687 for (i = 0; i < MAX_LSM_RULES; i++) 688 ima_filter_rule_free(lsm_rule->lsm[i].rule); 689 kfree(lsm_rule); 690 } 691 return result; 692 } 693 -- 0-DAY CI Kernel Test Service 
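Review bot: In the LSM loop of `ima_match_rules` (listing lines 671-681), only `rc == 0` is treated as a non-match, so a negative return from `ima_filter_rule_match()` falls through and the function can still end with `result = true`. The same path can dereference NULL: if `ima_lsm_copy_rule(rule, GFP_ATOMIC)` fails, `lsm_rule` is left NULL while `rc` is still `-ESTALE`, and the next iteration reads `lsm_rule->lsm[i].rule`. Treating every non-positive result as a failed match closes both cases: `if (rc <= 0) { result = false; goto out; }`. This appears independent of the lsmblob conversion, but a rule match that fails open changes which objects the IMA policy applies to, so it is worth fixing while these call sites are being touched.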
https://github.com/intel/lkp-tests/wiki