Message ID | 20220609230146.319210-5-casey@schaufler-ca.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Headers | show |
Series | [v36,01/33] integrity: disassociate ima_filter_rule from security_audit_rule | expand |
Hi Casey, I love your patch! Perhaps something to improve: [auto build test WARNING on pcmoore-audit/next] [also build test WARNING on pcmoore-selinux/next linus/master v5.19-rc1 next-20220610] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220610-080129 base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next config: sparc-randconfig-r014-20220609 (https://download.01.org/0day-ci/archive/20220610/202206101543.IWAKe4Qx-lkp@intel.com/config) compiler: sparc-linux-gcc (GCC) 11.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/767517968014af3744e00ba2c0c956b290a56ecb git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220610-080129 git checkout 767517968014af3744e00ba2c0c956b290a56ecb # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.3.0 make.cross W=1 O=build_dir ARCH=sparc SHELL=/bin/bash If you fix the issue, kindly add following tag where applicable Reported-by: kernel test robot <lkp@intel.com> All warnings (new ones prefixed by >>): security/security.c: In function 'lsm_name_to_slot': >> security/security.c:496:40: warning: array subscript i is outside array bounds of 'struct lsm_id *[0]' [-Warray-bounds] 496 | if (strcmp(lsm_slotlist[i]->lsm, name) == 0) | ~~~~~~~~~~~~^~~ security/security.c:481:23: note: while referencing 'lsm_slotlist' 481 | static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; | ^~~~~~~~~~~~ security/security.c: In function 'lsm_slot_to_name': >> security/security.c:521:25: warning: array subscript 0 is outside array bounds of 'struct lsm_id *[0]' [-Warray-bounds] 521 | if (lsm_slotlist[slot] == NULL) | ~~~~~~~~~~~~^~~~~~ security/security.c:481:23: note: while referencing 'lsm_slotlist' 481 | static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; | ^~~~~~~~~~~~ security/security.c: In function 'security_add_hooks': >> security/security.c:546:29: warning: array subscript <unknown> is outside array bounds of 'struct lsm_id *[0]' [-Warray-bounds] 546 | lsm_slotlist[lsm_slot] = lsmid; | ~~~~~~~~~~~~^~~~~~~~~~ security/security.c:481:23: note: while referencing 'lsm_slotlist' 481 | static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; | ^~~~~~~~~~~~ vim +496 security/security.c 482 483 /** 484 * lsm_name_to_slot - Report the slot number for a security module 485 * @name: name of the security module 486 * 487 * Look up the slot number for the named security module. 488 * Returns the slot number or LSMBLOB_INVALID if @name is not 489 * a registered security module name. 490 */ 491 int lsm_name_to_slot(char *name) 492 { 493 int i; 494 495 for (i = 0; i < lsm_slot; i++) > 496 if (strcmp(lsm_slotlist[i]->lsm, name) == 0) 497 return i; 498 499 return LSMBLOB_INVALID; 500 } 501 502 /** 503 * lsm_slot_to_name - Get the name of the security module in a slot 504 * @slot: index into the interface LSM slot list. 505 * 506 * Provide the name of the security module associated with 507 * a interface LSM slot. 508 * 509 * If @slot is LSMBLOB_INVALID return the value 510 * for slot 0 if it has been set, otherwise NULL. 511 * 512 * Returns a pointer to the name string or NULL. 513 */ 514 const char *lsm_slot_to_name(int slot) 515 { 516 if (slot == LSMBLOB_INVALID) 517 slot = 0; 518 else if (slot >= LSMBLOB_ENTRIES || slot < 0) 519 return NULL; 520 > 521 if (lsm_slotlist[slot] == NULL) 522 return NULL; 523 return lsm_slotlist[slot]->lsm; 524 } 525 526 /** 527 * security_add_hooks - Add a modules hooks to the hook lists. 528 * @hooks: the hooks to add 529 * @count: the number of hooks to add 530 * @lsmid: the identification information for the security module 531 * 532 * Each LSM has to register its hooks with the infrastructure. 533 * If the LSM is using hooks that export secids allocate a slot 534 * for it in the lsmblob. 535 */ 536 void __init security_add_hooks(struct security_hook_list *hooks, int count, 537 struct lsm_id *lsmid) 538 { 539 int i; 540 541 WARN_ON(!lsmid->slot || !lsmid->lsm); 542 543 if (lsmid->slot == LSMBLOB_NEEDED) { 544 if (lsm_slot >= LSMBLOB_ENTRIES) 545 panic("%s Too many LSMs registered.\n", __func__); > 546 lsm_slotlist[lsm_slot] = lsmid; 547 lsmid->slot = lsm_slot++; 548 init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, 549 lsmid->slot); 550 } 551 552 for (i = 0; i < count; i++) { 553 hooks[i].lsmid = lsmid; 554 hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); 555 } 556 557 /* 558 * Don't try to append during early_security_init(), we'll come back 559 * and fix this up afterwards. 560 */ 561 if (slab_is_available()) { 562 if (lsm_append(lsmid->lsm, &lsm_names) < 0) 563 panic("%s - Cannot get early memory.\n", __func__); 564 } 565 } 566
diff --git a/include/linux/security.h b/include/linux/security.h index 835fbb86a2bc..5b7a21237fea 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -197,6 +197,10 @@ static inline bool lsmblob_equal(const struct lsmblob *bloba, return !memcmp(bloba, blobb, sizeof(*bloba)); } +/* Map lsm names to blob slot numbers */ +extern int lsm_name_to_slot(char *name); +extern const char *lsm_slot_to_name(int slot); + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); diff --git a/security/security.c b/security/security.c index 8fdf046fc749..37c14572501e 100644 --- a/security/security.c +++ b/security/security.c @@ -478,6 +478,50 @@ static int lsm_append(const char *new, char **result) * Current index to use while initializing the lsmblob secid list. */ static int lsm_slot __lsm_ro_after_init; +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; + +/** + * lsm_name_to_slot - Report the slot number for a security module + * @name: name of the security module + * + * Look up the slot number for the named security module. + * Returns the slot number or LSMBLOB_INVALID if @name is not + * a registered security module name. + */ +int lsm_name_to_slot(char *name) +{ + int i; + + for (i = 0; i < lsm_slot; i++) + if (strcmp(lsm_slotlist[i]->lsm, name) == 0) + return i; + + return LSMBLOB_INVALID; +} + +/** + * lsm_slot_to_name - Get the name of the security module in a slot + * @slot: index into the interface LSM slot list. + * + * Provide the name of the security module associated with + * a interface LSM slot. + * + * If @slot is LSMBLOB_INVALID return the value + * for slot 0 if it has been set, otherwise NULL. + * + * Returns a pointer to the name string or NULL. + */ +const char *lsm_slot_to_name(int slot) +{ + if (slot == LSMBLOB_INVALID) + slot = 0; + else if (slot >= LSMBLOB_ENTRIES || slot < 0) + return NULL; + + if (lsm_slotlist[slot] == NULL) + return NULL; + return lsm_slotlist[slot]->lsm; +} /** * security_add_hooks - Add a modules hooks to the hook lists. @@ -499,6 +543,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsmid->slot == LSMBLOB_NEEDED) { if (lsm_slot >= LSMBLOB_ENTRIES) panic("%s Too many LSMs registered.\n", __func__); + lsm_slotlist[lsm_slot] = lsmid; lsmid->slot = lsm_slot++; init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm, lsmid->slot);