Hi David, [FYI, it's a private test report for your RFC patch.] [auto build test WARNING on cifs/for-next] [also build test WARNING on dm/for-next linus/master v5.8-rc5 next-20200716] [cannot apply to security/next-testing pcmoore-selinux/next ecryptfs/next] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/David-Howells/keys-Security-chan... base: git://git.samba.org/sfrench/cifs-2.6.git for-next config: i386-randconfig-r013-20200717 (attached as .config) compiler: gcc-9 (Debian 9.3.0-14) 9.3.0 reproduce (this is a W=1 build): # save the attached .config to linux build tree make W=1 ARCH=i386 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp(a)intel.com&gt; All warnings (new ones prefixed by >>): security/selinux/hooks.c: In function 'selinux_keyperm_to_av': 6548 | bool sysadmin_can_override = false; | ^~~~~~~~~~~~~~~~~~~~~ vim +/sysadmin_can_override +6548 security/selinux/hooks.c 6532 6533 /* 6534 * Convert the requested KEY_NEED_* permit into an SELinux KEY__* permission. 6535 * 6536 * flags may also convey override flags such as 6537 * KEY_PERMISSION_USED_AUTH/SYSADMIN_OVERRIDE to indicate when the main 6538 * permission check overrode the permissions on the key. 6539 * 6540 * Returns the perms to check for in *_perm and *_perm2. If either perm is 6541 * present, then the operation is allowed. 6542 */ 6543 static int selinux_keyperm_to_av(struct key *key, const struct cred *cred, 6544 unsigned int need_perm, unsigned int flags, 6545 u32 *_perm, u32 *_perm2) 6546 { 6547 bool auth_can_override = false; /* See KEYCTL_ASSUME_AUTHORITY */ 6549 6550 switch (need_perm) { 6551 case KEY_NEED_ASSUME_AUTHORITY: 6552 return 0; 6553 6554 case KEY_NEED_DESCRIBE: 6555 case KEY_NEED_GET_SECURITY: 6556 *_perm = KEY__VIEW; 6557 auth_can_override = true; 6558 break; 6559 6560 case KEY_NEED_CHOWN: 6561 case KEY_NEED_SETPERM: 6562 case KEY_NEED_SET_RESTRICTION: 6563 *_perm = KEY__SETATTR; 6564 break; 6565 6566 case KEY_NEED_INSTANTIATE: 6567 auth_can_override = true; 6568 break; 6569 6570 case KEY_NEED_INVALIDATE: 6571 *_perm = KEY__SEARCH; 6572 if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, &key->flags)) 6573 sysadmin_can_override = true; 6574 break; 6575 6576 case KEY_NEED_JOIN: 6577 case KEY_NEED_LINK: 6578 *_perm = KEY__LINK; 6579 break; 6580 6581 case KEY_NEED_KEYRING_ADD: 6582 case KEY_NEED_KEYRING_DELETE: 6583 *_perm = KEY__WRITE; 6584 break; 6585 6586 case KEY_NEED_KEYRING_CLEAR: 6587 *_perm = KEY__WRITE; 6588 if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, &key->flags)) 6589 sysadmin_can_override = true; 6590 break; 6591 6592 case KEY_NEED_READ: 6593 *_perm = KEY__READ; 6594 break; 6595 6596 case KEY_NEED_REVOKE: 6597 *_perm = KEY__SETATTR; 6598 *_perm2 = KEY__WRITE; 6599 break; 6600 6601 case KEY_NEED_SEARCH: 6602 *_perm = KEY__SEARCH; 6603 break; 6604 6605 case KEY_NEED_SET_TIMEOUT: 6606 *_perm = KEY__SETATTR; 6607 auth_can_override = true; 6608 break; 6609 6610 case KEY_NEED_UNLINK: 6611 return 0; /* Mustn't prevent this; KEY_FLAG_KEEP is already 6612 * dealt with. */ 6613 6614 case KEY_NEED_UPDATE: 6615 *_perm = KEY__WRITE; 6616 break; 6617 6618 case KEY_NEED_USE: 6619 *_perm = KEY__READ; 6620 *_perm2 = KEY__SEARCH; 6621 break; 6622 6623 case KEY_NEED_WATCH: 6624 *_perm = KEY__VIEW; 6625 break; 6626 6627 default: 6628 WARN_ON(1); 6629 return -EPERM; 6630 } 6631 6632 /* Just allow the operation if the process has an authorisation token. 6633 * The presence of the token means that the kernel delegated 6634 * instantiation of a key to the process - which is problematic if we 6635 * then say that the process isn't allowed to get the description of 6636 * the key or actually instantiate it. 6637 */ 6638 if (auth_can_override && cred->request_key_auth) { 6639 struct request_key_auth *rka = 6640 cred->request_key_auth->payload.data[0]; 6641 if (rka->target_key == key) 6642 *_perm = 0; 6643 } 6644 6645 return 0; 6646 } 6647 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org