Hi David,
[FYI, it's a private test report for your RFC patch.]
[auto build test WARNING on cifs/for-next]
[also build test WARNING on dm/for-next linus/master v5.8-rc5 next-20200716]
[cannot apply to security/next-testing pcmoore-selinux/next ecryptfs/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
When submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url:
https://github.com/0day-ci/linux/commits/David-Howells/keys-Security-chan...
base:
git://git.samba.org/sfrench/cifs-2.6.git for-next
config: i386-randconfig-r013-20200717 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-14) 9.3.0
reproduce (this is a W=1 build):
# save the attached .config to linux build tree
make W=1 ARCH=i386
If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp(a)intel.com>
All warnings (new ones prefixed by >>):
security/selinux/hooks.c: In function 'selinux_keyperm_to_av':
>> security/selinux/hooks.c:6548:7: warning: variable 'sysadmin_can_override' set but not used [-Wunused-but-set-variable]
6548 | bool sysadmin_can_override = false;
| ^~~~~~~~~~~~~~~~~~~~~
vim +/sysadmin_can_override +6548 security/selinux/hooks.c
6532
6533 /*
6534  * Convert the requested KEY_NEED_* permit into an SELinux KEY__* permission.
6535  *
6536  * flags may also convey override flags such as
6537  * KEY_PERMISSION_USED_AUTH/SYSADMIN_OVERRIDE to indicate when the main
6538  * permission check overrode the permissions on the key.
6539  *
6540  * Returns the perms to check for in *_perm and *_perm2. If either perm is
6541  * present, then the operation is allowed.
      *
      * Returns 0 once the mapping is done, or -EPERM (after WARN_ON) for a
      * need_perm value that no case handles.
      *
      * NOTE(review): several paths return 0 without writing *_perm, and most
      * never write *_perm2, so the result depends on what the caller stored
      * there beforehand - presumably 0; confirm against the caller.
      *
      * NOTE(review): flags is never read in this body, and
      * sysadmin_can_override is assigned but never consumed (the W=1 warning
      * reported for line 6548). The sysadmin override described above is
      * therefore not implemented here; only the authorisation-token override
      * is.
6542  */
6543 static int selinux_keyperm_to_av(struct key *key, const struct cred *cred,
6544 				 unsigned int need_perm, unsigned int flags,
6545 				 u32 *_perm, u32 *_perm2)
6546 {
6547 	bool auth_can_override = false; /* See KEYCTL_ASSUME_AUTHORITY */
     	/*
     	 * NOTE(review): set in the KEY_NEED_INVALIDATE and
     	 * KEY_NEED_KEYRING_CLEAR cases but never tested afterwards. Deleting
     	 * it would silence the warning while hiding the missing override
     	 * logic; the intended use needs confirming with the patch author.
     	 */
6548 	bool sysadmin_can_override = false;
6549
6550 	switch (need_perm) {
6551 	case KEY_NEED_ASSUME_AUTHORITY:
     		/* Returns before either output is written. */
6552 		return 0;
6553
6554 	case KEY_NEED_DESCRIBE:
6555 	case KEY_NEED_GET_SECURITY:
6556 		*_perm = KEY__VIEW;
6557 		auth_can_override = true;
6558 		break;
6559
6560 	case KEY_NEED_CHOWN:
6561 	case KEY_NEED_SETPERM:
6562 	case KEY_NEED_SET_RESTRICTION:
6563 		*_perm = KEY__SETATTR;
6564 		break;
6565
6566 	case KEY_NEED_INSTANTIATE:
     		/*
     		 * No permission is stored for this request; only the
     		 * authorisation-token override is enabled. *_perm keeps
     		 * whatever the caller put there.
     		 */
6567 		auth_can_override = true;
6568 		break;
6569
6570 	case KEY_NEED_INVALIDATE:
6571 		*_perm = KEY__SEARCH;
     		/*
     		 * The flag is recorded but has no effect: KEY__SEARCH is
     		 * still what gets returned for keys marked
     		 * KEY_FLAG_ROOT_CAN_INVAL.
     		 */
6572 		if (test_bit(KEY_FLAG_ROOT_CAN_INVAL, &key->flags))
6573 			sysadmin_can_override = true;
6574 		break;
6575
6576 	case KEY_NEED_JOIN:
6577 	case KEY_NEED_LINK:
6578 		*_perm = KEY__LINK;
6579 		break;
6580
6581 	case KEY_NEED_KEYRING_ADD:
6582 	case KEY_NEED_KEYRING_DELETE:
6583 		*_perm = KEY__WRITE;
6584 		break;
6585
6586 	case KEY_NEED_KEYRING_CLEAR:
6587 		*_perm = KEY__WRITE;
     		/*
     		 * As for KEY_NEED_INVALIDATE: the flag is recorded but
     		 * KEY__WRITE is returned regardless of
     		 * KEY_FLAG_ROOT_CAN_CLEAR.
     		 */
6588 		if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR, &key->flags))
6589 			sysadmin_can_override = true;
6590 		break;
6591
6592 	case KEY_NEED_READ:
6593 		*_perm = KEY__READ;
6594 		break;
6595
6596 	case KEY_NEED_REVOKE:
     		/* Two alternatives: either permission is reported. */
6597 		*_perm = KEY__SETATTR;
6598 		*_perm2 = KEY__WRITE;
6599 		break;
6600
6601 	case KEY_NEED_SEARCH:
6602 		*_perm = KEY__SEARCH;
6603 		break;
6604
6605 	case KEY_NEED_SET_TIMEOUT:
6606 		*_perm = KEY__SETATTR;
6607 		auth_can_override = true;
6608 		break;
6609
6610 	case KEY_NEED_UNLINK:
6611 		return 0; /* Mustn't prevent this; KEY_FLAG_KEEP is already
6612 			   * dealt with. */
6613
6614 	case KEY_NEED_UPDATE:
6615 		*_perm = KEY__WRITE;
6616 		break;
6617
6618 	case KEY_NEED_USE:
     		/* Two alternatives: either permission is reported. */
6619 		*_perm = KEY__READ;
6620 		*_perm2 = KEY__SEARCH;
6621 		break;
6622
6623 	case KEY_NEED_WATCH:
6624 		*_perm = KEY__VIEW;
6625 		break;
6626
6627 	default:
     		/* Unrecognised request: warn and deny rather than map it. */
6628 		WARN_ON(1);
6629 		return -EPERM;
6630 	}
6631
6632 	/* Just allow the operation if the process has an authorisation token.
6633 	 * The presence of the token means that the kernel delegated
6634 	 * instantiation of a key to the process - which is problematic if we
6635 	 * then say that the process isn't allowed to get the description of
6636 	 * the key or actually instantiate it.
     	 *
     	 * Only *_perm is cleared, and only when the token's target_key is
     	 * this key; *_perm2 is left alone.
     	 *
     	 * NOTE(review): rka is read straight from payload.data[0] and
     	 * dereferenced without a NULL check - confirm the auth key's payload
     	 * cannot be cleared (for example on revocation) while this runs.
6637 	 */
6638 	if (auth_can_override && cred->request_key_auth) {
6639 		struct request_key_auth *rka =
6640 			cred->request_key_auth->payload.data[0];
6641 		if (rka->target_key == key)
6642 			*_perm = 0;
6643 	}
6644
6645 	return 0;
6646 }
6647
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org