| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202203011657.jvIKXd3v-lkp@intel.com>
Date: Tue, 1 Mar 2022 16:52:40 +0800
From: kernel test robot <lkp@...el.com>
To: Aaron Tomlin <atomlin@...hat.com>
Cc: kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
Luis Chamberlain <mcgrof@...nel.org>,
Christophe Leroy <christophe.leroy@...roup.eu>
Subject: [mcgrof:modules-testing 7/14] security/integrity/ima/ima_main.c:799:
undefined reference to `is_module_sig_enforced'
tree: https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git modules-testing
head: 8ca5e1dab7c3e51c63f07cd86e004a4df9ac7e76
commit: 6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c [7/14] module: Move extra signature support out of core code
config: i386-randconfig-c001 (https://download.01.org/0day-ci/archive/20220301/202203011657.jvIKXd3v-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/commit/?id=6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c
git remote add mcgrof https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git
git fetch --no-tags mcgrof modules-testing
git checkout 6fbb12ccf3a340cf8bbd224e36106d1eccfcc54c
# save the config file to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
All errors (new ones prefixed by >>):
ld: security/integrity/ima/ima_main.o: in function `ima_load_data':
>> security/integrity/ima/ima_main.c:799: undefined reference to `is_module_sig_enforced'
vim +799 security/integrity/ima/ima_main.c
5a9196d715607f Mimi Zohar 2014-07-22 759
16c267aac86b46 Mimi Zohar 2018-07-13 760 /**
16c267aac86b46 Mimi Zohar 2018-07-13 761 * ima_load_data - appraise decision based on policy
16c267aac86b46 Mimi Zohar 2018-07-13 762 * @id: kernel load data caller identifier
b64fcae74b6d69 Kees Cook 2020-10-02 763 * @contents: whether the full contents will be available in a later
b64fcae74b6d69 Kees Cook 2020-10-02 764 * call to ima_post_load_data().
16c267aac86b46 Mimi Zohar 2018-07-13 765 *
16c267aac86b46 Mimi Zohar 2018-07-13 766 * Callers of this LSM hook can not measure, appraise, or audit the
16c267aac86b46 Mimi Zohar 2018-07-13 767 * data provided by userspace. Enforce policy rules requring a file
16c267aac86b46 Mimi Zohar 2018-07-13 768 * signature (eg. kexec'ed kernel image).
16c267aac86b46 Mimi Zohar 2018-07-13 769 *
16c267aac86b46 Mimi Zohar 2018-07-13 770 * For permission return 0, otherwise return -EACCES.
16c267aac86b46 Mimi Zohar 2018-07-13 771 */
b64fcae74b6d69 Kees Cook 2020-10-02 772 int ima_load_data(enum kernel_load_data_id id, bool contents)
16c267aac86b46 Mimi Zohar 2018-07-13 773 {
b5ca117365d960 Nayna Jain 2018-10-09 774 bool ima_enforce, sig_enforce;
c77b8cdf745d91 Mimi Zohar 2018-07-13 775
b5ca117365d960 Nayna Jain 2018-10-09 776 ima_enforce =
b5ca117365d960 Nayna Jain 2018-10-09 777 (ima_appraise & IMA_APPRAISE_ENFORCE) == IMA_APPRAISE_ENFORCE;
16c267aac86b46 Mimi Zohar 2018-07-13 778
16c267aac86b46 Mimi Zohar 2018-07-13 779 switch (id) {
16c267aac86b46 Mimi Zohar 2018-07-13 780 case LOADING_KEXEC_IMAGE:
99d5cadfde2b1a Jiri Bohac 2019-08-19 781 if (IS_ENABLED(CONFIG_KEXEC_SIG)
b5ca117365d960 Nayna Jain 2018-10-09 782 && arch_ima_get_secureboot()) {
b5ca117365d960 Nayna Jain 2018-10-09 783 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
b5ca117365d960 Nayna Jain 2018-10-09 784 return -EACCES;
b5ca117365d960 Nayna Jain 2018-10-09 785 }
b5ca117365d960 Nayna Jain 2018-10-09 786
b5ca117365d960 Nayna Jain 2018-10-09 787 if (ima_enforce && (ima_appraise & IMA_APPRAISE_KEXEC)) {
16c267aac86b46 Mimi Zohar 2018-07-13 788 pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
16c267aac86b46 Mimi Zohar 2018-07-13 789 return -EACCES; /* INTEGRITY_UNKNOWN */
16c267aac86b46 Mimi Zohar 2018-07-13 790 }
fed2512a7ccc8f Mimi Zohar 2018-07-13 791 break;
fed2512a7ccc8f Mimi Zohar 2018-07-13 792 case LOADING_FIRMWARE:
4f2d99b06b7380 Kees Cook 2020-10-02 793 if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
fed2512a7ccc8f Mimi Zohar 2018-07-13 794 pr_err("Prevent firmware sysfs fallback loading.\n");
fed2512a7ccc8f Mimi Zohar 2018-07-13 795 return -EACCES; /* INTEGRITY_UNKNOWN */
fed2512a7ccc8f Mimi Zohar 2018-07-13 796 }
c77b8cdf745d91 Mimi Zohar 2018-07-13 797 break;
c77b8cdf745d91 Mimi Zohar 2018-07-13 798 case LOADING_MODULE:
c77b8cdf745d91 Mimi Zohar 2018-07-13 @799 sig_enforce = is_module_sig_enforced();
c77b8cdf745d91 Mimi Zohar 2018-07-13 800
b5ca117365d960 Nayna Jain 2018-10-09 801 if (ima_enforce && (!sig_enforce
b5ca117365d960 Nayna Jain 2018-10-09 802 && (ima_appraise & IMA_APPRAISE_MODULES))) {
c77b8cdf745d91 Mimi Zohar 2018-07-13 803 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
c77b8cdf745d91 Mimi Zohar 2018-07-13 804 return -EACCES; /* INTEGRITY_UNKNOWN */
c77b8cdf745d91 Mimi Zohar 2018-07-13 805 }
28073eb09c5aa2 Gustavo A. R. Silva 2020-11-20 806 break;
16c267aac86b46 Mimi Zohar 2018-07-13 807 default:
16c267aac86b46 Mimi Zohar 2018-07-13 808 break;
16c267aac86b46 Mimi Zohar 2018-07-13 809 }
16c267aac86b46 Mimi Zohar 2018-07-13 810 return 0;
16c267aac86b46 Mimi Zohar 2018-07-13 811 }
16c267aac86b46 Mimi Zohar 2018-07-13 812
:::::: The code at line 799 was first introduced by commit
:::::: c77b8cdf745d91eca138e7bfa430dc6640b604a0 module: replace the existing LSM hook in init_module
:::::: TO: Mimi Zohar <zohar@...ux.vnet.ibm.com>
:::::: CC: James Morris <james.morris@...rosoft.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Powered by blists - more mailing lists