Message-ID: <202511071406.hU1UdCKh-lkp@intel.com>
Date: Fri, 7 Nov 2025 14:54:25 +0800
From: kernel test robot <lkp@...el.com>
To: Tahera Fahimi <taherafahimi@...ux.microsoft.com>, zohar@...ux.ibm.com,
roberto.sassu@...wei.com, dmitry.kasatkin@...il.com,
eric.snowberg@...cle.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
code@...icks.com
Cc: oe-kbuild-all@...ts.linux.dev,
Tahera Fahimi <taherafahimi@...ux.microsoft.com>
Subject: Re: [Patch V1] ima: avoid duplicate policy rules insertions
Hi Tahera,
kernel test robot noticed the following build warnings:
[auto build test WARNING on zohar-integrity/next-integrity]
[also build test WARNING on linus/master v6.18-rc4 next-20251107]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Tahera-Fahimi/ima-avoid-duplicate-policy-rules-insertions/20251107-021615
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link: https://lore.kernel.org/r/20251106181404.3429710-1-taherafahimi%40linux.microsoft.com
patch subject: [Patch V1] ima: avoid duplicate policy rules insertions
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20251107/202511071406.hU1UdCKh-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251107/202511071406.hU1UdCKh-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511071406.hU1UdCKh-lkp@intel.com/
All warnings (new ones prefixed by >>):
security/integrity/ima/ima_policy.c: In function 'template_has_field':
>> security/integrity/ima/ima_policy.c:1958:13: warning: unused variable 'j' [-Wunused-variable]
1958 | int j;
| ^
--
>> Warning: security/integrity/ima/ima_policy.c:2078 function parameter 'new_rule' not described in 'ima_rule_exists'
vim +/j +1958 security/integrity/ima/ima_policy.c
1955
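/*
 * template_has_field - report whether a template contains a given field
 * @field_id: identifier string of the field to look for
 * @template2: template descriptor whose fields[] array is searched
 *
 * Walks template2->fields[0 .. num_fields) and compares each entry's
 * field_id with strcmp().
 *
 * Return: true if a field with the same identifier is present, false otherwise.
 */
static bool template_has_field(const char *field_id, const struct ima_template_desc *template2)
{
	int j;

	/*
	 * One index only: declaring "int j" again inside the for statement
	 * shadows this variable and leaves it unused, which is what the W=1
	 * build reports as -Wunused-variable.
	 */
	for (j = 0; j < template2->num_fields; j++) {
		if (strcmp(field_id, template2->fields[j]->field_id) == 0)
			return true;
	}

	return false;
}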
1966
/*
 * keyring_has_item - linear search of a rule's keyring list
 * @item: keyring name to look for
 * @keyrings: option list whose items[0 .. count) are compared with strcmp()
 *
 * Return: true on the first exact string match, false if none matches.
 */
static bool keyring_has_item(const char *item, const struct ima_rule_opt_list *keyrings)
{
	int idx = 0;

	while (idx < keyrings->count) {
		if (!strcmp(item, keyrings->items[idx]))
			return true;
		idx++;
	}

	return false;
}
1977
/*
 * labels_has_item - linear search of a rule's label list
 * @item: label to look for
 * @labels: option list whose items[0 .. count) are compared with strcmp()
 *
 * Same search as keyring_has_item(), applied to the label list.
 *
 * Return: true if some entry is string-equal to @item, false otherwise.
 */
static bool labels_has_item(const char *item, const struct ima_rule_opt_list *labels)
{
	int pos;

	for (pos = 0; pos < labels->count; pos++)
		if (!strcmp(labels->items[pos], item))
			return true;

	return false;
}
1988
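/*
 * ima_rules_equal - decide whether two policy rules express the same rule
 * @rule1: first rule
 * @rule2: second rule
 *
 * The result is used by ima_rule_exists() to report a candidate rule as
 * already present. A false "equal" is therefore the dangerous direction: a
 * rule that differs in some condition would be reported as a duplicate, and
 * (per the patch subject) not inserted. Every condition that changes what a
 * rule matches has to take part in the comparison.
 *
 * Return: true if all compared conditions agree, false otherwise.
 */
static bool ima_rules_equal(const struct ima_rule_entry *rule1, const struct ima_rule_entry *rule2)
{
	int i;

	if (rule1->flags != rule2->flags)
		return false;

	if (rule1->action != rule2->action)
		return false;

	/* flags are identical from here on, so testing rule1->flags covers both. */
	if (((rule1->flags & IMA_FUNC) && rule1->func != rule2->func) ||
	    ((rule1->flags & (IMA_MASK | IMA_INMASK)) && rule1->mask != rule2->mask) ||
	    ((rule1->flags & IMA_FSMAGIC) && rule1->fsmagic != rule2->fsmagic) ||
	    ((rule1->flags & IMA_FSUUID) && !uuid_equal(&rule1->fsuuid, &rule2->fsuuid)) ||
	    ((rule1->flags & IMA_UID) && !uid_eq(rule1->uid, rule2->uid)) ||
	    ((rule1->flags & IMA_GID) && !gid_eq(rule1->gid, rule2->gid)) ||
	    ((rule1->flags & IMA_FOWNER) && !uid_eq(rule1->fowner, rule2->fowner)) ||
	    ((rule1->flags & IMA_FGROUP) && !gid_eq(rule1->fgroup, rule2->fgroup)) ||
	    ((rule1->flags & IMA_FSNAME) && (strcmp(rule1->fsname, rule2->fsname) != 0)) ||
	    ((rule1->flags & IMA_PCR) && rule1->pcr != rule2->pcr) ||
	    ((rule1->flags & IMA_VALIDATE_ALGOS) &&
	     rule1->allowed_algos != rule2->allowed_algos) ||
	    ((rule1->flags & IMA_EUID) && !uid_eq(rule1->uid, rule2->uid)) ||
	    ((rule1->flags & IMA_EGID) && !gid_eq(rule1->gid, rule2->gid)))
		return false;

	/*
	 * The id conditions also carry a comparison operator (=, <, >), kept
	 * as the handler pointers uid_op/gid_op/fowner_op/fgroup_op in
	 * struct ima_rule_entry (declared outside this listing). Two rules
	 * with the same id value but different operators match different
	 * subjects, so they must not compare equal. Only checked when the
	 * corresponding flag is set, since rules without the condition may
	 * leave the handler unset.
	 */
	if (((rule1->flags & (IMA_UID | IMA_EUID)) && rule1->uid_op != rule2->uid_op) ||
	    ((rule1->flags & (IMA_GID | IMA_EGID)) && rule1->gid_op != rule2->gid_op) ||
	    ((rule1->flags & IMA_FOWNER) && rule1->fowner_op != rule2->fowner_op) ||
	    ((rule1->flags & IMA_FGROUP) && rule1->fgroup_op != rule2->fgroup_op))
		return false;

	/*
	 * Templates: both absent is a match, exactly one absent is not.
	 * Otherwise the field counts must agree and every field of rule1 must
	 * occur in rule2.
	 * NOTE(review): this is a set-style comparison; it ignores field order
	 * and repeated fields. If field order affects the measurement entry,
	 * permuted templates would be reported equal - confirm this is intended.
	 */
	if (rule1->template || rule2->template) {
		if (!rule1->template || !rule2->template)
			return false;

		if (rule1->template->num_fields != rule2->template->num_fields)
			return false;

		for (i = 0; i < rule1->template->num_fields; i++) {
			if (!template_has_field(rule1->template->fields[i]->field_id,
						rule2->template))
				return false;
		}
	}

	/* Keyring lists: same count and every name of rule1 present in rule2. */
	if ((rule1->flags & IMA_KEYRINGS) && (rule1->keyrings || rule2->keyrings)) {
		if (!rule1->keyrings || !rule2->keyrings)
			return false;

		if (rule1->keyrings->count != rule2->keyrings->count)
			return false;

		for (i = 0; i < rule1->keyrings->count; i++) {
			if (!keyring_has_item(rule1->keyrings->items[i], rule2->keyrings))
				return false;
		}
	}

	/* Label lists: same count and every label of rule1 present in rule2. */
	if ((rule1->flags & IMA_LABEL) && (rule1->label || rule2->label)) {
		if (!rule1->label || !rule2->label)
			return false;

		if (rule1->label->count != rule2->label->count)
			return false;

		for (i = 0; i < rule1->label->count; i++) {
			if (!labels_has_item(rule1->label->items[i], rule2->label))
				return false;
		}
	}

	/*
	 * LSM conditions are compared slot by slot through their textual
	 * arguments.
	 * NOTE(review): a slot is skipped when .rule is NULL on both sides. If
	 * a slot can hold args_p while .rule is NULL, two rules with different
	 * LSM arguments would compare equal here - confirm against the code
	 * that initialises lsm[].
	 */
	for (i = 0; i < MAX_LSM_RULES; i++) {
		if (!rule1->lsm[i].rule && !rule2->lsm[i].rule)
			continue;

		if (!rule1->lsm[i].rule || !rule2->lsm[i].rule)
			return false;

		if (strcmp(rule1->lsm[i].args_p, rule2->lsm[i].args_p) != 0)
			return false;
	}

	return true;
}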
2072
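/**
 * ima_rule_exists - check if a rule already exists in the policy
 * @new_rule: candidate rule to compare against the rules already known
 *
 * Checks the temporary rules list first, then the active policy.
 *
 * Return: true if ima_rules_equal() matches @new_rule against any entry,
 * false otherwise.
 */
static bool ima_rule_exists(struct ima_rule_entry *new_rule)
{
	struct ima_rule_entry *entry;
	struct list_head *ima_rules_tmp;
	bool found = false;

	/*
	 * list_for_each_entry() does nothing on an empty list, so no separate
	 * list_empty() guard is needed.
	 * NOTE(review): this walk of ima_temp_rules takes no lock here;
	 * presumably the caller serialises policy writes - confirm.
	 */
	list_for_each_entry(entry, &ima_temp_rules, list) {
		if (ima_rules_equal(entry, new_rule))
			return true;
	}

	/* The active policy is read under RCU; leave through a single unlock. */
	rcu_read_lock();
	ima_rules_tmp = rcu_dereference(ima_rules);
	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
		if (ima_rules_equal(entry, new_rule)) {
			found = true;
			break;
		}
	}
	rcu_read_unlock();

	return found;
}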
2102
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki