Date: Tue, 14 Jun 2022 12:35:22 +0800
From: kernel test robot
To: Micah Morton, linux-security-module@vger.kernel.org
Cc: kbuild-all@lists.01.org, keescook@chromium.org, jmorris@namei.org, serge@hallyn.com, linux-kernel@vger.kernel.org, Micah Morton
Subject: Re: [PATCH 2/2] LSM: SafeSetID: Add setgroups() security policy handling
Message-ID: <202206141217.8YUKCl5p-lkp@intel.com>
References: <20220613202852.447738-1-mortonm@chromium.org>
In-Reply-To: <20220613202852.447738-1-mortonm@chromium.org>

Hi Micah,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on jmorris-security/next-testing kees/for-next/pstore v5.19-rc2 next-20220610]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:      https://github.com/intel-lab-lkp/linux/commits/Micah-Morton/security-Add-LSM-hook-to-setgroups-syscall/20220614-050341
base:     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3
config:   arc-randconfig-r043-20220613 (https://download.01.org/0day-ci/archive/20220614/202206141217.8YUKCl5p-lkp@intel.com/config)
compiler: arc-elf-gcc (GCC) 11.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/248aa1aeef5c49d4af78b9c3d09e896413258c76
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Micah-Morton/security-Add-LSM-hook-to-setgroups-syscall/20220614-050341
        git checkout 248aa1aeef5c49d4af78b9c3d09e896413258c76
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.3.0 make.cross W=1 O=build_dir ARCH=arc SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot

All errors (new ones prefixed by >>):

   security/safesetid/lsm.c: In function 'safesetid_task_fix_setgroups':
>> security/safesetid/lsm.c:248:64: error: 'group_info' undeclared (first use in this function)
     248 |                 if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
         |                                                                ^~~~~~~~~~
   security/safesetid/lsm.c:248:64: note: each undeclared identifier is reported only once for each function it appears in

vim +/group_info +248 security/safesetid/lsm.c

   237
   238  static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)
   239  {
   240          int i;
   241
   242          /* Do nothing if there are no setgid restrictions for our old RGID. */
   243          if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
   244                  return 0;
   245
   246          get_group_info(new->group_info);
   247          for (i = 0; i < new->group_info->ngroups; i++) {
 > 248                  if (!id_permitted_for_cred(old, (kid_t){.gid = group_info->gid[i]}, GID)) {
   249                          put_group_info(new->group_info);
   250                          /*
   251                           * Kill this process to avoid potential security vulnerabilities
   252                           * that could arise from a missing allowlist entry preventing a
   253                           * privileged process from dropping to a lesser-privileged one.
   254                           */
   255                          force_sig(SIGKILL);
   256                          return -EACCES;
   257                  }
   258          }
   259
   260          put_group_info(new->group_info);
   261          return 0;
   262  }
   263

--
0-DAY CI Kernel Test Service
https://01.org/lkp