Define two new LSM hooks: security_lsm_config_self_policy and
security_lsm_config_system_policy and wire them into the corresponding
lsm_config_*_policy() syscalls so that LSMs can register a unified
interface for policy management. This initial, minimal implementation
only supports the LSM_POLICY_LOAD operation to limit changes.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
---
include/linux/lsm_hook_defs.h | 4 ++
include/linux/security.h | 16 ++++++++
include/uapi/linux/lsm.h | 8 ++++
security/Kconfig | 22 +++++++++++
security/lsm_syscalls.c | 17 ++++++++-
security/security.c | 69 +++++++++++++++++++++++++++++++++++
6 files changed, 134 insertions(+), 2 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..fca490444643 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -464,3 +464,7 @@ LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev,
enum lsm_integrity_type type, const void *value, size_t size)
+LSM_HOOK(int, -EINVAL, lsm_config_self_policy, u32 lsm_id, u32 op,
+ void __user *buf, size_t size, u32 flags)
+LSM_HOOK(int, -EINVAL, lsm_config_system_policy, u32 lsm_id, u32 op,
+ void __user *buf, size_t size, u32 flags)
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..c2158f2656fd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -581,6 +581,11 @@ void security_bdev_free(struct block_device *bdev);
int security_bdev_setintegrity(struct block_device *bdev,
enum lsm_integrity_type type, const void *value,
size_t size);
+int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags);
+int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags);
+
#else /* CONFIG_SECURITY */
/**
@@ -1603,6 +1608,17 @@ static inline int security_bdev_setintegrity(struct block_device *bdev,
return 0;
}
+static int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags)
+
+ return -EOPNOTSUPP;
+}
+
+static int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags)
+
+ return -EOPNOTSUPP;
+}
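Review bot: Both !CONFIG_SECURITY stubs are missing the opening brace after their parameter list (lines L45–L47 and L51–L53), so the `return -EOPNOTSUPP;` that follows is parsed as a K&R-style parameter declaration; this is the likely origin of the "storage class specified for parameter" errors the test robot reports for a randconfig without SECURITY. They should also be `static inline` like the surrounding stubs (e.g. security_bdev_setintegrity above), otherwise every translation unit including the header gets an unused static definition. Concretely: `static inline int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf,` … `{` before the return, and the same for security_lsm_config_system_policy. Note too that the stub returns -EOPNOTSUPP while the hook default in lsm_hook_defs.h is -EINVAL; picking one value for "no LSM handles this" would make the user-facing behaviour consistent across configs.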
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
index 938593dfd5da..844279f819ce 100644
--- a/include/uapi/linux/lsm.h
+++ b/include/uapi/linux/lsm.h
@@ -90,4 +90,12 @@ struct lsm_ctx {
*/
#define LSM_FLAG_SINGLE 0x0001
+/*
+ * LSM_POLICY_XXX definitions identify the different operations
+ * configure lsm policies
+ */
+
+#define LSM_POLICY_UNDEF 0
+#define LSM_POLICY_LOAD 100
+
#endif /* _UAPI_LINUX_LSM_H */
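Review bot: The comment on the new UAPI constants reads "identify the different operations configure lsm policies", which is missing a word; since this is a user-visible header it is worth fixing before it lands: `* LSM_POLICY_XXX definitions identify the operations used to configure LSM policies`. It would also help userspace readers to say in the same comment what LSM_POLICY_UNDEF is for (presumably "no operation / reserved") and why the first real operation is numbered 100 rather than 1, if that gap is intentional to leave room for other operation classes.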
diff --git a/security/Kconfig b/security/Kconfig
index 4816fc74f81e..958be7b49a9e 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -220,6 +220,28 @@ config STATIC_USERMODEHELPER_PATH
If you wish for all usermode helper programs to be disabled,
specify an empty string here (i.e. "").
+config LSM_CONFIG_SELF_POLICY_MAX_BUFFER_SIZE
+ int "Maximum buffer size for lsm_manage_policy"
+ range 16384 1073741824
+ depends on SECURITY
+ default 4194304
+ help
+ The maximum size of the buffer argument of lsm_config_self_policy.
+
+ The default value of 4194304 (4MiB) is reasonable and should be large
+ enough to fit policies in for most cases.
+
+config LSM_CONFIG_SYSTEM_POLICY_MAX_BUFFER_SIZE
+ int "Maximum buffer size for lsm_manage_policy"
+ range 16384 1073741824
+ depends on SECURITY
+ default 4194304
+ help
+ The maximum size of the buffer argument of lsm_config_system_policy.
+
+ The default value of 4194304 (4MiB) is reasonable and should be large
+ enough to fit policies in for most cases
+
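Review bot: Both new options carry the prompt "Maximum buffer size for lsm_manage_policy", which does not match either syscall name and makes the two entries indistinguishable in menuconfig; the help text uses the right names, so the prompts should follow: `int "Maximum buffer size for lsm_config_self_policy"` and `int "Maximum buffer size for lsm_config_system_policy"`. The second help text is also missing the trailing period on "for most cases". Since the two options are identical in range and default, it may be worth stating in the help why a caller-scoped and a system-scoped limit need to be tunable separately.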
source "security/selinux/Kconfig"
source "security/smack/Kconfig"
source "security/tomoyo/Kconfig"
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
index a3cb6dab8102..dd016ba6976c 100644
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -122,11 +122,24 @@ SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u32 __user *, size,
SYSCALL_DEFINE5(lsm_config_self_policy, u32, lsm_id, u32, op, void __user *,
buf, u32 __user *, size, u32, flags)
{
- return 0;
+ size_t usize;
+
+ if (get_user(usize, size))
+ return -EFAULT;
+
+ return security_lsm_config_self_policy(lsm_id, op, buf, usize, flags);
}
SYSCALL_DEFINE5(lsm_config_system_policy, u32, lsm_id, u32, op, void __user *,
buf, u32 __user *, size, u32, flags)
{
- return 0;
+ size_t usize;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ if (get_user(usize, size))
+ return -EFAULT;
+
+ return security_lsm_config_system_policy(lsm_id, op, buf, usize, flags);
}
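Review bot: Neither syscall validates `flags` before passing it to the LSM, so any bit pattern is accepted at the ABI boundary today and cannot be rejected later without a behaviour change; the existing lsm_list_modules() in this file rejects non-zero flags, and the same guard would keep these two consistent: `if (flags) return -EINVAL;` before the get_user() in both lsm_config_self_policy and lsm_config_system_policy. The `size` argument is a `u32 __user *` that is only read, never written back; if it is meant to be in/out like the other lsm_* syscalls, the hook signature should allow that, and if not, a short comment saying why it is a pointer would save the next reader the question. `usize` is a size_t filled from a u32, which is fine, but the narrower type could simply be `u32 usize;` to mirror what is actually read.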
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..8efea2b6e967 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5883,6 +5883,75 @@ int security_bdev_setintegrity(struct block_device *bdev,
}
EXPORT_SYMBOL(security_bdev_setintegrity);
+/**
+ * security_lsm_config_self_policy() - Manage caller's LSM policies
+ * @lsm_id: id of the LSM to target
+ * @op: Operation to perform (one of the LSM_POLICY_XXX values)
+ * @buf: userspace pointer to policy data
+ * @size: size of @buf
+ * @flags: lsm policy management flags
+ *
+ * Manage the policies of a LSM for the current domain/user. This notably allows
+ * to update them even when the lsmfs is unavailable is restricted. Currently,
+ * only LSM_POLICY_LOAD is supported.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags)
+{
+ int rc = LSM_RET_DEFAULT(lsm_config_self_policy);
+ struct lsm_static_call *scall;
+
+ if (size > (CONFIG_LSM_CONFIG_SELF_POLICY_MAX_BUFFER_SIZE))
+ return -E2BIG;
+
+ lsm_for_each_hook(scall, lsm_config_self_policy) {
+ if ((scall->hl->lsmid->id) == lsm_id) {
+ rc = scall->hl->hook.lsm_config_self_policy(lsm_id, op, buf, size, flags);
+ break;
+ }
+ }
+
+ return rc;
+}
+EXPORT_SYMBOL(security_lsm_config_self_policy);
+
+/**
+ * security_lsm_config_system_policy() - Manage system LSM policies
+ * @lsm_id: id of the lsm to target
+ * @op: Operation to perform (one of the LSM_POLICY_XXX values)
+ * @buf: userspace pointer to policy data
+ * @size: size of @buf
+ * @flags: lsm policy management flags
+ *
+ * Manage the policies of a LSM for the whole system. This notably allows
+ * to update them even when the lsmfs is unavailable is restricted. Currently,
+ * only LSM_POLICY_LOAD is supported.
+ *
+ * Return: Returns 0 on success, error on failure.
+ */
+int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf,
+ size_t size, u32 flags)
+{
+ int rc = LSM_RET_DEFAULT(lsm_config_system_policy);
+ struct lsm_static_call *scall;
+
+ if (size > (CONFIG_LSM_CONFIG_SYSTEM_POLICY_MAX_BUFFER_SIZE))
+ return -E2BIG;
+
+ lsm_for_each_hook(scall, lsm_config_system_policy) {
+ if ((scall->hl->lsmid->id) == lsm_id) {
+ rc = scall->hl->hook.lsm_config_system_policy(lsm_id, op, buf, size, flags);
+ break;
+ }
+ }
+
+ return rc;
+}
+EXPORT_SYMBOL(security_lsm_config_system_policy);
+
+
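Review bot: The kernel-doc for both functions says only LSM_POLICY_LOAD is supported, but neither security_lsm_config_self_policy nor security_lsm_config_system_policy checks `op`, so every value is forwarded to the matching LSM and the contract actually rests on each LSM's own handler; either add `if (op != LSM_POLICY_LOAD) return -EOPNOTSUPP;` ahead of the lsm_for_each_hook() loop in both, or reword the doc to say the common layer forwards `op` unchanged and each LSM rejects what it does not implement. Returning the -EINVAL hook default when no registered LSM matches `lsm_id` is indistinguishable from an LSM rejecting its arguments; a distinct code (or a sentence in the Return: section saying -EINVAL also covers an unknown lsm_id) would make this diagnosable from userspace. In both kernel-doc blocks "even when the lsmfs is unavailable is restricted" should read "even when the lsmfs is unavailable or restricted". The block also ends with two blank lines before `#ifdef CONFIG_PERF_EVENTS`; one is enough.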
#ifdef CONFIG_PERF_EVENTS
/**
* security_perf_event_open() - Check if a perf event open is allowed
--
2.48.1
Hi Maxime, kernel test robot noticed the following build warnings: [auto build test WARNING on 9c32cda43eb78f78c73aee4aa344b777714e259b] url: https://github.com/intel-lab-lkp/linux/commits/Maxime-B-lair/Wire-up-lsm_config_self_policy-and-lsm_config_system_policy-syscalls/20250620-022714 base: 9c32cda43eb78f78c73aee4aa344b777714e259b patch link: https://lore.kernel.org/r/20250619181600.478038-3-maxime.belair%40canonical.com patch subject: [PATCH v2 2/3] lsm: introduce security_lsm_config_*_policy hooks config: i386-buildonly-randconfig-006-20250620 (https://download.01.org/0day-ci/archive/20250620/202506201824.SlorGLXM-lkp@intel.com/config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250620/202506201824.SlorGLXM-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202506201824.SlorGLXM-lkp@intel.com/ All warnings (new ones prefixed by >>): | ^~~~~~~~~~~~~~~ include/linux/trace_events.h:869:13: error: storage class specified for parameter 'perf_trace_destroy' 869 | extern void perf_trace_destroy(struct perf_event *event); | ^~~~~~~~~~~~~~~~~~ include/linux/trace_events.h:870:13: error: storage class specified for parameter 'perf_trace_add' 870 | extern int perf_trace_add(struct perf_event *event, int flags); | ^~~~~~~~~~~~~~ include/linux/trace_events.h:871:13: error: storage class specified for parameter 'perf_trace_del' 871 | extern void perf_trace_del(struct perf_event *event, int flags); | ^~~~~~~~~~~~~~ include/linux/trace_events.h:890:13: error: storage class specified for parameter 'ftrace_profile_set_filter' 890 | extern int ftrace_profile_set_filter(struct perf_event *event, int event_id, | ^~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/trace_events.h:892:13: error: storage class specified for 
parameter 'ftrace_profile_free_filter' 892 | extern void ftrace_profile_free_filter(struct perf_event *event); | ^~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/trace_events.h:935:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 935 | { | ^ include/trace/syscall.h:25:1: warning: empty declaration 25 | struct syscall_metadata { | ^~~~~~ include/trace/syscall.h:47:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 47 | { | ^ In file included from include/linux/syscalls.h:104: arch/x86/include/asm/syscall_wrapper.h:11:13: error: storage class specified for parameter '__x64_sys_ni_syscall' 11 | extern long __x64_sys_ni_syscall(const struct pt_regs *regs); | ^~~~~~~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:12:13: error: storage class specified for parameter '__ia32_sys_ni_syscall' 12 | extern long __ia32_sys_ni_syscall(const struct pt_regs *regs); | ^~~~~~~~~~~~~~~~~~~~~ include/linux/syscalls.h:211:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 211 | { | ^ In file included from include/linux/linkage.h:8, from include/linux/preempt.h:10: arch/x86/include/asm/linkage.h:20:35: error: expected declaration specifiers before '__attribute__' 20 | #define asmlinkage CPP_ASMLINKAGE __attribute__((regparm(0))) | ^~~~~~~~~~~~~ include/linux/syscalls.h:1220:1: note: in expansion of macro 'asmlinkage' 1220 | asmlinkage long sys_ni_posix_timers(void); | ^~~~~~~~~~ include/linux/syscalls.h:1262:12: error: storage class specified for parameter 'do_fchownat' 1262 | extern int do_fchownat(int dfd, const char __user *filename, uid_t user, | ^~~~~~~~~~~ include/linux/syscalls.h:1267:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 1267 | { | ^ include/linux/syscalls.h:1273:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 1273 | { | ^ include/linux/syscalls.h:1281:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 1281 | { | ^ 
include/linux/syscalls.h:1288:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 1288 | { | ^ include/linux/syscalls.h:1293:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 1293 | { | ^ block/ioprio.c:34:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 34 | { | ^ arch/x86/include/asm/syscall_wrapper.h:224:21: error: storage class specified for parameter '__se_sys_ioprio_set' 224 | static long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:225:28: error: storage class specified for parameter '__do_sys_ioprio_set' 225 | static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) 
SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:225:28: warning: parameter '__do_sys_ioprio_set' declared 'inline' 225 | static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ >> block/ioprio.c:69:1: warning: 'gnu_inline' attribute ignored [-Wattributes] arch/x86/include/asm/syscall_wrapper.h:225:28: error: 'no_instrument_function' attribute applies only to functions 225 | static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) 
SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:93:55: error: expected declaration specifiers before ';' token 93 | ALLOW_ERROR_INJECTION(__##abi##_##name, ERRNO); \ | ^ arch/x86/include/asm/syscall_wrapper.h:128:9: note: in expansion of macro '__SYS_STUBx' 128 | __SYS_STUBx(ia32, sys##name, \ | ^~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:227:9: note: in expansion of macro '__IA32_SYS_STUBx' 227 | __IA32_SYS_STUBx(x, name, __VA_ARGS__) \ | ^~~~~~~~~~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:95:9: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 95 | { \ | ^ arch/x86/include/asm/syscall_wrapper.h:128:9: note: in expansion of macro '__SYS_STUBx' 128 | __SYS_STUBx(ia32, sys##name, \ | ^~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:227:9: note: in expansion of macro '__IA32_SYS_STUBx' 227 | __IA32_SYS_STUBx(x, name, __VA_ARGS__) \ | ^~~~~~~~~~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) 
SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:229:9: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 229 | { \ | ^ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:226:36: note: in expansion of macro 'SYSCALL_DEFINEx' 226 | #define SYSCALL_DEFINE3(name, ...) SYSCALL_DEFINEx(3, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:69:1: note: in expansion of macro 'SYSCALL_DEFINE3' 69 | SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio) | ^~~~~~~~~~~~~~~ block/ioprio.c:70:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 70 | { | ^ block/ioprio.c:143:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 143 | { | ^ block/ioprio.c:163:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 163 | { | ^ block/ioprio.c:180:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 180 | { | ^ arch/x86/include/asm/syscall_wrapper.h:224:21: error: storage class specified for parameter '__se_sys_ioprio_get' 224 | static long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:225:36: note: in expansion of macro 'SYSCALL_DEFINEx' 225 | #define SYSCALL_DEFINE2(name, ...) 
SYSCALL_DEFINEx(2, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:184:1: note: in expansion of macro 'SYSCALL_DEFINE2' 184 | SYSCALL_DEFINE2(ioprio_get, int, which, int, who) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:225:28: error: storage class specified for parameter '__do_sys_ioprio_get' 225 | static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' 235 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) | ^~~~~~~~~~~~~~~~~ include/linux/syscalls.h:225:36: note: in expansion of macro 'SYSCALL_DEFINEx' 225 | #define SYSCALL_DEFINE2(name, ...) SYSCALL_DEFINEx(2, _##name, __VA_ARGS__) | ^~~~~~~~~~~~~~~ block/ioprio.c:184:1: note: in expansion of macro 'SYSCALL_DEFINE2' 184 | SYSCALL_DEFINE2(ioprio_get, int, which, int, who) | ^~~~~~~~~~~~~~~ arch/x86/include/asm/syscall_wrapper.h:225:28: warning: parameter '__do_sys_ioprio_get' declared 'inline' 225 | static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ | ^~~~~~~~ include/linux/syscalls.h:235:9: note: in expansion of macro '__SYSCALL_DEFINEx' -- include/linux/init_syscalls.h:7:12: error: section attribute not allowed for 'init_chroot' 7 | int __init init_chroot(const char *filename); | ^~~~~~~~~~~ include/linux/init_syscalls.h:8:12: error: section attribute not allowed for 'init_chown' 8 | int __init init_chown(const char *filename, uid_t user, gid_t group, int flags); | ^~~~~~~~~~ include/linux/init_syscalls.h:9:12: error: section attribute not allowed for 'init_chmod' 9 | int __init init_chmod(const char *filename, umode_t mode); | ^~~~~~~~~~ include/linux/init_syscalls.h:10:12: error: section attribute not allowed for 'init_eaccess' 10 | int __init init_eaccess(const char *filename); | ^~~~~~~~~~~~ include/linux/init_syscalls.h:11:12: error: section attribute not allowed for 'init_stat' 11 | int __init init_stat(const char *filename, struct kstat *stat, int flags); | ^~~~~~~~~ 
include/linux/init_syscalls.h:12:12: error: section attribute not allowed for 'init_mknod' 12 | int __init init_mknod(const char *filename, umode_t mode, unsigned int dev); | ^~~~~~~~~~ include/linux/init_syscalls.h:13:12: error: section attribute not allowed for 'init_link' 13 | int __init init_link(const char *oldname, const char *newname); | ^~~~~~~~~ include/linux/init_syscalls.h:14:12: error: section attribute not allowed for 'init_symlink' 14 | int __init init_symlink(const char *oldname, const char *newname); | ^~~~~~~~~~~~ include/linux/init_syscalls.h:15:12: error: section attribute not allowed for 'init_unlink' 15 | int __init init_unlink(const char *pathname); | ^~~~~~~~~~~ include/linux/init_syscalls.h:16:12: error: section attribute not allowed for 'init_mkdir' 16 | int __init init_mkdir(const char *pathname, umode_t mode); | ^~~~~~~~~~ include/linux/init_syscalls.h:17:12: error: section attribute not allowed for 'init_rmdir' 17 | int __init init_rmdir(const char *pathname); | ^~~~~~~~~~ include/linux/init_syscalls.h:18:12: error: section attribute not allowed for 'init_utimes' 18 | int __init init_utimes(char *filename, struct timespec64 *ts); | ^~~~~~~~~~~ include/linux/init_syscalls.h:19:12: error: section attribute not allowed for 'init_dup' 19 | int __init init_dup(struct file *file); | ^~~~~~~~ In file included from init/do_mounts.h:12: include/linux/task_work.h:8:16: error: storage class specified for parameter 'task_work_func_t' 8 | typedef void (*task_work_func_t)(struct callback_head *); | ^~~~~~~~~~~~~~~~ include/linux/task_work.h:11:45: error: expected declaration specifiers or '...' 
before 'task_work_func_t' 11 | init_task_work(struct callback_head *twork, task_work_func_t func) | ^~~~~~~~~~~~~~~~ include/linux/task_work.h:16:1: warning: empty declaration 16 | enum task_work_notify_mode { | ^~~~ include/linux/task_work.h:25:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 25 | { | ^ include/linux/task_work.h:34:67: error: expected declaration specifiers or '...' before 'task_work_func_t' 34 | struct callback_head *task_work_cancel_func(struct task_struct *, task_work_func_t); | ^~~~~~~~~~~~~~~~ include/linux/task_work.h:39:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 39 | { | ^ init/do_mounts.h:17:12: error: storage class specified for parameter 'root_mountflags' 17 | extern int root_mountflags; | ^~~~~~~~~~~~~~~ init/do_mounts.h:20:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 20 | { | ^ init/do_mounts.h:32:39: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 32 | static inline int rd_load_disk(int n) { return 0; } | ^ init/do_mounts.h:33:45: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 33 | static inline int rd_load_image(char *from) { return 0; } | ^ init/do_mounts.h:38:13: error: section attribute not allowed for 'initrd_load' 38 | bool __init initrd_load(char *root_device_name); | ^~~~~~~~~~~ init/do_mounts.h:49:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 49 | { | ^ init/do_mounts_initrd.c:17:21: error: storage class specified for parameter 'real_root_dev' 17 | static unsigned int real_root_dev; /* do_proc_dointvec cannot handle kdev_t */ | ^~~~~~~~~~~~~ init/do_mounts_initrd.c:18:23: error: storage class specified for parameter 'mount_initrd' 18 | static int __initdata mount_initrd = 1; | ^~~~~~~~~~~~ init/do_mounts_initrd.c:18:1: error: parameter 'mount_initrd' is initialized 18 | static int __initdata mount_initrd = 1; | ^~~~~~ init/do_mounts_initrd.c:18:23: error: 
section attribute not allowed for 'mount_initrd' 18 | static int __initdata mount_initrd = 1; | ^~~~~~~~~~~~ init/do_mounts_initrd.c:20:13: error: section attribute not allowed for 'phys_initrd_start' 20 | phys_addr_t phys_initrd_start __initdata; | ^~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:21:15: error: section attribute not allowed for 'phys_initrd_size' 21 | unsigned long phys_initrd_size __initdata; | ^~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:24:31: error: storage class specified for parameter 'kern_do_mounts_initrd_table' 24 | static const struct ctl_table kern_do_mounts_initrd_table[] = { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:24:21: error: parameter 'kern_do_mounts_initrd_table' is initialized 24 | static const struct ctl_table kern_do_mounts_initrd_table[] = { | ^~~~~~~~~ >> init/do_mounts_initrd.c:25:9: warning: braces around scalar initializer 25 | { | ^ init/do_mounts_initrd.c:25:9: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:26:17: error: field name not in record or union initializer 26 | .procname = "real-root-dev", | ^ init/do_mounts_initrd.c:26:17: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:26:35: error: initialization of 'const struct ctl_table *' from incompatible pointer type 'char *' [-Werror=incompatible-pointer-types] 26 | .procname = "real-root-dev", | ^~~~~~~~~~~~~~~ init/do_mounts_initrd.c:26:35: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:27:17: error: field name not in record or union initializer 27 | .data = &real_root_dev, | ^ init/do_mounts_initrd.c:27:17: note: (near initialization for 'kern_do_mounts_initrd_table') >> init/do_mounts_initrd.c:27:35: warning: excess elements in scalar initializer 27 | .data = &real_root_dev, | ^ init/do_mounts_initrd.c:27:35: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:28:17: error: field name not in record or union 
initializer 28 | .maxlen = sizeof(int), | ^ init/do_mounts_initrd.c:28:17: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:28:35: warning: excess elements in scalar initializer 28 | .maxlen = sizeof(int), | ^~~~~~ init/do_mounts_initrd.c:28:35: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:29:17: error: field name not in record or union initializer 29 | .mode = 0644, | ^ init/do_mounts_initrd.c:29:17: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:29:35: warning: excess elements in scalar initializer 29 | .mode = 0644, | ^~~~ init/do_mounts_initrd.c:29:35: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:30:17: error: field name not in record or union initializer 30 | .proc_handler = proc_dointvec, | ^ init/do_mounts_initrd.c:30:17: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:30:35: warning: excess elements in scalar initializer 30 | .proc_handler = proc_dointvec, | ^~~~~~~~~~~~~ init/do_mounts_initrd.c:30:35: note: (near initialization for 'kern_do_mounts_initrd_table') init/do_mounts_initrd.c:35:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token 35 | { | ^ include/linux/compiler.h:166:45: error: storage class specified for parameter '__UNIQUE_ID___addressable_kernel_do_mounts_initrd_sysctls_init369' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~~~~~~ include/linux/compiler_types.h:83:23: note: in definition of macro '___PASTE' 83 | #define ___PASTE(a,b) a##b | ^ include/linux/compiler.h:166:29: note: in expansion of macro '__PASTE' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~ include/linux/compiler_types.h:84:22: note: in expansion of macro '___PASTE' 84 | #define __PASTE(a,b) ___PASTE(a,b) | ^~~~~~~~ include/linux/compiler.h:166:37: note: in 
expansion of macro '__PASTE' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~ include/linux/compiler.h:286:9: note: in expansion of macro '__UNIQUE_ID' 286 | __UNIQUE_ID(__PASTE(__addressable_,sym)) = (void *)(uintptr_t)&sym; | ^~~~~~~~~~~ include/linux/compiler.h:289:9: note: in expansion of macro '___ADDRESSABLE' 289 | ___ADDRESSABLE(sym, __section(".discard.addressable")) | ^~~~~~~~~~~~~~ include/linux/init.h:256:9: note: in expansion of macro '__ADDRESSABLE' 256 | __ADDRESSABLE(fn) | ^~~~~~~~~~~~~ include/linux/init.h:261:9: note: in expansion of macro '__define_initcall_stub' 261 | __define_initcall_stub(__stub, fn) \ | ^~~~~~~~~~~~~~~~~~~~~~ include/linux/init.h:274:9: note: in expansion of macro '____define_initcall' 274 | ____define_initcall(fn, \ | ^~~~~~~~~~~~~~~~~~~ include/linux/init.h:280:9: note: in expansion of macro '__unique_initcall' 280 | __unique_initcall(fn, id, __sec, __initcall_id(fn)) | ^~~~~~~~~~~~~~~~~ include/linux/init.h:282:35: note: in expansion of macro '___define_initcall' 282 | #define __define_initcall(fn, id) ___define_initcall(fn, id, .initcall##id) | ^~~~~~~~~~~~~~~~~~ include/linux/init.h:313:41: note: in expansion of macro '__define_initcall' 313 | #define late_initcall(fn) __define_initcall(fn, 7) | ^~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:39:1: note: in expansion of macro 'late_initcall' 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~ init/do_mounts_initrd.c:39:1: error: parameter '__UNIQUE_ID___addressable_kernel_do_mounts_initrd_sysctls_init369' is initialized >> init/do_mounts_initrd.c:39:1: warning: 'used' attribute ignored [-Wattributes] include/linux/compiler.h:166:45: error: section attribute not allowed for '__UNIQUE_ID___addressable_kernel_do_mounts_initrd_sysctls_init369' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~~~~~~ include/linux/compiler_types.h:83:23: note: in definition of macro 
'___PASTE' 83 | #define ___PASTE(a,b) a##b | ^ include/linux/compiler.h:166:29: note: in expansion of macro '__PASTE' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~ include/linux/compiler_types.h:84:22: note: in expansion of macro '___PASTE' 84 | #define __PASTE(a,b) ___PASTE(a,b) | ^~~~~~~~ include/linux/compiler.h:166:37: note: in expansion of macro '__PASTE' 166 | #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) | ^~~~~~~ include/linux/compiler.h:286:9: note: in expansion of macro '__UNIQUE_ID' 286 | __UNIQUE_ID(__PASTE(__addressable_,sym)) = (void *)(uintptr_t)&sym; | ^~~~~~~~~~~ include/linux/compiler.h:289:9: note: in expansion of macro '___ADDRESSABLE' 289 | ___ADDRESSABLE(sym, __section(".discard.addressable")) | ^~~~~~~~~~~~~~ include/linux/init.h:256:9: note: in expansion of macro '__ADDRESSABLE' 256 | __ADDRESSABLE(fn) | ^~~~~~~~~~~~~ include/linux/init.h:261:9: note: in expansion of macro '__define_initcall_stub' 261 | __define_initcall_stub(__stub, fn) \ | ^~~~~~~~~~~~~~~~~~~~~~ include/linux/init.h:274:9: note: in expansion of macro '____define_initcall' 274 | ____define_initcall(fn, \ | ^~~~~~~~~~~~~~~~~~~ include/linux/init.h:280:9: note: in expansion of macro '__unique_initcall' 280 | __unique_initcall(fn, id, __sec, __initcall_id(fn)) | ^~~~~~~~~~~~~~~~~ include/linux/init.h:282:35: note: in expansion of macro '___define_initcall' 282 | #define __define_initcall(fn, id) ___define_initcall(fn, id, .initcall##id) | ^~~~~~~~~~~~~~~~~~ include/linux/init.h:313:41: note: in expansion of macro '__define_initcall' 313 | #define late_initcall(fn) __define_initcall(fn, 7) | ^~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:39:1: note: in expansion of macro 'late_initcall' 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~ In file included from include/linux/array_size.h:5, from include/linux/kernel.h:16: init/do_mounts_initrd.c:39:15: error: 
'kernel_do_mounts_initrd_sysctls_init' undeclared (first use in this function) 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/compiler.h:286:72: note: in definition of macro '___ADDRESSABLE' 286 | __UNIQUE_ID(__PASTE(__addressable_,sym)) = (void *)(uintptr_t)&sym; | ^~~ include/linux/init.h:256:9: note: in expansion of macro '__ADDRESSABLE' 256 | __ADDRESSABLE(fn) | ^~~~~~~~~~~~~ include/linux/init.h:261:9: note: in expansion of macro '__define_initcall_stub' 261 | __define_initcall_stub(__stub, fn) \ | ^~~~~~~~~~~~~~~~~~~~~~ include/linux/init.h:274:9: note: in expansion of macro '____define_initcall' 274 | ____define_initcall(fn, \ | ^~~~~~~~~~~~~~~~~~~ include/linux/init.h:280:9: note: in expansion of macro '__unique_initcall' 280 | __unique_initcall(fn, id, __sec, __initcall_id(fn)) | ^~~~~~~~~~~~~~~~~ include/linux/init.h:282:35: note: in expansion of macro '___define_initcall' 282 | #define __define_initcall(fn, id) ___define_initcall(fn, id, .initcall##id) | ^~~~~~~~~~~~~~~~~~ include/linux/init.h:313:41: note: in expansion of macro '__define_initcall' 313 | #define late_initcall(fn) __define_initcall(fn, 7) | ^~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:39:1: note: in expansion of macro 'late_initcall' 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~ init/do_mounts_initrd.c:39:15: note: each undeclared identifier is reported only once for each function it appears in 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/compiler.h:286:72: note: in definition of macro '___ADDRESSABLE' 286 | __UNIQUE_ID(__PASTE(__addressable_,sym)) = (void *)(uintptr_t)&sym; | ^~~ include/linux/init.h:256:9: note: in expansion of macro '__ADDRESSABLE' 256 | __ADDRESSABLE(fn) | ^~~~~~~~~~~~~ include/linux/init.h:261:9: note: in expansion of macro '__define_initcall_stub' 261 | __define_initcall_stub(__stub, fn) \ | ^~~~~~~~~~~~~~~~~~~~~~ 
include/linux/init.h:274:9: note: in expansion of macro '____define_initcall' 274 | ____define_initcall(fn, \ | ^~~~~~~~~~~~~~~~~~~ include/linux/init.h:280:9: note: in expansion of macro '__unique_initcall' 280 | __unique_initcall(fn, id, __sec, __initcall_id(fn)) | ^~~~~~~~~~~~~~~~~ include/linux/init.h:282:35: note: in expansion of macro '___define_initcall' 282 | #define __define_initcall(fn, id) ___define_initcall(fn, id, .initcall##id) | ^~~~~~~~~~~~~~~~~~ include/linux/init.h:313:41: note: in expansion of macro '__define_initcall' 313 | #define late_initcall(fn) __define_initcall(fn, 7) | ^~~~~~~~~~~~~~~~~ init/do_mounts_initrd.c:39:1: note: in expansion of macro 'late_initcall' 39 | late_initcall(kernel_do_mounts_initrd_sysctls_init); | ^~~~~~~~~~~~~ In file included from include/linux/printk.h:6, from include/linux/kernel.h:31: .. vim +16 include/linux/stddef.h 6e218287432472 Richard Knutsson 2006-09-30 14 ^1da177e4c3f41 Linus Torvalds 2005-04-16 15 #undef offsetof 14e83077d55ff4 Rasmus Villemoes 2022-03-23 @16 #define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER) 3876488444e712 Denys Vlasenko 2015-03-09 17 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
Hi Maxime, kernel test robot noticed the following build errors: [auto build test ERROR on 9c32cda43eb78f78c73aee4aa344b777714e259b] url: https://github.com/intel-lab-lkp/linux/commits/Maxime-B-lair/Wire-up-lsm_config_self_policy-and-lsm_config_system_policy-syscalls/20250620-022714 base: 9c32cda43eb78f78c73aee4aa344b777714e259b patch link: https://lore.kernel.org/r/20250619181600.478038-3-maxime.belair%40canonical.com patch subject: [PATCH v2 2/3] lsm: introduce security_lsm_config_*_policy hooks config: x86_64-buildonly-randconfig-003-20250620 (https://download.01.org/0day-ci/archive/20250620/202506201415.KiEs36AG-lkp@intel.com/config) compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250620/202506201415.KiEs36AG-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202506201415.KiEs36AG-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from kernel/fork.c:52: >> include/linux/security.h:1614:2: error: expected function body after function declarator 1614 | return -EOPNOTSUPP; | ^ >> include/linux/security.h:1615:1: error: extraneous closing brace ('}') 1615 | } | ^ include/linux/security.h:1620:2: error: expected function body after function declarator 1620 | return -EOPNOTSUPP; | ^ include/linux/security.h:1621:1: error: extraneous closing brace ('}') 1621 | } | ^ 4 errors generated. 
-- In file included from kernel/sysctl.c:29: >> include/linux/security.h:1614:2: error: expected function body after function declarator 1614 | return -EOPNOTSUPP; | ^ >> include/linux/security.h:1615:1: error: extraneous closing brace ('}') 1615 | } | ^ include/linux/security.h:1620:2: error: expected function body after function declarator 1620 | return -EOPNOTSUPP; | ^ include/linux/security.h:1621:1: error: extraneous closing brace ('}') 1621 | } | ^ In file included from kernel/sysctl.c:46: In file included from include/linux/nfs_fs.h:31: In file included from include/linux/sunrpc/auth.h:13: In file included from include/linux/sunrpc/sched.h:19: include/linux/sunrpc/xdr.h:803:46: warning: result of comparison of constant 4611686018427387903 with expression of type '__u32' (aka 'unsigned int') is always false [-Wtautological-constant-out-of-range-compare] 803 | if (U32_MAX >= SIZE_MAX / sizeof(*p) && len > SIZE_MAX / sizeof(*p)) | ~~~ ^ ~~~~~~~~~~~~~~~~~~~~~ 1 warning and 4 errors generated. 
-- In file included from kernel/signal.c:30: >> include/linux/security.h:1614:2: error: expected function body after function declarator 1614 | return -EOPNOTSUPP; | ^ >> include/linux/security.h:1615:1: error: extraneous closing brace ('}') 1615 | } | ^ include/linux/security.h:1620:2: error: expected function body after function declarator 1620 | return -EOPNOTSUPP; | ^ include/linux/security.h:1621:1: error: extraneous closing brace ('}') 1621 | } | ^ kernel/signal.c:142:37: warning: array index 3 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 142 | case 4: ready = signal->sig[3] &~ blocked->sig[3]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:142:19: warning: array index 3 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 142 | case 4: ready = signal->sig[3] &~ blocked->sig[3]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:143:30: warning: array index 2 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 143 | ready |= signal->sig[2] &~ blocked->sig[2]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:143:12: warning: array index 2 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 143 | ready |= signal->sig[2] &~ blocked->sig[2]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:144:30: warning: array index 1 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 144 | ready |= signal->sig[1] &~ blocked->sig[1]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:144:12: warning: array index 1 is past the 
end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 144 | ready |= signal->sig[1] &~ blocked->sig[1]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:148:37: warning: array index 1 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 148 | case 2: ready = signal->sig[1] &~ blocked->sig[1]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ kernel/signal.c:148:19: warning: array index 1 is past the end of the array (that has type 'unsigned long[1]') [-Warray-bounds] 148 | case 2: ready = signal->sig[1] &~ blocked->sig[1]; | ^ ~ arch/x86/include/asm/signal.h:24:2: note: array 'sig' declared here 24 | unsigned long sig[_NSIG_WORDS]; | ^ 8 warnings and 4 errors generated. -- In file included from kernel/dma/swiotlb.c:53: In file included from include/trace/events/swiotlb.h:41: In file included from include/trace/define_trace.h:119: In file included from include/trace/trace_events.h:21: In file included from include/linux/trace_events.h:10: In file included from include/linux/perf_event.h:62: >> include/linux/security.h:1614:2: error: expected function body after function declarator 1614 | return -EOPNOTSUPP; | ^ >> include/linux/security.h:1615:1: error: extraneous closing brace ('}') 1615 | } | ^ include/linux/security.h:1620:2: error: expected function body after function declarator 1620 | return -EOPNOTSUPP; | ^ include/linux/security.h:1621:1: error: extraneous closing brace ('}') 1621 | } | ^ kernel/dma/swiotlb.c:639:20: warning: shift count >= width of type [-Wshift-count-overflow] 639 | phys_limit < DMA_BIT_MASK(64) && | ^~~~~~~~~~~~~~~~ include/linux/dma-mapping.h:73:54: note: expanded from macro 'DMA_BIT_MASK' 73 | #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1)) | ^ ~~~ 1 warning and 4 errors generated. 
-- In file included from kernel/events/core.c:34: In file included from include/linux/syscalls.h:94: In file included from include/trace/syscall.h:7: In file included from include/linux/trace_events.h:10: In file included from include/linux/perf_event.h:62: >> include/linux/security.h:1614:2: error: expected function body after function declarator 1614 | return -EOPNOTSUPP; | ^ >> include/linux/security.h:1615:1: error: extraneous closing brace ('}') 1615 | } | ^ include/linux/security.h:1620:2: error: expected function body after function declarator 1620 | return -EOPNOTSUPP; | ^ include/linux/security.h:1621:1: error: extraneous closing brace ('}') 1621 | } | ^ In file included from kernel/events/core.c:43: include/linux/mman.h:157:9: warning: division by zero is undefined [-Wdivision-by-zero] 157 | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/mman.h:135:21: note: expanded from macro '_calc_vm_trans' 135 | : ((x) & (bit1)) / ((bit1) / (bit2)))) | ^ ~~~~~~~~~~~~~~~~~ include/linux/mman.h:158:9: warning: division by zero is undefined [-Wdivision-by-zero] 158 | _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/mman.h:135:21: note: expanded from macro '_calc_vm_trans' 135 | : ((x) & (bit1)) / ((bit1) / (bit2)))) | ^ ~~~~~~~~~~~~~~~~~ 2 warnings and 4 errors generated. vim +1614 include/linux/security.h 1610 1611 static int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf, 1612 size_t size, u32 flags) 1613 > 1614 return -EOPNOTSUPP; > 1615 } 1616 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
On 6/19/25 11:15 AM, Maxime Bélair wrote:
> Define two new LSM hooks: security_lsm_config_self_policy and
> security_lsm_config_system_policy and wire them into the corresponding
> lsm_config_*_policy() syscalls so that LSMs can register a unified
> interface for policy management. This initial, minimal implementation
> only supports the LSM_POLICY_LOAD operation to limit changes.
>
> Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
> ---
> include/linux/lsm_hook_defs.h | 4 ++
> include/linux/security.h | 16 ++++++++
> include/uapi/linux/lsm.h | 8 ++++
> security/Kconfig | 22 +++++++++++
> security/lsm_syscalls.c | 17 ++++++++-
> security/security.c | 69 +++++++++++++++++++++++++++++++++++
> 6 files changed, 134 insertions(+), 2 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 4816fc74f81e..958be7b49a9e 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -220,6 +220,28 @@ config STATIC_USERMODEHELPER_PATH
> If you wish for all usermode helper programs to be disabled,
> specify an empty string here (i.e. "").
>
> +config LSM_CONFIG_SELF_POLICY_MAX_BUFFER_SIZE
> + int "Maximum buffer size for lsm_manage_policy"
Update function name.
> + range 16384 1073741824
> + depends on SECURITY
> + default 4194304
> + help
> + The maximum size of the buffer argument of lsm_config_self_policy.
> +
> + The default value of 4194304 (4MiB) is reasonable and should be large
> + enough to fit policies in for most cases.
> +
> +config LSM_CONFIG_SYSTEM_POLICY_MAX_BUFFER_SIZE
> + int "Maximum buffer size for lsm_manage_policy"
same here.
> + range 16384 1073741824
> + depends on SECURITY
> + default 4194304
> + help
> + The maximum size of the buffer argument of lsm_config_system_policy.
> +
> + The default value of 4194304 (4MiB) is reasonable and should be large
> + enough to fit policies in for most cases
> +
> source "security/selinux/Kconfig"
> source "security/smack/Kconfig"
> source "security/tomoyo/Kconfig"
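Review bot: The help text of both new options (LSM_CONFIG_SELF_POLICY_MAX_BUFFER_SIZE and LSM_CONFIG_SYSTEM_POLICY_MAX_BUFFER_SIZE) states the limit but not its effect, which is what an administrator sizing the value needs to know. The quoted security.c hunk shows the self variant returning -E2BIG when @size exceeds the limit before any LSM hook runs; the system variant's body is snipped in this quote, but it presumably mirrors that check. Suggest appending to each help text a line such as `Calls whose buffer is larger than this limit fail with -E2BIG before any LSM hook is invoked.` The second option's help text also drops the final period after `for most cases`.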
> diff --git a/security/security.c b/security/security.c
> index fb57e8fddd91..8efea2b6e967 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -5883,6 +5883,75 @@ int security_bdev_setintegrity(struct block_device *bdev,
> }
> EXPORT_SYMBOL(security_bdev_setintegrity);
>
> +/**
> + * security_lsm_config_self_policy() - Manage caller's LSM policies
> + * @lsm_id: id of the LSM to target
> + * @op: Operation to perform (one of the LSM_POLICY_XXX values)
> + * @buf: userspace pointer to policy data
> + * @size: size of @buf
> + * @flags: lsm policy management flags
> + *
> + * Manage the policies of a LSM for the current domain/user. This notably allows
> + * to update them even when the lsmfs is unavailable is restricted. Currently,
or ?
> + * only LSM_POLICY_LOAD is supported.
> + *
> + * Return: Returns 0 on success, error on failure.
> + */
> +int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf,
> + size_t size, u32 flags)
> +{
> + int rc = LSM_RET_DEFAULT(lsm_config_self_policy);
> + struct lsm_static_call *scall;
> +
> + if (size > (CONFIG_LSM_CONFIG_SELF_POLICY_MAX_BUFFER_SIZE))
> + return -E2BIG;
> +
> + lsm_for_each_hook(scall, lsm_config_self_policy) {
> + if ((scall->hl->lsmid->id) == lsm_id) {
> + rc = scall->hl->hook.lsm_config_self_policy(lsm_id, op, buf, size, flags);
> + break;
> + }
> + }
> +
> + return rc;
> +}
> +EXPORT_SYMBOL(security_lsm_config_self_policy);
> +
> +/**
> + * security_lsm_config_system_policy() - Manage system LSM policies
> + * @lsm_id: id of the lsm to target
> + * @op: Operation to perform (one of the LSM_POLICY_XXX values)
> + * @buf: userspace pointer to policy data
> + * @size: size of @buf
> + * @flags: lsm policy management flags
> + *
> + * Manage the policies of a LSM for the whole system. This notably allows
> + * to update them even when the lsmfs is unavailable is restricted. Currently,
or ?
> + * only LSM_POLICY_LOAD is supported.
> + *
> + * Return: Returns 0 on success, error on failure.
> + */
> +int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf,
> + size_t size, u32 flags)
> +{
[snip]
--
~Randy