Message ID | 8a1157bafa09bbcfc42fb3617fb8512b364cd51c.1671054577.git.pabeni@redhat.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Paul Moore |
Series | lsm: introduce and use security_mptcp_add_subflow() |
Hi Paolo,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v6.1 next-20221214]
[cannot apply to pcmoore-selinux/next pcmoore-audit/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
patch link: https://lore.kernel.org/r/8a1157bafa09bbcfc42fb3617fb8512b364cd51c.1671054577.git.pabeni%40redhat.com
patch subject: [PATCH 1/2] security, lsm: Introduce security_mptcp_add_subflow()
config: um-x86_64_defconfig
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/2ea8d6290cdc3578eac223edf852b283ca486e6b
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
git checkout 2ea8d6290cdc3578eac223edf852b283ca486e6b
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=um SUBARCH=x86_64 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All error/warnings (new ones prefixed by >>):
In file included from include/net/scm.h:8,
from include/linux/netlink.h:9,
from include/uapi/linux/neighbour.h:6,
from include/linux/netdevice.h:46,
from include/linux/if_vlan.h:10,
from include/linux/filter.h:20,
from net/unix/af_unix.c:92:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
--
In file included from include/linux/perf_event.h:62,
from include/linux/trace_events.h:10,
from include/trace/syscall.h:7,
from include/linux/syscalls.h:88,
from init/main.c:21:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
init/main.c:775:20: warning: no previous prototype for 'arch_post_acpi_subsys_init' [-Wmissing-prototypes]
775 | void __init __weak arch_post_acpi_subsys_init(void) { }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
init/main.c:787:20: warning: no previous prototype for 'mem_encrypt_init' [-Wmissing-prototypes]
787 | void __init __weak mem_encrypt_init(void) { }
| ^~~~~~~~~~~~~~~~
init/main.c:789:20: warning: no previous prototype for 'poking_init' [-Wmissing-prototypes]
789 | void __init __weak poking_init(void) { }
| ^~~~~~~~~~~
--
In file included from include/net/scm.h:8,
from include/linux/netlink.h:9,
from include/uapi/linux/neighbour.h:6,
from include/linux/netdevice.h:46,
from include/uapi/linux/if_arp.h:27,
from include/linux/if_arp.h:23,
from arch/um/drivers/slirp_kern.c:6:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
arch/um/drivers/slirp_kern.c:18:6: warning: no previous prototype for 'slirp_init' [-Wmissing-prototypes]
18 | void slirp_init(struct net_device *dev, void *data)
| ^~~~~~~~~~
--
In file included from include/linux/perf_event.h:62,
from include/linux/trace_events.h:10,
from include/trace/syscall.h:7,
from include/linux/syscalls.h:88,
from arch/x86/um/syscalls_64.c:10:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
arch/x86/um/syscalls_64.c:84:6: warning: no previous prototype for 'arch_switch_to' [-Wmissing-prototypes]
84 | void arch_switch_to(struct task_struct *to)
| ^~~~~~~~~~~~~~
--
In file included from include/net/scm.h:8,
from include/linux/netlink.h:9,
from include/uapi/linux/neighbour.h:6,
from include/linux/netdevice.h:46,
from include/linux/if_vlan.h:10,
from include/linux/filter.h:20,
from kernel/kallsyms.c:25:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/kallsyms.c:663:12: warning: no previous prototype for 'arch_get_kallsym' [-Wmissing-prototypes]
663 | int __weak arch_get_kallsym(unsigned int symnum, unsigned long *value,
| ^~~~~~~~~~~~~~~~
--
In file included from kernel/fork.c:51:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/fork.c:162:13: warning: no previous prototype for 'arch_release_task_struct' [-Wmissing-prototypes]
162 | void __weak arch_release_task_struct(struct task_struct *tsk)
| ^~~~~~~~~~~~~~~~~~~~~~~~
kernel/fork.c:862:20: warning: no previous prototype for 'arch_task_cache_init' [-Wmissing-prototypes]
862 | void __init __weak arch_task_cache_init(void) { }
| ^~~~~~~~~~~~~~~~~~~~
kernel/fork.c:957:12: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes]
957 | int __weak arch_dup_task_struct(struct task_struct *dst,
| ^~~~~~~~~~~~~~~~~~~~
--
In file included from include/linux/perf_event.h:62,
from include/linux/trace_events.h:10,
from include/trace/syscall.h:7,
from include/linux/syscalls.h:88,
from kernel/exit.c:42:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/exit.c:1899:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
1899 | __weak void abort(void)
| ^~~~~
--
In file included from include/linux/fs_context.h:14,
from include/linux/pseudo_fs.h:4,
from fs/pipe.c:17:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:757:15: warning: no previous prototype for 'account_pipe_buffers' [-Wmissing-prototypes]
757 | unsigned long account_pipe_buffers(struct user_struct *user,
| ^~~~~~~~~~~~~~~~~~~~
fs/pipe.c:763:6: warning: no previous prototype for 'too_many_pipe_buffers_soft' [-Wmissing-prototypes]
763 | bool too_many_pipe_buffers_soft(unsigned long user_bufs)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:770:6: warning: no previous prototype for 'too_many_pipe_buffers_hard' [-Wmissing-prototypes]
770 | bool too_many_pipe_buffers_hard(unsigned long user_bufs)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:777:6: warning: no previous prototype for 'pipe_is_unprivileged_user' [-Wmissing-prototypes]
777 | bool pipe_is_unprivileged_user(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:1253:5: warning: no previous prototype for 'pipe_resize_ring' [-Wmissing-prototypes]
1253 | int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
| ^~~~~~~~~~~~~~~~
--
In file included from include/linux/perf_event.h:62,
from include/linux/trace_events.h:10,
from include/trace/syscall.h:7,
from include/linux/syscalls.h:88,
from fs/d_path.c:2:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/d_path.c:317:7: warning: no previous prototype for 'simple_dname' [-Wmissing-prototypes]
317 | char *simple_dname(struct dentry *dentry, char *buffer, int buflen)
| ^~~~~~~~~~~~
--
In file included from include/net/scm.h:8,
from include/linux/netlink.h:9,
from include/uapi/linux/neighbour.h:6,
from include/linux/netdevice.h:46,
from arch/um/os-Linux/drivers/ethertap_kern.c:10:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
arch/um/os-Linux/drivers/ethertap_kern.c:66:5: warning: no previous prototype for 'ethertap_setup' [-Wmissing-prototypes]
66 | int ethertap_setup(char *str, char **mac_out, void *data)
| ^~~~~~~~~~~~~~
--
In file included from include/net/scm.h:8,
from include/linux/netlink.h:9,
from include/uapi/linux/neighbour.h:6,
from include/linux/netdevice.h:46,
from arch/um/os-Linux/drivers/tuntap_kern.c:6:
>> include/linux/security.h:1711:5: warning: no previous prototype for 'security_mptcp_add_subflow' [-Wmissing-prototypes]
1711 | int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
arch/um/os-Linux/drivers/tuntap_kern.c:56:5: warning: no previous prototype for 'tuntap_setup' [-Wmissing-prototypes]
56 | int tuntap_setup(char *str, char **mac_out, void *data)
| ^~~~~~~~~~~~
..
vim +1714 include/linux/security.h
1710
> 1711 int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
1712 {
1713 return 0;
> 1714 }
1715 #endif /* CONFIG_SECURITY_NETWORK */
1716

Hi Paolo,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v6.1 next-20221214]
[cannot apply to pcmoore-selinux/next pcmoore-audit/next]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
patch link: https://lore.kernel.org/r/8a1157bafa09bbcfc42fb3617fb8512b364cd51c.1671054577.git.pabeni%40redhat.com
patch subject: [PATCH 1/2] security, lsm: Introduce security_mptcp_add_subflow()
config: arc-defconfig
compiler: arc-elf-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/2ea8d6290cdc3578eac223edf852b283ca486e6b
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Paolo-Abeni/lsm-introduce-and-use-security_mptcp_add_subflow/20221215-060410
git checkout 2ea8d6290cdc3578eac223edf852b283ca486e6b
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arc SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
arc-elf-ld: init/do_mounts.o: in function `security_mptcp_add_subflow':
>> do_mounts.c:(.text+0x38c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: init/do_mounts_initrd.o: in function `security_mptcp_add_subflow':
do_mounts_initrd.c:(.text+0x0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: init/initramfs.o: in function `security_mptcp_add_subflow':
initramfs.c:(.text+0x44): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/kernel/ptrace.o: in function `security_mptcp_add_subflow':
ptrace.c:(.text+0x1400): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/kernel/process.o: in function `security_mptcp_add_subflow':
process.c:(.text+0x1e0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/kernel/signal.o: in function `security_mptcp_add_subflow':
signal.c:(.text+0x4dc): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/kernel/sys.o: in function `security_mptcp_add_subflow':
sys.c:(.text+0x0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/kernel/perf_event.o: in function `security_mptcp_add_subflow':
perf_event.c:(.text+0xba0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/mm/fault.o: in function `security_mptcp_add_subflow':
fault.c:(.text+0x28): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: arch/arc/mm/cache.o: in function `security_mptcp_add_subflow':
cache.c:(.text+0x1cc): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/fork.o: in function `security_mptcp_add_subflow':
fork.c:(.text+0xef4): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/exec_domain.o: in function `security_mptcp_add_subflow':
exec_domain.c:(.text+0x14): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/cpu.o: in function `security_mptcp_add_subflow':
cpu.c:(.text+0x17a8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/exit.o: in function `security_mptcp_add_subflow':
exit.c:(.text+0x940): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/softirq.o: in function `security_mptcp_add_subflow':
softirq.c:(.text+0x82c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/resource.o: in function `security_mptcp_add_subflow':
resource.c:(.text+0xcb4): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sysctl.o: in function `security_mptcp_add_subflow':
sysctl.c:(.text+0x14c4): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/capability.o: in function `security_mptcp_add_subflow':
capability.c:(.text+0x7fc): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/ptrace.o: in function `security_mptcp_add_subflow':
ptrace.c:(.text+0x634): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/signal.o: in function `security_mptcp_add_subflow':
signal.c:(.text+0x11a0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sys.o: in function `security_mptcp_add_subflow':
sys.c:(.text+0x1088): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/umh.o: in function `security_mptcp_add_subflow':
umh.c:(.text+0x690): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/workqueue.o: in function `security_mptcp_add_subflow':
workqueue.c:(.text+0x3d90): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/pid.o: in function `security_mptcp_add_subflow':
pid.c:(.text+0x390): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/extable.o: in function `security_mptcp_add_subflow':
extable.c:(.text+0x0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/params.o: in function `security_mptcp_add_subflow':
params.c:(.text+0x91c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/nsproxy.o: in function `security_mptcp_add_subflow':
nsproxy.c:(.text+0x1c4): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/cred.o: in function `security_mptcp_add_subflow':
cred.c:(.text+0x734): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/reboot.o: in function `security_mptcp_add_subflow':
reboot.c:(.text+0x72c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/kmod.o: in function `security_mptcp_add_subflow':
kmod.c:(.text+0x3c0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/groups.o: in function `security_mptcp_add_subflow':
groups.c:(.text+0x1a8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sched/core.o: in function `security_mptcp_add_subflow':
core.c:(.text+0x2fac): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sched/fair.o: in function `security_mptcp_add_subflow':
fair.c:(.text+0x40a8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sched/build_policy.o: in function `security_mptcp_add_subflow':
build_policy.c:(.text+0x43c0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/sched/build_utility.o: in function `security_mptcp_add_subflow':
build_utility.c:(.text+0x2790): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/locking/mutex.o: in function `security_mptcp_add_subflow':
mutex.c:(.text+0x570): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/power/qos.o: in function `security_mptcp_add_subflow':
qos.c:(.text+0xe8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/printk/printk.o: in function `security_mptcp_add_subflow':
printk.c:(.text+0x25f0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/rcu/update.o: in function `security_mptcp_add_subflow':
update.c:(.text+0x373c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/rcu/tree.o: in function `security_mptcp_add_subflow':
tree.c:(.text+0x7164): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/module/main.o: in function `security_mptcp_add_subflow':
main.c:(.text+0x11d8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/time.o: in function `security_mptcp_add_subflow':
time.c:(.text+0x81c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/timer.o: in function `security_mptcp_add_subflow':
timer.c:(.text+0x24c0): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/hrtimer.o: in function `security_mptcp_add_subflow':
hrtimer.c:(.text+0x129c): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/alarmtimer.o: in function `security_mptcp_add_subflow':
alarmtimer.c:(.text+0xb38): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/posix-timers.o: in function `security_mptcp_add_subflow':
posix-timers.c:(.text+0xfa8): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/posix-clock.o: in function `security_mptcp_add_subflow':
posix-clock.c:(.text+0x494): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/itimer.o: in function `security_mptcp_add_subflow':
itimer.c:(.text+0x634): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/time/tick-common.o: in function `security_mptcp_add_subflow':
tick-common.c:(.text+0x130): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/futex/syscalls.o: in function `security_mptcp_add_subflow':
syscalls.c:(.text+0x74): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
arc-elf-ld: kernel/kallsyms.o: in function `security_mptcp_add_subflow':
kallsyms.c:(.text+0x500): multiple definition of `security_mptcp_add_subflow'; init/main.o:main.c:(.text+0x5dc): first defined here
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ed6cb2ac55fa..860e11e3a26b 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -343,6 +343,7 @@ LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, struct sock *sk, struct sock *newsk) LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc, struct sk_buff *skb) +LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0a5ba81f7367..84c9c4d4341e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1096,6 +1096,15 @@ * @skb pointer to skbuff of association packet. * Return 0 if permission is granted. * + * Security hooks for MPTCP + * + * @mptcp_add_subflow + * Update the labeling for the given MPTCP subflow, to match to + * owning MPTCP socket. + * @sk: the owning MPTCP socket + * @ssk: the new subflow + * Return 0 if successful, otherwise < 0 error code. + * * Security hooks for Infiniband * * @ib_pkey_access: diff --git a/include/linux/security.h b/include/linux/security.h index 5b67f208f7de..137a440e8e10 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1479,6 +1479,7 @@ void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk); int security_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb); +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk); #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct sock *sock, @@ -1706,6 +1707,11 @@ static inline int security_sctp_assoc_established(struct sctp_association *asoc, { return 0; } + +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) +{ + return 0; +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND 
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index bd387d4b5a38..43b90784d914 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1680,6 +1680,10 @@ int mptcp_subflow_create_socket(struct sock *sk, struct socket **new_sock) lock_sock(sf->sk); + err = security_mptcp_add_subflow(sk, sf->sk); + if (err) + goto release_ssk; + /* the newly created socket has to be in the same cgroup as its parent */ mptcp_attach_cgroup(sk, sf->sk); @@ -1692,6 +1696,8 @@ int mptcp_subflow_create_socket(struct sock *sk, struct socket **new_sock) get_net_track(net, &sf->sk->ns_tracker, GFP_KERNEL); sock_inuse_add(net, 1); err = tcp_set_ulp(sf->sk, "mptcp"); + +release_ssk: release_sock(sf->sk); if (err) { diff --git a/security/security.c b/security/security.c index d1571900a8c7..3491a4fc2b1f 100644 --- a/security/security.c +++ b/security/security.c @@ -2493,6 +2493,11 @@ int security_sctp_assoc_established(struct sctp_association *asoc, } EXPORT_SYMBOL(security_sctp_assoc_established); +int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) +{ + return call_int_hook(mptcp_add_subflow, 0, sk, ssk); +} + #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND
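Review bot: The kernel-doc added for @mptcp_add_subflow in include/linux/lsm_hooks.h (hunk @@ -1096,6 +1096,15 @@) reads "to match to owning MPTCP socket"; that should be "to match the owning MPTCP socket". The comment would also help LSM implementers more if it stated the calling context: the net/mptcp/subflow.c hunk invokes the hook right after lock_sock(sf->sk), so @ssk is locked when the hook runs, while the locking state of @sk is not visible from the patch and should be spelled out.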
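Review bot: The stub added to the "#else /* CONFIG_SECURITY_NETWORK */" branch of include/linux/security.h (hunk @@ -1706,6 +1707,11 @@) is a plain "int security_mptcp_add_subflow(...)", whereas the stub directly above it, security_sctp_assoc_established(), is "static inline int". A non-static function body in a header is emitted by every object file that includes it, which matches both the "multiple definition of security_mptcp_add_subflow" link errors and the -Wmissing-prototypes warnings the kernel test robot reported. Suggest "static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)" so that builds without CONFIG_SECURITY_NETWORK get the same no-op stub as the other hooks.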
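Review bot: In mptcp_subflow_create_socket() (net/mptcp/subflow.c, hunks @@ -1680,6 +1680,10 @@ and @@ -1692,6 +1696,8 @@), the new "goto release_ssk" taken when security_mptcp_add_subflow() fails skips mptcp_attach_cgroup(), get_net_track() and sock_inuse_add(net, 1) and lands on release_sock(sf->sk) followed by the existing "if (err) {" block, whose body is not part of the hunk. In the visible code that block was reached with err set by tcp_set_ulp(), that is, after the cgroup and netns accounting had already run. Please confirm that the teardown in that block stays balanced for a subflow that never went through those steps, and note it in the commit message or in a comment at the label.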
MPTCP can create subflows in kernel context, and later indirectly
expose them to user-space, via the owning mptcp socket.

As discussed in the reported link, the above causes unexpected failures
for server, MPTCP-enabled applications.

Let's introduce a new LSM hook to allow the security module to relabel
the subflow according to the owning process.

Link: https://lore.kernel.org/mptcp/CAHC9VhTNh-YwiyTds=P1e3rixEDqbRTFj22bpya=+qJqfcaMfg@mail.gmail.com/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/lsm_hooks.h | 9 +++++++++
include/linux/security.h | 6 ++++++
net/mptcp/subflow.c | 6 ++++++
security/security.c | 5 +++++
5 files changed, 27 insertions(+)