Hi Mickaël, kernel test robot noticed the following build warnings:
[auto build test WARNING on 69e858e0b8b2ea07759e995aa383e8780d9d140c] url: https://github.com/intel-lab-lkp/linux/commits/Micka-l-Sala-n/lsm-Add-audit_log_lsm_data-helper/20250201-004434 base: 69e858e0b8b2ea07759e995aa383e8780d9d140c patch link: https://lore.kernel.org/r/20250131163059.1139617-18-mic%40digikod.net patch subject: [PATCH v5 17/24] landlock: Add LANDLOCK_RESTRICT_SELF_QUIET_SUBDOMAINS config: x86_64-buildonly-randconfig-002-20250201 (https://download.01.org/0day-ci/archive/20250201/[email protected]/config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250201/[email protected]/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <[email protected]> | Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/ All warnings (new ones prefixed by >>): security/landlock/syscalls.c: In function '__do_sys_landlock_restrict_self': >> security/landlock/syscalls.c:469:24: warning: variable 'is_quiet_subdomains' >> set but not used [-Wunused-but-set-variable] 469 | bool is_quiet, is_quiet_subdomains, | ^~~~~~~~~~~~~~~~~~~ security/landlock/syscalls.c:469:14: warning: variable 'is_quiet' set but not used [-Wunused-but-set-variable] 469 | bool is_quiet, is_quiet_subdomains, | ^~~~~~~~ vim +/is_quiet_subdomains +469 security/landlock/syscalls.c 435 436 /** 437 * sys_landlock_restrict_self - Enforce a ruleset on the calling thread 438 * 439 * @ruleset_fd: File descriptor tied to the ruleset to merge with the target. 440 * @flags: Supported values: 441 * 442 * - %LANDLOCK_RESTRICT_SELF_QUIET 443 * - %LANDLOCK_RESTRICT_SELF_QUIET_SUBDOMAINS 444 * 445 * This system call enables to enforce a Landlock ruleset on the current 446 * thread. Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its 447 * namespace or is running with no_new_privs. This avoids scenarios where 448 * unprivileged tasks can affect the behavior of privileged children. 449 * 450 * Possible returned errors are: 451 * 452 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; 453 * - %EINVAL: @flags contains an unknown bit. 454 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread; 455 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor; 456 * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the 457 * current thread is not running with no_new_privs, or it doesn't have 458 * %CAP_SYS_ADMIN in its namespace. 459 * - %E2BIG: The maximum number of stacked rulesets is reached for the current 460 * thread. 461 */ 462 SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, 463 flags) 464 { 465 struct landlock_ruleset *new_dom, 466 *ruleset __free(landlock_put_ruleset) = NULL; 467 struct cred *new_cred; 468 struct landlock_cred_security *new_llcred; > 469 bool is_quiet, is_quiet_subdomains, 470 __maybe_unused inherits_quiet_subdomains; 471 472 if (!is_initialized()) 473 return -EOPNOTSUPP; 474 475 /* 476 * Similar checks as for seccomp(2), except that an -EPERM may be 477 * returned. 478 */ 479 if (!task_no_new_privs(current) && 480 !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) 481 return -EPERM; 482 483 if ((flags | LANDLOCK_MASK_RESTRICT_SELF) != 484 LANDLOCK_MASK_RESTRICT_SELF) 485 return -EINVAL; 486 487 is_quiet = !!(flags & LANDLOCK_RESTRICT_SELF_QUIET); 488 is_quiet_subdomains = 489 !!(flags & LANDLOCK_RESTRICT_SELF_QUIET_SUBDOMAINS); 490 491 /* Gets and checks the ruleset. */ 492 ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); 493 if (IS_ERR(ruleset)) 494 return PTR_ERR(ruleset); 495 496 /* Prepares new credentials. */ 497 new_cred = prepare_creds(); 498 if (!new_cred) 499 return -ENOMEM; 500 501 new_llcred = landlock_cred(new_cred); 502 503 /* 504 * There is no possible race condition while copying and manipulating 505 * the current credentials because they are dedicated per thread. 506 */ 507 new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset); 508 if (IS_ERR(new_dom)) { 509 abort_creds(new_cred); 510 return PTR_ERR(new_dom); 511 } 512 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
