Re: Re: [PATCH v14 10/12] selftests/landlock: Add network tests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for the report and the test Muhammad, the fix is now merged:
https://git.kernel.org/torvalds/c/bbf5a1d0e5d0fb3bdf90205aa872636122692a50

See https://lore.kernel.org/all/20240103163415.304358-1-mic@xxxxxxxxxxx/

On Wed, Dec 20, 2023 at 04:19:44PM +0500, Muhammad Usama Anjum wrote:
> On 12/20/23 2:17 PM, Mickaël Salaün wrote:
> > Hi Muhammad,
> > 
> > Thanks for the report.
> > 
> > On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
> >> Hi Konstantin,
> >>
> >> There are some errors being reported in KernelCI:
> >> https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
> >>
> >> The following sub-tests are failing:
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
> >> landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
> >>
> >> From my initial investigation, I can see that these failures are coming
> >> from just finding the wrong return error code (-97 instead of -22). It may
> >> be test's issue or the kernel's, not sure yet.
> > 
> > I cannot reproduce these errors (with the same kernel commit), the
> > Defconfig URL is broken. Could you please share the config used for
> > tests?
> I've also attached the config. I'm generated the config by following:
> make defconfig && make kvm_guest.config
> scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config
> 
> > 
> > According to the failing tests, it looks like the network stack returns
> > EAFNOSUPPORT instead of EINVAL, which should happen because addr_len <
> > SIN6_LEN_RFC2133 (cf. inet6_bind_sk).  I then think that the issue comes
> > from an inconsistent error priority with the prot->bind() call in
> > inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains
> > AF_UNSPEC. I didn't find such bind() implementations though.
> > 
> > Could you please validate this theory by removing this call in
> > inet6_bind_sk() and run the tests again?
> I'll have a look if I can find anything.
> 
> > 
> > Eric, do you know where are such struct proto bind() implementations and
> > why they may return EAFNOSUPPORT?
> > 
> > Regards,
> >  Mickaël
> > 
> > 
> >>
> >> Thanks,
> >> Usama
> >>
> >> On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
> >>> Add 82 test suites to check edge cases related to bind() and connect()
> >>> actions. They are defined with 6 fixtures and their variants:
> >>>
> >>> The "protocol" fixture is extended with 12 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
> >>> stream/datagram socket. 4 related tests suites are defined:
> >>> * bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
> >>> * connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix
> >>> sockets.
> >>> * bind_unspec: Tests with non-landlocked/landlocked restrictions
> >>> for bind action with AF_UNSPEC socket family.
> >>> * connect_unspec: Tests with non-landlocked/landlocked restrictions
> >>> for connect action with AF_UNSPEC socket family.
> >>>
> >>> The "ipv4" fixture is extended with 4 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/unix network domain, and
> >>> stream/datagram socket. 1 related test suite is defined:
> >>> * from_unix_to_inet: Tests to make sure unix sockets' actions are not
> >>> restricted by Landlock rules applied to TCP ones.
> >>>
> >>> The "tcp_layers" fixture is extended with 8 variants defined as a matrix
> >>> of: IPv4/IPv6 network domain, and different number of landlock rule layers.
> >>> 2 related tests suites are defined:
> >>> * ruleset_overlap.
> >>> * ruleset_expand.
> >>>
> >>> In the "mini" fixture 4 tests suites are defined:
> >>> * network_access_rights: Tests with legitimate access values.
> >>> * unknown_access_rights: Tests with invalid attributes, out of access
> >>>   range.
> >>> * inval:
> >>>   - unhandled allowed access.
> >>>   - zero access value.
> >>> * tcp_port_overflow: Tests with wrong port values more than U16_MAX.
> >>>
> >>> In the "ipv4_tcp" fixture supports IPv4 network domain, stream socket.
> >>> 2 tests suites are defined:
> >>> * port_endianness: Tests with big/little endian port formats.
> >>> * with_fs: Tests with network bind() socket action within
> >>> filesystem directory access test.
> >>>
> >>> The "port_specific" fixture is extended with 4 variants defined
> >>> as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
> >>> and stream socket. 2 related tests suites are defined:
> >>> * bind_connect_zero: Tests with port 0 value.
> >>> * bind_connect_1023: Tests with port 1023 value.
> >>>
> >>> Test coverage for security/landlock is 94.5% of 932 lines according to
> >>> gcc/gcov-9.
> >>>
> >>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
> >>> Co-developed-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> >>> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> >>> ---




[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux