Thanks for the report and the test Muhammad, the fix is now merged:
https://git.kernel.org/torvalds/c/bbf5a1d0e5d0fb3bdf90205aa872636122692a50

See https://lore.kernel.org/all/20240103163415.304358-1-mic@xxxxxxxxxxx/

On Wed, Dec 20, 2023 at 04:19:44PM +0500, Muhammad Usama Anjum wrote:
> On 12/20/23 2:17 PM, Mickaël Salaün wrote:
> > Hi Muhammad,
> >
> > Thanks for the report.
> >
> > On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
> >> Hi Konstantin,
> >>
> >> There are some errors being reported in KernelCI:
> >> https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
> >>
> >> The following sub-tests are failing:
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
> >> landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
> >>
> >> From my initial investigation, I can see that these failures are coming
> >> from just finding the wrong return error code (-97 instead of -22). It may
> >> be test's issue or the kernel's, not sure yet.
> >
> > I cannot reproduce these errors (with the same kernel commit), the
> > Defconfig URL is broken. Could you please share the config used for
> > tests?
> I've also attached the config. I've generated the config by following:
> make defconfig && make kvm_guest.config
> scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config
>
> >
> > According to the failing tests, it looks like the network stack returns
> > EAFNOSUPPORT instead of EINVAL, which should happen because addr_len <
> > SIN6_LEN_RFC2133 (cf. inet6_bind_sk). I then think that the issue comes
> > from an inconsistent error priority with the prot->bind() call in
> > inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains
> > AF_UNSPEC. I didn't find such bind() implementations though.
> >
> > Could you please validate this theory by removing this call in
> > inet6_bind_sk() and run the tests again?
> I'll have a look if I can find anything.
>
> >
> > Eric, do you know where are such struct proto bind() implementations and
> > why they may return EAFNOSUPPORT?
> >
> > Regards,
> > Mickaël
> >
> >
> >>
> >> Thanks,
> >> Usama
> >>
> >> On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
> >>> Add 82 test suites to check edge cases related to bind() and connect()
> >>> actions. They are defined with 6 fixtures and their variants:
> >>>
> >>> The "protocol" fixture is extended with 12 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
> >>> stream/datagram socket. 4 related tests suites are defined:
> >>> * bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
> >>> * connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix
> >>>   sockets.
> >>> * bind_unspec: Tests with non-landlocked/landlocked restrictions
> >>>   for bind action with AF_UNSPEC socket family.
> >>> * connect_unspec: Tests with non-landlocked/landlocked restrictions
> >>>   for connect action with AF_UNSPEC socket family.
> >>>
> >>> The "ipv4" fixture is extended with 4 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/unix network domain, and
> >>> stream/datagram socket. 1 related test suite is defined:
> >>> * from_unix_to_inet: Tests to make sure unix sockets' actions are not
> >>>   restricted by Landlock rules applied to TCP ones.
> >>>
> >>> The "tcp_layers" fixture is extended with 8 variants defined as a matrix
> >>> of: IPv4/IPv6 network domain, and different number of landlock rule layers.
> >>> 2 related tests suites are defined:
> >>> * ruleset_overlap.
> >>> * ruleset_expand.
> >>>
> >>> In the "mini" fixture 4 tests suites are defined:
> >>> * network_access_rights: Tests with legitimate access values.
> >>> * unknown_access_rights: Tests with invalid attributes, out of access
> >>>   range.
> >>> * inval:
> >>>   - unhandled allowed access.
> >>>   - zero access value.
> >>> * tcp_port_overflow: Tests with wrong port values more than U16_MAX.
> >>>
> >>> In the "ipv4_tcp" fixture supports IPv4 network domain, stream socket.
> >>> 2 tests suites are defined:
> >>> * port_endianness: Tests with big/little endian port formats.
> >>> * with_fs: Tests with network bind() socket action within
> >>>   filesystem directory access test.
> >>>
> >>> The "port_specific" fixture is extended with 4 variants defined
> >>> as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
> >>> and stream socket. 2 related tests suites are defined:
> >>> * bind_connect_zero: Tests with port 0 value.
> >>> * bind_connect_1023: Tests with port 1023 value.
> >>>
> >>> Test coverage for security/landlock is 94.5% of 932 lines according to
> >>> gcc/gcov-9.
> >>>
> >>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
> >>> Co-developed-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> >>> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> >>> ---
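
The error-code question discussed in the thread above can be checked outside the selftest harness with a small probe. This is an added example, not code from the thread or from the kernel selftests; `probe_bind_unspec()` and `classify()` are hypothetical names, and the address used (a zeroed `struct sockaddr_in` with `AF_UNSPEC`) is an assumption chosen so that `addr_len < SIN6_LEN_RFC2133`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { V_EXPECTED, V_INCONSISTENT, V_NO_IPV6, V_OTHER };

/*
 * Hypothetical helper: bind() an AF_INET6 socket to an AF_UNSPEC address.
 * Assumption: the address is a zeroed struct sockaddr_in (16 bytes), shorter
 * than SIN6_LEN_RFC2133 (24). Returns the bind() errno, 0 if bind()
 * succeeded, or -1 if no IPv6 socket could be created.
 */
int probe_bind_unspec(int sock_type)
{
	struct sockaddr_in addr;
	int err = 0;
	int fd = socket(AF_INET6, sock_type, 0);
	if (fd < 0)
		return -1;
	memset(&addr, 0, sizeof(addr));	/* INADDR_ANY, port 0 */
	addr.sin_family = AF_UNSPEC;
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
		err = errno;
	close(fd);
	return err;
}

/* Map a probe result onto the outcomes discussed in the thread. */
enum verdict classify(int result)
{
	switch (result) {
	case EINVAL:       return V_EXPECTED;     /* -22: short addr_len reported */
	case EAFNOSUPPORT: return V_INCONSISTENT; /* -97: seen in failing tests */
	case -1:           return V_NO_IPV6;
	default:           return V_OTHER;
	}
}

int main(void)
{
	static const char *const text[] = { "EINVAL (expected)",
		"EAFNOSUPPORT (inconsistent priority)", "no IPv6 socket", "other" };
	int tcp = probe_bind_unspec(SOCK_STREAM);
	int udp = probe_bind_unspec(SOCK_DGRAM);
	printf("tcp: %d -> %s\nudp: %d -> %s\n", tcp, text[classify(tcp)],
	       udp, text[classify(udp)]);
	return 0;
}
```

Running it on the same kernel and config as the failing KernelCI job shows which of the two error codes that configuration reports for TCP and UDP.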