Hi Konstantin, This series looks good! Thanks for the split in multiple patches. On 09/03/2022 14:44, Konstantin Meskhidze wrote:
Hi, This is a new V4 bunch of RFC patches related to Landlock LSM network confinement. It brings deep refactirong and commit splitting of previous version V3. Also added additional selftests. This patch series can be applied on top of v5.17-rc3. All test were run in QEMU evironment and compiled with -static flag. 1. network_test: 9/9 tests passed.
I get a kernel warning running the network tests.
2. base_test: 8/8 tests passed. 3. fs_test: 46/46 tests passed. 4. ptrace_test: 4/8 tests passed.
Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
Tests were also launched for Landlock version without v4 patch: 1. base_test: 8/8 tests passed. 2. fs_test: 46/46 tests passed. 3. ptrace_test: 4/8 tests passed. Could not provide test coverage cause had problems with tests on VM (no -static flag the tests compiling, no v4 patch applied):
You can build statically-linked tests with: make -C tools/testing/selftests/landlock CFLAGS=-static
1. base_test: 7/8 tests passed. Error: # Starting 8 tests from 1 test cases. # RUN global.inconsistent_attr ... # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
This looks like a bug in the syscall argument checks.
# inconsistent_attr: Test terminated by assertion 2. fs_test: 0 / 46 tests passed Error for all tests: # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1) # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1) # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists
You need to run these tests as root.
3. ptrace_test: 4 / 8 tests passed. Previous versions: v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/ v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/ v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/
Nice to have this history!
Konstantin Meskhidze (15): landlock: access mask renaming landlock: filesystem access mask helpers landlock: landlock_find/insert_rule refactoring landlock: merge and inherit function refactoring landlock: unmask_layers() function refactoring landlock: landlock_add_rule syscall refactoring landlock: user space API network support landlock: add support network rules landlock: TCP network hooks implementation seltest/landlock: add tests for bind() hooks seltest/landlock: add tests for connect() hooks seltest/landlock: connect() with AF_UNSPEC tests seltest/landlock: rules overlapping test seltest/landlock: ruleset expanding test seltest/landlock: invalid user input data test include/uapi/linux/landlock.h | 48 ++ security/landlock/Kconfig | 1 + security/landlock/Makefile | 2 +- security/landlock/fs.c | 72 +- security/landlock/limits.h | 6 + security/landlock/net.c | 180 +++++ security/landlock/net.h | 22 + security/landlock/ruleset.c | 383 ++++++++-- security/landlock/ruleset.h | 72 +- security/landlock/setup.c | 2 + security/landlock/syscalls.c | 176 +++-- .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++ 12 files changed, 1434 insertions(+), 195 deletions(-) create mode 100644 security/landlock/net.c create mode 100644 security/landlock/net.h create mode 100644 tools/testing/selftests/landlock/network_test.c -- 2.25.1