Re: [RFC PATCH v4 00/15] Landlock LSM

Hi Konstantin,

This series looks good! Thanks for the split in multiple patches.


On 09/03/2022 14:44, Konstantin Meskhidze wrote:
> Hi,
> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
> It brings deep refactoring and commit splitting of previous version V3.
> Also added additional selftests.
>
> This patch series can be applied on top of v5.17-rc3.
>
> All tests were run in a QEMU environment and compiled with
>   -static flag.
>   1. network_test: 9/9 tests passed.

I get a kernel warning running the network tests.

>   2. base_test: 8/8 tests passed.
>   3. fs_test: 46/46 tests passed.
>   4. ptrace_test: 4/8 tests passed.

Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.


> Tests were also launched for Landlock version without
> v4 patch:
>   1. base_test: 8/8 tests passed.
>   2. fs_test: 46/46 tests passed.
>   3. ptrace_test: 4/8 tests passed.
>
> Could not provide test coverage because of problems with tests
> on VM (no -static flag for compiling the tests, no v4 patch applied):

You can build statically-linked tests with:
make -C tools/testing/selftests/landlock CFLAGS=-static

> 1. base_test: 7/8 tests passed.
>   Error:
>   # Starting 8 tests from 1 test cases.
>   #  RUN           global.inconsistent_attr ...
>   # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)

This looks like a bug in the syscall argument checks.

>   # inconsistent_attr: Test terminated by assertion
> 2. fs_test: 0 / 46 tests passed
>   Error for all tests:
>   # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
>   # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
>   # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
>   # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists

You need to run these tests as root.

> 3. ptrace_test: 4 / 8 tests passed.
>
> Previous versions:
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/

Nice to have this history!


> Konstantin Meskhidze (15):
>    landlock: access mask renaming
>    landlock: filesystem access mask helpers
>    landlock: landlock_find/insert_rule refactoring
>    landlock: merge and inherit function refactoring
>    landlock: unmask_layers() function refactoring
>    landlock: landlock_add_rule syscall refactoring
>    landlock: user space API network support
>    landlock: add support network rules
>    landlock: TCP network hooks implementation
>    seltest/landlock: add tests for bind() hooks
>    seltest/landlock: add tests for connect() hooks
>    seltest/landlock: connect() with AF_UNSPEC tests
>    seltest/landlock: rules overlapping test
>    seltest/landlock: ruleset expanding test
>    seltest/landlock: invalid user input data test
>
>   include/uapi/linux/landlock.h                 |  48 ++
>   security/landlock/Kconfig                     |   1 +
>   security/landlock/Makefile                    |   2 +-
>   security/landlock/fs.c                        |  72 +-
>   security/landlock/limits.h                    |   6 +
>   security/landlock/net.c                       | 180 +++++
>   security/landlock/net.h                       |  22 +
>   security/landlock/ruleset.c                   | 383 ++++++++--
>   security/landlock/ruleset.h                   |  72 +-
>   security/landlock/setup.c                     |   2 +
>   security/landlock/syscalls.c                  | 176 +++--
>   .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
>   12 files changed, 1434 insertions(+), 195 deletions(-)
>   create mode 100644 security/landlock/net.c
>   create mode 100644 security/landlock/net.h
>   create mode 100644 tools/testing/selftests/landlock/network_test.c
>
> --
> 2.25.1
