Hi,

This is a new V5 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.18-rc5:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip

It brings refactoring of the previous patch version V4.
Added additional selftests for IPv6 network families and network namespaces.
Added TCP socket confinement support in the sandboxer demo.

All tests were run in a QEMU environment and compiled with the -static flag.
1. network_test: 13/13 tests passed.
2. base_test: 7/7 tests passed.
3. fs_test: 59/59 tests passed.
4. ptrace_test: 8/8 tests passed.

Still have an issue with base_test when compiled without the -static flag
(landlock-wip branch without network support):
1. base_test: 6/7 tests passed.
Error:
#  RUN           global.inconsistent_attr ...
# base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
# inconsistent_attr: Test terminated by assertion
#          FAIL  global.inconsistent_attr
not ok 1 global.inconsistent_attr

LCOV - code coverage report:
            Hit   Total   Coverage
Lines:      952   1010    94.3 %
Functions:   79     82    96.3 %

Previous versions:
v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@xxxxxxxxxx/
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/

Konstantin Meskhidze (15):
  landlock: access mask renaming
  landlock: landlock_find/insert_rule refactoring
  landlock: merge and inherit function refactoring
  landlock: helper functions refactoring
  landlock: landlock_add_rule syscall refactoring
  landlock: user space API network support
  landlock: add support network rules
  landlock: TCP network hooks implementation
  selftests/landlock: add tests for bind() hooks
  selftests/landlock: add tests for connect() hooks
  selftests/landlock: connect() with AF_UNSPEC tests
  selftests/landlock: rules overlapping test
  selftests/landlock: ruleset expanding test
  selftests/landlock: invalid user input data test
  samples/landlock: adds network demo

 include/uapi/linux/landlock.h                |  48 +
 samples/landlock/sandboxer.c                 | 105 ++-
 security/landlock/Kconfig                    |   1 +
 security/landlock/Makefile                   |   2 +
 security/landlock/fs.c                       | 169 +---
 security/landlock/limits.h                   |   8 +-
 security/landlock/net.c                      | 159 ++++
 security/landlock/net.h                      |  25 +
 security/landlock/ruleset.c                  | 481 ++++++++--
 security/landlock/ruleset.h                  | 102 +-
 security/landlock/setup.c                    |   2 +
 security/landlock/syscalls.c                 | 173 ++--
 tools/testing/selftests/landlock/base_test.c |   4 +-
 tools/testing/selftests/landlock/common.h    |   9 +
 tools/testing/selftests/landlock/config      |   5 +-
 tools/testing/selftests/landlock/fs_test.c   |  10 -
 tools/testing/selftests/landlock/net_test.c  | 935 +++++++++++++++++++
 17 files changed, 1925 insertions(+), 313 deletions(-)
 create mode 100644 security/landlock/net.c
 create mode 100644 security/landlock/net.h
 create mode 100644 tools/testing/selftests/landlock/net_test.c

-- 
2.25.1