Re: [PATCH v6 00/17] Network support for Landlock

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 26/07/2022 19:43, Mickaël Salaün wrote:

On 21/06/2022 10:22, Konstantin Meskhidze wrote:
Hi,
This is a new V6 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.19-rc2:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip

It brings refactoring of previous patch version V5:
     - Fixes some logic errors and typos.
     - Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
     to support both ip4 and ip6 families and shorten seltests' code.
     - Makes TCP sockets confinement support optional in sandboxer demo.
     - Formats the code with clang-format-14

All test were run in QEMU evironment and compiled with
  -static flag.
  1. network_test: 18/18 tests passed.
  2. base_test: 7/7 tests passed.
  3. fs_test: 59/59 tests passed.
  4. ptrace_test: 8/8 tests passed.

Still have issue with base_test were compiled without -static flag
(landlock-wip branch without network support)
1. base_test: 6/7 tests passed.
  Error:
  #  RUN           global.inconsistent_attr ...
  # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
  # inconsistent_attr: Test terminated by assertion
  #          FAIL  global.inconsistent_attr
not ok 1 global.inconsistent_attr

LCOV - code coverage report:
             Hit  Total  Coverage
Lines:      952  1010    94.3 %
Functions:  79   82      96.3 %

Previous versions:
v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@xxxxxxxxxx v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@xxxxxxxxxx/ v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/ v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/ v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/

Konstantin Meskhidze (17):
   landlock: renames access mask
   landlock: refactors landlock_find/insert_rule
   landlock: refactors merge and inherit functions
   landlock: moves helper functions
   landlock: refactors helper functions
   landlock: refactors landlock_add_rule syscall
   landlock: user space API network support
   landlock: adds support network rules
   landlock: implements TCP network hooks
   seltests/landlock: moves helper function
   seltests/landlock: adds tests for bind() hooks
   seltests/landlock: adds tests for connect() hooks
   seltests/landlock: adds AF_UNSPEC family test
   seltests/landlock: adds rules overlapping test
   seltests/landlock: adds ruleset expanding test
   seltests/landlock: adds invalid input data test
   samples/landlock: adds network demo

  include/uapi/linux/landlock.h               |  49 ++
  samples/landlock/sandboxer.c                | 118 ++-
  security/landlock/Kconfig                   |   1 +
  security/landlock/Makefile                  |   2 +
  security/landlock/fs.c                      | 162 +---
  security/landlock/limits.h                  |   8 +-
  security/landlock/net.c                     | 155 ++++
  security/landlock/net.h                     |  26 +
  security/landlock/ruleset.c                 | 448 +++++++++--
  security/landlock/ruleset.h                 |  91 ++-
  security/landlock/setup.c                   |   2 +
  security/landlock/syscalls.c                | 168 +++--
  tools/testing/selftests/landlock/common.h   |  10 +
  tools/testing/selftests/landlock/config     |   4 +
  tools/testing/selftests/landlock/fs_test.c  |  10 -
  tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
  16 files changed, 1737 insertions(+), 291 deletions(-)
  create mode 100644 security/landlock/net.c
  create mode 100644 security/landlock/net.h
  create mode 100644 tools/testing/selftests/landlock/net_test.c

--
2.25.1


I did a thorough review of all the code. I found that the main issue with this version is that we stick to the layers limit whereas it is only relevant for filesystem hierarchies. You'll find in the following patch miscellaneous fixes and improvement, with some TODOs to get rid of this layer limit. We'll need a test to check that too. You'll need to integrate this diff into your patches though.



[...]

diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 469811a77675..e7555b16069a 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c

[...]

@@ -719,15 +679,43 @@ bool unmask_layers(const struct landlock_rule *const rule,
      return false;
  }

+typedef access_mask_t
+get_access_mask_t(const struct landlock_ruleset *const ruleset,
+          const u16 layer_level);
+
+/*
+ * @layer_masks must contain LANDLOCK_NUM_ACCESS_FS or LANDLOCK_NUM_ACCESS_NET
+ * elements according to @key_type.
+ */
 access_mask_t init_layer_masks(const struct landlock_ruleset *const domain,
                     const access_mask_t access_request,
                     layer_mask_t (*const layer_masks)[],
-                   size_t masks_size, u16 rule_type)
+                   const enum landlock_key_type key_type)
  {
      access_mask_t handled_accesses = 0;
-    size_t layer_level;
+    size_t layer_level, num_access;
+    get_access_mask_t *get_access_mask;
+
+    switch (key_type) {
+    case LANDLOCK_KEY_INODE:
+        // XXX: landlock_get_fs_access_mask() should not be removed

There is an extra "not", it should be: "landlock_get_fs_access_mask() and landlock_get_net_access_mask() should be removed".


+        // once we use ruleset->net_access_mask, and we can then
+        // replace the @key_type argument with num_access to make the
+        // code simpler.
+        get_access_mask = landlock_get_fs_access_mask;
+        num_access = LANDLOCK_NUM_ACCESS_FS;
+        break;
+    case LANDLOCK_KEY_NET_PORT:
+        get_access_mask = landlock_get_net_access_mask;
+        num_access = LANDLOCK_NUM_ACCESS_NET;
+        break;
+    default:
+        WARN_ON_ONCE(1);
+        return 0;
+    }



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux