Re: [PATCH v6 00/17] Network support for Landlock

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





7/27/2022 10:54 PM, Mickaël Salaün пишет:


On 26/07/2022 19:43, Mickaël Salaün wrote:

On 21/06/2022 10:22, Konstantin Meskhidze wrote:
Hi,
This is a new V6 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.19-rc2:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip

It brings refactoring of previous patch version V5:
     - Fixes some logic errors and typos.
     - Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
     to support both ip4 and ip6 families and shorten seltests' code.
     - Makes TCP sockets confinement support optional in sandboxer demo.
     - Formats the code with clang-format-14

All test were run in QEMU evironment and compiled with
  -static flag.
  1. network_test: 18/18 tests passed.
  2. base_test: 7/7 tests passed.
  3. fs_test: 59/59 tests passed.
  4. ptrace_test: 8/8 tests passed.

Still have issue with base_test were compiled without -static flag
(landlock-wip branch without network support)
1. base_test: 6/7 tests passed.
  Error:
  #  RUN           global.inconsistent_attr ...
  # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
  # inconsistent_attr: Test terminated by assertion
  #          FAIL  global.inconsistent_attr
not ok 1 global.inconsistent_attr

LCOV - code coverage report:
             Hit  Total  Coverage
Lines:      952  1010    94.3 %
Functions:  79   82      96.3 %

Previous versions:
v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@xxxxxxxxxx v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@xxxxxxxxxx/ v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/ v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/ v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/

Konstantin Meskhidze (17):
   landlock: renames access mask
   landlock: refactors landlock_find/insert_rule
   landlock: refactors merge and inherit functions
   landlock: moves helper functions
   landlock: refactors helper functions
   landlock: refactors landlock_add_rule syscall
   landlock: user space API network support
   landlock: adds support network rules
   landlock: implements TCP network hooks
   seltests/landlock: moves helper function
   seltests/landlock: adds tests for bind() hooks
   seltests/landlock: adds tests for connect() hooks
   seltests/landlock: adds AF_UNSPEC family test
   seltests/landlock: adds rules overlapping test
   seltests/landlock: adds ruleset expanding test
   seltests/landlock: adds invalid input data test
   samples/landlock: adds network demo

  include/uapi/linux/landlock.h               |  49 ++
  samples/landlock/sandboxer.c                | 118 ++-
  security/landlock/Kconfig                   |   1 +
  security/landlock/Makefile                  |   2 +
  security/landlock/fs.c                      | 162 +---
  security/landlock/limits.h                  |   8 +-
  security/landlock/net.c                     | 155 ++++
  security/landlock/net.h                     |  26 +
  security/landlock/ruleset.c                 | 448 +++++++++--
  security/landlock/ruleset.h                 |  91 ++-
  security/landlock/setup.c                   |   2 +
  security/landlock/syscalls.c                | 168 +++--
  tools/testing/selftests/landlock/common.h   |  10 +
  tools/testing/selftests/landlock/config     |   4 +
  tools/testing/selftests/landlock/fs_test.c  |  10 -
  tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
  16 files changed, 1737 insertions(+), 291 deletions(-)
  create mode 100644 security/landlock/net.c
  create mode 100644 security/landlock/net.h
  create mode 100644 tools/testing/selftests/landlock/net_test.c

--
2.25.1


I did a thorough review of all the code. I found that the main issue with this version is that we stick to the layers limit whereas it is only relevant for filesystem hierarchies. You'll find in the following patch miscellaneous fixes and improvement, with some TODOs to get rid of this layer limit. We'll need a test to check that too. You'll need to integrate this diff into your patches though.

You can find the related patch here:
https://git.kernel.org/mic/c/8f4104b3dc59e7f110c9b83cdf034d010a2d006f

 Ok. Thank you.
 I will split your patch among my next V7 version.
.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux