On 7/27/2022 10:54 PM, Mickaël Salaün wrote:
On 26/07/2022 19:43, Mickaël Salaün wrote:
On 21/06/2022 10:22, Konstantin Meskhidze wrote:
Hi,
This is a new V6 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.19-rc2:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
It brings refactoring of the previous patch version, V5:
- Fixes some logic errors and typos.
- Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
to support both ip4 and ip6 families and shorten the selftests' code.
- Makes TCP sockets confinement support optional in sandboxer demo.
- Formats the code with clang-format-14
All tests were run in a QEMU environment and compiled with the
-static flag.
1. network_test: 18/18 tests passed.
2. base_test: 7/7 tests passed.
3. fs_test: 59/59 tests passed.
4. ptrace_test: 8/8 tests passed.
I still have an issue with base_test when it is compiled without the -static flag
(landlock-wip branch without network support):
1. base_test: 6/7 tests passed.
Error:
# RUN global.inconsistent_attr ...
# base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
# inconsistent_attr: Test terminated by assertion
# FAIL global.inconsistent_attr
not ok 1 global.inconsistent_attr
LCOV - code coverage report:
                 Hit   Total   Coverage
  Lines:         952    1010     94.3 %
  Functions:      79      82     96.3 %
Previous versions:
v5:
https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@xxxxxxxxxx
v4:
https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@xxxxxxxxxx/
v3:
https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@xxxxxxxxxx/
v2:
https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@xxxxxxxxxx/
v1:
https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@xxxxxxxxxx/
Konstantin Meskhidze (17):
landlock: renames access mask
landlock: refactors landlock_find/insert_rule
landlock: refactors merge and inherit functions
landlock: moves helper functions
landlock: refactors helper functions
landlock: refactors landlock_add_rule syscall
landlock: user space API network support
landlock: adds support network rules
landlock: implements TCP network hooks
seltests/landlock: moves helper function
seltests/landlock: adds tests for bind() hooks
seltests/landlock: adds tests for connect() hooks
seltests/landlock: adds AF_UNSPEC family test
seltests/landlock: adds rules overlapping test
seltests/landlock: adds ruleset expanding test
seltests/landlock: adds invalid input data test
samples/landlock: adds network demo
include/uapi/linux/landlock.h | 49 ++
samples/landlock/sandboxer.c | 118 ++-
security/landlock/Kconfig | 1 +
security/landlock/Makefile | 2 +
security/landlock/fs.c | 162 +---
security/landlock/limits.h | 8 +-
security/landlock/net.c | 155 ++++
security/landlock/net.h | 26 +
security/landlock/ruleset.c | 448 +++++++++--
security/landlock/ruleset.h | 91 ++-
security/landlock/setup.c | 2 +
security/landlock/syscalls.c | 168 +++--
tools/testing/selftests/landlock/common.h | 10 +
tools/testing/selftests/landlock/config | 4 +
tools/testing/selftests/landlock/fs_test.c | 10 -
tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
16 files changed, 1737 insertions(+), 291 deletions(-)
create mode 100644 security/landlock/net.c
create mode 100644 security/landlock/net.h
create mode 100644 tools/testing/selftests/landlock/net_test.c
--
2.25.1
I did a thorough review of all the code. I found that the main issue
with this version is that we stick to the layers limit whereas it is
only relevant for filesystem hierarchies. You'll find in the following
patch miscellaneous fixes and improvements, with some TODOs to get rid of
this layer limit. We'll need a test to check that too. You'll need to
integrate this diff into your patches though.
You can find the related patch here:
https://git.kernel.org/mic/c/8f4104b3dc59e7f110c9b83cdf034d010a2d006f
Ok. Thank you.
I will split your patch among my next V7 version.