Hello!

This patchset provides two general fixes for TCP Landlock hooks:

The first one fixes incorrect restriction of non-TCP bind/connect actions.
There are two commits related to testing MPTCP and SCTP protocols, which
were incorrectly restricted. The SCTP implementation has an invalid check
for the minimal address length in the bind(2) call [1], therefore the
commit with SCTP testing can be applied later, after the necessary SCTP
fixes.

[1] https://lore.kernel.org/all/20241004.Hohpheipieh2@xxxxxxxxxxx/

Closes: https://github.com/landlock-lsm/linux/issues/40

The second one fixes inconsistency of errors in the bind and connect hooks
for TCP sockets. It provides per-operation helpers, which consist of a set
of checks from the TCP network stack. Due to the TCP connect(2)
implementation it's not possible to obtain full consistency, but the
unhandled cases are rather special scenarios that should not normally
appear. Two new tests were implemented to validate consistency of errors.

Diffs of the second and third commits were unreadable, so I've decided to
rewrite the net.c file to simplify the reviewing process.

Code coverage
=============

Code coverage (gcov) report with the launch of the net_test selftest:
* security/landlock/net.c:
  lines......: 98.8% (79 of 80 lines)
  functions..: 100% (8 of 8 functions)

One uncovered line is documented in
check_tcp_connect_consistency_and_get_port().

General changes
===============

* Rebases on current linux-mic/next (based on Linux v6.12-rc3)
* Fixes inconsistency of TCP actions errors and implements two related
  tests.
* Removes SMC test suites.
* Adds separate commit for SCTP test suites.
* Adds test suites of protocol fixture for sockets created with
  protocol=IPPROTO_TCP (cf. socket(2)).

Previous versions
=================

v1: https://lore.kernel.org/all/20241003143932.2431249-1-ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx/

Mikhail Ivanov (8):
  landlock: Fix non-TCP sockets restriction
  landlock: Make network stack layer checks explicit for each TCP action
  landlock: Fix inconsistency of errors for TCP actions
  selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
  selftests/landlock: Test that MPTCP actions are not restricted
  selftests/landlock: Test consistency of errors for TCP actions
  landlock: Add note about errors consistency in documentation
  selftests/landlock: Test that SCTP actions are not restricted

 Documentation/userspace-api/landlock.rst    |   3 +-
 security/landlock/net.c                     | 501 +++++++++++------
 tools/testing/selftests/landlock/common.h   |   1 +
 tools/testing/selftests/landlock/config     |   4 +
 tools/testing/selftests/landlock/net_test.c | 532 ++++++++++++++++++--
 5 files changed, 825 insertions(+), 216 deletions(-)
 rewrite security/landlock/net.c (36%)

base-commit: fe76bd133024aaef12d12a7d58fa3e8d138d3bf3
--
2.34.1