[RFC PATCH 0/2] landlock network implementation cover letter
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Mon Feb 7 13:18:47 UTC 2022
2/1/2022 8:53 PM, Mickaël Salaün пишет:
>
> On 24/01/2022 09:02, Konstantin Meskhidze wrote:
>> Hi, all!
>>
>> This is a new bunch of RFC patches related to Landlock LSM network
>> confinement.
>> Here are previous discussions:
>> 1.
>> https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>>
>> 2.
>> https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
>>
>>
>> As in previous RFCs, 2 hooks are supported:
>> - hook_socket_bind()
>> - hook_socket_connect()
>>
>> Selftest are provided in tools/testing/selftests/landlock/network_test.c;
>> Implementation was tested in QEMU invironment with 5.13 kernel version:
>
> Again, you need to base your work on the latest kernel version.
>
Is it because there are new Landlock features in a latest kernel
version?
I thought 5.13 kernel version and the latest one have the same
Landlock functionality and there will not be rebasing problems in
future. But anyway I will base the work on the latest kernel.
Which kernel version do you work on now?
>
>> 1. base_test - passed all tests
>> 2. fs_test - passed 44/46 tests. 2 tests related to overlayfs failed.
>> Probably, I have wrong config options for overlayfs.
>
> The minimal required configuration is listed in the "config" file. You
> need to update it for the network tests as well. You missed the
> ptrace_test. To test everything you can run:
> fakeroot make -C tools/testing/selftests TARGETS=landlock gen_tar
> and then extract
> tools/testing/selftests/kselftest_install/kselftest-packages/kselftest.tar.gz
> and execute run_kselftest.sh on your VM.
Thank you. I missed config file in landlock selftests.
I will launch all landlock tests.
>
>
>> 3. network_test - passed all tests.
>> Please give your suggestions about test cover in network_test.c
>>
>> Implementation related issues
>> =============================
>
> It is more a changelog than issues. ;)
Ok. Thanks. I will add a changelog into the next patches.
>
>
>>
>> 1. Access masks array refactored into 1D one and changed
>> to 32 bits. Filesystem masks occupy 16 lower bits and network
>> masks reside in 16 upper bits.
>>
>> struct landlock_ruleset {
>> ...
>> ...
>> u32 access_masks[];
>> }
>>
>> 2. Refactor API functions in ruleset.c:
>> 1. Add (void *)object argument.
>> 2. Add u16 rule_type argument.
>>
>> - In filesystem case the "object" is defined by underlying inode.
>> In network case the "object" is defined by a port. There is
>> a union containing either a struct landlock_object pointer or a
>> raw data (here a u16 port):
>> union {
>> struct landlock_object *ptr;
>> uintptr_t data;
>> } object;
>>
>> - Everytime when a rule is inserted it's needed to provide a rule
>> type:
>>
>> landlock_insert_rule(ruleset, (void *)object, access, rule_type)
>> 1. A rule_type could be or LANDLOCK_RULE_NET_SERVICE or
>> LANDLOCK_RULE_PATH_BENEATH;
>> 2. (void *) object - is either landlock_object *ptr or port value;
>>
>> 3. Use two rb_trees in ruleset structure:
>> 1. root_inode - for filesystem objects (inodes).
>> 2. root_net_port - for network port objects.
>
> Thanks for these explanations!
Thanks for the review!!!
>
>
>>
>> Konstantin Meskhidze (2):
>> landlock: TCP network hooks implementation
>> landlock: selftests for bind and connect hooks
>>
>> include/uapi/linux/landlock.h | 52 +++
>> security/landlock/Makefile | 2 +-
>> security/landlock/fs.c | 12 +-
>> security/landlock/limits.h | 6 +
>> security/landlock/net.c | 175 +++++++++
>> security/landlock/net.h | 21 ++
>> security/landlock/ruleset.c | 167 ++++++---
>> security/landlock/ruleset.h | 40 +-
>> security/landlock/setup.c | 3 +
>> security/landlock/syscalls.c | 142 ++++---
>> .../testing/selftests/landlock/network_test.c | 346 ++++++++++++++++++
>> 11 files changed, 860 insertions(+), 106 deletions(-)
>> create mode 100644 security/landlock/net.c
>> create mode 100644 security/landlock/net.h
>> create mode 100644 tools/testing/selftests/landlock/network_test.c
>>
>> --
>> 2.25.1
>>
> .
More information about the Linux-security-module-archive
mailing list