[PATCH v6 00/17] Network support for Landlock
Mickaël Salaün
mic at digikod.net
Wed Jul 27 19:54:52 UTC 2022
On 26/07/2022 19:43, Mickaël Salaün wrote:
>
> On 21/06/2022 10:22, Konstantin Meskhidze wrote:
>> Hi,
>> This is a new V6 patch related to Landlock LSM network confinement.
>> It is based on the latest landlock-wip branch on top of v5.19-rc2:
>> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
>>
>> It brings refactoring of previous patch version V5:
>> - Fixes some logic errors and typos.
>> - Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
>> to support both ip4 and ip6 families and shorten seltests' code.
>> - Makes TCP sockets confinement support optional in sandboxer demo.
>> - Formats the code with clang-format-14
>>
>> All test were run in QEMU evironment and compiled with
>> -static flag.
>> 1. network_test: 18/18 tests passed.
>> 2. base_test: 7/7 tests passed.
>> 3. fs_test: 59/59 tests passed.
>> 4. ptrace_test: 8/8 tests passed.
>>
>> Still have issue with base_test were compiled without -static flag
>> (landlock-wip branch without network support)
>> 1. base_test: 6/7 tests passed.
>> Error:
>> # RUN global.inconsistent_attr ...
>> # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>> # inconsistent_attr: Test terminated by assertion
>> # FAIL global.inconsistent_attr
>> not ok 1 global.inconsistent_attr
>>
>> LCOV - code coverage report:
>> Hit Total Coverage
>> Lines: 952 1010 94.3 %
>> Functions: 79 82 96.3 %
>>
>> Previous versions:
>> v5:
>> https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
>> v4:
>> https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
>> v3:
>> https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
>> v2:
>> https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
>> v1:
>> https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>>
>> Konstantin Meskhidze (17):
>> landlock: renames access mask
>> landlock: refactors landlock_find/insert_rule
>> landlock: refactors merge and inherit functions
>> landlock: moves helper functions
>> landlock: refactors helper functions
>> landlock: refactors landlock_add_rule syscall
>> landlock: user space API network support
>> landlock: adds support network rules
>> landlock: implements TCP network hooks
>> seltests/landlock: moves helper function
>> seltests/landlock: adds tests for bind() hooks
>> seltests/landlock: adds tests for connect() hooks
>> seltests/landlock: adds AF_UNSPEC family test
>> seltests/landlock: adds rules overlapping test
>> seltests/landlock: adds ruleset expanding test
>> seltests/landlock: adds invalid input data test
>> samples/landlock: adds network demo
>>
>> include/uapi/linux/landlock.h | 49 ++
>> samples/landlock/sandboxer.c | 118 ++-
>> security/landlock/Kconfig | 1 +
>> security/landlock/Makefile | 2 +
>> security/landlock/fs.c | 162 +---
>> security/landlock/limits.h | 8 +-
>> security/landlock/net.c | 155 ++++
>> security/landlock/net.h | 26 +
>> security/landlock/ruleset.c | 448 +++++++++--
>> security/landlock/ruleset.h | 91 ++-
>> security/landlock/setup.c | 2 +
>> security/landlock/syscalls.c | 168 +++--
>> tools/testing/selftests/landlock/common.h | 10 +
>> tools/testing/selftests/landlock/config | 4 +
>> tools/testing/selftests/landlock/fs_test.c | 10 -
>> tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
>> 16 files changed, 1737 insertions(+), 291 deletions(-)
>> create mode 100644 security/landlock/net.c
>> create mode 100644 security/landlock/net.h
>> create mode 100644 tools/testing/selftests/landlock/net_test.c
>>
>> --
>> 2.25.1
>>
>
> I did a thorough review of all the code. I found that the main issue
> with this version is that we stick to the layers limit whereas it is
> only relevant for filesystem hierarchies. You'll find in the following
> patch miscellaneous fixes and improvement, with some TODOs to get rid of
> this layer limit. We'll need a test to check that too. You'll need to
> integrate this diff into your patches though.
You can find the related patch here:
https://git.kernel.org/mic/c/8f4104b3dc59e7f110c9b83cdf034d010a2d006f
More information about the Linux-security-module-archive
mailing list