[RFC PATCH v4 00/15] Landlock LSM
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Wed Mar 9 13:44:44 UTC 2022
Hi,
This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
It brings deep refactoring and commit splitting of the previous version V3.
Also added additional selftests.
This patch series can be applied on top of v5.17-rc3.
All tests were run in a QEMU environment and compiled with the
-static flag.
1. network_test: 9/9 tests passed.
2. base_test: 8/8 tests passed.
3. fs_test: 46/46 tests passed.
4. ptrace_test: 4/8 tests passed.
Tests were also launched for Landlock version without
v4 patch:
1. base_test: 8/8 tests passed.
2. fs_test: 46/46 tests passed.
3. ptrace_test: 4/8 tests passed.
Could not provide test coverage because I had problems with the tests
on the VM (tests compiled without the -static flag, no v4 patch applied):
1. base_test: 7/8 tests passed.
Error:
# Starting 8 tests from 1 test cases.
# RUN global.inconsistent_attr ...
# base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
# inconsistent_attr: Test terminated by assertion
2. fs_test: 0 / 46 tests passed
Error for all tests:
# common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
# common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
# fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
# fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists
3. ptrace_test: 4 / 8 tests passed.
Previous versions:
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
Konstantin Meskhidze (15):
landlock: access mask renaming
landlock: filesystem access mask helpers
landlock: landlock_find/insert_rule refactoring
landlock: merge and inherit function refactoring
landlock: unmask_layers() function refactoring
landlock: landlock_add_rule syscall refactoring
landlock: user space API network support
landlock: add support network rules
landlock: TCP network hooks implementation
seltest/landlock: add tests for bind() hooks
seltest/landlock: add tests for connect() hooks
seltest/landlock: connect() with AF_UNSPEC tests
seltest/landlock: rules overlapping test
seltest/landlock: ruleset expanding test
seltest/landlock: invalid user input data test
include/uapi/linux/landlock.h | 48 ++
security/landlock/Kconfig | 1 +
security/landlock/Makefile | 2 +-
security/landlock/fs.c | 72 +-
security/landlock/limits.h | 6 +
security/landlock/net.c | 180 +++++
security/landlock/net.h | 22 +
security/landlock/ruleset.c | 383 ++++++++--
security/landlock/ruleset.h | 72 +-
security/landlock/setup.c | 2 +
security/landlock/syscalls.c | 176 +++--
.../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
12 files changed, 1434 insertions(+), 195 deletions(-)
create mode 100644 security/landlock/net.c
create mode 100644 security/landlock/net.h
create mode 100644 tools/testing/selftests/landlock/network_test.c
--
2.25.1