[RFC PATCH v4 00/15] Landlock LSM

Konstantin Meskhidze konstantin.meskhidze at huawei.com
Wed Mar 9 13:44:44 UTC 2022


Hi,
This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
It brings deep refactirong and commit splitting of previous version V3.
Also added additional selftests.

This patch series can be applied on top of v5.17-rc3.

All test were run in QEMU evironment and compiled with
 -static flag.
 1. network_test: 9/9 tests passed.
 2. base_test: 8/8 tests passed.
 3. fs_test: 46/46 tests passed.
 4. ptrace_test: 4/8 tests passed.

Tests were also launched for Landlock version without
v4 patch:
 1. base_test: 8/8 tests passed.
 2. fs_test: 46/46 tests passed.
 3. ptrace_test: 4/8 tests passed.

Could not provide test coverage cause had problems with tests
on VM (no -static flag the tests compiling, no v4 patch applied):
1. base_test: 7/8 tests passed.
 Error:
 # Starting 8 tests from 1 test cases.
 #  RUN           global.inconsistent_attr ...
 # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
 # inconsistent_attr: Test terminated by assertion
2. fs_test: 0 / 46 tests passed
 Error for all tests:
 # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
 # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
 # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
 # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists
3. ptrace_test: 4 / 8 tests passed.

Previous versions:
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/

Konstantin Meskhidze (15):
  landlock: access mask renaming
  landlock: filesystem access mask helpers
  landlock: landlock_find/insert_rule refactoring
  landlock: merge and inherit function refactoring
  landlock: unmask_layers() function refactoring
  landlock: landlock_add_rule syscall refactoring
  landlock: user space API network support
  landlock: add support network rules
  landlock: TCP network hooks implementation
  seltest/landlock: add tests for bind() hooks
  seltest/landlock: add tests for connect() hooks
  seltest/landlock: connect() with AF_UNSPEC tests
  seltest/landlock: rules overlapping test
  seltest/landlock: ruleset expanding test
  seltest/landlock: invalid user input data test

 include/uapi/linux/landlock.h                 |  48 ++
 security/landlock/Kconfig                     |   1 +
 security/landlock/Makefile                    |   2 +-
 security/landlock/fs.c                        |  72 +-
 security/landlock/limits.h                    |   6 +
 security/landlock/net.c                       | 180 +++++
 security/landlock/net.h                       |  22 +
 security/landlock/ruleset.c                   | 383 ++++++++--
 security/landlock/ruleset.h                   |  72 +-
 security/landlock/setup.c                     |   2 +
 security/landlock/syscalls.c                  | 176 +++--
 .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
 12 files changed, 1434 insertions(+), 195 deletions(-)
 create mode 100644 security/landlock/net.c
 create mode 100644 security/landlock/net.h
 create mode 100644 tools/testing/selftests/landlock/network_test.c

--
2.25.1



More information about the Linux-security-module-archive mailing list