[RFC PATCH v4 00/15] Landlock LSM
Mickaël Salaün
mic at digikod.net
Tue Mar 15 17:02:49 UTC 2022
Hi Konstantin,
This series looks good! Thanks for the split in multiple patches.
On 09/03/2022 14:44, Konstantin Meskhidze wrote:
> Hi,
> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
> It brings deep refactirong and commit splitting of previous version V3.
> Also added additional selftests.
>
> This patch series can be applied on top of v5.17-rc3.
>
> All test were run in QEMU evironment and compiled with
> -static flag.
> 1. network_test: 9/9 tests passed.
I get a kernel warning running the network tests.
> 2. base_test: 8/8 tests passed.
> 3. fs_test: 46/46 tests passed.
> 4. ptrace_test: 4/8 tests passed.
Does your test machine use Yama? That would explain the 4/8. You can
disable it with the appropriate sysctl.
>
> Tests were also launched for Landlock version without
> v4 patch:
> 1. base_test: 8/8 tests passed.
> 2. fs_test: 46/46 tests passed.
> 3. ptrace_test: 4/8 tests passed.
>
> Could not provide test coverage cause had problems with tests
> on VM (no -static flag the tests compiling, no v4 patch applied):
You can build statically-linked tests with:
make -C tools/testing/selftests/landlock CFLAGS=-static
> 1. base_test: 7/8 tests passed.
> Error:
> # Starting 8 tests from 1 test cases.
> # RUN global.inconsistent_attr ...
> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
This looks like a bug in the syscall argument checks.
> # inconsistent_attr: Test terminated by assertion
> 2. fs_test: 0 / 46 tests passed
> Error for all tests:
> # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
> # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
> # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
> # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists
You need to run these tests as root.
> 3. ptrace_test: 4 / 8 tests passed.
>
> Previous versions:
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
Nice to have this history!
>
> Konstantin Meskhidze (15):
> landlock: access mask renaming
> landlock: filesystem access mask helpers
> landlock: landlock_find/insert_rule refactoring
> landlock: merge and inherit function refactoring
> landlock: unmask_layers() function refactoring
> landlock: landlock_add_rule syscall refactoring
> landlock: user space API network support
> landlock: add support network rules
> landlock: TCP network hooks implementation
> seltest/landlock: add tests for bind() hooks
> seltest/landlock: add tests for connect() hooks
> seltest/landlock: connect() with AF_UNSPEC tests
> seltest/landlock: rules overlapping test
> seltest/landlock: ruleset expanding test
> seltest/landlock: invalid user input data test
>
> include/uapi/linux/landlock.h | 48 ++
> security/landlock/Kconfig | 1 +
> security/landlock/Makefile | 2 +-
> security/landlock/fs.c | 72 +-
> security/landlock/limits.h | 6 +
> security/landlock/net.c | 180 +++++
> security/landlock/net.h | 22 +
> security/landlock/ruleset.c | 383 ++++++++--
> security/landlock/ruleset.h | 72 +-
> security/landlock/setup.c | 2 +
> security/landlock/syscalls.c | 176 +++--
> .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
> 12 files changed, 1434 insertions(+), 195 deletions(-)
> create mode 100644 security/landlock/net.c
> create mode 100644 security/landlock/net.h
> create mode 100644 tools/testing/selftests/landlock/network_test.c
>
> --
> 2.25.1
>
More information about the Linux-security-module-archive
mailing list