[RFC PATCH v4 00/15] Landlock LSM
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Thu Mar 17 13:01:49 UTC 2022
3/15/2022 8:02 PM, Mickaël Salaün wrote:
> Hi Konstantin,
>
> This series looks good! Thanks for the split in multiple patches.
>
Thanks. I follow your recommendations.
>
> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>> Hi,
>> This is a new V4 bunch of RFC patches related to Landlock LSM network
>> confinement.
>> It brings deep refactoring and commit splitting of the previous version V3.
>> Also, additional selftests were added.
>>
>> This patch series can be applied on top of v5.17-rc3.
>>
>> All tests were run in a QEMU environment and compiled with the
>> -static flag.
>> 1. network_test: 9/9 tests passed.
>
> I get a kernel warning running the network tests.
What kind of warning? Can you provide it please?
>
>> 2. base_test: 8/8 tests passed.
>> 3. fs_test: 46/46 tests passed.
>> 4. ptrace_test: 4/8 tests passed.
>
> Does your test machine use Yama? That would explain the 4/8. You can
> disable it with the appropriate sysctl.
>
>>
>> Tests were also launched for Landlock version without
>> v4 patch:
>> 1. base_test: 8/8 tests passed.
>> 2. fs_test: 46/46 tests passed.
>> 3. ptrace_test: 4/8 tests passed.
>>
>> Could not provide test coverage because I had problems with the tests
>> on the VM (tests compiled without the -static flag, no v4 patch applied):
>
> You can build statically-linked tests with:
> make -C tools/testing/selftests/landlock CFLAGS=-static
Ok. I will try. Thanks.
>
>> 1. base_test: 7/8 tests passed.
>> Error:
>> # Starting 8 tests from 1 test cases.
>> # RUN global.inconsistent_attr ...
>> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>
> This looks like a bug in the syscall argument checks.
I only get this bug when I don't use the -static option. With -static, base
test passes 8/8.
>
>> # inconsistent_attr: Test terminated by assertion
>> 2. fs_test: 0 / 46 tests passed
>> Error for all tests:
>> # common.h:126:no_restriction:Expected -1 (-1) !=
>> cap_set_proc(cap_p) (-1)
>> # common.h:127:no_restriction:Failed to cap_set_proc: Operation not
>> permitted
>> # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
>> # fs_test.c:107:no_restriction:Failed to create directory "tmp":
>> File exists
>
> You need to run these tests as root.
OK. I will try.
>
>> 3. ptrace_test: 4 / 8 tests passed.
>>
>> Previous versions:
>> v3:
>> https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
>>
>> v2:
>> https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
>>
>> v1:
>> https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>>
>
> Nice to have this history!
>
>>
>> Konstantin Meskhidze (15):
>> landlock: access mask renaming
>> landlock: filesystem access mask helpers
>> landlock: landlock_find/insert_rule refactoring
>> landlock: merge and inherit function refactoring
>> landlock: unmask_layers() function refactoring
>> landlock: landlock_add_rule syscall refactoring
>> landlock: user space API network support
>> landlock: add support for network rules
>> landlock: TCP network hooks implementation
>> selftest/landlock: add tests for bind() hooks
>> selftest/landlock: add tests for connect() hooks
>> selftest/landlock: connect() with AF_UNSPEC tests
>> selftest/landlock: rules overlapping test
>> selftest/landlock: ruleset expanding test
>> selftest/landlock: invalid user input data test
>>
>> include/uapi/linux/landlock.h | 48 ++
>> security/landlock/Kconfig | 1 +
>> security/landlock/Makefile | 2 +-
>> security/landlock/fs.c | 72 +-
>> security/landlock/limits.h | 6 +
>> security/landlock/net.c | 180 +++++
>> security/landlock/net.h | 22 +
>> security/landlock/ruleset.c | 383 ++++++++--
>> security/landlock/ruleset.h | 72 +-
>> security/landlock/setup.c | 2 +
>> security/landlock/syscalls.c | 176 +++--
>> .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
>> 12 files changed, 1434 insertions(+), 195 deletions(-)
>> create mode 100644 security/landlock/net.c
>> create mode 100644 security/landlock/net.h
>> create mode 100644 tools/testing/selftests/landlock/network_test.c
>>
>> --
>> 2.25.1
>>
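The series under discussion adds TCP bind()/connect() confinement to Landlock, plus selftests for invalid user input. As an added example, not code from this patch series or from the Landlock project, the C program below shows how a process confines its own TCP use with the network UAPI that was later merged into mainline Linux (6.7, Landlock ABI v4): LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP, struct landlock_net_port_attr and LANDLOCK_RULE_NET_PORT. Those are the mainline identifiers and are assumed here; they are not necessarily the names this v4 RFC uses. The constants and struct layouts are declared locally with an ll_ prefix so the program builds against older headers, and ll_check_net_rule(), the port numbers and the probe to 127.0.0.1 are this example's own choices. ll_check_net_rule() mirrors the input checks mainline applies to a port rule (empty allowed_access is ENOMSG; an access the ruleset does not handle, or a port above 65535, is EINVAL), so a bad rule is rejected before any syscall.

```c
/*
 * Added example (not from this patch series or the Landlock project):
 * confine the calling thread to one TCP bind() port and one TCP connect()
 * port with the network UAPI of mainline Linux 6.7 (Landlock ABI v4).
 * Constants and struct layouts mirror <linux/landlock.h> but are declared
 * locally (ll_ prefix) so this builds against older headers.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_NET_PORT 2 /* enum landlock_rule_type */
#define LL_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LL_MASK_ACCESS_NET (LL_ACCESS_NET_BIND_TCP | LL_ACCESS_NET_CONNECT_TCP)

struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };

/* Landlock ABI version, or -errno when the kernel offers no Landlock at all. */
int ll_abi_version(void)
{
	long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
	return v < 0 ? -errno : (int)v;
}

/* User-space mirror of the kernel's checks on a net port rule (see lead-in). */
int ll_check_net_rule(uint64_t handled, uint64_t allowed_access, uint64_t port)
{
	if (!allowed_access)
		return -ENOMSG;
	if ((allowed_access | handled) != handled)
		return -EINVAL;
	if (port > UINT16_MAX)
		return -EINVAL;
	return 0;
}

/* Restrict this thread to bind() on bind_port and connect() to connect_port. */
int ll_restrict_tcp(uint16_t bind_port, uint16_t connect_port)
{
	int abi = ll_abi_version();
	if (abi < 0)
		return abi;
	if (abi < 4)
		return -EOPNOTSUPP; /* network rules need ABI v4 or later */

	/* Only TCP is handled here; filesystem access stays unrestricted. */
	struct ll_ruleset_attr rs = { .handled_access_fs = 0,
				      .handled_access_net = LL_MASK_ACCESS_NET };
	int fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (fd < 0)
		return -errno;

	struct ll_net_port_attr rules[] = {
		{ .allowed_access = LL_ACCESS_NET_BIND_TCP, .port = bind_port },
		{ .allowed_access = LL_ACCESS_NET_CONNECT_TCP, .port = connect_port },
	};
	int err = 0;
	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]) && !err; i++) {
		err = ll_check_net_rule(rs.handled_access_net, rules[i].allowed_access, rules[i].port);
		if (!err && syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &rules[i], 0) < 0)
			err = -errno;
	}
	/* no_new_privs is mandatory before landlock_restrict_self(). */
	if (!err && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
		err = -errno;
	if (!err && syscall(__NR_landlock_restrict_self, fd, 0) < 0)
		err = -errno;
	close(fd);
	return err;
}

/* TCP connect() to 127.0.0.1:port; returns 0 or -errno (EACCES once confined). */
int ll_probe_connect(uint16_t port)
{
	int s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
		return -errno;
	struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	int r = connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0 ? -errno : 0;
	close(s);
	return r;
}

int main(void)
{
	int r = ll_restrict_tcp(8080, 443);
	if (r) {
		fprintf(stderr, "no TCP confinement: %s\n", strerror(-r));
		return 1;
	}
	/* Port 443 is allowed by the rules; port 9 is not. */
	printf("connect 443: %s\n", strerror(-ll_probe_connect(443)));
	printf("connect 9: %s\n", strerror(-ll_probe_connect(9)));
	return 0;
}
```

Build with `cc -o ll_tcp ll_tcp.c` and run as an unprivileged user. On a kernel with Landlock ABI v4 or later, the connect() to port 9 is denied by the LSM hook with EACCES before any packet is sent, while port 443 either connects or gets ECONNREFUSED from the TCP stack; on a kernel whose Landlock predates network rules the program exits with EOPNOTSUPP instead of silently running unconfined, which is the failure mode a sandboxing program should make visible.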