[RFC PATCH v4 00/15] Landlock LSM

Konstantin Meskhidze konstantin.meskhidze at huawei.com
Thu Mar 17 13:01:49 UTC 2022



3/15/2022 8:02 PM, Mickaël Salaün пишет:
> Hi Konstantin,
> 
> This series looks good! Thanks for the split in multiple patches.
> 
  Thanks. I follow your recommendations.
> 
> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>> Hi,
>> This is a new V4 bunch of RFC patches related to Landlock LSM network 
>> confinement.
>> It brings deep refactirong and commit splitting of previous version V3.
>> Also added additional selftests.
>>
>> This patch series can be applied on top of v5.17-rc3.
>>
>> All test were run in QEMU evironment and compiled with
>>   -static flag.
>>   1. network_test: 9/9 tests passed.
> 
> I get a kernel warning running the network tests.

   What kind of warning? Can you provide it please?
> 
>>   2. base_test: 8/8 tests passed.
>>   3. fs_test: 46/46 tests passed.
>>   4. ptrace_test: 4/8 tests passed.
> 
> Does your test machine use Yama? That would explain the 4/8. You can 
> disable it with the appropriate sysctl.
> 
>>
>> Tests were also launched for Landlock version without
>> v4 patch:
>>   1. base_test: 8/8 tests passed.
>>   2. fs_test: 46/46 tests passed.
>>   3. ptrace_test: 4/8 tests passed.
>>
>> Could not provide test coverage cause had problems with tests
>> on VM (no -static flag the tests compiling, no v4 patch applied):
> 
> You can build statically-linked tests with:
> make -C tools/testing/selftests/landlock CFLAGS=-static

  Ok. I will try. Thanks.
> 
>> 1. base_test: 7/8 tests passed.
>>   Error:
>>   # Starting 8 tests from 1 test cases.
>>   #  RUN           global.inconsistent_attr ...
>>   # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
> 
> This looks like a bug in the syscall argument checks.

   This bug I just get when don't use -static option. With -static base 
test passes 8/8.
> 
>>   # inconsistent_attr: Test terminated by assertion
>> 2. fs_test: 0 / 46 tests passed
>>   Error for all tests:
>>   # common.h:126:no_restriction:Expected -1 (-1) != 
>> cap_set_proc(cap_p) (-1)
>>   # common.h:127:no_restriction:Failed to cap_set_proc: Operation not 
>> permitted
>>   # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
>>   # fs_test.c:107:no_restriction:Failed to create directory "tmp": 
>> File exists
> 
> You need to run these tests as root.

   OK. I will try.
> 
>> 3. ptrace_test: 4 / 8 tests passed.
>>
>> Previous versions:
>> v3: 
>> https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/ 
>>
>> v2: 
>> https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/ 
>>
>> v1: 
>> https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/ 
>>
> 
> Nice to have this history!
> 
>>
>> Konstantin Meskhidze (15):
>>    landlock: access mask renaming
>>    landlock: filesystem access mask helpers
>>    landlock: landlock_find/insert_rule refactoring
>>    landlock: merge and inherit function refactoring
>>    landlock: unmask_layers() function refactoring
>>    landlock: landlock_add_rule syscall refactoring
>>    landlock: user space API network support
>>    landlock: add support network rules
>>    landlock: TCP network hooks implementation
>>    seltest/landlock: add tests for bind() hooks
>>    seltest/landlock: add tests for connect() hooks
>>    seltest/landlock: connect() with AF_UNSPEC tests
>>    seltest/landlock: rules overlapping test
>>    seltest/landlock: ruleset expanding test
>>    seltest/landlock: invalid user input data test
>>
>>   include/uapi/linux/landlock.h                 |  48 ++
>>   security/landlock/Kconfig                     |   1 +
>>   security/landlock/Makefile                    |   2 +-
>>   security/landlock/fs.c                        |  72 +-
>>   security/landlock/limits.h                    |   6 +
>>   security/landlock/net.c                       | 180 +++++
>>   security/landlock/net.h                       |  22 +
>>   security/landlock/ruleset.c                   | 383 ++++++++--
>>   security/landlock/ruleset.h                   |  72 +-
>>   security/landlock/setup.c                     |   2 +
>>   security/landlock/syscalls.c                  | 176 +++--
>>   .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
>>   12 files changed, 1434 insertions(+), 195 deletions(-)
>>   create mode 100644 security/landlock/net.c
>>   create mode 100644 security/landlock/net.h
>>   create mode 100644 tools/testing/selftests/landlock/network_test.c
>>
>> -- 
>> 2.25.1
>>
> .



More information about the Linux-security-module-archive mailing list