[RFC PATCH v4 00/15] Landlock LSM

Konstantin Meskhidze konstantin.meskhidze at huawei.com
Thu Mar 24 16:19:50 UTC 2022



3/24/2022 6:30 PM, Mickaël Salaün пишет:
> 
> 
> On 24/03/2022 14:34, Konstantin Meskhidze wrote:
>>
>>
>> 3/24/2022 3:27 PM, Mickaël Salaün пишет:
>>>
>>> On 23/03/2022 17:30, Konstantin Meskhidze wrote:
>>>>
>>>>
>>>> 3/17/2022 8:26 PM, Mickaël Salaün пишет:
>>>>>
>>>>> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>>>>>
>>>>>>
>>>>>> 3/15/2022 8:02 PM, Mickaël Salaün пишет:
>>>>>>> Hi Konstantin,
>>>>>>>
>>>>>>> This series looks good! Thanks for the split in multiple patches.
>>>>>>>
>>>>>>   Thanks. I follow your recommendations.
>>>>>>>
>>>>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>>>>> Hi,
>>>>>>>> This is a new V4 bunch of RFC patches related to Landlock LSM 
>>>>>>>> network confinement.
>>>>>>>> It brings deep refactirong and commit splitting of previous 
>>>>>>>> version V3.
>>>>>>>> Also added additional selftests.
>>>>>>>>
>>>>>>>> This patch series can be applied on top of v5.17-rc3.
>>>>>>>>
>>>>>>>> All test were run in QEMU evironment and compiled with
>>>>>>>>   -static flag.
>>>>>>>>   1. network_test: 9/9 tests passed.
>>>>>>>
>>>>>>> I get a kernel warning running the network tests.
>>>>>>
>>>>>>    What kind of warning? Can you provide it please?
>>>>>
>>>>> You really need to get a setup that gives you such kernel warning. 
>>>>> When running network_test you should get:
>>>>> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 
>>>>> insert_rule+0x220/0x270
>>>>>
>>>>> Before sending new patches, please make sure you're able to catch 
>>>>> such issues.
>>>>>
>>>>>
>>>>>>>
>>>>>>>>   2. base_test: 8/8 tests passed.
>>>>>>>>   3. fs_test: 46/46 tests passed.
>>>>>>>>   4. ptrace_test: 4/8 tests passed.
>>>>>>>
>>>>>>> Does your test machine use Yama? That would explain the 4/8. You 
>>>>>>> can disable it with the appropriate sysctl.
>>>>>
>>>>> Can you answer this question?
>>>>>
>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Tests were also launched for Landlock version without
>>>>>>>> v4 patch:
>>>>>>>>   1. base_test: 8/8 tests passed.
>>>>>>>>   2. fs_test: 46/46 tests passed.
>>>>>>>>   3. ptrace_test: 4/8 tests passed.
>>>>>>>>
>>>>>>>> Could not provide test coverage cause had problems with tests
>>>>>>>> on VM (no -static flag the tests compiling, no v4 patch applied):
>>>>>>>
>>>>     Hi, Mickaёl!
>>>>     I tried to get base test coverage without v4 patch applied.
>>>>
>>>>     1. Kernel configuration :
>>>>      - CONFIG_DEBUG_FS=y
>>>>      - CONFIG_GCOV_KERNEL=y
>>>>      - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
>>>>     2. Added GCOV_PROFILE := y in security/landlock/Makefile
>>>
>>> I think this is useless because of 
>>> CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y. I don't add GCOV_PROFILE anyway.
>>>
>>>
>>>>     3. Compiled kernel  and rebooted VM with the new one.
>>>>     4. Run landlock selftests as root user:
>>>>      $ cd tools/testing/selftests/landlock
>>>>      $ ./base_test
>>>>      $ ./fs_test
>>>>      $ ./ptrace_test
>>>>     5. Copied GCOV data to some folder :
>>>>        $ cp -r 
>>>> /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ 
>>>> /gcov-before
>>>>        $ cd /gcov-before
>>>>        $ lcov -c -d ./landlock -o lcov.info && genhtml -o html 
>>>> lcov.info
>>>
>>> I do this step on my host but that should work as long as you have 
>>> the kernel sources in the same directory. I guess this is not the 
>>> case. I think you also need GCC >= 4.8 .
>>>    I found the reason why .gcda files were not executed :
>>        "lcov -c -d ./landlock -o lcov.info && genhtml -o html 
>> lcov.info" was run not under ROOT user.
>>    Running lcov by ROOT one solved the issue. I will provide network test
>>    coverage in RFC patch V5.
>>    Thanks for help anyway.
> 
> I run lcov as a normal user with kernel source access.
> 
> I'll review the other patches soon. But for the next series, please 
> don't reuse "Landlock LSM" as a cover letter subject, something like 
> "Network support for Landlock" would fit better. ;)
> .
   No problem. Thanks.



More information about the Linux-security-module-archive mailing list