[PATCH v5 00/15] Network support for Landlock
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Mon May 16 15:20:23 UTC 2022
Hi,

This is a new V5 patch series related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.18-rc5:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip

It brings refactoring of the previous patch version, V4.
Added additional selftests for IP6 network families and network namespace.
Added TCP sockets confinement support in the sandboxer demo.

All tests were run in a QEMU environment and compiled with the
-static flag.
1. network_test: 13/13 tests passed.
2. base_test: 7/7 tests passed.
3. fs_test: 59/59 tests passed.
4. ptrace_test: 8/8 tests passed.

Still have an issue with base_test when compiled without the -static flag
(landlock-wip branch without network support):
1. base_test: 6/7 tests passed.
Error:
# RUN global.inconsistent_attr ...
# base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
# inconsistent_attr: Test terminated by assertion
# FAIL global.inconsistent_attr
not ok 1 global.inconsistent_attr

LCOV - code coverage report:
              Hit   Total   Coverage
  Lines:      952   1010    94.3 %
  Functions:   79     82    96.3 %

Previous versions:
v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
Konstantin Meskhidze (15):
landlock: access mask renaming
landlock: landlock_find/insert_rule refactoring
landlock: merge and inherit function refactoring
landlock: helper functions refactoring
landlock: landlock_add_rule syscall refactoring
landlock: user space API network support
landlock: add support network rules
landlock: TCP network hooks implementation
selftests/landlock: add tests for bind() hooks
selftests/landlock: add tests for connect() hooks
selftests/landlock: connect() with AF_UNSPEC tests
selftests/landlock: rules overlapping test
selftests/landlock: ruleset expanding test
selftests/landlock: invalid user input data test
samples/landlock: adds network demo
include/uapi/linux/landlock.h | 48 +
samples/landlock/sandboxer.c | 105 ++-
security/landlock/Kconfig | 1 +
security/landlock/Makefile | 2 +
security/landlock/fs.c | 169 +---
security/landlock/limits.h | 8 +-
security/landlock/net.c | 159 ++++
security/landlock/net.h | 25 +
security/landlock/ruleset.c | 481 ++++++++--
security/landlock/ruleset.h | 102 +-
security/landlock/setup.c | 2 +
security/landlock/syscalls.c | 173 ++--
tools/testing/selftests/landlock/base_test.c | 4 +-
tools/testing/selftests/landlock/common.h | 9 +
tools/testing/selftests/landlock/config | 5 +-
tools/testing/selftests/landlock/fs_test.c | 10 -
tools/testing/selftests/landlock/net_test.c | 935 +++++++++++++++++++
17 files changed, 1925 insertions(+), 313 deletions(-)
create mode 100644 security/landlock/net.c
create mode 100644 security/landlock/net.h
create mode 100644 tools/testing/selftests/landlock/net_test.c
--
2.25.1