[PATCH v5 12/15] seltests/landlock: rules overlapping test

Konstantin Meskhidze konstantin.meskhidze at huawei.com
Thu May 19 12:24:54 UTC 2022



5/16/2022 8:41 PM, Mickaël Salaün пишет:
> Please fix these kind of subjects (selftests). I'd also like the subject 
> description to (quickly) describe what is done (with a verb), to start 
> with a capital (like a title), and to contain "network", something like 
> this:
> selftests/landlock: Add test for overlapping network rules
> 
> This is a good test though.
> 
> 
> On 16/05/2022 17:20, Konstantin Meskhidze wrote:
>> This patch adds overlapping rules for one port.
>> First rule adds just bind() access right for a port.
>> The second one adds both bind() and connect()
>> access rights for the same port.
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>> ---
>>
>> Changes since v3:
>> * Add ruleset_overlap test.
>>
>> Changes since v4:
>> * Refactoring code with self->port, self->addr4 variables.
>>
>> ---
>>   tools/testing/selftests/landlock/net_test.c | 51 +++++++++++++++++++++
>>   1 file changed, 51 insertions(+)
>>
>> diff --git a/tools/testing/selftests/landlock/net_test.c 
>> b/tools/testing/selftests/landlock/net_test.c
>> index bf8e49466d1d..1d8c9dfdbd48 100644
>> --- a/tools/testing/selftests/landlock/net_test.c
>> +++ b/tools/testing/selftests/landlock/net_test.c
>> @@ -677,4 +677,55 @@ TEST_F_FORK(socket_test, 
>> connect_afunspec_with_restictions) {
>>       ASSERT_EQ(1, WIFEXITED(status));
>>       ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>>   }
>> +
>> +TEST_F_FORK(socket_test, ruleset_overlap) {
> 
> Please run clang-format-14 on all files (and all commits).
> 
   Yep. I already have updated clang-format executable on my Ubuntu and
setup Vscode to use .clang-format file.
>> +
>> +    int sockfd;
>> +
>> +    struct landlock_ruleset_attr ruleset_attr = {
>> +        .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>> +                      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +    };
>> +    struct landlock_net_service_attr net_service_1 = {
>> +        .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>> +
>> +        .port = self->port[0],
>> +    };
>> +
>> +        struct landlock_net_service_attr net_service_2 = {
>> +        .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>> +                  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +
>> +        .port = self->port[0],
>> +    };
>> +
>> +    const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>> +                    sizeof(ruleset_attr), 0);
>> +    ASSERT_LE(0, ruleset_fd);
>> +
>> +    /* Allows bind operations to the port[0] socket */
> 
> Please ends this kind of comments with a final dot (all files/commits).
> 
   Ok. I will.
>> +    ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 
>> LANDLOCK_RULE_NET_SERVICE,
>> +                       &net_service_1, 0));
>> +    /* Allows connect and bind operations to the port[0] socket */
>> +    ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 
>> LANDLOCK_RULE_NET_SERVICE,
>> +                       &net_service_2, 0));
>> +
>> +    /* Enforces the ruleset. */
>> +    enforce_ruleset(_metadata, ruleset_fd);
>> +
>> +    /* Creates a server socket */
>> +    sockfd = create_socket(_metadata, false, false);
>> +    ASSERT_LE(0, sockfd);
>> +
>> +    /* Binds the socket to address with port[0] */
>> +    ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0], 
>> sizeof(self->addr4[0])));
>> +
>> +    /* Makes connection to socket with port[0] */
>> +    ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
> 
> Can you please get rid of this (struct sockaddr *) type casting please 
> (without compiler warning)?
> 
   Do you have a warning here? Cause I don't.
>> +                           sizeof(self->addr4[0])));
> 
> Here, you can enforce a new ruleset with net_service_1 and check that 
> bind() is still allowed but not connect().
> 
  Ok. Thank you for advice.
>> +
>> +    /* Closes socket */
>> +    ASSERT_EQ(0, close(sockfd));
>> +}
>> +
>>   TEST_HARNESS_MAIN
>> -- 
>> 2.25.1
>>
> .



More information about the Linux-security-module-archive mailing list