[PATCH v8 07/12] landlock: Add network rules support
Konstantin Meskhidze (A)
konstantin.meskhidze at huawei.com
Mon Jan 9 07:59:43 UTC 2023
1/6/2023 10:22 PM, Mickaël Salaün wrote:
>
> On 04/01/2023 12:41, Konstantin Meskhidze (A) wrote:
>>
>>
>> 11/17/2022 9:43 PM, Mickaël Salaün wrote:
>
> [...]
>
>>>> /**
>>>> @@ -79,6 +91,24 @@ struct landlock_path_beneath_attr {
>>>> */
>>>> } __attribute__((packed));
>>>>
>>>> +/**
>>>> + * struct landlock_net_service_attr - TCP subnet definition
>>>> + *
>>>> + * Argument of sys_landlock_add_rule().
>>>> + */
>>>> +struct landlock_net_service_attr {
>>>> + /**
>>>> + * @allowed_access: Bitmask of allowed access network for services
>>>> + * (cf. `Network flags`_).
>>>> + */
>>>> + __u64 allowed_access;
>>>> + /**
>>>> + * @port: Network port.
>>>> + */
>>>> + __u16 port;
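
Review bot: The kernel-doc summary at the top of the new struct, "TCP subnet definition", does not match what the struct holds: the visible fields are an access bitmask and a single port, with no address or prefix. Suggest describing it as a TCP port (service) rule, and rewording "Bitmask of allowed access network for services" to something like "Bitmask of allowed network actions for this port". The "@port: Network port." line should also state the expected byte order, since a caller cannot tell from "__u16 port" alone whether to pass a host-order or a network-order value.
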
>>>
>>> From a UAPI point of view, I think the port field should be __be16, as
>>> for sockaddr_in->port and other network-related APIs. This will require
>>> some kernel changes to please sparse: make C=2 security/landlock/ must
>>> not print any warning.
>>
>> I have these errors trying to launch sparse checking:
>>
>> DESCEND objtool
>> DESCEND bpf/resolve_btfids
>> CALL scripts/checksyscalls.sh
>> CHK kernel/kheaders_data.tar.xz
>> CC security/landlock/setup.o
>> CHECK security/landlock/setup.c
>> ./include/asm-generic/rwonce.h:67:16: error: typename in expression
>> ./include/asm-generic/rwonce.h:67:16: error: Expected ) in function call
>> ./include/asm-generic/rwonce.h:67:16: error: got :
>> ./include/linux/list.h:292:16: error: typename in expression
>> ./include/linux/list.h:292:16: error: Expected ) in function call
>> ./include/linux/list.h:292:16: error: got :
>>
>> ....
>>
>> ./include/linux/seqlock.h:682:16: error: Expected ) in function call
>> ./include/linux/seqlock.h:682:16: error: got :
>> ./include/linux/seqlock.h:695:16: error: typename in expression
>> ./include/linux/seqlock.h:695:16: error: Expected ) in function call
>> ./include/linux/seqlock.h:695:16: error: too many errors
>> Segmentation fault (core dumped)
>> make[3]: *** [scripts/Makefile.build:250: security/landlock/setup.o]
>> Error 139
>> make[3]: *** Deleting file 'security/landlock/setup.o'
>> make[3]: *** Waiting for unfinished jobs....
>> Segmentation fault (core dumped)
>> make[3]: *** [scripts/Makefile.build:250: security/landlock/syscalls.o]
>> Error 139
>> make[3]: *** Deleting file 'security/landlock/syscalls.o'
>> make[2]: *** [scripts/Makefile.build:502: security/landlock] Error 2
>> make[1]: *** [scripts/Makefile.build:502: security] Error 2
>> make[1]: *** Waiting for unfinished jobs....
>> make: *** [Makefile:1994: .] Error 2
>
> I don't know about this error. Did you follow the documentation?
> https://docs.kernel.org/dev-tools/sparse.html#getting-sparse
>
Yes, I did as in the documentation. That's strange.
If you don't mind, can you please check it when I send a new patch?
>
>
>>>
>>> Using big-endian values as keys (cast to uintptr_t, not strictly
>>> __be16) in the rb-tree should not be an issue because there is no port
>>> range ordering (for now).
>>>
>>> A dedicated test should check that endianness is correct, e.g. by using
>>> different port encoding. This should include passing and failing tests,
>>> but they should work on all architectures (i.e. big or little endian).
> .
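
One way to write the passing and failing endianness check suggested in the quoted review so that it gives the same result on big- and little-endian hosts, as an added userspace illustration (not part of the patch or of the Landlock selftests). The names `demo_net_rule`, `port_from_bytes`, `demo_lookup`, `demo_endianness_check` and the access value are hypothetical.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the rule attribute discussed above, with the
 * port kept in network byte order (the __be16 suggestion). Not kernel code. */
struct demo_net_rule {
	uint64_t allowed_access;
	uint16_t port_be; /* network byte order */
};

/* Build a network-order port from explicit bytes, so the in-memory value
 * is identical on every host regardless of its endianness. */
static uint16_t port_from_bytes(uint8_t hi, uint8_t lo)
{
	const uint8_t raw[2] = { hi, lo };
	uint16_t port_be;

	memcpy(&port_be, raw, sizeof(port_be));
	return port_be;
}

/* Equality-only lookup: the key is never compared for ordering, which is
 * why a big-endian key is harmless as long as no port ranges exist. */
static uint64_t demo_lookup(const struct demo_net_rule *rules, size_t n,
			    uint16_t port_be)
{
	for (size_t i = 0; i < n; i++)
		if (rules[i].port_be == port_be)
			return rules[i].allowed_access;
	return 0;
}

/* Returns 1 when the network-order key matches the rule and the
 * byte-swapped encoding of the same port does not. */
static int demo_endianness_check(void)
{
	/* Constructed sample: port 8080 = 0x1f90, access bit 1 (made up). */
	const struct demo_net_rule rules[] = { { 1, htons(8080) } };
	uint16_t good = port_from_bytes(0x1f, 0x90);
	uint16_t swapped = port_from_bytes(0x90, 0x1f);

	return demo_lookup(rules, 1, good) == 1 &&
	       demo_lookup(rules, 1, swapped) == 0;
}
```

Building both encodings from explicit bytes avoids the trap where a test that passes a host-order value "fails as expected" on little-endian machines but silently passes on big-endian ones.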