[PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network
Mickaël Salaün
mic at digikod.net
Mon Mar 6 16:00:45 UTC 2023
On 06/03/2023 13:03, Konstantin Meskhidze (A) wrote:
>
>
> 2/21/2023 9:05 PM, Mickaël Salaün пишет:
>>
>> On 16/01/2023 09:58, Konstantin Meskhidze wrote:
>>> These test suites try to check edge cases for TCP sockets
>>> bind() and connect() actions.
>>>
>>> socket:
>>> * bind: Tests with non-landlocked/landlocked ipv4 and ipv6 sockets.
>>> * connect: Tests with non-landlocked/landlocked ipv4 and ipv6 sockets.
>>> * bind_afunspec: Tests with non-landlocked/landlocked restrictions
>>> for bind action with AF_UNSPEC socket family.
>>> * connect_afunspec: Tests with non-landlocked/landlocked restrictions
>>> for connect action with AF_UNSPEC socket family.
>>> * ruleset_overlap: Tests with overlapping rules for one port.
>>> * ruleset_expanding: Tests with expanding rulesets in which rules are
>>> gradually added one by one, restricting sockets' connections.
>>> * inval: Tests with invalid user space supplied data:
>>> - out of range ruleset attribute;
>>> - unhandled allowed access;
>>> - zero port value;
>>> - zero access value;
>>> - legitimate access values;
>>> * bind_connect_inval_addrlen: Tests with invalid address length
>>> for ipv4/ipv6 sockets.
>>> * inval_port_format: Tests with wrong port format for ipv4/ipv6 sockets.
>>>
>>> layout1:
>>> * with_net: Tests with network bind() socket action within
>>> filesystem directory access test.
>>>
>>> Test coverage for security/landlock is 94.1% of 946 lines according
>>> to gcc/gcov-11.
>>>
>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>>> ---
>>>
>>> Changes since v8:
>>> * Adds is_sandboxed const for FIXTURE_VARIANT(socket).
>>> * Refactors AF_UNSPEC tests.
>>> * Adds address length checking tests.
>>> * Convert ports in all tests to __be16.
>>> * Adds invalid port values tests.
>>> * Minor fixes.
>>>
>>> Changes since v7:
>>> * Squashes all selftest commits.
>>> * Adds fs test with network bind() socket action.
>>> * Minor fixes.
>>>
>>> ---
>>> tools/testing/selftests/landlock/config | 4 +
>>> tools/testing/selftests/landlock/fs_test.c | 65 ++
>>> tools/testing/selftests/landlock/net_test.c | 1157 +++++++++++++++++++
>>> 3 files changed, 1226 insertions(+)
>>> create mode 100644 tools/testing/selftests/landlock/net_test.c
>>>
>>> diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config
>>> index 0f0a65287bac..71f7e9a8a64c 100644
>>> --- a/tools/testing/selftests/landlock/config
>>> +++ b/tools/testing/selftests/landlock/config
[...]
>>> +static int bind_variant(const struct _fixture_variant_socket *const variant,
>>> + const int sockfd,
>>> + const struct _test_data_socket *const self,
>>> + const size_t index, const bool zero_size)
>>> +
>>
>> Extra new line.
>
> Will be deleted. Thanks. >>
>>> +{
>>> + if (variant->is_ipv4)
>>> + return bind(sockfd, &self->addr4[index],
>>> + (zero_size ? 0 : sizeof(self->addr4[index])));
>>
>> Is the zero_size really useful? Do calling bind and connect with this
>> argument reaches the Landlock code (check_addrlen) or is it caught by
>> the network code beforehand?
>
> In __sys_bind() syscall security_socket_bind() function goes before
> sock->ops->bind() method. Selinux and Smacks provide such checks in
> bind()/connect() hooks, so I think Landlock should do the same.
> What do you think?
Yes, we should keep these checks. However, we should have a
bind_variant() without the zero_size argument because it is only set to
true once (in bind_connect_inval_addrlen). You can explicitly call
bind() with a zero size in bind_connect_inval_addrlen().
Same for connect_variant().
>>
>>
>>> + else
>>> + return bind(sockfd, &self->addr6[index],
>>> + (zero_size ? 0 : sizeof(self->addr6[index])));
>>> +}
>>> +
>>> +static int connect_variant(const struct _fixture_variant_socket *const variant,
>>> + const int sockfd,
>>> + const struct _test_data_socket *const self,
>>> + const size_t index, const bool zero_size)
>>> +{
>>> + if (variant->is_ipv4)
>>> + return connect(sockfd, &self->addr4[index],
>>> + (zero_size ? 0 : sizeof(self->addr4[index])));
>>> + else
>>> + return connect(sockfd, &self->addr6[index],
>>> + (zero_size ? 0 : sizeof(self->addr6[index])));
>>> +}
More information about the Linux-security-module-archive
mailing list