[PATCH v14 10/12] selftests/landlock: Add network tests
Mickaël Salaün
mic at digikod.net
Thu Jan 11 17:06:07 UTC 2024
Thanks for the report and the test Muhammad, the fix is now merged:
https://git.kernel.org/torvalds/c/bbf5a1d0e5d0fb3bdf90205aa872636122692a50
See https://lore.kernel.org/all/20240103163415.304358-1-mic@digikod.net/
On Wed, Dec 20, 2023 at 04:19:44PM +0500, Muhammad Usama Anjum wrote:
> On 12/20/23 2:17 PM, Mickaël Salaün wrote:
> > Hi Muhammad,
> >
> > Thanks for the report.
> >
> > On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
> >> Hi Konstantin,
> >>
> >> There are some errors being reported in KernelCI:
> >> https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
> >>
> >> The following sub-tests are failing:
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
> >> landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
> >> landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
> >>
> >> From my initial investigation, I can see that these failures are coming
> >> from just finding the wrong return error code (-97 instead of -22). It may
> >> be test's issue or the kernel's, not sure yet.
> >
> > I cannot reproduce these errors (with the same kernel commit), the
> > Defconfig URL is broken. Could you please share the config used for
> > tests?
> I've also attached the config. I'm generated the config by following:
> make defconfig && make kvm_guest.config
> scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config
>
> >
> > According to the failing tests, it looks like the network stack returns
> > EAFNOSUPPORT instead of EINVAL, which should happen because addr_len <
> > SIN6_LEN_RFC2133 (cf. inet6_bind_sk). I then think that the issue comes
> > from an inconsistent error priority with the prot->bind() call in
> > inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains
> > AF_UNSPEC. I didn't find such bind() implementations though.
> >
> > Could you please validate this theory by removing this call in
> > inet6_bind_sk() and run the tests again?
> I'll have a look if I can find anything.
>
> >
> > Eric, do you know where are such struct proto bind() implementations and
> > why they may return EAFNOSUPPORT?
> >
> > Regards,
> > Mickaël
> >
> >
> >>
> >> Thanks,
> >> Usama
> >>
> >> On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
> >>> Add 82 test suites to check edge cases related to bind() and connect()
> >>> actions. They are defined with 6 fixtures and their variants:
> >>>
> >>> The "protocol" fixture is extended with 12 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
> >>> stream/datagram socket. 4 related tests suites are defined:
> >>> * bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
> >>> * connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix
> >>> sockets.
> >>> * bind_unspec: Tests with non-landlocked/landlocked restrictions
> >>> for bind action with AF_UNSPEC socket family.
> >>> * connect_unspec: Tests with non-landlocked/landlocked restrictions
> >>> for connect action with AF_UNSPEC socket family.
> >>>
> >>> The "ipv4" fixture is extended with 4 variants defined as a matrix
> >>> of: sandboxed/not-sandboxed, IPv4/unix network domain, and
> >>> stream/datagram socket. 1 related test suite is defined:
> >>> * from_unix_to_inet: Tests to make sure unix sockets' actions are not
> >>> restricted by Landlock rules applied to TCP ones.
> >>>
> >>> The "tcp_layers" fixture is extended with 8 variants defined as a matrix
> >>> of: IPv4/IPv6 network domain, and different number of landlock rule layers.
> >>> 2 related tests suites are defined:
> >>> * ruleset_overlap.
> >>> * ruleset_expand.
> >>>
> >>> In the "mini" fixture 4 tests suites are defined:
> >>> * network_access_rights: Tests with legitimate access values.
> >>> * unknown_access_rights: Tests with invalid attributes, out of access
> >>> range.
> >>> * inval:
> >>> - unhandled allowed access.
> >>> - zero access value.
> >>> * tcp_port_overflow: Tests with wrong port values more than U16_MAX.
> >>>
> >>> In the "ipv4_tcp" fixture supports IPv4 network domain, stream socket.
> >>> 2 tests suites are defined:
> >>> * port_endianness: Tests with big/little endian port formats.
> >>> * with_fs: Tests with network bind() socket action within
> >>> filesystem directory access test.
> >>>
> >>> The "port_specific" fixture is extended with 4 variants defined
> >>> as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain,
> >>> and stream socket. 2 related tests suites are defined:
> >>> * bind_connect_zero: Tests with port 0 value.
> >>> * bind_connect_1023: Tests with port 1023 value.
> >>>
> >>> Test coverage for security/landlock is 94.5% of 932 lines according to
> >>> gcc/gcov-9.
> >>>
> >>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
> >>> Co-developed-by: Mickaël Salaün <mic at digikod.net>
> >>> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> >>> ---
More information about the Linux-security-module-archive
mailing list