[RFC PATCH v2 0/8] Fix non-TCP restriction and inconsistency of TCP errors

Mikhail Ivanov ivanov.mikhail1 at huawei-partners.com
Thu Oct 17 11:04:46 UTC 2024


Hello!
This patchset provides two general fixes for TCP Landlock hooks:

First one fixes incorrect restriction of non-TCP bind/connect actions.
There is two commits related to testing MPTCP and SCTP protocols which were
incorrectly restricted. SCTP implementation has invalid check for minimal
address length in bind(2) call [1], therefore commit with SCTP testing can be
applied later after necessary SCTP fixes.

[1] https://lore.kernel.org/all/20241004.Hohpheipieh2@digikod.net/
Closes: https://github.com/landlock-lsm/linux/issues/40

Second one fixes inconsistency of errors in bind and connect hooks for
TCP sockets. It provides per-operation helpers, which consist of a set
of checks from the TCP network stack. Due to TCP connect(2) implementation
it's not possible to obtain full consistency, but the unhandled cases are
rather special scenarios that should almost should not normally appear.
Two new tests were implemented to validate errors consistency.

Diffs of second and third commits were unreadable, so I've decided to
rewrite net.c file to simplify reviewing process.

Code coverage
=============
Code coverage(gcov) report with the launch of net_test selftest:
 * security/landlock/net.c:
lines......: 98.8% (79 of 80 lines)
functions..: 100% (8 of 8 functions)

One uncovered line is documented in check_tcp_connect_consistency_and_get_port().

General changes
===============
 * Rebases on current linux-mic/next (based on Linux v6.12-rc3)
 * Fixes inconsistency of TCP actions errors and implements two related
   tests.
 * Removes SMC test suits.
 * Adds separate commit for SCTP test suits.
 * Adds test suits of protocol fixture for sockets created with
   protocol=IPPROTO_TCP (C.f. socket(2)).

Previous versions
=================
v1: https://lore.kernel.org/all/20241003143932.2431249-1-ivanov.mikhail1@huawei-partners.com/

Mikhail Ivanov (8):
  landlock: Fix non-TCP sockets restriction
  landlock: Make network stack layer checks explicit for each TCP action
  landlock: Fix inconsistency of errors for TCP actions
  selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
  selftests/landlock: Test that MPTCP actions are not restricted
  selftests/landlock: Test consistency of errors for TCP actions
  landlock: Add note about errors consistency in documentation
  selftests/landlock: Test that SCTP actions are not restricted

 Documentation/userspace-api/landlock.rst    |   3 +-
 security/landlock/net.c                     | 501 +++++++++++-------
 tools/testing/selftests/landlock/common.h   |   1 +
 tools/testing/selftests/landlock/config     |   4 +
 tools/testing/selftests/landlock/net_test.c | 532 ++++++++++++++++++--
 5 files changed, 825 insertions(+), 216 deletions(-)
 rewrite security/landlock/net.c (36%)


base-commit: fe76bd133024aaef12d12a7d58fa3e8d138d3bf3
-- 
2.34.1




More information about the Linux-security-module-archive mailing list