All of lore.kernel.org
 help / color / mirror / Atom feed
From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
	<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
	<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
	<anton.sirazetdinov@huawei.com>
Subject: [PATCH v6 00/17] Network support for Landlock
Date: Tue, 21 Jun 2022 16:22:56 +0800	[thread overview]
Message-ID: <20220621082313.3330667-1-konstantin.meskhidze@huawei.com> (raw)

Hi,
This is a new V6 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.19-rc2:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip

It brings refactoring of previous patch version V5:
    - Fixes some logic errors and typos.
    - Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
    to support both ip4 and ip6 families and shorten seltests' code.
    - Makes TCP sockets confinement support optional in sandboxer demo.
    - Formats the code with clang-format-14

All test were run in QEMU evironment and compiled with
 -static flag.
 1. network_test: 18/18 tests passed.
 2. base_test: 7/7 tests passed.
 3. fs_test: 59/59 tests passed.
 4. ptrace_test: 8/8 tests passed.

Still have issue with base_test were compiled without -static flag
(landlock-wip branch without network support)
1. base_test: 6/7 tests passed.
 Error:
 #  RUN           global.inconsistent_attr ...
 # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
 # inconsistent_attr: Test terminated by assertion
 #          FAIL  global.inconsistent_attr
not ok 1 global.inconsistent_attr

LCOV - code coverage report:
            Hit  Total  Coverage
Lines:      952  1010    94.3 %
Functions:  79   82      96.3 %

Previous versions:
v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/

Konstantin Meskhidze (17):
  landlock: renames access mask
  landlock: refactors landlock_find/insert_rule
  landlock: refactors merge and inherit functions
  landlock: moves helper functions
  landlock: refactors helper functions
  landlock: refactors landlock_add_rule syscall
  landlock: user space API network support
  landlock: adds support network rules
  landlock: implements TCP network hooks
  seltests/landlock: moves helper function
  seltests/landlock: adds tests for bind() hooks
  seltests/landlock: adds tests for connect() hooks
  seltests/landlock: adds AF_UNSPEC family test
  seltests/landlock: adds rules overlapping test
  seltests/landlock: adds ruleset expanding test
  seltests/landlock: adds invalid input data test
  samples/landlock: adds network demo

 include/uapi/linux/landlock.h               |  49 ++
 samples/landlock/sandboxer.c                | 118 ++-
 security/landlock/Kconfig                   |   1 +
 security/landlock/Makefile                  |   2 +
 security/landlock/fs.c                      | 162 +---
 security/landlock/limits.h                  |   8 +-
 security/landlock/net.c                     | 155 ++++
 security/landlock/net.h                     |  26 +
 security/landlock/ruleset.c                 | 448 +++++++++--
 security/landlock/ruleset.h                 |  91 ++-
 security/landlock/setup.c                   |   2 +
 security/landlock/syscalls.c                | 168 +++--
 tools/testing/selftests/landlock/common.h   |  10 +
 tools/testing/selftests/landlock/config     |   4 +
 tools/testing/selftests/landlock/fs_test.c  |  10 -
 tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
 16 files changed, 1737 insertions(+), 291 deletions(-)
 create mode 100644 security/landlock/net.c
 create mode 100644 security/landlock/net.h
 create mode 100644 tools/testing/selftests/landlock/net_test.c

--
2.25.1


             reply	other threads:[~2022-06-21  8:23 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-21  8:22 Konstantin Meskhidze [this message]
2022-06-21  8:22 ` [PATCH v6 01/17] landlock: renames access mask Konstantin Meskhidze
2022-07-01 17:08   ` Mickaël Salaün
2022-07-04  9:23     ` Konstantin Meskhidze (A)
2022-07-05 11:29     ` Konstantin Meskhidze (A)
2022-07-05 13:26       ` Mickaël Salaün
2022-07-08 12:56         ` Konstantin Meskhidze (A)
2022-06-21  8:22 ` [PATCH v6 02/17] landlock: refactors landlock_find/insert_rule Konstantin Meskhidze
2022-07-07 16:44   ` Mickaël Salaün
2022-07-08 12:53     ` Konstantin Meskhidze (A)
2022-07-08 13:56       ` Mickaël Salaün
2022-07-08 14:14         ` Konstantin Meskhidze (A)
2022-07-08 14:20         ` Konstantin Meskhidze (A)
2022-07-08 16:57           ` Mickaël Salaün
2022-07-11  8:16             ` Konstantin Meskhidze (A)
2022-07-08 13:10     ` Konstantin Meskhidze (A)
2022-07-08 13:59       ` Mickaël Salaün
2022-07-08 14:14         ` Konstantin Meskhidze (A)
2022-07-08 14:35           ` Mickaël Salaün
2022-07-11 14:05             ` Konstantin Meskhidze (A)
2022-07-28 14:48               ` Mickaël Salaün
2022-07-07 16:46   ` Mickaël Salaün
2022-07-08 12:54     ` Konstantin Meskhidze (A)
2022-06-21  8:22 ` [PATCH v6 03/17] landlock: refactors merge and inherit functions Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 04/17] landlock: moves helper functions Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 05/17] landlock: refactors " Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 06/17] landlock: refactors landlock_add_rule syscall Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 07/17] landlock: user space API network support Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 08/17] landlock: adds support network rules Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 09/17] landlock: implements TCP network hooks Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 10/17] seltests/landlock: moves helper function Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 11/17] seltests/landlock: adds tests for bind() hooks Konstantin Meskhidze
2022-07-28 13:24   ` Mickaël Salaün
2022-06-21  8:23 ` [PATCH v6 12/17] seltests/landlock: adds tests for connect() hooks Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 13/17] seltests/landlock: adds AF_UNSPEC family test Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 14/17] seltests/landlock: adds rules overlapping test Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 15/17] seltests/landlock: adds ruleset expanding test Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 16/17] seltests/landlock: adds invalid input data test Konstantin Meskhidze
2022-06-21  8:23 ` [PATCH v6 17/17] samples/landlock: adds network demo Konstantin Meskhidze
2022-07-27 20:26   ` Mickaël Salaün
2022-07-28  9:21     ` Konstantin Meskhidze (A)
2022-07-26 17:43 ` [PATCH v6 00/17] Network support for Landlock Mickaël Salaün
2022-07-27 19:54   ` Mickaël Salaün
2022-07-28  9:19     ` Konstantin Meskhidze (A)
2022-07-28  9:25     ` Konstantin Meskhidze (A)
2022-07-28 10:12       ` Mickaël Salaün
2022-07-28 11:27         ` Konstantin Meskhidze (A)
2022-07-28 13:17     ` Mickaël Salaün
2022-08-23  9:10       ` Konstantin Meskhidze (A)
2022-08-27 13:30       ` Konstantin Meskhidze (A)
2022-08-29 13:10         ` Mickaël Salaün
2022-07-27 20:21   ` Mickaël Salaün
2022-07-28  9:20     ` Konstantin Meskhidze (A)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220621082313.3330667-1-konstantin.meskhidze@huawei.com \
    --to=konstantin.meskhidze@huawei.com \
    --cc=anton.sirazetdinov@huawei.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=willemdebruijn.kernel@gmail.com \
    --cc=yusongping@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.