From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<anton.sirazetdinov@huawei.com>
Subject: [PATCH v6 00/17] Network support for Landlock
Date: Tue, 21 Jun 2022 16:22:56 +0800
Message-ID: <20220621082313.3330667-1-konstantin.meskhidze@huawei.com>
Hi,
This is a new V6 patch related to Landlock LSM network confinement.
It is based on the latest landlock-wip branch on top of v5.19-rc2:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
It brings refactoring of the previous patch version, V5:
- Fixes some logic errors and typos.
- Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
to support both ip4 and ip6 families and shorten the selftests' code.
- Makes TCP sockets confinement support optional in the sandboxer demo.
- Formats the code with clang-format-14.
All tests were run in a QEMU environment and compiled with the
-static flag.
1. network_test: 18/18 tests passed.
2. base_test: 7/7 tests passed.
3. fs_test: 59/59 tests passed.
4. ptrace_test: 8/8 tests passed.
I still have an issue with base_test when it is compiled without the -static flag
(landlock-wip branch without network support):
1. base_test: 6/7 tests passed.
Error:
# RUN global.inconsistent_attr ...
# base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
# inconsistent_attr: Test terminated by assertion
# FAIL global.inconsistent_attr
not ok 1 global.inconsistent_attr
LCOV - code coverage report:
            Hit   Total   Coverage
Lines:      952   1010    94.3 %
Functions:   79     82    96.3 %
Previous versions:
v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
Konstantin Meskhidze (17):
landlock: renames access mask
landlock: refactors landlock_find/insert_rule
landlock: refactors merge and inherit functions
landlock: moves helper functions
landlock: refactors helper functions
landlock: refactors landlock_add_rule syscall
landlock: user space API network support
landlock: adds support network rules
landlock: implements TCP network hooks
seltests/landlock: moves helper function
seltests/landlock: adds tests for bind() hooks
seltests/landlock: adds tests for connect() hooks
seltests/landlock: adds AF_UNSPEC family test
seltests/landlock: adds rules overlapping test
seltests/landlock: adds ruleset expanding test
seltests/landlock: adds invalid input data test
samples/landlock: adds network demo
include/uapi/linux/landlock.h | 49 ++
samples/landlock/sandboxer.c | 118 ++-
security/landlock/Kconfig | 1 +
security/landlock/Makefile | 2 +
security/landlock/fs.c | 162 +---
security/landlock/limits.h | 8 +-
security/landlock/net.c | 155 ++++
security/landlock/net.h | 26 +
security/landlock/ruleset.c | 448 +++++++++--
security/landlock/ruleset.h | 91 ++-
security/landlock/setup.c | 2 +
security/landlock/syscalls.c | 168 +++--
tools/testing/selftests/landlock/common.h | 10 +
tools/testing/selftests/landlock/config | 4 +
tools/testing/selftests/landlock/fs_test.c | 10 -
tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
16 files changed, 1737 insertions(+), 291 deletions(-)
create mode 100644 security/landlock/net.c
create mode 100644 security/landlock/net.h
create mode 100644 tools/testing/selftests/landlock/net_test.c
--
2.25.1