From: "Mickaël Salaün" <mic@digikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com, gnoack3000@gmail.com,
	 linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org,  yusongping@huawei.com,
	artem.kuzin@huawei.com, Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v14 00/12] Network support for Landlock
Date: Fri, 27 Oct 2023 15:06:34 +0200
Message-ID: <20231027.weic8eidaiQu@digikod.net>
In-Reply-To: <20231026014751.414649-1-konstantin.meskhidze@huawei.com>

Thanks Konstantin!

I did some minor cosmetic changes, extended a bit the documentation and
improved the ipv4_tcp.with_fs test. You can see these changes in my
-next branch:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next

We have a very good test coverage and I think these patches are ready
for mainline.  If it's OK with you, I plan to send a PR for v6.7-rc1.

Regards,
 Mickaël

On Thu, Oct 26, 2023 at 09:47:39AM +0800, Konstantin Meskhidze wrote:
> Hi,
> This is a new V14 patch related to Landlock LSM network confinement.
> It is based on v6.6-rc2 kernel version.
> 
> It brings refactoring of previous patch version V13.
> Mostly there are fixes of logic and typos, refactoring some selftests.
> 
> All tests were run in a QEMU environment and compiled with
>  -static flag.
>  1. network_test: 82/82 tests passed.
>  2. base_test: 7/7 tests passed.
>  3. fs_test: 107/107 tests passed.
>  4. ptrace_test: 8/8 tests passed.
> 
> Previous versions:
> v13: https://lore.kernel.org/linux-security-module/20231016015030.1684504-1-konstantin.meskhidze@huawei.com/
> v12: https://lore.kernel.org/linux-security-module/20230920092641.832134-1-konstantin.meskhidze@huawei.com/
> v11: https://lore.kernel.org/linux-security-module/20230515161339.631577-1-konstantin.meskhidze@huawei.com/
> v10: https://lore.kernel.org/linux-security-module/20230323085226.1432550-1-konstantin.meskhidze@huawei.com/
> v9: https://lore.kernel.org/linux-security-module/20230116085818.165539-1-konstantin.meskhidze@huawei.com/
> v8: https://lore.kernel.org/linux-security-module/20221021152644.155136-1-konstantin.meskhidze@huawei.com/
> v7: https://lore.kernel.org/linux-security-module/20220829170401.834298-1-konstantin.meskhidze@huawei.com/
> v6: https://lore.kernel.org/linux-security-module/20220621082313.3330667-1-konstantin.meskhidze@huawei.com/
> v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
> v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
> 
> Konstantin Meskhidze (11):
>   landlock: Make ruleset's access masks more generic
>   landlock: Refactor landlock_find_rule/insert_rule
>   landlock: Refactor merge/inherit_ruleset functions
>   landlock: Move and rename layer helpers
>   landlock: Refactor layer helpers
>   landlock: Refactor landlock_add_rule() syscall
>   landlock: Add network rules and TCP hooks support
>   selftests/landlock: Share enforce_ruleset()
>   selftests/landlock: Add network tests
>   samples/landlock: Support TCP restrictions
>   landlock: Document network support
> 
> Mickaël Salaün (1):
>   landlock: Allow FS topology changes for domains without such rule type
> 
>  Documentation/userspace-api/landlock.rst     |   96 +-
>  include/uapi/linux/landlock.h                |   55 +
>  samples/landlock/sandboxer.c                 |  115 +-
>  security/landlock/Kconfig                    |    1 +
>  security/landlock/Makefile                   |    2 +
>  security/landlock/fs.c                       |  232 +--
>  security/landlock/limits.h                   |    6 +
>  security/landlock/net.c                      |  198 ++
>  security/landlock/net.h                      |   33 +
>  security/landlock/ruleset.c                  |  405 +++-
>  security/landlock/ruleset.h                  |  183 +-
>  security/landlock/setup.c                    |    2 +
>  security/landlock/syscalls.c                 |  158 +-
>  tools/testing/selftests/landlock/base_test.c |    2 +-
>  tools/testing/selftests/landlock/common.h    |   13 +
>  tools/testing/selftests/landlock/config      |    4 +
>  tools/testing/selftests/landlock/fs_test.c   |   10 -
>  tools/testing/selftests/landlock/net_test.c  | 1744 ++++++++++++++++++
>  18 files changed, 2908 insertions(+), 351 deletions(-)
>  create mode 100644 security/landlock/net.c
>  create mode 100644 security/landlock/net.h
>  create mode 100644 tools/testing/selftests/landlock/net_test.c
> 
> --
> 2.25.1
> 

Thread overview: 20+ messages
2023-10-26  1:47 [PATCH v14 00/12] Network support for Landlock Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 01/12] landlock: Make ruleset's access masks more generic Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 02/12] landlock: Allow FS topology changes for domains without such rule type Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 03/12] landlock: Refactor landlock_find_rule/insert_rule Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 04/12] landlock: Refactor merge/inherit_ruleset functions Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 05/12] landlock: Move and rename layer helpers Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 06/12] landlock: Refactor " Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 07/12] landlock: Refactor landlock_add_rule() syscall Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 08/12] landlock: Add network rules and TCP hooks support Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 09/12] selftests/landlock: Share enforce_ruleset() Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 10/12] selftests/landlock: Add network tests Konstantin Meskhidze
2023-12-19 10:38   ` Muhammad Usama Anjum
2023-12-20  9:17     ` Mickaël Salaün
2023-12-20 11:19       ` Muhammad Usama Anjum
2024-01-11 17:06         ` Mickaël Salaün
2023-10-26  1:47 ` [PATCH v14 11/12] samples/landlock: Support TCP restrictions Konstantin Meskhidze
2023-10-26  1:47 ` [PATCH v14 12/12] landlock: Document network support Konstantin Meskhidze
2023-10-27 13:06 ` Mickaël Salaün [this message]
2023-10-28  2:07   ` [PATCH v14 00/12] Network support for Landlock Konstantin Meskhidze (A)
2023-10-27 15:46 ` [PATCH] selftests/landlock: Add tests for FS topology changes with network rules Mickaël Salaün
