From: "Mickaël Salaün" <mic@digikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com,
	linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, yusongping@huawei.com,
	anton.sirazetdinov@huawei.com
Subject: Re: [PATCH v6 00/17] Network support for Landlock
Date: Wed, 27 Jul 2022 21:54:52 +0200	[thread overview]
Message-ID: <6691d91f-c03b-30fa-2fa0-d062b3b234b9@digikod.net> (raw)
In-Reply-To: <4c57a0c2-e207-10d6-c73d-bcda66bf3963@digikod.net>
On 26/07/2022 19:43, Mickaël Salaün wrote:
> 
> On 21/06/2022 10:22, Konstantin Meskhidze wrote:
>> Hi,
>> This is a new V6 patch related to Landlock LSM network confinement.
>> It is based on the latest landlock-wip branch on top of v5.19-rc2:
>> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
>>
>> It brings refactoring of previous patch version V5:
>>      - Fixes some logic errors and typos.
>>      - Adds additional FIXTURE_VARIANT and FIXTURE_VARIANT_ADD helpers
>>      to support both ip4 and ip6 families and shorten selftests' code.
>>      - Makes TCP sockets confinement support optional in sandboxer demo.
>>      - Formats the code with clang-format-14
>>
>> All tests were run in a QEMU environment and compiled with the
>>   -static flag.
>>   1. network_test: 18/18 tests passed.
>>   2. base_test: 7/7 tests passed.
>>   3. fs_test: 59/59 tests passed.
>>   4. ptrace_test: 8/8 tests passed.
>>
>> Still have an issue with base_test when compiled without the -static flag
>> (landlock-wip branch without network support):
>> 1. base_test: 6/7 tests passed.
>>   Error:
>>   #  RUN           global.inconsistent_attr ...
>>   # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>>   # inconsistent_attr: Test terminated by assertion
>>   #          FAIL  global.inconsistent_attr
>> not ok 1 global.inconsistent_attr
>>
>> LCOV - code coverage report:
>>              Hit  Total  Coverage
>> Lines:      952  1010    94.3 %
>> Functions:  79   82      96.3 %
>>
>> Previous versions:
>> v5: 
>> https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
>> v4: 
>> https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
>> v3: 
>> https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
>> v2: 
>> https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
>> v1: 
>> https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>>
>> Konstantin Meskhidze (17):
>>    landlock: renames access mask
>>    landlock: refactors landlock_find/insert_rule
>>    landlock: refactors merge and inherit functions
>>    landlock: moves helper functions
>>    landlock: refactors helper functions
>>    landlock: refactors landlock_add_rule syscall
>>    landlock: user space API network support
>>    landlock: adds support network rules
>>    landlock: implements TCP network hooks
>>    seltests/landlock: moves helper function
>>    seltests/landlock: adds tests for bind() hooks
>>    seltests/landlock: adds tests for connect() hooks
>>    seltests/landlock: adds AF_UNSPEC family test
>>    seltests/landlock: adds rules overlapping test
>>    seltests/landlock: adds ruleset expanding test
>>    seltests/landlock: adds invalid input data test
>>    samples/landlock: adds network demo
>>
>>   include/uapi/linux/landlock.h               |  49 ++
>>   samples/landlock/sandboxer.c                | 118 ++-
>>   security/landlock/Kconfig                   |   1 +
>>   security/landlock/Makefile                  |   2 +
>>   security/landlock/fs.c                      | 162 +---
>>   security/landlock/limits.h                  |   8 +-
>>   security/landlock/net.c                     | 155 ++++
>>   security/landlock/net.h                     |  26 +
>>   security/landlock/ruleset.c                 | 448 +++++++++--
>>   security/landlock/ruleset.h                 |  91 ++-
>>   security/landlock/setup.c                   |   2 +
>>   security/landlock/syscalls.c                | 168 +++--
>>   tools/testing/selftests/landlock/common.h   |  10 +
>>   tools/testing/selftests/landlock/config     |   4 +
>>   tools/testing/selftests/landlock/fs_test.c  |  10 -
>>   tools/testing/selftests/landlock/net_test.c | 774 ++++++++++++++++++++
>>   16 files changed, 1737 insertions(+), 291 deletions(-)
>>   create mode 100644 security/landlock/net.c
>>   create mode 100644 security/landlock/net.h
>>   create mode 100644 tools/testing/selftests/landlock/net_test.c
>>
>> -- 
>> 2.25.1
>>
> 
> I did a thorough review of all the code. I found that the main issue
> with this version is that we stick to the layers limit, whereas it is
> only relevant for filesystem hierarchies. You'll find in the following
> patch miscellaneous fixes and improvements, with some TODOs to get rid of
> this layer limit. We'll need a test to check that too. You'll need to
> integrate this diff into your patches though.

You can find the related patch here: 
https://git.kernel.org/mic/c/8f4104b3dc59e7f110c9b83cdf034d010a2d006f
