From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<anton.sirazetdinov@huawei.com>
Subject: Re: [PATCH v5 11/15] seltests/landlock: connect() with AF_UNSPEC tests
Date: Thu, 19 May 2022 15:31:33 +0300 [thread overview]
Message-ID: <1297f02f-5c2c-bebd-da58-eed9b8ee97cc@huawei.com> (raw)
In-Reply-To: <e2c67180-3ec5-f710-710a-0c2644bfa54e@digikod.net>
5/17/2022 11:55 AM, Mickaël Salaün пишет:
> I guess these tests would also work with IPv6. You can then use the
> "alternative" tests I explained.
>
Do you mean adding new helpers such as bind_variant() and
connect_variant()??
> On 16/05/2022 17:20, Konstantin Meskhidze wrote:
>> Adds two selftests for connect() action with
>> AF_UNSPEC family flag.
>> The one is with no landlock restrictions
>> allows to disconnect already conneted socket
>> with connect(..., AF_UNSPEC, ...):
>> - connect_afunspec_no_restictions;
>> The second one refuses landlocked process
>> to disconnect already connected socket:
>> - connect_afunspec_with_restictions;
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> ---
>>
>> Changes since v3:
>> * Add connect_afunspec_no_restictions test.
>> * Add connect_afunspec_with_restictions test.
>>
>> Changes since v4:
>> * Refactoring code with self->port, self->addr4 variables.
>> * Adds bind() hook check for with AF_UNSPEC family.
>>
>> ---
>> tools/testing/selftests/landlock/net_test.c | 121 ++++++++++++++++++++
>> 1 file changed, 121 insertions(+)
>>
>> diff --git a/tools/testing/selftests/landlock/net_test.c
>> b/tools/testing/selftests/landlock/net_test.c
>> index cf914d311eb3..bf8e49466d1d 100644
>> --- a/tools/testing/selftests/landlock/net_test.c
>> +++ b/tools/testing/selftests/landlock/net_test.c
>> @@ -449,6 +449,7 @@ TEST_F_FORK(socket_test,
>> connect_with_restrictions_ip6) {
>> int new_fd;
>> int sockfd_1, sockfd_2;
>> pid_t child_1, child_2;
>> +
>> int status;
>>
>> struct landlock_ruleset_attr ruleset_attr = {
>> @@ -467,10 +468,12 @@ TEST_F_FORK(socket_test,
>> connect_with_restrictions_ip6) {
>>
>> const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>> sizeof(ruleset_attr), 0);
>> +
>
> Please no…
>
Sorry for that. I will apply clang-format-14.
>
>> ASSERT_LE(0, ruleset_fd);
>>
>> /* Allows connect and bind operations to the port[0] socket */
>> ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
>> LANDLOCK_RULE_NET_SERVICE,
>> +
>
> ditto
Ditto. Will be fixed with clang-format.
>
>> &net_service_1, 0));
>> /* Allows connect and deny bind operations to the port[1] socket */
>> ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
>> LANDLOCK_RULE_NET_SERVICE,
>> @@ -480,6 +483,7 @@ TEST_F_FORK(socket_test,
>> connect_with_restrictions_ip6) {
>> enforce_ruleset(_metadata, ruleset_fd);
>>
>> /* Creates a server socket 1 */
>> +
>> sockfd_1 = create_socket(_metadata, true, false);
>> ASSERT_LE(0, sockfd_1);
>>
>> @@ -556,4 +560,121 @@ TEST_F_FORK(socket_test,
>> connect_with_restrictions_ip6) {
>> ASSERT_EQ(1, WIFEXITED(status));
>> ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>> }
>> +
>> +TEST_F_FORK(socket_test, connect_afunspec_no_restictions) {
>> +
>> + int sockfd;
>> + pid_t child;
>> + int status;
>> +
>> + /* Creates a server socket 1 */
>> + sockfd = create_socket(_metadata, false, false);
>> + ASSERT_LE(0, sockfd);
>> +
>> + /* Binds the socket 1 to address with port[0] with AF_UNSPEC
>> family */
>> + self->addr4[0].sin_family = AF_UNSPEC;
>> + ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0],
>> sizeof(self->addr4[0])));
>> +
>> + /* Makes connection to socket with port[0] */
>> + ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
>> + sizeof(self->addr4[0])));
>> +
>> + child = fork();
>> + ASSERT_LE(0, child);
>> + if (child == 0) {
>> + struct sockaddr addr_unspec = {.sa_family = AF_UNSPEC};
>> +
>> + /* Child tries to disconnect already connected socket */
>> + ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&addr_unspec,
>> + sizeof(addr_unspec)));
>> + _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
>> + return;
>> + }
>> + /* Closes listening socket 1 for the parent*/
>> + ASSERT_EQ(0, close(sockfd));
>> +
>> + ASSERT_EQ(child, waitpid(child, &status, 0));
>> + ASSERT_EQ(1, WIFEXITED(status));
>> + ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>> +}
>> +
>> +TEST_F_FORK(socket_test, connect_afunspec_with_restictions) {
>> +
>> + int sockfd;
>> + pid_t child;
>> + int status;
>> +
>> + struct landlock_ruleset_attr ruleset_attr_1 = {
>> + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
>> + };
>> + struct landlock_net_service_attr net_service_1 = {
>> + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>> +
>> + .port = self->port[0],
>> + };
>> +
>> + struct landlock_ruleset_attr ruleset_attr_2 = {
>> + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>> + LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> + };
>> + struct landlock_net_service_attr net_service_2 = {
>> + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>> + LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +
>> + .port = self->port[0],
>> + };
>> +
>> + const int ruleset_fd_1 = landlock_create_ruleset(&ruleset_attr_1,
>> + sizeof(ruleset_attr_1), 0);
>> + ASSERT_LE(0, ruleset_fd_1);
>> +
>> + /* Allows bind operations to the port[0] socket */
>> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd_1,
>> LANDLOCK_RULE_NET_SERVICE,
>> + &net_service_1, 0));
>> +
>> + /* Enforces the ruleset. */
>> + enforce_ruleset(_metadata, ruleset_fd_1);
>> +
>> + /* Creates a server socket 1 */
>> + sockfd = create_socket(_metadata, false, false);
>> + ASSERT_LE(0, sockfd);
>> +
>> + /* Binds the socket 1 to address with port[0] with AF_UNSPEC
>> family */
>> + self->addr4[0].sin_family = AF_UNSPEC;
>> + ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0],
>> sizeof(self->addr4[0])));
>> +
>> + /* Makes connection to socket with port[0] */
>> + ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
>> + sizeof(self->addr4[0])));
>> +
>> + const int ruleset_fd_2 = landlock_create_ruleset(&ruleset_attr_2,
>> + sizeof(ruleset_attr_2), 0);
>> + ASSERT_LE(0, ruleset_fd_2);
>> +
>> + /* Allows connect and bind operations to the port[0] socket */
>> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd_2,
>> LANDLOCK_RULE_NET_SERVICE,
>> + &net_service_2, 0));
>> +
>> + /* Enforces the ruleset. */
>> + enforce_ruleset(_metadata, ruleset_fd_2);
>> +
>> + child = fork();
>> + ASSERT_LE(0, child);
>> + if (child == 0) {
>> + struct sockaddr addr_unspec = {.sa_family = AF_UNSPEC};
>> +
>> + /* Child tries to disconnect already connected socket */
>> + ASSERT_EQ(-1, connect(sockfd, (struct sockaddr *)&addr_unspec,
>> + sizeof(addr_unspec)));
>> + ASSERT_EQ(EACCES, errno);
>> + _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
>> + return;
>> + }
>> + /* Closes listening socket 1 for the parent*/
>> + ASSERT_EQ(0, close(sockfd));
>> +
>> + ASSERT_EQ(child, waitpid(child, &status, 0));
>> + ASSERT_EQ(1, WIFEXITED(status));
>> + ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>> +}
>> TEST_HARNESS_MAIN
>> --
>> 2.25.1
>>
> .
next prev parent reply other threads:[~2022-05-19 12:31 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 15:20 [PATCH v5 00/15] Network support for Landlock Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 01/15] landlock: access mask renaming Konstantin Meskhidze
2022-05-17 8:12 ` Mickaël Salaün
2022-05-18 9:16 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 02/15] landlock: landlock_find/insert_rule refactoring Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 03/15] landlock: merge and inherit function refactoring Konstantin Meskhidze
2022-05-17 8:14 ` Mickaël Salaün
2022-05-18 9:18 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 04/15] landlock: helper functions refactoring Konstantin Meskhidze
2022-05-16 17:14 ` Mickaël Salaün
2022-05-16 17:43 ` Konstantin Meskhidze
2022-05-16 18:28 ` Mickaël Salaün
2022-05-18 9:14 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 05/15] landlock: landlock_add_rule syscall refactoring Konstantin Meskhidze
2022-05-17 8:04 ` Mickaël Salaün
2022-05-17 8:10 ` Mickaël Salaün
2022-05-19 9:24 ` Konstantin Meskhidze
2022-05-19 9:23 ` Konstantin Meskhidze
2022-05-19 14:37 ` Mickaël Salaün
2022-05-24 8:35 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 06/15] landlock: user space API network support Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 07/15] landlock: add support network rules Konstantin Meskhidze
2022-05-17 8:27 ` Mickaël Salaün
2022-05-19 9:27 ` Konstantin Meskhidze
2022-05-19 14:42 ` Mickaël Salaün
2022-05-24 8:36 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 08/15] landlock: TCP network hooks implementation Konstantin Meskhidze
2022-05-17 8:51 ` Mickaël Salaün
2022-05-19 11:40 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 09/15] seltests/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-05-16 21:11 ` Mickaël Salaün
2022-05-19 12:10 ` Konstantin Meskhidze
2022-05-19 14:29 ` Mickaël Salaün
2022-05-24 8:34 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 10/15] seltests/landlock: add tests for connect() hooks Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 11/15] seltests/landlock: connect() with AF_UNSPEC tests Konstantin Meskhidze
2022-05-17 8:55 ` Mickaël Salaün
2022-05-19 12:31 ` Konstantin Meskhidze [this message]
2022-05-19 15:00 ` Mickaël Salaün
2022-05-24 8:40 ` Konstantin Meskhidze
2022-05-19 15:02 ` Mickaël Salaün
2022-05-24 8:42 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 12/15] seltests/landlock: rules overlapping test Konstantin Meskhidze
2022-05-16 17:41 ` Mickaël Salaün
2022-05-19 12:24 ` Konstantin Meskhidze
2022-05-19 15:04 ` Mickaël Salaün
2022-05-24 8:55 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 13/15] seltests/landlock: ruleset expanding test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 14/15] seltests/landlock: invalid user input data test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 15/15] samples/landlock: adds network demo Konstantin Meskhidze
2022-05-17 9:19 ` Mickaël Salaün
2022-05-19 13:33 ` Konstantin Meskhidze
2022-05-19 15:09 ` Mickaël Salaün
2022-05-24 8:41 ` Konstantin Meskhidze
2022-05-20 10:48 ` [PATCH v5 00/15] Network support for Landlock - UDP discussion Mickaël Salaün
2022-05-25 9:41 ` Konstantin Meskhidze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1297f02f-5c2c-bebd-da58-eed9b8ee97cc@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.