Re: [RFC PATCH v4 00/15] Landlock LSM

From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
	<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
	<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
	<artem.kuzin@huawei.com>, <anton.sirazetdinov@huawei.com>
Subject: Re: [RFC PATCH v4 00/15] Landlock LSM
Date: Fri, 18 Mar 2022 18:55:46 +0300	[thread overview]
Message-ID: <27876286-b52a-d2e3-cd62-34bafeb990ba@huawei.com> (raw)
In-Reply-To: <ef128eed-65a3-1617-d630-275f3cfa8220@digikod.net>


3/17/2022 8:26 PM, Mickaël Salaün пишет:
> 
> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>
>>
>> 3/15/2022 8:02 PM, Mickaël Salaün пишет:
>>> Hi Konstantin,
>>>
>>> This series looks good! Thanks for the split in multiple patches.
>>>
>>   Thanks. I follow your recommendations.
>>>
>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>> Hi,
>>>> This is a new V4 bunch of RFC patches related to Landlock LSM 
>>>> network confinement.
>>>> It brings deep refactirong and commit splitting of previous version V3.
>>>> Also added additional selftests.
>>>>
>>>> This patch series can be applied on top of v5.17-rc3.
>>>>
>>>> All test were run in QEMU evironment and compiled with
>>>>   -static flag.
>>>>   1. network_test: 9/9 tests passed.
>>>
>>> I get a kernel warning running the network tests.
>>
>>    What kind of warning? Can you provide it please?
> 
> You really need to get a setup that gives you such kernel warning. When 
> running network_test you should get:
> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 
> insert_rule+0x220/0x270
> 
> Before sending new patches, please make sure you're able to catch such 
> issues.
> 
   Thanks. I will check it.
> 
>>>
>>>>   2. base_test: 8/8 tests passed.
>>>>   3. fs_test: 46/46 tests passed.
>>>>   4. ptrace_test: 4/8 tests passed.
>>>
>>> Does your test machine use Yama? That would explain the 4/8. You can 
>>> disable it with the appropriate sysctl.
> 
> Can you answer this question?

   Sorry. I missed it.
   I checked config - Yama is supported now. I will disable it.
   Thanks for advice.
> 
> 
>>>
>>>>
>>>> Tests were also launched for Landlock version without
>>>> v4 patch:
>>>>   1. base_test: 8/8 tests passed.
>>>>   2. fs_test: 46/46 tests passed.
>>>>   3. ptrace_test: 4/8 tests passed.
>>>>
>>>> Could not provide test coverage cause had problems with tests
>>>> on VM (no -static flag the tests compiling, no v4 patch applied):
>>>
>>> You can build statically-linked tests with:
>>> make -C tools/testing/selftests/landlock CFLAGS=-static
>>
>>   Ok. I will try. Thanks.
>>>
>>>> 1. base_test: 7/8 tests passed.
>>>>   Error:
>>>>   # Starting 8 tests from 1 test cases.
>>>>   #  RUN           global.inconsistent_attr ...
>>>>   # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>>>
>>> This looks like a bug in the syscall argument checks.
>>
>>    This bug I just get when don't use -static option. With -static 
>> base test passes 8/8.
> 
> Weird, I'd like to know what is the cause of this issue. What disto and 
> version do you use as host and guest VM? Do you have some warning when 
> compiling?
   I run tests on host Ubuntu 20.04.3 LTS, kernel version  v5.17. I will 
check more carefuly for compiling warnings.
> .