From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<artem.kuzin@huawei.com>, <anton.sirazetdinov@huawei.com>
Subject: [RFC PATCH v4 11/15] seltest/landlock: add tests for connect() hooks
Date: Wed, 9 Mar 2022 21:44:55 +0800 [thread overview]
Message-ID: <20220309134459.6448-12-konstantin.meskhidze@huawei.com> (raw)
In-Reply-To: <20220309134459.6448-1-konstantin.meskhidze@huawei.com>
Adds two selftests for connect socket action.
The one is with no landlock restrictions:
- connect_no_restrictions;
The second one is with mixed landlock rules:
- connect_with_restrictions;
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---
Changes since v3:
* Split commit.
---
.../testing/selftests/landlock/network_test.c | 162 ++++++++++++++++++
1 file changed, 162 insertions(+)
diff --git a/tools/testing/selftests/landlock/network_test.c b/tools/testing/selftests/landlock/network_test.c
index 4c60f6d973a8..20f2d94d6d85 100644
--- a/tools/testing/selftests/landlock/network_test.c
+++ b/tools/testing/selftests/landlock/network_test.c
@@ -150,4 +150,166 @@ TEST_F_FORK(socket, bind_with_restrictions) {
ASSERT_EQ(-1, bind(sockfd_3, (struct sockaddr *)&addr[2], sizeof(addr[2])));
ASSERT_EQ(EACCES, errno);
}
+
+TEST_F_FORK(socket, connect_no_restrictions) {
+
+ int sockfd, new_fd;
+ pid_t child;
+ int status;
+
+ /* Creates a server socket */
+ sockfd = create_socket(_metadata);
+ ASSERT_LE(0, sockfd);
+
+ /* Binds a socket to port[0] */
+ ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&addr[0], sizeof(addr[0])));
+
+ /* Makes listening socket */
+ ASSERT_EQ(0, listen(sockfd, BACKLOG));
+
+ child = fork();
+ ASSERT_LE(0, child);
+ if (child == 0) {
+ int child_sockfd;
+
+ /* Closes listening socket for the child */
+ ASSERT_EQ(0, close(sockfd));
+ /* Create a stream client socket */
+ child_sockfd = create_socket(_metadata);
+ ASSERT_LE(0, child_sockfd);
+
+ /* Makes connection to the listening socket */
+ ASSERT_EQ(0, connect(child_sockfd, (struct sockaddr *)&addr[0],
+ sizeof(addr[0])));
+ _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
+ return;
+ }
+ /* Accepts connection from the child */
+ new_fd = accept(sockfd, NULL, 0);
+ ASSERT_LE(0, new_fd);
+
+ /* Closes connection */
+ ASSERT_EQ(0, close(new_fd));
+
+ /* Closes listening socket for the parent*/
+ ASSERT_EQ(0, close(sockfd));
+
+ ASSERT_EQ(child, waitpid(child, &status, 0));
+ ASSERT_EQ(1, WIFEXITED(status));
+ ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+}
+
+TEST_F_FORK(socket, connect_with_restrictions) {
+
+ int new_fd;
+ int sockfd_1, sockfd_2;
+ pid_t child_1, child_2;
+ int status;
+
+ struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ };
+ struct landlock_net_service_attr net_service_1 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ .port = port[0],
+ };
+ struct landlock_net_service_attr net_service_2 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = port[1],
+ };
+
+ const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
+ sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+
+ /* Allows connect and bind operations to the port[0] socket */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_1, 0));
+ /* Allows connect and deny bind operations to the port[1] socket */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_2, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd);
+
+ /* Creates a server socket 1 */
+ sockfd_1 = create_socket(_metadata);
+ ASSERT_LE(0, sockfd_1);
+
+ /* Binds the socket 1 to address with port[0] */
+ ASSERT_EQ(0, bind(sockfd_1, (struct sockaddr *)&addr[0], sizeof(addr[0])));
+
+ /* Makes listening socket 1 */
+ ASSERT_EQ(0, listen(sockfd_1, BACKLOG));
+
+ child_1 = fork();
+ ASSERT_LE(0, child_1);
+ if (child_1 == 0) {
+ int child_sockfd;
+
+ /* Closes listening socket for the child */
+ ASSERT_EQ(0, close(sockfd_1));
+ /* Creates a stream client socket */
+ child_sockfd = create_socket(_metadata);
+ ASSERT_LE(0, child_sockfd);
+
+ /* Makes connection to the listening socket */
+ ASSERT_EQ(0, connect(child_sockfd, (struct sockaddr *)&addr[0],
+ sizeof(addr[0])));
+ _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
+ return;
+ }
+ /* Accepts connection from the child 1 */
+ new_fd = accept(sockfd_1, NULL, 0);
+ ASSERT_LE(0, new_fd);
+
+ /* Closes connection */
+ ASSERT_EQ(0, close(new_fd));
+
+ /* Closes listening socket 1 for the parent*/
+ ASSERT_EQ(0, close(sockfd_1));
+
+ ASSERT_EQ(child_1, waitpid(child_1, &status, 0));
+ ASSERT_EQ(1, WIFEXITED(status));
+ ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+
+ /* Creates a server socket 2 */
+ sockfd_2 = create_socket(_metadata);
+ ASSERT_LE(0, sockfd_2);
+
+ /* Binds the socket 2 to address with port[1] */
+ ASSERT_EQ(0, bind(sockfd_2, (struct sockaddr *)&addr[1], sizeof(addr[1])));
+
+ /* Makes listening socket 2 */
+ ASSERT_EQ(0, listen(sockfd_2, BACKLOG));
+
+ child_2 = fork();
+ ASSERT_LE(0, child_2);
+ if (child_2 == 0) {
+ int child_sockfd;
+
+ /* Closes listening socket for the child */
+ ASSERT_EQ(0, close(sockfd_2));
+ /* Creates a stream client socket */
+ child_sockfd = create_socket(_metadata);
+ ASSERT_LE(0, child_sockfd);
+
+ /* Makes connection to the listening socket */
+ ASSERT_EQ(-1, connect(child_sockfd, (struct sockaddr *)&addr[1],
+ sizeof(addr[1])));
+ ASSERT_EQ(EACCES, errno);
+ _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
+ return;
+ }
+
+ /* Closes listening socket 2 for the parent*/
+ ASSERT_EQ(0, close(sockfd_2));
+
+ ASSERT_EQ(child_2, waitpid(child_2, &status, 0));
+ ASSERT_EQ(1, WIFEXITED(status));
+ ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+}
+
TEST_HARNESS_MAIN
--
2.25.1
next prev parent reply other threads:[~2022-03-09 13:46 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-09 13:44 [RFC PATCH v4 00/15] Landlock LSM Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 01/15] landlock: access mask renaming Konstantin Meskhidze
2022-04-01 16:47 ` Mickaël Salaün
2022-04-04 8:17 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 02/15] landlock: filesystem access mask helpers Konstantin Meskhidze
2022-03-15 17:48 ` Mickaël Salaün
2022-03-17 13:25 ` Konstantin Meskhidze
2022-03-17 18:03 ` Mickaël Salaün
2022-03-18 11:36 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring Konstantin Meskhidze
2022-03-16 8:27 ` Mickaël Salaün
2022-03-17 14:29 ` Konstantin Meskhidze
2022-03-18 18:33 ` Mickaël Salaün
2022-03-22 12:33 ` Konstantin Meskhidze
2022-03-22 13:24 ` Mickaël Salaün
2022-03-23 8:41 ` Konstantin Meskhidze
2022-04-12 11:07 ` [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring (TCP port 0) Mickaël Salaün
2022-04-26 9:15 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 04/15] landlock: merge and inherit function refactoring Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 05/15] landlock: unmask_layers() " Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 06/15] landlock: landlock_add_rule syscall refactoring Konstantin Meskhidze
2022-04-12 11:12 ` Mickaël Salaün
2022-04-26 8:30 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 07/15] landlock: user space API network support Konstantin Meskhidze
2022-04-12 11:21 ` Mickaël Salaün
2022-04-12 13:48 ` Mickaël Salaün
2022-04-12 14:05 ` Konstantin Meskhidze
2022-04-12 16:10 ` Mickaël Salaün
2022-04-26 10:17 ` Konstantin Meskhidze
2022-04-25 14:29 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 08/15] landlock: add support network rules Konstantin Meskhidze
2022-04-08 16:30 ` Mickaël Salaün
2022-04-11 13:44 ` Konstantin Meskhidze
2022-04-11 16:20 ` Mickaël Salaün
2022-04-12 8:38 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 09/15] landlock: TCP network hooks implementation Konstantin Meskhidze
2022-04-11 16:24 ` Mickaël Salaün
2022-04-26 8:36 ` Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-04-01 16:52 ` Mickaël Salaün
2022-04-04 8:28 ` Konstantin Meskhidze
2022-04-04 9:44 ` Mickaël Salaün
2022-04-06 14:12 ` Konstantin Meskhidze
2022-04-08 16:41 ` Mickaël Salaün
2022-04-26 9:35 ` Konstantin Meskhidze
2022-05-16 10:10 ` Mickaël Salaün
2022-05-16 10:22 ` Konstantin Meskhidze
2022-04-04 18:32 ` Mickaël Salaün
2022-04-06 14:17 ` Konstantin Meskhidze
2022-03-09 13:44 ` Konstantin Meskhidze [this message]
2022-03-09 13:44 ` [RFC PATCH v4 12/15] seltest/landlock: connect() with AF_UNSPEC tests Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 13/15] seltest/landlock: rules overlapping test Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 14/15] seltest/landlock: ruleset expanding test Konstantin Meskhidze
2022-03-09 13:44 ` [RFC PATCH v4 15/15] seltest/landlock: invalid user input data test Konstantin Meskhidze
2022-03-15 17:02 ` [RFC PATCH v4 00/15] Landlock LSM Mickaël Salaün
2022-03-17 13:01 ` Konstantin Meskhidze
2022-03-17 17:26 ` Mickaël Salaün
2022-03-18 15:55 ` Konstantin Meskhidze
2022-03-23 16:30 ` Konstantin Meskhidze
2022-03-24 12:27 ` Mickaël Salaün
2022-03-24 13:34 ` Konstantin Meskhidze
2022-03-24 15:30 ` Mickaël Salaün
2022-03-24 16:19 ` Konstantin Meskhidze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220309134459.6448-12-konstantin.meskhidze@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=artem.kuzin@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).