From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<anton.sirazetdinov@huawei.com>
Subject: [PATCH v6 15/17] seltests/landlock: adds ruleset expanding test
Date: Tue, 21 Jun 2022 16:23:11 +0800 [thread overview]
Message-ID: <20220621082313.3330667-16-konstantin.meskhidze@huawei.com> (raw)
In-Reply-To: <20220621082313.3330667-1-konstantin.meskhidze@huawei.com>
This patch adds expanding rulesets in which
rules are gradually added one by one, restricting
sockets' connections.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---
Changes since v5:
* Formats code with clang-format-14.
Changes since v4:
* Refactors code with self->port, self->addr4 variables.
Changes since v3:
* Adds ruleset_expanding test.
---
tools/testing/selftests/landlock/net_test.c | 166 ++++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 18ffd36f959c..a9cb47836a21 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -553,4 +553,170 @@ TEST_F(socket, ruleset_overlap)
ASSERT_EQ(0, close(sockfd));
}
+TEST_F(socket, ruleset_expanding)
+{
+ int sockfd_1, sockfd_2;
+ int one = 1;
+
+ struct landlock_ruleset_attr ruleset_attr_1 = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+ };
+ struct landlock_net_service_attr net_service_1 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+
+ .port = self->port[0],
+ };
+
+ const int ruleset_fd_1 = landlock_create_ruleset(
+ &ruleset_attr_1, sizeof(ruleset_attr_1), 0);
+ ASSERT_LE(0, ruleset_fd_1);
+
+ /* Adds rule to port[0] socket. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd_1, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_1, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd_1);
+ ASSERT_EQ(0, close(ruleset_fd_1));
+
+ /* Creates a socket 1. */
+ sockfd_1 = create_socket_variant(variant, SOCK_STREAM);
+ ASSERT_LE(0, sockfd_1);
+ /* Allows to reuse of local address. */
+ ASSERT_EQ(0, setsockopt(sockfd_1, SOL_SOCKET, SO_REUSEADDR, &one,
+ sizeof(one)));
+
+ /* Binds the socket 1 to address with port[0]. */
+ ASSERT_EQ(0, bind_variant(variant, sockfd_1, self, 0));
+
+ /* Makes connection to socket 1 with port[0]. */
+ ASSERT_EQ(0, connect_variant(variant, sockfd_1, self, 0));
+
+ /* Closes socket 1. */
+ ASSERT_EQ(0, close(sockfd_1));
+
+ /* Creates a socket 2. */
+ sockfd_2 = create_socket_variant(variant, SOCK_STREAM);
+ ASSERT_LE(0, sockfd_2);
+ /* Allows to reuse of local address. */
+ ASSERT_EQ(0, setsockopt(sockfd_2, SOL_SOCKET, SO_REUSEADDR, &one,
+ sizeof(one)));
+
+ /*
+ * Forbids to bind the socket 2 to address with port[1],
+ * cause there is no rule with bind() access for port[1].
+ */
+ ASSERT_EQ(-1, bind_variant(variant, sockfd_2, self, 1));
+ ASSERT_EQ(EACCES, errno);
+
+ /* Expands network mask. */
+ struct landlock_ruleset_attr ruleset_attr_2 = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ };
+
+ /* Adds connect() access to port[0]. */
+ struct landlock_net_service_attr net_service_2 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+
+ .port = self->port[0],
+ };
+ /* Adds bind() access to port[1]. */
+ struct landlock_net_service_attr net_service_3 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+
+ .port = self->port[1],
+ };
+
+ const int ruleset_fd_2 = landlock_create_ruleset(
+ &ruleset_attr_2, sizeof(ruleset_attr_2), 0);
+ ASSERT_LE(0, ruleset_fd_2);
+
+ /* Adds rule to port[0] socket. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd_2, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_2, 0));
+ /* Adds rule to port[1] socket. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd_2, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_3, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd_2);
+ ASSERT_EQ(0, close(ruleset_fd_2));
+
+ /* Creates a socket 1. */
+ sockfd_1 = create_socket_variant(variant, SOCK_STREAM);
+ ASSERT_LE(0, sockfd_1);
+ /* Allows to reuse of local address. */
+ ASSERT_EQ(0, setsockopt(sockfd_1, SOL_SOCKET, SO_REUSEADDR, &one,
+ sizeof(one)));
+
+ /* Binds the socket 1 to address with port[0]. */
+ ASSERT_EQ(0, bind_variant(variant, sockfd_1, self, 0));
+
+ /* Makes connection to socket 1 with port[0]. */
+ ASSERT_EQ(0, connect_variant(variant, sockfd_1, self, 0));
+
+ /* Closes socket 1. */
+ ASSERT_EQ(0, close(sockfd_1));
+
+ /* Creates a socket 2. */
+ sockfd_2 = create_socket_variant(variant, SOCK_STREAM);
+ ASSERT_LE(0, sockfd_2);
+ /* Allows to reuse of local address. */
+ ASSERT_EQ(0, setsockopt(sockfd_2, SOL_SOCKET, SO_REUSEADDR, &one,
+ sizeof(one)));
+
+ /*
+ * Forbids to bind the socket 2 to address with port[1],
+ * cause just one layer has bind() access rule.
+ */
+ ASSERT_EQ(-1, bind_variant(variant, sockfd_1, self, 1));
+ ASSERT_EQ(EACCES, errno);
+
+ /* Expands network mask. */
+ struct landlock_ruleset_attr ruleset_attr_3 = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ };
+
+ /* Restricts connect() access to port[0]. */
+ struct landlock_net_service_attr net_service_4 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+
+ .port = self->port[0],
+ };
+
+ const int ruleset_fd_3 = landlock_create_ruleset(
+ &ruleset_attr_3, sizeof(ruleset_attr_3), 0);
+ ASSERT_LE(0, ruleset_fd_3);
+
+ /* Adds rule to port[0] socket. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd_3, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_4, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd_3);
+ ASSERT_EQ(0, close(ruleset_fd_3));
+
+ /* Creates a socket 1. */
+ sockfd_1 = create_socket_variant(variant, SOCK_STREAM);
+ ASSERT_LE(0, sockfd_1);
+ /* Allows to reuse of local address. */
+ ASSERT_EQ(0, setsockopt(sockfd_1, SOL_SOCKET, SO_REUSEADDR, &one,
+ sizeof(one)));
+
+ /* Binds the socket 1 to address with port[0]. */
+ ASSERT_EQ(0, bind_variant(variant, sockfd_1, self, 0));
+
+ /*
+ * Forbids to connect the socket 1 to address with port[0],
+ * cause just one layer has connect() access rule.
+ */
+ ASSERT_EQ(-1, connect_variant(variant, sockfd_1, self, 0));
+ ASSERT_EQ(EACCES, errno);
+
+ /* Closes socket 1. */
+ ASSERT_EQ(0, close(sockfd_1));
+}
TEST_HARNESS_MAIN
--
2.25.1
next prev parent reply other threads:[~2022-06-21 8:24 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 8:22 [PATCH v6 00/17] Network support for Landlock Konstantin Meskhidze
2022-06-21 8:22 ` [PATCH v6 01/17] landlock: renames access mask Konstantin Meskhidze
2022-07-01 17:08 ` Mickaël Salaün
2022-07-04 9:23 ` Konstantin Meskhidze (A)
2022-07-05 11:29 ` Konstantin Meskhidze (A)
2022-07-05 13:26 ` Mickaël Salaün
2022-07-08 12:56 ` Konstantin Meskhidze (A)
2022-06-21 8:22 ` [PATCH v6 02/17] landlock: refactors landlock_find/insert_rule Konstantin Meskhidze
2022-07-07 16:44 ` Mickaël Salaün
2022-07-08 12:53 ` Konstantin Meskhidze (A)
2022-07-08 13:56 ` Mickaël Salaün
2022-07-08 14:14 ` Konstantin Meskhidze (A)
2022-07-08 14:20 ` Konstantin Meskhidze (A)
2022-07-08 16:57 ` Mickaël Salaün
2022-07-11 8:16 ` Konstantin Meskhidze (A)
2022-07-08 13:10 ` Konstantin Meskhidze (A)
2022-07-08 13:59 ` Mickaël Salaün
2022-07-08 14:14 ` Konstantin Meskhidze (A)
2022-07-08 14:35 ` Mickaël Salaün
2022-07-11 14:05 ` Konstantin Meskhidze (A)
2022-07-28 14:48 ` Mickaël Salaün
2022-07-07 16:46 ` Mickaël Salaün
2022-07-08 12:54 ` Konstantin Meskhidze (A)
2022-06-21 8:22 ` [PATCH v6 03/17] landlock: refactors merge and inherit functions Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 04/17] landlock: moves helper functions Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 05/17] landlock: refactors " Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 06/17] landlock: refactors landlock_add_rule syscall Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 07/17] landlock: user space API network support Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 08/17] landlock: adds support network rules Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 09/17] landlock: implements TCP network hooks Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 10/17] seltests/landlock: moves helper function Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 11/17] seltests/landlock: adds tests for bind() hooks Konstantin Meskhidze
2022-07-28 13:24 ` Mickaël Salaün
2022-06-21 8:23 ` [PATCH v6 12/17] seltests/landlock: adds tests for connect() hooks Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 13/17] seltests/landlock: adds AF_UNSPEC family test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 14/17] seltests/landlock: adds rules overlapping test Konstantin Meskhidze
2022-06-21 8:23 ` Konstantin Meskhidze [this message]
2022-06-21 8:23 ` [PATCH v6 16/17] seltests/landlock: adds invalid input data test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 17/17] samples/landlock: adds network demo Konstantin Meskhidze
2022-07-27 20:26 ` Mickaël Salaün
2022-07-28 9:21 ` Konstantin Meskhidze (A)
2022-07-26 17:43 ` [PATCH v6 00/17] Network support for Landlock Mickaël Salaün
2022-07-27 19:54 ` Mickaël Salaün
2022-07-28 9:19 ` Konstantin Meskhidze (A)
2022-07-28 9:25 ` Konstantin Meskhidze (A)
2022-07-28 10:12 ` Mickaël Salaün
2022-07-28 11:27 ` Konstantin Meskhidze (A)
2022-07-28 13:17 ` Mickaël Salaün
2022-08-23 9:10 ` Konstantin Meskhidze (A)
2022-08-27 13:30 ` Konstantin Meskhidze (A)
2022-08-29 13:10 ` Mickaël Salaün
2022-07-27 20:21 ` Mickaël Salaün
2022-07-28 9:20 ` Konstantin Meskhidze (A)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220621082313.3330667-16-konstantin.meskhidze@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.