From patchwork Tue Nov 5 09:34:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2006779 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=YRkxMdfr; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=YAmpREv1; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=YRkxMdfr; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=YAmpREv1; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XjNVw578Cz1xxN for ; Tue, 5 Nov 2024 20:35:52 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 93C643D1F4E for ; Tue, 5 Nov 2024 10:35:50 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 47B2E3D1F2D for ; Tue, 5 Nov 2024 10:34:35 +0100 (CET) Authentication-Results: in-6.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:2; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id 8E7851420363 for ; Tue, 5 Nov 2024 10:34:30 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 88C5C1FE13 for ; Tue, 5 Nov 2024 09:34:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799268; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QtpGncQXbjbUlIGomZKZjK5/UpevnvgG8MsYnBoymnM=; b=YRkxMdfrY3tj6AJGtFZ1sU0ssWOlVD7BOT/O4X9OKdRSyVonkfyXvamSRg6PUGVnZ5c0We YScYVyuM6Q6K2qj9YaXvimh8U34QBQeha3w5Ostf6Pd+0NL/N3mYHgHNVi+fWHNo+pwwz8 CuQ2DgEWNfRLVBhinatv4pi7O2dgnfU= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799268; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QtpGncQXbjbUlIGomZKZjK5/UpevnvgG8MsYnBoymnM=; b=YAmpREv18m6rBZD+D9/konTkThz5wJyFr/YLbspXUSRIc0tukLHwZIltuEbtdL8HGEAuxW +cyrqvGMkIj4txDw== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=YRkxMdfr; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=YAmpREv1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799268; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QtpGncQXbjbUlIGomZKZjK5/UpevnvgG8MsYnBoymnM=; b=YRkxMdfrY3tj6AJGtFZ1sU0ssWOlVD7BOT/O4X9OKdRSyVonkfyXvamSRg6PUGVnZ5c0We YScYVyuM6Q6K2qj9YaXvimh8U34QBQeha3w5Ostf6Pd+0NL/N3mYHgHNVi+fWHNo+pwwz8 CuQ2DgEWNfRLVBhinatv4pi7O2dgnfU= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799268; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QtpGncQXbjbUlIGomZKZjK5/UpevnvgG8MsYnBoymnM=; b=YAmpREv18m6rBZD+D9/konTkThz5wJyFr/YLbspXUSRIc0tukLHwZIltuEbtdL8HGEAuxW +cyrqvGMkIj4txDw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 3661213A39 for ; Tue, 5 Nov 2024 09:34:28 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id sKkrB6TmKWeAPwAAD6G6ig (envelope-from ) for ; Tue, 05 Nov 2024 09:34:28 +0000 From: Andrea Cervesato Date: Tue, 05 Nov 2024 10:34:25 +0100 MIME-Version: 1.0 Message-Id: <20241105-landlock_network-v2-1-d58791487919@suse.com> References: <20241105-landlock_network-v2-0-d58791487919@suse.com> In-Reply-To: <20241105-landlock_network-v2-0-d58791487919@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730799267; l=16487; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=oE4ik91HL3diHXFRWnahOkX1LS6eZ+bfEL5Zyt8YRGY=; b=gkphp9xEtW6G6kSWJRCsdLoLM1kXcOPNS65PDBHerGTyNozZV/zZBgUd/D0QGVJtX6e8anWzG 41xs2S4QEGUB9w77FyQoJyZ4xkn/j7p3eDRF//aSLJEKdGcdmzhbiJD X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: 88C5C1FE13 X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.com:email,suse.com:mid,suse.de:dkim]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[ltp@lists.linux.it]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -4.51 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 1/4] Fallback landlock network support X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Landlock network support has been added in the ABI v4, adding features for bind() and connect() syscalls. It also defined one more member in the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to build landlock testing suite. For this reason, we introduce tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4 ruleset_attr definitions. Signed-off-by: Andrea Cervesato Reviewed-by: Cyril Hrubis Reviewed-by: Li Wang --- configure.ac | 3 ++- include/lapi/capability.h | 4 ++++ include/lapi/landlock.h | 28 ++++++++++++---------- testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++-------- testcases/kernel/syscalls/landlock/landlock02.c | 8 +++---- testcases/kernel/syscalls/landlock/landlock03.c | 6 ++--- testcases/kernel/syscalls/landlock/landlock04.c | 6 ++--- testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++---- testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++------- testcases/kernel/syscalls/landlock/landlock07.c | 6 ++--- .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------ 11 files changed, 53 insertions(+), 59 deletions(-) diff --git a/configure.ac b/configure.ac index d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4 100644 --- a/configure.ac +++ b/configure.ac @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS], AC_PREFIX_DEFAULT(/opt/ltp) AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include ]) +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include ]) +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include ]) AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include ]) AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include ]) AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include ]) @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[ ]) AC_CHECK_TYPES([enum kcmp_type],,,[#include ]) -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include ]) AC_CHECK_TYPES([struct acct_v3],,,[#include ]) AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include ]) AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error, diff --git a/include/lapi/capability.h b/include/lapi/capability.h index 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0 100644 --- a/include/lapi/capability.h +++ b/include/lapi/capability.h @@ -20,6 +20,10 @@ # endif #endif +#ifndef CAP_NET_BIND_SERVICE +# define CAP_NET_BIND_SERVICE 10 +#endif + #ifndef CAP_NET_RAW # define CAP_NET_RAW 13 #endif diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h index 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec 100644 --- a/include/lapi/landlock.h +++ b/include/lapi/landlock.h @@ -7,6 +7,7 @@ #define LAPI_LANDLOCK_H__ #include "config.h" +#include #ifdef HAVE_LINUX_LANDLOCK_H # include @@ -14,13 +15,16 @@ #include "lapi/syscalls.h" -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR -struct landlock_ruleset_attr +struct tst_landlock_ruleset_attr_abi1 +{ + uint64_t handled_access_fs; +}; + +struct tst_landlock_ruleset_attr_abi4 { uint64_t handled_access_fs; uint64_t handled_access_net; }; -#endif #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR struct landlock_path_beneath_attr @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr } __attribute__((packed)); #endif -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE -enum landlock_rule_type -{ - LANDLOCK_RULE_PATH_BENEATH = 1, - LANDLOCK_RULE_NET_PORT, -}; +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH +# define LANDLOCK_RULE_PATH_BENEATH 1 +#endif + +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT +# define LANDLOCK_RULE_NET_PORT 2 #endif #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR @@ -123,8 +127,7 @@ struct landlock_net_port_attr #endif static inline int safe_landlock_create_ruleset(const char *file, const int lineno, - const struct landlock_ruleset_attr *attr, - size_t size , uint32_t flags) + const void *attr, size_t size , uint32_t flags) { int rval; @@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen } static inline int safe_landlock_add_rule(const char *file, const int lineno, - int ruleset_fd, enum landlock_rule_type rule_type, - const void *rule_attr, uint32_t flags) + int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags) { int rval; diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c index 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae 100644 --- a/testcases/kernel/syscalls/landlock/landlock01.c +++ b/testcases/kernel/syscalls/landlock/landlock01.c @@ -17,14 +17,14 @@ #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; -static struct landlock_ruleset_attr *null_attr; +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi4 *null_attr; static size_t rule_size; static size_t rule_small_size; static size_t rule_big_size; static struct tcase { - struct landlock_ruleset_attr **attr; + struct tst_landlock_ruleset_attr_abi4 **attr; uint64_t access_fs; size_t *size; uint32_t flags; @@ -60,13 +60,8 @@ static void setup(void) { verify_landlock_is_enabled(); - rule_size = sizeof(struct landlock_ruleset_attr); - -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4); rule_small_size = rule_size - sizeof(uint64_t) - 1; -#else - rule_small_size = rule_size - 1; -#endif rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1; } @@ -77,7 +72,7 @@ static struct tst_test test = { .setup = setup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c index 1a3df69c9cc3eda98e28cfbfd1e12c57e26d0128..8566d407f6d17ab367695125f07d0a80cf4130e5 100644 --- a/testcases/kernel/syscalls/landlock/landlock02.c +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -20,7 +20,7 @@ #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static struct landlock_path_beneath_attr *rule_null; static int ruleset_fd; @@ -93,7 +93,7 @@ static void run(unsigned int n) } TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, - *tc->fd, tc->rule_type, *tc->attr, tc->flags), + *tc->fd, tc->rule_type, *tc->attr, tc->flags), tc->exp_errno, "%s", tc->msg); @@ -106,7 +106,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); } static void cleanup(void) @@ -122,7 +122,7 @@ static struct tst_test test = { .cleanup = cleanup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c index 224482255b287cef64f579b5707a92a6b5908f8b..150c8cc4e50ee1b41af3c8c01771c51a8715746f 100644 --- a/testcases/kernel/syscalls/landlock/landlock03.c +++ b/testcases/kernel/syscalls/landlock/landlock03.c @@ -21,7 +21,7 @@ #define MAX_STACKED_RULESETS 16 -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static int ruleset_fd = -1; static int ruleset_invalid = -1; static int file_fd = -1; @@ -89,7 +89,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777); } @@ -112,7 +112,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c index e9dedd45091ecd15cdce2fa7227bbfceb14abb5e..2485591e2196072f81708fc10cebd382e536e2a9 100644 --- a/testcases/kernel/syscalls/landlock/landlock04.c +++ b/testcases/kernel/syscalls/landlock/landlock04.c @@ -15,7 +15,7 @@ #include "landlock_tester.h" #include "tst_safe_stdio.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static int ruleset_fd = -1; @@ -153,7 +153,7 @@ static void setup(void) ruleset_attr->handled_access_fs = tester_get_all_fs_rules(); ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0); /* since our binary is dynamically linked, we need to enable dependences * to be read and executed @@ -192,7 +192,7 @@ static struct tst_test test = { NULL, }, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c index 703f7d81c336907f360acbe45b42720dc12bac23..3d5048f0ab51b2d7c3eedc82ef80c04935ac5d86 100644 --- a/testcases/kernel/syscalls/landlock/landlock05.c +++ b/testcases/kernel/syscalls/landlock/landlock05.c @@ -28,7 +28,7 @@ #define FILENAME2 DIR2"/file" #define FILENAME3 DIR3"/file" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static void run(void) @@ -68,15 +68,15 @@ static void setup(void) LANDLOCK_ACCESS_FS_REFER; ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0); - apply_landlock_rule( + apply_landlock_fs_rule( path_beneath_attr, ruleset_fd, LANDLOCK_ACCESS_FS_REFER, DIR1); - apply_landlock_rule( + apply_landlock_fs_rule( path_beneath_attr, ruleset_fd, LANDLOCK_ACCESS_FS_REFER, @@ -93,7 +93,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c index 1a6e59241557db23b23beabf9863a9c51353757a..74237d11657054985f06431467fbb161ded0c1b6 100644 --- a/testcases/kernel/syscalls/landlock/landlock06.c +++ b/testcases/kernel/syscalls/landlock/landlock06.c @@ -18,7 +18,7 @@ #define MNTPOINT "sandbox" #define FILENAME MNTPOINT"/fifo" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static int file_fd = -1; static int dev_fd = -1; @@ -42,8 +42,6 @@ static void run(void) static void setup(void) { - int ruleset_fd; - if (verify_landlock_is_enabled() < 5) tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not supported"); @@ -56,17 +54,13 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); - - apply_landlock_layer( + apply_landlock_fs_layer( ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi1), path_beneath_attr, MNTPOINT, LANDLOCK_ACCESS_FS_IOCTL_DEV ); - - SAFE_CLOSE(ruleset_fd); } static void cleanup(void) @@ -85,7 +79,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c index 6115ad53876209051952873679eb96014b4dd805..8ee614856312d55e573e18f88a6690b50497ee8b 100644 --- a/testcases/kernel/syscalls/landlock/landlock07.c +++ b/testcases/kernel/syscalls/landlock/landlock07.c @@ -25,7 +25,7 @@ #include "lapi/prctl.h" #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static int ruleset_fd; static pid_t spawn_houdini(void) @@ -77,7 +77,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE; ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( ruleset_attr, - sizeof(struct landlock_ruleset_attr), + sizeof(struct tst_landlock_ruleset_attr_abi1), 0); } @@ -93,7 +93,7 @@ static struct tst_test test = { .cleanup = cleanup, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h index da91daeab7b3def7184f611a90273419e4cfa6f2..f3096f4bf15f155f2a00b39c461d0805a76306e5 100644 --- a/testcases/kernel/syscalls/landlock/landlock_common.h +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void) return abi; } -static inline void apply_landlock_rule( +static inline void apply_landlock_fs_rule( struct landlock_path_beneath_attr *path_beneath_attr, const int ruleset_fd, const int access, @@ -57,21 +57,19 @@ static inline void enforce_ruleset(const int ruleset_fd) SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); } -static inline void apply_landlock_layer( - struct landlock_ruleset_attr *ruleset_attr, +static inline void apply_landlock_fs_layer( + void *ruleset_attr, size_t attr_size, struct landlock_path_beneath_attr *path_beneath_attr, const char *path, const int access) { int ruleset_fd; - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0); - apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path); + apply_landlock_fs_rule(path_beneath_attr, ruleset_fd, access, path); enforce_ruleset(ruleset_fd); SAFE_CLOSE(ruleset_fd); } - #endif /* LANDLOCK_COMMON_H__ */ From patchwork Tue Nov 5 09:34:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2006777 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=OgJN3dTF; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=q3C0TN1h; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=OgJN3dTF; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=q3C0TN1h; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XjNV90CHfz1xxN for ; Tue, 5 Nov 2024 20:35:13 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id E19953D1F14 for ; Tue, 5 Nov 2024 10:35:10 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [217.194.8.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 3F7D83D1F10 for ; Tue, 5 Nov 2024 10:34:32 +0100 (CET) Authentication-Results: in-7.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:2; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-7.smtp.seeweb.it (Postfix) with ESMTPS id 9273E222FBB for ; Tue, 5 Nov 2024 10:34:30 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 020011FE1A for ; Tue, 5 Nov 2024 09:34:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XmFx+ZoGKaF8JcZ0SEs7vMOYAGoAp4of9O1OLpWp3Ww=; b=OgJN3dTFrK4LTs5/jxflPIshRmF0wHYdQk9oMWXRS47CvbXOpnsLxrffGDkFvhEEDwL1XY vAUGCdqlXE5AApopvuRozAkIsDC9e3e9dgloyDI62H1ebOKQIft32qyvcgF7Qwz9nvyLj8 N2qemAqV46URG9xTypLrrKwoU/Mile0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XmFx+ZoGKaF8JcZ0SEs7vMOYAGoAp4of9O1OLpWp3Ww=; b=q3C0TN1hRDXFoFfRq+1IoHWCgW7E4oaFCYZU9/SPo4BIcPPBzK5A3up02ct0qBrrsHUeyu EeK+fwo/JkCcZuBQ== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XmFx+ZoGKaF8JcZ0SEs7vMOYAGoAp4of9O1OLpWp3Ww=; b=OgJN3dTFrK4LTs5/jxflPIshRmF0wHYdQk9oMWXRS47CvbXOpnsLxrffGDkFvhEEDwL1XY vAUGCdqlXE5AApopvuRozAkIsDC9e3e9dgloyDI62H1ebOKQIft32qyvcgF7Qwz9nvyLj8 N2qemAqV46URG9xTypLrrKwoU/Mile0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XmFx+ZoGKaF8JcZ0SEs7vMOYAGoAp4of9O1OLpWp3Ww=; b=q3C0TN1hRDXFoFfRq+1IoHWCgW7E4oaFCYZU9/SPo4BIcPPBzK5A3up02ct0qBrrsHUeyu EeK+fwo/JkCcZuBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B4BC01394A for ; Tue, 5 Nov 2024 09:34:28 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id cNucJqTmKWeAPwAAD6G6ig (envelope-from ) for ; Tue, 05 Nov 2024 09:34:28 +0000 From: Andrea Cervesato Date: Tue, 05 Nov 2024 10:34:26 +0100 MIME-Version: 1.0 Message-Id: <20241105-landlock_network-v2-2-d58791487919@suse.com> References: <20241105-landlock_network-v2-0-d58791487919@suse.com> In-Reply-To: <20241105-landlock_network-v2-0-d58791487919@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730799267; l=4182; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=bb0mNcabNfgo6eO8im6I/sIqAGiaCsEwkXF0hpOJhQE=; b=hwc7pmH/AeiiKx7CUkQmFiJDmlUCRodWvF/bQOd0V6sYLNQ2BuaI36K4tMSVqEkev6r4U8rlR rqKWW55zXr1Dvs88Z75QhjeIe2ZbdmnFlcaULKIB7t+kqnqvR/6IFnp X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Spam-Level: X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; PREVIOUSLY_DELIVERED(0.00)[ltp@lists.linux.it]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo, suse.com:email, suse.com:mid] X-Spam-Score: -4.30 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-7.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-7.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Landlock suite helpers functions don't support network features. This patch adds apply_landlock_net_layer() helper that can be used to apply a network landlock rule in the current sandbox. Signed-off-by: Andrea Cervesato Reviewed-by: Cyril Hrubis --- .../kernel/syscalls/landlock/landlock_common.h | 124 +++++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h index f3096f4bf15f155f2a00b39c461d0805a76306e5..d55f2a2576968a89fbeca6bb2a56c6c2700729fa 100644 --- a/testcases/kernel/syscalls/landlock/landlock_common.h +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -11,6 +11,16 @@ #include "lapi/fcntl.h" #include "lapi/landlock.h" +#define IPV4_ADDRESS "127.0.0.1" +#define IPV6_ADDRESS "::1" + +struct socket_data { + struct sockaddr_in addr_ipv4; + struct sockaddr_in6 addr_ipv6; + size_t address_size; + int fd; +}; + static inline int verify_landlock_is_enabled(void) { int abi; @@ -51,6 +61,22 @@ static inline void apply_landlock_fs_rule( SAFE_CLOSE(path_beneath_attr->parent_fd); } +static inline void apply_landlock_net_rule( + struct landlock_net_port_attr *net_attr, + const int ruleset_fd, + const uint64_t port, + const uint64_t access) +{ + net_attr->port = port; + net_attr->allowed_access = access; + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_NET_PORT, + net_attr, + 0); +} + static inline void enforce_ruleset(const int ruleset_fd) { SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); @@ -72,4 +98,102 @@ static inline void apply_landlock_fs_layer( SAFE_CLOSE(ruleset_fd); } + +static inline void apply_landlock_net_layer( + void *ruleset_attr, size_t attr_size, + struct landlock_net_port_attr *net_port_attr, + const in_port_t port, + const uint64_t access) +{ + int ruleset_fd; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0); + + apply_landlock_net_rule(net_port_attr, ruleset_fd, port, access); + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +static inline in_port_t getsocket_port(struct socket_data *socket, + const int addr_family) +{ + struct sockaddr_in addr_ipv4; + struct sockaddr_in6 addr_ipv6; + socklen_t len; + in_port_t port = 0; + + switch (addr_family) { + case AF_INET: + len = sizeof(addr_ipv4); + memset(&addr_ipv4, 0, len); + + SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv4, &len); + port = ntohs(addr_ipv4.sin_port); + break; + case AF_INET6: + len = sizeof(addr_ipv6); + memset(&addr_ipv6, 0, len); + + SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv6, &len); + port = ntohs(addr_ipv6.sin6_port); + break; + default: + tst_brk(TBROK, "Unsupported protocol"); + break; + }; + + return port; +} + +static inline void create_socket(struct socket_data *socket, + const int addr_family, const in_port_t port) +{ + memset(socket, 0, sizeof(struct socket_data)); + + switch (addr_family) { + case AF_INET: + if (!port) { + tst_init_sockaddr_inet_bin(&socket->addr_ipv4, + INADDR_ANY, 0); + } else { + tst_init_sockaddr_inet(&socket->addr_ipv4, + IPV4_ADDRESS, port); + } + + socket->address_size = sizeof(struct sockaddr_in); + break; + case AF_INET6: + if (!port) { + tst_init_sockaddr_inet6_bin(&socket->addr_ipv6, + &in6addr_any, 0); + } else { + tst_init_sockaddr_inet6(&socket->addr_ipv6, + IPV6_ADDRESS, port); + } + + socket->address_size = sizeof(struct sockaddr_in6); + break; + default: + tst_brk(TBROK, "Unsupported protocol"); + return; + }; + + socket->fd = SAFE_SOCKET(addr_family, SOCK_STREAM | SOCK_CLOEXEC, 0); +} + +static inline void getsocket_addr(struct socket_data *socket, + const int addr_family, struct sockaddr **addr) +{ + switch (addr_family) { + case AF_INET: + *addr = (struct sockaddr *)&socket->addr_ipv4; + break; + case AF_INET6: + *addr = (struct sockaddr *)&socket->addr_ipv6; + break; + default: + break; + }; +} #endif /* LANDLOCK_COMMON_H__ */ From patchwork Tue Nov 5 09:34:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2006778 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=r33KN/RU; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=eDPC1IlS; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=r33KN/RU; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=eDPC1IlS; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XjNVV2sMKz1xxN for ; Tue, 5 Nov 2024 20:35:30 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 6B72F3D1F2D for ; Tue, 5 Nov 2024 10:35:28 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 6876C3D1BF4 for ; Tue, 5 Nov 2024 10:34:32 +0100 (CET) Authentication-Results: in-6.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:1; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2a07:de40:b251:101:10:150:64:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id DB65C142AA6F for ; Tue, 5 Nov 2024 10:34:30 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 5DBD121CB5 for ; Tue, 5 Nov 2024 09:34:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3rX+3FX6p2L5EzNTS6LcQE2s063+JhhP78mdN+sxQdw=; b=r33KN/RUjJYVecREvYxC9+Sy9t5maVs6hsE+e9YQmvMzczI8iKmy1DlTJia99KKgWFR14+ iHbSgY5X98JhxVJ8w5AqpWJS2L5FhLwGIA4ApeakUtXaqJ2R4+Jw1i/rcEncAIZ4bg8UXM ffud+6eEVqj7zIehqfnRZe3bJDdEZAk= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3rX+3FX6p2L5EzNTS6LcQE2s063+JhhP78mdN+sxQdw=; b=eDPC1IlSMeyOUIJSvJenOdClmslWK4BpRN0v54YBknlz+SNLnjtNNj0O69Q6QgCzCAW6c/ 8ro1AkMaGtQBVwCw== Authentication-Results: smtp-out1.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b="r33KN/RU"; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=eDPC1IlS DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3rX+3FX6p2L5EzNTS6LcQE2s063+JhhP78mdN+sxQdw=; b=r33KN/RUjJYVecREvYxC9+Sy9t5maVs6hsE+e9YQmvMzczI8iKmy1DlTJia99KKgWFR14+ iHbSgY5X98JhxVJ8w5AqpWJS2L5FhLwGIA4ApeakUtXaqJ2R4+Jw1i/rcEncAIZ4bg8UXM ffud+6eEVqj7zIehqfnRZe3bJDdEZAk= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3rX+3FX6p2L5EzNTS6LcQE2s063+JhhP78mdN+sxQdw=; b=eDPC1IlSMeyOUIJSvJenOdClmslWK4BpRN0v54YBknlz+SNLnjtNNj0O69Q6QgCzCAW6c/ 8ro1AkMaGtQBVwCw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 260731394A for ; Tue, 5 Nov 2024 09:34:29 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id qETeAqXmKWeAPwAAD6G6ig (envelope-from ) for ; Tue, 05 Nov 2024 09:34:29 +0000 From: Andrea Cervesato Date: Tue, 05 Nov 2024 10:34:27 +0100 MIME-Version: 1.0 Message-Id: <20241105-landlock_network-v2-3-d58791487919@suse.com> References: <20241105-landlock_network-v2-0-d58791487919@suse.com> In-Reply-To: <20241105-landlock_network-v2-0-d58791487919@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730799267; l=7307; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=APGj9KTDQlhJDDDUwl/LYRNryenyerCOFoNPbAoi62E=; b=AoBGhUg2MydKfgl+OP/11uvf6Awsqf5jdzlz0KHcZNbFnUD0uwXFbJZz9xnOtbNXrr5aixO/j kTvGFNtJT5BCW02b3NZscc0Cewnlfk7hpR0wtvUNo2OSy+/v8VBQRzC X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: 5DBD121CB5 X-Spam-Score: -4.51 X-Rspamd-Action: no action X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_TRACE(0.00)[suse.de:+]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; TO_DN_NONE(0.00)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; PREVIOUSLY_DELIVERED(0.00)[ltp@lists.linux.it]; RCVD_VIA_SMTP_AUTH(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:mid, suse.com:email, suse.de:dkim, imap1.dmz-prg2.suse.org:rdns, imap1.dmz-prg2.suse.org:helo] X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 3/4] Add landlock08 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6 protocols. In particular, check that bind() is assigning the address only on the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that connect() is connecting only to a specific TCP port enforced by LANDLOCK_ACCESS_NET_CONNECT_TCP. Signed-off-by: Andrea Cervesato Reviewed-by: Cyril Hrubis --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock08.c | 208 ++++++++++++++++++++++++ 3 files changed, 210 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 7dc308fa88486b9ace80ef0d906201dd407dcf3e..5fd62617df1a116b1d94c57ff30f74693320a2ab 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -708,6 +708,7 @@ landlock04 landlock04 landlock05 landlock05 landlock06 landlock06 landlock07 landlock07 +landlock08 landlock08 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index db11bff2fe245d462e5b7e5691a9eb2ee2305aab..fc7317394948c4ac20cd14c3cd7ba7a47282b2bf 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -6,3 +6,4 @@ landlock04 landlock05 landlock06 landlock07 +landlock08 diff --git a/testcases/kernel/syscalls/landlock/landlock08.c b/testcases/kernel/syscalls/landlock/landlock08.c new file mode 100644 index 0000000000000000000000000000000000000000..7bc3f0f8d81730659a66c268fdad1981ae90aea6 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock08.c @@ -0,0 +1,208 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6 + * protocols. In particular, check that bind() is assigning the address only on + * the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that + * connect() is connecting only to a specific TCP port enforced by + * LANDLOCK_ACCESS_NET_CONNECT_TCP. + * + * [Algorithm] + * + * Repeat the following procedure for IPV4 and IPV6: + * + * - create a socket on PORT1, bind() it and check if it passes + * - enforce the current sandbox with LANDLOCK_ACCESS_NET_BIND_TCP on PORT1 + * - create a socket on PORT1, bind() it and check if it passes + * - create a socket on PORT2, bind() it and check if it fails + * + * - create a server listening on PORT1 + * - create a socket on PORT1, connect() to it and check if it passes + * - enforce the current sandbox with LANDLOCK_ACCESS_NET_CONNECT_TCP on PORT1 + * - create a socket on PORT1, connect() to it and check if it passes + * - create a socket on PORT2, connect() to it and check if it fails + */ + +#include "landlock_common.h" + +#define ADDRESS_PORT 0x7c90 + +static int variants[] = { + AF_INET, + AF_INET6, +}; + +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr; +static struct landlock_net_port_attr *net_port_attr; +static in_port_t *server_port; + +static void create_server(const int addr_family) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, 0); + getsocket_addr(&socket, addr_family, &addr); + + SAFE_BIND(socket.fd, addr, socket.address_size); + SAFE_LISTEN(socket.fd, 1); + + *server_port = getsocket_port(&socket, addr_family); + + tst_res(TDEBUG, "Server listening on port %u", *server_port); + + TST_CHECKPOINT_WAKE_AND_WAIT(0); + + SAFE_CLOSE(socket.fd); +} + +static void test_bind(const int addr_family, const in_port_t port, + const int exp_err) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, port); + getsocket_addr(&socket, addr_family, &addr); + + if (exp_err) { + TST_EXP_FAIL( + bind(socket.fd, addr, socket.address_size), + exp_err, "bind() access on port %u", port); + } else { + TST_EXP_PASS( + bind(socket.fd, addr, socket.address_size), + "bind() access on port %u", port); + } + + SAFE_CLOSE(socket.fd); +} + +static void test_connect(const int addr_family, const in_port_t port, + const int exp_err) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, port); + getsocket_addr(&socket, addr_family, &addr); + + if (exp_err) { + TST_EXP_FAIL( + connect(socket.fd, addr, socket.address_size), + exp_err, "connect() on port %u", port); + } else { + TST_EXP_PASS( + connect(socket.fd, addr, socket.address_size), + "connect() on port %u", port); + } + + SAFE_CLOSE(socket.fd); +} + +static void run(void) +{ + int addr_family = variants[tst_variant]; + + tst_res(TINFO, "Using %s protocol", + addr_family == AF_INET ? "IPV4" : "IPV6"); + + if (!SAFE_FORK()) { + create_server(addr_family); + exit(0); + } + + TST_CHECKPOINT_WAIT(0); + + /* verify bind() syscall accessibility */ + if (!SAFE_FORK()) { + ruleset_attr->handled_access_net = + LANDLOCK_ACCESS_NET_BIND_TCP; + + test_bind(addr_family, ADDRESS_PORT, 0); + + tst_res(TINFO, "Enable bind() access only for port %u", + ADDRESS_PORT); + + apply_landlock_net_layer( + ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi4), + net_port_attr, + ADDRESS_PORT, + LANDLOCK_ACCESS_NET_BIND_TCP); + + test_bind(addr_family, ADDRESS_PORT, 0); + test_bind(addr_family, ADDRESS_PORT + 0x80, EACCES); + + exit(0); + } + + /* verify connect() syscall accessibility */ + if (!SAFE_FORK()) { + ruleset_attr->handled_access_net = + LANDLOCK_ACCESS_NET_CONNECT_TCP; + + test_connect(addr_family, *server_port, 0); + + tst_res(TINFO, "Enable connect() access only on port %u", + *server_port); + + apply_landlock_net_layer( + ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi4), + net_port_attr, + *server_port, + LANDLOCK_ACCESS_NET_CONNECT_TCP); + + test_connect(addr_family, *server_port, 0); + test_connect(addr_family, *server_port + 0x80, EACCES); + + TST_CHECKPOINT_WAKE(0); + + exit(0); + } +} + +static void setup(void) +{ + if (verify_landlock_is_enabled() < 4) + tst_brk(TCONF, "Landlock network is not supported"); + + server_port = SAFE_MMAP(NULL, sizeof(in_port_t), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); +} + +static void cleanup(void) +{ + if (server_port) + SAFE_MUNMAP(server_port, sizeof(in_port_t)); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .needs_root = 1, + .needs_checkpoints = 1, + .forks_child = 1, + .test_variants = ARRAY_SIZE(variants), + .bufs = (struct tst_buffers[]) { + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)}, + {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_NET_BIND_SERVICE), + {} + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_INET=y", + NULL + }, +}; From patchwork Tue Nov 5 09:34:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2006776 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=A+FSlhO0; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=AIlpAkm8; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=A+FSlhO0; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=AIlpAkm8; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XjNTp6M4tz1xyM for ; Tue, 5 Nov 2024 20:34:54 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id DDC2A3D1F40 for ; Tue, 5 Nov 2024 10:34:52 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [IPv6:2001:4b78:1:20::4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 2B41B3D1F0F for ; Tue, 5 Nov 2024 10:34:32 +0100 (CET) Authentication-Results: in-4.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.130; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 3219B11E49D3 for ; Tue, 5 Nov 2024 10:34:31 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id C5EBF21CE6 for ; Tue, 5 Nov 2024 09:34:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xYQUxFzPNXm+U3UFeLFZgxpRVzy00XD0Xvy/mjTn9UU=; b=A+FSlhO00QVWxfLSJmytgfbWvlTdiSdP6yv44C0GykdaOJovZDHkdd2Dd6v8hidy0z2Z3O dgtBXg84BMg6feJ9BpuLaZv9b3bkC9vV9xoRrA7Y79O0JSz+OMPhi/M3nkOLKtBM2e1LoX e6G8K+B35nYy16S2+W1jSyhFM3kg1SE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xYQUxFzPNXm+U3UFeLFZgxpRVzy00XD0Xvy/mjTn9UU=; b=AIlpAkm8ldIfaEkW4niyWKFpQD2GiPmHryjZW1Yb07m8havN2JEIMyrZUGaq6Bv18E5y1j LNukqew0R0Lr3fBA== Authentication-Results: smtp-out1.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=A+FSlhO0; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=AIlpAkm8 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xYQUxFzPNXm+U3UFeLFZgxpRVzy00XD0Xvy/mjTn9UU=; b=A+FSlhO00QVWxfLSJmytgfbWvlTdiSdP6yv44C0GykdaOJovZDHkdd2Dd6v8hidy0z2Z3O dgtBXg84BMg6feJ9BpuLaZv9b3bkC9vV9xoRrA7Y79O0JSz+OMPhi/M3nkOLKtBM2e1LoX e6G8K+B35nYy16S2+W1jSyhFM3kg1SE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730799269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xYQUxFzPNXm+U3UFeLFZgxpRVzy00XD0Xvy/mjTn9UU=; b=AIlpAkm8ldIfaEkW4niyWKFpQD2GiPmHryjZW1Yb07m8havN2JEIMyrZUGaq6Bv18E5y1j LNukqew0R0Lr3fBA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 8F7651394A for ; Tue, 5 Nov 2024 09:34:29 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id qM1YGKXmKWeAPwAAD6G6ig (envelope-from ) for ; Tue, 05 Nov 2024 09:34:29 +0000 From: Andrea Cervesato Date: Tue, 05 Nov 2024 10:34:28 +0100 MIME-Version: 1.0 Message-Id: <20241105-landlock_network-v2-4-d58791487919@suse.com> References: <20241105-landlock_network-v2-0-d58791487919@suse.com> In-Reply-To: <20241105-landlock_network-v2-0-d58791487919@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730799267; l=5623; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=N2vJqOuSsOM8voWJqH/WPlb8Qs5LvIFvaQ2Aafq7bd0=; b=bmgFGgHsm4tZdey9vNJP+ObUp90mKVT3ivGHqkR2QH2QEEvjNuiPYHYeilxVCDAqHn5UlOUyz tR3Dx2UsG0WA2MCBOAygPSnn1eMMXuXQCtl/V6QVxyxiCm15Ml9wlaR X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: C5EBF21CE6 X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_TLS_ALL(0.00)[]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,suse.com:mid,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.de:dkim]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[ltp@lists.linux.it]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -4.51 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-4.smtp.seeweb.it Subject: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Add two more errors checks inside the landlock02 which is testing landlock_add_rule syscall. In particular, test now verifies when the syscall is raising EINVAL due to invalid network attributes. Signed-off-by: Andrea Cervesato Reviewed-by: Cyril Hrubis --- testcases/kernel/syscalls/landlock/landlock02.c | 94 +++++++++++++++++++------ 1 file changed, 74 insertions(+), 20 deletions(-) diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c index 8566d407f6d17ab367695125f07d0a80cf4130e5..dbc405a8a01ac58e0d22f952f57bd603c62ab8be 100644 --- a/testcases/kernel/syscalls/landlock/landlock02.c +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -20,93 +20,146 @@ #include "landlock_common.h" -static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static struct landlock_path_beneath_attr *rule_null; +static struct landlock_net_port_attr *net_port_attr; static int ruleset_fd; static int invalid_fd = -1; +static int abi_current; static struct tcase { int *fd; - enum landlock_rule_type rule_type; - struct landlock_path_beneath_attr **attr; + int rule_type; + struct landlock_path_beneath_attr **path_attr; + struct landlock_net_port_attr **net_attr; int access; int parent_fd; + int net_port; uint32_t flags; int exp_errno; + int abi_ver; char *msg; } tcases[] = { { .fd = &ruleset_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, + .net_attr = NULL, .access = LANDLOCK_ACCESS_FS_EXECUTE, .flags = 1, .exp_errno = EINVAL, + .abi_ver = 1, .msg = "Invalid flags" }, { .fd = &ruleset_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, + .net_attr = NULL, .access = LANDLOCK_ACCESS_FS_EXECUTE, .exp_errno = EINVAL, + .abi_ver = 1, .msg = "Invalid rule type" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, + .net_attr = NULL, .exp_errno = ENOMSG, + .abi_ver = 1, .msg = "Empty accesses" }, { .fd = &invalid_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, + .net_attr = NULL, .access = LANDLOCK_ACCESS_FS_EXECUTE, .exp_errno = EBADF, + .abi_ver = 1, .msg = "Invalid file descriptor" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, + .net_attr = NULL, .access = LANDLOCK_ACCESS_FS_EXECUTE, .parent_fd = -1, .exp_errno = EBADF, + .abi_ver = 1, .msg = "Invalid parent fd" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &rule_null, + .path_attr = &rule_null, + .net_attr = NULL, .exp_errno = EFAULT, + .abi_ver = 1, .msg = "Invalid rule attr" }, + { + .fd = &ruleset_fd, + .rule_type = LANDLOCK_RULE_NET_PORT, + .path_attr = NULL, + .net_attr = &net_port_attr, + .access = LANDLOCK_ACCESS_FS_EXECUTE, + .net_port = 448, + .exp_errno = EINVAL, + .abi_ver = 4, + .msg = "Invalid access rule for network type" + }, + { + .fd = &ruleset_fd, + .rule_type = LANDLOCK_RULE_NET_PORT, + .path_attr = NULL, + .net_attr = &net_port_attr, + .access = LANDLOCK_ACCESS_NET_BIND_TCP, + .net_port = INT16_MAX + 1, + .exp_errno = EINVAL, + .abi_ver = 4, + .msg = "Socket port greater than 65535" + }, }; static void run(unsigned int n) { struct tcase *tc = &tcases[n]; - if (*tc->attr) { - (*tc->attr)->allowed_access = tc->access; - (*tc->attr)->parent_fd = tc->parent_fd; + if (tc->abi_ver > abi_current) { + tst_res(TCONF, "Minimum ABI required: %d", tc->abi_ver); + return; } - TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, - *tc->fd, tc->rule_type, *tc->attr, tc->flags), - tc->exp_errno, - "%s", - tc->msg); + if (tc->path_attr) { + if (*tc->path_attr) { + (*tc->path_attr)->allowed_access = tc->access; + (*tc->path_attr)->parent_fd = tc->parent_fd; + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, + *tc->fd, tc->rule_type, *tc->path_attr, tc->flags), + tc->exp_errno, "%s", tc->msg); + } else if (tc->net_attr) { + if (*tc->net_attr) { + (*tc->net_attr)->allowed_access = tc->access; + (*tc->net_attr)->port = tc->net_port; + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, + *tc->fd, tc->rule_type, *tc->net_attr, tc->flags), + tc->exp_errno, "%s", tc->msg); + } } static void setup(void) { - verify_landlock_is_enabled(); + abi_current = verify_landlock_is_enabled(); ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0)); } static void cleanup(void) @@ -122,8 +175,9 @@ static struct tst_test test = { .cleanup = cleanup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)}, {}, }, .caps = (struct tst_cap []) {