From patchwork Wed Nov 6 11:13:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2007413 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=e7p1hJ+s; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=Qxvef5hR; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=e7p1hJ+s; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=Qxvef5hR; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Xk2fJ0tRWz1xyD for ; Wed, 6 Nov 2024 22:14:32 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id C5F783D3199 for ; Wed, 6 Nov 2024 12:14:29 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [IPv6:2001:4b78:1:20::6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id B83173CBEF3 for ; Wed, 6 Nov 2024 12:13:29 +0100 (CET) Authentication-Results: in-6.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id DF2C31400970 for ; Wed, 6 Nov 2024 12:13:27 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 612ED1F8B0; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O72kbPdLiwZtHo/s+2hSrT2JpLy8B7LkWEq0kfv+xeQ=; b=e7p1hJ+sRl/yDvWJmNUj6+quMIsWAQlWwbFVNLkgHqxifdY5j68O9n+1+PiJNaBlnO26M6 eaJt0y6u1HGOvKpuYleK1uWw9RcvTXH/HhjfiCJEU49WR0cOr4m/yNcRfJWphWHrnHYtyM DS6djrq2ZHNIii3HZG5DgWJe6Zs1I5Q= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O72kbPdLiwZtHo/s+2hSrT2JpLy8B7LkWEq0kfv+xeQ=; b=Qxvef5hRHOtaMDl926xxnRplhFQCF/EWCEOYYtlIhBVgqnTRBYpLtNyaZme0TmMzIDxO7w dIlt+m5KpZJYNdBQ== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O72kbPdLiwZtHo/s+2hSrT2JpLy8B7LkWEq0kfv+xeQ=; b=e7p1hJ+sRl/yDvWJmNUj6+quMIsWAQlWwbFVNLkgHqxifdY5j68O9n+1+PiJNaBlnO26M6 eaJt0y6u1HGOvKpuYleK1uWw9RcvTXH/HhjfiCJEU49WR0cOr4m/yNcRfJWphWHrnHYtyM DS6djrq2ZHNIii3HZG5DgWJe6Zs1I5Q= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O72kbPdLiwZtHo/s+2hSrT2JpLy8B7LkWEq0kfv+xeQ=; b=Qxvef5hRHOtaMDl926xxnRplhFQCF/EWCEOYYtlIhBVgqnTRBYpLtNyaZme0TmMzIDxO7w dIlt+m5KpZJYNdBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 32D2613980; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id iLF6CldPK2eFdQAAD6G6ig (envelope-from ); Wed, 06 Nov 2024 11:13:27 +0000 From: Andrea Cervesato Date: Wed, 06 Nov 2024 12:13:15 +0100 MIME-Version: 1.0 Message-Id: <20241106-landlock_network-v3-1-855b14df63c6@suse.com> References: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> In-Reply-To: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730891606; l=17668; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=DE/oUnbOZCszwO2AhnSP4/1zCNR53BqfHktVdDfCCTE=; b=WH8TyuU0UX7u3QBQxr6S2hkAq3R2lsKD645a7t1h0Qd1rqOQdst446FNrVtb/eyPKRUvfgTSX x3ZAqprMUxmDWWwg6XE09ZG0eq7GVVQIp0EwCrpsoWV3+SoIu5Z8ypt X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Spam-Score: -4.30 X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:mid, suse.com:email, suse.cz:email, imap1.dmz-prg2.suse.org:helo] X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 1/4] Fallback landlock network support X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Landlock network support has been added in the ABI v4, adding features for bind() and connect() syscalls. It also defined one more member in the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to build landlock testing suite. For this reason, we introduce tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4 ruleset_attr definitions. Reviewed-by: Cyril Hrubis Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- configure.ac | 5 ++-- include/lapi/capability.h | 4 ++++ include/lapi/landlock.h | 28 ++++++++++++---------- testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++-------- testcases/kernel/syscalls/landlock/landlock02.c | 8 +++---- testcases/kernel/syscalls/landlock/landlock03.c | 6 ++--- testcases/kernel/syscalls/landlock/landlock04.c | 6 ++--- testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++---- testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++------- testcases/kernel/syscalls/landlock/landlock07.c | 6 ++--- .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------ 11 files changed, 53 insertions(+), 61 deletions(-) diff --git a/configure.ac b/configure.ac index cd1233d19fad376973fc880d6689859845613fb0..6992d75ca300ccc4cc21a45a916f6b3be1a3b8fe 100644 --- a/configure.ac +++ b/configure.ac @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS], AC_PREFIX_DEFAULT(/opt/ltp) AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include ]) +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include ]) +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include ]) AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include ]) AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include ]) AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include ]) @@ -158,7 +160,6 @@ AC_CHECK_FUNCS_ONCE([ \ AC_CHECK_FUNCS(mkdtemp,[],AC_MSG_ERROR(mkdtemp() not found!)) AC_CHECK_MEMBERS([struct fanotify_event_info_fid.fsid.__val],,,[#include ]) -AC_CHECK_MEMBERS([struct landlock_ruleset_attr.handled_access_net],,,[#include ]) AC_CHECK_MEMBERS([struct perf_event_mmap_page.aux_head],,,[#include ]) AC_CHECK_MEMBERS([struct sigaction.sa_sigaction],[],[],[#include ]) AC_CHECK_MEMBERS([struct statx.stx_mnt_id, struct statx.stx_dio_mem_align],,,[ @@ -172,7 +173,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[ ]) AC_CHECK_TYPES([enum kcmp_type],,,[#include ]) -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include ]) AC_CHECK_TYPES([struct acct_v3],,,[#include ]) AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include ]) AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error, @@ -194,7 +194,6 @@ AC_CHECK_TYPES([struct if_nextdqblk],,,[#include ]) AC_CHECK_TYPES([struct iovec],,,[#include ]) AC_CHECK_TYPES([struct ipc64_perm],,,[#include ]) AC_CHECK_TYPES([struct loop_config],,,[#include ]) -AC_CHECK_TYPES([struct landlock_ruleset_attr],,,[#include ]) AC_CHECK_TYPES([struct landlock_path_beneath_attr],,,[#include ]) AC_CHECK_TYPES([struct landlock_net_port_attr],,,[#include ]) diff --git a/include/lapi/capability.h b/include/lapi/capability.h index 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0 100644 --- a/include/lapi/capability.h +++ b/include/lapi/capability.h @@ -20,6 +20,10 @@ # endif #endif +#ifndef CAP_NET_BIND_SERVICE +# define CAP_NET_BIND_SERVICE 10 +#endif + #ifndef CAP_NET_RAW # define CAP_NET_RAW 13 #endif diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h index 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec 100644 --- a/include/lapi/landlock.h +++ b/include/lapi/landlock.h @@ -7,6 +7,7 @@ #define LAPI_LANDLOCK_H__ #include "config.h" +#include #ifdef HAVE_LINUX_LANDLOCK_H # include @@ -14,13 +15,16 @@ #include "lapi/syscalls.h" -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR -struct landlock_ruleset_attr +struct tst_landlock_ruleset_attr_abi1 +{ + uint64_t handled_access_fs; +}; + +struct tst_landlock_ruleset_attr_abi4 { uint64_t handled_access_fs; uint64_t handled_access_net; }; -#endif #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR struct landlock_path_beneath_attr @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr } __attribute__((packed)); #endif -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE -enum landlock_rule_type -{ - LANDLOCK_RULE_PATH_BENEATH = 1, - LANDLOCK_RULE_NET_PORT, -}; +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH +# define LANDLOCK_RULE_PATH_BENEATH 1 +#endif + +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT +# define LANDLOCK_RULE_NET_PORT 2 #endif #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR @@ -123,8 +127,7 @@ struct landlock_net_port_attr #endif static inline int safe_landlock_create_ruleset(const char *file, const int lineno, - const struct landlock_ruleset_attr *attr, - size_t size , uint32_t flags) + const void *attr, size_t size , uint32_t flags) { int rval; @@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen } static inline int safe_landlock_add_rule(const char *file, const int lineno, - int ruleset_fd, enum landlock_rule_type rule_type, - const void *rule_attr, uint32_t flags) + int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags) { int rval; diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c index 083685c64fa6d1c0caab887ee03594ea1426f62f..d0d68c8e4d905b8991527cc0c225d747601919a4 100644 --- a/testcases/kernel/syscalls/landlock/landlock01.c +++ b/testcases/kernel/syscalls/landlock/landlock01.c @@ -17,14 +17,14 @@ #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; -static struct landlock_ruleset_attr *null_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *null_attr; static size_t rule_size; static size_t rule_small_size; static size_t rule_big_size; static struct tcase { - struct landlock_ruleset_attr **attr; + struct tst_landlock_ruleset_attr_abi1 **attr; uint64_t access_fs; size_t *size; uint32_t flags; @@ -60,13 +60,8 @@ static void setup(void) { verify_landlock_is_enabled(); - rule_size = sizeof(struct landlock_ruleset_attr); - -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET - rule_small_size = rule_size - sizeof(uint64_t) - 1; -#else + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi1); rule_small_size = rule_size - 1; -#endif rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1; } @@ -77,7 +72,7 @@ static struct tst_test test = { .setup = setup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c index 1a3df69c9cc3eda98e28cfbfd1e12c57e26d0128..8566d407f6d17ab367695125f07d0a80cf4130e5 100644 --- a/testcases/kernel/syscalls/landlock/landlock02.c +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -20,7 +20,7 @@ #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static struct landlock_path_beneath_attr *rule_null; static int ruleset_fd; @@ -93,7 +93,7 @@ static void run(unsigned int n) } TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, - *tc->fd, tc->rule_type, *tc->attr, tc->flags), + *tc->fd, tc->rule_type, *tc->attr, tc->flags), tc->exp_errno, "%s", tc->msg); @@ -106,7 +106,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); } static void cleanup(void) @@ -122,7 +122,7 @@ static struct tst_test test = { .cleanup = cleanup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c index 224482255b287cef64f579b5707a92a6b5908f8b..150c8cc4e50ee1b41af3c8c01771c51a8715746f 100644 --- a/testcases/kernel/syscalls/landlock/landlock03.c +++ b/testcases/kernel/syscalls/landlock/landlock03.c @@ -21,7 +21,7 @@ #define MAX_STACKED_RULESETS 16 -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static int ruleset_fd = -1; static int ruleset_invalid = -1; static int file_fd = -1; @@ -89,7 +89,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777); } @@ -112,7 +112,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c index e9dedd45091ecd15cdce2fa7227bbfceb14abb5e..2485591e2196072f81708fc10cebd382e536e2a9 100644 --- a/testcases/kernel/syscalls/landlock/landlock04.c +++ b/testcases/kernel/syscalls/landlock/landlock04.c @@ -15,7 +15,7 @@ #include "landlock_tester.h" #include "tst_safe_stdio.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static int ruleset_fd = -1; @@ -153,7 +153,7 @@ static void setup(void) ruleset_attr->handled_access_fs = tester_get_all_fs_rules(); ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0); /* since our binary is dynamically linked, we need to enable dependences * to be read and executed @@ -192,7 +192,7 @@ static struct tst_test test = { NULL, }, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c index 703f7d81c336907f360acbe45b42720dc12bac23..3d5048f0ab51b2d7c3eedc82ef80c04935ac5d86 100644 --- a/testcases/kernel/syscalls/landlock/landlock05.c +++ b/testcases/kernel/syscalls/landlock/landlock05.c @@ -28,7 +28,7 @@ #define FILENAME2 DIR2"/file" #define FILENAME3 DIR3"/file" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static void run(void) @@ -68,15 +68,15 @@ static void setup(void) LANDLOCK_ACCESS_FS_REFER; ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0); - apply_landlock_rule( + apply_landlock_fs_rule( path_beneath_attr, ruleset_fd, LANDLOCK_ACCESS_FS_REFER, DIR1); - apply_landlock_rule( + apply_landlock_fs_rule( path_beneath_attr, ruleset_fd, LANDLOCK_ACCESS_FS_REFER, @@ -93,7 +93,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c index 1a6e59241557db23b23beabf9863a9c51353757a..74237d11657054985f06431467fbb161ded0c1b6 100644 --- a/testcases/kernel/syscalls/landlock/landlock06.c +++ b/testcases/kernel/syscalls/landlock/landlock06.c @@ -18,7 +18,7 @@ #define MNTPOINT "sandbox" #define FILENAME MNTPOINT"/fifo" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static struct landlock_path_beneath_attr *path_beneath_attr; static int file_fd = -1; static int dev_fd = -1; @@ -42,8 +42,6 @@ static void run(void) static void setup(void) { - int ruleset_fd; - if (verify_landlock_is_enabled() < 5) tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not supported"); @@ -56,17 +54,13 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); - - apply_landlock_layer( + apply_landlock_fs_layer( ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi1), path_beneath_attr, MNTPOINT, LANDLOCK_ACCESS_FS_IOCTL_DEV ); - - SAFE_CLOSE(ruleset_fd); } static void cleanup(void) @@ -85,7 +79,7 @@ static struct tst_test test = { .needs_root = 1, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, {}, }, diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c index 6115ad53876209051952873679eb96014b4dd805..8ee614856312d55e573e18f88a6690b50497ee8b 100644 --- a/testcases/kernel/syscalls/landlock/landlock07.c +++ b/testcases/kernel/syscalls/landlock/landlock07.c @@ -25,7 +25,7 @@ #include "lapi/prctl.h" #include "landlock_common.h" -static struct landlock_ruleset_attr *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; static int ruleset_fd; static pid_t spawn_houdini(void) @@ -77,7 +77,7 @@ static void setup(void) ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE; ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( ruleset_attr, - sizeof(struct landlock_ruleset_attr), + sizeof(struct tst_landlock_ruleset_attr_abi1), 0); } @@ -93,7 +93,7 @@ static struct tst_test test = { .cleanup = cleanup, .forks_child = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, {}, }, .caps = (struct tst_cap []) { diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h index da91daeab7b3def7184f611a90273419e4cfa6f2..f3096f4bf15f155f2a00b39c461d0805a76306e5 100644 --- a/testcases/kernel/syscalls/landlock/landlock_common.h +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void) return abi; } -static inline void apply_landlock_rule( +static inline void apply_landlock_fs_rule( struct landlock_path_beneath_attr *path_beneath_attr, const int ruleset_fd, const int access, @@ -57,21 +57,19 @@ static inline void enforce_ruleset(const int ruleset_fd) SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); } -static inline void apply_landlock_layer( - struct landlock_ruleset_attr *ruleset_attr, +static inline void apply_landlock_fs_layer( + void *ruleset_attr, size_t attr_size, struct landlock_path_beneath_attr *path_beneath_attr, const char *path, const int access) { int ruleset_fd; - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0); - apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path); + apply_landlock_fs_rule(path_beneath_attr, ruleset_fd, access, path); enforce_ruleset(ruleset_fd); SAFE_CLOSE(ruleset_fd); } - #endif /* LANDLOCK_COMMON_H__ */ From patchwork Wed Nov 6 11:13:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2007415 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=o3qpfsGe; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=EKrdN5Xm; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=o3qpfsGe; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=EKrdN5Xm; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Xk2fd5tfFz1xyD for ; Wed, 6 Nov 2024 22:14:49 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id DF7433D319F for ; Wed, 6 Nov 2024 12:14:47 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-2.smtp.seeweb.it (in-2.smtp.seeweb.it [IPv6:2001:4b78:1:20::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 769453D3190 for ; Wed, 6 Nov 2024 12:13:29 +0100 (CET) Authentication-Results: in-2.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-2.smtp.seeweb.it (Postfix) with ESMTPS id 2824A600655 for ; Wed, 6 Nov 2024 12:13:28 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 85E251FE8A; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2QJQau/TM4m/+ORGFQrJncoEtP2E44r4lKgwLy5Omu8=; b=o3qpfsGezQ+PKqm7UTNdPNLCldQP9u8bXKq6mDR8NdLU2rWZEM/d/NkFhPibxW7uJvv5oL 917ATfZ27HuFqVuLP1RQx8KziAP112MV2RNZIlBkzU+0/tesCAI6LcMijeBzKcBZLQ5XWS Q1QerTPJwwH7RSDCvKyR8koK8jZI0+I= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2QJQau/TM4m/+ORGFQrJncoEtP2E44r4lKgwLy5Omu8=; b=EKrdN5XmqS5rnejEXWXiZ/5slREHmxtHzN+BngCNrHMPbra3P+D48gn5IJwiR6gA/JuGFA luEL+cQh7BMIh9BA== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=o3qpfsGe; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=EKrdN5Xm DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2QJQau/TM4m/+ORGFQrJncoEtP2E44r4lKgwLy5Omu8=; b=o3qpfsGezQ+PKqm7UTNdPNLCldQP9u8bXKq6mDR8NdLU2rWZEM/d/NkFhPibxW7uJvv5oL 917ATfZ27HuFqVuLP1RQx8KziAP112MV2RNZIlBkzU+0/tesCAI6LcMijeBzKcBZLQ5XWS Q1QerTPJwwH7RSDCvKyR8koK8jZI0+I= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2QJQau/TM4m/+ORGFQrJncoEtP2E44r4lKgwLy5Omu8=; b=EKrdN5XmqS5rnejEXWXiZ/5slREHmxtHzN+BngCNrHMPbra3P+D48gn5IJwiR6gA/JuGFA luEL+cQh7BMIh9BA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 69BD713736; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id sHf3F1dPK2eFdQAAD6G6ig (envelope-from ); Wed, 06 Nov 2024 11:13:27 +0000 From: Andrea Cervesato Date: Wed, 06 Nov 2024 12:13:16 +0100 MIME-Version: 1.0 Message-Id: <20241106-landlock_network-v3-2-855b14df63c6@suse.com> References: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> In-Reply-To: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730891606; l=4235; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=OJVBsNaJYZRKh/gYhLqXjVqgKGcCoRhfHUO4iqG4Jz8=; b=8y/auIeLhVGENlZLjSYgVhu4ns6crNBMmCDom1dS7vNIf8Wz7HV5J9rBYeDnGQKS37iH1Z1DZ mFQPXqk48hHB2/fp5MM8pQdgdLRbH0N+Y+jyaLTO6IHefarsdHzpv3L X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: 85E251FE8A X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.cz:email,suse.com:email,suse.com:mid,suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -4.51 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-2.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-2.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 2/4] Network helpers in landlock suite common functions X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Landlock suite helpers functions don't support network features. This patch adds apply_landlock_net_layer() helper that can be used to apply a network landlock rule in the current sandbox. Reviewed-by: Cyril Hrubis Signed-off-by: Andrea Cervesato --- .../kernel/syscalls/landlock/landlock_common.h | 124 +++++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h index f3096f4bf15f155f2a00b39c461d0805a76306e5..4aa11b7d2ad46915cd1ce1592bdaa2fb6ad77628 100644 --- a/testcases/kernel/syscalls/landlock/landlock_common.h +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -11,6 +11,16 @@ #include "lapi/fcntl.h" #include "lapi/landlock.h" +#define IPV4_LOCALHOST "127.0.0.1" +#define IPV6_LOCALHOST "::1" + +struct socket_data { + struct sockaddr_in addr_ipv4; + struct sockaddr_in6 addr_ipv6; + size_t address_size; + int fd; +}; + static inline int verify_landlock_is_enabled(void) { int abi; @@ -51,6 +61,22 @@ static inline void apply_landlock_fs_rule( SAFE_CLOSE(path_beneath_attr->parent_fd); } +static inline void apply_landlock_net_rule( + struct landlock_net_port_attr *net_attr, + const int ruleset_fd, + const uint64_t port, + const uint64_t access) +{ + net_attr->port = port; + net_attr->allowed_access = access; + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_NET_PORT, + net_attr, + 0); +} + static inline void enforce_ruleset(const int ruleset_fd) { SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); @@ -72,4 +98,102 @@ static inline void apply_landlock_fs_layer( SAFE_CLOSE(ruleset_fd); } + +static inline void apply_landlock_net_layer( + void *ruleset_attr, size_t attr_size, + struct landlock_net_port_attr *net_port_attr, + const in_port_t port, + const uint64_t access) +{ + int ruleset_fd; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0); + + apply_landlock_net_rule(net_port_attr, ruleset_fd, port, access); + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +static inline in_port_t getsocket_port(struct socket_data *socket, + const int addr_family) +{ + struct sockaddr_in addr_ipv4; + struct sockaddr_in6 addr_ipv6; + socklen_t len; + in_port_t port = 0; + + switch (addr_family) { + case AF_INET: + len = sizeof(addr_ipv4); + memset(&addr_ipv4, 0, len); + + SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv4, &len); + port = ntohs(addr_ipv4.sin_port); + break; + case AF_INET6: + len = sizeof(addr_ipv6); + memset(&addr_ipv6, 0, len); + + SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv6, &len); + port = ntohs(addr_ipv6.sin6_port); + break; + default: + tst_brk(TBROK, "Unsupported protocol"); + break; + }; + + return port; +} + +static inline void create_socket(struct socket_data *socket, + const int addr_family, const in_port_t port) +{ + memset(socket, 0, sizeof(struct socket_data)); + + switch (addr_family) { + case AF_INET: + if (!port) { + tst_init_sockaddr_inet_bin(&socket->addr_ipv4, + INADDR_ANY, 0); + } else { + tst_init_sockaddr_inet(&socket->addr_ipv4, + IPV4_LOCALHOST, port); + } + + socket->address_size = sizeof(struct sockaddr_in); + break; + case AF_INET6: + if (!port) { + tst_init_sockaddr_inet6_bin(&socket->addr_ipv6, + &in6addr_any, 0); + } else { + tst_init_sockaddr_inet6(&socket->addr_ipv6, + IPV6_LOCALHOST, port); + } + + socket->address_size = sizeof(struct sockaddr_in6); + break; + default: + tst_brk(TBROK, "Unsupported protocol"); + return; + }; + + socket->fd = SAFE_SOCKET(addr_family, SOCK_STREAM | SOCK_CLOEXEC, 0); +} + +static inline void getsocket_addr(struct socket_data *socket, + const int addr_family, struct sockaddr **addr) +{ + switch (addr_family) { + case AF_INET: + *addr = (struct sockaddr *)&socket->addr_ipv4; + break; + case AF_INET6: + *addr = (struct sockaddr *)&socket->addr_ipv6; + break; + default: + break; + }; +} #endif /* LANDLOCK_COMMON_H__ */ From patchwork Wed Nov 6 11:13:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2007410 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=fvoGpLDp; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=EL0QSHkV; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=fvoGpLDp; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=EL0QSHkV; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Xk2d955ZWz1xyD for ; Wed, 6 Nov 2024 22:13:33 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 6E0123D3192 for ; Wed, 6 Nov 2024 12:13:31 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [IPv6:2001:4b78:1:20::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id C1EE03CBEF3 for ; Wed, 6 Nov 2024 12:13:28 +0100 (CET) Authentication-Results: in-7.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-7.smtp.seeweb.it (Postfix) with ESMTPS id 2941220099F for ; Wed, 6 Nov 2024 12:13:28 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id B82EA1FE90; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fO+RBE6AG/kq88it8LmSqQKqUghDf0V6H1FlIw/nLsk=; b=fvoGpLDp2YxrFyo3h3l/GFfYJOkawd23SLRmMRr0YmoAOF7LZOIKq/mvu/BCPy5p6miOcr HKUwRBCv9aKpAohsAciP9uBANnfPdM+18gwzPJxWGzKiMnxheZuGQ8bKX0KujCdLdktAuU vh2QetOuh4CIIwaaM42FtH1XXxOvJ6k= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fO+RBE6AG/kq88it8LmSqQKqUghDf0V6H1FlIw/nLsk=; b=EL0QSHkVg/h2LfW0/00Hyqkjdal61QGWXItu4zhwYDvwMt44XWf52Ke/rJfTxChoFFC1p7 jqnsjSwjBHje8rBQ== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=fvoGpLDp; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=EL0QSHkV DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fO+RBE6AG/kq88it8LmSqQKqUghDf0V6H1FlIw/nLsk=; b=fvoGpLDp2YxrFyo3h3l/GFfYJOkawd23SLRmMRr0YmoAOF7LZOIKq/mvu/BCPy5p6miOcr HKUwRBCv9aKpAohsAciP9uBANnfPdM+18gwzPJxWGzKiMnxheZuGQ8bKX0KujCdLdktAuU vh2QetOuh4CIIwaaM42FtH1XXxOvJ6k= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fO+RBE6AG/kq88it8LmSqQKqUghDf0V6H1FlIw/nLsk=; b=EL0QSHkVg/h2LfW0/00Hyqkjdal61QGWXItu4zhwYDvwMt44XWf52Ke/rJfTxChoFFC1p7 jqnsjSwjBHje8rBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 909D913980; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id MMV6IVdPK2eFdQAAD6G6ig (envelope-from ); Wed, 06 Nov 2024 11:13:27 +0000 From: Andrea Cervesato Date: Wed, 06 Nov 2024 12:13:17 +0100 MIME-Version: 1.0 Message-Id: <20241106-landlock_network-v3-3-855b14df63c6@suse.com> References: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> In-Reply-To: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730891606; l=7389; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=/mt4+61nujj/CClFGIRoxfEpOJAYYsnCOQzCzTuSAqQ=; b=o0E2KxXSiv/mSe5iGJO5rFWWiEmwtwuEJy39zVM8/w6Nx2z0wCLtMBnnt9+OklIvF9qTk/mzT QwOqgCKR4rbBoFIQXIrL7sqFQ/HFaky0kergOOtmCemLqIqHylfONMz X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: B82EA1FE90 X-Spam-Score: -4.51 X-Rspamd-Action: no action X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.cz:email,suse.com:mid,suse.com:email,suse.de:dkim,imap1.dmz-prg2.suse.org:rdns,imap1.dmz-prg2.suse.org:helo]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-7.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-7.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 3/4] Add landlock08 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6 protocols. In particular, check that bind() is assigning the address only on the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that connect() is connecting only to a specific TCP port enforced by LANDLOCK_ACCESS_NET_CONNECT_TCP. Reviewed-by: Cyril Hrubis Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock08.c | 209 ++++++++++++++++++++++++ 3 files changed, 211 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 7dc308fa88486b9ace80ef0d906201dd407dcf3e..5fd62617df1a116b1d94c57ff30f74693320a2ab 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -708,6 +708,7 @@ landlock04 landlock04 landlock05 landlock05 landlock06 landlock06 landlock07 landlock07 +landlock08 landlock08 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index db11bff2fe245d462e5b7e5691a9eb2ee2305aab..fc7317394948c4ac20cd14c3cd7ba7a47282b2bf 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -6,3 +6,4 @@ landlock04 landlock05 landlock06 landlock07 +landlock08 diff --git a/testcases/kernel/syscalls/landlock/landlock08.c b/testcases/kernel/syscalls/landlock/landlock08.c new file mode 100644 index 0000000000000000000000000000000000000000..c3c320c340355b6b910079c1bf31984dcf2c906b --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock08.c @@ -0,0 +1,209 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6 + * protocols. In particular, check that bind() is assigning the address only on + * the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that + * connect() is connecting only to a specific TCP port enforced by + * LANDLOCK_ACCESS_NET_CONNECT_TCP. + * + * [Algorithm] + * + * Repeat the following procedure for IPV4 and IPV6: + * + * - create a socket on PORT1, bind() it and check if it passes + * - enforce the current sandbox with LANDLOCK_ACCESS_NET_BIND_TCP on PORT1 + * - create a socket on PORT1, bind() it and check if it passes + * - create a socket on PORT2, bind() it and check if it fails + * + * - create a server listening on PORT1 + * - create a socket on PORT1, connect() to it and check if it passes + * - enforce the current sandbox with LANDLOCK_ACCESS_NET_CONNECT_TCP on PORT1 + * - create a socket on PORT1, connect() to it and check if it passes + * - create a socket on PORT2, connect() to it and check if it fails + */ + +#include "landlock_common.h" + +static int variants[] = { + AF_INET, + AF_INET6, +}; + +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr; +static struct landlock_net_port_attr *net_port_attr; +static in_port_t *server_port; +static int addr_port; + +static void create_server(const int addr_family) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, 0); + getsocket_addr(&socket, addr_family, &addr); + + SAFE_BIND(socket.fd, addr, socket.address_size); + SAFE_LISTEN(socket.fd, 1); + + *server_port = getsocket_port(&socket, addr_family); + + tst_res(TDEBUG, "Server listening on port %u", *server_port); + + TST_CHECKPOINT_WAKE_AND_WAIT(0); + + SAFE_CLOSE(socket.fd); +} + +static void test_bind(const int addr_family, const in_port_t port, + const int exp_err) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, port); + getsocket_addr(&socket, addr_family, &addr); + + if (exp_err) { + TST_EXP_FAIL( + bind(socket.fd, addr, socket.address_size), + exp_err, "bind() access on port %u", port); + } else { + TST_EXP_PASS( + bind(socket.fd, addr, socket.address_size), + "bind() access on port %u", port); + } + + SAFE_CLOSE(socket.fd); +} + +static void test_connect(const int addr_family, const in_port_t port, + const int exp_err) +{ + struct socket_data socket; + struct sockaddr *addr = NULL; + + create_socket(&socket, addr_family, port); + getsocket_addr(&socket, addr_family, &addr); + + if (exp_err) { + TST_EXP_FAIL( + connect(socket.fd, addr, socket.address_size), + exp_err, "connect() on port %u", port); + } else { + TST_EXP_PASS( + connect(socket.fd, addr, socket.address_size), + "connect() on port %u", port); + } + + SAFE_CLOSE(socket.fd); +} + +static void run(void) +{ + int addr_family = variants[tst_variant]; + + tst_res(TINFO, "Using %s protocol", + addr_family == AF_INET ? "IPV4" : "IPV6"); + + if (!SAFE_FORK()) { + create_server(addr_family); + exit(0); + } + + TST_CHECKPOINT_WAIT(0); + + /* verify bind() syscall accessibility */ + if (!SAFE_FORK()) { + ruleset_attr->handled_access_net = + LANDLOCK_ACCESS_NET_BIND_TCP; + + test_bind(addr_family, addr_port, 0); + + tst_res(TINFO, "Enable bind() access only for port %u", + addr_port); + + apply_landlock_net_layer( + ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi4), + net_port_attr, + addr_port, + LANDLOCK_ACCESS_NET_BIND_TCP); + + test_bind(addr_family, addr_port, 0); + test_bind(addr_family, addr_port + 0x80, EACCES); + + exit(0); + } + + /* verify connect() syscall accessibility */ + if (!SAFE_FORK()) { + ruleset_attr->handled_access_net = + LANDLOCK_ACCESS_NET_CONNECT_TCP; + + test_connect(addr_family, *server_port, 0); + + tst_res(TINFO, "Enable connect() access only on port %u", + *server_port); + + apply_landlock_net_layer( + ruleset_attr, + sizeof(struct tst_landlock_ruleset_attr_abi4), + net_port_attr, + *server_port, + LANDLOCK_ACCESS_NET_CONNECT_TCP); + + test_connect(addr_family, *server_port, 0); + test_connect(addr_family, *server_port + 0x80, EACCES); + + TST_CHECKPOINT_WAKE(0); + + exit(0); + } +} + +static void setup(void) +{ + if (verify_landlock_is_enabled() < 4) + tst_brk(TCONF, "Landlock network is not supported"); + + addr_port = TST_GET_UNUSED_PORT(AF_INET, SOCK_STREAM); + + server_port = SAFE_MMAP(NULL, sizeof(in_port_t), PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); +} + +static void cleanup(void) +{ + if (server_port) + SAFE_MUNMAP(server_port, sizeof(in_port_t)); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .needs_root = 1, + .needs_checkpoints = 1, + .forks_child = 1, + .test_variants = ARRAY_SIZE(variants), + .bufs = (struct tst_buffers[]) { + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)}, + {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_NET_BIND_SERVICE), + {} + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_INET=y", + NULL + }, +}; From patchwork Wed Nov 6 11:13:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 2007411 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=JbU0DEFq; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=p0Q2aC9W; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=JbU0DEFq; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=p0Q2aC9W; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Xk2dZ3vLTz1xyD for ; Wed, 6 Nov 2024 22:13:54 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 6F8603D3191 for ; Wed, 6 Nov 2024 12:13:49 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [217.194.8.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id ECD393CBEF3 for ; Wed, 6 Nov 2024 12:13:28 +0100 (CET) Authentication-Results: in-7.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.130; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-7.smtp.seeweb.it (Postfix) with ESMTPS id 62AAE2009AB for ; Wed, 6 Nov 2024 12:13:28 +0100 (CET) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id D5BB821B75; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5zfUkyGXqoiuLMb8PDG5orxJGhDcGt1u86g+6eEJBEw=; b=JbU0DEFqkY0YQihaH2ujdTU/5hvD26aNaM6nJqABEW8JlCye/ukFhPyyph4wZz6EDvp/Fw KpXm8kXKhlC+tlGjnZqtYF9m+bpRYy5XEmGSzlY7v3hw2ZhY/BgHsYeFtmqS2NHocm4nNd 1QRRdbO10dadYtyQ8Kc6Fpjt0SvFfeE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5zfUkyGXqoiuLMb8PDG5orxJGhDcGt1u86g+6eEJBEw=; b=p0Q2aC9WbQJQDNH1ehF576h0KY49Uuo3QFhHhFPsM1uEGhrmFTGOMiffvn71Lb/88jNedC YFnI3g8UF1V1n/CQ== Authentication-Results: smtp-out1.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=JbU0DEFq; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=p0Q2aC9W DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5zfUkyGXqoiuLMb8PDG5orxJGhDcGt1u86g+6eEJBEw=; b=JbU0DEFqkY0YQihaH2ujdTU/5hvD26aNaM6nJqABEW8JlCye/ukFhPyyph4wZz6EDvp/Fw KpXm8kXKhlC+tlGjnZqtYF9m+bpRYy5XEmGSzlY7v3hw2ZhY/BgHsYeFtmqS2NHocm4nNd 1QRRdbO10dadYtyQ8Kc6Fpjt0SvFfeE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1730891607; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5zfUkyGXqoiuLMb8PDG5orxJGhDcGt1u86g+6eEJBEw=; b=p0Q2aC9WbQJQDNH1ehF576h0KY49Uuo3QFhHhFPsM1uEGhrmFTGOMiffvn71Lb/88jNedC YFnI3g8UF1V1n/CQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id B7BDD13A3B; Wed, 6 Nov 2024 11:13:27 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 4EsIK1dPK2eFdQAAD6G6ig (envelope-from ); Wed, 06 Nov 2024 11:13:27 +0000 From: Andrea Cervesato Date: Wed, 06 Nov 2024 12:13:18 +0100 MIME-Version: 1.0 Message-Id: <20241106-landlock_network-v3-4-855b14df63c6@suse.com> References: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> In-Reply-To: <20241106-landlock_network-v3-0-855b14df63c6@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1730891606; l=5813; i=andrea.cervesato@suse.com; s=20240812; h=from:subject:message-id; bh=RweA8gvUc8/AyfYDOwJRmZt3oIQQLfVBR4NqA0rs5Yg=; b=c2pLsie61+eMNql3Ti0/3rLNheKA3yA7D0rf7yxWxavljyGp8odPdDOYwrl12ytL8zHuPNtyF 2i3vXwa4vj6DMA1DL2GsgX6EcBgu0ciDHB1+mGlin44cjVpsh/ZeBe/ X-Developer-Key: i=andrea.cervesato@suse.com; a=ed25519; pk=RG/nLJ5snb1tLKGwSORQXBJ5XA4juT0WF2Pc/lq9meo= X-Rspamd-Queue-Id: D5BB821B75 X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.de:dkim,suse.com:email,suse.com:mid,suse.cz:email]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -4.51 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-7.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-7.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 4/4] Add error coverage for landlock network support X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Add two more errors checks inside the landlock02 which is testing landlock_add_rule syscall. In particular, test now verifies when the syscall is raising EINVAL due to invalid network attributes. Reviewed-by: Cyril Hrubis Signed-off-by: Andrea Cervesato --- testcases/kernel/syscalls/landlock/landlock02.c | 93 +++++++++++++++++++------ 1 file changed, 72 insertions(+), 21 deletions(-) diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c index 8566d407f6d17ab367695125f07d0a80cf4130e5..e1e3228b54f3fdb10774cb333ccc5646c7c4e37b 100644 --- a/testcases/kernel/syscalls/landlock/landlock02.c +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -20,93 +20,142 @@ #include "landlock_common.h" -static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr; +static struct tst_landlock_ruleset_attr_abi1 *attr_abi1; +static struct tst_landlock_ruleset_attr_abi4 *attr_abi4; static struct landlock_path_beneath_attr *path_beneath_attr; static struct landlock_path_beneath_attr *rule_null; +static struct landlock_net_port_attr *net_port_attr; static int ruleset_fd; static int invalid_fd = -1; +static int abi_current; static struct tcase { int *fd; - enum landlock_rule_type rule_type; - struct landlock_path_beneath_attr **attr; + int rule_type; + struct landlock_path_beneath_attr **path_attr; + struct landlock_net_port_attr **net_attr; int access; int parent_fd; + int net_port; uint32_t flags; int exp_errno; + int abi_ver; char *msg; } tcases[] = { { .fd = &ruleset_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, .access = LANDLOCK_ACCESS_FS_EXECUTE, .flags = 1, .exp_errno = EINVAL, + .abi_ver = 1, .msg = "Invalid flags" }, { .fd = &ruleset_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, .access = LANDLOCK_ACCESS_FS_EXECUTE, .exp_errno = EINVAL, + .abi_ver = 1, .msg = "Invalid rule type" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, .exp_errno = ENOMSG, + .abi_ver = 1, .msg = "Empty accesses" }, { .fd = &invalid_fd, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, .access = LANDLOCK_ACCESS_FS_EXECUTE, .exp_errno = EBADF, + .abi_ver = 1, .msg = "Invalid file descriptor" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &path_beneath_attr, + .path_attr = &path_beneath_attr, .access = LANDLOCK_ACCESS_FS_EXECUTE, .parent_fd = -1, .exp_errno = EBADF, + .abi_ver = 1, .msg = "Invalid parent fd" }, { .fd = &ruleset_fd, .rule_type = LANDLOCK_RULE_PATH_BENEATH, - .attr = &rule_null, + .path_attr = &rule_null, .exp_errno = EFAULT, + .abi_ver = 1, .msg = "Invalid rule attr" }, + { + .fd = &ruleset_fd, + .rule_type = LANDLOCK_RULE_NET_PORT, + .net_attr = &net_port_attr, + .access = LANDLOCK_ACCESS_FS_EXECUTE, + .net_port = 448, + .exp_errno = EINVAL, + .abi_ver = 4, + .msg = "Invalid access rule for network type" + }, + { + .fd = &ruleset_fd, + .rule_type = LANDLOCK_RULE_NET_PORT, + .net_attr = &net_port_attr, + .access = LANDLOCK_ACCESS_NET_BIND_TCP, + .net_port = INT16_MAX + 1, + .exp_errno = EINVAL, + .abi_ver = 4, + .msg = "Socket port greater than 65535" + }, }; static void run(unsigned int n) { struct tcase *tc = &tcases[n]; + void *attr = NULL; - if (*tc->attr) { - (*tc->attr)->allowed_access = tc->access; - (*tc->attr)->parent_fd = tc->parent_fd; + if (tc->abi_ver > abi_current) { + tst_res(TCONF, "Minimum ABI required: %d", tc->abi_ver); + return; + } + + if (tc->path_attr && *tc->path_attr) { + (*tc->path_attr)->allowed_access = tc->access; + (*tc->path_attr)->parent_fd = tc->parent_fd; + + attr = *tc->path_attr; + } else if (tc->net_attr && *tc->net_attr) { + (*tc->net_attr)->allowed_access = tc->access; + (*tc->net_attr)->port = tc->net_port; + + attr = *tc->net_attr; } TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, - *tc->fd, tc->rule_type, *tc->attr, tc->flags), - tc->exp_errno, - "%s", - tc->msg); + *tc->fd, tc->rule_type, attr, tc->flags), + tc->exp_errno, "%s", tc->msg); } static void setup(void) { - verify_landlock_is_enabled(); + abi_current = verify_landlock_is_enabled(); - ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + attr_abi1->handled_access_fs = + attr_abi4->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; - ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); + if (abi_current < 4) { + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + attr_abi1, sizeof(struct tst_landlock_ruleset_attr_abi1), 0)); + } else { + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + attr_abi4, sizeof(struct tst_landlock_ruleset_attr_abi4), 0)); + } } static void cleanup(void) @@ -122,8 +171,10 @@ static struct tst_test test = { .cleanup = cleanup, .needs_root = 1, .bufs = (struct tst_buffers []) { - {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, + {&attr_abi1, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)}, + {&attr_abi4, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)}, {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)}, {}, }, .caps = (struct tst_cap []) {