Re: [PATCH v8 07/12] landlock: Add network rules support
From: Mickaël Salaün <mic@digikod.net>
Date: 2023-01-06 19:22:47
Also in:
linux-security-module, netdev, netfilter-devel
On 04/01/2023 12:41, Konstantin Meskhidze (A) wrote:
11/17/2022 9:43 PM, Mickaël Salaün пишет:
[...]
quoted
quoted
/**@@ -79,6 +91,24 @@ struct landlock_path_beneath_attr { */ } __attribute__((packed)); +/** + * struct landlock_net_service_attr - TCP subnet definition + * + * Argument of sys_landlock_add_rule(). + */ +struct landlock_net_service_attr { + /** + * @allowed_access: Bitmask of allowed access network for services + * (cf. `Network flags`_). + */ + __u64 allowed_access; + /** + * @port: Network port. + */ + __u16 port;From an UAPI point of view, I think the port field should be __be16, as for sockaddr_in->port and other network-related APIs. This will require some kernel changes to please sparse: make C=2 security/landlock/ must not print any warning.I have this errors trying to launch sparse checking: DESCEND objtool DESCEND bpf/resolve_btfids CALL scripts/checksyscalls.sh CHK kernel/kheaders_data.tar.xz CC security/landlock/setup.o CHECK security/landlock/setup.c ./include/asm-generic/rwonce.h:67:16: error: typename in expression ./include/asm-generic/rwonce.h:67:16: error: Expected ) in function call ./include/asm-generic/rwonce.h:67:16: error: got : ./include/linux/list.h:292:16: error: typename in expression ./include/linux/list.h:292:16: error: Expected ) in function call ./include/linux/list.h:292:16: error: got : .... ./include/linux/seqlock.h:682:16: error: Expected ) in function call ./include/linux/seqlock.h:682:16: error: got : ./include/linux/seqlock.h:695:16: error: typename in expression ./include/linux/seqlock.h:695:16: error: Expected ) in function call ./include/linux/seqlock.h:695:16: error: too many errors Segmentation fault (core dumped) make[3]: *** [scripts/Makefile.build:250: security/landlock/setup.o] Error 139 make[3]: *** Deleting file 'security/landlock/setup.o' make[3]: *** Waiting for unfinished jobs.... Segmentation fault (core dumped) make[3]: *** [scripts/Makefile.build:250: security/landlock/syscalls.o] Error 139 make[3]: *** Deleting file 'security/landlock/syscalls.o' make[2]: *** [scripts/Makefile.build:502: security/landlock] Error 2 make[1]: *** [scripts/Makefile.build:502: security] Error 2 make[1]: *** Waiting for unfinished jobs.... make: *** [Makefile:1994: .] Error 2
I don't know about this error. Did you follow the documentation? https://docs.kernel.org/dev-tools/sparse.html#getting-sparse
quoted
Using big-endian values as keys (casted to uintptr_t, not strictly __be16) in the rb-tree should not be an issue because there is no port range ordering (for now). A dedicated test should check that endianness is correct, e.g. by using different port encoding. This should include passing and failing tests, but they should work on all architectures (i.e. big or little endian).