Re: [PATCH v7 01/18] landlock: rename access mask

[PATCH v7 00/18] Network support for Landlock · Konstantin Meskhidze <hidden> · 2022-08-29
[PATCH v7 01/18] landlock: rename access mask · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 01/18] landlock: rename access mask · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 01/18] landlock: rename access mask · Konstantin Meskhidze (A) <hidden> · 2022-09-09
Re: [PATCH v7 01/18] landlock: rename access mask · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Konstantin Meskhidze (A) <hidden> · 2022-09-09
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Mickaël Salaün <mic@digikod.net> · 2022-09-12
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Konstantin Meskhidze (A) <hidden> · 2022-10-12
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Mickaël Salaün <mic@digikod.net> · 2022-10-12
Re: [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule · Konstantin Meskhidze (A) <hidden> · 2022-10-12
[PATCH v7 04/18] landlock: move helper functions · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 04/18] landlock: move helper functions · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 04/18] landlock: move helper functions · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions · Konstantin Meskhidze (A) <hidden> · 2022-09-09
Re: [PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 05/18] landlock: refactor helper functions · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 05/18] landlock: refactor helper functions · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 05/18] landlock: refactor helper functions · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 05/18] landlock: refactor helper functions · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 06/18] landlock: refactor landlock_add_rule syscall · Konstantin Meskhidze <hidden> · 2022-08-29
[PATCH v7 07/18] landlock: user space API network support · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 07/18] landlock: user space API network support · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 07/18] landlock: user space API network support · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 09/18] landlock: implement TCP network hooks · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 09/18] landlock: implement TCP network hooks · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 09/18] landlock: implement TCP network hooks · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 09/18] landlock: implement TCP network hooks · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 08/18] landlock: add network rules support · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 08/18] landlock: add network rules support · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 08/18] landlock: add network rules support · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 08/18] landlock: add network rules support · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 11/18] seltests/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 11/18] seltests/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 11/18] seltests/landlock: add tests for bind() hooks · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 10/18] seltests/landlock: move helper function · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 10/18] seltests/landlock: move helper function · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 10/18] seltests/landlock: move helper function · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 12/18] seltests/landlock: add tests for connect() hooks · Konstantin Meskhidze <hidden> · 2022-08-29
[PATCH v7 14/18] seltests/landlock: add rules overlapping test · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 14/18] seltests/landlock: add rules overlapping test · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 14/18] seltests/landlock: add rules overlapping test · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test · Konstantin Meskhidze (A) <hidden> · 2022-09-10
[PATCH v7 17/18] samples/landlock: add network demo · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 17/18] samples/landlock: add network demo · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 17/18] samples/landlock: add network demo · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 17/18] samples/landlock: add network demo · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 15/18] seltests/landlock: add ruleset expanding test · Konstantin Meskhidze <hidden> · 2022-08-29
[PATCH v7 18/18] landlock: Document Landlock's network support · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 18/18] landlock: Document Landlock's network support · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 18/18] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 18/18] landlock: Document Landlock's network support · Mickaël Salaün <mic@digikod.net> · 2022-09-12
[PATCH v7 16/18] seltests/landlock: add invalid input data test · Konstantin Meskhidze <hidden> · 2022-08-29
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Mickaël Salaün <mic@digikod.net> · 2022-09-06
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Konstantin Meskhidze (A) <hidden> · 2022-09-10
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Mickaël Salaün <mic@digikod.net> · 2022-09-12
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Mickaël Salaün <mic@digikod.net> · 2022-10-10
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Konstantin Meskhidze (A) <hidden> · 2022-10-11
Re: [PATCH v7 16/18] seltests/landlock: add invalid input data test · Mickaël Salaün <mic@digikod.net> · 2022-10-11

From: Mickaël Salaün <mic@digikod.net>
Date: 2022-09-12 17:17:08
Also in: netdev, netfilter-devel

On 09/09/2022 12:42, Konstantin Meskhidze (A) wrote:


9/6/2022 11:06 AM, Mickaël Salaün пишет:

quoted

You can improve the subject with "landlock: Make ruleset's access masks
more generic".
Please capitalize all subjects this way.

On 29/08/2022 19:03, Konstantin Meskhidze wrote:

quoted

To support network type rules, this modification renames ruleset's
access masks and modifies it's type to access_masks_t. This patch
adds filesystem helper functions to add and get filesystem mask.

Signed-off-by: Konstantin Meskhidze <redacted>
---

Changes since v6:
* Adds a new access_masks_t for struct ruleset.
* Renames landlock_set_fs_access_mask() to landlock_add_fs_access_mask()
    because it OR values.
* Makes landlock_add_fs_access_mask() more resilient incorrect values.
* Refactors landlock_get_fs_access_mask().

Changes since v5:
* Changes access_mask_t to u32.
* Formats code with clang-format-14.

Changes since v4:
* Deletes struct landlock_access_mask.

Changes since v3:
* Splits commit.
* Adds get_mask, set_mask helpers for filesystem.
* Adds new struct landlock_access_mask.

---
   security/landlock/fs.c       |  7 ++++---
   security/landlock/limits.h   |  1 +
   security/landlock/ruleset.c  | 17 +++++++++--------
   security/landlock/ruleset.h  | 37 ++++++++++++++++++++++++++++++++----
   security/landlock/syscalls.c |  7 ++++---
   5 files changed, 51 insertions(+), 18 deletions(-)

[...]

quoted

@@ -177,4 +182,28 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
   		refcount_inc(&ruleset->usage);
   }

+/* A helper function to set a filesystem mask. */
+static inline void
+landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
+			    const access_mask_t fs_access_mask,
+			    const u16 layer_level)
+{
+	access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
+
+	/* Should already be checked in sys_landlock_create_ruleset(). */
+	WARN_ON_ONCE(fs_access_mask != fs_mask);
+	// TODO: Add tests to check "|=" and not "="

Please add tests as I explained in a previous email.

    Do you mean to add this test into TEST_F_FORK(layout1, inval) in
fs_test.c ???

This is unrelated to the layout1.inval tests. You can create a new 
TEST_F_FORK(layout1, with_net) that also handles TCP_BIND/CONNECT and 
checks a simple subset of TEST_F_FORK(layout1, effective_access) (e.g. 
only read access to dir_s1d2, but not to dir_s2d2). To test the 
complement, you can create a TEST_F_FORK(socket, with_fs) to check that 
bind() works as expected.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help