Re: [RFC PATCH v4 00/15] Landlock LSM

[RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 01/15] landlock: access mask renaming · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 01/15] landlock: access mask renaming · Mickaël Salaün <mic@digikod.net> · 2022-04-01
Re: [RFC PATCH v4 01/15] landlock: access mask renaming · Konstantin Meskhidze <hidden> · 2022-04-04
[RFC PATCH v4 02/15] landlock: filesystem access mask helpers · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 02/15] landlock: filesystem access mask helpers · Mickaël Salaün <mic@digikod.net> · 2022-03-15
Re: [RFC PATCH v4 02/15] landlock: filesystem access mask helpers · Konstantin Meskhidze <hidden> · 2022-03-17
Re: [RFC PATCH v4 02/15] landlock: filesystem access mask helpers · Mickaël Salaün <mic@digikod.net> · 2022-03-17
Re: [RFC PATCH v4 02/15] landlock: filesystem access mask helpers · Konstantin Meskhidze <hidden> · 2022-03-18
[RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Mickaël Salaün <mic@digikod.net> · 2022-03-16
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Konstantin Meskhidze <hidden> · 2022-03-17
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Mickaël Salaün <mic@digikod.net> · 2022-03-18
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Konstantin Meskhidze <hidden> · 2022-03-22
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Mickaël Salaün <mic@digikod.net> · 2022-03-22
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring · Konstantin Meskhidze <hidden> · 2022-03-23
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring (TCP port 0) · Mickaël Salaün <mic@digikod.net> · 2022-04-12
Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring (TCP port 0) · Konstantin Meskhidze <hidden> · 2022-04-26
[RFC PATCH v4 04/15] landlock: merge and inherit function refactoring · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 06/15] landlock: landlock_add_rule syscall refactoring · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 06/15] landlock: landlock_add_rule syscall refactoring · Mickaël Salaün <mic@digikod.net> · 2022-04-12
Re: [RFC PATCH v4 06/15] landlock: landlock_add_rule syscall refactoring · Konstantin Meskhidze <hidden> · 2022-04-26
[RFC PATCH v4 05/15] landlock: unmask_layers() function refactoring · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 08/15] landlock: add support network rules · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 08/15] landlock: add support network rules · Mickaël Salaün <mic@digikod.net> · 2022-04-08
Re: [RFC PATCH v4 08/15] landlock: add support network rules · Konstantin Meskhidze <hidden> · 2022-04-11
Re: [RFC PATCH v4 08/15] landlock: add support network rules · Mickaël Salaün <mic@digikod.net> · 2022-04-11
Re: [RFC PATCH v4 08/15] landlock: add support network rules · Konstantin Meskhidze <hidden> · 2022-04-12
[RFC PATCH v4 09/15] landlock: TCP network hooks implementation · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 09/15] landlock: TCP network hooks implementation · Mickaël Salaün <mic@digikod.net> · 2022-04-11
Re: [RFC PATCH v4 09/15] landlock: TCP network hooks implementation · Konstantin Meskhidze <hidden> · 2022-04-26
[RFC PATCH v4 07/15] landlock: user space API network support · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Mickaël Salaün <mic@digikod.net> · 2022-04-12
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Mickaël Salaün <mic@digikod.net> · 2022-04-12
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Konstantin Meskhidze <hidden> · 2022-04-12
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Mickaël Salaün <mic@digikod.net> · 2022-04-12
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Konstantin Meskhidze <hidden> · 2022-04-26
Re: [RFC PATCH v4 07/15] landlock: user space API network support · Konstantin Meskhidze <hidden> · 2022-04-25
[RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-04-01
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-04-04
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-04-04
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-04-06
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-04-08
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-04-26
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-05-16
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-05-16
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Mickaël Salaün <mic@digikod.net> · 2022-04-04
Re: [RFC PATCH v4 10/15] seltest/landlock: add tests for bind() hooks · Konstantin Meskhidze <hidden> · 2022-04-06
[RFC PATCH v4 13/15] seltest/landlock: rules overlapping test · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 12/15] seltest/landlock: connect() with AF_UNSPEC tests · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 14/15] seltest/landlock: ruleset expanding test · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 11/15] seltest/landlock: add tests for connect() hooks · Konstantin Meskhidze <hidden> · 2022-03-09
[RFC PATCH v4 15/15] seltest/landlock: invalid user input data test · Konstantin Meskhidze <hidden> · 2022-03-09
Re: [RFC PATCH v4 00/15] Landlock LSM · Mickaël Salaün <mic@digikod.net> · 2022-03-15
Re: [RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-17
Re: [RFC PATCH v4 00/15] Landlock LSM · Mickaël Salaün <mic@digikod.net> · 2022-03-17
Re: [RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-18
Re: [RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-23
Re: [RFC PATCH v4 00/15] Landlock LSM · Mickaël Salaün <mic@digikod.net> · 2022-03-24
Re: [RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-24
Re: [RFC PATCH v4 00/15] Landlock LSM · Mickaël Salaün <mic@digikod.net> · 2022-03-24
Re: [RFC PATCH v4 00/15] Landlock LSM · Konstantin Meskhidze <hidden> · 2022-03-24

From: Konstantin Meskhidze <hidden>
Date: 2022-03-24 13:35:01
Also in: linux-security-module, netfilter-devel


3/24/2022 3:27 PM, Mickaël Salaün пишет:

On 23/03/2022 17:30, Konstantin Meskhidze wrote:

quoted


3/17/2022 8:26 PM, Mickaël Salaün пишет:

quoted

On 17/03/2022 14:01, Konstantin Meskhidze wrote:

quoted


3/15/2022 8:02 PM, Mickaël Salaün пишет:

quoted

Hi Konstantin,

This series looks good! Thanks for the split in multiple patches.

  Thanks. I follow your recommendations.

quoted

On 09/03/2022 14:44, Konstantin Meskhidze wrote:

quoted

Hi,
This is a new V4 bunch of RFC patches related to Landlock LSM 
network confinement.
It brings deep refactirong and commit splitting of previous 
version V3.
Also added additional selftests.

This patch series can be applied on top of v5.17-rc3.

All test were run in QEMU evironment and compiled with
  -static flag.
  1. network_test: 9/9 tests passed.

I get a kernel warning running the network tests.

   What kind of warning? Can you provide it please?

You really need to get a setup that gives you such kernel warning. 
When running network_test you should get:
WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 
insert_rule+0x220/0x270

Before sending new patches, please make sure you're able to catch 
such issues.

quoted

  2. base_test: 8/8 tests passed.
  3. fs_test: 46/46 tests passed.
  4. ptrace_test: 4/8 tests passed.

Does your test machine use Yama? That would explain the 4/8. You 
can disable it with the appropriate sysctl.

Can you answer this question?

quoted

Tests were also launched for Landlock version without
v4 patch:
  1. base_test: 8/8 tests passed.
  2. fs_test: 46/46 tests passed.
  3. ptrace_test: 4/8 tests passed.

Could not provide test coverage cause had problems with tests
on VM (no -static flag the tests compiling, no v4 patch applied):

    Hi, Mickaёl!
    I tried to get base test coverage without v4 patch applied.

    1. Kernel configuration :
     - CONFIG_DEBUG_FS=y
     - CONFIG_GCOV_KERNEL=y
     - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
    2. Added GCOV_PROFILE := y in security/landlock/Makefile

I think this is useless because of CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y. I 
don't add GCOV_PROFILE anyway.

quoted

    3. Compiled kernel  and rebooted VM with the new one.
    4. Run landlock selftests as root user:
     $ cd tools/testing/selftests/landlock
     $ ./base_test
     $ ./fs_test
     $ ./ptrace_test
    5. Copied GCOV data to some folder :
       $ cp -r 
/sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
       $ cd /gcov-before
       $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info

I do this step on my host but that should work as long as you have the 
kernel sources in the same directory. I guess this is not the case. I 
think you also need GCC >= 4.8 .
   I found the reason why .gcda files were not executed :

   	"lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info" 
was run not under ROOT user.
   Running lcov by ROOT one solved the issue. I will provide network test
   coverage in RFC patch V5.
   Thanks for help anyway.

quoted

I got the next result:
" Capturing coverage data from ./landlock
Found gcov version: 9.4.0
Using intermediate gcov format
Scanning ./landlock for .gcda files ...
Found 7 data files in ./landlock
Processing landlock/setup.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/setup.gcda:cannot open 
data file, assuming not executed
Processing landlock/object.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/object.gcda:cannot open 
data file, assuming not executed
Processing landlock/cred.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/cred.gcda:cannot open 
data file, assuming not executed
Processing landlock/ruleset.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/ruleset.gcda:cannot 
open data file, assuming not executed
Processing landlock/syscalls.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/syscalls.gcda:cannot 
open data file, assuming not executed
Processing landlock/fs.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/fs.gcda:cannot open 
data file, assuming not executed
Processing landlock/ptrace.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/ptrace.gcda:cannot open 
data file, assuming not executed
Finished .info-file creation
Reading data file lcov.info
Found 38 entries.
Found common filename prefix 
"/home/kmeskhidze/work/src/linux_5.13_landlock"
Writing .css and .png files.
Generating output.
Processing file arch/x86/include/asm/atomic64_64.h
Processing file arch/x86/include/asm/bitops.h
Processing file arch/x86/include/asm/atomic.h
Processing file arch/x86/include/asm/current.h
Processing file include/asm-generic/getorder.h
Processing file include/asm-generic/bitops/instrumented-non-atomic.h
Processing file include/linux/fs.h
Processing file include/linux/refcount.h
Processing file include/linux/kernel.h
Processing file include/linux/list.h
Processing file include/linux/sched.h
Processing file include/linux/overflow.h
Processing file include/linux/dcache.h
Processing file include/linux/spinlock.h
Processing file include/linux/file.h
Processing file include/linux/rcupdate.h
Processing file include/linux/err.h
Processing file include/linux/workqueue.h
Processing file include/linux/fortify-string.h
Processing file include/linux/slab.h
Processing file include/linux/instrumented.h
Processing file include/linux/uaccess.h
Processing file include/linux/thread_info.h
Processing file include/linux/rbtree.h
Processing file include/linux/log2.h
Processing file include/linux/atomic/atomic-instrumented.h
Processing file include/linux/atomic/atomic-long.h
Processing file security/landlock/fs.c
Processing file security/landlock/ruleset.h
Processing file security/landlock/ruleset.c
Processing file security/landlock/ptrace.c
Processing file security/landlock/object.h
Processing file security/landlock/syscalls.c
Processing file security/landlock/setup.c
Processing file security/landlock/cred.c
Processing file security/landlock/object.c
Processing file security/landlock/fs.h
Processing file security/landlock/cred.h
Writing directory view page.
Overall coverage rate:
   lines......: 0.0% (0 of 937 lines)
   functions..: 0.0% (0 of 67 functions) "

Looks like .gcda files were not executed.
Maybe I did miss something. Any thoughts?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help