Re: Re: [PATCH v14 10/12] selftests/landlock: Add network tests
From: Mickaël Salaün <mic@digikod.net>
Date: 2024-01-11 17:06:11
Also in:
bpf, linux-kselftest, linux-security-module, netfilter-devel
Thanks for the report and the test Muhammad, the fix is now merged:
https://git.kernel.org/torvalds/c/bbf5a1d0e5d0fb3bdf90205aa872636122692a50

See https://lore.kernel.org/all/20240103163415.304358-1-mic@digikod.net/

On Wed, Dec 20, 2023 at 04:19:44PM +0500, Muhammad Usama Anjum wrote:
> On 12/20/23 2:17 PM, Mickaël Salaün wrote:
>> Hi Muhammad,
>>
>> Thanks for the report.
>>
>> On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
>>> Hi Konstantin,
>>>
>>> There are some errors being reported in KernelCI:
>>> https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
>>>
>>> The following sub-tests are failing:
>>> landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
>>> landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
>>> landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
>>>
>>> From my initial investigation, I can see that these failures are coming
>>> from just finding the wrong return error code (-97 instead of -22). It
>>> may be the test's issue or the kernel's, not sure yet.
>>
>> I cannot reproduce these errors (with the same kernel commit), the
>> Defconfig URL is broken. Could you please share the config used for
>> tests?
> I've also attached the config. I generated the config by following:
> make defconfig && make kvm_guest.config
> scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config
>
>> According to the failing tests, it looks like the network stack returns
>> EAFNOSUPPORT instead of EINVAL, which should happen because addr_len <
>> SIN6_LEN_RFC2133 (cf. inet6_bind_sk). I then think that the issue comes
>> from an inconsistent error priority with the prot->bind() call in
>> inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains
>> AF_UNSPEC. I didn't find such bind() implementations though. Could you
>> please validate this theory by removing this call in inet6_bind_sk() and
>> running the tests again?
> I'll have a look if I can find anything.
>
>> Eric, do you know where such struct proto bind() implementations are and
>> why they may return EAFNOSUPPORT?
>>
>> Regards,
>> Mickaël
>>
>>> Thanks,
>>> Usama
>>>
>>> On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
>>>> Add 82 test suites to check edge cases related to bind() and connect()
>>>> actions. They are defined with 6 fixtures and their variants:
>>>>
>>>> The "protocol" fixture is extended with 12 variants defined as a matrix
>>>> of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and
>>>> stream/datagram socket. 4 related test suites are defined:
>>>>  * bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
>>>>  * connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix
>>>>    sockets.
>>>>  * bind_unspec: Tests with non-landlocked/landlocked restrictions for
>>>>    bind action with AF_UNSPEC socket family.
>>>>  * connect_unspec: Tests with non-landlocked/landlocked restrictions for
>>>>    connect action with AF_UNSPEC socket family.
>>>>
>>>> The "ipv4" fixture is extended with 4 variants defined as a matrix of:
>>>> sandboxed/not-sandboxed, IPv4/unix network domain, and stream/datagram
>>>> socket. 1 related test suite is defined:
>>>>  * from_unix_to_inet: Tests to make sure unix sockets' actions are not
>>>>    restricted by Landlock rules applied to TCP ones.
>>>>
>>>> The "tcp_layers" fixture is extended with 8 variants defined as a matrix
>>>> of: IPv4/IPv6 network domain, and different number of landlock rule
>>>> layers. 2 related test suites are defined:
>>>>  * ruleset_overlap.
>>>>  * ruleset_expand.
>>>>
>>>> In the "mini" fixture 4 test suites are defined:
>>>>  * network_access_rights: Tests with legitimate access values.
>>>>  * unknown_access_rights: Tests with invalid attributes, out of access
>>>>    range.
>>>>  * inval:
>>>>    - unhandled allowed access.
>>>>    - zero access value.
>>>>  * tcp_port_overflow: Tests with wrong port values greater than U16_MAX.
>>>>
>>>> The "ipv4_tcp" fixture supports the IPv4 network domain and stream
>>>> sockets. 2 test suites are defined:
>>>>  * port_endianness: Tests with big/little endian port formats.
>>>>  * with_fs: Tests with network bind() socket action within filesystem
>>>>    directory access test.
>>>>
>>>> The "port_specific" fixture is extended with 4 variants defined as a
>>>> matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain, and
>>>> stream socket. 2 related test suites are defined:
>>>>  * bind_connect_zero: Tests with port 0 value.
>>>>  * bind_connect_1023: Tests with port 1023 value.
>>>>
>>>> Test coverage for security/landlock is 94.5% of 932 lines according to
>>>> gcc/gcov-9.
>>>>
>>>> Signed-off-by: Konstantin Meskhidze <redacted>
>>>> Co-developed-by: Mickaël Salaün <mic@digikod.net>
>>>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>>>> ---
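The failure mode debated above, as an added example that is not part of the thread or of the Landlock selftests: a small C probe that issues bind() with sa_family = AF_UNSPEC on an IPv6 socket, once with sizeof(struct sockaddr) (16 bytes, below SIN6_LEN_RFC2133) and once with the full sizeof(struct sockaddr_in6), and records which syscall produced the errno. The expected_bind_errno_v6() function is a model of the check order Mickaël describes for inet6_bind_sk() (length check before family check, for protos without their own bind() callback); it is written from that description and is not kernel code. All function, struct and enum names here are this example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Minimum sockaddr_in6 length inet6_bind_sk() accepts (RFC 2133 layout). */
#ifndef SIN6_LEN_RFC2133
#define SIN6_LEN_RFC2133 24
#endif

enum probe_stage { STAGE_SOCKET = 1, STAGE_BIND = 2 };

struct probe_result {
	enum probe_stage stage; /* syscall that produced err */
	int err;                /* errno value, 0 on success */
};

/*
 * Model (assumption, written from the thread's description, not kernel code)
 * of the check order in inet6_bind_sk()/__inet6_bind() for sockets whose
 * struct proto has no bind() callback (IPv6 TCP and UDP): length first,
 * address family second.
 */
int expected_bind_errno_v6(sa_family_t family, socklen_t addr_len)
{
	if (addr_len < SIN6_LEN_RFC2133)
		return EINVAL;
	if (family != AF_INET6)
		return EAFNOSUPPORT;
	return 0;
}

/*
 * Create an IPv6 socket of the given type and bind() it with a zeroed
 * address whose family is AF_UNSPEC, passing addr_len bytes: the shape of
 * the bind_unspec cases named in the thread.
 */
struct probe_result probe_bind_unspec_v6(int type, socklen_t addr_len)
{
	struct probe_result r = { STAGE_SOCKET, 0 };
	struct sockaddr_in6 addr;
	int fd;

	memset(&addr, 0, sizeof(addr));
	addr.sin6_family = AF_UNSPEC;

	fd = socket(AF_INET6, type, 0);
	if (fd < 0) {
		/* Without IPv6 support, socket() itself fails with EAFNOSUPPORT
		 * (-97); a harness that returns -errno from either call cannot
		 * tell this apart from a bind() rejection. */
		r.err = errno;
		return r;
	}
	r.stage = STAGE_BIND;
	if (bind(fd, (const struct sockaddr *)&addr, addr_len) < 0)
		r.err = errno;
	close(fd);
	return r;
}

/* 1 if the live kernel's answer agrees with the model (or IPv6 is absent). */
int probe_matches_model(int type, socklen_t addr_len)
{
	struct probe_result r = probe_bind_unspec_v6(type, addr_len);

	if (r.stage == STAGE_SOCKET)
		return r.err == EAFNOSUPPORT;
	return r.err == expected_bind_errno_v6(AF_UNSPEC, addr_len);
}

int main(void)
{
	const socklen_t lens[] = { sizeof(struct sockaddr), sizeof(struct sockaddr_in6) };
	const int types[] = { SOCK_STREAM, SOCK_DGRAM };

	for (size_t t = 0; t < 2; t++) {
		for (size_t l = 0; l < 2; l++) {
			struct probe_result r = probe_bind_unspec_v6(types[t], lens[l]);

			printf("%s addr_len=%u: %s() -> %d (%s); model expects %d from bind()\n",
			       types[t] == SOCK_STREAM ? "tcp" : "udp", (unsigned)lens[l],
			       r.stage == STAGE_SOCKET ? "socket" : "bind",
			       r.err, r.err ? strerror(r.err) : "ok",
			       expected_bind_errno_v6(AF_UNSPEC, lens[l]));
		}
	}
	return 0;
}
```

Build with `cc -Wall probe.c -o probe` and run unprivileged; no port is ever bound, because the family check rejects the address before any port allocation. The STAGE_SOCKET path is the one to keep in mind when a test reports a single -errno: on a kernel built without IPv6, socket(AF_INET6, ...) already fails with EAFNOSUPPORT and bind() is never reached, so -97 in place of -22 does not by itself show that bind() ran the family check before the length check.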