| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Mar 2022 21:44:59 +0800
From: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
To: <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>, <anton.sirazetdinov@...wei.com>
Subject: [RFC PATCH v4 15/15] seltest/landlock: invalid user input data test
This patch adds rules with invalid user space
supplied data:
- unhandled allowed access;
- zero port value;
- zero access value;
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
---
Changes since v3:
* Add inval test.
---
.../testing/selftests/landlock/network_test.c | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/tools/testing/selftests/landlock/network_test.c b/tools/testing/selftests/landlock/network_test.c
index 8fa2a349329c..f06b9d02128a 100644
--- a/tools/testing/selftests/landlock/network_test.c
+++ b/tools/testing/selftests/landlock/network_test.c
@@ -610,4 +610,56 @@ TEST_F_FORK(socket, ruleset_expanding) {
ASSERT_EQ(0, close(sockfd_1));
}
+TEST_F_FORK(socket, inval) {
+
+ struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP
+ };
+ struct landlock_net_service_attr net_service_1 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
+ .port = port[0],
+ };
+ struct landlock_net_service_attr net_service_2 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = 0,
+ };
+ struct landlock_net_service_attr net_service_3 = {
+ .allowed_access = 0,
+ .port = port[1],
+ };
+ struct landlock_net_service_attr net_service_4 = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = port[2],
+ };
+
+ /* Gets ruleset. */
+ const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
+ sizeof(ruleset_attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+
+ /* Checks unhandled allowed_access. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_1, 0));
+ ASSERT_EQ(EINVAL, errno);
+
+ /* Checks zero port value. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_2, 0));
+ ASSERT_EQ(ENOENT, errno);
+
+ /* Checks zero access value. */
+ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_3, 0));
+ ASSERT_EQ(ENOMSG, errno);
+
+ /* Adds with legitimate values. */
+ ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service_4, 0));
+
+ /* Enforces the ruleset. */
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+}
+
TEST_HARNESS_MAIN
--
2.25.1
Powered by blists - more mailing lists