| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 15:24:54 +0300
From: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<anton.sirazetdinov@...wei.com>
Subject: Re: [PATCH v5 12/15] seltests/landlock: rules overlapping test
5/16/2022 8:41 PM, Mickaël Salaün пишет:
> Please fix these kind of subjects (selftests). I'd also like the subject
> description to (quickly) describe what is done (with a verb), to start
> with a capital (like a title), and to contain "network", something like
> this:
> selftests/landlock: Add test for overlapping network rules
>
> This is a good test though.
>
>
> On 16/05/2022 17:20, Konstantin Meskhidze wrote:
>> This patch adds overlapping rules for one port.
>> First rule adds just bind() access right for a port.
>> The second one adds both bind() and connect()
>> access rights for the same port.
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
>> ---
>>
>> Changes since v3:
>> * Add ruleset_overlap test.
>>
>> Changes since v4:
>> * Refactoring code with self->port, self->addr4 variables.
>>
>> ---
>> tools/testing/selftests/landlock/net_test.c | 51 +++++++++++++++++++++
>> 1 file changed, 51 insertions(+)
>>
>> diff --git a/tools/testing/selftests/landlock/net_test.c
>> b/tools/testing/selftests/landlock/net_test.c
>> index bf8e49466d1d..1d8c9dfdbd48 100644
>> --- a/tools/testing/selftests/landlock/net_test.c
>> +++ b/tools/testing/selftests/landlock/net_test.c
>> @@ -677,4 +677,55 @@ TEST_F_FORK(socket_test,
>> connect_afunspec_with_restictions) {
>> ASSERT_EQ(1, WIFEXITED(status));
>> ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>> }
>> +
>> +TEST_F_FORK(socket_test, ruleset_overlap) {
>
> Please run clang-format-14 on all files (and all commits).
>
Yep. I already have updated clang-format executable on my Ubuntu and
setup Vscode to use .clang-format file.
>> +
>> + int sockfd;
>> +
>> + struct landlock_ruleset_attr ruleset_attr = {
>> + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>> + LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> + };
>> + struct landlock_net_service_attr net_service_1 = {
>> + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>> +
>> + .port = self->port[0],
>> + };
>> +
>> + struct landlock_net_service_attr net_service_2 = {
>> + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>> + LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +
>> + .port = self->port[0],
>> + };
>> +
>> + const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>> + sizeof(ruleset_attr), 0);
>> + ASSERT_LE(0, ruleset_fd);
>> +
>> + /* Allows bind operations to the port[0] socket */
>
> Please ends this kind of comments with a final dot (all files/commits).
>
Ok. I will.
>> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
>> LANDLOCK_RULE_NET_SERVICE,
>> + &net_service_1, 0));
>> + /* Allows connect and bind operations to the port[0] socket */
>> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
>> LANDLOCK_RULE_NET_SERVICE,
>> + &net_service_2, 0));
>> +
>> + /* Enforces the ruleset. */
>> + enforce_ruleset(_metadata, ruleset_fd);
>> +
>> + /* Creates a server socket */
>> + sockfd = create_socket(_metadata, false, false);
>> + ASSERT_LE(0, sockfd);
>> +
>> + /* Binds the socket to address with port[0] */
>> + ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0],
>> sizeof(self->addr4[0])));
>> +
>> + /* Makes connection to socket with port[0] */
>> + ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
>
> Can you please get rid of this (struct sockaddr *) type casting please
> (without compiler warning)?
>
Do you have a warning here? Cause I don't.
>> + sizeof(self->addr4[0])));
>
> Here, you can enforce a new ruleset with net_service_1 and check that
> bind() is still allowed but not connect().
>
Ok. Thank you for advice.
>> +
>> + /* Closes socket */
>> + ASSERT_EQ(0, close(sockfd));
>> +}
>> +
>> TEST_HARNESS_MAIN
>> --
>> 2.25.1
>>
> .
Powered by blists - more mailing lists