lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220829170401.834298-17-konstantin.meskhidze@huawei.com> Date: Tue, 30 Aug 2022 01:03:59 +0800 From: Konstantin Meskhidze <konstantin.meskhidze@...wei.com> To: <mic@...ikod.net> CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>, <linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>, <netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>, <hukeping@...wei.com>, <anton.sirazetdinov@...wei.com> Subject: [PATCH v7 16/18] seltests/landlock: add invalid input data test This patch adds rules with invalid user space supplied data: - out of range ruleset attribute; - unhandled allowed access; - zero port value; - zero access value; Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com> --- Changes since v6: * Adds invalid ruleset attribute test. Changes since v5: * Formats code with clang-format-14. Changes since v4: * Refactors code with self->port variable. Changes since v3: * Adds inval test. --- tools/testing/selftests/landlock/net_test.c | 66 ++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index a93224d1521b..067ba45f58a5 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -26,9 +26,12 @@ #define IP_ADDRESS "127.0.0.1" -/* Number pending connections queue to be hold */ +/* Number pending connections queue to be hold. */ #define BACKLOG 10 +/* Invalid attribute, out of landlock network access range. */ +#define LANDLOCK_INVAL_ATTR 7 + FIXTURE(socket) { uint port[MAX_SOCKET_NUM]; @@ -719,4 +722,65 @@ TEST_F(socket, ruleset_expanding) /* Closes socket 1. */ ASSERT_EQ(0, close(sockfd_1)); } + +TEST_F(socket, inval) +{ + struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP + }; + struct landlock_ruleset_attr ruleset_attr_inval = { + .handled_access_net = LANDLOCK_INVAL_ATTR + }; + struct landlock_net_service_attr net_service_1 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP, + .port = self->port[0], + }; + struct landlock_net_service_attr net_service_2 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, + .port = 0, + }; + struct landlock_net_service_attr net_service_3 = { + .allowed_access = 0, + .port = self->port[1], + }; + struct landlock_net_service_attr net_service_4 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, + .port = self->port[2], + }; + + /* Checks invalid ruleset attribute. */ + const int ruleset_fd_inv = landlock_create_ruleset( + &ruleset_attr_inval, sizeof(ruleset_attr_inval), 0); + ASSERT_EQ(-1, ruleset_fd_inv); + ASSERT_EQ(EINVAL, errno); + + /* Gets ruleset. */ + const int ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + + /* Checks unhandled allowed_access. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_1, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks zero port value. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_2, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks zero access value. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_3, 0)); + ASSERT_EQ(ENOMSG, errno); + + /* Adds with legitimate values. */ + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_4, 0)); + + /* Enforces the ruleset. */ + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); +} TEST_HARNESS_MAIN -- 2.25.1
Powered by blists - more mailing lists