lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231027.weic8eidaiQu@digikod.net>
Date: Fri, 27 Oct 2023 15:06:34 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
Cc: willemdebruijn.kernel@...il.com, gnoack3000@...il.com, 
	linux-security-module@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, 
	yusongping@...wei.com, artem.kuzin@...wei.com, Paul Moore <paul@...l-moore.com>
Subject: Re: [PATCH v14 00/12] Network support for Landlock

Thanks Konstantin!

I did some minor cosmetic changes, extended a bit the documentation and
improved the ipv4_tcp.with_fs test. You can see these changes in my
-next branch:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next

We have a very good test coverage and I think these patches are ready
for mainline.  If it's OK with you, I plan to send a PR for v6.7-rc1 .

Regards,
 Mickaël

On Thu, Oct 26, 2023 at 09:47:39AM +0800, Konstantin Meskhidze wrote:
> Hi,
> This is a new V14 patch related to Landlock LSM network confinement.
> It is based on v6.6-rc2 kernel version.
> 
> It brings refactoring of previous patch version V13.
> Mostly there are fixes of logic and typos, refactoring some selftests.
> 
> All test were run in QEMU evironment and compiled with
>  -static flag.
>  1. network_test: 82/82 tests passed.
>  2. base_test: 7/7 tests passed.
>  3. fs_test: 107/107 tests passed.
>  4. ptrace_test: 8/8 tests passed.
> 
> Previous versions:
> v13: https://lore.kernel.org/linux-security-module/20231016015030.1684504-1-konstantin.meskhidze@huawei.com/
> v12: https://lore.kernel.org/linux-security-module/20230920092641.832134-1-konstantin.meskhidze@huawei.com/
> v11: https://lore.kernel.org/linux-security-module/20230515161339.631577-1-konstantin.meskhidze@huawei.com/
> v10: https://lore.kernel.org/linux-security-module/20230323085226.1432550-1-konstantin.meskhidze@huawei.com/
> v9: https://lore.kernel.org/linux-security-module/20230116085818.165539-1-konstantin.meskhidze@huawei.com/
> v8: https://lore.kernel.org/linux-security-module/20221021152644.155136-1-konstantin.meskhidze@huawei.com/
> v7: https://lore.kernel.org/linux-security-module/20220829170401.834298-1-konstantin.meskhidze@huawei.com/
> v6: https://lore.kernel.org/linux-security-module/20220621082313.3330667-1-konstantin.meskhidze@huawei.com/
> v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
> v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
> 
> Konstantin Meskhidze (11):
>   landlock: Make ruleset's access masks more generic
>   landlock: Refactor landlock_find_rule/insert_rule
>   landlock: Refactor merge/inherit_ruleset functions
>   landlock: Move and rename layer helpers
>   landlock: Refactor layer helpers
>   landlock: Refactor landlock_add_rule() syscall
>   landlock: Add network rules and TCP hooks support
>   selftests/landlock: Share enforce_ruleset()
>   selftests/landlock: Add network tests
>   samples/landlock: Support TCP restrictions
>   landlock: Document network support
> 
> Mickaël Salaün (1):
>   landlock: Allow FS topology changes for domains without such rule type
> 
>  Documentation/userspace-api/landlock.rst     |   96 +-
>  include/uapi/linux/landlock.h                |   55 +
>  samples/landlock/sandboxer.c                 |  115 +-
>  security/landlock/Kconfig                    |    1 +
>  security/landlock/Makefile                   |    2 +
>  security/landlock/fs.c                       |  232 +--
>  security/landlock/limits.h                   |    6 +
>  security/landlock/net.c                      |  198 ++
>  security/landlock/net.h                      |   33 +
>  security/landlock/ruleset.c                  |  405 +++-
>  security/landlock/ruleset.h                  |  183 +-
>  security/landlock/setup.c                    |    2 +
>  security/landlock/syscalls.c                 |  158 +-
>  tools/testing/selftests/landlock/base_test.c |    2 +-
>  tools/testing/selftests/landlock/common.h    |   13 +
>  tools/testing/selftests/landlock/config      |    4 +
>  tools/testing/selftests/landlock/fs_test.c   |   10 -
>  tools/testing/selftests/landlock/net_test.c  | 1744 ++++++++++++++++++
>  18 files changed, 2908 insertions(+), 351 deletions(-)
>  create mode 100644 security/landlock/net.c
>  create mode 100644 security/landlock/net.h
>  create mode 100644 tools/testing/selftests/landlock/net_test.c
> 
> --
> 2.25.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ