Message ID: 20220309134459.6448-1-konstantin.meskhidze@huawei.com
Series: Landlock LSM
Hi Konstantin,

This series looks good! Thanks for the split in multiple patches.

On 09/03/2022 14:44, Konstantin Meskhidze wrote:
> Hi,
> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
> It brings deep refactoring and commit splitting of previous version V3.
> Also added additional selftests.
>
> This patch series can be applied on top of v5.17-rc3.
>
> All tests were run in a QEMU environment and compiled with the -static flag.
> 1. network_test: 9/9 tests passed.

I get a kernel warning running the network tests.

> 2. base_test: 8/8 tests passed.
> 3. fs_test: 46/46 tests passed.
> 4. ptrace_test: 4/8 tests passed.

Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.

>
> Tests were also launched for the Landlock version without the v4 patch:
> 1. base_test: 8/8 tests passed.
> 2. fs_test: 46/46 tests passed.
> 3. ptrace_test: 4/8 tests passed.
>
> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):

You can build statically-linked tests with:
make -C tools/testing/selftests/landlock CFLAGS=-static

> 1. base_test: 7/8 tests passed.
> Error:
> # Starting 8 tests from 1 test cases.
> # RUN global.inconsistent_attr ...
> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)

This looks like a bug in the syscall argument checks.

> # inconsistent_attr: Test terminated by assertion
> 2. fs_test: 0 / 46 tests passed
> Error for all tests:
> # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
> # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
> # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
> # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists

You need to run these tests as root.

> 3. ptrace_test: 4 / 8 tests passed.
>
> Previous versions:
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/

Nice to have this history!

>
> Konstantin Meskhidze (15):
>   landlock: access mask renaming
>   landlock: filesystem access mask helpers
>   landlock: landlock_find/insert_rule refactoring
>   landlock: merge and inherit function refactoring
>   landlock: unmask_layers() function refactoring
>   landlock: landlock_add_rule syscall refactoring
>   landlock: user space API network support
>   landlock: add support network rules
>   landlock: TCP network hooks implementation
>   seltest/landlock: add tests for bind() hooks
>   seltest/landlock: add tests for connect() hooks
>   seltest/landlock: connect() with AF_UNSPEC tests
>   seltest/landlock: rules overlapping test
>   seltest/landlock: ruleset expanding test
>   seltest/landlock: invalid user input data test
>
>  include/uapi/linux/landlock.h                 |  48 ++
>  security/landlock/Kconfig                     |   1 +
>  security/landlock/Makefile                    |   2 +-
>  security/landlock/fs.c                        |  72 +-
>  security/landlock/limits.h                    |   6 +
>  security/landlock/net.c                       | 180 +++++
>  security/landlock/net.h                       |  22 +
>  security/landlock/ruleset.c                   | 383 ++++++++--
>  security/landlock/ruleset.h                   |  72 +-
>  security/landlock/setup.c                     |   2 +
>  security/landlock/syscalls.c                  | 176 +++--
>  .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
>  12 files changed, 1434 insertions(+), 195 deletions(-)
>  create mode 100644 security/landlock/net.c
>  create mode 100644 security/landlock/net.h
>  create mode 100644 tools/testing/selftests/landlock/network_test.c
>
> --
> 2.25.1
>
On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
> Hi Konstantin,
>
> This series looks good! Thanks for the split in multiple patches.
>

Thanks. I follow your recommendations.

> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>> Hi,
>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>> It brings deep refactoring and commit splitting of previous version V3.
>> Also added additional selftests.
>>
>> This patch series can be applied on top of v5.17-rc3.
>>
>> All tests were run in a QEMU environment and compiled with the -static flag.
>> 1. network_test: 9/9 tests passed.
>
> I get a kernel warning running the network tests.

What kind of warning? Can you provide it please?

>
>> 2. base_test: 8/8 tests passed.
>> 3. fs_test: 46/46 tests passed.
>> 4. ptrace_test: 4/8 tests passed.
>
> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
>
>>
>> Tests were also launched for the Landlock version without the v4 patch:
>> 1. base_test: 8/8 tests passed.
>> 2. fs_test: 46/46 tests passed.
>> 3. ptrace_test: 4/8 tests passed.
>>
>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>
> You can build statically-linked tests with:
> make -C tools/testing/selftests/landlock CFLAGS=-static

Ok. I will try. Thanks.

>
>> 1. base_test: 7/8 tests passed.
>> Error:
>> # Starting 8 tests from 1 test cases.
>> # RUN global.inconsistent_attr ...
>> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>
> This looks like a bug in the syscall argument checks.

I only get this bug when I don't use the -static option. With -static the base test passes 8/8.

>
>> # inconsistent_attr: Test terminated by assertion
>> 2. fs_test: 0 / 46 tests passed
>> Error for all tests:
>> # common.h:126:no_restriction:Expected -1 (-1) != cap_set_proc(cap_p) (-1)
>> # common.h:127:no_restriction:Failed to cap_set_proc: Operation not permitted
>> # fs_test.c:106:no_restriction:Expected 0 (0) == mkdir(path, 0700) (-1)
>> # fs_test.c:107:no_restriction:Failed to create directory "tmp": File exists
>
> You need to run these tests as root.

OK. I will try.

>
>> 3. ptrace_test: 4 / 8 tests passed.
>>
>> Previous versions:
>> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
>> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
>> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>
> Nice to have this history!
>
>>
>> Konstantin Meskhidze (15):
>>   landlock: access mask renaming
>>   landlock: filesystem access mask helpers
>>   landlock: landlock_find/insert_rule refactoring
>>   landlock: merge and inherit function refactoring
>>   landlock: unmask_layers() function refactoring
>>   landlock: landlock_add_rule syscall refactoring
>>   landlock: user space API network support
>>   landlock: add support network rules
>>   landlock: TCP network hooks implementation
>>   seltest/landlock: add tests for bind() hooks
>>   seltest/landlock: add tests for connect() hooks
>>   seltest/landlock: connect() with AF_UNSPEC tests
>>   seltest/landlock: rules overlapping test
>>   seltest/landlock: ruleset expanding test
>>   seltest/landlock: invalid user input data test
>>
>>  include/uapi/linux/landlock.h                 |  48 ++
>>  security/landlock/Kconfig                     |   1 +
>>  security/landlock/Makefile                    |   2 +-
>>  security/landlock/fs.c                        |  72 +-
>>  security/landlock/limits.h                    |   6 +
>>  security/landlock/net.c                       | 180 +++++
>>  security/landlock/net.h                       |  22 +
>>  security/landlock/ruleset.c                   | 383 ++++++++--
>>  security/landlock/ruleset.h                   |  72 +-
>>  security/landlock/setup.c                     |   2 +
>>  security/landlock/syscalls.c                  | 176 +++--
>>  .../testing/selftests/landlock/network_test.c | 665 ++++++++++++++++++
>>  12 files changed, 1434 insertions(+), 195 deletions(-)
>>  create mode 100644 security/landlock/net.c
>>  create mode 100644 security/landlock/net.h
>>  create mode 100644 tools/testing/selftests/landlock/network_test.c
>>
>> --
>> 2.25.1
>>
On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>
>
> On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
>> Hi Konstantin,
>>
>> This series looks good! Thanks for the split in multiple patches.
>>
> Thanks. I follow your recommendations.
>>
>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>> Hi,
>>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>>> It brings deep refactoring and commit splitting of previous version V3.
>>> Also added additional selftests.
>>>
>>> This patch series can be applied on top of v5.17-rc3.
>>>
>>> All tests were run in a QEMU environment and compiled with the -static flag.
>>> 1. network_test: 9/9 tests passed.
>>
>> I get a kernel warning running the network tests.
>
> What kind of warning? Can you provide it please?

You really need to get a setup that gives you such a kernel warning. When running network_test you should get:
WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270

Before sending new patches, please make sure you're able to catch such issues.

>>
>>> 2. base_test: 8/8 tests passed.
>>> 3. fs_test: 46/46 tests passed.
>>> 4. ptrace_test: 4/8 tests passed.
>>
>> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.

Can you answer this question?

>>
>>>
>>> Tests were also launched for the Landlock version without the v4 patch:
>>> 1. base_test: 8/8 tests passed.
>>> 2. fs_test: 46/46 tests passed.
>>> 3. ptrace_test: 4/8 tests passed.
>>>
>>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>>
>> You can build statically-linked tests with:
>> make -C tools/testing/selftests/landlock CFLAGS=-static
>
> Ok. I will try. Thanks.
>>
>>> 1. base_test: 7/8 tests passed.
>>> Error:
>>> # Starting 8 tests from 1 test cases.
>>> # RUN global.inconsistent_attr ...
>>> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>>
>> This looks like a bug in the syscall argument checks.
>
> I only get this bug when I don't use the -static option. With -static the base test passes 8/8.

Weird, I'd like to know what is the cause of this issue. What distro and version do you use as host and guest VM? Do you have some warning when compiling?
On 3/17/2022 8:26 PM, Mickaël Salaün wrote:
>
> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>
>>
>> On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
>>> Hi Konstantin,
>>>
>>> This series looks good! Thanks for the split in multiple patches.
>>>
>> Thanks. I follow your recommendations.
>>>
>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>> Hi,
>>>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>>>> It brings deep refactoring and commit splitting of previous version V3.
>>>> Also added additional selftests.
>>>>
>>>> This patch series can be applied on top of v5.17-rc3.
>>>>
>>>> All tests were run in a QEMU environment and compiled with the -static flag.
>>>> 1. network_test: 9/9 tests passed.
>>>
>>> I get a kernel warning running the network tests.
>>
>> What kind of warning? Can you provide it please?
>
> You really need to get a setup that gives you such a kernel warning. When running network_test you should get:
> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270
>
> Before sending new patches, please make sure you're able to catch such issues.
>

Thanks. I will check it.

>
>>>
>>>> 2. base_test: 8/8 tests passed.
>>>> 3. fs_test: 46/46 tests passed.
>>>> 4. ptrace_test: 4/8 tests passed.
>>>
>>> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
>
> Can you answer this question?

Sorry. I missed it. I checked the config: Yama is supported now. I will disable it. Thanks for the advice.

>
>
>>>
>>>>
>>>> Tests were also launched for the Landlock version without the v4 patch:
>>>> 1. base_test: 8/8 tests passed.
>>>> 2. fs_test: 46/46 tests passed.
>>>> 3. ptrace_test: 4/8 tests passed.
>>>>
>>>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>>>
>>> You can build statically-linked tests with:
>>> make -C tools/testing/selftests/landlock CFLAGS=-static
>>
>> Ok. I will try. Thanks.
>>>
>>>> 1. base_test: 7/8 tests passed.
>>>> Error:
>>>> # Starting 8 tests from 1 test cases.
>>>> # RUN global.inconsistent_attr ...
>>>> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>>>
>>> This looks like a bug in the syscall argument checks.
>>
>> I only get this bug when I don't use the -static option. With -static the base test passes 8/8.
>
> Weird, I'd like to know what is the cause of this issue. What distro and version do you use as host and guest VM? Do you have some warning when compiling?

I run tests on host Ubuntu 20.04.3 LTS, kernel version v5.17. I will check more carefully for compiling warnings.
On 3/17/2022 8:26 PM, Mickaël Salaün wrote:
>
> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>
>>
>> On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
>>> Hi Konstantin,
>>>
>>> This series looks good! Thanks for the split in multiple patches.
>>>
>> Thanks. I follow your recommendations.
>>>
>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>> Hi,
>>>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>>>> It brings deep refactoring and commit splitting of previous version V3.
>>>> Also added additional selftests.
>>>>
>>>> This patch series can be applied on top of v5.17-rc3.
>>>>
>>>> All tests were run in a QEMU environment and compiled with the -static flag.
>>>> 1. network_test: 9/9 tests passed.
>>>
>>> I get a kernel warning running the network tests.
>>
>> What kind of warning? Can you provide it please?
>
> You really need to get a setup that gives you such a kernel warning. When running network_test you should get:
> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270
>
> Before sending new patches, please make sure you're able to catch such issues.
>
>
>>>
>>>> 2. base_test: 8/8 tests passed.
>>>> 3. fs_test: 46/46 tests passed.
>>>> 4. ptrace_test: 4/8 tests passed.
>>>
>>> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
>
> Can you answer this question?
>
>
>>>
>>>>
>>>> Tests were also launched for the Landlock version without the v4 patch:
>>>> 1. base_test: 8/8 tests passed.
>>>> 2. fs_test: 46/46 tests passed.
>>>> 3. ptrace_test: 4/8 tests passed.
>>>>
>>>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>>>

Hi, Mickaël!
I tried to get base test coverage without the v4 patch applied.

1. Kernel configuration:
   - CONFIG_DEBUG_FS=y
   - CONFIG_GCOV_KERNEL=y
   - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
2. Added GCOV_PROFILE := y in security/landlock/Makefile
3. Compiled the kernel and rebooted the VM with the new one.
4. Ran the landlock selftests as the root user:
   $ cd tools/testing/selftests/landlock
   $ ./base_test
   $ ./fs_test
   $ ./ptrace_test
5. Copied the GCOV data to some folder:
   $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
   $ cd /gcov-before
   $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info

I got the following result:
"
Capturing coverage data from ./landlock
Found gcov version: 9.4.0
Using intermediate gcov format
Scanning ./landlock for .gcda files ...
Found 7 data files in ./landlock
Processing landlock/setup.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/setup.gcda:cannot open data file, assuming not executed
Processing landlock/object.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/object.gcda:cannot open data file, assuming not executed
Processing landlock/cred.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/cred.gcda:cannot open data file, assuming not executed
Processing landlock/ruleset.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/ruleset.gcda:cannot open data file, assuming not executed
Processing landlock/syscalls.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/syscalls.gcda:cannot open data file, assuming not executed
Processing landlock/fs.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/fs.gcda:cannot open data file, assuming not executed
Processing landlock/ptrace.gcda
/home/kmeskhidze/work/src/gcov_before/landlock/ptrace.gcda:cannot open data file, assuming not executed
Finished .info-file creation
Reading data file lcov.info
Found 38 entries.
Found common filename prefix "/home/kmeskhidze/work/src/linux_5.13_landlock"
Writing .css and .png files.
Generating output.
Processing file arch/x86/include/asm/atomic64_64.h
Processing file arch/x86/include/asm/bitops.h
Processing file arch/x86/include/asm/atomic.h
Processing file arch/x86/include/asm/current.h
Processing file include/asm-generic/getorder.h
Processing file include/asm-generic/bitops/instrumented-non-atomic.h
Processing file include/linux/fs.h
Processing file include/linux/refcount.h
Processing file include/linux/kernel.h
Processing file include/linux/list.h
Processing file include/linux/sched.h
Processing file include/linux/overflow.h
Processing file include/linux/dcache.h
Processing file include/linux/spinlock.h
Processing file include/linux/file.h
Processing file include/linux/rcupdate.h
Processing file include/linux/err.h
Processing file include/linux/workqueue.h
Processing file include/linux/fortify-string.h
Processing file include/linux/slab.h
Processing file include/linux/instrumented.h
Processing file include/linux/uaccess.h
Processing file include/linux/thread_info.h
Processing file include/linux/rbtree.h
Processing file include/linux/log2.h
Processing file include/linux/atomic/atomic-instrumented.h
Processing file include/linux/atomic/atomic-long.h
Processing file security/landlock/fs.c
Processing file security/landlock/ruleset.h
Processing file security/landlock/ruleset.c
Processing file security/landlock/ptrace.c
Processing file security/landlock/object.h
Processing file security/landlock/syscalls.c
Processing file security/landlock/setup.c
Processing file security/landlock/cred.c
Processing file security/landlock/object.c
Processing file security/landlock/fs.h
Processing file security/landlock/cred.h
Writing directory view page.
Overall coverage rate:
  lines......: 0.0% (0 of 937 lines)
  functions..: 0.0% (0 of 67 functions)
"

Looks like the .gcda files were not executed.
Maybe I missed something. Any thoughts?

>>> You can build statically-linked tests with:
>>> make -C tools/testing/selftests/landlock CFLAGS=-static
>>
>> Ok. I will try. Thanks.
>>>
>>>> 1. base_test: 7/8 tests passed.
>>>> Error:
>>>> # Starting 8 tests from 1 test cases.
>>>> # RUN global.inconsistent_attr ...
>>>> # base_test.c:51:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>>>
>>> This looks like a bug in the syscall argument checks.
>>
>> I only get this bug when I don't use the -static option. With -static the base test passes 8/8.
>
> Weird, I'd like to know what is the cause of this issue. What distro and version do you use as host and guest VM? Do you have some warning when compiling?
On 23/03/2022 17:30, Konstantin Meskhidze wrote:
>
>
> On 3/17/2022 8:26 PM, Mickaël Salaün wrote:
>>
>> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>>
>>>
>>> On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
>>>> Hi Konstantin,
>>>>
>>>> This series looks good! Thanks for the split in multiple patches.
>>>>
>>> Thanks. I follow your recommendations.
>>>>
>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>> Hi,
>>>>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>>>>> It brings deep refactoring and commit splitting of previous version V3.
>>>>> Also added additional selftests.
>>>>>
>>>>> This patch series can be applied on top of v5.17-rc3.
>>>>>
>>>>> All tests were run in a QEMU environment and compiled with the -static flag.
>>>>> 1. network_test: 9/9 tests passed.
>>>>
>>>> I get a kernel warning running the network tests.
>>>
>>> What kind of warning? Can you provide it please?
>>
>> You really need to get a setup that gives you such a kernel warning. When running network_test you should get:
>> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270
>>
>> Before sending new patches, please make sure you're able to catch such issues.
>>
>>
>>>>
>>>>> 2. base_test: 8/8 tests passed.
>>>>> 3. fs_test: 46/46 tests passed.
>>>>> 4. ptrace_test: 4/8 tests passed.
>>>>
>>>> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
>>
>> Can you answer this question?
>>
>>
>>>>
>>>>>
>>>>> Tests were also launched for the Landlock version without the v4 patch:
>>>>> 1. base_test: 8/8 tests passed.
>>>>> 2. fs_test: 46/46 tests passed.
>>>>> 3. ptrace_test: 4/8 tests passed.
>>>>>
>>>>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>>>>
> Hi, Mickaël!
> I tried to get base test coverage without the v4 patch applied.
>
> 1. Kernel configuration:
>    - CONFIG_DEBUG_FS=y
>    - CONFIG_GCOV_KERNEL=y
>    - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
> 2. Added GCOV_PROFILE := y in security/landlock/Makefile

I think this is useless because of CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y. I don't add GCOV_PROFILE anyway.

> 3. Compiled the kernel and rebooted the VM with the new one.
> 4. Ran the landlock selftests as the root user:
>    $ cd tools/testing/selftests/landlock
>    $ ./base_test
>    $ ./fs_test
>    $ ./ptrace_test
> 5. Copied the GCOV data to some folder:
>    $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
>    $ cd /gcov-before
>    $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info

I do this step on my host but that should work as long as you have the kernel sources in the same directory. I guess this is not the case. I think you also need GCC >= 4.8.

>
> I got the following result:
> "
> Capturing coverage data from ./landlock
> Found gcov version: 9.4.0
> Using intermediate gcov format
> Scanning ./landlock for .gcda files ...
> Found 7 data files in ./landlock
> Processing landlock/setup.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/setup.gcda:cannot open data file, assuming not executed
> Processing landlock/object.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/object.gcda:cannot open data file, assuming not executed
> Processing landlock/cred.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/cred.gcda:cannot open data file, assuming not executed
> Processing landlock/ruleset.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/ruleset.gcda:cannot open data file, assuming not executed
> Processing landlock/syscalls.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/syscalls.gcda:cannot open data file, assuming not executed
> Processing landlock/fs.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/fs.gcda:cannot open data file, assuming not executed
> Processing landlock/ptrace.gcda
> /home/kmeskhidze/work/src/gcov_before/landlock/ptrace.gcda:cannot open data file, assuming not executed
> Finished .info-file creation
> Reading data file lcov.info
> Found 38 entries.
> Found common filename prefix "/home/kmeskhidze/work/src/linux_5.13_landlock"
> Writing .css and .png files.
> Generating output.
> Processing file arch/x86/include/asm/atomic64_64.h
> Processing file arch/x86/include/asm/bitops.h
> Processing file arch/x86/include/asm/atomic.h
> Processing file arch/x86/include/asm/current.h
> Processing file include/asm-generic/getorder.h
> Processing file include/asm-generic/bitops/instrumented-non-atomic.h
> Processing file include/linux/fs.h
> Processing file include/linux/refcount.h
> Processing file include/linux/kernel.h
> Processing file include/linux/list.h
> Processing file include/linux/sched.h
> Processing file include/linux/overflow.h
> Processing file include/linux/dcache.h
> Processing file include/linux/spinlock.h
> Processing file include/linux/file.h
> Processing file include/linux/rcupdate.h
> Processing file include/linux/err.h
> Processing file include/linux/workqueue.h
> Processing file include/linux/fortify-string.h
> Processing file include/linux/slab.h
> Processing file include/linux/instrumented.h
> Processing file include/linux/uaccess.h
> Processing file include/linux/thread_info.h
> Processing file include/linux/rbtree.h
> Processing file include/linux/log2.h
> Processing file include/linux/atomic/atomic-instrumented.h
> Processing file include/linux/atomic/atomic-long.h
> Processing file security/landlock/fs.c
> Processing file security/landlock/ruleset.h
> Processing file security/landlock/ruleset.c
> Processing file security/landlock/ptrace.c
> Processing file security/landlock/object.h
> Processing file security/landlock/syscalls.c
> Processing file security/landlock/setup.c
> Processing file security/landlock/cred.c
> Processing file security/landlock/object.c
> Processing file security/landlock/fs.h
> Processing file security/landlock/cred.h
> Writing directory view page.
> Overall coverage rate:
>   lines......: 0.0% (0 of 937 lines)
>   functions..: 0.0% (0 of 67 functions)
> "
>
> Looks like the .gcda files were not executed.
> Maybe I missed something. Any thoughts?
On 3/24/2022 3:27 PM, Mickaël Salaün wrote:
>
> On 23/03/2022 17:30, Konstantin Meskhidze wrote:
>>
>>
>> On 3/17/2022 8:26 PM, Mickaël Salaün wrote:
>>>
>>> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>>>
>>>>
>>>> On 3/15/2022 8:02 PM, Mickaël Salaün wrote:
>>>>> Hi Konstantin,
>>>>>
>>>>> This series looks good! Thanks for the split in multiple patches.
>>>>>
>>>> Thanks. I follow your recommendations.
>>>>>
>>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>>> Hi,
>>>>>> This is a new V4 bunch of RFC patches related to Landlock LSM network confinement.
>>>>>> It brings deep refactoring and commit splitting of previous version V3.
>>>>>> Also added additional selftests.
>>>>>>
>>>>>> This patch series can be applied on top of v5.17-rc3.
>>>>>>
>>>>>> All tests were run in a QEMU environment and compiled with the -static flag.
>>>>>> 1. network_test: 9/9 tests passed.
>>>>>
>>>>> I get a kernel warning running the network tests.
>>>>
>>>> What kind of warning? Can you provide it please?
>>>
>>> You really need to get a setup that gives you such a kernel warning. When running network_test you should get:
>>> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218 insert_rule+0x220/0x270
>>>
>>> Before sending new patches, please make sure you're able to catch such issues.
>>>
>>>
>>>>>
>>>>>> 2. base_test: 8/8 tests passed.
>>>>>> 3. fs_test: 46/46 tests passed.
>>>>>> 4. ptrace_test: 4/8 tests passed.
>>>>>
>>>>> Does your test machine use Yama? That would explain the 4/8. You can disable it with the appropriate sysctl.
>>>
>>> Can you answer this question?
>>>
>>>
>>>>>
>>>>>>
>>>>>> Tests were also launched for the Landlock version without the v4 patch:
>>>>>> 1. base_test: 8/8 tests passed.
>>>>>> 2. fs_test: 46/46 tests passed.
>>>>>> 3. ptrace_test: 4/8 tests passed.
>>>>>>
>>>>>> Could not provide test coverage because I had problems with the tests on the VM (the tests were compiled without the -static flag, no v4 patch applied):
>>>>>
>> Hi, Mickaël!
>> I tried to get base test coverage without the v4 patch applied.
>>
>> 1. Kernel configuration:
>>    - CONFIG_DEBUG_FS=y
>>    - CONFIG_GCOV_KERNEL=y
>>    - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
>> 2. Added GCOV_PROFILE := y in security/landlock/Makefile
>
> I think this is useless because of CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y. I don't add GCOV_PROFILE anyway.
>
>
>> 3. Compiled the kernel and rebooted the VM with the new one.
>> 4. Ran the landlock selftests as the root user:
>>    $ cd tools/testing/selftests/landlock
>>    $ ./base_test
>>    $ ./fs_test
>>    $ ./ptrace_test
>> 5. Copied the GCOV data to some folder:
>>    $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
>>    $ cd /gcov-before
>>    $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info
>
> I do this step on my host but that should work as long as you have the kernel sources in the same directory. I guess this is not the case. I think you also need GCC >= 4.8.
>

I found the reason why the .gcda files were not executed:
"lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info"
was not run as the ROOT user.
Running lcov as ROOT solved the issue. I will provide network test coverage in RFC patch V5.
Thanks for the help anyway.

>>
>> I got the following result:
>> "
>> Capturing coverage data from ./landlock
>> Found gcov version: 9.4.0
>> Using intermediate gcov format
>> Scanning ./landlock for .gcda files ...
>> Found 7 data files in ./landlock
>> Processing landlock/setup.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/setup.gcda:cannot open data file, assuming not executed
>> Processing landlock/object.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/object.gcda:cannot open data file, assuming not executed
>> Processing landlock/cred.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/cred.gcda:cannot open data file, assuming not executed
>> Processing landlock/ruleset.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/ruleset.gcda:cannot open data file, assuming not executed
>> Processing landlock/syscalls.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/syscalls.gcda:cannot open data file, assuming not executed
>> Processing landlock/fs.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/fs.gcda:cannot open data file, assuming not executed
>> Processing landlock/ptrace.gcda
>> /home/kmeskhidze/work/src/gcov_before/landlock/ptrace.gcda:cannot open data file, assuming not executed
>> Finished .info-file creation
>> Reading data file lcov.info
>> Found 38 entries.
>> Found common filename prefix "/home/kmeskhidze/work/src/linux_5.13_landlock"
>> Writing .css and .png files.
>> Generating output.
>> Processing file arch/x86/include/asm/atomic64_64.h
>> Processing file arch/x86/include/asm/bitops.h
>> Processing file arch/x86/include/asm/atomic.h
>> Processing file arch/x86/include/asm/current.h
>> Processing file include/asm-generic/getorder.h
>> Processing file include/asm-generic/bitops/instrumented-non-atomic.h
>> Processing file include/linux/fs.h
>> Processing file include/linux/refcount.h
>> Processing file include/linux/kernel.h
>> Processing file include/linux/list.h
>> Processing file include/linux/sched.h
>> Processing file include/linux/overflow.h
>> Processing file include/linux/dcache.h
>> Processing file include/linux/spinlock.h
>> Processing file include/linux/file.h
>> Processing file include/linux/rcupdate.h
>> Processing file include/linux/err.h
>> Processing file include/linux/workqueue.h
>> Processing file include/linux/fortify-string.h
>> Processing file include/linux/slab.h
>> Processing file include/linux/instrumented.h
>> Processing file include/linux/uaccess.h
>> Processing file include/linux/thread_info.h
>> Processing file include/linux/rbtree.h
>> Processing file include/linux/log2.h
>> Processing file include/linux/atomic/atomic-instrumented.h
>> Processing file include/linux/atomic/atomic-long.h
>> Processing file security/landlock/fs.c
>> Processing file security/landlock/ruleset.h
>> Processing file security/landlock/ruleset.c
>> Processing file security/landlock/ptrace.c
>> Processing file security/landlock/object.h
>> Processing file security/landlock/syscalls.c
>> Processing file security/landlock/setup.c
>> Processing file security/landlock/cred.c
>> Processing file security/landlock/object.c
>> Processing file security/landlock/fs.h
>> Processing file security/landlock/cred.h
>> Writing directory view page.
>> Overall coverage rate:
>>   lines......: 0.0% (0 of 937 lines)
>>   functions..: 0.0% (0 of 67 functions)
>> "
>>
>> Looks like the .gcda files were not executed.
>> Maybe I missed something. Any thoughts?
On 24/03/2022 14:34, Konstantin Meskhidze wrote:
>
>
> 3/24/2022 3:27 PM, Mickaël Salaün writes:
>>
>> On 23/03/2022 17:30, Konstantin Meskhidze wrote:
>>>
>>>
>>> 3/17/2022 8:26 PM, Mickaël Salaün writes:
>>>>
>>>> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>>>>
>>>>>
>>>>> 3/15/2022 8:02 PM, Mickaël Salaün writes:
>>>>>> Hi Konstantin,
>>>>>>
>>>>>> This series looks good! Thanks for the split in multiple patches.
>>>>>>
>>>>> Thanks. I follow your recommendations.
>>>>>>
>>>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>>>> Hi,
>>>>>>> This is a new V4 bunch of RFC patches related to Landlock LSM
>>>>>>> network confinement.
>>>>>>> It brings deep refactoring and commit splitting of previous
>>>>>>> version V3.
>>>>>>> Also added additional selftests.
>>>>>>>
>>>>>>> This patch series can be applied on top of v5.17-rc3.
>>>>>>>
>>>>>>> All tests were run in a QEMU environment and compiled with
>>>>>>> the -static flag.
>>>>>>> 1. network_test: 9/9 tests passed.
>>>>>>
>>>>>> I get a kernel warning running the network tests.
>>>>>
>>>>> What kind of warning? Can you provide it please?
>>>>
>>>> You really need to get a setup that gives you such kernel warning.
>>>> When running network_test you should get:
>>>> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218
>>>> insert_rule+0x220/0x270
>>>>
>>>> Before sending new patches, please make sure you're able to catch
>>>> such issues.
>>>>
>>>>
>>>>>>
>>>>>>> 2. base_test: 8/8 tests passed.
>>>>>>> 3. fs_test: 46/46 tests passed.
>>>>>>> 4. ptrace_test: 4/8 tests passed.
>>>>>>
>>>>>> Does your test machine use Yama? That would explain the 4/8. You
>>>>>> can disable it with the appropriate sysctl.
>>>>
>>>> Can you answer this question?
>>>>
>>>>
>>>>>>
>>>>>>>
>>>>>>> Tests were also launched for Landlock version without
>>>>>>> v4 patch:
>>>>>>> 1. base_test: 8/8 tests passed.
>>>>>>> 2. fs_test: 46/46 tests passed.
>>>>>>> 3. ptrace_test: 4/8 tests passed.
>>>>>>>
>>>>>>> Could not provide test coverage because I had problems with tests
>>>>>>> on the VM (no -static flag when compiling the tests, no v4 patch applied):
>>>>>>
>>> Hi, Mickaël!
>>> I tried to get base test coverage without v4 patch applied.
>>>
>>> 1. Kernel configuration:
>>>    - CONFIG_DEBUG_FS=y
>>>    - CONFIG_GCOV_KERNEL=y
>>>    - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
>>> 2. Added GCOV_PROFILE := y in security/landlock/Makefile
>>
>> I think this is useless because of CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y.
>> I don't add GCOV_PROFILE anyway.
>>
>>
>>> 3. Compiled kernel and rebooted VM with the new one.
>>> 4. Ran landlock selftests as root user:
>>>    $ cd tools/testing/selftests/landlock
>>>    $ ./base_test
>>>    $ ./fs_test
>>>    $ ./ptrace_test
>>> 5. Copied GCOV data to some folder:
>>>    $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
>>>    $ cd /gcov-before
>>>    $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info
>>
>> I do this step on my host but that should work as long as you have the
>> kernel sources in the same directory. I guess this is not the case. I
>> think you also need GCC >= 4.8 .
>>
> I found the reason why .gcda files were not executed:
> "lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info"
> was run not under the ROOT user.
> Running lcov as ROOT solved the issue. I will provide network test
> coverage in RFC patch V5.
> Thanks for help anyway.

I run lcov as a normal user with kernel source access.

I'll review the other patches soon. But for the next series, please don't
reuse "Landlock LSM" as a cover letter subject, something like "Network
support for Landlock" would fit better. ;)
3/24/2022 6:30 PM, Mickaël Salaün writes:
>
>
> On 24/03/2022 14:34, Konstantin Meskhidze wrote:
>>
>>
>> 3/24/2022 3:27 PM, Mickaël Salaün writes:
>>>
>>> On 23/03/2022 17:30, Konstantin Meskhidze wrote:
>>>>
>>>>
>>>> 3/17/2022 8:26 PM, Mickaël Salaün writes:
>>>>>
>>>>> On 17/03/2022 14:01, Konstantin Meskhidze wrote:
>>>>>>
>>>>>>
>>>>>> 3/15/2022 8:02 PM, Mickaël Salaün writes:
>>>>>>> Hi Konstantin,
>>>>>>>
>>>>>>> This series looks good! Thanks for the split in multiple patches.
>>>>>>>
>>>>>> Thanks. I follow your recommendations.
>>>>>>>
>>>>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>>>>> Hi,
>>>>>>>> This is a new V4 bunch of RFC patches related to Landlock LSM
>>>>>>>> network confinement.
>>>>>>>> It brings deep refactoring and commit splitting of previous
>>>>>>>> version V3.
>>>>>>>> Also added additional selftests.
>>>>>>>>
>>>>>>>> This patch series can be applied on top of v5.17-rc3.
>>>>>>>>
>>>>>>>> All tests were run in a QEMU environment and compiled with
>>>>>>>> the -static flag.
>>>>>>>> 1. network_test: 9/9 tests passed.
>>>>>>>
>>>>>>> I get a kernel warning running the network tests.
>>>>>>
>>>>>> What kind of warning? Can you provide it please?
>>>>>
>>>>> You really need to get a setup that gives you such kernel warning.
>>>>> When running network_test you should get:
>>>>> WARNING: CPU: 3 PID: 742 at security/landlock/ruleset.c:218
>>>>> insert_rule+0x220/0x270
>>>>>
>>>>> Before sending new patches, please make sure you're able to catch
>>>>> such issues.
>>>>>
>>>>>
>>>>>>>
>>>>>>>> 2. base_test: 8/8 tests passed.
>>>>>>>> 3. fs_test: 46/46 tests passed.
>>>>>>>> 4. ptrace_test: 4/8 tests passed.
>>>>>>>
>>>>>>> Does your test machine use Yama? That would explain the 4/8. You
>>>>>>> can disable it with the appropriate sysctl.
>>>>>
>>>>> Can you answer this question?
>>>>>
>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Tests were also launched for Landlock version without
>>>>>>>> v4 patch:
>>>>>>>> 1. base_test: 8/8 tests passed.
>>>>>>>> 2. fs_test: 46/46 tests passed.
>>>>>>>> 3. ptrace_test: 4/8 tests passed.
>>>>>>>>
>>>>>>>> Could not provide test coverage because I had problems with tests
>>>>>>>> on the VM (no -static flag when compiling the tests, no v4 patch applied):
>>>>>>>
>>>> Hi, Mickaël!
>>>> I tried to get base test coverage without v4 patch applied.
>>>>
>>>> 1. Kernel configuration:
>>>>    - CONFIG_DEBUG_FS=y
>>>>    - CONFIG_GCOV_KERNEL=y
>>>>    - CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
>>>> 2. Added GCOV_PROFILE := y in security/landlock/Makefile
>>>
>>> I think this is useless because of
>>> CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y. I don't add GCOV_PROFILE anyway.
>>>
>>>
>>>> 3. Compiled kernel and rebooted VM with the new one.
>>>> 4. Ran landlock selftests as root user:
>>>>    $ cd tools/testing/selftests/landlock
>>>>    $ ./base_test
>>>>    $ ./fs_test
>>>>    $ ./ptrace_test
>>>> 5. Copied GCOV data to some folder:
>>>>    $ cp -r /sys/kernel/debug/gcov/<source-dir>/linux/security/landlock/ /gcov-before
>>>>    $ cd /gcov-before
>>>>    $ lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info
>>>
>>> I do this step on my host but that should work as long as you have
>>> the kernel sources in the same directory. I guess this is not the
>>> case. I think you also need GCC >= 4.8 .
>>>
>> I found the reason why .gcda files were not executed:
>> "lcov -c -d ./landlock -o lcov.info && genhtml -o html lcov.info"
>> was run not under the ROOT user.
>> Running lcov as ROOT solved the issue. I will provide network test
>> coverage in RFC patch V5.
>> Thanks for help anyway.
>
> I run lcov as a normal user with kernel source access.
>
> I'll review the other patches soon. But for the next series, please
> don't reuse "Landlock LSM" as a cover letter subject, something like
> "Network support for Landlock" would fit better. ;)

No problem. Thanks.