[v7,13/18] seltests/landlock: add AF_UNSPEC family test

Message ID	20220829170401.834298-14-konstantin.meskhidze@huawei.com (mailing list archive)
State	Handled Elsewhere
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> To: <mic@digikod.net> CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>, <linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>, <hukeping@huawei.com>, <anton.sirazetdinov@huawei.com> Subject: [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test Date: Tue, 30 Aug 2022 01:03:56 +0800 Message-ID: <20220829170401.834298-14-konstantin.meskhidze@huawei.com> In-Reply-To: <20220829170401.834298-1-konstantin.meskhidze@huawei.com> References: <20220829170401.834298-1-konstantin.meskhidze@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	Network support for Landlock \| expand [v7,00/18] Network support for Landlock [v7,01/18] landlock: rename access mask [v7,02/18] landlock: refactor landlock_find_rule/insert_rule [v7,03/18] landlock: refactor merge/inherit_ruleset functions [v7,04/18] landlock: move helper functions [v7,05/18] landlock: refactor helper functions [v7,06/18] landlock: refactor landlock_add_rule syscall [v7,07/18] landlock: user space API network support [v7,08/18] landlock: add network rules support [v7,09/18] landlock: implement TCP network hooks [v7,10/18] seltests/landlock: move helper function [v7,11/18] seltests/landlock: add tests for bind() hooks [v7,12/18] seltests/landlock: add tests for connect() hooks [v7,13/18] seltests/landlock: add AF_UNSPEC family test [v7,14/18] seltests/landlock: add rules overlapping test [v7,15/18] seltests/landlock: add ruleset expanding test [v7,16/18] seltests/landlock: add invalid input data test [v7,17/18] samples/landlock: add network demo [v7,18/18] landlock: Document Landlock's network support

Message ID

20220829170401.834298-14-konstantin.meskhidze@huawei.com (mailing list archive)

State

Handled Elsewhere

Headers

From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>,
        <linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
        <netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
        <hukeping@huawei.com>, <anton.sirazetdinov@huawei.com>
Subject: [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test
Date: Tue, 30 Aug 2022 01:03:56 +0800
Message-ID: <20220829170401.834298-14-konstantin.meskhidze@huawei.com>
In-Reply-To: <20220829170401.834298-1-konstantin.meskhidze@huawei.com>
References: <20220829170401.834298-1-konstantin.meskhidze@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

Network support for Landlock | expand

Commit Message

Konstantin Meskhidze (A) Aug. 29, 2022, 5:03 p.m. UTC

Adds two selftests for connect() action with AF_UNSPEC family flag.
The one is with no landlock restrictions allows to disconnect already
connected socket with connect(..., AF_UNSPEC, ...):
    - connect_afunspec_no_restictions;
The second one refuses landlocked process to disconnect already
connected socket:
    - connect_afunspec_with_restictions;

Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---

Changes since v6:
* None.

Changes since v5:
* Formats code with clang-format-14.

Changes since v4:
* Refactors code with self->port, self->addr4 variables.
* Adds bind() hook check for with AF_UNSPEC family.

Changes since v3:
* Adds connect_afunspec_no_restictions test.
* Adds connect_afunspec_with_restictions test.

---
 tools/testing/selftests/landlock/net_test.c | 113 ++++++++++++++++++++
 1 file changed, 113 insertions(+)

--
2.25.1

Comments

Mickaël Salaün Sept. 6, 2022, 8:09 a.m. UTC | #1

On 29/08/2022 19:03, Konstantin Meskhidze wrote:
> Adds two selftests for connect() action with AF_UNSPEC family flag.
> The one is with no landlock restrictions allows to disconnect already
> connected socket with connect(..., AF_UNSPEC, ...):
>      - connect_afunspec_no_restictions;

Typo: "restrictions" (everywhere)


> The second one refuses landlocked process to disconnect already
> connected socket:
>      - connect_afunspec_with_restictions;
> 
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> ---
> 
> Changes since v6:
> * None.
> 
> Changes since v5:
> * Formats code with clang-format-14.
> 
> Changes since v4:
> * Refactors code with self->port, self->addr4 variables.
> * Adds bind() hook check for with AF_UNSPEC family.
> 
> Changes since v3:
> * Adds connect_afunspec_no_restictions test.
> * Adds connect_afunspec_with_restictions test.
> 
> ---
>   tools/testing/selftests/landlock/net_test.c | 113 ++++++++++++++++++++
>   1 file changed, 113 insertions(+)
> 
> diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
> index 9c3d1e425439..40aef7c683af 100644
> --- a/tools/testing/selftests/landlock/net_test.c
> +++ b/tools/testing/selftests/landlock/net_test.c
> @@ -351,4 +351,117 @@ TEST_F(socket, connect_with_restrictions)
>   	ASSERT_EQ(1, WIFEXITED(status));
>   	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>   }
> +
> +TEST_F(socket, connect_afunspec_no_restictions)
> +{
> +	int sockfd;
> +	pid_t child;
> +	int status;
> +
> +	/* Creates a server socket 1. */
> +	sockfd = create_socket_variant(variant, SOCK_STREAM);
> +	ASSERT_LE(0, sockfd);
> +
> +	/* Binds the socket 1 to address with port[0]. */
> +	ASSERT_EQ(0, bind_variant(variant, sockfd, self, 0));
> +
> +	/* Makes connection to the socket with port[0]. */
> +	ASSERT_EQ(0, connect_variant(variant, sockfd, self, 0));
> +
> +	child = fork();
> +	ASSERT_LE(0, child);
> +	if (child == 0) {
> +		struct sockaddr addr_unspec = { .sa_family = AF_UNSPEC };

You can constify several variable like this one (in all tests).

Konstantin Meskhidze (A) Sept. 10, 2022, 8:48 p.m. UTC | #2

9/6/2022 11:09 AM, Mickaël Salaün пишет:
> 
> On 29/08/2022 19:03, Konstantin Meskhidze wrote:
>> Adds two selftests for connect() action with AF_UNSPEC family flag.
>> The one is with no landlock restrictions allows to disconnect already
>> connected socket with connect(..., AF_UNSPEC, ...):
>>      - connect_afunspec_no_restictions;
> 
> Typo: "restrictions" (everywhere)
> 
   My mistake. Thanks.
> 
>> The second one refuses landlocked process to disconnect already
>> connected socket:
>>      - connect_afunspec_with_restictions;
>> 
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> ---
>> 
>> Changes since v6:
>> * None.
>> 
>> Changes since v5:
>> * Formats code with clang-format-14.
>> 
>> Changes since v4:
>> * Refactors code with self->port, self->addr4 variables.
>> * Adds bind() hook check for with AF_UNSPEC family.
>> 
>> Changes since v3:
>> * Adds connect_afunspec_no_restictions test.
>> * Adds connect_afunspec_with_restictions test.
>> 
>> ---
>>   tools/testing/selftests/landlock/net_test.c | 113 ++++++++++++++++++++
>>   1 file changed, 113 insertions(+)
>> 
>> diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
>> index 9c3d1e425439..40aef7c683af 100644
>> --- a/tools/testing/selftests/landlock/net_test.c
>> +++ b/tools/testing/selftests/landlock/net_test.c
>> @@ -351,4 +351,117 @@ TEST_F(socket, connect_with_restrictions)
>>   	ASSERT_EQ(1, WIFEXITED(status));
>>   	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>>   }
>> +
>> +TEST_F(socket, connect_afunspec_no_restictions)
>> +{
>> +	int sockfd;
>> +	pid_t child;
>> +	int status;
>> +
>> +	/* Creates a server socket 1. */
>> +	sockfd = create_socket_variant(variant, SOCK_STREAM);
>> +	ASSERT_LE(0, sockfd);
>> +
>> +	/* Binds the socket 1 to address with port[0]. */
>> +	ASSERT_EQ(0, bind_variant(variant, sockfd, self, 0));
>> +
>> +	/* Makes connection to the socket with port[0]. */
>> +	ASSERT_EQ(0, connect_variant(variant, sockfd, self, 0));
>> +
>> +	child = fork();
>> +	ASSERT_LE(0, child);
>> +	if (child == 0) {
>> +		struct sockaddr addr_unspec = { .sa_family = AF_UNSPEC };
> 
> You can constify several variable like this one (in all tests).

   Got it. thanks.
> 
> .

diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 9c3d1e425439..40aef7c683af 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -351,4 +351,117 @@  TEST_F(socket, connect_with_restrictions)
 	ASSERT_EQ(1, WIFEXITED(status));
 	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
 }
+
+TEST_F(socket, connect_afunspec_no_restictions)
+{
+	int sockfd;
+	pid_t child;
+	int status;
+
+	/* Creates a server socket 1. */
+	sockfd = create_socket_variant(variant, SOCK_STREAM);
+	ASSERT_LE(0, sockfd);
+
+	/* Binds the socket 1 to address with port[0]. */
+	ASSERT_EQ(0, bind_variant(variant, sockfd, self, 0));
+
+	/* Makes connection to the socket with port[0]. */
+	ASSERT_EQ(0, connect_variant(variant, sockfd, self, 0));
+
+	child = fork();
+	ASSERT_LE(0, child);
+	if (child == 0) {
+		struct sockaddr addr_unspec = { .sa_family = AF_UNSPEC };
+
+		/* Child tries to disconnect already connected socket. */
+		ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&addr_unspec,
+				     sizeof(addr_unspec)));
+		_exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
+		return;
+	}
+	/* Closes listening socket 1 for the parent. */
+	ASSERT_EQ(0, close(sockfd));
+
+	ASSERT_EQ(child, waitpid(child, &status, 0));
+	ASSERT_EQ(1, WIFEXITED(status));
+	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+}
+
+TEST_F(socket, connect_afunspec_with_restictions)
+{
+	int sockfd;
+	pid_t child;
+	int status;
+
+	struct landlock_ruleset_attr ruleset_attr_1 = {
+		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
+	};
+	struct landlock_net_service_attr net_service_1 = {
+		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+
+		.port = self->port[0],
+	};
+
+	struct landlock_ruleset_attr ruleset_attr_2 = {
+		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
+	};
+	struct landlock_net_service_attr net_service_2 = {
+		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
+
+		.port = self->port[0],
+	};
+
+	const int ruleset_fd_1 = landlock_create_ruleset(
+		&ruleset_attr_1, sizeof(ruleset_attr_1), 0);
+	ASSERT_LE(0, ruleset_fd_1);
+
+	/* Allows bind operations to the port[0] socket. */
+	ASSERT_EQ(0, landlock_add_rule(ruleset_fd_1, LANDLOCK_RULE_NET_SERVICE,
+				       &net_service_1, 0));
+
+	/* Enforces the ruleset. */
+	enforce_ruleset(_metadata, ruleset_fd_1);
+
+	/* Creates a server socket 1. */
+	sockfd = create_socket_variant(variant, SOCK_STREAM);
+	ASSERT_LE(0, sockfd);
+
+	/* Binds the socket 1 to address with port[0]. */
+	ASSERT_EQ(0, bind_variant(variant, sockfd, self, 0));
+
+	/* Makes connection to socket with port[0]. */
+	ASSERT_EQ(0, connect_variant(variant, sockfd, self, 0));
+
+	const int ruleset_fd_2 = landlock_create_ruleset(
+		&ruleset_attr_2, sizeof(ruleset_attr_2), 0);
+	ASSERT_LE(0, ruleset_fd_2);
+
+	/* Allows connect and bind operations to the port[0] socket. */
+	ASSERT_EQ(0, landlock_add_rule(ruleset_fd_2, LANDLOCK_RULE_NET_SERVICE,
+				       &net_service_2, 0));
+
+	/* Enforces the ruleset. */
+	enforce_ruleset(_metadata, ruleset_fd_2);
+
+	child = fork();
+	ASSERT_LE(0, child);
+	if (child == 0) {
+		struct sockaddr addr_unspec = { .sa_family = AF_UNSPEC };
+
+		/* Child tries to disconnect already connected socket. */
+		ASSERT_EQ(-1, connect(sockfd, (struct sockaddr *)&addr_unspec,
+				      sizeof(addr_unspec)));
+		ASSERT_EQ(EACCES, errno);
+		_exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
+		return;
+	}
+	/* Closes listening socket 1 for the parent. */
+	ASSERT_EQ(0, close(sockfd));
+
+	ASSERT_EQ(child, waitpid(child, &status, 0));
+	ASSERT_EQ(1, WIFEXITED(status));
+	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
+}
 TEST_HARNESS_MAIN

[v7,13/18] seltests/landlock: add AF_UNSPEC family test

Commit Message

Comments

Patch