From patchwork Thu Oct 17 11:04:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839850 Received: from szxga06-in.huawei.com (szxga06-in.huawei.com [45.249.212.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 69D121D31A8; Thu, 17 Oct 2024 11:05:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.32 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163134; cv=none; b=c4A84NXi6c0WLlA+p+h1GFyeJPzfCN/RfE9Kj5spV/3s7GwQXtt6HlV1KNDQEKJsb0iYmVz5k6NulKx0dI2OhYwKVgflhNdlth8cgoJhLABh/Rlo8acNJXZMEuqAFRy2xpd+bh9igXFJAWt+UOT/jgD9sHjeTtDUdSWxh2HOq90= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163134; c=relaxed/simple; bh=GYAQ/AAExQ+JQsOxqy/LCiWPZr5UqpIYvsBQuLBlPZE=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Y+gvFYnYRN/j47olCmj5osz8AWX19xUpHDuM+WxDjFsplU6l7iQhBqeI2O9C1/uDMynFDXK1OxnbJ0bXJK4YrUPiZ4n38lGrApgaEv+cO5gNHplJsBE9BGd83xwh6jKC9cBWXMMy1HvgDodhoq3lO7mnPsNFwBzDavomZVA4vzc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.32 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.88.234]) by szxga06-in.huawei.com (SkyGuard) with ESMTP id 4XTlP25FHHz1yn45; Thu, 17 Oct 2024 19:05:26 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id 9F58D1402C6; Thu, 17 Oct 2024 19:05:20 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:18 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction Date: Thu, 17 Oct 2024 19:04:47 +0800 Message-ID: <20241017110454.265818-2-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Do not check TCP access right if socket protocol is not IPPROTO_TCP. LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP should not restrict bind(2) and connect(2) for non-TCP protocols (SCTP, MPTCP, SMC). sk_is_tcp() is used for this to check address family of the socket before doing INET-specific address length validation. This is required for error consistency. Closes: https://github.com/landlock-lsm/linux/issues/40 Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") Signed-off-by: Mikhail Ivanov --- Changes since v1: * Validate socket family (=INET{,6}) before any other checks with sk_is_tcp(). --- security/landlock/net.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/landlock/net.c b/security/landlock/net.c index fdc1bb0a9c5d..1e80782ba239 100644 --- a/security/landlock/net.c +++ b/security/landlock/net.c @@ -66,8 +66,8 @@ static int current_check_access_socket(struct socket *const sock, if (WARN_ON_ONCE(dom->num_layers < 1)) return -EACCES; - /* Checks if it's a (potential) TCP socket. */ - if (sock->type != SOCK_STREAM) + /* Do not restrict non-TCP sockets. */ + if (!sk_is_tcp(sock->sk)) return 0; /* Checks for minimal header length to safely read sa_family. */ From patchwork Thu Oct 17 11:04:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839857 Received: from szxga07-in.huawei.com (szxga07-in.huawei.com [45.249.212.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0EFC1DC18B; Thu, 17 Oct 2024 11:06:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.35 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163172; cv=none; b=kUcFKUaEECOQykftKMUsjFbYZ/OQzedcBeiSQQVKVUvlWG5+kUevXMyi+WK4KS1485PD4X4WfZm/PAh8LA9UgP4cE88ge0CTf1anwP66XR3K3z1ezoQ9AVSTu00fi/0ii1Fw6eDFwEJ9TyUh1/yxctyKZKbQXZZUUMGtNLoVeu0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163172; c=relaxed/simple; bh=CNy4tFk/oJMe69u+X5tvMuo8DdxjVbr73T+cNCTyB4E=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=pNYi5vk2d9Ebe/eDz36qKTq20LaK/9ORRzuGAjUhgSvBLc5/U4HVz8FaxKgRYtzFxtTybrNFYHoATmnszn5k1Ed5CmL7ID4xyxSxJSiI60JEToQCKzl4JkH2aAfaJ9wjlCeZDikWg9QDd5HemCLp8NCrNW4pbHp07RMELVLwb6I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.35 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.162.112]) by szxga07-in.huawei.com (SkyGuard) with ESMTP id 4XTlMV4hwnz1SCq8; Thu, 17 Oct 2024 19:04:06 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id B644F140109; Thu, 17 Oct 2024 19:05:22 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:20 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 2/8] landlock: Make network stack layer checks explicit for each TCP action Date: Thu, 17 Oct 2024 19:04:48 +0800 Message-ID: <20241017110454.265818-3-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Move port extraction and TCP checks required for errors consistency to hook_socket_bind() and hook_socket_connect(). This separation simplifies the comparison with the order of network stack layer errors for each controlled operation. Replace current_check_access_socket() with check_access_port(). Use sk->sk_family instead of sk->__sk_common.skc_family. Signed-off-by: Mikhail Ivanov --- security/landlock/net.c | 414 ++++++++++++++++++++++------------------ 1 file changed, 228 insertions(+), 186 deletions(-) rewrite security/landlock/net.c (22%) diff --git a/security/landlock/net.c b/security/landlock/net.c dissimilarity index 22% index 1e80782ba239..a3142f9b15ee 100644 --- a/security/landlock/net.c +++ b/security/landlock/net.c @@ -1,186 +1,228 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * Landlock LSM - Network management and hooks - * - * Copyright © 2022-2023 Huawei Tech. Co., Ltd. - * Copyright © 2022-2023 Microsoft Corporation - */ - -#include -#include -#include -#include - -#include "common.h" -#include "cred.h" -#include "limits.h" -#include "net.h" -#include "ruleset.h" - -int landlock_append_net_rule(struct landlock_ruleset *const ruleset, - const u16 port, access_mask_t access_rights) -{ - int err; - const struct landlock_id id = { - .key.data = (__force uintptr_t)htons(port), - .type = LANDLOCK_KEY_NET_PORT, - }; - - BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); - - /* Transforms relative access rights to absolute ones. */ - access_rights |= LANDLOCK_MASK_ACCESS_NET & - ~landlock_get_net_access_mask(ruleset, 0); - - mutex_lock(&ruleset->lock); - err = landlock_insert_rule(ruleset, id, access_rights); - mutex_unlock(&ruleset->lock); - - return err; -} - -static const struct landlock_ruleset *get_current_net_domain(void) -{ - const union access_masks any_net = { - .net = ~0, - }; - - return landlock_match_ruleset(landlock_get_current_domain(), any_net); -} - -static int current_check_access_socket(struct socket *const sock, - struct sockaddr *const address, - const int addrlen, - access_mask_t access_request) -{ - __be16 port; - layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; - const struct landlock_rule *rule; - struct landlock_id id = { - .type = LANDLOCK_KEY_NET_PORT, - }; - const struct landlock_ruleset *const dom = get_current_net_domain(); - - if (!dom) - return 0; - if (WARN_ON_ONCE(dom->num_layers < 1)) - return -EACCES; - - /* Do not restrict non-TCP sockets. */ - if (!sk_is_tcp(sock->sk)) - return 0; - - /* Checks for minimal header length to safely read sa_family. */ - if (addrlen < offsetofend(typeof(*address), sa_family)) - return -EINVAL; - - switch (address->sa_family) { - case AF_UNSPEC: - case AF_INET: - if (addrlen < sizeof(struct sockaddr_in)) - return -EINVAL; - port = ((struct sockaddr_in *)address)->sin_port; - break; - -#if IS_ENABLED(CONFIG_IPV6) - case AF_INET6: - if (addrlen < SIN6_LEN_RFC2133) - return -EINVAL; - port = ((struct sockaddr_in6 *)address)->sin6_port; - break; -#endif /* IS_ENABLED(CONFIG_IPV6) */ - - default: - return 0; - } - - /* Specific AF_UNSPEC handling. */ - if (address->sa_family == AF_UNSPEC) { - /* - * Connecting to an address with AF_UNSPEC dissolves the TCP - * association, which have the same effect as closing the - * connection while retaining the socket object (i.e., the file - * descriptor). As for dropping privileges, closing - * connections is always allowed. - * - * For a TCP access control system, this request is legitimate. - * Let the network stack handle potential inconsistencies and - * return -EINVAL if needed. - */ - if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) - return 0; - - /* - * For compatibility reason, accept AF_UNSPEC for bind - * accesses (mapped to AF_INET) only if the address is - * INADDR_ANY (cf. __inet_bind). Checking the address is - * required to not wrongfully return -EACCES instead of - * -EAFNOSUPPORT. - * - * We could return 0 and let the network stack handle these - * checks, but it is safer to return a proper error and test - * consistency thanks to kselftest. - */ - if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { - /* addrlen has already been checked for AF_UNSPEC. */ - const struct sockaddr_in *const sockaddr = - (struct sockaddr_in *)address; - - if (sock->sk->__sk_common.skc_family != AF_INET) - return -EINVAL; - - if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) - return -EAFNOSUPPORT; - } - } else { - /* - * Checks sa_family consistency to not wrongfully return - * -EACCES instead of -EINVAL. Valid sa_family changes are - * only (from AF_INET or AF_INET6) to AF_UNSPEC. - * - * We could return 0 and let the network stack handle this - * check, but it is safer to return a proper error and test - * consistency thanks to kselftest. - */ - if (address->sa_family != sock->sk->__sk_common.skc_family) - return -EINVAL; - } - - id.key.data = (__force uintptr_t)port; - BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); - - rule = landlock_find_rule(dom, id); - access_request = landlock_init_layer_masks( - dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); - if (landlock_unmask_layers(rule, access_request, &layer_masks, - ARRAY_SIZE(layer_masks))) - return 0; - - return -EACCES; -} - -static int hook_socket_bind(struct socket *const sock, - struct sockaddr *const address, const int addrlen) -{ - return current_check_access_socket(sock, address, addrlen, - LANDLOCK_ACCESS_NET_BIND_TCP); -} - -static int hook_socket_connect(struct socket *const sock, - struct sockaddr *const address, - const int addrlen) -{ - return current_check_access_socket(sock, address, addrlen, - LANDLOCK_ACCESS_NET_CONNECT_TCP); -} - -static struct security_hook_list landlock_hooks[] __ro_after_init = { - LSM_HOOK_INIT(socket_bind, hook_socket_bind), - LSM_HOOK_INIT(socket_connect, hook_socket_connect), -}; - -__init void landlock_add_net_hooks(void) -{ - security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - &landlock_lsmid); -} +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Network management and hooks + * + * Copyright © 2022-2023 Huawei Tech. Co., Ltd. + * Copyright © 2022-2023 Microsoft Corporation + */ + +#include +#include +#include +#include + +#include "common.h" +#include "cred.h" +#include "limits.h" +#include "net.h" +#include "ruleset.h" + +int landlock_append_net_rule(struct landlock_ruleset *const ruleset, + const u16 port, access_mask_t access_rights) +{ + int err; + const struct landlock_id id = { + .key.data = (__force uintptr_t)htons(port), + .type = LANDLOCK_KEY_NET_PORT, + }; + + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); + + /* Transforms relative access rights to absolute ones. */ + access_rights |= LANDLOCK_MASK_ACCESS_NET & + ~landlock_get_net_access_mask(ruleset, 0); + + mutex_lock(&ruleset->lock); + err = landlock_insert_rule(ruleset, id, access_rights); + mutex_unlock(&ruleset->lock); + + return err; +} + +static const struct landlock_ruleset *get_current_net_domain(void) +{ + const union access_masks any_net = { + .net = ~0, + }; + + return landlock_match_ruleset(landlock_get_current_domain(), any_net); +} + +static int check_access_port(const struct landlock_ruleset *const dom, + __be16 port, access_mask_t access_request) +{ + layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; + const struct landlock_rule *rule; + struct landlock_id id = { + .type = LANDLOCK_KEY_NET_PORT, + }; + + id.key.data = (__force uintptr_t)port; + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); + + rule = landlock_find_rule(dom, id); + access_request = landlock_init_layer_masks( + dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); + if (landlock_unmask_layers(rule, access_request, &layer_masks, + ARRAY_SIZE(layer_masks))) + return 0; + + return -EACCES; +} + +static int hook_socket_bind(struct socket *const sock, + struct sockaddr *const address, const int addrlen) +{ + __be16 port; + struct sock *const sk = sock->sk; + const struct landlock_ruleset *const dom = get_current_net_domain(); + + if (!dom) + return 0; + if (WARN_ON_ONCE(dom->num_layers < 1)) + return -EACCES; + + if (sk_is_tcp(sk)) { + /* Checks for minimal header length to safely read sa_family. */ + if (addrlen < offsetofend(typeof(*address), sa_family)) + return -EINVAL; + + switch (address->sa_family) { + case AF_UNSPEC: + case AF_INET: + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + port = ((struct sockaddr_in *)address)->sin_port; + break; + +#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + port = ((struct sockaddr_in6 *)address)->sin6_port; + break; +#endif /* IS_ENABLED(CONFIG_IPV6) */ + + default: + return 0; + } + + /* + * For compatibility reason, accept AF_UNSPEC for bind + * accesses (mapped to AF_INET) only if the address is + * INADDR_ANY (cf. __inet_bind). Checking the address is + * required to not wrongfully return -EACCES instead of + * -EAFNOSUPPORT. + * + * We could return 0 and let the network stack handle these + * checks, but it is safer to return a proper error and test + * consistency thanks to kselftest. + */ + if (address->sa_family == AF_UNSPEC) { + /* addrlen has already been checked for AF_UNSPEC. */ + const struct sockaddr_in *const sockaddr = + (struct sockaddr_in *)address; + + if (sk->sk_family != AF_INET) + return -EINVAL; + + if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) + return -EAFNOSUPPORT; + } else { + /* + * Checks sa_family consistency to not wrongfully return + * -EACCES instead of -EINVAL. Valid sa_family changes are + * only (from AF_INET or AF_INET6) to AF_UNSPEC. + * + * We could return 0 and let the network stack handle this + * check, but it is safer to return a proper error and test + * consistency thanks to kselftest. + */ + if (address->sa_family != sk->sk_family) + return -EINVAL; + } + return check_access_port(dom, port, + LANDLOCK_ACCESS_NET_BIND_TCP); + } + return 0; +} + +static int hook_socket_connect(struct socket *const sock, + struct sockaddr *const address, + const int addrlen) +{ + __be16 port; + struct sock *const sk = sock->sk; + const struct landlock_ruleset *const dom = get_current_net_domain(); + + if (!dom) + return 0; + if (WARN_ON_ONCE(dom->num_layers < 1)) + return -EACCES; + + if (sk_is_tcp(sk)) { + /* Checks for minimal header length to safely read sa_family. */ + if (addrlen < offsetofend(typeof(*address), sa_family)) + return -EINVAL; + + switch (address->sa_family) { + case AF_UNSPEC: + case AF_INET: + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + port = ((struct sockaddr_in *)address)->sin_port; + break; + +#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + port = ((struct sockaddr_in6 *)address)->sin6_port; + break; +#endif /* IS_ENABLED(CONFIG_IPV6) */ + + default: + return 0; + } + + /* + * Connecting to an address with AF_UNSPEC dissolves the TCP + * association, which have the same effect as closing the + * connection while retaining the socket object (i.e., the file + * descriptor). As for dropping privileges, closing + * connections is always allowed. + * + * For a TCP access control system, this request is legitimate. + * Let the network stack handle potential inconsistencies and + * return -EINVAL if needed. + */ + if (address->sa_family == AF_UNSPEC) + return 0; + /* + * Checks sa_family consistency to not wrongfully return + * -EACCES instead of -EINVAL. Valid sa_family changes are + * only (from AF_INET or AF_INET6) to AF_UNSPEC. + * + * We could return 0 and let the network stack handle this + * check, but it is safer to return a proper error and test + * consistency thanks to kselftest. + */ + if (address->sa_family != sk->sk_family) + return -EINVAL; + + return check_access_port(dom, port, + LANDLOCK_ACCESS_NET_CONNECT_TCP); + } + return 0; +} + +static struct security_hook_list landlock_hooks[] __ro_after_init = { + LSM_HOOK_INIT(socket_bind, hook_socket_bind), + LSM_HOOK_INIT(socket_connect, hook_socket_connect), +}; + +__init void landlock_add_net_hooks(void) +{ + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), + &landlock_lsmid); +} From patchwork Thu Oct 17 11:04:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839849 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E79251DB375; Thu, 17 Oct 2024 11:05:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.188 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163132; cv=none; b=G71N6IzIh8MDBWgaTGjNinWyFtODKDvAjCLXba51Wl0F+nS+LwHokcI+N7hpFNr8mSelAxO0jWoUvWB3O+Elzmd0gRqzGxHp+MOP85qZk1JHAfJiExls3GHtvXtUUeoPbNBqrRTUKUTVUogsSYurMmPVHNxLkujFbw9K/2sNHds= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163132; c=relaxed/simple; bh=t7H/Rq6n7uB1I3Xia70uPuWVPgSiLz0kxBTxCTdy7GA=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=tw19oUO98cCte23Jqg2mOOZzTinqbFGvdz9xBbmC9z9YzJ4wwu9yPXj8/C8ODvQx/XNF2BcuxXSOGT/3AUhK0F1jagVrNikCEvjlCwQv0kEBPs1JKDGaRMERpsbb0T7EbAyAEKFK7ntSV8DR6mqv8P41VAM/o86bbdgWpePMo7E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.163.48]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4XTlL92GbdzfdH4; Thu, 17 Oct 2024 19:02:57 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id CEE7A18007C; Thu, 17 Oct 2024 19:05:24 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:22 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions Date: Thu, 17 Oct 2024 19:04:49 +0800 Message-ID: <20241017110454.265818-4-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Add two helpers for TCP bind/connect accesses, which will serve to perform action-specific network stack level checks and safely extract the port from the address. Return -EAFNOSUPPORT instead of -EINVAL in sin_family checks. Check socket state before validating address for TCP connect access. This is necessary to follow the error order of network stack. Read sk_family value from socket structure with READ_ONCE to safely handle IPV6_ADDRFORM case (see [1]). [1] https://lore.kernel.org/all/20240202095404.183274-1-edumazet@google.com/ Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") Signed-off-by: Mikhail Ivanov --- security/landlock/net.c | 543 +++++++++++++++++++++++----------------- 1 file changed, 315 insertions(+), 228 deletions(-) rewrite security/landlock/net.c (37%) diff --git a/security/landlock/net.c b/security/landlock/net.c dissimilarity index 37% index a3142f9b15ee..06791aba9196 100644 --- a/security/landlock/net.c +++ b/security/landlock/net.c @@ -1,228 +1,315 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * Landlock LSM - Network management and hooks - * - * Copyright © 2022-2023 Huawei Tech. Co., Ltd. - * Copyright © 2022-2023 Microsoft Corporation - */ - -#include -#include -#include -#include - -#include "common.h" -#include "cred.h" -#include "limits.h" -#include "net.h" -#include "ruleset.h" - -int landlock_append_net_rule(struct landlock_ruleset *const ruleset, - const u16 port, access_mask_t access_rights) -{ - int err; - const struct landlock_id id = { - .key.data = (__force uintptr_t)htons(port), - .type = LANDLOCK_KEY_NET_PORT, - }; - - BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); - - /* Transforms relative access rights to absolute ones. */ - access_rights |= LANDLOCK_MASK_ACCESS_NET & - ~landlock_get_net_access_mask(ruleset, 0); - - mutex_lock(&ruleset->lock); - err = landlock_insert_rule(ruleset, id, access_rights); - mutex_unlock(&ruleset->lock); - - return err; -} - -static const struct landlock_ruleset *get_current_net_domain(void) -{ - const union access_masks any_net = { - .net = ~0, - }; - - return landlock_match_ruleset(landlock_get_current_domain(), any_net); -} - -static int check_access_port(const struct landlock_ruleset *const dom, - __be16 port, access_mask_t access_request) -{ - layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; - const struct landlock_rule *rule; - struct landlock_id id = { - .type = LANDLOCK_KEY_NET_PORT, - }; - - id.key.data = (__force uintptr_t)port; - BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); - - rule = landlock_find_rule(dom, id); - access_request = landlock_init_layer_masks( - dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); - if (landlock_unmask_layers(rule, access_request, &layer_masks, - ARRAY_SIZE(layer_masks))) - return 0; - - return -EACCES; -} - -static int hook_socket_bind(struct socket *const sock, - struct sockaddr *const address, const int addrlen) -{ - __be16 port; - struct sock *const sk = sock->sk; - const struct landlock_ruleset *const dom = get_current_net_domain(); - - if (!dom) - return 0; - if (WARN_ON_ONCE(dom->num_layers < 1)) - return -EACCES; - - if (sk_is_tcp(sk)) { - /* Checks for minimal header length to safely read sa_family. */ - if (addrlen < offsetofend(typeof(*address), sa_family)) - return -EINVAL; - - switch (address->sa_family) { - case AF_UNSPEC: - case AF_INET: - if (addrlen < sizeof(struct sockaddr_in)) - return -EINVAL; - port = ((struct sockaddr_in *)address)->sin_port; - break; - -#if IS_ENABLED(CONFIG_IPV6) - case AF_INET6: - if (addrlen < SIN6_LEN_RFC2133) - return -EINVAL; - port = ((struct sockaddr_in6 *)address)->sin6_port; - break; -#endif /* IS_ENABLED(CONFIG_IPV6) */ - - default: - return 0; - } - - /* - * For compatibility reason, accept AF_UNSPEC for bind - * accesses (mapped to AF_INET) only if the address is - * INADDR_ANY (cf. __inet_bind). Checking the address is - * required to not wrongfully return -EACCES instead of - * -EAFNOSUPPORT. - * - * We could return 0 and let the network stack handle these - * checks, but it is safer to return a proper error and test - * consistency thanks to kselftest. - */ - if (address->sa_family == AF_UNSPEC) { - /* addrlen has already been checked for AF_UNSPEC. */ - const struct sockaddr_in *const sockaddr = - (struct sockaddr_in *)address; - - if (sk->sk_family != AF_INET) - return -EINVAL; - - if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) - return -EAFNOSUPPORT; - } else { - /* - * Checks sa_family consistency to not wrongfully return - * -EACCES instead of -EINVAL. Valid sa_family changes are - * only (from AF_INET or AF_INET6) to AF_UNSPEC. - * - * We could return 0 and let the network stack handle this - * check, but it is safer to return a proper error and test - * consistency thanks to kselftest. - */ - if (address->sa_family != sk->sk_family) - return -EINVAL; - } - return check_access_port(dom, port, - LANDLOCK_ACCESS_NET_BIND_TCP); - } - return 0; -} - -static int hook_socket_connect(struct socket *const sock, - struct sockaddr *const address, - const int addrlen) -{ - __be16 port; - struct sock *const sk = sock->sk; - const struct landlock_ruleset *const dom = get_current_net_domain(); - - if (!dom) - return 0; - if (WARN_ON_ONCE(dom->num_layers < 1)) - return -EACCES; - - if (sk_is_tcp(sk)) { - /* Checks for minimal header length to safely read sa_family. */ - if (addrlen < offsetofend(typeof(*address), sa_family)) - return -EINVAL; - - switch (address->sa_family) { - case AF_UNSPEC: - case AF_INET: - if (addrlen < sizeof(struct sockaddr_in)) - return -EINVAL; - port = ((struct sockaddr_in *)address)->sin_port; - break; - -#if IS_ENABLED(CONFIG_IPV6) - case AF_INET6: - if (addrlen < SIN6_LEN_RFC2133) - return -EINVAL; - port = ((struct sockaddr_in6 *)address)->sin6_port; - break; -#endif /* IS_ENABLED(CONFIG_IPV6) */ - - default: - return 0; - } - - /* - * Connecting to an address with AF_UNSPEC dissolves the TCP - * association, which have the same effect as closing the - * connection while retaining the socket object (i.e., the file - * descriptor). As for dropping privileges, closing - * connections is always allowed. - * - * For a TCP access control system, this request is legitimate. - * Let the network stack handle potential inconsistencies and - * return -EINVAL if needed. - */ - if (address->sa_family == AF_UNSPEC) - return 0; - /* - * Checks sa_family consistency to not wrongfully return - * -EACCES instead of -EINVAL. Valid sa_family changes are - * only (from AF_INET or AF_INET6) to AF_UNSPEC. - * - * We could return 0 and let the network stack handle this - * check, but it is safer to return a proper error and test - * consistency thanks to kselftest. - */ - if (address->sa_family != sk->sk_family) - return -EINVAL; - - return check_access_port(dom, port, - LANDLOCK_ACCESS_NET_CONNECT_TCP); - } - return 0; -} - -static struct security_hook_list landlock_hooks[] __ro_after_init = { - LSM_HOOK_INIT(socket_bind, hook_socket_bind), - LSM_HOOK_INIT(socket_connect, hook_socket_connect), -}; - -__init void landlock_add_net_hooks(void) -{ - security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - &landlock_lsmid); -} +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Network management and hooks + * + * Copyright © 2022-2023 Huawei Tech. Co., Ltd. + * Copyright © 2022-2023 Microsoft Corporation + */ + +#include +#include +#include +#include + +#include "common.h" +#include "cred.h" +#include "limits.h" +#include "net.h" +#include "ruleset.h" + +int landlock_append_net_rule(struct landlock_ruleset *const ruleset, + const u16 port, access_mask_t access_rights) +{ + int err; + const struct landlock_id id = { + .key.data = (__force uintptr_t)htons(port), + .type = LANDLOCK_KEY_NET_PORT, + }; + + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); + + /* Transforms relative access rights to absolute ones. */ + access_rights |= LANDLOCK_MASK_ACCESS_NET & + ~landlock_get_net_access_mask(ruleset, 0); + + mutex_lock(&ruleset->lock); + err = landlock_insert_rule(ruleset, id, access_rights); + mutex_unlock(&ruleset->lock); + + return err; +} + +static const struct landlock_ruleset *get_current_net_domain(void) +{ + const union access_masks any_net = { + .net = ~0, + }; + + return landlock_match_ruleset(landlock_get_current_domain(), any_net); +} + +static int check_access_port(const struct landlock_ruleset *const dom, + __be16 port, access_mask_t access_request) +{ + layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; + const struct landlock_rule *rule; + struct landlock_id id = { + .type = LANDLOCK_KEY_NET_PORT, + }; + + id.key.data = (__force uintptr_t)port; + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); + + rule = landlock_find_rule(dom, id); + access_request = landlock_init_layer_masks( + dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT); + if (landlock_unmask_layers(rule, access_request, &layer_masks, + ARRAY_SIZE(layer_masks))) + return 0; + + return -EACCES; +} + +/* + * Checks that TCP @sock and @address attributes are correct for bind(2). + * + * On success, extracts port from @address in @port and returns 0. + * + * This validation is consistent with network stack and returns the error + * in the order corresponding to the order of errors from the network stack. + * It's required to not wrongfully return -EACCES instead of meaningful network + * stack level errors. Consistency is tested with kselftest. + * + * This helper does not provide consistency of error codes for BPF filter + * (if any). + */ +static int +check_tcp_bind_consistency_and_get_port(struct socket *const sock, + struct sockaddr *const address, + const int addrlen, __be16 *port) +{ + /* IPV6_ADDRFORM can change sk->sk_family under us. */ + switch (READ_ONCE(sock->sk->sk_family)) { + case AF_INET: + const struct sockaddr_in *const addr = + (struct sockaddr_in *)address; + + /* Cf. inet_bind_sk(). */ + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + /* + * For compatibility reason, accept AF_UNSPEC for bind + * accesses (mapped to AF_INET) only if the address is + * INADDR_ANY (cf. __inet_bind). + */ + if (addr->sin_family != AF_INET) { + if (addr->sin_family != AF_UNSPEC || + addr->sin_addr.s_addr != htonl(INADDR_ANY)) + return -EAFNOSUPPORT; + } + *port = ((struct sockaddr_in *)address)->sin_port; + break; +#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + /* Cf. inet6_bind_sk(). */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Cf. __inet6_bind(). */ + if (address->sa_family != AF_INET6) + return -EAFNOSUPPORT; + *port = ((struct sockaddr_in6 *)address)->sin6_port; + break; +#endif /* IS_ENABLED(CONFIG_IPV6) */ + default: + WARN_ON_ONCE(0); + return -EACCES; + } + return 0; +} + +/* + * Checks that TCP @sock and @address attributes are correct for connect(2). + * + * On success, extracts port from @address in @port and returns 0. + * + * This validation is consistent with network stack and returns the error + * in the order corresponding to the order of errors from the network stack. + * It's required to not wrongfully return -EACCES instead of meaningful network + * stack level error. Consistency is partially tested with kselftest. + * + * This helper does not provide consistency of error codes for BPF filter + * (if any). + * + * The function holds socket lock while checking the socket state. + */ +static int +check_tcp_connect_consistency_and_get_port(struct socket *const sock, + struct sockaddr *const address, + const int addrlen, __be16 *port) +{ + int err = 0; + struct sock *const sk = sock->sk; + + /* Cf. __inet_stream_connect(). */ + lock_sock(sk); + switch (sock->state) { + default: + err = -EINVAL; + break; + case SS_CONNECTED: + err = -EISCONN; + break; + case SS_CONNECTING: + /* + * Calling connect(2) on nonblocking socket with SYN_SENT or SYN_RECV + * state immediately returns -EISCONN and -EALREADY (Cf. __inet_stream_connect()). + * + * This check is not tested with kselftests. + */ + if ((sock->file->f_flags & O_NONBLOCK) && + ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))) { + if (inet_test_bit(DEFER_CONNECT, sk)) + err = -EISCONN; + else + err = -EALREADY; + break; + } + + /* + * Current state is possible in two cases: + * 1. connect(2) is called upon nonblocking socket and previous + * connection attempt was closed by RST packet (therefore socket is + * in TCP_CLOSE state). In this case connect(2) calls + * sk_prot->disconnect(), changes socket state and increases number + * of disconnects. + * 2. connect(2) is called twice upon socket with TCP_FASTOPEN_CONNECT + * option set. If socket state is TCP_CLOSE connect(2) does the + * same logic as in point 1 case. Otherwise connect(2) may freeze + * after inet_wait_for_connect() call since SYN was never sent. + * + * For both this cases Landlock cannot provide error consistency since + * 1. Both cases involve executing some network stack logic and changing + * the socket state. + * 2. It cannot omit access check and allow network stack handle error + * consistency since socket can change its state to SS_UNCONNECTED + * before it will be locked again in inet_stream_connect(). + * + * Therefore it is only possible to return 0 and check access right with + * check_access_port() helper. + */ + release_sock(sk); + return 0; + case SS_UNCONNECTED: + if (sk->sk_state != TCP_CLOSE) + err = -EISCONN; + break; + } + release_sock(sk); + + if (err) + return err; + + /* IPV6_ADDRFORM can change sk->sk_family under us. */ + switch (READ_ONCE(sk->sk_family)) { + case AF_INET: + /* Cf. tcp_v4_connect(). */ + if (addrlen < sizeof(struct sockaddr_in)) + return -EINVAL; + if (address->sa_family != AF_INET) + return -EAFNOSUPPORT; + + *port = ((struct sockaddr_in *)address)->sin_port; + break; +#if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: + /* Cf. tcp_v6_connect(). */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + if (address->sa_family != AF_INET6) + return -EAFNOSUPPORT; + + *port = ((struct sockaddr_in6 *)address)->sin6_port; + break; +#endif /* IS_ENABLED(CONFIG_IPV6) */ + default: + WARN_ON_ONCE(0); + return -EACCES; + } + + return 0; +} + +static int hook_socket_bind(struct socket *const sock, + struct sockaddr *const address, const int addrlen) +{ + int err; + __be16 port; + const struct landlock_ruleset *const dom = get_current_net_domain(); + + if (!dom) + return 0; + if (WARN_ON_ONCE(dom->num_layers < 1)) + return -EACCES; + + if (sk_is_tcp(sock->sk)) { + err = check_tcp_bind_consistency_and_get_port(sock, address, + addrlen, &port); + if (err) + return err; + return check_access_port(dom, port, + LANDLOCK_ACCESS_NET_BIND_TCP); + } + return 0; +} + +static int hook_socket_connect(struct socket *const sock, + struct sockaddr *const address, + const int addrlen) +{ + int err; + __be16 port; + const struct landlock_ruleset *const dom = get_current_net_domain(); + + if (!dom) + return 0; + if (WARN_ON_ONCE(dom->num_layers < 1)) + return -EACCES; + + if (sk_is_tcp(sock->sk)) { + /* Checks for minimal header length to safely read sa_family. */ + if (addrlen < sizeof(address->sa_family)) + return -EINVAL; + /* + * Connecting to an address with AF_UNSPEC dissolves the TCP + * association, which have the same effect as closing the + * connection while retaining the socket object (i.e., the file + * descriptor). As for dropping privileges, closing + * connections is always allowed. + * + * For a TCP access control system, this request is legitimate. + * Let the network stack handle potential inconsistencies and + * return -EINVAL if needed. + */ + if (address->sa_family == AF_UNSPEC) + return 0; + + err = check_tcp_connect_consistency_and_get_port( + sock, address, addrlen, &port); + if (err) + return err; + return check_access_port(dom, port, + LANDLOCK_ACCESS_NET_CONNECT_TCP); + } + return 0; +} + +static struct security_hook_list landlock_hooks[] __ro_after_init = { + LSM_HOOK_INIT(socket_bind, hook_socket_bind), + LSM_HOOK_INIT(socket_connect, hook_socket_connect), +}; + +__init void landlock_add_net_hooks(void) +{ + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), + &landlock_lsmid); +} From patchwork Thu Oct 17 11:04:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839852 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 233BD1D9A6A; Thu, 17 Oct 2024 11:05:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.188 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163142; cv=none; b=pHBCn/V8SMTZ2UQXS8/x72aJR7p7v6iN8TIhXWuBGKrnO/SILcEPN/lPx5dtXEwf9MgsT9XYxiUqbKP0AEg72Gs7fRf5oVh7CHDkT5MGuN+2VLDfcJNHa/FRgmDnnB2n6rbgfzn2eMChDsIBV5kIfOQZaydARNJXYEWyuYDIM6Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163142; c=relaxed/simple; bh=SFo/qf1jlxlSrQNRtYJ8JeTCBUfpYjPZjkJTwlvtWCc=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=DeKmZB67fZ90vVPtMptY9NHY7BzXLy/5jG4bqP0ycYpmfLBdC8KsBItXm2XfY9UimhjBY2EU863MeA2OLaeVJnpvGgi03R+D4QvlpqnFrF3fjB9CS6COTk0sAeCPFD3eiGZLNEdhbJiXHwh5fPpI/I8HJNKk8Kd5IQh3/yxr4ls= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.163.48]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4XTlLm6MXMzcpSD; Thu, 17 Oct 2024 19:03:28 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id 1328018007C; Thu, 17 Oct 2024 19:05:27 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:24 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 4/8] selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP Date: Thu, 17 Oct 2024 19:04:50 +0800 Message-ID: <20241017110454.265818-5-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Extend protocol_variant structure with protocol field (Cf. socket(2)). Extend protocol fixture with TCP test suits with protocol=IPPROTO_TCP which can be used as an alias for IPPROTO_IP (=0) in socket(2). Signed-off-by: Mikhail Ivanov --- tools/testing/selftests/landlock/common.h | 1 + tools/testing/selftests/landlock/net_test.c | 80 +++++++++++++++++---- 2 files changed, 67 insertions(+), 14 deletions(-) diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h index 61056fa074bb..40a2def50b83 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h @@ -234,6 +234,7 @@ enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset_fd) struct protocol_variant { int domain; int type; + int protocol; }; struct service_fixture { diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index 4e0aeb53b225..333263780fae 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -85,18 +85,18 @@ static void setup_loopback(struct __test_metadata *const _metadata) clear_ambient_cap(_metadata, CAP_NET_ADMIN); } +static bool prot_is_tcp(const struct protocol_variant *const prot) +{ + return (prot->domain == AF_INET || prot->domain == AF_INET6) && + prot->type == SOCK_STREAM && + (prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP); +} + static bool is_restricted(const struct protocol_variant *const prot, const enum sandbox_type sandbox) { - switch (prot->domain) { - case AF_INET: - case AF_INET6: - switch (prot->type) { - case SOCK_STREAM: - return sandbox == TCP_SANDBOX; - } - break; - } + if (sandbox == TCP_SANDBOX) + return prot_is_tcp(prot); return false; } @@ -105,7 +105,7 @@ static int socket_variant(const struct service_fixture *const srv) int ret; ret = socket(srv->protocol.domain, srv->protocol.type | SOCK_CLOEXEC, - 0); + srv->protocol.protocol); if (ret < 0) return -errno; return ret; @@ -290,22 +290,48 @@ FIXTURE_TEARDOWN(protocol) } /* clang-format off */ -FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp) { +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp1) { /* clang-format on */ .sandbox = NO_SANDBOX, .prot = { .domain = AF_INET, .type = SOCK_STREAM, + /* IPPROTO_IP == 0 */ + .protocol = IPPROTO_IP, }, }; /* clang-format off */ -FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp) { +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + .protocol = IPPROTO_TCP, + }, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) { /* clang-format on */ .sandbox = NO_SANDBOX, .prot = { .domain = AF_INET6, .type = SOCK_STREAM, + /* IPPROTO_IP == 0 */ + .protocol = IPPROTO_IP, + }, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + .protocol = IPPROTO_TCP, }, }; @@ -350,22 +376,48 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_unix_datagram) { }; /* clang-format off */ -FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp) { +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp1) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + /* IPPROTO_IP == 0 */ + .protocol = IPPROTO_IP, + }, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) { /* clang-format on */ .sandbox = TCP_SANDBOX, .prot = { .domain = AF_INET, .type = SOCK_STREAM, + .protocol = IPPROTO_TCP, + }, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + /* IPPROTO_IP == 0 */ + .protocol = IPPROTO_IP, }, }; /* clang-format off */ -FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp) { +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) { /* clang-format on */ .sandbox = TCP_SANDBOX, .prot = { .domain = AF_INET6, .type = SOCK_STREAM, + .protocol = IPPROTO_TCP, }, }; From patchwork Thu Oct 17 11:04:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839855 Received: from szxga07-in.huawei.com (szxga07-in.huawei.com [45.249.212.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0F531DC1A7; Thu, 17 Oct 2024 11:06:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.35 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163170; cv=none; b=W6MAdm2Jwylj10w+ehcNSmGCWg+Y5wCamMVuBbsSwZmEBFKJIabygC9IbZuAKAv33OowmRv40sSrK4otCrHyHMhi+mBQ1G0F9aecTPQqO/2mDpIps8shppb/ZzRulCuLJ/yInzuDu44iDQycDmIQVEn9n8mF2KMUPGWsKizhKxE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163170; c=relaxed/simple; bh=A7+g72QjPlUQUIWPTKMLnaCm8tb54u9e4q8eS9BE0lU=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=dOVXRKfHogHi33jhOP1iCAH327Hw6wOkljoYp2ZMVGgmavP2Zi72D5MrxOVzXz2N957JiQQ32uOcVatt2r3nuOpwvzlP9SWnL+LR+gsqmBuoSnEQDhjcFG3VcjS0r5CPBpUg753WYWwGkVcAth6A05EJT3d36qKDh8/TQUpEv48= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.35 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.162.112]) by szxga07-in.huawei.com (SkyGuard) with ESMTP id 4XTlMd0HgQz1SCqZ; Thu, 17 Oct 2024 19:04:13 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id 226F4140109; Thu, 17 Oct 2024 19:05:29 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:26 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 5/8] selftests/landlock: Test that MPTCP actions are not restricted Date: Thu, 17 Oct 2024 19:04:51 +0800 Message-ID: <20241017110454.265818-6-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Extend protocol fixture with test suits for MPTCP protocol. Add CONFIG_MPTCP and CONFIG_MPTCP_IPV6 options in config. Signed-off-by: Mikhail Ivanov --- Changes since v1: * Removes SMC test suits and puts SCTP test suits in a separate commit. --- tools/testing/selftests/landlock/config | 2 + tools/testing/selftests/landlock/net_test.c | 44 +++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config index 29af19c4e9f9..a8982da4acbd 100644 --- a/tools/testing/selftests/landlock/config +++ b/tools/testing/selftests/landlock/config @@ -3,6 +3,8 @@ CONFIG_CGROUP_SCHED=y CONFIG_INET=y CONFIG_IPV6=y CONFIG_KEYS=y +CONFIG_MPTCP=y +CONFIG_MPTCP_IPV6=y CONFIG_NET=y CONFIG_NET_NS=y CONFIG_OVERLAY_FS=y diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index 333263780fae..d9de0ee49ebc 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -312,6 +312,17 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_tcp2) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_mptcp) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + .protocol = IPPROTO_MPTCP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) { /* clang-format on */ @@ -335,6 +346,17 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp2) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_mptcp) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + .protocol = IPPROTO_MPTCP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_udp) { /* clang-format on */ @@ -398,6 +420,17 @@ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_tcp2) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_mptcp) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + .protocol = IPPROTO_MPTCP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) { /* clang-format on */ @@ -421,6 +454,17 @@ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp2) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_mptcp) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + .protocol = IPPROTO_MPTCP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_udp) { /* clang-format on */ From patchwork Thu Oct 17 11:04:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839856 Received: from szxga07-in.huawei.com (szxga07-in.huawei.com [45.249.212.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0EA71DBB36; Thu, 17 Oct 2024 11:06:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.35 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163171; cv=none; b=SvtI4BWoMs+CSstz5kQN7NMiPGJpOufRVffN0aTUkbJjpImwBI/748AcTpEyrauI+0guFhUPe/GcomWeAZgAzvwDZLNg1xQyiVXnHfwTytNjz8/j+EgNk1DZ7GikCIN5e2L0m7UXhDdue4oYw/hsKYlIWwbIa8hASK41jT2FFIA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163171; c=relaxed/simple; bh=ST8lfecc4XJ/eNvY9TM4EO18+LjOekzZkyLZFZ1zOgY=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=RkiSEn5/VPn8fDZLh0A0fXzckTWGHRhkOrJr5VRxQEbRedlKsmuZYGmqBMa7UWmqJt16NzXQ2a/L7qqf0b+ucmarPP3hHxQW1EHaTrZ3+HucC5mccSAaz791vG3TlL9yK8HJqtyfHqU0eJxw9NbI+R8VfYhHrWIx+AiNZT+IbM4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.35 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.163.44]) by szxga07-in.huawei.com (SkyGuard) with ESMTP id 4XTlMg1zkTz1SCrt; Thu, 17 Oct 2024 19:04:15 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id 5CDC6140360; Thu, 17 Oct 2024 19:05:31 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:29 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 6/8] selftests/landlock: Test consistency of errors for TCP actions Date: Thu, 17 Oct 2024 19:04:52 +0800 Message-ID: <20241017110454.265818-7-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Add tcp_errors_consistency fixture for TCP errors consistency tests. Add 6 test suits for this fixture to configure tested address family of socket (ipv4 or ipv6), sandboxed mode and whether TCP action is allowed in a sandboxed mode. Add tests which validate errors consistency provided by Landlock for bind(2) and connect(2) restrictable TCP actions. Add sys_bind(), sys_connect() helpers for convenient checks of bind(2) and connect(2). Add set_ipv4_tcp_address(), set_ipv6_tcp_address() helpers. Add CONFIG_LSM="landlock" option in config. Some LSMs (e.g. SElinux) can be loaded before Landlock and return inconsistent error code for bind(2) and connect(2) calls. Signed-off-by: Mikhail Ivanov --- tools/testing/selftests/landlock/config | 1 + tools/testing/selftests/landlock/net_test.c | 329 +++++++++++++++++++- 2 files changed, 324 insertions(+), 6 deletions(-) diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config index a8982da4acbd..52988e8a56cc 100644 --- a/tools/testing/selftests/landlock/config +++ b/tools/testing/selftests/landlock/config @@ -3,6 +3,7 @@ CONFIG_CGROUP_SCHED=y CONFIG_INET=y CONFIG_IPV6=y CONFIG_KEYS=y +CONFIG_LSM="landlock" CONFIG_MPTCP=y CONFIG_MPTCP_IPV6=y CONFIG_NET=y diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index d9de0ee49ebc..30b29bf10bdc 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -36,6 +36,22 @@ enum sandbox_type { TCP_SANDBOX, }; +static void set_ipv4_tcp_address(const struct service_fixture *const srv, + struct sockaddr_in *ipv4_addr) +{ + ipv4_addr->sin_family = srv->protocol.domain; + ipv4_addr->sin_port = htons(srv->port); + ipv4_addr->sin_addr.s_addr = inet_addr(loopback_ipv4); +} + +static void set_ipv6_tcp_address(const struct service_fixture *const srv, + struct sockaddr_in6 *ipv6_addr) +{ + ipv6_addr->sin6_family = srv->protocol.domain; + ipv6_addr->sin6_port = htons(srv->port); + inet_pton(AF_INET6, loopback_ipv6, &ipv6_addr->sin6_addr); +} + static int set_service(struct service_fixture *const srv, const struct protocol_variant prot, const unsigned short index) @@ -56,15 +72,11 @@ static int set_service(struct service_fixture *const srv, switch (prot.domain) { case AF_UNSPEC: case AF_INET: - srv->ipv4_addr.sin_family = prot.domain; - srv->ipv4_addr.sin_port = htons(srv->port); - srv->ipv4_addr.sin_addr.s_addr = inet_addr(loopback_ipv4); + set_ipv4_tcp_address(srv, &srv->ipv4_addr); return 0; case AF_INET6: - srv->ipv6_addr.sin6_family = prot.domain; - srv->ipv6_addr.sin6_port = htons(srv->port); - inet_pton(AF_INET6, loopback_ipv6, &srv->ipv6_addr.sin6_addr); + set_ipv6_tcp_address(srv, &srv->ipv6_addr); return 0; case AF_UNIX: @@ -181,6 +193,17 @@ static uint16_t get_binded_port(int socket_fd, } } +static int sys_bind(const int sock_fd, const struct sockaddr *addr, + socklen_t addrlen) +{ + int ret; + + ret = bind(sock_fd, addr, addrlen); + if (ret < 0) + return -errno; + return 0; +} + static int bind_variant_addrlen(const int sock_fd, const struct service_fixture *const srv, const socklen_t addrlen) @@ -217,6 +240,17 @@ static int bind_variant(const int sock_fd, return bind_variant_addrlen(sock_fd, srv, get_addrlen(srv, false)); } +static int sys_connect(const int sock_fd, const struct sockaddr *addr, + socklen_t addrlen) +{ + int ret; + + ret = connect(sock_fd, addr, addrlen); + if (ret < 0) + return -errno; + return 0; +} + static int connect_variant_addrlen(const int sock_fd, const struct service_fixture *const srv, const socklen_t addrlen) @@ -923,6 +957,289 @@ TEST_F(protocol, connect_unspec) EXPECT_EQ(0, close(bind_fd)); } +FIXTURE(tcp_errors_consistency) +{ + struct service_fixture srv0, srv1; + struct sockaddr *inval_addr_p0; + socklen_t addrlen_min; + + struct sockaddr_in inval_ipv4_addr; + struct sockaddr_in6 inval_ipv6_addr; +}; + +FIXTURE_VARIANT(tcp_errors_consistency) +{ + const enum sandbox_type sandbox; + const int domain; + bool allowed; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, no_sandbox_with_ipv4) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .domain = AF_INET, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, no_sandbox_with_ipv6) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .domain = AF_INET6, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, denied_with_ipv4) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .domain = AF_INET, + .allowed = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, allowed_with_ipv4) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .domain = AF_INET, + .allowed = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, denied_with_ipv6) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .domain = AF_INET6, + .allowed = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(tcp_errors_consistency, allowed_with_ipv6) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .domain = AF_INET6, + .allowed = true, +}; + +FIXTURE_SETUP(tcp_errors_consistency) +{ + const struct protocol_variant tcp_prot = { + .domain = variant->domain, + .type = SOCK_STREAM, + }; + + disable_caps(_metadata); + + set_service(&self->srv0, tcp_prot, 0); + set_service(&self->srv1, tcp_prot, 1); + + if (variant->domain == AF_INET) { + set_ipv4_tcp_address(&self->srv0, &self->inval_ipv4_addr); + self->inval_ipv4_addr.sin_family = AF_INET6; + + self->inval_addr_p0 = (struct sockaddr *)&self->inval_ipv4_addr; + self->addrlen_min = sizeof(struct sockaddr_in); + } else { + set_ipv6_tcp_address(&self->srv0, &self->inval_ipv6_addr); + self->inval_ipv6_addr.sin6_family = AF_INET; + + self->inval_addr_p0 = (struct sockaddr *)&self->inval_ipv6_addr; + self->addrlen_min = SIN6_LEN_RFC2133; + } + + setup_loopback(_metadata); +}; + +FIXTURE_TEARDOWN(tcp_errors_consistency) +{ +} + +/* + * Validates that Landlock provides errors consistency for bind(2) operation + * (not restricted, allowed and denied). + * + * Error consistency implies that in sandboxed process, bind(2) returns the same + * errors and in the same order (assuming multiple errors) as during normal + * execution. + */ +TEST_F(tcp_errors_consistency, bind) +{ + if (variant->sandbox == TCP_SANDBOX) { + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, + }; + int ruleset_fd; + + ruleset_fd = landlock_create_ruleset(&ruleset_attr, + sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + + if (variant->allowed) { + const struct landlock_net_port_attr tcp_bind_p0 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, + .port = self->srv0.port, + }; + + /* Allows bind for the first port. */ + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, + LANDLOCK_RULE_NET_PORT, + &tcp_bind_p0, 0)); + } + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + } + int sock_fd; + + sock_fd = socket_variant(&self->srv0); + ASSERT_LE(0, sock_fd); + + /* + * Tries to bind socket to address with invalid sa_family value + * (AF_INET for ipv6 socket and AF_INET6 for ipv4 socket). + */ + EXPECT_EQ(-EAFNOSUPPORT, + sys_bind(sock_fd, self->inval_addr_p0, self->addrlen_min)); + + if (variant->domain == AF_INET) { + struct sockaddr_in ipv4_unspec_addr; + + set_ipv4_tcp_address(&self->srv0, &ipv4_unspec_addr); + ipv4_unspec_addr.sin_family = AF_UNSPEC; + /* + * Ipv4 bind(2) accepts AF_UNSPEC family in address only if address is + * INADDR_ANY. Otherwise, returns -EAFNOSUPPORT. + */ + EXPECT_EQ(-EAFNOSUPPORT, + sys_bind(sock_fd, + (struct sockaddr *)&ipv4_unspec_addr, + self->addrlen_min)); + } + + /* Tries to bind with too small addrlen (Cf. inet_bind_sk). */ + EXPECT_EQ(-EINVAL, sys_bind(sock_fd, self->inval_addr_p0, + self->addrlen_min - 1)); + + ASSERT_EQ(0, close(sock_fd)); +} + +/* + * Validates that Landlock provides errors consistency for connect(2) operation + * (not restricted, allowed and denied). + * + * Error consistency implies that in sandboxed process, connect(2) returns the + * same errors and in the same order (assuming multiple errors) as during normal + * execution. + */ +TEST_F(tcp_errors_consistency, connect) +{ + int nonblock_p0_fd; + + nonblock_p0_fd = socket(variant->domain, + SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 0); + ASSERT_LE(0, nonblock_p0_fd); + + /* Tries to connect nonblocking socket before establishing ruleset. */ + ASSERT_EQ(-EINPROGRESS, connect_variant(nonblock_p0_fd, &self->srv0)); + + if (variant->sandbox == TCP_SANDBOX) { + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_TCP, + }; + const struct landlock_net_port_attr tcp_connect_p1 = { + .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, + .port = self->srv1.port, + }; + int ruleset_fd; + + ruleset_fd = landlock_create_ruleset(&ruleset_attr, + sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + + /* Allows connect for the second port. */ + ASSERT_EQ(0, + landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, + &tcp_connect_p1, 0)); + + if (variant->allowed) { + const struct landlock_net_port_attr tcp_connect_p0 = { + .allowed_access = + LANDLOCK_ACCESS_NET_CONNECT_TCP, + .port = self->srv0.port, + }; + + /* Allows connect for the first port. */ + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, + LANDLOCK_RULE_NET_PORT, + &tcp_connect_p0, 0)); + } + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + } + int client_p0_fd, client_p1_fd, server_p0_fd, server_p1_fd; + + client_p0_fd = socket_variant(&self->srv0); + ASSERT_LE(0, client_p0_fd); + /* + * Tries to connect socket to address with invalid sa_family value + * (AF_INET for ipv6 socket and AF_INET6 for ipv4 socket). + */ + EXPECT_EQ(-EAFNOSUPPORT, sys_connect(client_p0_fd, self->inval_addr_p0, + self->addrlen_min)); + + /* Tries to connect with too small addrlen. */ + EXPECT_EQ(-EINVAL, sys_connect(client_p0_fd, self->inval_addr_p0, + self->addrlen_min - 1)); + + /* Creates socket listening on zero port. */ + server_p0_fd = socket_variant(&self->srv0); + ASSERT_LE(0, server_p0_fd); + + ASSERT_EQ(0, bind_variant(server_p0_fd, &self->srv0)); + ASSERT_EQ(0, listen(server_p0_fd, backlog)); + /* Tries to connect listening socket. */ + EXPECT_EQ(-EISCONN, sys_connect(server_p0_fd, self->inval_addr_p0, + self->addrlen_min - 1)); + + /* Creates socket listening on first port. */ + server_p1_fd = socket_variant(&self->srv1); + ASSERT_LE(0, server_p1_fd); + + ASSERT_EQ(0, bind_variant(server_p1_fd, &self->srv1)); + ASSERT_EQ(0, listen(server_p1_fd, backlog)); + + client_p1_fd = socket_variant(&self->srv1); + ASSERT_LE(0, client_p1_fd); + + /* Connects to server_p1_fd. */ + ASSERT_EQ(0, connect_variant(client_p1_fd, &self->srv1)); + /* Tries to connect already connected socket. */ + EXPECT_EQ(-EISCONN, sys_connect(client_p1_fd, self->inval_addr_p0, + self->addrlen_min - 1)); + + /* + * connect(2) is called upon nonblocking socket and previous connection + * attempt was closed by RST packet. Landlock cannot provide error + * consistency in this case (Cf. check_tcp_connect_consistency_and_get_port()). + */ + if (variant->sandbox == TCP_SANDBOX) { + EXPECT_EQ(-EACCES, + connect_variant(nonblock_p0_fd, &self->srv0)); + } else { + EXPECT_EQ(-ECONNREFUSED, + connect_variant(nonblock_p0_fd, &self->srv0)); + } + + /* Tries to connect with zero as addrlen. */ + EXPECT_EQ(-EINVAL, sys_connect(client_p0_fd, self->inval_addr_p0, 0)); + + ASSERT_EQ(0, close(client_p1_fd)); + ASSERT_EQ(0, close(server_p1_fd)); + ASSERT_EQ(0, close(server_p0_fd)); + ASSERT_EQ(0, close(client_p0_fd)); + ASSERT_EQ(0, close(nonblock_p0_fd)); +} + FIXTURE(ipv4) { struct service_fixture srv0, srv1; From patchwork Thu Oct 17 11:04:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839851 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F36191DC1B2; Thu, 17 Oct 2024 11:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.189 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163140; cv=none; b=Zt+jk/4NuPVc3GmRMu5P8bCZS7nVKZbUzbgVWDMilYfCW5g4D51RbQ8eFiN1CFh6uSucEprVYo+ioME6g8fwgB4vFdhjXet8O0CuOWAOcJVkWYHJEFoq1Uc2hMtTtE+y76CdwRKjbLk9aanmke80U/MmtZDTSqtAv7cjF1bUqXQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163140; c=relaxed/simple; bh=aiZUdN9CrJgffhvAzeA9go8XeX4Cx1wM9+TSjIIY92M=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=gEFOepOKLG90FxetEfL8+NkSXxbpvGm0D6uTvjPh3pthNERREaYNMrEajcWpIANgh85jaPuq5UAz+UDB44RvdkJFXRuq9n2Ypz2XOW9YDZfiv0chaJvre+WzbSN8TLsLpGuKpu8/lrmlVptBg9wWqeHsdGOtAVpuEomIuqwGfhU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.163.252]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4XTlNJ1BHvzQrmG; Thu, 17 Oct 2024 19:04:48 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id 9B6591800D2; Thu, 17 Oct 2024 19:05:33 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:31 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation Date: Thu, 17 Oct 2024 19:04:53 +0800 Message-ID: <20241017110454.265818-8-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Add recommendation to specify Landlock first in CONFIG_LSM list, so user can have better LSM errors consistency provided by Landlock. Signed-off-by: Mikhail Ivanov --- Documentation/userspace-api/landlock.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index bb7480a05e2c..0db5eee9bffa 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -610,7 +610,8 @@ time as the other security modules. The list of security modules enabled by default is set with ``CONFIG_LSM``. The kernel configuration should then contains ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other potentially useful security modules for the running system (see the -``CONFIG_LSM`` help). +``CONFIG_LSM`` help). It is recommended to specify Landlock first of all other +modules in CONFIG_LSM list since it provides better errors consistency. Boot time configuration ----------------------- From patchwork Thu Oct 17 11:04:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikhail Ivanov X-Patchwork-Id: 13839854 Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3312F1D88C7; Thu, 17 Oct 2024 11:06:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.190 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163164; cv=none; b=ovsLIkHhBdPLiVPwxO3y3rnSccVJGq1eV87lsm5h7jSkTzW0BBB5MAuYC5TDAuBp9Qssv5RV7AE7g1QdM/rHXNRuZ2sBIF8q0pvXfecgRr4SCehUejNFhRH48/EmMjSOXlhV8Gl0IFV2wsmOa2j7RxLLg09qiaZeyQY8QcvQMg8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729163164; c=relaxed/simple; bh=7hy/y+njkQ+wmUrDxXAkntJvM3F5c3M0E/VMN2VyrZw=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=q52ka64rtLHokMTdMoyPOsClpXfllbvA+hs56MtNS7/IVQ9CU7kJ+6xSI3E1RS1zOczOqftBbi/UKH4Yxt1NLhBHjGone4FRMFmfDNy7tObZWR5XkiPh7NSV+3S+Ye4PUzic5i1FflfI5GnZB8yj9Kw3Ah3xjVq8RFIrcZITOgM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com; spf=pass smtp.mailfrom=huawei-partners.com; arc=none smtp.client-ip=45.249.212.190 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei-partners.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei-partners.com Received: from mail.maildlp.com (unknown [172.19.163.44]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4XTlMm19kQz2DdqL; Thu, 17 Oct 2024 19:04:20 +0800 (CST) Received: from kwepemj200016.china.huawei.com (unknown [7.202.194.28]) by mail.maildlp.com (Postfix) with ESMTPS id A7297140360; Thu, 17 Oct 2024 19:05:35 +0800 (CST) Received: from mscphis02103.huawei.com (10.123.65.215) by kwepemj200016.china.huawei.com (7.202.194.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 17 Oct 2024 19:05:33 +0800 From: Mikhail Ivanov To: , CC: , , , , , , , Subject: [RFC PATCH v2 8/8] selftests/landlock: Test that SCTP actions are not restricted Date: Thu, 17 Oct 2024 19:04:54 +0800 Message-ID: <20241017110454.265818-9-ivanov.mikhail1@huawei-partners.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> References: <20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: mscpeml500003.china.huawei.com (7.188.49.51) To kwepemj200016.china.huawei.com (7.202.194.28) X-Patchwork-State: RFC Extend protocol fixture with test suits for SCTP protocol. Add CONFIG_IP_SCTP option in config. Signed-off-by: Mikhail Ivanov --- tools/testing/selftests/landlock/config | 1 + tools/testing/selftests/landlock/net_test.c | 83 ++++++++++++++++++--- 2 files changed, 73 insertions(+), 11 deletions(-) diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config index 52988e8a56cc..a96d42dc850d 100644 --- a/tools/testing/selftests/landlock/config +++ b/tools/testing/selftests/landlock/config @@ -1,6 +1,7 @@ CONFIG_CGROUPS=y CONFIG_CGROUP_SCHED=y CONFIG_INET=y +CONFIG_IP_SCTP=y CONFIG_IPV6=y CONFIG_KEYS=y CONFIG_LSM="landlock" diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index 30b29bf10bdc..fa382a2e3b58 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -97,13 +97,28 @@ static void setup_loopback(struct __test_metadata *const _metadata) clear_ambient_cap(_metadata, CAP_NET_ADMIN); } -static bool prot_is_tcp(const struct protocol_variant *const prot) +static bool prot_is_inet_stream(const struct protocol_variant *const prot) { return (prot->domain == AF_INET || prot->domain == AF_INET6) && - prot->type == SOCK_STREAM && + prot->type == SOCK_STREAM; +} + +static bool prot_is_tcp(const struct protocol_variant *const prot) +{ + return prot_is_inet_stream(prot) && (prot->protocol == IPPROTO_TCP || prot->protocol == IPPROTO_IP); } +static bool prot_is_sctp(const struct protocol_variant *const prot) +{ + return prot_is_inet_stream(prot) && prot->protocol == IPPROTO_SCTP; +} + +static bool prot_is_unix_stream(const struct protocol_variant *const prot) +{ + return prot->domain == AF_UNIX && prot->type == SOCK_STREAM; +} + static bool is_restricted(const struct protocol_variant *const prot, const enum sandbox_type sandbox) { @@ -357,6 +372,17 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_mptcp) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_sctp) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + .protocol = IPPROTO_SCTP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_tcp1) { /* clang-format on */ @@ -391,6 +417,17 @@ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_mptcp) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv6_sctp) { + /* clang-format on */ + .sandbox = NO_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + .protocol = IPPROTO_SCTP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, no_sandbox_with_ipv4_udp) { /* clang-format on */ @@ -465,6 +502,17 @@ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_mptcp) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_sctp) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET, + .type = SOCK_STREAM, + .protocol = IPPROTO_SCTP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_tcp1) { /* clang-format on */ @@ -499,6 +547,17 @@ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_mptcp) { }, }; +/* clang-format off */ +FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv6_sctp) { + /* clang-format on */ + .sandbox = TCP_SANDBOX, + .prot = { + .domain = AF_INET6, + .type = SOCK_STREAM, + .protocol = IPPROTO_SCTP, + }, +}; + /* clang-format off */ FIXTURE_VARIANT_ADD(protocol, tcp_sandbox_with_ipv4_udp) { /* clang-format on */ @@ -793,7 +852,7 @@ TEST_F(protocol, bind_unspec) /* Allowed bind on AF_UNSPEC/INADDR_ANY. */ ret = bind_variant(bind_fd, &self->unspec_any0); - if (variant->prot.domain == AF_INET) { + if (variant->prot.domain == AF_INET && !prot_is_sctp(&variant->prot)) { EXPECT_EQ(0, ret) { TH_LOG("Failed to bind to unspec/any socket: %s", @@ -819,7 +878,7 @@ TEST_F(protocol, bind_unspec) /* Denied bind on AF_UNSPEC/INADDR_ANY. */ ret = bind_variant(bind_fd, &self->unspec_any0); - if (variant->prot.domain == AF_INET) { + if (variant->prot.domain == AF_INET && !prot_is_sctp(&variant->prot)) { if (is_restricted(&variant->prot, variant->sandbox)) { EXPECT_EQ(-EACCES, ret); } else { @@ -834,7 +893,7 @@ TEST_F(protocol, bind_unspec) bind_fd = socket_variant(&self->srv0); ASSERT_LE(0, bind_fd); ret = bind_variant(bind_fd, &self->unspec_srv0); - if (variant->prot.domain == AF_INET) { + if (variant->prot.domain == AF_INET && !prot_is_sctp(&variant->prot)) { EXPECT_EQ(-EAFNOSUPPORT, ret); } else { EXPECT_EQ(-EINVAL, ret) @@ -899,17 +958,18 @@ TEST_F(protocol, connect_unspec) /* Disconnects already connected socket, or set peer. */ ret = connect_variant(connect_fd, &self->unspec_any0); - if (self->srv0.protocol.domain == AF_UNIX && - self->srv0.protocol.type == SOCK_STREAM) { + if (prot_is_unix_stream(&variant->prot)) { EXPECT_EQ(-EINVAL, ret); + } else if (prot_is_sctp(&variant->prot)) { + EXPECT_EQ(-EOPNOTSUPP, ret); } else { EXPECT_EQ(0, ret); } /* Tries to reconnect, or set peer. */ ret = connect_variant(connect_fd, &self->srv0); - if (self->srv0.protocol.domain == AF_UNIX && - self->srv0.protocol.type == SOCK_STREAM) { + if (prot_is_unix_stream(&variant->prot) || + prot_is_sctp(&variant->prot)) { EXPECT_EQ(-EISCONN, ret); } else { EXPECT_EQ(0, ret); @@ -926,9 +986,10 @@ TEST_F(protocol, connect_unspec) } ret = connect_variant(connect_fd, &self->unspec_any0); - if (self->srv0.protocol.domain == AF_UNIX && - self->srv0.protocol.type == SOCK_STREAM) { + if (prot_is_unix_stream(&variant->prot)) { EXPECT_EQ(-EINVAL, ret); + } else if (prot_is_sctp(&variant->prot)) { + EXPECT_EQ(-EOPNOTSUPP, ret); } else { /* Always allowed to disconnect. */ EXPECT_EQ(0, ret);