From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
Jeff Xu <jeffxu@google.com>, Arnd Bergmann <arnd@arndb.de>,
Jorge Lucangeli Obes <jorgelo@chromium.org>,
Allen Webb <allenwebb@google.com>,
Dmitry Torokhov <dtor@google.com>,
Paul Moore <paul@paul-moore.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Matt Bobrowski <repnop@google.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v14 08/12] selftests/landlock: Exhaustive test for the IOCTL allow-list
Date: Thu, 18 Apr 2024 14:21:49 +0200 [thread overview]
Message-ID: <ZiEQXXXJnSiHrK1R@google.com> (raw)
In-Reply-To: <20240412.soo4theeseeY@digikod.net>
On Fri, Apr 12, 2024 at 05:18:06PM +0200, Mickaël Salaün wrote:
> On Fri, Apr 05, 2024 at 09:40:36PM +0000, Günther Noack wrote:
> > +static int ioctl_error(int fd, unsigned int cmd)
> > +{
> > + char buf[1024]; /* sufficiently large */
>
> Could we shrink a bit this buffer?
Shrunk to 128.
I'm also zeroing the buffer now, which was missing before,
to make the behaviour deterministic.
> > + int res = ioctl(fd, cmd, &buf);
> > +
> > + if (res < 0)
> > + return errno;
> > +
> > + return 0;
> > +}
> > +TEST_F_FORK(layout1, blanket_permitted_ioctls)
> > +{
> > + [...]
> > + /*
> > + * Checks permitted commands.
> > + * These ones may return errors, but should not be blocked by Landlock.
> > + */
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIOCLEX));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIONCLEX));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIONBIO));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIOASYNC));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIOQSIZE));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIFREEZE));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FITHAW));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_FIEMAP));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIGETBSZ));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FICLONE));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FICLONERANGE));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FIDEDUPERANGE));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_GETFSUUID));
> > + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_GETFSSYSFSPATH));
>
> Could we check for ENOTTY instead of !EACCES? /dev/null should be pretty
> stable.
The expected results are all over the place, unfortunately.
When I tried it, I got this:
EXPECT_EQ(0, ioctl_error(fd, FIOCLEX));
EXPECT_EQ(0, ioctl_error(fd, FIONCLEX));
EXPECT_EQ(0, ioctl_error(fd, FIONBIO));
EXPECT_EQ(0, ioctl_error(fd, FIOASYNC));
EXPECT_EQ(ENOTTY, ioctl_error(fd, FIOQSIZE));
EXPECT_EQ(EPERM, ioctl_error(fd, FIFREEZE));
EXPECT_EQ(EPERM, ioctl_error(fd, FITHAW));
EXPECT_EQ(EOPNOTSUPP, ioctl_error(fd, FS_IOC_FIEMAP));
EXPECT_EQ(0, ioctl_error(fd, FIGETBSZ));
EXPECT_EQ(EBADF, ioctl_error(fd, FICLONE));
EXPECT_EQ(EXDEV, ioctl_error(fd, FICLONERANGE)); // <----
EXPECT_EQ(EINVAL, ioctl_error(fd, FIDEDUPERANGE));
EXPECT_EQ(0, ioctl_error(fd, FS_IOC_GETFSUUID));
EXPECT_EQ(ENOTTY, ioctl_error(fd, FS_IOC_GETFSSYSFSPATH));
I find this difficult to read and it distracts from the main point, which
is that we got past the Landlock check which would have returned an EACCES.
I spotted an additional problem with FICLONERANGE -- when we pass a
zero-initialized buffer to that IOCTL, it'll interpret some of these zeros
to refer to file descriptor 0 (stdin)... and what that means is not
controlled by the test - the error code can change depending on what that
FD is. (I don't want to start filling in all these structs individually.)
The only thing that really matters to us is that the result is not EACCES
(==> we have gotten past the Landlock policy check). Testing the exact
behaviour of all of these IOCTLs is maybe stepping too much on the turf of
these IOCTL implementations and making the test more brittle towards
cahnges unrelated to Landlock than they need to be [1].
So, if you are OK with that, I would prefer to keep these checks using
EXPECT_NE(EACCES, ...).
—Günther
[1] https://abseil.io/resources/swe-book/html/ch12.html has a discussion on
why to avoid brittle tests (written about Google, but applicable here
as well, IMHO)
next prev parent reply other threads:[~2024-04-18 12:21 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-05 21:40 [PATCH v14 00/12] Landlock: IOCTL support Günther Noack
2024-04-05 21:40 ` [PATCH v14 01/12] fs: Return ENOTTY directly if FS_IOC_GETUUID or FS_IOC_GETFSSYSFSPATH fail Günther Noack
2024-04-05 21:54 ` Kent Overstreet
2024-04-09 10:08 ` (subset) " Christian Brauner
2024-04-09 12:11 ` Mickaël Salaün
2024-04-12 15:17 ` Mickaël Salaün
2024-04-05 21:40 ` [PATCH v14 02/12] landlock: Add IOCTL access right for character and block devices Günther Noack
2024-04-12 15:16 ` Mickaël Salaün
2024-04-18 9:28 ` Günther Noack
2024-04-19 5:43 ` Mickaël Salaün
2024-04-05 21:40 ` [PATCH v14 03/12] selftests/landlock: Test IOCTL support Günther Noack
2024-04-12 15:17 ` Mickaël Salaün
2024-04-18 11:10 ` Günther Noack
2024-04-19 5:44 ` Mickaël Salaün
2024-04-19 14:06 ` Günther Noack
2024-04-05 21:40 ` [PATCH v14 04/12] selftests/landlock: Test IOCTL with memfds Günther Noack
2024-04-05 21:40 ` [PATCH v14 05/12] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
2024-04-05 21:40 ` [PATCH v14 06/12] selftests/landlock: Test IOCTLs on named pipes Günther Noack
2024-04-05 21:40 ` [PATCH v14 07/12] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets Günther Noack
2024-04-12 15:17 ` Mickaël Salaün
2024-04-18 11:24 ` Günther Noack
2024-04-05 21:40 ` [PATCH v14 08/12] selftests/landlock: Exhaustive test for the IOCTL allow-list Günther Noack
2024-04-12 15:18 ` Mickaël Salaün
2024-04-18 12:21 ` Günther Noack [this message]
2024-04-19 5:44 ` Mickaël Salaün
2024-04-19 14:49 ` Günther Noack
2024-04-05 21:40 ` [PATCH v14 09/12] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV Günther Noack
2024-04-05 21:40 ` [PATCH v14 10/12] landlock: Document IOCTL support Günther Noack
2024-04-05 21:40 ` [PATCH v14 11/12] MAINTAINERS: Notify Landlock maintainers about changes to fs/ioctl.c Günther Noack
2024-04-05 21:40 ` [PATCH v14 12/12] fs/ioctl: Add a comment to keep the logic in sync with LSM policies Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZiEQXXXJnSiHrK1R@google.com \
--to=gnoack@google.com \
--cc=allenwebb@google.com \
--cc=arnd@arndb.de \
--cc=dtor@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.