From: "Mickaël Salaün" <mic@digikod.net>
To: Tingmao Wang <m@maowtm.org>,
Brendan Higgins <brendan.higgins@linux.dev>,
David Gow <davidgow@google.com>, Rae Moar <rmoar@google.com>,
Alessandro Carminati <acarmina@redhat.com>,
Guenter Roeck <linux@roeck-us.net>,
Andrew Morton <akpm@linux-foundation.org>
Cc: audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com,
"Günther Noack" <gnoack@google.com>
Subject: Re: [PATCH v7 09/28] landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials
Date: Fri, 28 Mar 2025 11:33:21 +0100 [thread overview]
Message-ID: <20250328.Ahc0thi6CaiJ@digikod.net> (raw)
In-Reply-To: <20250327213807.12964-1-m@maowtm.org>
On Thu, Mar 27, 2025 at 09:38:05PM +0000, Tingmao Wang wrote:
> Hi Mickaël,
Hi, thanks for the report.
>
> On 3/20/25 19:06, Mickaël Salaün wrote:
> [...]
> > +static struct landlock_hierarchy *
> > +get_hierarchy(const struct landlock_ruleset *const domain, const size_t layer)
> > +{
> > + struct landlock_hierarchy *hierarchy = domain->hierarchy;
> > + ssize_t i;
> > +
> > + if (WARN_ON_ONCE(layer >= domain->num_layers))
> > + return hierarchy;
> > +
> > + for (i = domain->num_layers - 1; i > layer; i--) {
> > + if (WARN_ON_ONCE(!hierarchy->parent))
> > + break;
> > +
> > + hierarchy = hierarchy->parent;
> > + }
> > +
> > + return hierarchy;
> > +}
> > +
> > +#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
> > +
> > +static void test_get_hierarchy(struct kunit *const test)
> > +{
> > + struct landlock_hierarchy dom0_hierarchy = {
> > + .id = 10,
> > + };
> > + struct landlock_hierarchy dom1_hierarchy = {
> > + .parent = &dom0_hierarchy,
> > + .id = 20,
> > + };
> > + struct landlock_hierarchy dom2_hierarchy = {
> > + .parent = &dom1_hierarchy,
> > + .id = 30,
> > + };
> > + struct landlock_ruleset dom2 = {
> > + .hierarchy = &dom2_hierarchy,
> > + .num_layers = 3,
> > + };
> > +
> > + KUNIT_EXPECT_EQ(test, 10, get_hierarchy(&dom2, 0)->id);
> > + KUNIT_EXPECT_EQ(test, 20, get_hierarchy(&dom2, 1)->id);
> > + KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, 2)->id);
> > + KUNIT_EXPECT_EQ(test, 30, get_hierarchy(&dom2, -1)->id);
>
> This causes a warning from WARN_ON_ONCE(layer >= domain->num_layers)
> when running this test, I guess because layer is unsigned.
Interestingly this doesn't make the test to fail (because the result is
still correct), nor to show up when using tools/testing/kunit/kunit.py,
which is why I didn't see that.
> Should it
> be ssize_t, if this is an expected usage?
The get_hierarchy() code is correct, and the KUnit test is correct too.
Using a ssize_t would introduce a bug.
The issue is that I wanted to test a case that should never happen,
hence the WARN_ON_ONCE().
I guess the best "fix" for now would be to remove the KUnit test with
-1, but there is a new KUnit feature to hide this kind of warning:
https://lore.kernel.org/linux-kselftest/20250313114329.284104-1-acarmina@redhat.com/
It is currently in linux-next, but I'm not sure it will be merged in
Linux 6.15 .
For now I'll keep this commit but I'll send a fix/update to either
remove the test or use the new DEFINE_SUPPRESSED_WARNING macros
depending on its merge status.
>
> ------------[ cut here ]------------
> WARNING: CPU: 7 PID: 145 at security/landlock/audit.c:142 get_hierarchy (security/landlock/audit.c:142)
> Modules linked in:
> CPU: 7 UID: 0 PID: 145 Comm: kunit_try_catch Tainted: G N 6.14.0-next-20250326-dev-00004-g4e57edc3e062-dirty #5 PREEMPT(undef)
> Tainted: [N]=TEST
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:get_hierarchy (security/landlock/audit.c:142)
> Code: 83 e8 02 e8 18 00 84 c0 75 02 0f 0b 48 83 c4 08 48 89 d8 5b 41 5c 41 5e 5d c3 48 c7 c7 00 f3 21 83 e8 e2 e7 18 00 84 c0 75 e2 <0f> 0b eb de 48 89 75 e0 e8 a1 a9 a7 ff 48 8b 75 e0 e9 76 ff ff ff
> // snip //
> Call Trace:
> <TASK>
> test_get_hierarchy (security/landlock/audit.c:178 (discriminator 5))
> ? test_get_denied_layer (security/landlock/audit.c:158)
> ? lock_repin_lock (kernel/locking/lockdep.c:5649 kernel/locking/lockdep.c:5978)
> ? __lock_acquire (kernel/locking/lockdep.c:4675 kernel/locking/lockdep.c:5189)
> ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194)
> ? find_held_lock (kernel/locking/lockdep.c:5348)
> ? trace_irq_enable (./include/trace/events/preemptirq.h:40 (discriminator 17))
> ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:80)
> ? kvm_clock_get_cycles (./arch/x86/include/asm/preempt.h:95 arch/x86/kernel/kvmclock.c:80 arch/x86/kernel/kvmclock.c:86)
> ? ktime_get_ts64 (kernel/time/timekeeping.c:318 (discriminator 4) kernel/time/timekeeping.c:335 (discriminator 4) kernel/time/timekeeping.c:907 (discriminator 4))
> kunit_try_run_case (lib/kunit/test.c:400 lib/kunit/test.c:443)
> ? kunit_try_run_case_cleanup (lib/kunit/test.c:430)
>
>
next prev parent reply other threads:[~2025-03-28 10:40 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 19:06 [PATCH v7 00/28] Landlock audit support Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 01/28] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2025-03-25 19:35 ` Günther Noack
2025-03-20 19:06 ` [PATCH v7 02/28] landlock: Add unique ID generator Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 03/28] landlock: Move domain hierarchy management Mickaël Salaün
2025-03-25 19:37 ` Günther Noack
2025-03-20 19:06 ` [PATCH v7 04/28] landlock: Prepare to use credential instead of domain for filesystem Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 05/28] landlock: Prepare to use credential instead of domain for network Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 06/28] landlock: Prepare to use credential instead of domain for scope Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 07/28] landlock: Prepare to use credential instead of domain for fowner Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 08/28] landlock: Identify domain execution crossing Mickaël Salaün
2025-03-20 19:06 ` [PATCH v7 09/28] landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials Mickaël Salaün
2025-03-27 21:38 ` Tingmao Wang
2025-03-28 10:33 ` Mickaël Salaün [this message]
2025-03-20 19:06 ` [PATCH v7 10/28] landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 11/28] landlock: Log mount-related denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 12/28] landlock: Log file-related denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 13/28] landlock: Factor out IOCTL hooks Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 14/28] landlock: Log truncate and IOCTL denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 15/28] landlock: Log TCP bind and connect denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 16/28] landlock: Log scoped denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 17/28] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 18/28] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 19/28] samples/landlock: Enable users to log sandbox denials Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 20/28] selftests/landlock: Add test for invalid ruleset file descriptor Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 21/28] selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 22/28] selftests/landlock: Add tests for audit flags and domain IDs Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 23/28] selftests/landlock: Test audit with restrict flags Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 24/28] selftests/landlock: Add audit tests for ptrace Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 25/28] selftests/landlock: Add audit tests for abstract UNIX socket scoping Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 26/28] selftests/landlock: Add audit tests for filesystem Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 27/28] selftests/landlock: Add audit tests for network Mickaël Salaün
2025-03-20 19:07 ` [PATCH v7 28/28] landlock: Add audit documentation Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250328.Ahc0thi6CaiJ@digikod.net \
--to=mic@digikod.net \
--cc=acarmina@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=audit@vger.kernel.org \
--cc=brendan.higgins@linux.dev \
--cc=davidgow@google.com \
--cc=gnoack@google.com \
--cc=kunit-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=m@maowtm.org \
--cc=rmoar@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox