* [LTP] [PATCH v2 0/4] landlock network coverage support
@ 2024-11-05 9:34 Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
` (3 more replies)
0 siblings, 4 replies; 21+ messages in thread
From: Andrea Cervesato @ 2024-11-05 9:34 UTC (permalink / raw)
To: ltp
This testing suite is meant to test the landlock network support.
The landlock fallback had to be modified in order to support ABI v4
which changed the landlock rules structures. Also, a new test has been
added in landlock08, testing bind() and connect() syscalls support.
A few error checks have been added in the landlock02 test.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v2:
- check for LANDLOCK_RULE_NET_PORT symbol via autoconf
- split landlock_ruleset_attr for abi1 and abi4
- Link to v1: https://lore.kernel.org/r/20240919-landlock_network-v1-0-9c997f03bd0a@suse.com
---
Andrea Cervesato (4):
Fallback landlock network support
Network helpers in landlock suite common functions
Add landlock08 test
Add error coverage for landlock network support
configure.ac | 3 +-
include/lapi/capability.h | 4 +
include/lapi/landlock.h | 28 +--
runtest/syscalls | 1 +
testcases/kernel/syscalls/landlock/.gitignore | 1 +
testcases/kernel/syscalls/landlock/landlock01.c | 15 +-
testcases/kernel/syscalls/landlock/landlock02.c | 94 ++++++++--
testcases/kernel/syscalls/landlock/landlock03.c | 6 +-
testcases/kernel/syscalls/landlock/landlock04.c | 6 +-
testcases/kernel/syscalls/landlock/landlock05.c | 10 +-
testcases/kernel/syscalls/landlock/landlock06.c | 14 +-
testcases/kernel/syscalls/landlock/landlock07.c | 6 +-
testcases/kernel/syscalls/landlock/landlock08.c | 208 +++++++++++++++++++++
.../kernel/syscalls/landlock/landlock_common.h | 134 ++++++++++++-
14 files changed, 456 insertions(+), 74 deletions(-)
---
base-commit: 5746e25935a81043d7971d54038636b26355cd0f
change-id: 20240916-landlock_network-b4bb45fde72b
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 9:34 [LTP] [PATCH v2 0/4] landlock network coverage support Andrea Cervesato
@ 2024-11-05 9:34 ` Andrea Cervesato
2024-11-05 12:31 ` Li Wang
2024-11-05 13:08 ` Cyril Hrubis
2024-11-05 9:34 ` [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions Andrea Cervesato
` (2 subsequent siblings)
3 siblings, 2 replies; 21+ messages in thread
From: Andrea Cervesato @ 2024-11-05 9:34 UTC (permalink / raw)
To: ltp
From: Andrea Cervesato <andrea.cervesato@suse.com>
Landlock network support has been added in the ABI v4, adding features
for bind() and connect() syscalls. It also defined one more member in
the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
build landlock testing suite. For this reason, we introduce
tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4
ruleset_attr definitions.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
configure.ac | 3 ++-
include/lapi/capability.h | 4 ++++
include/lapi/landlock.h | 28 ++++++++++++----------
testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
.../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
11 files changed, 53 insertions(+), 59 deletions(-)
diff --git a/configure.ac b/configure.ac
index d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
AC_PREFIX_DEFAULT(/opt/ltp)
AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
+AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include <linux/landlock.h>])
+AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include <linux/landlock.h>])
AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include <linux/netfilter/nf_tables.h>])
AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include <sys/prctl.h>])
@@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
])
AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
-AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include <linux/if_alg.h>])
AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error,
diff --git a/include/lapi/capability.h b/include/lapi/capability.h
index 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0 100644
--- a/include/lapi/capability.h
+++ b/include/lapi/capability.h
@@ -20,6 +20,10 @@
# endif
#endif
+#ifndef CAP_NET_BIND_SERVICE
+# define CAP_NET_BIND_SERVICE 10
+#endif
+
#ifndef CAP_NET_RAW
# define CAP_NET_RAW 13
#endif
diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
index 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec 100644
--- a/include/lapi/landlock.h
+++ b/include/lapi/landlock.h
@@ -7,6 +7,7 @@
#define LAPI_LANDLOCK_H__
#include "config.h"
+#include <stdint.h>
#ifdef HAVE_LINUX_LANDLOCK_H
# include <linux/landlock.h>
@@ -14,13 +15,16 @@
#include "lapi/syscalls.h"
-#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
-struct landlock_ruleset_attr
+struct tst_landlock_ruleset_attr_abi1
+{
+ uint64_t handled_access_fs;
+};
+
+struct tst_landlock_ruleset_attr_abi4
{
uint64_t handled_access_fs;
uint64_t handled_access_net;
};
-#endif
#ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
struct landlock_path_beneath_attr
@@ -30,12 +34,12 @@ struct landlock_path_beneath_attr
} __attribute__((packed));
#endif
-#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
-enum landlock_rule_type
-{
- LANDLOCK_RULE_PATH_BENEATH = 1,
- LANDLOCK_RULE_NET_PORT,
-};
+#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
+# define LANDLOCK_RULE_PATH_BENEATH 1
+#endif
+
+#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
+# define LANDLOCK_RULE_NET_PORT 2
#endif
#ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
@@ -123,8 +127,7 @@ struct landlock_net_port_attr
#endif
static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
- const struct landlock_ruleset_attr *attr,
- size_t size , uint32_t flags)
+ const void *attr, size_t size , uint32_t flags)
{
int rval;
@@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen
}
static inline int safe_landlock_add_rule(const char *file, const int lineno,
- int ruleset_fd, enum landlock_rule_type rule_type,
- const void *rule_attr, uint32_t flags)
+ int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags)
{
int rval;
diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c
index 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae 100644
--- a/testcases/kernel/syscalls/landlock/landlock01.c
+++ b/testcases/kernel/syscalls/landlock/landlock01.c
@@ -17,14 +17,14 @@
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
-static struct landlock_ruleset_attr *null_attr;
+static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi4 *null_attr;
static size_t rule_size;
static size_t rule_small_size;
static size_t rule_big_size;
static struct tcase {
- struct landlock_ruleset_attr **attr;
+ struct tst_landlock_ruleset_attr_abi4 **attr;
uint64_t access_fs;
size_t *size;
uint32_t flags;
@@ -60,13 +60,8 @@ static void setup(void)
{
verify_landlock_is_enabled();
- rule_size = sizeof(struct landlock_ruleset_attr);
-
-#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
+ rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4);
rule_small_size = rule_size - sizeof(uint64_t) - 1;
-#else
- rule_small_size = rule_size - 1;
-#endif
rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1;
}
@@ -77,7 +72,7 @@ static struct tst_test test = {
.setup = setup,
.needs_root = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
index 1a3df69c9cc3eda98e28cfbfd1e12c57e26d0128..8566d407f6d17ab367695125f07d0a80cf4130e5 100644
--- a/testcases/kernel/syscalls/landlock/landlock02.c
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -20,7 +20,7 @@
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static struct landlock_path_beneath_attr *rule_null;
static int ruleset_fd;
@@ -93,7 +93,7 @@ static void run(unsigned int n)
}
TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
- *tc->fd, tc->rule_type, *tc->attr, tc->flags),
+ *tc->fd, tc->rule_type, *tc->attr, tc->flags),
tc->exp_errno,
"%s",
tc->msg);
@@ -106,7 +106,7 @@ static void setup(void)
ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
}
static void cleanup(void)
@@ -122,7 +122,7 @@ static struct tst_test test = {
.cleanup = cleanup,
.needs_root = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c
index 224482255b287cef64f579b5707a92a6b5908f8b..150c8cc4e50ee1b41af3c8c01771c51a8715746f 100644
--- a/testcases/kernel/syscalls/landlock/landlock03.c
+++ b/testcases/kernel/syscalls/landlock/landlock03.c
@@ -21,7 +21,7 @@
#define MAX_STACKED_RULESETS 16
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static int ruleset_fd = -1;
static int ruleset_invalid = -1;
static int file_fd = -1;
@@ -89,7 +89,7 @@ static void setup(void)
ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777);
}
@@ -112,7 +112,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c
index e9dedd45091ecd15cdce2fa7227bbfceb14abb5e..2485591e2196072f81708fc10cebd382e536e2a9 100644
--- a/testcases/kernel/syscalls/landlock/landlock04.c
+++ b/testcases/kernel/syscalls/landlock/landlock04.c
@@ -15,7 +15,7 @@
#include "landlock_tester.h"
#include "tst_safe_stdio.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static int ruleset_fd = -1;
@@ -153,7 +153,7 @@ static void setup(void)
ruleset_attr->handled_access_fs = tester_get_all_fs_rules();
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0);
/* since our binary is dynamically linked, we need to enable dependences
* to be read and executed
@@ -192,7 +192,7 @@ static struct tst_test test = {
NULL,
},
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c
index 703f7d81c336907f360acbe45b42720dc12bac23..3d5048f0ab51b2d7c3eedc82ef80c04935ac5d86 100644
--- a/testcases/kernel/syscalls/landlock/landlock05.c
+++ b/testcases/kernel/syscalls/landlock/landlock05.c
@@ -28,7 +28,7 @@
#define FILENAME2 DIR2"/file"
#define FILENAME3 DIR3"/file"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static void run(void)
@@ -68,15 +68,15 @@ static void setup(void)
LANDLOCK_ACCESS_FS_REFER;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0);
- apply_landlock_rule(
+ apply_landlock_fs_rule(
path_beneath_attr,
ruleset_fd,
LANDLOCK_ACCESS_FS_REFER,
DIR1);
- apply_landlock_rule(
+ apply_landlock_fs_rule(
path_beneath_attr,
ruleset_fd,
LANDLOCK_ACCESS_FS_REFER,
@@ -93,7 +93,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c
index 1a6e59241557db23b23beabf9863a9c51353757a..74237d11657054985f06431467fbb161ded0c1b6 100644
--- a/testcases/kernel/syscalls/landlock/landlock06.c
+++ b/testcases/kernel/syscalls/landlock/landlock06.c
@@ -18,7 +18,7 @@
#define MNTPOINT "sandbox"
#define FILENAME MNTPOINT"/fifo"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static int file_fd = -1;
static int dev_fd = -1;
@@ -42,8 +42,6 @@ static void run(void)
static void setup(void)
{
- int ruleset_fd;
-
if (verify_landlock_is_enabled() < 5)
tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not supported");
@@ -56,17 +54,13 @@ static void setup(void)
ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
- ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
-
- apply_landlock_layer(
+ apply_landlock_fs_layer(
ruleset_attr,
+ sizeof(struct tst_landlock_ruleset_attr_abi1),
path_beneath_attr,
MNTPOINT,
LANDLOCK_ACCESS_FS_IOCTL_DEV
);
-
- SAFE_CLOSE(ruleset_fd);
}
static void cleanup(void)
@@ -85,7 +79,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c
index 6115ad53876209051952873679eb96014b4dd805..8ee614856312d55e573e18f88a6690b50497ee8b 100644
--- a/testcases/kernel/syscalls/landlock/landlock07.c
+++ b/testcases/kernel/syscalls/landlock/landlock07.c
@@ -25,7 +25,7 @@
#include "lapi/prctl.h"
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
static int ruleset_fd;
static pid_t spawn_houdini(void)
@@ -77,7 +77,7 @@ static void setup(void)
ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
ruleset_attr,
- sizeof(struct landlock_ruleset_attr),
+ sizeof(struct tst_landlock_ruleset_attr_abi1),
0);
}
@@ -93,7 +93,7 @@ static struct tst_test test = {
.cleanup = cleanup,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index da91daeab7b3def7184f611a90273419e4cfa6f2..f3096f4bf15f155f2a00b39c461d0805a76306e5 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void)
return abi;
}
-static inline void apply_landlock_rule(
+static inline void apply_landlock_fs_rule(
struct landlock_path_beneath_attr *path_beneath_attr,
const int ruleset_fd,
const int access,
@@ -57,21 +57,19 @@ static inline void enforce_ruleset(const int ruleset_fd)
SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0);
}
-static inline void apply_landlock_layer(
- struct landlock_ruleset_attr *ruleset_attr,
+static inline void apply_landlock_fs_layer(
+ void *ruleset_attr, size_t attr_size,
struct landlock_path_beneath_attr *path_beneath_attr,
const char *path,
const int access)
{
int ruleset_fd;
- ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0);
- apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path);
+ apply_landlock_fs_rule(path_beneath_attr, ruleset_fd, access, path);
enforce_ruleset(ruleset_fd);
SAFE_CLOSE(ruleset_fd);
}
-
#endif /* LANDLOCK_COMMON_H__ */
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions
2024-11-05 9:34 [LTP] [PATCH v2 0/4] landlock network coverage support Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
@ 2024-11-05 9:34 ` Andrea Cervesato
2024-11-05 15:27 ` Cyril Hrubis
2024-11-05 9:34 ` [LTP] [PATCH v2 3/4] Add landlock08 test Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 4/4] Add error coverage for landlock network support Andrea Cervesato
3 siblings, 1 reply; 21+ messages in thread
From: Andrea Cervesato @ 2024-11-05 9:34 UTC (permalink / raw)
To: ltp
From: Andrea Cervesato <andrea.cervesato@suse.com>
Landlock suite helpers functions don't support network features. This
patch adds apply_landlock_net_layer() helper that can be used to apply a
network landlock rule in the current sandbox.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
.../kernel/syscalls/landlock/landlock_common.h | 124 +++++++++++++++++++++
1 file changed, 124 insertions(+)
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index f3096f4bf15f155f2a00b39c461d0805a76306e5..d55f2a2576968a89fbeca6bb2a56c6c2700729fa 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -11,6 +11,16 @@
#include "lapi/fcntl.h"
#include "lapi/landlock.h"
+#define IPV4_ADDRESS "127.0.0.1"
+#define IPV6_ADDRESS "::1"
+
+struct socket_data {
+ struct sockaddr_in addr_ipv4;
+ struct sockaddr_in6 addr_ipv6;
+ size_t address_size;
+ int fd;
+};
+
static inline int verify_landlock_is_enabled(void)
{
int abi;
@@ -51,6 +61,22 @@ static inline void apply_landlock_fs_rule(
SAFE_CLOSE(path_beneath_attr->parent_fd);
}
+static inline void apply_landlock_net_rule(
+ struct landlock_net_port_attr *net_attr,
+ const int ruleset_fd,
+ const uint64_t port,
+ const uint64_t access)
+{
+ net_attr->port = port;
+ net_attr->allowed_access = access;
+
+ SAFE_LANDLOCK_ADD_RULE(
+ ruleset_fd,
+ LANDLOCK_RULE_NET_PORT,
+ net_attr,
+ 0);
+}
+
static inline void enforce_ruleset(const int ruleset_fd)
{
SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
@@ -72,4 +98,102 @@ static inline void apply_landlock_fs_layer(
SAFE_CLOSE(ruleset_fd);
}
+
+static inline void apply_landlock_net_layer(
+ void *ruleset_attr, size_t attr_size,
+ struct landlock_net_port_attr *net_port_attr,
+ const in_port_t port,
+ const uint64_t access)
+{
+ int ruleset_fd;
+
+ ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0);
+
+ apply_landlock_net_rule(net_port_attr, ruleset_fd, port, access);
+ enforce_ruleset(ruleset_fd);
+
+ SAFE_CLOSE(ruleset_fd);
+}
+
+static inline in_port_t getsocket_port(struct socket_data *socket,
+ const int addr_family)
+{
+ struct sockaddr_in addr_ipv4;
+ struct sockaddr_in6 addr_ipv6;
+ socklen_t len;
+ in_port_t port = 0;
+
+ switch (addr_family) {
+ case AF_INET:
+ len = sizeof(addr_ipv4);
+ memset(&addr_ipv4, 0, len);
+
+ SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv4, &len);
+ port = ntohs(addr_ipv4.sin_port);
+ break;
+ case AF_INET6:
+ len = sizeof(addr_ipv6);
+ memset(&addr_ipv6, 0, len);
+
+ SAFE_GETSOCKNAME(socket->fd, (struct sockaddr *)&addr_ipv6, &len);
+ port = ntohs(addr_ipv6.sin6_port);
+ break;
+ default:
+ tst_brk(TBROK, "Unsupported protocol");
+ break;
+ };
+
+ return port;
+}
+
+static inline void create_socket(struct socket_data *socket,
+ const int addr_family, const in_port_t port)
+{
+ memset(socket, 0, sizeof(struct socket_data));
+
+ switch (addr_family) {
+ case AF_INET:
+ if (!port) {
+ tst_init_sockaddr_inet_bin(&socket->addr_ipv4,
+ INADDR_ANY, 0);
+ } else {
+ tst_init_sockaddr_inet(&socket->addr_ipv4,
+ IPV4_ADDRESS, port);
+ }
+
+ socket->address_size = sizeof(struct sockaddr_in);
+ break;
+ case AF_INET6:
+ if (!port) {
+ tst_init_sockaddr_inet6_bin(&socket->addr_ipv6,
+ &in6addr_any, 0);
+ } else {
+ tst_init_sockaddr_inet6(&socket->addr_ipv6,
+ IPV6_ADDRESS, port);
+ }
+
+ socket->address_size = sizeof(struct sockaddr_in6);
+ break;
+ default:
+ tst_brk(TBROK, "Unsupported protocol");
+ return;
+ };
+
+ socket->fd = SAFE_SOCKET(addr_family, SOCK_STREAM | SOCK_CLOEXEC, 0);
+}
+
+static inline void getsocket_addr(struct socket_data *socket,
+ const int addr_family, struct sockaddr **addr)
+{
+ switch (addr_family) {
+ case AF_INET:
+ *addr = (struct sockaddr *)&socket->addr_ipv4;
+ break;
+ case AF_INET6:
+ *addr = (struct sockaddr *)&socket->addr_ipv6;
+ break;
+ default:
+ break;
+ };
+}
#endif /* LANDLOCK_COMMON_H__ */
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [LTP] [PATCH v2 3/4] Add landlock08 test
2024-11-05 9:34 [LTP] [PATCH v2 0/4] landlock network coverage support Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions Andrea Cervesato
@ 2024-11-05 9:34 ` Andrea Cervesato
2024-11-05 15:26 ` Cyril Hrubis
2024-11-05 9:34 ` [LTP] [PATCH v2 4/4] Add error coverage for landlock network support Andrea Cervesato
3 siblings, 1 reply; 21+ messages in thread
From: Andrea Cervesato @ 2024-11-05 9:34 UTC (permalink / raw)
To: ltp
From: Andrea Cervesato <andrea.cervesato@suse.com>
Verify the landlock support for bind()/connect() syscalls in IPV4
and IPV6 protocols. In particular, check that bind() is assigning
the address only on the TCP port enforced by
LANDLOCK_ACCESS_NET_BIND_TCP and check that connect() is connecting
only to a specific TCP port enforced by
LANDLOCK_ACCESS_NET_CONNECT_TCP.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/landlock/.gitignore | 1 +
testcases/kernel/syscalls/landlock/landlock08.c | 208 ++++++++++++++++++++++++
3 files changed, 210 insertions(+)
diff --git a/runtest/syscalls b/runtest/syscalls
index 7dc308fa88486b9ace80ef0d906201dd407dcf3e..5fd62617df1a116b1d94c57ff30f74693320a2ab 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -708,6 +708,7 @@ landlock04 landlock04
landlock05 landlock05
landlock06 landlock06
landlock07 landlock07
+landlock08 landlock08
lchown01 lchown01
lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index db11bff2fe245d462e5b7e5691a9eb2ee2305aab..fc7317394948c4ac20cd14c3cd7ba7a47282b2bf 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -6,3 +6,4 @@ landlock04
landlock05
landlock06
landlock07
+landlock08
diff --git a/testcases/kernel/syscalls/landlock/landlock08.c b/testcases/kernel/syscalls/landlock/landlock08.c
new file mode 100644
index 0000000000000000000000000000000000000000..7bc3f0f8d81730659a66c268fdad1981ae90aea6
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock08.c
@@ -0,0 +1,208 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * Verify the landlock support for bind()/connect() syscalls in IPV4 and IPV6
+ * protocols. In particular, check that bind() is assigning the address only on
+ * the TCP port enforced by LANDLOCK_ACCESS_NET_BIND_TCP and check that
+ * connect() is connecting only to a specific TCP port enforced by
+ * LANDLOCK_ACCESS_NET_CONNECT_TCP.
+ *
+ * [Algorithm]
+ *
+ * Repeat the following procedure for IPV4 and IPV6:
+ *
+ * - create a socket on PORT1, bind() it and check if it passes
+ * - enforce the current sandbox with LANDLOCK_ACCESS_NET_BIND_TCP on PORT1
+ * - create a socket on PORT1, bind() it and check if it passes
+ * - create a socket on PORT2, bind() it and check if it fails
+ *
+ * - create a server listening on PORT1
+ * - create a socket on PORT1, connect() to it and check if it passes
+ * - enforce the current sandbox with LANDLOCK_ACCESS_NET_CONNECT_TCP on PORT1
+ * - create a socket on PORT1, connect() to it and check if it passes
+ * - create a socket on PORT2, connect() to it and check if it fails
+ */
+
+#include "landlock_common.h"
+
+#define ADDRESS_PORT 0x7c90
+
+static int variants[] = {
+ AF_INET,
+ AF_INET6,
+};
+
+static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
+static struct landlock_net_port_attr *net_port_attr;
+static in_port_t *server_port;
+
+static void create_server(const int addr_family)
+{
+ struct socket_data socket;
+ struct sockaddr *addr = NULL;
+
+ create_socket(&socket, addr_family, 0);
+ getsocket_addr(&socket, addr_family, &addr);
+
+ SAFE_BIND(socket.fd, addr, socket.address_size);
+ SAFE_LISTEN(socket.fd, 1);
+
+ *server_port = getsocket_port(&socket, addr_family);
+
+ tst_res(TDEBUG, "Server listening on port %u", *server_port);
+
+ TST_CHECKPOINT_WAKE_AND_WAIT(0);
+
+ SAFE_CLOSE(socket.fd);
+}
+
+static void test_bind(const int addr_family, const in_port_t port,
+ const int exp_err)
+{
+ struct socket_data socket;
+ struct sockaddr *addr = NULL;
+
+ create_socket(&socket, addr_family, port);
+ getsocket_addr(&socket, addr_family, &addr);
+
+ if (exp_err) {
+ TST_EXP_FAIL(
+ bind(socket.fd, addr, socket.address_size),
+ exp_err, "bind() access on port %u", port);
+ } else {
+ TST_EXP_PASS(
+ bind(socket.fd, addr, socket.address_size),
+ "bind() access on port %u", port);
+ }
+
+ SAFE_CLOSE(socket.fd);
+}
+
+static void test_connect(const int addr_family, const in_port_t port,
+ const int exp_err)
+{
+ struct socket_data socket;
+ struct sockaddr *addr = NULL;
+
+ create_socket(&socket, addr_family, port);
+ getsocket_addr(&socket, addr_family, &addr);
+
+ if (exp_err) {
+ TST_EXP_FAIL(
+ connect(socket.fd, addr, socket.address_size),
+ exp_err, "connect() on port %u", port);
+ } else {
+ TST_EXP_PASS(
+ connect(socket.fd, addr, socket.address_size),
+ "connect() on port %u", port);
+ }
+
+ SAFE_CLOSE(socket.fd);
+}
+
+static void run(void)
+{
+ int addr_family = variants[tst_variant];
+
+ tst_res(TINFO, "Using %s protocol",
+ addr_family == AF_INET ? "IPV4" : "IPV6");
+
+ if (!SAFE_FORK()) {
+ create_server(addr_family);
+ exit(0);
+ }
+
+ TST_CHECKPOINT_WAIT(0);
+
+ /* verify bind() syscall accessibility */
+ if (!SAFE_FORK()) {
+ ruleset_attr->handled_access_net =
+ LANDLOCK_ACCESS_NET_BIND_TCP;
+
+ test_bind(addr_family, ADDRESS_PORT, 0);
+
+ tst_res(TINFO, "Enable bind() access only for port %u",
+ ADDRESS_PORT);
+
+ apply_landlock_net_layer(
+ ruleset_attr,
+ sizeof(struct tst_landlock_ruleset_attr_abi4),
+ net_port_attr,
+ ADDRESS_PORT,
+ LANDLOCK_ACCESS_NET_BIND_TCP);
+
+ test_bind(addr_family, ADDRESS_PORT, 0);
+ test_bind(addr_family, ADDRESS_PORT + 0x80, EACCES);
+
+ exit(0);
+ }
+
+ /* verify connect() syscall accessibility */
+ if (!SAFE_FORK()) {
+ ruleset_attr->handled_access_net =
+ LANDLOCK_ACCESS_NET_CONNECT_TCP;
+
+ test_connect(addr_family, *server_port, 0);
+
+ tst_res(TINFO, "Enable connect() access only on port %u",
+ *server_port);
+
+ apply_landlock_net_layer(
+ ruleset_attr,
+ sizeof(struct tst_landlock_ruleset_attr_abi4),
+ net_port_attr,
+ *server_port,
+ LANDLOCK_ACCESS_NET_CONNECT_TCP);
+
+ test_connect(addr_family, *server_port, 0);
+ test_connect(addr_family, *server_port + 0x80, EACCES);
+
+ TST_CHECKPOINT_WAKE(0);
+
+ exit(0);
+ }
+}
+
+static void setup(void)
+{
+ if (verify_landlock_is_enabled() < 4)
+ tst_brk(TCONF, "Landlock network is not supported");
+
+ server_port = SAFE_MMAP(NULL, sizeof(in_port_t), PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+static void cleanup(void)
+{
+ if (server_port)
+ SAFE_MUNMAP(server_port, sizeof(in_port_t));
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_root = 1,
+ .needs_checkpoints = 1,
+ .forks_child = 1,
+ .test_variants = ARRAY_SIZE(variants),
+ .bufs = (struct tst_buffers[]) {
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)},
+ {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)},
+ {},
+ },
+ .caps = (struct tst_cap []) {
+ TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+ TST_CAP(TST_CAP_REQ, CAP_NET_BIND_SERVICE),
+ {}
+ },
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_INET=y",
+ NULL
+ },
+};
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-05 9:34 [LTP] [PATCH v2 0/4] landlock network coverage support Andrea Cervesato
` (2 preceding siblings ...)
2024-11-05 9:34 ` [LTP] [PATCH v2 3/4] Add landlock08 test Andrea Cervesato
@ 2024-11-05 9:34 ` Andrea Cervesato
2024-11-05 15:39 ` Cyril Hrubis
3 siblings, 1 reply; 21+ messages in thread
From: Andrea Cervesato @ 2024-11-05 9:34 UTC (permalink / raw)
To: ltp
From: Andrea Cervesato <andrea.cervesato@suse.com>
Add two more errors checks inside the landlock02 which is testing
landlock_add_rule syscall. In particular, test now verifies when the
syscall is raising EINVAL due to invalid network attributes.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
testcases/kernel/syscalls/landlock/landlock02.c | 94 +++++++++++++++++++------
1 file changed, 74 insertions(+), 20 deletions(-)
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
index 8566d407f6d17ab367695125f07d0a80cf4130e5..dbc405a8a01ac58e0d22f952f57bd603c62ab8be 100644
--- a/testcases/kernel/syscalls/landlock/landlock02.c
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -20,93 +20,146 @@
#include "landlock_common.h"
-static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
+static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static struct landlock_path_beneath_attr *rule_null;
+static struct landlock_net_port_attr *net_port_attr;
static int ruleset_fd;
static int invalid_fd = -1;
+static int abi_current;
static struct tcase {
int *fd;
- enum landlock_rule_type rule_type;
- struct landlock_path_beneath_attr **attr;
+ int rule_type;
+ struct landlock_path_beneath_attr **path_attr;
+ struct landlock_net_port_attr **net_attr;
int access;
int parent_fd;
+ int net_port;
uint32_t flags;
int exp_errno;
+ int abi_ver;
char *msg;
} tcases[] = {
{
.fd = &ruleset_fd,
- .attr = &path_beneath_attr,
+ .path_attr = &path_beneath_attr,
+ .net_attr = NULL,
.access = LANDLOCK_ACCESS_FS_EXECUTE,
.flags = 1,
.exp_errno = EINVAL,
+ .abi_ver = 1,
.msg = "Invalid flags"
},
{
.fd = &ruleset_fd,
- .attr = &path_beneath_attr,
+ .path_attr = &path_beneath_attr,
+ .net_attr = NULL,
.access = LANDLOCK_ACCESS_FS_EXECUTE,
.exp_errno = EINVAL,
+ .abi_ver = 1,
.msg = "Invalid rule type"
},
{
.fd = &ruleset_fd,
.rule_type = LANDLOCK_RULE_PATH_BENEATH,
- .attr = &path_beneath_attr,
+ .path_attr = &path_beneath_attr,
+ .net_attr = NULL,
.exp_errno = ENOMSG,
+ .abi_ver = 1,
.msg = "Empty accesses"
},
{
.fd = &invalid_fd,
- .attr = &path_beneath_attr,
+ .path_attr = &path_beneath_attr,
+ .net_attr = NULL,
.access = LANDLOCK_ACCESS_FS_EXECUTE,
.exp_errno = EBADF,
+ .abi_ver = 1,
.msg = "Invalid file descriptor"
},
{
.fd = &ruleset_fd,
.rule_type = LANDLOCK_RULE_PATH_BENEATH,
- .attr = &path_beneath_attr,
+ .path_attr = &path_beneath_attr,
+ .net_attr = NULL,
.access = LANDLOCK_ACCESS_FS_EXECUTE,
.parent_fd = -1,
.exp_errno = EBADF,
+ .abi_ver = 1,
.msg = "Invalid parent fd"
},
{
.fd = &ruleset_fd,
.rule_type = LANDLOCK_RULE_PATH_BENEATH,
- .attr = &rule_null,
+ .path_attr = &rule_null,
+ .net_attr = NULL,
.exp_errno = EFAULT,
+ .abi_ver = 1,
.msg = "Invalid rule attr"
},
+ {
+ .fd = &ruleset_fd,
+ .rule_type = LANDLOCK_RULE_NET_PORT,
+ .path_attr = NULL,
+ .net_attr = &net_port_attr,
+ .access = LANDLOCK_ACCESS_FS_EXECUTE,
+ .net_port = 448,
+ .exp_errno = EINVAL,
+ .abi_ver = 4,
+ .msg = "Invalid access rule for network type"
+ },
+ {
+ .fd = &ruleset_fd,
+ .rule_type = LANDLOCK_RULE_NET_PORT,
+ .path_attr = NULL,
+ .net_attr = &net_port_attr,
+ .access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .net_port = INT16_MAX + 1,
+ .exp_errno = EINVAL,
+ .abi_ver = 4,
+ .msg = "Socket port greater than 65535"
+ },
};
static void run(unsigned int n)
{
struct tcase *tc = &tcases[n];
- if (*tc->attr) {
- (*tc->attr)->allowed_access = tc->access;
- (*tc->attr)->parent_fd = tc->parent_fd;
+ if (tc->abi_ver > abi_current) {
+ tst_res(TCONF, "Minimum ABI required: %d", tc->abi_ver);
+ return;
}
- TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
- *tc->fd, tc->rule_type, *tc->attr, tc->flags),
- tc->exp_errno,
- "%s",
- tc->msg);
+ if (tc->path_attr) {
+ if (*tc->path_attr) {
+ (*tc->path_attr)->allowed_access = tc->access;
+ (*tc->path_attr)->parent_fd = tc->parent_fd;
+ }
+
+ TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
+ *tc->fd, tc->rule_type, *tc->path_attr, tc->flags),
+ tc->exp_errno, "%s", tc->msg);
+ } else if (tc->net_attr) {
+ if (*tc->net_attr) {
+ (*tc->net_attr)->allowed_access = tc->access;
+ (*tc->net_attr)->port = tc->net_port;
+ }
+
+ TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
+ *tc->fd, tc->rule_type, *tc->net_attr, tc->flags),
+ tc->exp_errno, "%s", tc->msg);
+ }
}
static void setup(void)
{
- verify_landlock_is_enabled();
+ abi_current = verify_landlock_is_enabled();
ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
- ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
}
static void cleanup(void)
@@ -122,8 +175,9 @@ static struct tst_test test = {
.cleanup = cleanup,
.needs_root = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+ {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)},
{},
},
.caps = (struct tst_cap []) {
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
@ 2024-11-05 12:31 ` Li Wang
2024-11-05 12:42 ` Li Wang
2024-11-05 12:47 ` Andrea Cervesato via ltp
2024-11-05 13:08 ` Cyril Hrubis
1 sibling, 2 replies; 21+ messages in thread
From: Li Wang @ 2024-11-05 12:31 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi Andrea,
On Tue, Nov 5, 2024 at 5:36 PM Andrea Cervesato <andrea.cervesato@suse.de>
wrote:
> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> Landlock network support has been added in the ABI v4, adding features
> for bind() and connect() syscalls. It also defined one more member in
> the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
> build landlock testing suite. For this reason, we introduce
> tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4
> ruleset_attr definitions.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> configure.ac | 3 ++-
> include/lapi/capability.h | 4 ++++
> include/lapi/landlock.h | 28
> ++++++++++++----------
> testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
> testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
> testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
> testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
> testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
> .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
> 11 files changed, 53 insertions(+), 59 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index
> d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4
> 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
> AC_PREFIX_DEFAULT(/opt/ltp)
>
> AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include
> <linux/landlock.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include <linux/landlock.h>])
> AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
> AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include
> <linux/netfilter/nf_tables.h>])
> AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include
> <sys/prctl.h>])
> @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
> ])
>
> AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
> -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
> AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
> AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include
> <linux/if_alg.h>])
> AC_CHECK_TYPES([struct fanotify_event_info_fid, struct
> fanotify_event_info_error,
> diff --git a/include/lapi/capability.h b/include/lapi/capability.h
> index
> 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0
> 100644
> --- a/include/lapi/capability.h
> +++ b/include/lapi/capability.h
> @@ -20,6 +20,10 @@
> # endif
> #endif
>
> +#ifndef CAP_NET_BIND_SERVICE
> +# define CAP_NET_BIND_SERVICE 10
> +#endif
> +
> #ifndef CAP_NET_RAW
> # define CAP_NET_RAW 13
> #endif
> diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
> index
> 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec
> 100644
> --- a/include/lapi/landlock.h
> +++ b/include/lapi/landlock.h
> @@ -7,6 +7,7 @@
> #define LAPI_LANDLOCK_H__
>
> #include "config.h"
> +#include <stdint.h>
>
> #ifdef HAVE_LINUX_LANDLOCK_H
> # include <linux/landlock.h>
> @@ -14,13 +15,16 @@
>
> #include "lapi/syscalls.h"
>
> -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
> -struct landlock_ruleset_attr
> +struct tst_landlock_ruleset_attr_abi1
> +{
> + uint64_t handled_access_fs;
> +};
> +
> +struct tst_landlock_ruleset_attr_abi4
>
Ok, here you achieve two ABI versions for landlock_ruleset_attr,
but with mainline kernel introducing[1] a new field 'scoped' what will
you do next, add one more ABI version 5 if needed? What if the mainline
kernel adds more new fields in the future?
and why _abi1 and _abi4, but not _abi2?
[1] commit 21d52e295 ("landlock: Add abstract UNIX socket scoping")
> {
> uint64_t handled_access_fs;
> uint64_t handled_access_net;
> };
> -#endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
> struct landlock_path_beneath_attr
> @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr
> } __attribute__((packed));
> #endif
>
> -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
> -enum landlock_rule_type
> -{
> - LANDLOCK_RULE_PATH_BENEATH = 1,
> - LANDLOCK_RULE_NET_PORT,
> -};
> +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
> +# define LANDLOCK_RULE_PATH_BENEATH 1
> +#endif
> +
> +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
> +# define LANDLOCK_RULE_NET_PORT 2
> #endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
> @@ -123,8 +127,7 @@ struct landlock_net_port_attr
> #endif
>
> static inline int safe_landlock_create_ruleset(const char *file, const
> int lineno,
> - const struct landlock_ruleset_attr *attr,
> - size_t size , uint32_t flags)
> + const void *attr, size_t size , uint32_t flags)
> {
> int rval;
>
> @@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const
> char *file, const int linen
> }
>
> static inline int safe_landlock_add_rule(const char *file, const int
> lineno,
> - int ruleset_fd, enum landlock_rule_type rule_type,
> - const void *rule_attr, uint32_t flags)
> + int ruleset_fd, int rule_type, const void *rule_attr, uint32_t
> flags)
> {
> int rval;
>
> diff --git a/testcases/kernel/syscalls/landlock/landlock01.c
> b/testcases/kernel/syscalls/landlock/landlock01.c
> index
> 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock01.c
> +++ b/testcases/kernel/syscalls/landlock/landlock01.c
> @@ -17,14 +17,14 @@
>
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> -static struct landlock_ruleset_attr *null_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *null_attr;
> static size_t rule_size;
> static size_t rule_small_size;
> static size_t rule_big_size;
>
> static struct tcase {
> - struct landlock_ruleset_attr **attr;
> + struct tst_landlock_ruleset_attr_abi4 **attr;
> uint64_t access_fs;
> size_t *size;
> uint32_t flags;
> @@ -60,13 +60,8 @@ static void setup(void)
> {
> verify_landlock_is_enabled();
>
> - rule_size = sizeof(struct landlock_ruleset_attr);
> -
> -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
> + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4);
> rule_small_size = rule_size - sizeof(uint64_t) - 1;
> -#else
> - rule_small_size = rule_size - 1;
> -#endif
>
> rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1;
> }
> @@ -77,7 +72,7 @@ static struct tst_test test = {
> .setup = setup,
> .needs_root = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi4)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock02.c
> b/testcases/kernel/syscalls/landlock/landlock02.c
> index
> 1a3df69c9cc3eda98e28cfbfd1e12c57e26d0128..8566d407f6d17ab367695125f07d0a80cf4130e5
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock02.c
> +++ b/testcases/kernel/syscalls/landlock/landlock02.c
> @@ -20,7 +20,7 @@
>
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static struct landlock_path_beneath_attr *rule_null;
> static int ruleset_fd;
> @@ -93,7 +93,7 @@ static void run(unsigned int n)
> }
>
> TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> - *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> + *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> tc->exp_errno,
> "%s",
> tc->msg);
> @@ -106,7 +106,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>
> ruleset_fd =
> TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0));
> }
>
> static void cleanup(void)
> @@ -122,7 +122,7 @@ static struct tst_test test = {
> .cleanup = cleanup,
> .needs_root = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock03.c
> b/testcases/kernel/syscalls/landlock/landlock03.c
> index
> 224482255b287cef64f579b5707a92a6b5908f8b..150c8cc4e50ee1b41af3c8c01771c51a8715746f
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock03.c
> +++ b/testcases/kernel/syscalls/landlock/landlock03.c
> @@ -21,7 +21,7 @@
>
> #define MAX_STACKED_RULESETS 16
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static int ruleset_fd = -1;
> static int ruleset_invalid = -1;
> static int file_fd = -1;
> @@ -89,7 +89,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>
> ruleset_fd =
> TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0));
>
> file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777);
> }
> @@ -112,7 +112,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock04.c
> b/testcases/kernel/syscalls/landlock/landlock04.c
> index
> e9dedd45091ecd15cdce2fa7227bbfceb14abb5e..2485591e2196072f81708fc10cebd382e536e2a9
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock04.c
> +++ b/testcases/kernel/syscalls/landlock/landlock04.c
> @@ -15,7 +15,7 @@
> #include "landlock_tester.h"
> #include "tst_safe_stdio.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static int ruleset_fd = -1;
>
> @@ -153,7 +153,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = tester_get_all_fs_rules();
>
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0);
>
> /* since our binary is dynamically linked, we need to enable
> dependences
> * to be read and executed
> @@ -192,7 +192,7 @@ static struct tst_test test = {
> NULL,
> },
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock05.c
> b/testcases/kernel/syscalls/landlock/landlock05.c
> index
> 703f7d81c336907f360acbe45b42720dc12bac23..3d5048f0ab51b2d7c3eedc82ef80c04935ac5d86
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock05.c
> +++ b/testcases/kernel/syscalls/landlock/landlock05.c
> @@ -28,7 +28,7 @@
> #define FILENAME2 DIR2"/file"
> #define FILENAME3 DIR3"/file"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
>
> static void run(void)
> @@ -68,15 +68,15 @@ static void setup(void)
> LANDLOCK_ACCESS_FS_REFER;
>
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0);
>
> - apply_landlock_rule(
> + apply_landlock_fs_rule(
> path_beneath_attr,
> ruleset_fd,
> LANDLOCK_ACCESS_FS_REFER,
> DIR1);
>
> - apply_landlock_rule(
> + apply_landlock_fs_rule(
> path_beneath_attr,
> ruleset_fd,
> LANDLOCK_ACCESS_FS_REFER,
> @@ -93,7 +93,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock06.c
> b/testcases/kernel/syscalls/landlock/landlock06.c
> index
> 1a6e59241557db23b23beabf9863a9c51353757a..74237d11657054985f06431467fbb161ded0c1b6
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock06.c
> +++ b/testcases/kernel/syscalls/landlock/landlock06.c
> @@ -18,7 +18,7 @@
> #define MNTPOINT "sandbox"
> #define FILENAME MNTPOINT"/fifo"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static int file_fd = -1;
> static int dev_fd = -1;
> @@ -42,8 +42,6 @@ static void run(void)
>
> static void setup(void)
> {
> - int ruleset_fd;
> -
> if (verify_landlock_is_enabled() < 5)
> tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not
> supported");
>
> @@ -56,17 +54,13 @@ static void setup(void)
>
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
>
> - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
> -
> - apply_landlock_layer(
> + apply_landlock_fs_layer(
> ruleset_attr,
> + sizeof(struct tst_landlock_ruleset_attr_abi1),
> path_beneath_attr,
> MNTPOINT,
> LANDLOCK_ACCESS_FS_IOCTL_DEV
> );
> -
> - SAFE_CLOSE(ruleset_fd);
> }
>
> static void cleanup(void)
> @@ -85,7 +79,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock07.c
> b/testcases/kernel/syscalls/landlock/landlock07.c
> index
> 6115ad53876209051952873679eb96014b4dd805..8ee614856312d55e573e18f88a6690b50497ee8b
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock07.c
> +++ b/testcases/kernel/syscalls/landlock/landlock07.c
> @@ -25,7 +25,7 @@
> #include "lapi/prctl.h"
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static int ruleset_fd;
>
> static pid_t spawn_houdini(void)
> @@ -77,7 +77,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE;
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> ruleset_attr,
> - sizeof(struct landlock_ruleset_attr),
> + sizeof(struct tst_landlock_ruleset_attr_abi1),
> 0);
> }
>
> @@ -93,7 +93,7 @@ static struct tst_test test = {
> .cleanup = cleanup,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h
> b/testcases/kernel/syscalls/landlock/landlock_common.h
> index
> da91daeab7b3def7184f611a90273419e4cfa6f2..f3096f4bf15f155f2a00b39c461d0805a76306e5
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock_common.h
> +++ b/testcases/kernel/syscalls/landlock/landlock_common.h
> @@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void)
> return abi;
> }
>
> -static inline void apply_landlock_rule(
> +static inline void apply_landlock_fs_rule(
> struct landlock_path_beneath_attr *path_beneath_attr,
> const int ruleset_fd,
> const int access,
> @@ -57,21 +57,19 @@ static inline void enforce_ruleset(const int
> ruleset_fd)
> SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0);
> }
>
> -static inline void apply_landlock_layer(
> - struct landlock_ruleset_attr *ruleset_attr,
> +static inline void apply_landlock_fs_layer(
> + void *ruleset_attr, size_t attr_size,
> struct landlock_path_beneath_attr *path_beneath_attr,
> const char *path,
> const int access)
> {
> int ruleset_fd;
>
> - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
> + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size,
> 0);
>
> - apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path);
> + apply_landlock_fs_rule(path_beneath_attr, ruleset_fd, access,
> path);
> enforce_ruleset(ruleset_fd);
>
> SAFE_CLOSE(ruleset_fd);
> }
> -
> #endif /* LANDLOCK_COMMON_H__ */
>
> --
> 2.43.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>
--
Regards,
Li Wang
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 12:31 ` Li Wang
@ 2024-11-05 12:42 ` Li Wang
2024-11-05 12:59 ` Andrea Cervesato via ltp
2024-11-05 12:47 ` Andrea Cervesato via ltp
1 sibling, 1 reply; 21+ messages in thread
From: Li Wang @ 2024-11-05 12:42 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
On Tue, Nov 5, 2024 at 8:31 PM Li Wang <liwang@redhat.com> wrote:
> Hi Andrea,
>
> On Tue, Nov 5, 2024 at 5:36 PM Andrea Cervesato <andrea.cervesato@suse.de>
> wrote:
>
>> From: Andrea Cervesato <andrea.cervesato@suse.com>
>>
>> Landlock network support has been added in the ABI v4, adding features
>> for bind() and connect() syscalls. It also defined one more member in
>> the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
>> build landlock testing suite. For this reason, we introduce
>> tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4
>> ruleset_attr definitions.
>>
>> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
>> ---
>> configure.ac | 3 ++-
>> include/lapi/capability.h | 4 ++++
>> include/lapi/landlock.h | 28
>> ++++++++++++----------
>> testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
>> testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
>> testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
>> testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
>> testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
>> testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
>> testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
>> .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
>> 11 files changed, 53 insertions(+), 59 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index
>> d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4
>> 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
>> AC_PREFIX_DEFAULT(/opt/ltp)
>>
>> AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
>> +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include
>> <linux/landlock.h>])
>> +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include <linux/landlock.h>])
>> AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
>> AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include
>> <linux/netfilter/nf_tables.h>])
>> AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include
>> <sys/prctl.h>])
>> @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
>> ])
>>
>> AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
>> -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
>> AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
>> AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include
>> <linux/if_alg.h>])
>> AC_CHECK_TYPES([struct fanotify_event_info_fid, struct
>> fanotify_event_info_error,
>> diff --git a/include/lapi/capability.h b/include/lapi/capability.h
>> index
>> 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0
>> 100644
>> --- a/include/lapi/capability.h
>> +++ b/include/lapi/capability.h
>> @@ -20,6 +20,10 @@
>> # endif
>> #endif
>>
>> +#ifndef CAP_NET_BIND_SERVICE
>> +# define CAP_NET_BIND_SERVICE 10
>> +#endif
>> +
>> #ifndef CAP_NET_RAW
>> # define CAP_NET_RAW 13
>> #endif
>> diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
>> index
>> 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec
>> 100644
>> --- a/include/lapi/landlock.h
>> +++ b/include/lapi/landlock.h
>> @@ -7,6 +7,7 @@
>> #define LAPI_LANDLOCK_H__
>>
>> #include "config.h"
>> +#include <stdint.h>
>>
>> #ifdef HAVE_LINUX_LANDLOCK_H
>> # include <linux/landlock.h>
>> @@ -14,13 +15,16 @@
>>
>> #include "lapi/syscalls.h"
>>
>> -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
>> -struct landlock_ruleset_attr
>> +struct tst_landlock_ruleset_attr_abi1
>> +{
>> + uint64_t handled_access_fs;
>> +};
>> +
>> +struct tst_landlock_ruleset_attr_abi4
>>
>
> Ok, here you achieve two ABI versions for landlock_ruleset_attr,
> but with mainline kernel introducing[1] a new field 'scoped' what will
> you do next, add one more ABI version 5 if needed? What if the mainline
> kernel adds more new fields in the future?
>
> and why _abi1 and _abi4, but not _abi2?
>
> [1] commit 21d52e295 ("landlock: Add abstract UNIX socket scoping")
>
Or, another way is just to define the latest ABI version in lapi/landlock.h,
but only define the tested ABI version in a single test, e.g.
landlock01.c used landlock_ruleset_attr_abi1, so this won't make people
confused when reading the test code, they knows the landlock01 is only
test abi1 and don't need to care about things in 'lapi/landlock.h', WDYT?
--
Regards,
Li Wang
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 12:31 ` Li Wang
2024-11-05 12:42 ` Li Wang
@ 2024-11-05 12:47 ` Andrea Cervesato via ltp
1 sibling, 0 replies; 21+ messages in thread
From: Andrea Cervesato via ltp @ 2024-11-05 12:47 UTC (permalink / raw)
To: Li Wang, Andrea Cervesato; +Cc: ltp
Hi Li,
On 11/5/24 13:31, Li Wang wrote:
> Hi Andrea,
>
> On Tue, Nov 5, 2024 at 5:36 PM Andrea Cervesato
> <andrea.cervesato@suse.de> wrote:
>
> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> Landlock network support has been added in the ABI v4, adding features
> for bind() and connect() syscalls. It also defined one more member in
> the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
> build landlock testing suite. For this reason, we introduce
> tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1
> and v4
> ruleset_attr definitions.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> configure.ac <http://configure.ac>
> | 3 ++-
> include/lapi/capability.h | 4 ++++
> include/lapi/landlock.h | 28
> ++++++++++++----------
> testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
> testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
> testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
> testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
> testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
> .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
> 11 files changed, 53 insertions(+), 59 deletions(-)
>
> diff --git a/configure.ac <http://configure.ac> b/configure.ac
> <http://configure.ac>
> index
> d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4
> 100644
> --- a/configure.ac <http://configure.ac>
> +++ b/configure.ac <http://configure.ac>
> @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
> AC_PREFIX_DEFAULT(/opt/ltp)
>
> AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include
> <linux/landlock.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include
> <linux/landlock.h>])
> AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
> AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include
> <linux/netfilter/nf_tables.h>])
> AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include
> <sys/prctl.h>])
> @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
> ])
>
> AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
> -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include
> <linux/landlock.h>])
> AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
> AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[#
> include <linux/if_alg.h>])
> AC_CHECK_TYPES([struct fanotify_event_info_fid, struct
> fanotify_event_info_error,
> diff --git a/include/lapi/capability.h b/include/lapi/capability.h
> index
> 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0
> 100644
> --- a/include/lapi/capability.h
> +++ b/include/lapi/capability.h
> @@ -20,6 +20,10 @@
> # endif
> #endif
>
> +#ifndef CAP_NET_BIND_SERVICE
> +# define CAP_NET_BIND_SERVICE 10
> +#endif
> +
> #ifndef CAP_NET_RAW
> # define CAP_NET_RAW 13
> #endif
> diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
> index
> 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec
> 100644
> --- a/include/lapi/landlock.h
> +++ b/include/lapi/landlock.h
> @@ -7,6 +7,7 @@
> #define LAPI_LANDLOCK_H__
>
> #include "config.h"
> +#include <stdint.h>
>
> #ifdef HAVE_LINUX_LANDLOCK_H
> # include <linux/landlock.h>
> @@ -14,13 +15,16 @@
>
> #include "lapi/syscalls.h"
>
> -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
> -struct landlock_ruleset_attr
> +struct tst_landlock_ruleset_attr_abi1
> +{
> + uint64_t handled_access_fs;
> +};
> +
> +struct tst_landlock_ruleset_attr_abi4
>
>
> Ok, here you achieve two ABI versions for landlock_ruleset_attr,
> but with mainline kernel introducing[1] a new field 'scoped' what will
> you do next, add one more ABI version 5 if needed? What if the mainline
> kernel adds more new fields in the future?
>
> and why _abi1 and _abi4, but not _abi2?
>
> [1] commit 21d52e295 ("landlock: Add abstract UNIX socket scoping")
>
Yes, the idea is that we create an `*_abiN` for specific ABI version
when it's needed. And then we only use the struct which is needed for
landlock_create_ruleset.
I guess `scoped` will be in `_abi6`.
Andrea
> {
> uint64_t handled_access_fs;
> uint64_t handled_access_net;
> };
> -#endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
> struct landlock_path_beneath_attr
> @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr
> } __attribute__((packed));
> #endif
>
> -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
> -enum landlock_rule_type
> -{
> - LANDLOCK_RULE_PATH_BENEATH = 1,
> - LANDLOCK_RULE_NET_PORT,
> -};
> +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
> +# define LANDLOCK_RULE_PATH_BENEATH 1
> +#endif
> +
> +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
> +# define LANDLOCK_RULE_NET_PORT 2
> #endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
> @@ -123,8 +127,7 @@ struct landlock_net_port_attr
> #endif
>
> static inline int safe_landlock_create_ruleset(const char *file,
> const int lineno,
> - const struct landlock_ruleset_attr *attr,
> - size_t size , uint32_t flags)
> + const void *attr, size_t size , uint32_t flags)
> {
> int rval;
>
> @@ -143,8 +146,7 @@ static inline int
> safe_landlock_create_ruleset(const char *file, const int linen
> }
>
> static inline int safe_landlock_add_rule(const char *file, const
> int lineno,
> - int ruleset_fd, enum landlock_rule_type rule_type,
> - const void *rule_attr, uint32_t flags)
> + int ruleset_fd, int rule_type, const void *rule_attr,
> uint32_t flags)
> {
> int rval;
>
> diff --git a/testcases/kernel/syscalls/landlock/landlock01.c
> b/testcases/kernel/syscalls/landlock/landlock01.c
> index
> 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock01.c
> +++ b/testcases/kernel/syscalls/landlock/landlock01.c
> @@ -17,14 +17,14 @@
>
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> -static struct landlock_ruleset_attr *null_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *null_attr;
> static size_t rule_size;
> static size_t rule_small_size;
> static size_t rule_big_size;
>
> static struct tcase {
> - struct landlock_ruleset_attr **attr;
> + struct tst_landlock_ruleset_attr_abi4 **attr;
> uint64_t access_fs;
> size_t *size;
> uint32_t flags;
> @@ -60,13 +60,8 @@ static void setup(void)
> {
> verify_landlock_is_enabled();
>
> - rule_size = sizeof(struct landlock_ruleset_attr);
> -
> -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
> + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4);
> rule_small_size = rule_size - sizeof(uint64_t) - 1;
> -#else
> - rule_small_size = rule_size - 1;
> -#endif
>
> rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1;
> }
> @@ -77,7 +72,7 @@ static struct tst_test test = {
> .setup = setup,
> .needs_root = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi4)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock02.c
> b/testcases/kernel/syscalls/landlock/landlock02.c
> index
> 1a3df69c9cc3eda98e28cfbfd1e12c57e26d0128..8566d407f6d17ab367695125f07d0a80cf4130e5
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock02.c
> +++ b/testcases/kernel/syscalls/landlock/landlock02.c
> @@ -20,7 +20,7 @@
>
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static struct landlock_path_beneath_attr *rule_null;
> static int ruleset_fd;
> @@ -93,7 +93,7 @@ static void run(unsigned int n)
> }
>
> TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> - *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> + *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> tc->exp_errno,
> "%s",
> tc->msg);
> @@ -106,7 +106,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>
> ruleset_fd =
> TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0));
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0));
> }
>
> static void cleanup(void)
> @@ -122,7 +122,7 @@ static struct tst_test test = {
> .cleanup = cleanup,
> .needs_root = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock03.c
> b/testcases/kernel/syscalls/landlock/landlock03.c
> index
> 224482255b287cef64f579b5707a92a6b5908f8b..150c8cc4e50ee1b41af3c8c01771c51a8715746f
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock03.c
> +++ b/testcases/kernel/syscalls/landlock/landlock03.c
> @@ -21,7 +21,7 @@
>
> #define MAX_STACKED_RULESETS 16
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static int ruleset_fd = -1;
> static int ruleset_invalid = -1;
> static int file_fd = -1;
> @@ -89,7 +89,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>
> ruleset_fd =
> TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0));
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0));
>
> file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777);
> }
> @@ -112,7 +112,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock04.c
> b/testcases/kernel/syscalls/landlock/landlock04.c
> index
> e9dedd45091ecd15cdce2fa7227bbfceb14abb5e..2485591e2196072f81708fc10cebd382e536e2a9
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock04.c
> +++ b/testcases/kernel/syscalls/landlock/landlock04.c
> @@ -15,7 +15,7 @@
> #include "landlock_tester.h"
> #include "tst_safe_stdio.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static int ruleset_fd = -1;
>
> @@ -153,7 +153,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs = tester_get_all_fs_rules();
>
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0);
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0);
>
> /* since our binary is dynamically linked, we need to
> enable dependences
> * to be read and executed
> @@ -192,7 +192,7 @@ static struct tst_test test = {
> NULL,
> },
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock05.c
> b/testcases/kernel/syscalls/landlock/landlock05.c
> index
> 703f7d81c336907f360acbe45b42720dc12bac23..3d5048f0ab51b2d7c3eedc82ef80c04935ac5d86
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock05.c
> +++ b/testcases/kernel/syscalls/landlock/landlock05.c
> @@ -28,7 +28,7 @@
> #define FILENAME2 DIR2"/file"
> #define FILENAME3 DIR3"/file"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
>
> static void run(void)
> @@ -68,15 +68,15 @@ static void setup(void)
> LANDLOCK_ACCESS_FS_REFER;
>
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0);
> + ruleset_attr, sizeof(struct
> tst_landlock_ruleset_attr_abi1), 0);
>
> - apply_landlock_rule(
> + apply_landlock_fs_rule(
> path_beneath_attr,
> ruleset_fd,
> LANDLOCK_ACCESS_FS_REFER,
> DIR1);
>
> - apply_landlock_rule(
> + apply_landlock_fs_rule(
> path_beneath_attr,
> ruleset_fd,
> LANDLOCK_ACCESS_FS_REFER,
> @@ -93,7 +93,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock06.c
> b/testcases/kernel/syscalls/landlock/landlock06.c
> index
> 1a6e59241557db23b23beabf9863a9c51353757a..74237d11657054985f06431467fbb161ded0c1b6
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock06.c
> +++ b/testcases/kernel/syscalls/landlock/landlock06.c
> @@ -18,7 +18,7 @@
> #define MNTPOINT "sandbox"
> #define FILENAME MNTPOINT"/fifo"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static int file_fd = -1;
> static int dev_fd = -1;
> @@ -42,8 +42,6 @@ static void run(void)
>
> static void setup(void)
> {
> - int ruleset_fd;
> -
> if (verify_landlock_is_enabled() < 5)
> tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is
> not supported");
>
> @@ -56,17 +54,13 @@ static void setup(void)
>
> ruleset_attr->handled_access_fs =
> LANDLOCK_ACCESS_FS_IOCTL_DEV;
>
> - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0);
> -
> - apply_landlock_layer(
> + apply_landlock_fs_layer(
> ruleset_attr,
> + sizeof(struct tst_landlock_ruleset_attr_abi1),
> path_beneath_attr,
> MNTPOINT,
> LANDLOCK_ACCESS_FS_IOCTL_DEV
> );
> -
> - SAFE_CLOSE(ruleset_fd);
> }
>
> static void cleanup(void)
> @@ -85,7 +79,7 @@ static struct tst_test test = {
> .needs_root = 1,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> {},
> },
> diff --git a/testcases/kernel/syscalls/landlock/landlock07.c
> b/testcases/kernel/syscalls/landlock/landlock07.c
> index
> 6115ad53876209051952873679eb96014b4dd805..8ee614856312d55e573e18f88a6690b50497ee8b
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock07.c
> +++ b/testcases/kernel/syscalls/landlock/landlock07.c
> @@ -25,7 +25,7 @@
> #include "lapi/prctl.h"
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> static int ruleset_fd;
>
> static pid_t spawn_houdini(void)
> @@ -77,7 +77,7 @@ static void setup(void)
> ruleset_attr->handled_access_fs =
> LANDLOCK_ACCESS_FS_WRITE_FILE;
> ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> ruleset_attr,
> - sizeof(struct landlock_ruleset_attr),
> + sizeof(struct tst_landlock_ruleset_attr_abi1),
> 0);
> }
>
> @@ -93,7 +93,7 @@ static struct tst_test test = {
> .cleanup = cleanup,
> .forks_child = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&ruleset_attr, .size = sizeof(struct
> tst_landlock_ruleset_attr_abi1)},
> {},
> },
> .caps = (struct tst_cap []) {
> diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h
> b/testcases/kernel/syscalls/landlock/landlock_common.h
> index
> da91daeab7b3def7184f611a90273419e4cfa6f2..f3096f4bf15f155f2a00b39c461d0805a76306e5
> 100644
> --- a/testcases/kernel/syscalls/landlock/landlock_common.h
> +++ b/testcases/kernel/syscalls/landlock/landlock_common.h
> @@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void)
> return abi;
> }
>
> -static inline void apply_landlock_rule(
> +static inline void apply_landlock_fs_rule(
> struct landlock_path_beneath_attr *path_beneath_attr,
> const int ruleset_fd,
> const int access,
> @@ -57,21 +57,19 @@ static inline void enforce_ruleset(const int
> ruleset_fd)
> SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0);
> }
>
> -static inline void apply_landlock_layer(
> - struct landlock_ruleset_attr *ruleset_attr,
> +static inline void apply_landlock_fs_layer(
> + void *ruleset_attr, size_t attr_size,
> struct landlock_path_beneath_attr *path_beneath_attr,
> const char *path,
> const int access)
> {
> int ruleset_fd;
>
> - ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> - ruleset_attr, sizeof(struct
> landlock_ruleset_attr), 0);
> + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr,
> attr_size, 0);
>
> - apply_landlock_rule(path_beneath_attr, ruleset_fd, access,
> path);
> + apply_landlock_fs_rule(path_beneath_attr, ruleset_fd,
> access, path);
> enforce_ruleset(ruleset_fd);
>
> SAFE_CLOSE(ruleset_fd);
> }
> -
> #endif /* LANDLOCK_COMMON_H__ */
>
> --
> 2.43.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>
>
> --
> Regards,
> Li Wang
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 12:42 ` Li Wang
@ 2024-11-05 12:59 ` Andrea Cervesato via ltp
2024-11-05 13:15 ` Cyril Hrubis
0 siblings, 1 reply; 21+ messages in thread
From: Andrea Cervesato via ltp @ 2024-11-05 12:59 UTC (permalink / raw)
To: Li Wang, Andrea Cervesato; +Cc: ltp
Hi Li,
On 11/5/24 13:42, Li Wang wrote:
> Or, another way is just to define the latest ABI version in
> lapi/landlock.h,
> but only define the tested ABI version in a single test, e.g.
> landlock01.c used landlock_ruleset_attr_abi1, so this won't make people
> confused when reading the test code, they knows the landlock01 is only
> test abi1 and don't need to care about things in 'lapi/landlock.h', WDYT?
>
Do you mean like having a complete struct which is passed to a helper,
taking `landlock_create_ruleset` + ABI version and generating out
ruleset ID ?
Something like:
struct tst_landlock_ruleset_attr {
uint64_t handled_access_fs;
uint64_t handled_access_net;
uint64_t scoped;
};
int tst_landlock_create_ruleset(int version, struct
tst_landlock_ruleset_attr *attr) {
struct landlock_ruleset_attr inner_attr;
copy_ruleset(attr, &inner_attr);
return landlock_create_ruleset(&inner_attr, sizeof(struct
landlock_ruleset_attr), 0);
}
In this way it could work, but we loose guarded buffers which are passed
to the syscall and might be useful during debugging. In this case we
should use tst_buffers_alloc(). @Cyril what do you think?
Andrea
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
2024-11-05 12:31 ` Li Wang
@ 2024-11-05 13:08 ` Cyril Hrubis
2024-11-05 13:15 ` Andrea Cervesato via ltp
1 sibling, 1 reply; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 13:08 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> Landlock network support has been added in the ABI v4, adding features
> for bind() and connect() syscalls. It also defined one more member in
> the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
> build landlock testing suite. For this reason, we introduce
> tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4
> ruleset_attr definitions.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> configure.ac | 3 ++-
> include/lapi/capability.h | 4 ++++
> include/lapi/landlock.h | 28 ++++++++++++----------
> testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
> testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
> testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
> testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
> testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
> testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
> .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
> 11 files changed, 53 insertions(+), 59 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
> AC_PREFIX_DEFAULT(/opt/ltp)
>
> AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include <linux/landlock.h>])
> +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include <linux/landlock.h>])
> AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
> AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include <linux/netfilter/nf_tables.h>])
> AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include <sys/prctl.h>])
> @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
> ])
>
> AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
> -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
> AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
> AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include <linux/if_alg.h>])
> AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error,
> diff --git a/include/lapi/capability.h b/include/lapi/capability.h
> index 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0 100644
> --- a/include/lapi/capability.h
> +++ b/include/lapi/capability.h
> @@ -20,6 +20,10 @@
> # endif
> #endif
>
> +#ifndef CAP_NET_BIND_SERVICE
> +# define CAP_NET_BIND_SERVICE 10
> +#endif
> +
> #ifndef CAP_NET_RAW
> # define CAP_NET_RAW 13
> #endif
> diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
> index 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec 100644
> --- a/include/lapi/landlock.h
> +++ b/include/lapi/landlock.h
> @@ -7,6 +7,7 @@
> #define LAPI_LANDLOCK_H__
>
> #include "config.h"
> +#include <stdint.h>
>
> #ifdef HAVE_LINUX_LANDLOCK_H
> # include <linux/landlock.h>
> @@ -14,13 +15,16 @@
>
> #include "lapi/syscalls.h"
>
> -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
> -struct landlock_ruleset_attr
> +struct tst_landlock_ruleset_attr_abi1
> +{
> + uint64_t handled_access_fs;
> +};
> +
> +struct tst_landlock_ruleset_attr_abi4
> {
> uint64_t handled_access_fs;
> uint64_t handled_access_net;
> };
> -#endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
> struct landlock_path_beneath_attr
> @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr
> } __attribute__((packed));
> #endif
>
> -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
> -enum landlock_rule_type
> -{
> - LANDLOCK_RULE_PATH_BENEATH = 1,
> - LANDLOCK_RULE_NET_PORT,
> -};
> +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
These are more usually ifndef at least it's more readable.
> +# define LANDLOCK_RULE_PATH_BENEATH 1
> +#endif
> +
> +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
Here as well.
> +# define LANDLOCK_RULE_NET_PORT 2
> #endif
>
> #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
> @@ -123,8 +127,7 @@ struct landlock_net_port_attr
> #endif
>
> static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
> - const struct landlock_ruleset_attr *attr,
> - size_t size , uint32_t flags)
> + const void *attr, size_t size , uint32_t flags)
> {
> int rval;
>
> @@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen
> }
>
> static inline int safe_landlock_add_rule(const char *file, const int lineno,
> - int ruleset_fd, enum landlock_rule_type rule_type,
> - const void *rule_attr, uint32_t flags)
> + int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags)
> {
> int rval;
>
> diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c
> index 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae 100644
> --- a/testcases/kernel/syscalls/landlock/landlock01.c
> +++ b/testcases/kernel/syscalls/landlock/landlock01.c
> @@ -17,14 +17,14 @@
>
> #include "landlock_common.h"
>
> -static struct landlock_ruleset_attr *ruleset_attr;
> -static struct landlock_ruleset_attr *null_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *null_attr;
> static size_t rule_size;
> static size_t rule_small_size;
> static size_t rule_big_size;
>
> static struct tcase {
> - struct landlock_ruleset_attr **attr;
> + struct tst_landlock_ruleset_attr_abi4 **attr;
> uint64_t access_fs;
> size_t *size;
> uint32_t flags;
> @@ -60,13 +60,8 @@ static void setup(void)
> {
> verify_landlock_is_enabled();
>
> - rule_size = sizeof(struct landlock_ruleset_attr);
> -
> -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
> + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4);
> rule_small_size = rule_size - sizeof(uint64_t) - 1;
I guess that the safest bet here would be:
sizeof(struct tst_landlock_ruleset_attr_abi1) - 1
That is by definition one byte less than the smallest size, this will
also in 99.99% cases evaluate to 7 since structure with single 64 bit
number will not need padding so hardcoding 7 should be safe as well.
Also I guess that we can use the v1 ABI for the whole invalid inputs
tests, all we need here is to pass a size that is valid in most cases,
which is v1 I suppose.
The rest looks fine to me:
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 13:08 ` Cyril Hrubis
@ 2024-11-05 13:15 ` Andrea Cervesato via ltp
0 siblings, 0 replies; 21+ messages in thread
From: Andrea Cervesato via ltp @ 2024-11-05 13:15 UTC (permalink / raw)
To: Cyril Hrubis, Andrea Cervesato; +Cc: ltp
Hi Cyril,
On 11/5/24 14:08, Cyril Hrubis wrote:
> Hi!
>> Landlock network support has been added in the ABI v4, adding features
>> for bind() and connect() syscalls. It also defined one more member in
>> the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
>> build landlock testing suite. For this reason, we introduce
>> tst_landlock_ruleset_attr_abi[14] struct(s) which fallback ABI v1 and v4
>> ruleset_attr definitions.
>>
>> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
>> ---
>> configure.ac | 3 ++-
>> include/lapi/capability.h | 4 ++++
>> include/lapi/landlock.h | 28 ++++++++++++----------
>> testcases/kernel/syscalls/landlock/landlock01.c | 15 ++++--------
>> testcases/kernel/syscalls/landlock/landlock02.c | 8 +++----
>> testcases/kernel/syscalls/landlock/landlock03.c | 6 ++---
>> testcases/kernel/syscalls/landlock/landlock04.c | 6 ++---
>> testcases/kernel/syscalls/landlock/landlock05.c | 10 ++++----
>> testcases/kernel/syscalls/landlock/landlock06.c | 14 ++++-------
>> testcases/kernel/syscalls/landlock/landlock07.c | 6 ++---
>> .../kernel/syscalls/landlock/landlock_common.h | 12 ++++------
>> 11 files changed, 53 insertions(+), 59 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index d327974efa71f263d7f7f5aec9d2c5831d53dd0e..e2e4fd18daa54dbf2034fa9bcc4f2383b53392f4 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -34,6 +34,8 @@ m4_ifndef([PKG_CHECK_EXISTS],
>> AC_PREFIX_DEFAULT(/opt/ltp)
>>
>> AC_CHECK_DECLS([IFLA_NET_NS_PID],,,[#include <linux/if_link.h>])
>> +AC_CHECK_DECLS([LANDLOCK_RULE_PATH_BENEATH],,,[#include <linux/landlock.h>])
>> +AC_CHECK_DECLS([LANDLOCK_RULE_NET_PORT],,,[#include <linux/landlock.h>])
>> AC_CHECK_DECLS([MADV_MERGEABLE],,,[#include <sys/mman.h>])
>> AC_CHECK_DECLS([NFTA_CHAIN_ID, NFTA_VERDICT_CHAIN_ID],,,[#include <linux/netfilter/nf_tables.h>])
>> AC_CHECK_DECLS([PR_CAPBSET_DROP, PR_CAPBSET_READ],,,[#include <sys/prctl.h>])
>> @@ -172,7 +174,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
>> ])
>>
>> AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
>> -AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
>> AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
>> AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include <linux/if_alg.h>])
>> AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error,
>> diff --git a/include/lapi/capability.h b/include/lapi/capability.h
>> index 0f317d6d770e86b399f0fed2de04c1dce6723eae..14d2d3c12c051006875f1f864ec58a88a3870ec0 100644
>> --- a/include/lapi/capability.h
>> +++ b/include/lapi/capability.h
>> @@ -20,6 +20,10 @@
>> # endif
>> #endif
>>
>> +#ifndef CAP_NET_BIND_SERVICE
>> +# define CAP_NET_BIND_SERVICE 10
>> +#endif
>> +
>> #ifndef CAP_NET_RAW
>> # define CAP_NET_RAW 13
>> #endif
>> diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
>> index 211d171ebecd92d75224369dc7f1d5c5903c9ce7..b3c8c548e661680541cdf6e4a8fb68a3f5029fec 100644
>> --- a/include/lapi/landlock.h
>> +++ b/include/lapi/landlock.h
>> @@ -7,6 +7,7 @@
>> #define LAPI_LANDLOCK_H__
>>
>> #include "config.h"
>> +#include <stdint.h>
>>
>> #ifdef HAVE_LINUX_LANDLOCK_H
>> # include <linux/landlock.h>
>> @@ -14,13 +15,16 @@
>>
>> #include "lapi/syscalls.h"
>>
>> -#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
>> -struct landlock_ruleset_attr
>> +struct tst_landlock_ruleset_attr_abi1
>> +{
>> + uint64_t handled_access_fs;
>> +};
>> +
>> +struct tst_landlock_ruleset_attr_abi4
>> {
>> uint64_t handled_access_fs;
>> uint64_t handled_access_net;
>> };
>> -#endif
>>
>> #ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
>> struct landlock_path_beneath_attr
>> @@ -30,12 +34,12 @@ struct landlock_path_beneath_attr
>> } __attribute__((packed));
>> #endif
>>
>> -#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
>> -enum landlock_rule_type
>> -{
>> - LANDLOCK_RULE_PATH_BENEATH = 1,
>> - LANDLOCK_RULE_NET_PORT,
>> -};
>> +#if !HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH
> These are more usually ifndef at least it's more readable.
>
We can't use #ifndef because HAVE_DECL_LANDLOCK_RULE_PATH_BENEATH is
always defined, but it can be 0 or 1 if it's present or not (this is
what I seen using autoconf). You can check in config.h as well.
Apparently this is how autoconf handles symbols.
>> +# define LANDLOCK_RULE_PATH_BENEATH 1
>> +#endif
>> +
>> +#if !HAVE_DECL_LANDLOCK_RULE_NET_PORT
> Here as well.
>
>> +# define LANDLOCK_RULE_NET_PORT 2
>> #endif
>>
>> #ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
>> @@ -123,8 +127,7 @@ struct landlock_net_port_attr
>> #endif
>>
>> static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
>> - const struct landlock_ruleset_attr *attr,
>> - size_t size , uint32_t flags)
>> + const void *attr, size_t size , uint32_t flags)
>> {
>> int rval;
>>
>> @@ -143,8 +146,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen
>> }
>>
>> static inline int safe_landlock_add_rule(const char *file, const int lineno,
>> - int ruleset_fd, enum landlock_rule_type rule_type,
>> - const void *rule_attr, uint32_t flags)
>> + int ruleset_fd, int rule_type, const void *rule_attr, uint32_t flags)
>> {
>> int rval;
>>
>> diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c
>> index 083685c64fa6d1c0caab887ee03594ea1426f62f..bd3a37153449b8d75b9671f5c3b3838c701b05ae 100644
>> --- a/testcases/kernel/syscalls/landlock/landlock01.c
>> +++ b/testcases/kernel/syscalls/landlock/landlock01.c
>> @@ -17,14 +17,14 @@
>>
>> #include "landlock_common.h"
>>
>> -static struct landlock_ruleset_attr *ruleset_attr;
>> -static struct landlock_ruleset_attr *null_attr;
>> +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
>> +static struct tst_landlock_ruleset_attr_abi4 *null_attr;
>> static size_t rule_size;
>> static size_t rule_small_size;
>> static size_t rule_big_size;
>>
>> static struct tcase {
>> - struct landlock_ruleset_attr **attr;
>> + struct tst_landlock_ruleset_attr_abi4 **attr;
>> uint64_t access_fs;
>> size_t *size;
>> uint32_t flags;
>> @@ -60,13 +60,8 @@ static void setup(void)
>> {
>> verify_landlock_is_enabled();
>>
>> - rule_size = sizeof(struct landlock_ruleset_attr);
>> -
>> -#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
>> + rule_size = sizeof(struct tst_landlock_ruleset_attr_abi4);
>> rule_small_size = rule_size - sizeof(uint64_t) - 1;
> I guess that the safest bet here would be:
>
> sizeof(struct tst_landlock_ruleset_attr_abi1) - 1
+1
>
> That is by definition one byte less than the smallest size, this will
> also in 99.99% cases evaluate to 7 since structure with single 64 bit
> number will not need padding so hardcoding 7 should be safe as well.
>
> Also I guess that we can use the v1 ABI for the whole invalid inputs
> tests, all we need here is to pass a size that is valid in most cases,
> which is v1 I suppose.
>
>
> The rest looks fine to me:
>
> Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Andrea
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 12:59 ` Andrea Cervesato via ltp
@ 2024-11-05 13:15 ` Cyril Hrubis
2024-11-05 15:13 ` Cyril Hrubis
2024-11-06 7:13 ` Li Wang
0 siblings, 2 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 13:15 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> In this way it could work, but we loose guarded buffers which are passed
> to the syscall and might be useful during debugging. In this case we
> should use tst_buffers_alloc(). @Cyril what do you think?
That woudln't work either, since we cannot allocate "half a structure"
can we?
Unfortunatelly I think that having a per API version structures is the
cleanest solution. Because:
- our tests should run everywhere they can, that means that we have to
use the minimal ABI that is required for the test
- important part of the backward compatibilty testing is that there are
no accesses past the declared ruleset size, which can be easily done
by the guarded buffers provided that we allocate exactly the size
needed
And backward compatibility also means that we have to properly handle
the case when we need newer ABI than currently supported, so the
verify_landlock_enabled() needs a size parameter so that we can check
that the ABI is >= than the minimal ABI the test needs...
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 13:15 ` Cyril Hrubis
@ 2024-11-05 15:13 ` Cyril Hrubis
2024-11-06 7:13 ` Li Wang
1 sibling, 0 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 15:13 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> And backward compatibility also means that we have to properly handle
> the case when we need newer ABI than currently supported, so the
> verify_landlock_enabled() needs a size parameter so that we can check
> that the ABI is >= than the minimal ABI the test needs...
Looking at verify_landlock_enabled() it does return the ABI already, so
this is covered as well.
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 3/4] Add landlock08 test
2024-11-05 9:34 ` [LTP] [PATCH v2 3/4] Add landlock08 test Andrea Cervesato
@ 2024-11-05 15:26 ` Cyril Hrubis
0 siblings, 0 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 15:26 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> +#include "landlock_common.h"
> +
> +#define ADDRESS_PORT 0x7c90
Hardcoding ports like this is frowned upon. We do have
TST_GET_UNUSED_PORT() function so that we can get unused port (per
family) in the test setup().
The rest of the code looks good to me.
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions
2024-11-05 9:34 ` [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions Andrea Cervesato
@ 2024-11-05 15:27 ` Cyril Hrubis
0 siblings, 0 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 15:27 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> +#define IPV4_ADDRESS "127.0.0.1"
Maybe IPV4_LOCALHOST instead?
> +#define IPV6_ADDRESS "::1"
Here as well?
> +struct socket_data {
> + struct sockaddr_in addr_ipv4;
> + struct sockaddr_in6 addr_ipv6;
These two could be inside an anonymous union I suppose, but we hardly
optimize for size here.
> + size_t address_size;
Otherwise it looks good:
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-05 9:34 ` [LTP] [PATCH v2 4/4] Add error coverage for landlock network support Andrea Cervesato
@ 2024-11-05 15:39 ` Cyril Hrubis
2024-11-05 17:45 ` Cyril Hrubis
2024-11-06 10:29 ` Andrea Cervesato via ltp
0 siblings, 2 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 15:39 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
> index 8566d407f6d17ab367695125f07d0a80cf4130e5..dbc405a8a01ac58e0d22f952f57bd603c62ab8be 100644
> --- a/testcases/kernel/syscalls/landlock/landlock02.c
> +++ b/testcases/kernel/syscalls/landlock/landlock02.c
> @@ -20,93 +20,146 @@
>
> #include "landlock_common.h"
>
> -static struct tst_landlock_ruleset_attr_abi1 *ruleset_attr;
> +static struct tst_landlock_ruleset_attr_abi4 *ruleset_attr;
> static struct landlock_path_beneath_attr *path_beneath_attr;
> static struct landlock_path_beneath_attr *rule_null;
> +static struct landlock_net_port_attr *net_port_attr;
> static int ruleset_fd;
> static int invalid_fd = -1;
> +static int abi_current;
>
> static struct tcase {
> int *fd;
> - enum landlock_rule_type rule_type;
> - struct landlock_path_beneath_attr **attr;
> + int rule_type;
> + struct landlock_path_beneath_attr **path_attr;
> + struct landlock_net_port_attr **net_attr;
> int access;
> int parent_fd;
> + int net_port;
> uint32_t flags;
> int exp_errno;
> + int abi_ver;
> char *msg;
> } tcases[] = {
> {
> .fd = &ruleset_fd,
> - .attr = &path_beneath_attr,
> + .path_attr = &path_beneath_attr,
> + .net_attr = NULL,
This is a static structure, so anything that is not initialized will be
zeroed anyways, so I would just omit the explicit NULL initializations.
> .access = LANDLOCK_ACCESS_FS_EXECUTE,
> .flags = 1,
> .exp_errno = EINVAL,
> + .abi_ver = 1,
> .msg = "Invalid flags"
> },
> {
> .fd = &ruleset_fd,
> - .attr = &path_beneath_attr,
> + .path_attr = &path_beneath_attr,
> + .net_attr = NULL,
> .access = LANDLOCK_ACCESS_FS_EXECUTE,
> .exp_errno = EINVAL,
> + .abi_ver = 1,
> .msg = "Invalid rule type"
> },
> {
> .fd = &ruleset_fd,
> .rule_type = LANDLOCK_RULE_PATH_BENEATH,
> - .attr = &path_beneath_attr,
> + .path_attr = &path_beneath_attr,
> + .net_attr = NULL,
> .exp_errno = ENOMSG,
> + .abi_ver = 1,
> .msg = "Empty accesses"
> },
> {
> .fd = &invalid_fd,
> - .attr = &path_beneath_attr,
> + .path_attr = &path_beneath_attr,
> + .net_attr = NULL,
> .access = LANDLOCK_ACCESS_FS_EXECUTE,
> .exp_errno = EBADF,
> + .abi_ver = 1,
> .msg = "Invalid file descriptor"
> },
> {
> .fd = &ruleset_fd,
> .rule_type = LANDLOCK_RULE_PATH_BENEATH,
> - .attr = &path_beneath_attr,
> + .path_attr = &path_beneath_attr,
> + .net_attr = NULL,
> .access = LANDLOCK_ACCESS_FS_EXECUTE,
> .parent_fd = -1,
> .exp_errno = EBADF,
> + .abi_ver = 1,
> .msg = "Invalid parent fd"
> },
> {
> .fd = &ruleset_fd,
> .rule_type = LANDLOCK_RULE_PATH_BENEATH,
> - .attr = &rule_null,
> + .path_attr = &rule_null,
> + .net_attr = NULL,
> .exp_errno = EFAULT,
> + .abi_ver = 1,
> .msg = "Invalid rule attr"
> },
> + {
> + .fd = &ruleset_fd,
> + .rule_type = LANDLOCK_RULE_NET_PORT,
> + .path_attr = NULL,
> + .net_attr = &net_port_attr,
> + .access = LANDLOCK_ACCESS_FS_EXECUTE,
> + .net_port = 448,
> + .exp_errno = EINVAL,
> + .abi_ver = 4,
> + .msg = "Invalid access rule for network type"
> + },
> + {
> + .fd = &ruleset_fd,
> + .rule_type = LANDLOCK_RULE_NET_PORT,
> + .path_attr = NULL,
> + .net_attr = &net_port_attr,
> + .access = LANDLOCK_ACCESS_NET_BIND_TCP,
> + .net_port = INT16_MAX + 1,
> + .exp_errno = EINVAL,
> + .abi_ver = 4,
> + .msg = "Socket port greater than 65535"
> + },
> };
>
> static void run(unsigned int n)
> {
> struct tcase *tc = &tcases[n];
>
> - if (*tc->attr) {
> - (*tc->attr)->allowed_access = tc->access;
> - (*tc->attr)->parent_fd = tc->parent_fd;
> + if (tc->abi_ver > abi_current) {
> + tst_res(TCONF, "Minimum ABI required: %d", tc->abi_ver);
> + return;
> }
>
> - TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> - *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> - tc->exp_errno,
> - "%s",
> - tc->msg);
> + if (tc->path_attr) {
> + if (*tc->path_attr) {
> + (*tc->path_attr)->allowed_access = tc->access;
> + (*tc->path_attr)->parent_fd = tc->parent_fd;
> + }
> +
> + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> + *tc->fd, tc->rule_type, *tc->path_attr, tc->flags),
> + tc->exp_errno, "%s", tc->msg);
> + } else if (tc->net_attr) {
> + if (*tc->net_attr) {
> + (*tc->net_attr)->allowed_access = tc->access;
> + (*tc->net_attr)->port = tc->net_port;
> + }
> +
> + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> + *tc->fd, tc->rule_type, *tc->net_attr, tc->flags),
> + tc->exp_errno, "%s", tc->msg);
if we assing the attr into a pointer this TST_EPX_FAIL() can be outside
of the if as:
void *attr;
if (path_attr) {
...
attr = *path_attr;
} else {
...
attr = *net_attr;
}
TST_EXP_FAIL(..., attr, ...);
> + }
> }
>
> static void setup(void)
> {
> - verify_landlock_is_enabled();
> + abi_current = verify_landlock_is_enabled();
>
> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>
> ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
> + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
^
This should be abi_current otherwise we
will fail on v1 only system.
> }
>
> static void cleanup(void)
> @@ -122,8 +175,9 @@ static struct tst_test test = {
> .cleanup = cleanup,
> .needs_root = 1,
> .bufs = (struct tst_buffers []) {
> - {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi1)},
> + {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi4)},
> {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
> + {&net_port_attr, .size = sizeof(struct landlock_net_port_attr)},
> {},
> },
> .caps = (struct tst_cap []) {
The rest looks good to me, with the minor probles fixed:
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-05 15:39 ` Cyril Hrubis
@ 2024-11-05 17:45 ` Cyril Hrubis
2024-11-06 10:29 ` Andrea Cervesato via ltp
1 sibling, 0 replies; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-05 17:45 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> > ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> > - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
> > + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
> ^
> This should be abi_current otherwise we
> will fail on v1 only system.
^
Not exactly right either.
We have to pass:
MIN(abi, sizeof(struct tst_landlock_ruleset_attr_abi4))
To make sure that we enable either v1 or v4.
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 1/4] Fallback landlock network support
2024-11-05 13:15 ` Cyril Hrubis
2024-11-05 15:13 ` Cyril Hrubis
@ 2024-11-06 7:13 ` Li Wang
1 sibling, 0 replies; 21+ messages in thread
From: Li Wang @ 2024-11-06 7:13 UTC (permalink / raw)
To: Cyril Hrubis; +Cc: ltp
On Tue, Nov 5, 2024 at 9:15 PM Cyril Hrubis <chrubis@suse.cz> wrote:
> Hi!
> > In this way it could work, but we loose guarded buffers which are passed
> > to the syscall and might be useful during debugging. In this case we
> > should use tst_buffers_alloc(). @Cyril what do you think?
>
> That woudln't work either, since we cannot allocate "half a structure"
> can we?
>
> Unfortunatelly I think that having a per API version structures is the
> cleanest solution. Because:
>
Okay, I agree to go this way, unless we find a better solution, and it can
be replaced anytime if we have it in the future.
Andrea, feel free to fix the tiny problems and add my RBT.
Reviewed-by: Li Wang <liwang@redhat.com>
>
> - our tests should run everywhere they can, that means that we have to
> use the minimal ABI that is required for the test
>
> - important part of the backward compatibilty testing is that there are
> no accesses past the declared ruleset size, which can be easily done
> by the guarded buffers provided that we allocate exactly the size
> needed
>
> And backward compatibility also means that we have to properly handle
> the case when we need newer ABI than currently supported, so the
> verify_landlock_enabled() needs a size parameter so that we can check
> that the ABI is >= than the minimal ABI the test needs...
>
> --
> Cyril Hrubis
> chrubis@suse.cz
>
>
--
Regards,
Li Wang
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-05 15:39 ` Cyril Hrubis
2024-11-05 17:45 ` Cyril Hrubis
@ 2024-11-06 10:29 ` Andrea Cervesato via ltp
2024-11-06 10:38 ` Cyril Hrubis
1 sibling, 1 reply; 21+ messages in thread
From: Andrea Cervesato via ltp @ 2024-11-06 10:29 UTC (permalink / raw)
To: Cyril Hrubis, Andrea Cervesato; +Cc: ltp
Hi Cyril,
On 11/5/24 16:39, Cyril Hrubis wrote:
>> - verify_landlock_is_enabled();
>> + abi_current = verify_landlock_is_enabled();
>>
>> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>>
>> ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
>> - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
>> + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
> ^
> This should be abi_current otherwise we
> will fail on v1 only system.
>
>> }
>>
In what sense? abi4 is already the last one. At least the last supported
by LTP.
Andrea
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-06 10:29 ` Andrea Cervesato via ltp
@ 2024-11-06 10:38 ` Cyril Hrubis
2024-11-06 11:01 ` Andrea Cervesato via ltp
0 siblings, 1 reply; 21+ messages in thread
From: Cyril Hrubis @ 2024-11-06 10:38 UTC (permalink / raw)
To: Andrea Cervesato; +Cc: ltp
Hi!
> >> - verify_landlock_is_enabled();
> >> + abi_current = verify_landlock_is_enabled();
> >>
> >> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
> >>
> >> ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> >> - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
> >> + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
> > ^
> > This should be abi_current otherwise we
> > will fail on v1 only system.
> >
> >> }
> >>
>
> In what sense? abi4 is already the last one. At least the last supported
> by LTP.
Because if we request abi4 it will fail on kernels that only support
abi1. We try hard to skip the abi4 tests, but we wouldn't get there at
all on abi1 kernel because we would fail to create the ruleset_fd in the
test setup.
And we cannot initialize the abi to anything newer than abi4 either,
because we pass abi4 structure in the test. It's fine that we pass abi4
structure on abi1 system here, because the test only checks for invalid
cases and all we need here is to pass a valid attr and size so that we
get rejected by the kernel on the rest of the parameters.
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [LTP] [PATCH v2 4/4] Add error coverage for landlock network support
2024-11-06 10:38 ` Cyril Hrubis
@ 2024-11-06 11:01 ` Andrea Cervesato via ltp
0 siblings, 0 replies; 21+ messages in thread
From: Andrea Cervesato via ltp @ 2024-11-06 11:01 UTC (permalink / raw)
To: Cyril Hrubis; +Cc: ltp
On 11/6/24 11:38, Cyril Hrubis wrote:
> Hi!
>>>> - verify_landlock_is_enabled();
>>>> + abi_current = verify_landlock_is_enabled();
>>>>
>>>> ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
>>>>
>>>> ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
>>>> - ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi1), 0));
>>>> + ruleset_attr, sizeof(struct tst_landlock_ruleset_attr_abi4), 0));
>>> ^
>>> This should be abi_current otherwise we
>>> will fail on v1 only system.
>>>
>>>> }
>>>>
>> In what sense? abi4 is already the last one. At least the last supported
>> by LTP.
> Because if we request abi4 it will fail on kernels that only support
> abi1. We try hard to skip the abi4 tests, but we wouldn't get there at
> all on abi1 kernel because we would fail to create the ruleset_fd in the
> test setup.
>
> And we cannot initialize the abi to anything newer than abi4 either,
> because we pass abi4 structure in the test. It's fine that we pass abi4
> structure on abi1 system here, because the test only checks for invalid
> cases and all we need here is to pass a valid attr and size so that we
> get rejected by the kernel on the rest of the parameters.
>
I can instantiate both ABI1 and ABI4 structs, then I pass it to the
tcase accordingly.
Andrea
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2024-11-06 11:02 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-05 9:34 [LTP] [PATCH v2 0/4] landlock network coverage support Andrea Cervesato
2024-11-05 9:34 ` [LTP] [PATCH v2 1/4] Fallback landlock network support Andrea Cervesato
2024-11-05 12:31 ` Li Wang
2024-11-05 12:42 ` Li Wang
2024-11-05 12:59 ` Andrea Cervesato via ltp
2024-11-05 13:15 ` Cyril Hrubis
2024-11-05 15:13 ` Cyril Hrubis
2024-11-06 7:13 ` Li Wang
2024-11-05 12:47 ` Andrea Cervesato via ltp
2024-11-05 13:08 ` Cyril Hrubis
2024-11-05 13:15 ` Andrea Cervesato via ltp
2024-11-05 9:34 ` [LTP] [PATCH v2 2/4] Network helpers in landlock suite common functions Andrea Cervesato
2024-11-05 15:27 ` Cyril Hrubis
2024-11-05 9:34 ` [LTP] [PATCH v2 3/4] Add landlock08 test Andrea Cervesato
2024-11-05 15:26 ` Cyril Hrubis
2024-11-05 9:34 ` [LTP] [PATCH v2 4/4] Add error coverage for landlock network support Andrea Cervesato
2024-11-05 15:39 ` Cyril Hrubis
2024-11-05 17:45 ` Cyril Hrubis
2024-11-06 10:29 ` Andrea Cervesato via ltp
2024-11-06 10:38 ` Cyril Hrubis
2024-11-06 11:01 ` Andrea Cervesato via ltp
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox