#
69fe8ec4 |
|
28-Feb-2024 |
Jakub Kicinski <kuba@kernel.org> |
selftests: kselftest_harness: save full exit code in metadata Instead of tracking passed = 0/1 rename the field to exit_code and invert the values so that they match the KSFT_* exit codes. This will allow us to fold SKIP / XFAIL into the same value. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
bb6f4dbe |
|
25-Jan-2024 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Fix capability for net_test CAP_NET_ADMIN allows to configure network interfaces, not CAP_SYS_ADMIN which only allows to call unshare(2). Without this change, running network tests as a non-root user but with all capabilities would fail at the setup_loopback() step with "RTNETLINK answers: Operation not permitted". The issue is only visible when running tests with non-root users (i.e. only relying on ambient capabilities). Indeed, when configuring the network interface, the "ip" command is called, which may lead to the special handling of capabilities for the root user by execve(2). If root is the caller, then the inherited, permitted and effective capabilities are all reset, which then includes CAP_NET_ADMIN. However, if a non-root user is the caller, then ambient capabilities are masked by the inherited ones, which were explicitly dropped. To make execution deterministic whatever users are running the tests, set the noroot secure bit for each test, and set the inheritable and ambient capabilities to CAP_NET_ADMIN, the only capability that may be required after an execve(2). Factor out _effective_cap() into _change_cap(), and use it to manage ambient capabilities with the new set_ambient_cap() and clear_ambient_cap() helpers. This makes it possible to run all Landlock tests with check-linux.sh from https://github.com/landlock-lsm/landlock-test-tools Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Fixes: a549d055a22e ("selftests/landlock: Add network tests") Link: https://lore.kernel.org/r/20240125153230.3817165-2-mic@digikod.net [mic: Make sure SECBIT_NOROOT_LOCKED is set] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
116099ed |
|
22-Jan-2024 |
Hu Yadi <hu.yadi@h3c.com> |
selftests/landlock: Fix net_test build with old libc One issue comes up while building selftest/landlock/net_test on my side (gcc 7.3/glibc-2.28/kernel-4.19). net_test.c: In function ‘set_service’: net_test.c:91:45: warning: implicit declaration of function ‘gettid’; [-Wimplicit-function-declaration] "_selftests-landlock-net-tid%d-index%d", gettid(), ^~~~~~ getgid net_test.c:(.text+0x4e0): undefined reference to `gettid' Signed-off-by: Hu Yadi <hu.yadi@h3c.com> Suggested-by: Jiao <jiaoxupo@h3c.com> Reviewed-by: Berlin <berlin@h3c.com> Fixes: a549d055a22e ("selftests/landlock: Add network tests") Link: https://lore.kernel.org/r/20240123062621.25082-1-hu.yadi@h3c.com [mic: Cosmetic fixes] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
e2780a0b |
|
30-Nov-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests to check unhandled rule's access rights Add two tests to make sure that we cannot add a rule to a ruleset if the rule's access rights that are not handled by the ruleset: * fs: layout1.rule_with_unhandled_access * net: mini.rule_with_unhandled_access Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20231130093616.67340-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
6471c9c4 |
|
30-Nov-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests to check unknown rule's access rights Add two tests to make sure that we cannot add a rule with access rights that are unknown: * fs: layout0.rule_with_unknown_access * net: mini.rule_with_unknown_access Rename unknown_access_rights tests to ruleset_with_unknown_access . Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20231130093616.67340-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
a549d055 |
|
25-Oct-2023 |
Konstantin Meskhidze <konstantin.meskhidze@huawei.com> |
selftests/landlock: Add network tests Add 82 test suites to check edge cases related to bind() and connect() actions. They are defined with 6 fixtures and their variants: The "protocol" fixture is extended with 12 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and stream/datagram socket. 4 related tests suites are defined: * bind: Tests bind action. * connect: Tests connect action. * bind_unspec: Tests bind action with the AF_UNSPEC socket family. * connect_unspec: Tests connect action with the AF_UNSPEC socket family. The "ipv4" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, and stream/datagram socket. 1 related test suite is defined: * from_unix_to_inet: Tests to make sure unix sockets' actions are not restricted by Landlock rules applied to TCP ones. The "tcp_layers" fixture is extended with 8 variants defined as a matrix of: IPv4/IPv6 network domain, and different number of landlock rule layers. 2 related tests suites are defined: * ruleset_overlap: Tests nested layers with less constraints. * ruleset_expand: Tests nested layers with more constraints. In the "mini" fixture 4 tests suites are defined: * network_access_rights: Tests handling of known access rights. * unknown_access_rights: Tests handling of unknown access rights. * inval: Tests unhandled allowed access and zero access value. * tcp_port_overflow: Tests with port values greater than 65535. The "ipv4_tcp" fixture supports IPv4 network domain with stream socket. 2 tests suites are defined: * port_endianness: Tests with big/little endian port formats. * with_fs: Tests a ruleset with both filesystem and network restrictions. The "port_specific" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain, and stream socket. 2 related tests suites are defined: * bind_connect_zero: Tests with port 0. * bind_connect_1023: Tests with port 1023. Test coverage for security/landlock is 92.4% of 710 lines according to gcc/gcov-13. Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com [mic: Extend commit message, update test coverage, clean up capability use, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs] Co-developed-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Mickaël Salaün <mic@digikod.net>
|