[V2,0/2] selinux-testsuite: Use native filesystem for tests

Message ID 20200325130900.15047-1-richard_c_haines@btinternet.com (mailing list archive)

Message

Richard Haines March 25, 2020, 1:08 p.m. UTC
If tested on the selinux-next kernel (that has the XFS patch [1]) with
the "NFS: Ensure security label is set for root inode" patch [2], then all
tests should pass. Anything else will give varying amounts of fails.

The filesystem types tested are: ext4, xfs, vfat and nfs4.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
[2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/

V2 Changes:
1) Add userdom_search_user_home_content(filesystemdomain) to policy
2) Add Makefile in nfs_filesystem for consistency.
3) Update nfs_filesystem/test text for kernel commit info.
4) Turn off -e flag once in 'function err_exit()' so each cmd completes.

Changes from RFC V3:
1) Fixed question mark (?) as the total/planned number of tests (Fix: do not
   have print statements in BEGIN { }, or any subroutines that are called
   inside this).
2) nfs.sh now gives line number on all test fails.
3) Policy changes for NFS mnt_t and mounton
4) Added xfslibs-dev and uuid-dev for travis

To test fanotify fs watch perms on 5.4+ (will also include tests/notify):
1) Extract the base module (base.cil):
      semodule -c -E base

2) Edit the following definitions in base.cil to add watch
   permissions:

   (common file (ioctl read write ....))
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   (class filesystem (mount remount ....))
Add:
   watch

3) Insert modified base module (inserts with default priority 400):
       semodule -i base.cil

4) Backup, then edit the following definitions in:
       /usr/share/selinux/devel/include/support/all_perms.spt

   define(`all_file_perms',`{ ioctl read write ....
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   define(`all_dir_perms',`{ ioctl read write ....
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   define(`all_filesystem_perms',`{ mount remount ....
Add:
   watch

5) 'make test' can now be run.

NOTE: Do NOT leave the new base.cil active after tests, as the system may
not reboot if in enforcing mode, as various watch permissions will be denied.
Revert to the original (priority 100) as follows:

semodule -r base
make clean
make -C policy unload

Finally restore the original:
/usr/share/selinux/devel/include/support/all_perms.spt

Richard Haines (2):
  selinux-testsuite: Use native filesystem for tests - Part 1
  selinux-testsuite: Use native filesystem for tests - Part 2

 .travis.yml                          |    2 +
 README.md                            |   15 +-
 defconfig                            |    6 +
 policy/test_filesystem.te            |   90 +-
 policy/test_filesystem_name_trans.te |    6 +
 policy/test_filesystem_notify.te     |   41 +-
 tests/filesystem/.gitignore          |    1 +
 tests/filesystem/Filesystem.pm       |  111 ++-
 tests/filesystem/Makefile            |    3 +-
 tests/filesystem/test                | 1199 +++++++++++++++---------
 tests/filesystem/xfs_quotas_test.c   |   96 ++
 tests/fs_filesystem/Makefile         |    3 -
 tests/fs_filesystem/fsmount.c        |    5 +-
 tests/fs_filesystem/test             | 1300 ++++++++++++++++----------
 tests/nfs_filesystem/Makefile        |    2 +
 tests/nfs_filesystem/test            |  362 +++++++
 tests/nfsruntests.pl                 |    5 +
 tools/nfs.sh                         |  127 ++-
 18 files changed, 2371 insertions(+), 1003 deletions(-)
 create mode 100644 tests/filesystem/xfs_quotas_test.c
 create mode 100644 tests/nfs_filesystem/Makefile
 create mode 100755 tests/nfs_filesystem/test
 create mode 100755 tests/nfsruntests.pl
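
Added example, not code from the testsuite or the patch series: a small POSIX sh script that applies steps 2 and 4 of the watch-permission procedure above to copies of base.cil and all_perms.spt, backing each file up first and skipping lines that already carry "watch" so a re-run is harmless. It assumes awk is available and that each definition sits on a single line, as in the output of `semodule -c -E base` and in refpolicy's all_perms.spt.

```shell
#!/bin/sh
# Added example, not part of selinux-testsuite or this patch series: applies the
# cover letter's "watch" permission edits (steps 2 and 4) to base.cil and
# all_perms.spt in a repeatable way, so the result can be inspected on a copy
# before 'semodule -i base.cil'.  Assumes the definitions sit on single lines,
# as they do in 'semodule -c -E base' output and refpolicy's all_perms.spt.
set -eu

FILE_WATCH_PERMS="watch watch_mount watch_sb watch_with_perm watch_reads"
FS_WATCH_PERMS="watch"

# Keep a pristine copy next to FILE (step 4: "Backup, then edit") unless one
# already exists, so a second run never overwrites the original backup.
backup_once() {
    [ -e "$1.orig" ] || cp "$1" "$1.orig"
}

# On the single line of FILE that starts with PREFIX, insert PERMS before the
# trailing CLOSE token.  Lines that already carry a 'watch' permission are left
# alone, which keeps the function idempotent.
patch_perm_line() {
    prefix=$1; close=$2; perms=$3; file=$4
    tmp=$(mktemp)
    awk -v p="$prefix" -v c="$close" -v x="$perms" '
        index($0, p) == 1 && $0 !~ / watch[ )}]/ {
            i = length($0) - length(c) + 1      # where the close token starts
            if (substr($0, i) == c)
                $0 = substr($0, 1, i - 1) " " x c
        }
        { print }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Step 2: '(common file (...))' gets the five watch perms and
# '(class filesystem (...))' gets 'watch'; every other class line is untouched.
patch_base_cil() {
    backup_once "$1"
    patch_perm_line "(common file (" "))" "$FILE_WATCH_PERMS" "$1"
    patch_perm_line "(class filesystem (" "))" "$FS_WATCH_PERMS" "$1"
}

# Step 4: the m4 macros in all_perms.spt, e.g.
#   define(`all_file_perms',`{ ioctl read write ... }')
patch_all_perms_spt() {
    backup_once "$1"
    patch_perm_line "define(\`all_file_perms'" " }')" "$FILE_WATCH_PERMS" "$1"
    patch_perm_line "define(\`all_dir_perms'" " }')" "$FILE_WATCH_PERMS" "$1"
    patch_perm_line "define(\`all_filesystem_perms'" " }')" "$FS_WATCH_PERMS" "$1"
}

# Number of definition lines in FILE that now carry a 'watch' permission; the
# edits above give 2 for base.cil and 3 for all_perms.spt.
watch_line_count() {
    grep -c ' watch[ )}]' "$1" || true
}

# Typical use on the test host (as root), mirroring the cover letter's steps:
#   semodule -c -E base && patch_base_cil base.cil && semodule -i base.cil
#   patch_all_perms_spt /usr/share/selinux/devel/include/support/all_perms.spt
# Afterwards 'semodule -r base' and restore the .orig copies, as the NOTE says.
```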

Comments

Stephen Smalley March 25, 2020, 2:56 p.m. UTC | #1
On Wed, Mar 25, 2020 at 9:09 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> If tested on the selinux-next kernel (that has the XFS patch [1]) with
> the "NFS: Ensure security label is set for root inode" patch [2], then all
> tests should pass. Anything else will give varying amounts of fails.
>
> The filesystem types tested are: ext4, xfs, vfat and nfs4.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> [2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/

Thanks, with this version of the patches, make test and ./tools/nfs.sh
pass for me on the selinux next branch.
Still need to review all the changes and confirm that it is all
functioning as expected (e.g. getting the expected permission
denials).
Ondrej, how does this fare on RHEL-8, both with respect to differences
there in policy/userspace and with respect to default use of
xfs instead of ext4?
Ondrej Mosnacek March 25, 2020, 3:38 p.m. UTC | #2
On Wed, Mar 25, 2020 at 3:55 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Mar 25, 2020 at 9:09 AM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> >
> > If tested on the selinux-next kernel (that has the XFS patch [1]) with
> > the "NFS: Ensure security label is set for root inode" patch [2], then all
> > tests should pass. Anything else will give varying amounts of fails.
> >
> > The filesystem types tested are: ext4, xfs, vfat and nfs4.
> >
> > [1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > [2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
>
> Thanks, with this version of the patches, make test and ./tools/nfs.sh
> pass for me on the selinux next branch.
> Still need to review all the changes and confirm that it is all
> functioning as expected (e.g. getting the expected permission
> denials).
> Ondrej, how does this fare on RHEL-8, both with respect to differences
> there in policy/userspace and with respect to default use of
> xfs instead of ext4?

Just checked - two of the filesystem tests fail there:

filesystem/test ............. 25/65
#   Failed test at filesystem/test line 524.

#   Failed test at filesystem/test line 572.
filesystem/test ............. 46/65 # Looks like you failed 2 tests of 65.
filesystem/test ............. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/65 subtests
[...]
Test Summary Report
-------------------
filesystem/test           (Wstat: 512 Tests: 65 Failed: 2)
 Failed tests:  26, 29
 Non-zero exit status: 2

In both cases the xfs_quotas_test program exits with 0, not with an
error as expected.
Richard Haines March 25, 2020, 4:08 p.m. UTC | #3
On Wed, 2020-03-25 at 16:38 +0100, Ondrej Mosnacek wrote:
> On Wed, Mar 25, 2020 at 3:55 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Wed, Mar 25, 2020 at 9:09 AM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > If tested on the selinux-next kernel (that has the XFS patch [1])
> > > with
> > > the "NFS: Ensure security label is set for root inode" patch [2],
> > > then all
> > > tests should pass. Anything else will give varying amounts of
> > > fails.
> > > 
> > > The filesystem types tested are: ext4, xfs, vfat and nfs4.
> > > 
> > > [1] 
> > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > > [2] 
> > > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
> > 
> > Thanks, with this version of the patches, make test and
> > ./tools/nfs.sh
> > pass for me on the selinux next branch.
> > Still need to review all the changes and confirm that it is all
> > functioning as expected (e.g. getting the expected permission
> > denials).
> > Ondrej, how does this fare on RHEL-8, both with respect to
> > differences
> > there in policy/userspace and with respect to default use of
> > xfs instead of ext4?
> 
> Just checked - two of the filesystem tests fail there:
> 
> filesystem/test ............. 25/65
> #   Failed test at filesystem/test line 524.
> 
> #   Failed test at filesystem/test line 572.
> filesystem/test ............. 46/65 # Looks like you failed 2 tests
> of 65.
> filesystem/test ............. Dubious, test returned 2 (wstat 512,
> 0x200)
> Failed 2/65 subtests
> [...]
> Test Summary Report
> -------------------
> filesystem/test           (Wstat: 512 Tests: 65 Failed: 2)
>  Failed tests:  26, 29
>  Non-zero exit status: 2
> 
> In both cases the xfs_quotas_test program exits with 0, not with an
> error as expected.

I guess you don't have the XFS quota patch [1] installed. Best to use
the selinux-next kernel as that also has the NFS patch as well.

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce

Richard Haines March 25, 2020, 4:23 p.m. UTC | #4
On Wed, 2020-03-25 at 10:56 -0400, Stephen Smalley wrote:
> On Wed, Mar 25, 2020 at 9:09 AM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > If tested on the selinux-next kernel (that has the XFS patch [1])
> > with
> > the "NFS: Ensure security label is set for root inode" patch [2],
> > then all
> > tests should pass. Anything else will give varying amounts of
> > fails.
> > 
> > The filesystem types tested are: ext4, xfs, vfat and nfs4.
> > 
> > [1] 
> > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > [2] 
> > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
> 
> Thanks, with this version of the patches, make test and
> ./tools/nfs.sh
> pass for me on the selinux next branch.
> Still need to review all the changes and confirm that it is all
> functioning as expected (e.g. getting the expected permission
> denials).

Attached are the (cleaned up) audit2allow entries for the fs test
denials I've been using as a reference over the various updates. Watch
is configured and using selinux-next kernel.


> Ondrej, how does this fare on RHEL-8, both with respect to
> differences
> there in policy/userspace and with respect to default use of
> xfs instead of ext4?

tests/filesystem/test -f ext4
======================== 83 tests ==================

#============= test_file_no_quotaon_t ==============
allow test_file_no_quotaon_t self:file quotaon;

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t fs_t:filesystem mount;

#============= test_filesystem_no_quotaget_t ==============
allow test_filesystem_no_quotaget_t self:filesystem quotaget;

#============= test_filesystem_no_quotamod_t ==============
allow test_filesystem_no_quotamod_t self:filesystem quotamod;

#============= test_filesystem_no_remount_t ==============
allow test_filesystem_no_remount_t fs_t:filesystem remount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t fs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

#============= unconfined_t ==============
allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate;

#============= unlabeled_t ==============
allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate;

################################################################################

tests/filesystem/test -f xfs
======================== 76 tests ==================

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t fs_t:filesystem mount;

#============= test_filesystem_no_quotaget_t ==============
allow test_filesystem_no_quotaget_t self:filesystem quotaget;

#============= test_filesystem_no_quotamod_t ==============
allow test_filesystem_no_quotamod_t self:filesystem quotamod;

#============= test_filesystem_no_remount_t ==============
allow test_filesystem_no_remount_t fs_t:filesystem remount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t fs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

#============= unconfined_t ==============
allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate;

#============= unlabeled_t ==============
allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate;


################################################################################

tests/filesystem/test -f vfat
======================== 54 tests ==================

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t dosfs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t dosfs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t dosfs_t:filesystem mount;

#============= test_filesystem_no_remount_t ==============
allow test_filesystem_no_remount_t dosfs_t:filesystem remount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t dosfs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t dosfs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

################################################################################

tests/fs_filesystem/test -f ext4
======================== 82 tests ==================

#============= test_file_no_quotaon_t ==============
allow test_file_no_quotaon_t self:file quotaon;

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t fs_t:filesystem mount;

#============= test_filesystem_no_quotaget_t ==============
allow test_filesystem_no_quotaget_t self:filesystem quotaget;

#============= test_filesystem_no_quotamod_t ==============
allow test_filesystem_no_quotamod_t self:filesystem quotamod;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t fs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_move_mount_no_mounton_t ==============
allow test_move_mount_no_mounton_t test_file_t:dir mounton;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

#============= unconfined_t ==============
allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate;

#============= unlabeled_t ==============
allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate;

################################################################################

tests/fs_filesystem/test -f xfs
======================== 75 tests ==================

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t fs_t:filesystem mount;

#============= test_filesystem_no_quotaget_t ==============
allow test_filesystem_no_quotaget_t self:filesystem quotaget;

#============= test_filesystem_no_quotamod_t ==============
allow test_filesystem_no_quotamod_t self:filesystem quotamod;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t fs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_move_mount_no_mounton_t ==============
allow test_move_mount_no_mounton_t test_file_t:dir mounton;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

#============= unconfined_t ==============
allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate;

#============= unlabeled_t ==============
allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate;


################################################################################

tests/fs_filesystem/test -f vfat
======================== 53 tests ==================

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t dosfs_t:filesystem associate;

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t fs_t:filesystem getattr;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t dosfs_t:filesystem relabelfrom;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t dosfs_t:filesystem mount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t dosfs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t self:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t self:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t self:filesystem watch;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t dosfs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= test_move_mount_no_mounton_t ==============
allow test_move_mount_no_mounton_t test_file_t:dir mounton;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;

################################################################################

tools/nfs.sh nfs_filesystem
======================== 56 tests ==================

#============= test_filesystem_inode_relabel_no_associate_t ==============
allow test_filesystem_inode_relabel_no_associate_t self:filesystem associate;

#============= test_filesystem_no_inode_no_relabelfrom_t ==============
allow test_filesystem_no_inode_no_relabelfrom_t nfs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelfrom_t ==============
allow test_filesystem_sb_relabel_no_relabelfrom_t nfs_t:filesystem relabelfrom;

#============= test_filesystem_sb_relabel_no_relabelto_t ==============
allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto;

#============= unconfined_t ==============
allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate;
allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem associate;

################################################################################

tools/nfs.sh fs_filesystem
======================== 37 tests ==================

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t nfs_t:filesystem getattr;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t nfs_t:filesystem mount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t nfs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t test_file_t:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t test_file_t:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t nfs_t:filesystem watch;

#============= test_move_mount_no_mounton_t ==============
allow test_move_mount_no_mounton_t test_file_t:dir mounton;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;


################################################################################

tools/nfs.sh filesystem
======================== 38 tests ==================

#============= test_filesystem_no_getattr_t ==============
allow test_filesystem_no_getattr_t nfs_t:filesystem getattr;

#============= test_filesystem_no_mount_t ==============
allow test_filesystem_no_mount_t nfs_t:filesystem mount;

#============= test_filesystem_no_remount_t ==============
allow test_filesystem_no_remount_t nfs_t:filesystem remount;

#============= test_filesystem_no_unmount_t ==============
allow test_filesystem_no_unmount_t nfs_t:filesystem unmount;

#============= test_filesystem_no_watch_mount_t ==============
allow test_filesystem_no_watch_mount_t test_file_t:dir watch_mount;

#============= test_filesystem_no_watch_sb_t ==============
allow test_filesystem_no_watch_sb_t test_file_t:dir watch_sb;

#============= test_filesystem_no_watch_t ==============
allow test_filesystem_no_watch_t nfs_t:filesystem watch;

#============= test_no_setfscreatecon_t ==============
allow test_no_setfscreatecon_t self:process setfscreate;