diff mbox series

[v5,12/15] seltests/landlock: rules overlapping test

Message ID 20220516152038.39594-13-konstantin.meskhidze@huawei.com (mailing list archive)
State New
Headers show
Series Network support for Landlock | expand

Commit Message

Konstantin Meskhidze (A) May 16, 2022, 3:20 p.m. UTC
This patch adds overlapping rules for one port.
First rule adds just bind() access right for a port.
The second one adds both bind() and connect()
access rights for the same port.

Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---

Changes since v3:
* Add ruleset_overlap test.

Changes since v4:
* Refactoring code with self->port, self->addr4 variables.

---
 tools/testing/selftests/landlock/net_test.c | 51 +++++++++++++++++++++
 1 file changed, 51 insertions(+)

--
2.25.1

Comments

Mickaël Salaün May 16, 2022, 5:41 p.m. UTC | #1
Please fix these kind of subjects (selftests). I'd also like the subject 
description to (quickly) describe what is done (with a verb), to start 
with a capital (like a title), and to contain "network", something like 
this:
selftests/landlock: Add test for overlapping network rules

This is a good test though.


On 16/05/2022 17:20, Konstantin Meskhidze wrote:
> This patch adds overlapping rules for one port.
> First rule adds just bind() access right for a port.
> The second one adds both bind() and connect()
> access rights for the same port.
> 
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> ---
> 
> Changes since v3:
> * Add ruleset_overlap test.
> 
> Changes since v4:
> * Refactoring code with self->port, self->addr4 variables.
> 
> ---
>   tools/testing/selftests/landlock/net_test.c | 51 +++++++++++++++++++++
>   1 file changed, 51 insertions(+)
> 
> diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
> index bf8e49466d1d..1d8c9dfdbd48 100644
> --- a/tools/testing/selftests/landlock/net_test.c
> +++ b/tools/testing/selftests/landlock/net_test.c
> @@ -677,4 +677,55 @@ TEST_F_FORK(socket_test, connect_afunspec_with_restictions) {
>   	ASSERT_EQ(1, WIFEXITED(status));
>   	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>   }
> +
> +TEST_F_FORK(socket_test, ruleset_overlap) {

Please run clang-format-14 on all files (and all commits).

> +
> +	int sockfd;
> +
> +	struct landlock_ruleset_attr ruleset_attr = {
> +		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
> +				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
> +	};
> +	struct landlock_net_service_attr net_service_1 = {
> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
> +
> +		.port = self->port[0],
> +	};
> +
> +		struct landlock_net_service_attr net_service_2 = {
> +		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
> +				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
> +
> +		.port = self->port[0],
> +	};
> +
> +	const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
> +					sizeof(ruleset_attr), 0);
> +	ASSERT_LE(0, ruleset_fd);
> +
> +	/* Allows bind operations to the port[0] socket */

Please ends this kind of comments with a final dot (all files/commits).

> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
> +				       &net_service_1, 0));
> +	/* Allows connect and bind operations to the port[0] socket */
> +	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
> +				       &net_service_2, 0));
> +
> +	/* Enforces the ruleset. */
> +	enforce_ruleset(_metadata, ruleset_fd);
> +
> +	/* Creates a server socket */
> +	sockfd = create_socket(_metadata, false, false);
> +	ASSERT_LE(0, sockfd);
> +
> +	/* Binds the socket to address with port[0] */
> +	ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0], sizeof(self->addr4[0])));
> +
> +	/* Makes connection to socket with port[0] */
> +	ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],

Can you please get rid of this (struct sockaddr *) type casting please 
(without compiler warning)?

> +						   sizeof(self->addr4[0])));

Here, you can enforce a new ruleset with net_service_1 and check that 
bind() is still allowed but not connect().

> +
> +	/* Closes socket */
> +	ASSERT_EQ(0, close(sockfd));
> +}
> +
>   TEST_HARNESS_MAIN
> --
> 2.25.1
>
Konstantin Meskhidze (A) May 19, 2022, 12:24 p.m. UTC | #2
5/16/2022 8:41 PM, Mickaël Salaün пишет:
> Please fix these kind of subjects (selftests). I'd also like the subject 
> description to (quickly) describe what is done (with a verb), to start 
> with a capital (like a title), and to contain "network", something like 
> this:
> selftests/landlock: Add test for overlapping network rules
> 
> This is a good test though.
> 
> 
> On 16/05/2022 17:20, Konstantin Meskhidze wrote:
>> This patch adds overlapping rules for one port.
>> First rule adds just bind() access right for a port.
>> The second one adds both bind() and connect()
>> access rights for the same port.
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> ---
>>
>> Changes since v3:
>> * Add ruleset_overlap test.
>>
>> Changes since v4:
>> * Refactoring code with self->port, self->addr4 variables.
>>
>> ---
>>   tools/testing/selftests/landlock/net_test.c | 51 +++++++++++++++++++++
>>   1 file changed, 51 insertions(+)
>>
>> diff --git a/tools/testing/selftests/landlock/net_test.c 
>> b/tools/testing/selftests/landlock/net_test.c
>> index bf8e49466d1d..1d8c9dfdbd48 100644
>> --- a/tools/testing/selftests/landlock/net_test.c
>> +++ b/tools/testing/selftests/landlock/net_test.c
>> @@ -677,4 +677,55 @@ TEST_F_FORK(socket_test, 
>> connect_afunspec_with_restictions) {
>>       ASSERT_EQ(1, WIFEXITED(status));
>>       ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
>>   }
>> +
>> +TEST_F_FORK(socket_test, ruleset_overlap) {
> 
> Please run clang-format-14 on all files (and all commits).
> 
   Yep. I already have updated clang-format executable on my Ubuntu and
setup Vscode to use .clang-format file.
>> +
>> +    int sockfd;
>> +
>> +    struct landlock_ruleset_attr ruleset_attr = {
>> +        .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
>> +                      LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +    };
>> +    struct landlock_net_service_attr net_service_1 = {
>> +        .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>> +
>> +        .port = self->port[0],
>> +    };
>> +
>> +        struct landlock_net_service_attr net_service_2 = {
>> +        .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
>> +                  LANDLOCK_ACCESS_NET_CONNECT_TCP,
>> +
>> +        .port = self->port[0],
>> +    };
>> +
>> +    const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
>> +                    sizeof(ruleset_attr), 0);
>> +    ASSERT_LE(0, ruleset_fd);
>> +
>> +    /* Allows bind operations to the port[0] socket */
> 
> Please ends this kind of comments with a final dot (all files/commits).
> 
   Ok. I will.
>> +    ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 
>> LANDLOCK_RULE_NET_SERVICE,
>> +                       &net_service_1, 0));
>> +    /* Allows connect and bind operations to the port[0] socket */
>> +    ASSERT_EQ(0, landlock_add_rule(ruleset_fd, 
>> LANDLOCK_RULE_NET_SERVICE,
>> +                       &net_service_2, 0));
>> +
>> +    /* Enforces the ruleset. */
>> +    enforce_ruleset(_metadata, ruleset_fd);
>> +
>> +    /* Creates a server socket */
>> +    sockfd = create_socket(_metadata, false, false);
>> +    ASSERT_LE(0, sockfd);
>> +
>> +    /* Binds the socket to address with port[0] */
>> +    ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0], 
>> sizeof(self->addr4[0])));
>> +
>> +    /* Makes connection to socket with port[0] */
>> +    ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
> 
> Can you please get rid of this (struct sockaddr *) type casting please 
> (without compiler warning)?
> 
   Do you have a warning here? Cause I don't.
>> +                           sizeof(self->addr4[0])));
> 
> Here, you can enforce a new ruleset with net_service_1 and check that 
> bind() is still allowed but not connect().
> 
  Ok. Thank you for advice.
>> +
>> +    /* Closes socket */
>> +    ASSERT_EQ(0, close(sockfd));
>> +}
>> +
>>   TEST_HARNESS_MAIN
>> -- 
>> 2.25.1
>>
> .
Mickaël Salaün May 19, 2022, 3:04 p.m. UTC | #3
On 19/05/2022 14:24, Konstantin Meskhidze wrote:
> 
> 
> 5/16/2022 8:41 PM, Mickaël Salaün пишет:

[...]

>>> +
>>> +    /* Makes connection to socket with port[0] */
>>> +    ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
>>
>> Can you please get rid of this (struct sockaddr *) type casting please 
>> (without compiler warning)?
>>
>    Do you have a warning here? Cause I don't.

There is no warning but this kind of cast is useless.
Konstantin Meskhidze (A) May 24, 2022, 8:55 a.m. UTC | #4
5/19/2022 6:04 PM, Mickaël Salaün пишет:
> 
> 
> On 19/05/2022 14:24, Konstantin Meskhidze wrote:
>>
>>
>> 5/16/2022 8:41 PM, Mickaël Salaün пишет:
> 
> [...]
> 
>>>> +
>>>> +    /* Makes connection to socket with port[0] */
>>>> +    ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
>>>
>>> Can you please get rid of this (struct sockaddr *) type casting 
>>> please (without compiler warning)?
>>>
>>    Do you have a warning here? Cause I don't.
> 
> There is no warning but this kind of cast is useless.

   But addr4 is struct sockaddr_in type and connect/bind use struct 
sockaddr type. That's why casting is needed here.

> .
diff mbox series

Patch

diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index bf8e49466d1d..1d8c9dfdbd48 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -677,4 +677,55 @@  TEST_F_FORK(socket_test, connect_afunspec_with_restictions) {
 	ASSERT_EQ(1, WIFEXITED(status));
 	ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
 }
+
+TEST_F_FORK(socket_test, ruleset_overlap) {
+
+	int sockfd;
+
+	struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
+	};
+	struct landlock_net_service_attr net_service_1 = {
+		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+
+		.port = self->port[0],
+	};
+
+		struct landlock_net_service_attr net_service_2 = {
+		.allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP |
+				  LANDLOCK_ACCESS_NET_CONNECT_TCP,
+
+		.port = self->port[0],
+	};
+
+	const int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
+					sizeof(ruleset_attr), 0);
+	ASSERT_LE(0, ruleset_fd);
+
+	/* Allows bind operations to the port[0] socket */
+	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+				       &net_service_1, 0));
+	/* Allows connect and bind operations to the port[0] socket */
+	ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+				       &net_service_2, 0));
+
+	/* Enforces the ruleset. */
+	enforce_ruleset(_metadata, ruleset_fd);
+
+	/* Creates a server socket */
+	sockfd = create_socket(_metadata, false, false);
+	ASSERT_LE(0, sockfd);
+
+	/* Binds the socket to address with port[0] */
+	ASSERT_EQ(0, bind(sockfd, (struct sockaddr *)&self->addr4[0], sizeof(self->addr4[0])));
+
+	/* Makes connection to socket with port[0] */
+	ASSERT_EQ(0, connect(sockfd, (struct sockaddr *)&self->addr4[0],
+						   sizeof(self->addr4[0])));
+
+	/* Closes socket */
+	ASSERT_EQ(0, close(sockfd));
+}
+
 TEST_HARNESS_MAIN