Message ID | 20230515161339.631577-1-konstantin.meskhidze@huawei.com
---|---
Series | Network support for Landlock
Hi Konstantin,

The kernel code looks good. I found some issues in tests and documentation, and I'm still reviewing the whole patches. In the meantime, I've pushed it in -next, we'll see how it goes.

We need to have this new code covered by syzkaller. I'll work on that unless you want to.

Regards,
Mickaël

On 15/05/2023 18:13, Konstantin Meskhidze wrote:
> Hi,
> This is a new V11 patch related to Landlock LSM network confinement.
> It is based on the Landlock -next branch on top of v6.2-rc3+ kernel version:
> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next
>
> It brings refactoring of previous patch version V10.
> Mostly there are fixes of logic and typos, refactoring some selftests.
>
> All tests were run in a QEMU environment and compiled with
> the -static flag.
> 1. network_test: 36/36 tests passed.
> 2. base_test: 7/7 tests passed.
> 3. fs_test: 78/78 tests passed.
> 4. ptrace_test: 8/8 tests passed.
>
> Previous versions:
> v10: https://lore.kernel.org/linux-security-module/20230323085226.1432550-1-konstantin.meskhidze@huawei.com/
> v9: https://lore.kernel.org/linux-security-module/20230116085818.165539-1-konstantin.meskhidze@huawei.com/
> v8: https://lore.kernel.org/linux-security-module/20221021152644.155136-1-konstantin.meskhidze@huawei.com/
> v7: https://lore.kernel.org/linux-security-module/20220829170401.834298-1-konstantin.meskhidze@huawei.com/
> v6: https://lore.kernel.org/linux-security-module/20220621082313.3330667-1-konstantin.meskhidze@huawei.com/
> v5: https://lore.kernel.org/linux-security-module/20220516152038.39594-1-konstantin.meskhidze@huawei.com
> v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>
> Konstantin Meskhidze (11):
>   landlock: Make ruleset's access masks more generic
>   landlock: Refactor landlock_find_rule/insert_rule
>   landlock: Refactor merge/inherit_ruleset functions
>   landlock: Move and rename layer helpers
>   landlock: Refactor layer helpers
>   landlock: Refactor landlock_add_rule() syscall
>   landlock: Add network rules and TCP hooks support
>   selftests/landlock: Share enforce_ruleset()
>   selftests/landlock: Add 11 new test suites dedicated to network
>   samples/landlock: Add network demo
>   landlock: Document Landlock's network support
>
> Mickaël Salaün (1):
>   landlock: Allow filesystem layout changes for domains without such
>     rule type
>
>  Documentation/userspace-api/landlock.rst     |   89 +-
>  include/uapi/linux/landlock.h                |   48 +
>  samples/landlock/sandboxer.c                 |  128 +-
>  security/landlock/Kconfig                    |    1 +
>  security/landlock/Makefile                   |    2 +
>  security/landlock/fs.c                       |  232 +--
>  security/landlock/limits.h                   |    7 +-
>  security/landlock/net.c                      |  174 +++
>  security/landlock/net.h                      |   26 +
>  security/landlock/ruleset.c                  |  405 +++++-
>  security/landlock/ruleset.h                  |  185 ++-
>  security/landlock/setup.c                    |    2 +
>  security/landlock/syscalls.c                 |  163 ++-
>  tools/testing/selftests/landlock/base_test.c |    2 +-
>  tools/testing/selftests/landlock/common.h    |   10 +
>  tools/testing/selftests/landlock/config      |    4 +
>  tools/testing/selftests/landlock/fs_test.c   |   74 +-
>  tools/testing/selftests/landlock/net_test.c  | 1317 ++++++++++++++++++
>  18 files changed, 2520 insertions(+), 349 deletions(-)
>  create mode 100644 security/landlock/net.c
>  create mode 100644 security/landlock/net.h
>  create mode 100644 tools/testing/selftests/landlock/net_test.c
>
> --
> 2.25.1

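The series above adds TCP bind/connect rules to Landlock ("landlock: Add network rules and TCP hooks support" and the network demo in the sandboxer sample). The following is an added example, not code from the series, its sandboxer sample or its selftests: it builds a default-deny TCP ruleset for the calling thread, allows binding to a single port, and then checks that a bind to another port and a connect to loopback are refused with EACCES. The UAPI structure layouts and constant names are mirrored from what was merged upstream (Landlock ABI 4, Linux 6.7) and are an assumption about this v11 revision, which the page does not show; the syscall numbers are the unified ones. The two port numbers are constructed sample values, and on a kernel whose Landlock ABI is older than 4 the check reports "nothing to enforce" rather than failing.

```c
/* Added example (not from the series, its sample or its selftests): confine
 * the calling thread with a Landlock TCP policy and verify it. UAPI names and
 * layouts mirror upstream (Landlock ABI 4, Linux 6.7): an assumption here. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers are the same on every architecture (unified table). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Mirrored UAPI (assumed upstream layout; the page does not show it). */
struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_NET_PORT 2
#define LL_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LL_NET_ABI_MIN 4 /* first ABI version with handled_access_net */

/* Landlock ABI version, or -errno (e.g. -ENOSYS when Landlock is absent). */
long landlock_abi(void)
{
	long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
	return r < 0 ? -errno : r;
}

/* Deny every TCP bind and connect except binding to bind_port.
 * Returns 0, -ENOTSUP when the kernel has no network rules, or -errno. */
int restrict_tcp_bind_to(uint16_t bind_port)
{
	if (landlock_abi() < LL_NET_ABI_MIN)
		return -ENOTSUP;
	/* A handled access that no rule allows is denied: default-deny. */
	struct ll_ruleset_attr rs = { .handled_access_fs = 0,
		.handled_access_net = LL_ACCESS_NET_BIND_TCP | LL_ACCESS_NET_CONNECT_TCP };
	int fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (fd < 0)
		return -errno;
	struct ll_net_port_attr rule = { .allowed_access = LL_ACCESS_NET_BIND_TCP,
					 .port = bind_port };
	int err = 0;
	if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &rule, 0) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || /* restrict_self needs it */
	    syscall(__NR_landlock_restrict_self, fd, 0))
		err = -errno;
	close(fd);
	return err;
}

/* bind() to 0.0.0.0:port, or connect() to 127.0.0.1:port; returns 0 or -errno. */
int probe_tcp(int do_connect, uint16_t port)
{
	int s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
		return -errno;
	struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
		.sin_addr.s_addr = htonl(do_connect ? INADDR_LOOPBACK : INADDR_ANY) };
	int r = do_connect ? connect(s, (struct sockaddr *)&sa, sizeof(sa))
			   : bind(s, (struct sockaddr *)&sa, sizeof(sa));
	int err = r ? -errno : 0;
	close(s);
	return err;
}

/* Apply the policy to this thread and check it. Returns 0 when the kernel
 * behaves as expected (denies with EACCES, or has no network rules at all),
 * otherwise the number of the failing step. */
int self_check(void)
{
	const uint16_t allowed = 47123, denied = 47124; /* constructed sample ports */
	int r = restrict_tcp_bind_to(allowed);
	if (r == -ENOTSUP)
		return 0; /* nothing to enforce on this kernel */
	if (r)
		return 1;
	if (probe_tcp(0, denied) != -EACCES)
		return 2; /* bind to a port without a rule */
	if (probe_tcp(1, denied) != -EACCES)
		return 3; /* connect is refused before any packet leaves */
	if (probe_tcp(0, allowed) != 0)
		return 4; /* assumes the sample port is free */
	return 0;
}

int main(void)
{
	printf("Landlock ABI %ld, self check: %d\n", landlock_abi(), self_check());
	return 0;
}
```

The ABI probe (`landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)`) is what lets a sandboxer degrade gracefully: it must not pass `handled_access_net` to a kernel that predates network rules, and it should know when its network policy is silently not enforced. Landlock is default-deny only for the access kinds the ruleset handles, so handling both BIND_TCP and CONNECT_TCP while adding a single bind rule is what closes off connects entirely.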
6/5/2023 6:02 PM, Mickaël Salaün wrote:
> Hi Konstantin,
>
> The kernel code looks good. I found some issues in tests and
> documentation, and I'm still reviewing the whole patches. In the
> meantime, I've pushed it in -next, we'll see how it goes.
>
> We need to have this new code covered by syzkaller. I'll work on that
> unless you want to.
>
> Regards,
> Mickaël
>
Hi, Mickaël!
I have never set up syzkaller. Do you have a syzkaller scenario for Landlock code? I need some hints. I will give it a shot.

Regards,
Konstantin.

On 06/06/2023 11:10, Konstantin Meskhidze (A) wrote:
> 6/5/2023 6:02 PM, Mickaël Salaün wrote:
>> Hi Konstantin,
>>
>> The kernel code looks good. I found some issues in tests and
>> documentation, and I'm still reviewing the whole patches. In the
>> meantime, I've pushed it in -next, we'll see how it goes.
>>
>> We need to have this new code covered by syzkaller. I'll work on that
>> unless you want to.
>>
>> Regards,
>> Mickaël
>>
> Hi, Mickaël!
> I have never set up syzkaller. Do you have a syzkaller scenario for
> Landlock code? I need some hints. I will give it a shot.

You can get a look at https://github.com/google/syzkaller/pull/3423 or other Landlock-related PR.

The setup might be a bit challenging though, but it will be a good investment for future kernel changes.

> Regards,
> Konstantin.

6/6/2023 12:40 PM, Mickaël Salaün wrote:
> On 06/06/2023 11:10, Konstantin Meskhidze (A) wrote:
>> 6/5/2023 6:02 PM, Mickaël Salaün wrote:
>>> Hi Konstantin,
>>>
>>> The kernel code looks good. I found some issues in tests and
>>> documentation, and I'm still reviewing the whole patches. In the
>>> meantime, I've pushed it in -next, we'll see how it goes.
>>>
>>> We need to have this new code covered by syzkaller. I'll work on that
>>> unless you want to.
>>>
>>> Regards,
>>> Mickaël
>>>
>> Hi, Mickaël!
>> I have never set up syzkaller. Do you have a syzkaller scenario for
>> Landlock code? I need some hints. I will give it a shot.
>
> You can get a look at https://github.com/google/syzkaller/pull/3423 or
> other Landlock-related PR.
>
> The setup might be a bit challenging though, but it will be a good
> investment for future kernel changes.

Thanks. I will handle it. Can you give me a hand with some tips if I have issues with syzkaller setup?

>> Regards,
>> Konstantin.

On 19/06/2023 16:28, Konstantin Meskhidze (A) wrote:
> 6/6/2023 12:40 PM, Mickaël Salaün wrote:
>> On 06/06/2023 11:10, Konstantin Meskhidze (A) wrote:
>>> 6/5/2023 6:02 PM, Mickaël Salaün wrote:
>>>> Hi Konstantin,
>>>>
>>>> The kernel code looks good. I found some issues in tests and
>>>> documentation, and I'm still reviewing the whole patches. In the
>>>> meantime, I've pushed it in -next, we'll see how it goes.
>>>>
>>>> We need to have this new code covered by syzkaller. I'll work on that
>>>> unless you want to.
>>>>
>>>> Regards,
>>>> Mickaël
>>>>
>>> Hi, Mickaël!
>>> I have never set up syzkaller. Do you have a syzkaller scenario for
>>> Landlock code? I need some hints. I will give it a shot.
>>
>> You can get a look at https://github.com/google/syzkaller/pull/3423 or
>> other Landlock-related PR.
>>
>> The setup might be a bit challenging though, but it will be a good
>> investment for future kernel changes.
>
> Thanks. I will handle it. Can you give me a hand with some tips if I
> have issues with syzkaller setup?

Yes, you can Cc me and send emails to syzkaller@googlegroups.com:
https://groups.google.com/g/syzkaller

>>> Regards,
>>> Konstantin.