From patchwork Mon Aug 29 17:03:59 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Konstantin Meskhidze (A)" X-Patchwork-Id: 12958255 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 34BFDC6FA82 for ; Mon, 29 Aug 2022 17:07:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231429AbiH2RHE (ORCPT ); Mon, 29 Aug 2022 13:07:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43030 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231331AbiH2RFg (ORCPT ); Mon, 29 Aug 2022 13:05:36 -0400 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B99DB9C230; Mon, 29 Aug 2022 10:04:36 -0700 (PDT) Received: from fraeml702-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4MGcGq0Xjgz688y7; Tue, 30 Aug 2022 01:04:03 +0800 (CST) Received: from lhrpeml500004.china.huawei.com (7.191.163.9) by fraeml702-chm.china.huawei.com (10.206.15.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2375.31; Mon, 29 Aug 2022 19:04:34 +0200 Received: from mscphis00759.huawei.com (10.123.66.134) by lhrpeml500004.china.huawei.com (7.191.163.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 29 Aug 2022 18:04:33 +0100 From: Konstantin Meskhidze To: CC: , , , , , , , Subject: [PATCH v7 16/18] seltests/landlock: add invalid input data test Date: Tue, 30 Aug 2022 01:03:59 +0800 Message-ID: <20220829170401.834298-17-konstantin.meskhidze@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220829170401.834298-1-konstantin.meskhidze@huawei.com> References: <20220829170401.834298-1-konstantin.meskhidze@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.123.66.134] X-ClientProxiedBy: mscpeml100002.china.huawei.com (7.188.26.75) To lhrpeml500004.china.huawei.com (7.191.163.9) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This patch adds rules with invalid user space supplied data: - out of range ruleset attribute; - unhandled allowed access; - zero port value; - zero access value; Signed-off-by: Konstantin Meskhidze --- Changes since v6: * Adds invalid ruleset attribute test. Changes since v5: * Formats code with clang-format-14. Changes since v4: * Refactors code with self->port variable. Changes since v3: * Adds inval test. --- tools/testing/selftests/landlock/net_test.c | 66 ++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) -- 2.25.1 diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c index a93224d1521b..067ba45f58a5 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -26,9 +26,12 @@ #define IP_ADDRESS "127.0.0.1" -/* Number pending connections queue to be hold */ +/* Number pending connections queue to be hold. */ #define BACKLOG 10 +/* Invalid attribute, out of landlock network access range. */ +#define LANDLOCK_INVAL_ATTR 7 + FIXTURE(socket) { uint port[MAX_SOCKET_NUM]; @@ -719,4 +722,65 @@ TEST_F(socket, ruleset_expanding) /* Closes socket 1. */ ASSERT_EQ(0, close(sockfd_1)); } + +TEST_F(socket, inval) +{ + struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP + }; + struct landlock_ruleset_attr ruleset_attr_inval = { + .handled_access_net = LANDLOCK_INVAL_ATTR + }; + struct landlock_net_service_attr net_service_1 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP, + .port = self->port[0], + }; + struct landlock_net_service_attr net_service_2 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, + .port = 0, + }; + struct landlock_net_service_attr net_service_3 = { + .allowed_access = 0, + .port = self->port[1], + }; + struct landlock_net_service_attr net_service_4 = { + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, + .port = self->port[2], + }; + + /* Checks invalid ruleset attribute. */ + const int ruleset_fd_inv = landlock_create_ruleset( + &ruleset_attr_inval, sizeof(ruleset_attr_inval), 0); + ASSERT_EQ(-1, ruleset_fd_inv); + ASSERT_EQ(EINVAL, errno); + + /* Gets ruleset. */ + const int ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + + /* Checks unhandled allowed_access. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_1, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks zero port value. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_2, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks zero access value. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_3, 0)); + ASSERT_EQ(ENOMSG, errno); + + /* Adds with legitimate values. */ + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE, + &net_service_4, 0)); + + /* Enforces the ruleset. */ + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); +} TEST_HARNESS_MAIN