Thanks for the report and the test, Muhammad. The fix is now merged: https://git.kernel.org/torvalds/c/bbf5a1d0e5d0fb3bdf90205aa872636122692a50
See https://lore.kernel.org/all/20240103163415.304358-1-mic@digikod.net/
On Wed, Dec 20, 2023 at 04:19:44PM +0500, Muhammad Usama Anjum wrote:
On 12/20/23 2:17 PM, Mickaël Salaün wrote:
Hi Muhammad,
Thanks for the report.
On Tue, Dec 19, 2023 at 03:38:55PM +0500, Muhammad Usama Anjum wrote:
Hi Konstantin,
There are some errors being reported in KernelCI: https://linux.kernelci.org/test/plan/id/657ab2240c761c0bd1e134ee/
The following sub-tests are failing:
landlock_net_test_protocol_no_sandbox_with_ipv6_tcp_bind_unspec
landlock_net_test_protocol_no_sandbox_with_ipv6_udp_bind_unspec
landlock_net_test_protocol_tcp_sandbox_with_ipv6_udp_bind_unspec
From my initial investigation, I can see that these failures are coming from just finding the wrong return error code (-97 instead of -22). It may be the test's issue or the kernel's, not sure yet.
I cannot reproduce these errors (with the same kernel commit), the Defconfig URL is broken. Could you please share the config used for tests?
I've also attached the config. I generated the config by following:
make defconfig && make kvm_guest.config
scripts/kconfig/merge_config.sh .config tools/testing/selftests/landlock/config
According to the failing tests, it looks like the network stack returns EAFNOSUPPORT instead of EINVAL, which should happen because addr_len < SIN6_LEN_RFC2133 (cf. inet6_bind_sk). I then think that the issue comes from an inconsistent error priority with the prot->bind() call in inet6_bind_sk() that may return EAFNOSUPPORT when uaddr contains AF_UNSPEC. I didn't find such bind() implementations though.
Could you please validate this theory by removing this call in inet6_bind_sk() and run the tests again?
I'll have a look if I can find anything.
Eric, do you know where such struct proto bind() implementations are and why they may return EAFNOSUPPORT?
Regards, Mickaël
Thanks, Usama
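The check Mickaël asks for above is easiest to run outside the kselftest harness. The following probe is an added example written for this thread; it is not code from the Landlock selftests or from any participant. It opens an IPv4 or IPv6 socket and calls bind() the way the failing bind_unspec tests do, with sa_family set to AF_UNSPEC and an address length of sizeof(struct sockaddr_in), which is shorter than SIN6_LEN_RFC2133 for an IPv6 socket, and then reports whether the kernel answered with EINVAL (-22) or EAFNOSUPPORT (-97). The PROBE_NO_SOCKET sentinel and the probe_* names are this example's own assumptions, not kernel or selftest identifiers.

```c
/* Added example, not from the thread or the Landlock selftests: reproduce the
 * bind_unspec step of the failing tests and print which errno comes back. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returned when socket() itself fails (e.g. IPv6 disabled on the host).
 * This sentinel is an assumption of the example, not a kernel error code. */
#define PROBE_NO_SOCKET 1

/* socket(domain, type, 0) followed by bind() with an AF_UNSPEC address of
 * IPv4 length (16 bytes, below SIN6_LEN_RFC2133 == 24).  Returns 0 when the
 * bind is accepted, -errno when bind() fails, or PROBE_NO_SOCKET when the
 * socket could not be created. */
int probe_bind_unspec(int domain, int type)
{
	struct sockaddr_in addr;   /* deliberately the IPv4-sized structure */
	int fd, ret;

	fd = socket(domain, type, 0);
	if (fd < 0)
		return PROBE_NO_SOCKET;

	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_UNSPEC;   /* the corner case the tests exercise */
	addr.sin_port = 0;             /* any port, so EACCES cannot interfere */
	addr.sin_addr.s_addr = htonl(INADDR_ANY);

	ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
	ret = ret < 0 ? -errno : 0;
	close(fd);
	return ret;
}

/* Maps a probe result to the errno names used in the thread. */
const char *probe_result_name(int ret)
{
	switch (ret) {
	case 0:              return "0 (bind accepted)";
	case -EINVAL:        return "-EINVAL (-22)";
	case -EAFNOSUPPORT:  return "-EAFNOSUPPORT (-97)";
	case PROBE_NO_SOCKET: return "socket() failed";
	default:             return "other error";
	}
}

int main(void)
{
	/* Same domain/type matrix as the ipv4/ipv6 tcp/udp variants. */
	const struct { const char *name; int domain; int type; } cases[] = {
		{ "ipv4_tcp", AF_INET,  SOCK_STREAM },
		{ "ipv4_udp", AF_INET,  SOCK_DGRAM },
		{ "ipv6_tcp", AF_INET6, SOCK_STREAM },
		{ "ipv6_udp", AF_INET6, SOCK_DGRAM },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int ret = probe_bind_unspec(cases[i].domain, cases[i].type);

		printf("%-8s bind(AF_UNSPEC, addr_len=%zu): %s\n", cases[i].name,
		       sizeof(struct sockaddr_in), probe_result_name(ret));
	}
	return 0;
}
```

Compile with a plain `cc probe.c -o probe` and run it on the kernel under test; the IPv4 rows are expected to print "bind accepted" (inet_bind tolerates AF_UNSPEC with INADDR_ANY), and the IPv6 rows show directly whether the address-length check (EINVAL) or a family check (EAFNOSUPPORT) wins on that kernel, which is the distinction the thread is trying to pin down.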
On 10/26/23 6:47 AM, Konstantin Meskhidze wrote:
Add 82 test suites to check edge cases related to bind() and connect() actions. They are defined with 6 fixtures and their variants:
The "protocol" fixture is extended with 12 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and stream/datagram socket. 4 related test suites are defined:
- bind: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
- connect: Tests with non-landlocked/landlocked ipv4, ipv6 and unix sockets.
- bind_unspec: Tests with non-landlocked/landlocked restrictions for bind action with AF_UNSPEC socket family.
- connect_unspec: Tests with non-landlocked/landlocked restrictions for connect action with AF_UNSPEC socket family.
The "ipv4" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/unix network domain, and stream/datagram socket. 1 related test suite is defined:
- from_unix_to_inet: Tests to make sure unix sockets' actions are not restricted by Landlock rules applied to TCP ones.
The "tcp_layers" fixture is extended with 8 variants defined as a matrix of: IPv4/IPv6 network domain, and different number of landlock rule layers. 2 related test suites are defined:
- ruleset_overlap.
- ruleset_expand.
In the "mini" fixture 4 test suites are defined:
- network_access_rights: Tests with legitimate access values.
- unknown_access_rights: Tests with invalid attributes, out of access range.
- inval:
  - unhandled allowed access.
  - zero access value.
- tcp_port_overflow: Tests with wrong port values, greater than U16_MAX.
The "ipv4_tcp" fixture supports the IPv4 network domain and stream socket. 2 test suites are defined:
- port_endianness: Tests with big/little endian port formats.
- with_fs: Tests with network bind() socket action within filesystem directory access test.
The "port_specific" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain, and stream socket. 2 related test suites are defined:
- bind_connect_zero: Tests with port 0 value.
- bind_connect_1023: Tests with port 1023 value.
Test coverage for security/landlock is 94.5% of 932 lines according to gcc/gcov-9.
Signed-off-by: Konstantin Meskhidze konstantin.meskhidze@huawei.com
Co-developed-by: Mickaël Salaün mic@digikod.net
Signed-off-by: Mickaël Salaün mic@digikod.net