selftests/landlock: Add network tests

Add 82 test suites to check edge cases related to bind() and connect() actions. They are defined with 6 fixtures and their variants: The "protocol" fixture is extended with 12 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6/unix network domain, and stream/datagram socket. 4 related tests suites are defined: * bind: Tests bind action. * connect: Tests connect action. * bind_unspec: Tests bind action with the AF_UNSPEC socket family. * connect_unspec: Tests connect action with the AF_UNSPEC socket family. The "ipv4" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, and stream/datagram socket. 1 related test suite is defined: * from_unix_to_inet: Tests to make sure unix sockets' actions are not restricted by Landlock rules applied to TCP ones. The "tcp_layers" fixture is extended with 8 variants defined as a matrix of: IPv4/IPv6 network domain, and different number of landlock rule layers. 2 related tests suites are defined: * ruleset_overlap: Tests nested layers with less constraints. * ruleset_expand: Tests nested layers with more constraints. In the "mini" fixture 4 tests suites are defined: * network_access_rights: Tests handling of known access rights. * unknown_access_rights: Tests handling of unknown access rights. * inval: Tests unhandled allowed access and zero access value. * tcp_port_overflow: Tests with port values greater than 65535. The "ipv4_tcp" fixture supports IPv4 network domain with stream socket. 2 tests suites are defined: * port_endianness: Tests with big/little endian port formats. * with_fs: Tests a ruleset with both filesystem and network restrictions. The "port_specific" fixture is extended with 4 variants defined as a matrix of: sandboxed/not-sandboxed, IPv4/IPv6 network domain, and stream socket. 2 related tests suites are defined: * bind_connect_zero: Tests with port 0. * bind_connect_1023: Tests with port 1023. Test coverage for security/landlock is 92.4% of 710 lines according to gcc/gcov-13. Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231026014751.414649-11-konstantin.meskhidze@huawei.com [mic: Extend commit message, update test coverage, clean up capability use, fix useless TEST_F_FORK, and improve ipv4_tcp.with_fs] Co-developed-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-11-15 00:21:59 +00:00 · 2023-10-26 09:47:49 +08:00 · 2023-10-26 09:47:49 +08:00 · a549d055a2
commit a549d055a2
parent 1fa335209f
3 changed files with 1745 additions and 0 deletions
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@ -112,10 +112,13 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
 	cap_t cap_p;
 	/* Only these three capabilities are useful for the tests. */
 	const cap_value_t caps[] = {
 		/* clang-format off */
 		CAP_DAC_OVERRIDE,
 		CAP_MKNOD,
 		CAP_SYS_ADMIN,
 		CAP_SYS_CHROOT,
 		CAP_NET_BIND_SERVICE,
 		/* clang-format on */
 	};
 	cap_p = cap_get_proc();
--- a/tools/testing/selftests/landlock/config
+++ b/tools/testing/selftests/landlock/config
@ -1,5 +1,9 @@
 CONFIG_CGROUPS=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_INET=y
 CONFIG_IPV6=y
 CONFIG_NET=y
 CONFIG_NET_NS=y
 CONFIG_OVERLAY_FS=y
 CONFIG_PROC_FS=y
 CONFIG_SECURITY=y
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c