| Message ID | 20250429-lsm-v4-7-602b7097e722@suse.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | LSM testing suite | expand |
| Context | Check | Description |
|---|---|---|
| ltpci/debian_stable_s390x-linux-gnu-gcc_s390x | success | success |
| ltpci/debian_stable_powerpc64le-linux-gnu-gcc_ppc64el | success | success |
| ltpci/debian_stable_aarch64-linux-gnu-gcc_arm64 | success | success |
| ltpci/debian_stable_gcc | success | success |
| ltpci/debian_stable_gcc | success | success |
| ltpci/ubuntu_jammy_gcc | success | success |
| ltpci/ubuntu_bionic_gcc | success | success |
| ltpci/debian_oldstable_clang | success | success |
| ltpci/debian_testing_gcc | success | success |
| ltpci/fedora_latest_clang | success | success |
| ltpci/alpine_latest_gcc | success | success |
| ltpci/quay-io-centos-centos_stream9_gcc | success | success |
| ltpci/opensuse-archive_42-2_gcc | success | success |
| ltpci/debian_oldstable_gcc | success | success |
| ltpci/opensuse-leap_latest_gcc | success | success |
| ltpci/debian_testing_clang | success | success |
Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Hi Andrea, all, > Verify that lsm_set_self_attr syscall is raising errors when invalid > data is provided. ... > diff --git a/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c > new file mode 100644 > index 0000000000000000000000000000000000000000..caccdda7ecf2edaac1fa8e2dc2ccdd0aff020804 > --- /dev/null > +++ b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c > @@ -0,0 +1,110 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> > + */ > + > +/*\ > + * Verify that lsm_set_self_attr syscall is raising errors when invalid data is > + * provided. > + */ > + > +#include "lsm_common.h" > + > +static struct lsm_ctx *ctx; > +static struct lsm_ctx *ctx_orig; > +static struct lsm_ctx *ctx_null; > +static uint32_t ctx_size; > +static uint32_t ctx_size_small; > +static uint32_t ctx_size_big; > +static uint32_t page_size; > + > +static struct tcase { > + uint32_t attr; > + struct lsm_ctx **ctx; > + uint32_t *size; > + uint32_t flags; > + int exp_errno; > + char *msg; > +} tcases[] = { > + { > + .attr = LSM_ATTR_CURRENT, > + .ctx = &ctx_null, > + .size = &ctx_size, > + .exp_errno = EFAULT, > + .msg = "ctx is NULL", > + }, > + { > + .attr = LSM_ATTR_CURRENT, > + .ctx = &ctx, > + .size = &ctx_size_small, > + .exp_errno = EINVAL, > + .msg = "size is too small", > + }, > + { > + .attr = LSM_ATTR_CURRENT, > + .ctx = &ctx, > + .size = &ctx_size_big, > + .exp_errno = E2BIG, > + .msg = "size is too big", > + }, > + { > + .attr = LSM_ATTR_CURRENT, > + .ctx = &ctx, > + .size = &ctx_size, > + .flags = 1, > + .exp_errno = EINVAL, > + .msg = "flags must be zero", > + }, > + { > + .attr = LSM_ATTR_CURRENT | LSM_ATTR_EXEC, > + .ctx = &ctx, > + .size = &ctx_size, > + .exp_errno = EINVAL, > + .msg = "attr is overset", FYI The test fails on this check on current Tumbleweed with new 6.15.0-1-default. It worked on 6.14. Looking at 6.15 landlock related changes (added Landlock audit support and Landlock signal scope fixes) test might needs to be updated. https://kernelnewbies.org/Linux_6.15#Security @Andrea could you please have a look? Kind regards, Petr
> Hi Andrea, all, > > Verify that lsm_set_self_attr syscall is raising errors when invalid > > data is provided. > ... > > diff --git a/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c > > new file mode 100644 > > index 0000000000000000000000000000000000000000..caccdda7ecf2edaac1fa8e2dc2ccdd0aff020804 > > --- /dev/null > > +++ b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c > > @@ -0,0 +1,110 @@ > > +// SPDX-License-Identifier: GPL-2.0-or-later > > +/* > > + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> > > + */ > > + > > +/*\ > > + * Verify that lsm_set_self_attr syscall is raising errors when invalid data is > > + * provided. > > + */ > > + > > +#include "lsm_common.h" > > + > > +static struct lsm_ctx *ctx; > > +static struct lsm_ctx *ctx_orig; > > +static struct lsm_ctx *ctx_null; > > +static uint32_t ctx_size; > > +static uint32_t ctx_size_small; > > +static uint32_t ctx_size_big; > > +static uint32_t page_size; > > + > > +static struct tcase { > > + uint32_t attr; > > + struct lsm_ctx **ctx; > > + uint32_t *size; > > + uint32_t flags; > > + int exp_errno; > > + char *msg; > > +} tcases[] = { > > + { > > + .attr = LSM_ATTR_CURRENT, > > + .ctx = &ctx_null, > > + .size = &ctx_size, > > + .exp_errno = EFAULT, > > + .msg = "ctx is NULL", > > + }, > > + { > > + .attr = LSM_ATTR_CURRENT, > > + .ctx = &ctx, > > + .size = &ctx_size_small, > > + .exp_errno = EINVAL, > > + .msg = "size is too small", > > + }, > > + { > > + .attr = LSM_ATTR_CURRENT, > > + .ctx = &ctx, > > + .size = &ctx_size_big, > > + .exp_errno = E2BIG, > > + .msg = "size is too big", > > + }, > > + { > > + .attr = LSM_ATTR_CURRENT, > > + .ctx = &ctx, > > + .size = &ctx_size, > > + .flags = 1, > > + .exp_errno = EINVAL, > > + .msg = "flags must be zero", > > + }, > > + { > > + .attr = LSM_ATTR_CURRENT | LSM_ATTR_EXEC, > > + .ctx = &ctx, > > + .size = &ctx_size, > > + .exp_errno = EINVAL, > > + .msg = "attr is overset", > FYI The test fails on this check on current Tumbleweed with new > 6.15.0-1-default. It worked on 6.14. > Looking at 6.15 landlock related changes (added Landlock audit support and > Landlock signal scope fixes) test might needs to be updated. > https://kernelnewbies.org/Linux_6.15#Security @Mickaël @Günther I'm sorry, replying to wrong people. This is not a landlock related, the syscall is lsm_set_self_attr(). Kind regards, Petr > @Andrea could you please have a look? > Kind regards, > Petr
> FYI The test fails on this check on current Tumbleweed with new > 6.15.0-1-default. It worked on 6.14. > > Looking at 6.15 landlock related changes (added Landlock audit support and > Landlock signal scope fixes) test might needs to be updated. > https://kernelnewbies.org/Linux_6.15#Security > > @Andrea could you please have a look? > > Kind regards, > Petr There's already a patch in queue fixing the way we are checking errors. About Tumbleweed: I'm already working on it. - Andrea
diff --git a/runtest/syscalls b/runtest/syscalls index 91709634b70686e7e7e1e2233d8205ae99c14f19..b082a79f3e833b3e4868a34885d17fec7385f86f 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -764,6 +764,7 @@ lsm_get_self_attr02 lsm_get_self_attr02 lsm_get_self_attr03 lsm_get_self_attr03 lsm_list_modules01 lsm_list_modules01 lsm_list_modules02 lsm_list_modules02 +lsm_set_self_attr01 lsm_set_self_attr01 lstat01 lstat01 lstat01_64 lstat01_64 diff --git a/testcases/kernel/syscalls/lsm/.gitignore b/testcases/kernel/syscalls/lsm/.gitignore index 766f81fd1c74a10001862f142c02ba251e666ef2..467f07cec5443393d231bbb98880b7183635dd9d 100644 --- a/testcases/kernel/syscalls/lsm/.gitignore +++ b/testcases/kernel/syscalls/lsm/.gitignore @@ -3,3 +3,4 @@ lsm_get_self_attr02 lsm_get_self_attr03 lsm_list_modules01 lsm_list_modules02 +lsm_set_self_attr01 diff --git a/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c new file mode 100644 index 0000000000000000000000000000000000000000..caccdda7ecf2edaac1fa8e2dc2ccdd0aff020804 --- /dev/null +++ b/testcases/kernel/syscalls/lsm/lsm_set_self_attr01.c @@ -0,0 +1,110 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> + */ + +/*\ + * Verify that lsm_set_self_attr syscall is raising errors when invalid data is + * provided. + */ + +#include "lsm_common.h" + +static struct lsm_ctx *ctx; +static struct lsm_ctx *ctx_orig; +static struct lsm_ctx *ctx_null; +static uint32_t ctx_size; +static uint32_t ctx_size_small; +static uint32_t ctx_size_big; +static uint32_t page_size; + +static struct tcase { + uint32_t attr; + struct lsm_ctx **ctx; + uint32_t *size; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + { + .attr = LSM_ATTR_CURRENT, + .ctx = &ctx_null, + .size = &ctx_size, + .exp_errno = EFAULT, + .msg = "ctx is NULL", + }, + { + .attr = LSM_ATTR_CURRENT, + .ctx = &ctx, + .size = &ctx_size_small, + .exp_errno = EINVAL, + .msg = "size is too small", + }, + { + .attr = LSM_ATTR_CURRENT, + .ctx = &ctx, + .size = &ctx_size_big, + .exp_errno = E2BIG, + .msg = "size is too big", + }, + { + .attr = LSM_ATTR_CURRENT, + .ctx = &ctx, + .size = &ctx_size, + .flags = 1, + .exp_errno = EINVAL, + .msg = "flags must be zero", + }, + { + .attr = LSM_ATTR_CURRENT | LSM_ATTR_EXEC, + .ctx = &ctx, + .size = &ctx_size, + .exp_errno = EINVAL, + .msg = "attr is overset", + } +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + /* just in case lsm_set_self_attr() pass , we won't change + * LSM configuration for the following process + */ + memcpy(ctx, ctx_orig, LSM_CTX_SIZE_DEFAULT); + + ctx_size = page_size; + ctx_size_small = 1; + ctx_size_big = ctx_size + 1; + + TST_EXP_FAIL(lsm_set_self_attr(tc->attr, *tc->ctx, *tc->size, tc->flags), + tc->exp_errno, + "%s", tc->msg); +} + +static void setup(void) +{ + int ret; + uint32_t size; + + verify_supported_attr_current(); + + page_size = SAFE_SYSCONF(_SC_PAGESIZE); + size = page_size; + + ret = lsm_get_self_attr(LSM_ATTR_CURRENT, ctx_orig, &size, 0); + if (ret < 0) + tst_brk(TBROK, "Can't read LSM current attribute"); +} + +static struct tst_test test = { + .test = run, + .setup = setup, + .tcnt = ARRAY_SIZE(tcases), + .min_kver = "6.8", + .bufs = (struct tst_buffers[]) { + {&ctx, .size = LSM_CTX_SIZE_DEFAULT}, + {&ctx_orig, .size = LSM_CTX_SIZE_DEFAULT}, + {} + }, +};