security/landlock/syscalls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
As kernel commit fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
introducing a new field 'handled_access_net' in the structure landlock_ruleset_attr,
but in the landlock_create_ruleset() it still uses the first field 'handled_access_fs'
to calculate minimal size, so that made decrease 1 is useless in LTP landlock01.c to
test the too-small-size.
Test code:
rule_small_size = sizeof(struct landlock_ruleset_attr) - 1;
tst_syscall(__NR_landlock_create_ruleset, ..., rule_small_size, 0)
Result:
landlock01.c:49: TFAIL: Size is too small expected EINVAL: ENOMSG (42)
Signed-off-by: Li Wang <liwang@redhat.com>
Cc: Mickaël Salaün <mic@digikod.net>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: Paul Moore <paul@paul-moore.com>
---
Notes:
Hi Mickael,
I'm not quite sure if that is on purpose to use the first field or kernel
bug, can you take a look?
security/landlock/syscalls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 03b470f5a85a..f3cd7def7624 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -198,7 +198,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
/* Copies raw user space buffer. */
err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
offsetofend(typeof(ruleset_attr),
- handled_access_fs),
+ handled_access_net),
attr, size);
if (err)
return err;
--
2.45.2
On Tue, Jul 02, 2024 at 05:47:45PM +0800, Li Wang wrote:
> As kernel commit fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
> introducing a new field 'handled_access_net' in the structure landlock_ruleset_attr,
> but in the landlock_create_ruleset() it still uses the first field 'handled_access_fs'
> to calculate minimal size, so that made decrease 1 is useless in LTP landlock01.c to
> test the too-small-size.
>
> Test code:
> rule_small_size = sizeof(struct landlock_ruleset_attr) - 1;
> tst_syscall(__NR_landlock_create_ruleset, ..., rule_small_size, 0)
>
> Result:
> landlock01.c:49: TFAIL: Size is too small expected EINVAL: ENOMSG (42)
Interesting, this looks like a bug in these LTP tests.
>
> Signed-off-by: Li Wang <liwang@redhat.com>
> Cc: Mickaël Salaün <mic@digikod.net>
> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Cc: Paul Moore <paul@paul-moore.com>
> ---
>
> Notes:
> Hi Mickael,
> I'm not quite sure if that is on purpose to use the first field or kernel
> bug, can you take a look?
Hi Li,
Yes this is on purpose. The handled_access_fs minimal size check should
never change for backward compatibility reason. User space built with
old headers must still work with new kernels. This is tested with the
"inconsistent_attr" test in tools/testing/selftests/landlock/base_test.c
>
> security/landlock/syscalls.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 03b470f5a85a..f3cd7def7624 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -198,7 +198,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
> /* Copies raw user space buffer. */
> err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
> offsetofend(typeof(ruleset_attr),
> - handled_access_fs),
> + handled_access_net),
> attr, size);
> if (err)
> return err;
> --
> 2.45.2
>
© 2016 - 2025 Red Hat, Inc.