| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
Split out deprecated descriptions from socket_netlink_route_sched.txt.
Adjust outdated descriptions.
|
| |
|
|
| |
Descriptions are used in addition to dev_bifrost ioctls.
|
| | |
|
| |
|
|
|
| |
Double tagging is used in 802.1ad, which is identified by TPID=0x88a8.
We were using an incorrect const.
|
| |
|
|
|
|
|
|
|
|
|
| |
This kernel interface provides access to fds of other processes, which
is readily abused by the fuzzer to mangle parent syz-executor fds.
Pid=1 is the parent syz-executor process when PID namespace is created.
Sanitize it in the new syz_pidfd_open() pseudo-syscall.
We could not patch the argument in sys/linux/init.go because the first
argument is a resource.
|
| |
|
|
|
|
|
| |
This test covers regular file IOCTL checks handled in
security/landlock/fs.c
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
|
|
| |
Add the new LANDLOCK_ACCESS_FS_IOCTL right.
Sort access rights according to their value to ease tracking of new
access rights.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
| |
Add new pseudo-syscall for creating a socket in init netns and connecting to
NVMe-oF/TCP server on 127.0.0.1:4420. Also add descriptions for NVMe-oF/TCP.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All flags that are subset of other flags were identified with the
following Bash script [1]. Only a small set of flags identified by the
script were rewritten to use nested flag definitions, after manually
checking if it makes sense (based on syzkaller context and man pages).
For example, msgget_flags was rewritten as follows:
-msgget_flags = IPC_CREAT, IPC_EXCL, S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IWGRP, S_IXGRP, S_IROTH, S_IWOTH, S_IXOTH
+msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
According to the msgget(2) man page:
Upon creation, the least significant bits of the argument msgflg
define the permissions of the message queue. These permission bits
have the same format and semantics as the permissions specified for
the mode argument of open(2).
So it is correct to use open_mode directly in the definition of the
flags for msgget(2).
1 -
#!/bin/bash
regexp_flags="^(\w+)\s*=\s+([a-zA-Z\"][^=]*)$"
is_subset() {
local -n subset=$1
local -n superset=$2
for element in "${subset[@]}"; do
if [[ ! " ${superset[@]} " =~ " $element " ]]; then
return 1
fi
done
return 0
}
declare -A parsed_lines
while IFS= read -r line; do
if [[ ! "$line" =~ $regexp_flags ]]; then
continue
fi
list_name="${BASH_REMATCH[1]}"
values="${BASH_REMATCH[2]}"
IFS=',' read -r -a values_array <<< "$(echo "$values" | sed 's/ //g' | tr ',' '\n' | sort | tr '\n' ',')"
# Skip flags with too few value.
if [ "${#values_array[@]}" -lt 3 ]; then
continue
fi
# Skip the syz0, syz1, etc. lists.
if [ "${values_array[0]}" = "\"syz0\"" ]; then
continue
fi
parsed_lines["${list_name}"]="${values_array[@]}"
done
for list_name in "${!parsed_lines[@]}"; do
values_array=(${parsed_lines["$list_name"]})
for other_list_name in "${!parsed_lines[@]}"; do
other_values_array=(${parsed_lines["$other_list_name"]})
if [ "$list_name" = "$other_list_name" ]; then
continue
fi
if is_subset values_array other_values_array; then
if [ "${#values_array[@]}" -eq "${#other_values_array[@]}" ]; then
echo "$list_name EQUALS $other_list_name"
else
echo "$list_name is a SUBET of $other_list_name"
fi
fi
done
done
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
On the Linux, Darwin, and FreeBSD targets,
sockopt_opt_ip_group_source_req and sockopt_opt_ipv6_group_source_req
are equal. This commit consolidates those flag definitions to use a
single one and renames it to sockopt_opt_group_source_req.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
| |
The two string flags are the same.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Our test programs with BPF helper calls are used to verify that the
syzkaller descriptions for BPF helpers are correct. We don't really need
to run those BPF programs to check that the descriptions are correct;
the real test is to pass the verifier, which happens at load time.
This commit therefore removes syscalls to run the BPF programs. We are
limited in how many syscalls we can have per syzkaller programs so we
might as well make the most of it.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bpf.txt file is becoming huge as it contains the descriptions for
all the bpf(2) commands. The most complex command to describe is
currently BPF_PROG_LOAD has it contains the whole BPF program
description. Those descriptions are also likely to grow significantly as
we add more BPF helper descriptions.
This commit therefore moves the descriptions pertaining to BPF programs
(attributes for BPF_PROG_LOAD, eBPF instructions, and BPF helpers) to
their own file, bpf_prog.txt.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
This commit adds more complex format modifiers for the bpf_snprintf BPF
helper. Those correspond to a bunch of cases that are uncovered in
syzbot's coverage of bpf_bprintf_prepare.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
The bpf_trace_printk helper supports a limited set of format specifiers
[1]. This commit ensures they are all covered in the union.
1 - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
| |
The comments for the two strings in bpf_insn_mov_printk_str_hex are
inverted. "%p" is 0x257000 in hexa.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
These occurences were found with the command:
git grep -lP "{(AUTO,\s)*AUTO}"
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
BPF helpers bpf_ringbuf_{discard,submit,output} take a set of flags.
This commit describes those flags.
The default is a zero value, but the kernel doesn't have a macro for
that. Thus, "0" is simply added to the flag definition.
Note bpf_ringbuf_reserve also has a flags argument, but it is currently
unused on the kernel side.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This helper has the prototype:
bpf_ringbuf_output(void *ringbuf, void *data, u64 size, u64 flags)
We need to prepare the second argument (R2) on the stack. We use an
8 bytes data value initialized to some random value on the stack and
pointed to by R2. The third argument therefore needs to be 8 (for 8
bytes).
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
This BPF helper has the prototype:
bpf_ringbuf_query(void *ringbuf, u64 flags)
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
Including this helper call in our descriptions is trivial since it takes
the same arguments and returns the same (void) as the already described
bpf_ringbuf_submit helper call.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new struct with two BPF instructions to perform a
null check on a given pointer. It is then used to update our small ringbuf
program to null check the ringbuf reserved data pointer as follows.
u64 *e;
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
if (!e) return 0;
[...]
bpf_ringbuf_submit(e, 0);
return 0;
With this null check, our test case corresponding to this program now
passes the verifier and is successfully loaded.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This helper has the verifier prototype:
.ret_type = RET_VOID,
.arg1_type = ARG_PTR_TO_RINGBUF_MEM | OBJ_RELEASE,
.arg2_type = ARG_ANYTHING,
We therefore need to pass the pointer retrieved with bpf_ringbuf_reserve
via R2. We saved that pointer to R9 so we can retrieve it from there.
Since bpf_ringbuf_submit doesn't return anything, we need to write
something in R0 before we exit the program.
Our BPF program now looks like:
u64 *e;
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
[...]
bpf_ringbuf_submit(e, 0);
return 0;
It will still fail, but with EACCES instead of EINVAL, due to the
following verifier error:
0: R1=ctx(off=0,imm=0) R10=fp0
0: (18) r0 = 0x0 ; R0_w=0
2: (18) r1 = 0xffff984f66f93600 ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
4: (b7) r2 = 20 ; R2_w=20
5: (b7) r3 = 0 ; R3_w=0
6: (85) call bpf_ringbuf_reserve#131 ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
7: (bf) r9 = r0 ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
8: (bf) r1 = r9 ; R1_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
9: (b7) r2 = 0 ; R2_w=0 refs=2
10: (85) call bpf_ringbuf_submit#132
R1 type=ringbuf_mem_or_null expected=ringbuf_mem
In short, we didn't check that the pointer returned by
bpf_ringbug_reserve isn't null.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Describe a full call to bpf_ringbuf_reserve, using the map type created
in the previous commit. The test corresponds to this simple line:
u64 *e;
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
[...]
return e;
The pointer returned by bpf_ringbuf_reserve is kept in R9. The goal is
to keep it around so we can use it in other instructions later; several
other helpers take a pointer to ringbuf data as argument. There's of
course a risk that some instruction in between will clobber R9, but I
don't know another way. R9 is at least safe for calls (only R1--R5 get
clobbered).
We expect the program loading to fail with EINVAL because we never
release the reference to the ringbuf data. The verifier will therefore
reject the program with:
0: R1=ctx(off=0,imm=0) R10=fp0
0: (18) r0 = 0x0 ; R0_w=0
2: (18) r1 = 0xffff984e4b55da00 ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
4: (b7) r2 = 20 ; R2_w=20
5: (b7) r3 = 0 ; R3_w=0
6: (85) call bpf_ringbuf_reserve#131 ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
7: (bf) r9 = r0 ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
8: (95) exit
Unreleased reference id=2 alloc_insn=6
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The corresponding test does the same as this map declaration:
struct {
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 256 * 1024);
} rb SEC(".maps");
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test case corresponds to the BPF program below (bcc syntax for the
map).
BPF_PROG_ARRAY(prog_array, 10);
int tail_call_prog(void *ctx) {
char str[8] = {0};
u64 data = 0x1234;
bpf_snprintf(str, sizeof(str), "%d ", &data, sizeof(data));
return 0;
}
int do_tail_call(void *ctx) {
prog_array.call(ctx, 0);
return 0;
}
It reuses the program defined to test bpf_snprintf, as the target of the
tail call.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bpf_tail_call helper has the following prototype.
bpf_tail_call(void *ctx, struct bpf_map *prog_array_map, u32 index)
R2 should therefore hold a pointer to a tail call map (aka, prog array
map). That tail call map should be updated such that index points to
another BPF program. In our case, index is hardcoded to 0.
Finally, R1 should hold a pointer to the context. That is always true at
the start of BPF programs so we don't change R1. If syzkaller generates
other BPF instructions between the start of the program and the
bpf_tail_call helper call, they might clobber the R1 register. That
seems unlikely to happen in practice and it's also hard to prevent it
anyway.
To load the map fd into R2, we need to templatize bpf_insn_map_fd such
that we can use it with a specific register and map fd.
There's one special case here: we need to explicitly set R0 to 0 after
the helper call because this helper has the following verifier
prototype:
.ret_type = RET_VOID,
.arg1_type = ARG_PTR_TO_CTX,
.arg2_type = ARG_CONST_MAP_PTR,
.arg3_type = ARG_ANYTHING,
Given the return verifier type is RET_VOID, if R0 isn't set explicitly,
the verifier will complain with "R0 !read_ok" when we exit.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit updates the BPF description to be able to prepare a tail
call map referencing one BPF program. Tail call maps are called to jump
from one program (caller) to another (called, referenced in the map).
To that end, we must first create a map of the specific type and then
update it with a BPF program fd. We follow the same approach as
93789af44b9a ("sys/linux: describe map holding constant string") to
specialize the resource outputed by the map update and therefore ensure
we can refer specifically to an updated tail call map.
This new map will be used in a subsequent commit to perform a tail call.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
| |
These new fields were introduced upstream in commit [1].
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35dfaad7188cd
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
| |
These new constants were introduced in commits [1, 2] upstream.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=859051dd165ec
2 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35dfaad7188cd
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
| |
Based on v6.6-rc6 and upstream-usb.config.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit [1] upstream added support for new sign-extended load
instructions. Those instructions rely on a new mode, BPF_MEMSX, for the
opcode. This commit adds that mode to the BPF description.
Note that several other instructions were defined at the same type, but
our BPF instruction descriptions are currently generic enough that no
other changes are needed. In the future, we may want to make those
descriptions more specific to avoid wasting fuzzing time on unsupported
instruction formats.
1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f9a1ea821ff
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new test case for the bpf_snprintf description
introduced in the previous commit. It corresponds to the BPF code:
char str[8] = {0};
u64 data = 0x1234;
bpf_snprintf(str, sizeof(str), "%d ", &data, sizeof(data));
exit 0;
The fmt (3rd) argument must be stored in a read-only array map which is
prepared with the first three syscalls. Once loaded, the program is
executed with BPF_PROG_TEST_RUN.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit describes the full snippet of BPF bytecode required to
successfully call the bpf_snprintf helper.
That helper has the following prototype:
long bpf_snprintf(char *str, u32 str_size, const char *fmt, u64 *data, u32 data_len)
with the following verifier types:
.arg1_type = ARG_PTR_TO_MEM_OR_NULL,
.arg2_type = ARG_CONST_SIZE_OR_ZERO,
.arg3_type = ARG_PTR_TO_CONST_STR,
.arg4_type = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
.arg5_type = ARG_CONST_SIZE_OR_ZERO,
The first and fourth arguments can point to nulled buffers on the stack.
The second and fifth arguments contain the sizes of those buffers.
Finally, the third argument must point to a map holding a constant
string; we can use the type introduced in the previous commit for that.
The corresponding eBPF bytecode is kept in comment as that is much
easier to parse for anyone familiar with the bytecode.
In addition to the test case introduced in the next commit, this
description was tested by running syzkaller with a focus on the
necessary bpf syscalls. Specifically, syscalls bpf$MAP_CREATE_CONST_STR,
bpf$MAP_UPDATE_CONST_STR, bpf$BPF_MAP_CONST_STR_FREEZE, bpf$PROG_LOAD,
and bpf$BPF_PROG_TEST_RUN were executed on 16 VMs (with two logical
cores each). Syzkaller was then able to reach the formatter parsing
logic of function bpf_bprintf_prepare [1], which bpf_snprintf calls.
1 - https://github.com/torvalds/linux/blob/v6.5/kernel/bpf/helpers.c#L875
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This goal of this commit is to prepare a map whose value will be of type
ARG_PTR_TO_CONST_STR when seen by the BPF verifier [1]. To that end, the
map must be read-only, of a type that allows direct map value access
(only array maps), and frozen. In addition, it must contains a
zero-terminated string as its value.
This commit therefore defines a new bpf$MAP_CREATE_CONST_STR syscall
description to create a read-only array map of fixed size. A new
bpf$MAP_UPDATE_CONST_STR syscall description then updates the map with
a zero-terminated string. Finally, bpf$BPF_MAP_CONST_STR_FREEZE freezes
the map to prevent any other updates from the syscall side (BPF side
updates are already prevented since the map is read-only).
As a result, we want to end up with an fd to a map that has been
created, updated, and frozen. To guarantee that all operations have been
carried out (in the correct order) on the map, we change the map fd
after each operation with the following example syntax:
map_bpf_const_str {
in fd_bpf_const_str_map
out fd_bpf_const_str (out_overlay)
}
The 'in' fd is passed on entry to bpf$MAP_UPDATE_CONST_STR and the 'out'
fd is returned. In practice, the fd value will not be changed, but this
description allows us to reference the fd_bpf_const_str type in
subsequent operations, thus ensuring we're using an fd to an updated
map.
1 - https://github.com/torvalds/linux/blob/8a749fd1a8720d4619c91c8b6e7528c0a355c0aa/kernel/bpf/verifier.c#L8334
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new test case for the bpf_trace_printk description
introduced in the previous commit. It corresponds to the code:
bpf_trace_printk("%d ", 8, 0x1234);
exit 0;
in a BPF program that is then executed via BPF_PROG_TEST_RUN.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit describes the full snippet of BPF bytecode necessary to
successfully call the bpf_trace_printk helper.
That helper has the following prototype:
long bpf_trace_printk(const char *fmt, u32 fmt_size, ...)
We thus need to initialize the fmt string on the stack, then prepare the
arguments (pointer to the stack & size), before actually calling the
helper.
To that end, we rely on previously defined templates to express the
specific instructions we need (e.g., init register with imm, perform ALU
operation on register with imm).
The corresponding eBPF bytecode is kept in comment as that is much
easier to parse for anyone familiar with the bytecode.
In addition to the test case introduced in the next commit, this new
description was tested by focusing fuzzing on bpf_trace_printk. That is,
a new syscall description PROG_LOAD_FOCUS was added to cover only
programs with bpf_trace_printk. Syzkaller was then executed on 16 VMs (2
logical cores each) with only the bpf$PROG_LOAD_FOCUS and
bpf$BPF_PROG_TEST_RUN syscalls enabled. It was able to reach the
definition of this helper [1] within a few minutes.
1 - https://github.com/torvalds/linux/blob/v6.5/kernel/trace/bpf_trace.c#L375
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit templatizes the bpf_insn_ldst, bpf_insn_alu,
bpf_insn_call_helper, bpf_insn_map_value BPF instruction descriptions.
This will allow subsequent commits to define new, more specific
descriptions of those instructions in addition to the existing generic
descriptions. For example, a subsequent commit will use the new
bpf_insn_call_helper_t template to define a call to helper bpf_snprintf
specifically.
This commit doesn't have any functional changes.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This templatization of bpf_map_create_arg_base enables a less verbose
way to define map type-specific arguments. It can already be used for
maps of type BPF_MAP_TYPE_BLOOM_FILTER and will be used for maps holding
constant strings in a subsequent commit.
This commit doesn't have any functional changes.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the new lanlock_net_port_attr struct and related
LANDLOCK_ACCESS_NET_{BIND,CONNECT}_TCP flags for TCP access control.
Add landlock_ruleset_attr's handled_access_net field and fix
handled_access_fs name.
Update tests with the new landlock_ruleset_attr's handled_access_net
field.
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
|
| |
|
|
|
|
|
| |
func_info and line_info are both optional and should be marked as such.
Fixes: 934bb8cadebb57 ("modify")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
|
| | |
|
| |
|
|
|
| |
Remove/replace obsolete consts and run `make extract` on the latest
Linux mainline.
|
| |
|
|
| |
Some includes got obsolete over time.
|
| |
|
|
|
|
|
|
| |
Added IOMMU_TEST_OP_MOCK_DOMAIN_REPLACE and IOMMU_TEST_OP_ACCESS_REPLACE_IOAS
ioctl syscall descriptions and let syzkaller hit these ioctls easily and
quickly.
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
|
| |
|
|
|
|
|
|
| |
Based on Linux kernel iommufd_test.h line 68 struct check_refs:
https://github.com/torvalds/linux/blob/master/drivers/iommu/iommufd/iommufd_test.h
correct the md_check_refs variable length and uptr in correct position.
Signed-off-by: Pengfei Xu <pengfei.xu@intel.com>
|
