From patchwork Thu Jul 11 11:18:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959243 From: Andrea Cervesato Date: Thu, 11 Jul 2024 13:18:12 +0200 Message-Id: <20240711-landlock-v3-1-c7b0e9edf9b0@suse.com> References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Rspamd-Server:
rspamd1.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -5.51 X-Spam-Level: X-Rspamd-Queue-Id: 6D0041F802 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-5.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-5.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 01/11] Add landlock syscalls definitions X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato --- include/lapi/syscalls/aarch64.in | 3 +++ include/lapi/syscalls/arc.in | 3 +++ include/lapi/syscalls/arm.in | 3 +++ include/lapi/syscalls/hppa.in | 3 +++ include/lapi/syscalls/i386.in | 3 +++ include/lapi/syscalls/ia64.in | 3 +++ include/lapi/syscalls/mips_n32.in | 3 +++ include/lapi/syscalls/mips_n64.in | 3 +++ include/lapi/syscalls/mips_o32.in | 3 +++ include/lapi/syscalls/powerpc.in | 3 +++ include/lapi/syscalls/powerpc64.in | 3 +++ include/lapi/syscalls/s390.in | 3 +++ include/lapi/syscalls/s390x.in | 3 +++ include/lapi/syscalls/sh.in | 3 +++ include/lapi/syscalls/sparc.in | 3 +++ include/lapi/syscalls/sparc64.in | 3 +++ include/lapi/syscalls/x86_64.in | 3 +++ 17 files changed, 51 insertions(+) diff --git a/include/lapi/syscalls/aarch64.in b/include/lapi/syscalls/aarch64.in index 2cb6c2d87..3e7797718 100644 --- a/include/lapi/syscalls/aarch64.in +++ b/include/lapi/syscalls/aarch64.in @@ -296,5 +296,8 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 _sysctl 1078 
diff --git a/include/lapi/syscalls/arc.in b/include/lapi/syscalls/arc.in index 3e2ee9061..7fde1d263 100644 --- a/include/lapi/syscalls/arc.in +++ b/include/lapi/syscalls/arc.in @@ -316,4 +316,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/arm.in b/include/lapi/syscalls/arm.in index 7bdbca533..693644f83 100644 --- a/include/lapi/syscalls/arm.in +++ b/include/lapi/syscalls/arm.in @@ -394,4 +394,7 @@ pidfd_getfd (__NR_SYSCALL_BASE+438) faccessat2 (__NR_SYSCALL_BASE+439) epoll_pwait2 (__NR_SYSCALL_BASE+441) quotactl_fd (__NR_SYSCALL_BASE+443) +landlock_create_ruleset (__NR_SYSCALL_BASE+444) +landlock_add_rule (__NR_SYSCALL_BASE+445) +landlock_restrict_self (__NR_SYSCALL_BASE+446) futex_waitv (__NR_SYSCALL_BASE+449) diff --git a/include/lapi/syscalls/hppa.in b/include/lapi/syscalls/hppa.in index 8ebdafafb..60c02aff2 100644 --- a/include/lapi/syscalls/hppa.in +++ b/include/lapi/syscalls/hppa.in @@ -43,4 +43,7 @@ close_range 436 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/i386.in b/include/lapi/syscalls/i386.in index 1472631c4..31ec1ecb2 100644 --- a/include/lapi/syscalls/i386.in +++ b/include/lapi/syscalls/i386.in @@ -430,4 +430,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/ia64.in b/include/lapi/syscalls/ia64.in index 0ea6e9722..2e56da7f9 100644 --- a/include/lapi/syscalls/ia64.in +++ b/include/lapi/syscalls/ia64.in @@ -343,4 +343,7 @@ pidfd_getfd 1462 faccessat2 1463 epoll_pwait2 1465 quotactl_fd 1467 +landlock_create_ruleset 1468 +landlock_add_rule 1469 +landlock_restrict_self 1470 futex_waitv 1473 
diff --git a/include/lapi/syscalls/mips_n32.in b/include/lapi/syscalls/mips_n32.in index e818c9d92..5f0fe65eb 100644 --- a/include/lapi/syscalls/mips_n32.in +++ b/include/lapi/syscalls/mips_n32.in @@ -370,4 +370,7 @@ process_madvise 6440 epoll_pwait2 6441 mount_setattr 6442 quotactl_fd 6443 +landlock_create_ruleset 6444 +landlock_add_rule 6445 +landlock_restrict_self 6446 futex_waitv 6449 diff --git a/include/lapi/syscalls/mips_n64.in b/include/lapi/syscalls/mips_n64.in index 6e15f43b3..f81c60e66 100644 --- a/include/lapi/syscalls/mips_n64.in +++ b/include/lapi/syscalls/mips_n64.in @@ -346,4 +346,7 @@ process_madvise 5440 epoll_pwait2 5441 mount_setattr 5442 quotactl_fd 5443 +landlock_create_ruleset 5444 +landlock_add_rule 5445 +landlock_restrict_self 5446 futex_waitv 5449 diff --git a/include/lapi/syscalls/mips_o32.in b/include/lapi/syscalls/mips_o32.in index 921d5d331..c2beffb75 100644 --- a/include/lapi/syscalls/mips_o32.in +++ b/include/lapi/syscalls/mips_o32.in @@ -416,4 +416,7 @@ process_madvise 4440 epoll_pwait2 4441 mount_setattr 4442 quotactl_fd 4443 +landlock_create_ruleset 4444 +landlock_add_rule 4445 +landlock_restrict_self 4446 futex_waitv 4449 diff --git a/include/lapi/syscalls/powerpc.in b/include/lapi/syscalls/powerpc.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc.in +++ b/include/lapi/syscalls/powerpc.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/powerpc64.in b/include/lapi/syscalls/powerpc64.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc64.in +++ b/include/lapi/syscalls/powerpc64.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 
diff --git a/include/lapi/syscalls/s390.in b/include/lapi/syscalls/s390.in index 7213ac5f8..275b27f47 100644 --- a/include/lapi/syscalls/s390.in +++ b/include/lapi/syscalls/s390.in @@ -410,4 +410,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/s390x.in b/include/lapi/syscalls/s390x.in index 879012e2b..c200d02b2 100644 --- a/include/lapi/syscalls/s390x.in +++ b/include/lapi/syscalls/s390x.in @@ -358,4 +358,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sh.in b/include/lapi/syscalls/sh.in index 7d5192a27..6f482a77b 100644 --- a/include/lapi/syscalls/sh.in +++ b/include/lapi/syscalls/sh.in @@ -404,4 +404,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc.in b/include/lapi/syscalls/sparc.in index 91d2fb1c2..7181e80a0 100644 --- a/include/lapi/syscalls/sparc.in +++ b/include/lapi/syscalls/sparc.in @@ -409,4 +409,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc64.in b/include/lapi/syscalls/sparc64.in index 1f2fc59b7..c96ab2021 100644 --- a/include/lapi/syscalls/sparc64.in +++ b/include/lapi/syscalls/sparc64.in @@ -374,4 +374,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/x86_64.in b/include/lapi/syscalls/x86_64.in index dc61aa56e..3082ca110 100644 --- a/include/lapi/syscalls/x86_64.in 
+++ b/include/lapi/syscalls/x86_64.in 
@@ -351,6 +351,9 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 rt_sigaction 512 rt_sigreturn 513
From patchwork Thu Jul 11 11:18:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959235 X-Original-To: ltp@lists.linux.it Delivered-To:
ltp@picard.linux.it From: Andrea Cervesato Date: Thu, 11 Jul 2024 13:18:13 +0200 MIME-Version: 1.0 Message-Id: <20240711-landlock-v3-2-c7b0e9edf9b0@suse.com> References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on
in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 02/11] Add lapi/landlock.h fallback X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato --- configure.ac | 6 +++ include/lapi/landlock.h | 123 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 129 insertions(+) diff --git a/configure.ac b/configure.ac index 82969b8d3..1f8796c87 100644 --- a/configure.ac +++ b/configure.ac @@ -60,6 +60,7 @@ AC_CHECK_HEADERS_ONCE([ \ linux/io_uring.h \ linux/ioprio.h \ linux/keyctl.h \ + linux/landlock.h \ linux/mempolicy.h \ linux/module.h \ linux/mount.h \ @@ -157,6 +158,7 @@ AC_CHECK_FUNCS_ONCE([ \ AC_CHECK_FUNCS(mkdtemp,[],AC_MSG_ERROR(mkdtemp() not found!)) AC_CHECK_MEMBERS([struct fanotify_event_info_fid.fsid.__val],,,[#include ]) +AC_CHECK_MEMBERS([struct landlock_ruleset_attr.handled_access_net],,,[#include ]) AC_CHECK_MEMBERS([struct perf_event_mmap_page.aux_head],,,[#include ]) AC_CHECK_MEMBERS([struct sigaction.sa_sigaction],[],[],[#include ]) AC_CHECK_MEMBERS([struct statx.stx_mnt_id, struct statx.stx_dio_mem_align],,,[ @@ -170,6 +172,7 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[ ]) AC_CHECK_TYPES([enum kcmp_type],,,[#include ]) +AC_CHECK_TYPES([enum landlock_rule_type],,,[#include ]) AC_CHECK_TYPES([struct acct_v3],,,[#include ]) AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include ]) AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error, 
@@ -190,6 +193,9 @@ AC_CHECK_TYPES([struct if_nextdqblk],,,[#include ]) AC_CHECK_TYPES([struct iovec],,,[#include ]) AC_CHECK_TYPES([struct ipc64_perm],,,[#include ]) AC_CHECK_TYPES([struct loop_config],,,[#include ]) +AC_CHECK_TYPES([struct landlock_ruleset_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_path_beneath_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_net_port_attr],,,[#include ]) AC_CHECK_TYPES([struct mmsghdr],,,[ #define _GNU_SOURCE diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h new file mode 100644 index 000000000..2ee51b340 --- /dev/null +++ b/include/lapi/landlock.h 
@@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LAPI_LANDLOCK_H__ +#define LAPI_LANDLOCK_H__ + +#include "config.h" + +#ifdef HAVE_LINUX_LANDLOCK_H +# include +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR +struct landlock_ruleset_attr +{ + uint64_t handled_access_fs; + uint64_t handled_access_net; +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR +struct landlock_path_beneath_attr +{ + uint64_t allowed_access; + int32_t parent_fd; +} __attribute__((packed)); +#endif + +#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE +enum landlock_rule_type +{ + LANDLOCK_RULE_PATH_BENEATH = 1, + LANDLOCK_RULE_NET_PORT, +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR +struct landlock_net_port_attr +{ + uint64_t allowed_access; + uint64_t port; +}; +#endif + +#ifndef LANDLOCK_CREATE_RULESET_VERSION +# define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_EXECUTE +# define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE +# define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_FILE +# define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_DIR +# define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR +# define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE +# define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR +# define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR +# define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_REG +# define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK +# define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO +# define 
LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK +# define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM +# define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REFER +# define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) +#endif + +#ifndef LANDLOCK_ACCESS_FS_TRUNCATE +# define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#endif + +#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV +# define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) +#endif + +#ifndef LANDLOCK_ACCESS_NET_BIND_TCP +# define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP +# define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) +#endif + +#endif
From patchwork Thu Jul 11 11:18:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959233 Received: from
picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WKXKc4dG5z1xqj for ; Thu, 11 Jul 2024 21:18:44 +1000 (AEST)
From: Andrea Cervesato Date: Thu, 11 Jul 2024 13:18:14 +0200 MIME-Version: 1.0 Message-Id: <20240711-landlock-v3-3-c7b0e9edf9b0@suse.com> References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2466; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=ykWuBdEgfNf7D56fkwQsx2Fd28bSbk9Xmt+WjsB/+7Q=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmj79/E5CZUEG8zPKU6LFYRnojehgF8mVjp+1Mi ZJY5eYvuMGJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo+/fwAKCRDLzBqyILPm RrcYDACuyCADTZlIGPDzEb65oiHS1n8APHybgPQhTRrxN+R4fXovS5Y6kjKZ+GMPYZCLb7uYCdF AoUPKjUiBo70qIfTSSiE6Q8/vV/ndslWnDLR03j1tlWq2ieVT6GMqYL4qI2Ode6u/zdz7l/d/II WE0fj32WF9WUmClz/spadYuWfSqO+LM48+0H1+mngsl4Z4imJ7zLL4bS4c6kYrv2sSUmnNcnz0m 3QI8kBsJRl2uuUsStr3ykGEbwlBizqJdM0BG9bP7dnAMvnrI9qPQJwml9KBv9g6tCcu9nvGOrnu SoC9STLjHz+OX/GORx4T2RvHPs6d40zlMpjSmcS0iKWFIVFcdQpSpmhVEuI9O1xC+ezs7DEB3gF nn/6wfq2A8yIOeFcNX7wlKeCeW0D/RFjr5HPUZ2DC9MZeuvhNM4A8CPdmcjHNhX3IQTrtGwiRl+ ORt2PwnXaAdRBGYRM/Bv4gWqpAJIdxN20a178l6WEu/ddMH1S3e+5DJwKfU4EoWsmJR2U= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-5.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; DWL_DNSWL_LOW(-1.00)[suse.de:dkim]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,suse.com:email]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Server: 
rspamd1.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -5.51 X-Spam-Level: X-Rspamd-Queue-Id: BBA841F8C4 X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-2.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-2.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v3 03/11] Added three more SAFE_* macros for landlock sandbox: X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato - SAFE_LANDLOCK_CREATE_RULESET - SAFE_LANDLOCK_ADD_RULE - SAFE_LANDLOCK_RESTRICT_SELF Signed-off-by: Andrea Cervesato --- include/lapi/landlock.h | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h index 2ee51b340..6d85eb12e 100644 --- a/include/lapi/landlock.h +++ b/include/lapi/landlock.h @@ -12,6 +12,8 @@ # include #endif +#include "lapi/syscalls.h" + #ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR struct landlock_ruleset_attr { 
@@ -120,4 +122,63 @@ struct landlock_net_port_attr # define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) #endif +static inline int safe_landlock_create_ruleset(const char *file, const int lineno, + const struct landlock_ruleset_attr *attr, + size_t size , uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_create_ruleset, attr, size, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_create_ruleset(%p, %lu, %u)", + attr, size, flags); + } + + return rval; +} + +static inline int safe_landlock_add_rule(const char *file, const int lineno, + int ruleset_fd, enum landlock_rule_type rule_type, + const void *rule_attr, uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_add_rule, + ruleset_fd, rule_type, rule_attr, flags); + + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_add_rule(%d, %d, %p, %u)", + ruleset_fd, rule_type, rule_attr, flags); + } + + return rval; +} + +static inline int safe_landlock_restrict_self(const char *file, const int lineno, + int ruleset_fd, int flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_restrict_self, ruleset_fd, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_restrict_self(%d, %u)", + ruleset_fd, flags); + } + + return rval; +} + +#define SAFE_LANDLOCK_CREATE_RULESET(attr, size, flags) \ + safe_landlock_create_ruleset(__FILE__, __LINE__, (attr), (size), (flags)) + +#define SAFE_LANDLOCK_ADD_RULE(ruleset_fd, rule_type, rule_attr, flags) \ + safe_landlock_add_rule(__FILE__, __LINE__, \ + (ruleset_fd), (rule_type), (rule_attr), (flags)) + +#define SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, flags) \ + safe_landlock_restrict_self(__FILE__, __LINE__, (ruleset_fd), (flags)) + #endif From patchwork Thu Jul 11 11:18:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959234 Return-Path: X-Original-To: 
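Review bot: in safe_landlock_create_ruleset() (include/lapi/landlock.h, second hunk) the failure message formats the size_t argument with %lu, which is a mismatch on targets where size_t is not unsigned long; use %zu. In the same hunk safe_landlock_restrict_self() declares "int flags" but prints it with %u, while the other two helpers take "uint32_t flags"; make it uint32_t so the three wrappers agree, and drop the stray space in "size_t size , uint32_t flags". All three helpers also treat only -1 as failure, so an unexpected non-zero return from landlock_add_rule or landlock_restrict_self, which return 0 on success, is handed back to the caller unreported; a second branch that reports an invalid return value with TBROK would catch that.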
From: Andrea Cervesato Date: Thu, 11 Jul 2024 13:18:15 +0200 Message-Id: <20240711-landlock-v3-4-c7b0e9edf9b0@suse.com> References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 04/11] Add SAFE_PRCTL macro From: Andrea Cervesato Signed-off-by: Andrea Cervesato --- include/tst_safe_macros.h | 6 ++++++ lib/tst_safe_macros.c | 17 +++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h index 08b8e930a..92b9bc119 100644 --- a/include/tst_safe_macros.h +++ b/include/tst_safe_macros.h @@ -503,4 +503,10 @@ int safe_sscanf(const char *file, const int lineno, const char *restrict buffer, #define SAFE_SSCANF(buffer, format, ...) \ safe_sscanf(__FILE__, __LINE__, (buffer), (format), ##__VA_ARGS__) +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5); +#define SAFE_PRCTL(option, arg2, arg3, arg4, arg5) \ + safe_prctl(__FILE__, __LINE__, (option), (arg2), (arg3), (arg4), (arg5)) + #endif /* TST_SAFE_MACROS_H__ */ diff --git a/lib/tst_safe_macros.c b/lib/tst_safe_macros.c index 4e48c427b..9301f3dd2 100644 --- a/lib/tst_safe_macros.c +++ b/lib/tst_safe_macros.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "config.h" #ifdef HAVE_SYS_FANOTIFY_H # include 
@@ -710,3 +711,19 @@ int safe_mprotect(const char *file, const int lineno, return rval; } + +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + int rval; + + rval = prctl(option, arg2, arg3, arg4, arg5); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "prctl(%d, %lu, %lu, %lu, %lu)", + option, arg2, arg3, arg4, arg5); + } + + return rval; +} From patchwork Thu Jul 11 11:18:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959237 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=e5d7NQru; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=6vA9hxR2; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=e5d7NQru; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=6vA9hxR2; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WKXLy15t7z1xqj for ; Thu, 11 Jul 2024 
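Review bot: safe_prctl() in lib/tst_safe_macros.c reports only rval == -1, so any other negative value is returned to the caller as if the call had succeeded. prctl() returns a non-negative, option-specific value on success, so an "else if (rval < 0)" branch that reports an invalid return value with TBROK would close the gap without breaking options that return a positive result. The prototype added to include/tst_safe_macros.h also carries no comment saying that all five arguments are mandatory and typed unsigned long, which matters to callers that pass a pointer argument and have to cast it.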
From: Andrea Cervesato Date: Thu, 11 Jul 2024 13:18:16 +0200 Message-Id: <20240711-landlock-v3-5-c7b0e9edf9b0@suse.com> References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com> To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 05/11] Add landlock01 test From: Andrea Cervesato This test verifies that landlock_create_ruleset syscall fails with the right error codes: - EINVAL Unknown flags, or unknown access, or too small size - E2BIG size is too big - EFAULT attr was not a valid address - ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0) Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- runtest/syscalls | 2 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/Makefile | 7 ++ testcases/kernel/syscalls/landlock/landlock01.c | 92 ++++++++++++++++++++++ .../kernel/syscalls/landlock/landlock_common.h | 74 +++++++++++++++++ 5 files changed, 176 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index a7cf296a9..d0a9bd14e 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -685,6 +685,8 @@ kill11 kill11 kill12 kill12 kill13 kill13 +landlock01 landlock01 + lchown01 lchown01 lchown01_16 lchown01_16 lchown02 lchown02 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore new file mode 100644 index 000000000..b69f9b94a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -0,0 +1 @@ +landlock01 
diff --git a/testcases/kernel/syscalls/landlock/Makefile b/testcases/kernel/syscalls/landlock/Makefile new file mode 100644 index 000000000..8cf1b9024 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/Makefile @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2024 SUSE LLC Andrea Cervesato + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c new file mode 100644 index 000000000..0c50b55d8 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock01.c 
@@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_create_ruleset syscall fails with the right + * error codes: + * + * - EINVAL Unknown flags, or unknown access, or too small size + * - E2BIG size is too big + * - EFAULT attr was not a valid address + * - ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0) + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_ruleset_attr *null_attr; +static size_t rule_size; +static size_t rule_small_size; +static size_t rule_big_size; + +static struct tcase { + struct landlock_ruleset_attr **attr; + uint64_t access_fs; + size_t *size; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_attr, -1, &rule_size, 0, EINVAL, "Unknown access"}, + {&ruleset_attr, 0, &rule_small_size, 0, EINVAL, "Size is too small"}, + {&ruleset_attr, 0, &rule_size, -1, EINVAL, "Unknown flags"}, + {&ruleset_attr, 0, &rule_big_size, 0, E2BIG, "Size is too big"}, + {&null_attr, 0, &rule_size, 0, EFAULT, "Invalid attr address"}, + {&ruleset_attr, 0, &rule_size, 0, ENOMSG, "Empty accesses"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (*tc->attr) + (*tc->attr)->handled_access_fs = tc->access_fs; + + TST_EXP_FAIL(tst_syscall(__NR_landlock_create_ruleset, + *tc->attr, *tc->size, tc->flags), + tc->exp_errno, + "%s", + tc->msg); + + if (TST_RET >= 0) + SAFE_CLOSE(TST_RET); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + rule_size = sizeof(struct landlock_ruleset_attr); + +#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET + rule_small_size = rule_size - sizeof(uint64_t) - 1; +#else + rule_small_size = rule_size - 1; +#endif + + rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1; +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = 
setup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h new file mode 100644 index 000000000..66f8fd19a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_common.h 
@@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_COMMON_H + +#include "tst_test.h" +#include "lapi/prctl.h" +#include "lapi/fcntl.h" +#include "lapi/landlock.h" + +static inline void verify_landlock_is_enabled(void) +{ + int abi; + + abi = tst_syscall(__NR_landlock_create_ruleset, + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 0) { + if (errno == EOPNOTSUPP) { + tst_brk(TCONF, "Landlock is currently disabled. " + "Please enable it either via CONFIG_LSM or " + "'lsm' kernel parameter."); + } + + tst_brk(TBROK | TERRNO, "landlock_create_ruleset error"); + } + + tst_res(TINFO, "Landlock ABI v%d", abi); +} + +static inline void apply_landlock_rule( + struct landlock_path_beneath_attr *path_beneath_attr, + const int ruleset_fd, + const int access, + const char *path) +{ + path_beneath_attr->allowed_access = access; + path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); +} + +static inline void enforce_ruleset(const int ruleset_fd) +{ + SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); +} + +static inline void apply_landlock_layer( + struct landlock_ruleset_attr *ruleset_attr, + struct landlock_path_beneath_attr *path_beneath_attr, + const char *path, + const int access) +{ + int ruleset_fd; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path); + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +#endif From patchwork Thu Jul 11 11:18:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1959236 Return-Path: X-Original-To: 
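Review bot: the tst_test definition at the end of landlock01.c sets .needs_root = 1 and requests CAP_SYS_ADMIN, yet run() only calls landlock_create_ruleset, which is an unprivileged syscall. Requiring root means these error paths are never exercised as the unprivileged caller Landlock is designed for; drop both fields, or state in the description block why they are needed. Separately, the "Invalid attr address" case relies on null_attr being a static pointer that is never assigned, so it only covers NULL; a comment saying so, or an unmapped non-NULL address, would make the intent explicit.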
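Review bot: landlock_common.h opens with "#ifndef LANDLOCK_COMMON_H" but never defines LANDLOCK_COMMON_H, so the guard does nothing and a second inclusion redefines every static inline helper; add "#define LANDLOCK_COMMON_H" right after the #ifndef. In apply_landlock_rule() and apply_landlock_layer() the access mask is passed as "const int", while the rights in lapi/landlock.h are built as 1ULL << n and allowed_access is assigned from it; a uint64_t parameter would avoid truncating higher bits. enforce_ruleset() and apply_landlock_layer() would also benefit from a short comment noting that they restrict the calling process itself.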

From patchwork Thu Jul 11 11:18:17 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1959236
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:17 +0200
Message-Id: <20240711-landlock-v3-6-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 06/11] Add landlock02 test

From: Andrea Cervesato

This test verifies that landlock_add_rule syscall fails with the right
error codes:

- EINVAL flags is not 0, or the rule accesses are inconsistent
- ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
- EBADF ruleset_fd is not a file descriptor for the current thread,
  or a member of rule_attr is not a file descriptor as expected
- EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
  rule_attr is not the expected file descriptor type
- EFAULT rule_attr was not a valid address

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
Reviewed-by: Petr Vorel
Reviewed-by: Li Wang
---
 runtest/syscalls | 1 +
 testcases/kernel/syscalls/landlock/.gitignore | 1 +
 testcases/kernel/syscalls/landlock/landlock02.c | 153 ++++++++++++++++++++++++
 3 files changed, 155 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls index d0a9bd14e..3930abc92 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -686,6 +686,7 @@ kill12 kill12 kill13 kill13 landlock01 landlock01 +landlock02 landlock02 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index b69f9b94a..ffed4abd2 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1 +1,2 @@ landlock01 +landlock02
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c new file mode 100644 index 000000000..0e2da7ef5 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock02.c 
@@ -0,0 +1,153 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_add_rule syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0, or the rule accesses are inconsistent + * - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0) + * - EBADF ruleset_fd is not a file descriptor for the current thread, + * or a member of rule_attr is not a file descriptor as expected + * - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of + * rule_attr is not the expected file descriptor type + * - EFAULT rule_attr was not a valid address + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static struct landlock_path_beneath_attr *rule_null; +static int ruleset_fd; +static int invalid_fd = -1; + +static struct tcase { + int *fd; + enum landlock_rule_type rule_type; + struct landlock_path_beneath_attr **attr; + int access; + int parent_fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 1, + EINVAL, + "Invalid flags" + }, + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EINVAL, + "Invalid rule type" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + 0, + 0, + 0, + ENOMSG, + "Empty accesses" + }, + { + &invalid_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EBADF, + "Invalid file descriptor" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + -1, + 0, + EBADF, + "Invalid parent fd" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &rule_null, + 0, + 0, + 0, + EFAULT, + "Invalid rule attr" + }, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + 
if (*tc->attr) { + (*tc->attr)->allowed_access = tc->access; + (*tc->attr)->parent_fd = tc->parent_fd; + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, + *tc->fd, tc->rule_type, *tc->attr, tc->flags), + tc->exp_errno, + "%s", + tc->msg); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +};
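Review bot: in tcases[] of landlock02.c, the "Invalid flags" and "Invalid file descriptor" rows pass rule_type 0, the same value the "Invalid rule type" row relies on to get EINVAL, so each of those rows hands landlock_add_rule two bad arguments and the errno that comes back depends on the order in which they are validated. Use LANDLOCK_RULE_PATH_BENEATH in both rows so exactly one argument is invalid per case. The description also lists EBADFD, but no row expects it; add a case for it (for example a regular file descriptor in place of the ruleset fd, as landlock03.c does with file_fd) or drop the bullet. Last, `static int ruleset_fd;` starts at 0 while cleanup() closes anything that is not -1, so a cleanup() that runs after setup() has stopped in verify_landlock_is_enabled() would close descriptor 0; initialise it to -1.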

From patchwork Thu Jul 11 11:18:18 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1959238
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:18 +0200
Message-Id: <20240711-landlock-v3-7-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 07/11] Add landlock03 test

From: Andrea Cervesato

This test verifies that landlock_restrict_self syscall fails with the
right error codes:

- EINVAL flags is not 0
- EBADF ruleset_fd is not a file descriptor for the current thread
- EBADFD ruleset_fd is not a ruleset file descriptor
- EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace
- E2BIG The maximum number of stacked rulesets is reached for the
  current thread

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
---
 runtest/syscalls | 1 +
 testcases/kernel/syscalls/landlock/.gitignore | 1 +
 testcases/kernel/syscalls/landlock/landlock03.c | 119 ++++++++++++++++++++++++
 3 files changed, 121 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls index 3930abc92..f2b64c0df 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -687,6 +687,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 +landlock03 landlock03 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index ffed4abd2..f79cd090b 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,2 +1,3 @@ landlock01 landlock02 +landlock03
diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c new file mode 100644 index 000000000..6511e24a7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock03.c 
@@ -0,0 +1,119 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_restrict_self syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0 + * - EBADF ruleset_fd is not a file descriptor for the current thread + * - EBADFD ruleset_fd is not a ruleset file descriptor + * - EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace + * - E2BIG The maximum number of stacked rulesets is reached for the current + * thread + */ + +#include "landlock_common.h" + +#define MAX_STACKED_RULESETS 16 + +static struct landlock_ruleset_attr *ruleset_attr; +static int ruleset_fd = -1; +static int ruleset_invalid = -1; +static int file_fd = -1; + +static struct tst_cap dropadmin = { + .action = TST_CAP_DROP, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tst_cap needadmin = { + .action = TST_CAP_REQ, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tcase { + int *fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_fd, -1, EINVAL, "Invalid flags"}, + {&ruleset_invalid, 0, EBADF, "Invalid file descriptor"}, + {&file_fd, 0, EBADFD, "Not a ruleset file descriptor"}, + {&ruleset_fd, 0, EPERM, "File descriptor doesn't have CAP_SYS_ADMIN"}, + {&ruleset_fd, 0, E2BIG, "Maximum number of stacked rulesets is reached"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (tc->exp_errno == EPERM) + tst_cap_action(&dropadmin); + + if (tc->exp_errno == E2BIG) { + for (int i = 0; i < MAX_STACKED_RULESETS; i++) { + TST_EXP_PASS_SILENT(tst_syscall(__NR_landlock_restrict_self, + *tc->fd, tc->flags)); + if (TST_RET == -1) + return; + } + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags), + tc->exp_errno, + "%s", tc->msg); + + if (tc->exp_errno == EPERM) + tst_cap_action(&needadmin); +} + +static void setup(void) +{ + 
verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + + file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_tmpdir = 1, + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +};
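Review bot: the E2BIG branch in run() of landlock03.c calls landlock_restrict_self on the test process itself MAX_STACKED_RULESETS times and nothing undoes those layers, so the case is single-shot: if run() is entered again in the same process, the first call in the loop already fails and the case returns before the real check. Run that case in a forked child, or state the constraint in a comment next to the table. The hard-coded `#define MAX_STACKED_RULESETS 16` deserves a comment naming the kernel limit it mirrors. In the EPERM row the message reads "File descriptor doesn't have CAP_SYS_ADMIN", but run() drops the capability from the calling process with tst_cap_action(&dropadmin); reword it to say the caller lacks CAP_SYS_ADMIN. The 0777 mode on junk.bin in setup() is wider than a scratch file needs; 0600 is enough.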

From patchwork Thu Jul 11 11:18:19 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1959239
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:19 +0200
Message-Id: <20240711-landlock-v3-8-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 08/11] Add CAP_MKNOD fallback in lapi/capability.h

From: Andrea Cervesato

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
---
 include/lapi/capability.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/lapi/capability.h b/include/lapi/capability.h index 2b593797c..0f317d6d7 100644 --- a/include/lapi/capability.h +++ b/include/lapi/capability.h
@@ -44,14 +44,18 @@ # define CAP_SYS_TIME 25 #endif -#ifndef CAP_AUDIT_READ -# define CAP_AUDIT_READ 37 -#endif - #ifndef CAP_SYS_RESOURCE # define CAP_SYS_RESOURCE 24 #endif +#ifndef CAP_MKNOD +# define CAP_MKNOD 27 +#endif + +#ifndef CAP_AUDIT_READ +# define CAP_AUDIT_READ 37 +#endif + #ifndef CAP_BPF # define CAP_BPF 39 #endif
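Review bot: this hunk in include/lapi/capability.h mixes two things with no commit description to separate them: the new CAP_MKNOD fallback and a relocation of the CAP_AUDIT_READ block, whose value stays 37. Say in the commit message that the move is only a reordering with no value change, and name the test that needs CAP_MKNOD, so a reader does not have to diff the removed and added CAP_AUDIT_READ lines by eye to confirm nothing else changed.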
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:20 +0200
Message-Id: <20240711-landlock-v3-9-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 09/11] Add landlock04 test
From: Andrea Cervesato

This test verifies that all landlock rules are working properly. The way we do it is to verify that all disabled syscalls are not working but the one we enabled via specific landlock rules.

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 2 + testcases/kernel/syscalls/landlock/landlock04.c | 214 +++++++++++++ testcases/kernel/syscalls/landlock/landlock_exec.c | 9 + .../kernel/syscalls/landlock/landlock_tester.h | 350 +++++++++++++++++++++ 5 files changed, 576 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index f2b64c0df..3c7cd66e2 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -688,6 +688,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 +landlock04 landlock04 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index f79cd090b..4fe8d7cba 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,3 +1,5 @@ +landlock_exec landlock01 landlock02 landlock03 +landlock04 diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c new file mode 100644 index 000000000..30fd9400f --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock04.c 
@@ -0,0 +1,214 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that all landlock rules are working properly. The way we + * do it is to verify that all disabled syscalls are not working but the one we + * enabled via specifc landlock rules. + */ + +#include "landlock_common.h" +#include "landlock_tester.h" +#include "tst_safe_stdio.h" + +#define ACCESS_NAME(x) #x + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static struct tvariant { + int access; + char *desc; +} tvariants[] = { + { + LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_EXECUTE) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_WRITE_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_FILE) + }, + { + LANDLOCK_ACCESS_FS_MAKE_CHAR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_CHAR) + }, + { + LANDLOCK_ACCESS_FS_MAKE_BLOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_BLOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_REG, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_REG) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_FIFO, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_FIFO) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SYM, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SYM) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_TRUNCATE) + }, +}; + +static void run(void) +{ + if (!SAFE_FORK()) { + struct tvariant variant = tvariants[tst_variant]; + + tester_run_all_rules(variant.access); + _exit(0); + } 
+} + +static void enable_exec_libs(const int ruleset_fd) +{ + FILE *fp; + char line[1024]; + char path[PATH_MAX]; + char dependency[8][PATH_MAX]; + int count = 0; + int duplicate = 0; + + fp = SAFE_FOPEN("/proc/self/maps", "r"); + + while (fgets(line, sizeof(line), fp)) { + if (strstr(line, ".so") == NULL) + continue; + + SAFE_SSCANF(line, "%*x-%*x %*s %*x %*s %*d %s", path); + + for (int i = 0; i < count; i++) { + if (strcmp(path, dependency[i]) == 0) { + duplicate = 1; + break; + } + } + + if (duplicate) { + duplicate = 0; + continue; + } + + strncpy(dependency[count], path, PATH_MAX); + count++; + + tst_res(TINFO, "Enable read/exec permissions for %s", path); + + path_beneath_attr->allowed_access = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_EXECUTE; + path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); + } + + SAFE_FCLOSE(fp); +} + +static void setup(void) +{ + struct tvariant variant = tvariants[tst_variant]; + int ruleset_fd; + + verify_landlock_is_enabled(); + tester_create_tree(); + + tst_res(TINFO, "Testing %s", variant.desc); + + ruleset_attr->handled_access_fs = tester_get_all_rules(); + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + /* since our binary is dynamically linked, we need to enable dependences + * to be read and executed + */ + enable_exec_libs(ruleset_fd); + + path_beneath_attr->allowed_access = variant.access; + path_beneath_attr->parent_fd = SAFE_OPEN( + SANDBOX_FOLDER, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); + + enforce_ruleset(ruleset_fd); + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.13", + .forks_child = 1, + 
.needs_tmpdir = 1, + .needs_root = 1, + .test_variants = ARRAY_SIZE(tvariants), + .resource_files = (const char *[]) { + TESTAPP, + NULL, + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_MKNOD), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = SANDBOX_FOLDER, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + "exfat", + NULL + }, + .max_runtime = 3600, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_exec.c b/testcases/kernel/syscalls/landlock/landlock_exec.c new file mode 100644 index 000000000..aae5c76b2 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_exec.c @@ -0,0 +1,9 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +int main(void) +{ + return 0; +} diff --git a/testcases/kernel/syscalls/landlock/landlock_tester.h b/testcases/kernel/syscalls/landlock/landlock_tester.h new file mode 100644 index 000000000..89ca085d7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_tester.h 
@@ -0,0 +1,350 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_TESTER_H + +#include "tst_test.h" +#include "lapi/landlock.h" +#include + +#define PERM_MODE 0700 + +#define SANDBOX_FOLDER "sandbox" +#define TESTAPP "landlock_exec" + +#define FILE_EXEC SANDBOX_FOLDER"/"TESTAPP +#define FILE_READ SANDBOX_FOLDER"/file_read" +#define FILE_WRITE SANDBOX_FOLDER"/file_write" +#define FILE_REMOVE SANDBOX_FOLDER"/file_remove" +#define FILE_UNLINK SANDBOX_FOLDER"/file_unlink" +#define FILE_UNLINKAT SANDBOX_FOLDER"/file_unlinkat" +#define FILE_TRUNCATE SANDBOX_FOLDER"/file_truncate" +#define FILE_REGULAR SANDBOX_FOLDER"/regular0" +#define FILE_SOCKET SANDBOX_FOLDER"/socket0" +#define FILE_FIFO SANDBOX_FOLDER"/fifo0" +#define FILE_SYM0 SANDBOX_FOLDER"/symbolic0" +#define FILE_SYM1 SANDBOX_FOLDER"/symbolic1" +#define DIR_READDIR SANDBOX_FOLDER"/dir_readdir" +#define DIR_RMDIR SANDBOX_FOLDER"/dir_rmdir" +#define DEV_CHAR0 SANDBOX_FOLDER"/chardev0" +#define DEV_BLK0 SANDBOX_FOLDER"/blkdev0" + +#define ALL_RULES (\ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM | \ + LANDLOCK_ACCESS_FS_REFER | \ + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_NET_BIND_TCP | \ + LANDLOCK_ACCESS_NET_CONNECT_TCP | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) + +static char *readdir_files[] = { + DIR_READDIR"/file0", + DIR_READDIR"/file1", + DIR_READDIR"/file2", +}; + +static int dev_chr; +static int dev_blk; + +static int tester_get_all_rules(void) +{ + int abi; + int all_rules = ALL_RULES; + + abi = SAFE_LANDLOCK_CREATE_RULESET( + 
NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 2) + all_rules &= ~LANDLOCK_ACCESS_FS_REFER; + + if (abi < 3) + all_rules &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + + if (abi < 4) { + all_rules &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP); + } + + if (abi < 5) + all_rules &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + + return all_rules; +} + +static void tester_create_tree(void) +{ + if (access(SANDBOX_FOLDER, F_OK) == -1) + SAFE_MKDIR(SANDBOX_FOLDER, PERM_MODE); + + /* folders */ + SAFE_MKDIR(DIR_RMDIR, PERM_MODE); + SAFE_MKDIR(DIR_READDIR, PERM_MODE); + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) + SAFE_TOUCH(readdir_files[i], PERM_MODE, NULL); + + /* files */ + tst_fill_file(FILE_READ, 'a', getpagesize(), 1); + SAFE_TOUCH(FILE_WRITE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_REMOVE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINK, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINKAT, PERM_MODE, NULL); + SAFE_TOUCH(FILE_TRUNCATE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_SYM0, PERM_MODE, NULL); + SAFE_CP(TESTAPP, FILE_EXEC); + + /* devices */ + dev_chr = makedev(1, 3); + dev_blk = makedev(7, 0); +} + +static void _test_exec(const int result) +{ + int status; + pid_t pid; + char *const args[] = {(char *)FILE_EXEC, NULL}; + + tst_res(TINFO, "Test binary execution"); + + pid = SAFE_FORK(); + if (!pid) { + int rval; + + if (result == TPASS) { + rval = execve(FILE_EXEC, args, NULL); + if (rval == -1) + tst_res(TFAIL | TERRNO, "Failed to execute test binary"); + } else { + TST_EXP_FAIL(execve(FILE_EXEC, args, NULL), EACCES); + } + + _exit(1); + } + + SAFE_WAITPID(pid, &status, 0); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return; + + tst_res(result, "Test binary has been executed"); +} + +static void _test_write(const int result) +{ + tst_res(TINFO, "Test writing file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_WRITE, O_WRONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_WRITE, O_WRONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + 
SAFE_CLOSE(TST_RET); +} + +static void _test_read(const int result) +{ + tst_res(TINFO, "Test reading file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_READ, O_RDONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_READ, O_RDONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_readdir(const int result) +{ + tst_res(TINFO, "Test reading directory"); + + DIR *dir; + struct dirent *de; + int files_counted = 0; + + dir = opendir(DIR_READDIR); + if (!dir) { + tst_res(result == TPASS ? TFAIL : TPASS, + "Can't read '%s' directory", DIR_READDIR); + + return; + } + + tst_res(result, "Can read '%s' directory", DIR_READDIR); + if (result == TFAIL) + return; + + while ((de = readdir(dir)) != NULL) { + if (de->d_type != DT_REG) + continue; + + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) { + if (readdir_files[i] == NULL) + continue; + + if (strstr(readdir_files[i], de->d_name) != NULL) + files_counted++; + } + } + + SAFE_CLOSEDIR(dir); + + TST_EXP_EQ_LI(files_counted, ARRAY_SIZE(readdir_files)); +} + +static void _test_rmdir(const int result) +{ + tst_res(TINFO, "Test removing directory"); + + if (result == TPASS) + TST_EXP_PASS(rmdir(DIR_RMDIR)); + else + TST_EXP_FAIL(rmdir(DIR_RMDIR), EACCES); +} + +static void _test_rmfile(const int result) +{ + tst_res(TINFO, "Test removing file"); + + if (result == TPASS) { + TST_EXP_PASS(unlink(FILE_UNLINK)); + TST_EXP_PASS(remove(FILE_REMOVE)); + } else { + TST_EXP_FAIL(unlink(FILE_UNLINK), EACCES); + TST_EXP_FAIL(remove(FILE_REMOVE), EACCES); + } +} + +static void _test_make( + const char *path, + const int type, + const int dev, + const int result) +{ + tst_res(TINFO, "Test normal or special files creation"); + + if (result == TPASS) + TST_EXP_PASS(mknod(path, type | 0400, dev)); + else + TST_EXP_FAIL(mknod(path, type | 0400, dev), EACCES); +} + +static void _test_symbolic(const int result) +{ + tst_res(TINFO, "Test symbolic links"); + + if (result == TPASS) + 
TST_EXP_PASS(symlink(FILE_SYM0, FILE_SYM1)); + else + TST_EXP_FAIL(symlink(FILE_SYM0, FILE_SYM1), EACCES); +} + +static void _test_truncate(const int result) +{ + int fd; + + tst_res(TINFO, "Test truncating file"); + + if (result == TPASS) { + TST_EXP_PASS(truncate(FILE_TRUNCATE, 10)); + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY, PERM_MODE)); + if (fd != -1) { + TST_EXP_PASS(ftruncate(fd, 10)); + SAFE_CLOSE(fd); + } + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE)); + if (fd != -1) + SAFE_CLOSE(fd); + } else { + TST_EXP_FAIL(truncate(FILE_TRUNCATE, 10), EACCES); + + fd = open(FILE_TRUNCATE, O_WRONLY, PERM_MODE); + if (fd != -1) { + TST_EXP_FAIL(ftruncate(fd, 10), EACCES); + SAFE_CLOSE(fd); + } + + TST_EXP_FAIL(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE), + EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); + } +} + +static void tester_run_rules(const int rules, const int result) +{ + if (rules & LANDLOCK_ACCESS_FS_EXECUTE) + _test_exec(result); + + if (rules & LANDLOCK_ACCESS_FS_WRITE_FILE) + _test_write(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_FILE) + _test_read(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_DIR) + _test_readdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_DIR) + _test_rmdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_FILE) + _test_rmfile(result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_CHAR) + _test_make(DEV_CHAR0, S_IFCHR, dev_chr, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_BLOCK) + _test_make(DEV_BLK0, S_IFBLK, dev_blk, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_REG) + _test_make(FILE_REGULAR, S_IFREG, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SOCK) + _test_make(FILE_SOCKET, S_IFSOCK, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_FIFO) + _test_make(FILE_FIFO, S_IFIFO, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SYM) + _test_symbolic(result); + + if (rules & LANDLOCK_ACCESS_FS_TRUNCATE) { + if ((tst_kvercmp(6, 2, 0)) < 0) { + tst_res(TINFO, "Skip 
truncate test. Minimum kernel version is 6.2"); + return; + } + + _test_truncate(result); + } +} + +static inline void tester_run_all_rules(const int pass_rules) +{ + int fail_rules; + int all_rules; + + all_rules = tester_get_all_rules(); + fail_rules = all_rules & ~pass_rules; + + tester_run_rules(pass_rules, TPASS); + tester_run_rules(fail_rules, TFAIL); +} + +#endif
From patchwork Thu Jul 11 11:18:21 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1959242
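Review bot: In enable_exec_libs() of landlock04.c, count is never checked against the size of dependency[8][PATH_MAX], so a ninth distinct ".so" path found in /proc/self/maps is copied past the end of the array on the stack. Stop (or tst_brk) once count reaches ARRAY_SIZE(dependency) before the strncpy(), and terminate the copy explicitly, because strncpy(dependency[count], path, PATH_MAX) does not guarantee a trailing NUL. The strstr(line, ".so") filter accepts any maps line that merely contains ".so"; a short comment saying that this is intended would help the next reader.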
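Review bot: ALL_RULES in landlock_tester.h ORs LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP into a mask that landlock04.c assigns to ruleset_attr->handled_access_fs, and tester_get_all_rules() clears them again for abi < 4. The network rights belong to handled_access_net and reuse the low bit positions of the filesystem rights, so on abi < 4 that branch also strips filesystem rights from the handled set and the sandbox no longer restricts them; drop the two NET flags from ALL_RULES together with the abi < 4 branch. Two smaller points: the guard opens with "#ifndef LANDLOCK_TESTER_H" but LANDLOCK_TESTER_H is never defined, and LANDLOCK_ACCESS_FS_MAKE_DIR is part of ALL_RULES while tester_run_rules() has no check for it.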
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:21 +0200
Message-Id: <20240711-landlock-v3-10-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 10/11] Add landlock05 test
From: Andrea Cervesato

This test verifies LANDLOCK_ACCESS_FS_REFER access in the landlock sandbox. The feature is available since kernel 5.19.

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock05.c | 116 ++++++++++++++++++++++++ 3 files changed, 118 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 3c7cd66e2..a31ca3bc3 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -689,6 +689,7 @@ landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 +landlock05 landlock05 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index 4fe8d7cba..a7ea6be2e 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -3,3 +3,4 @@ landlock01 landlock02 landlock03 landlock04 +landlock05 diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c new file mode 100644 index 000000000..6ad1fdb79 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock05.c 
@@ -0,0 +1,116 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_REFER access in the + * landlock sandbox. + * + * [Algorithm] + * + * - apply LANDLOCK_ACCESS_FS_REFER in the folder1 + * - apply LANDLOCK_ACCESS_FS_REFER in the folder2 + * - create folder3 + * - verify that file can be moved from folder1 to folder2 + * - verify that file can't be moved from folder1 to folder3 + */ + +#include "landlock_common.h" + +#define MNTPOINT "sandbox" +#define DIR1 MNTPOINT"/folder1" +#define DIR2 MNTPOINT"/folder2" +#define DIR3 MNTPOINT"/folder3" +#define FILENAME1 DIR1"/file" +#define FILENAME2 DIR2"/file" +#define FILENAME3 DIR3"/file" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static void run(void) +{ + if (SAFE_FORK()) + return; + + TST_EXP_PASS(rename(FILENAME1, FILENAME2)); + if (TST_RET == -1) + return; + + TST_EXP_FAIL(rename(FILENAME2, FILENAME3), EXDEV); + TST_EXP_PASS(rename(FILENAME2, FILENAME1)); + + _exit(0); +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKDIR(DIR1, 0640); + SAFE_MKDIR(DIR2, 0640); + SAFE_MKDIR(DIR3, 0640); + SAFE_TOUCH(FILENAME1, 0640, NULL); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER"); + + ruleset_attr->handled_access_fs = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_REFER; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR1); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR2); + + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.19", + .needs_tmpdir = 
1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + "exfat", + NULL + }, +};
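Review bot: In run(), the early `return` after `TST_EXP_PASS(rename(FILENAME1, FILENAME2))` executes in the forked child, so on failure the child leaves run() without reaching `_exit(0)` and continues in the caller's code instead of terminating. Exit the child on that path too, for example `if (TST_RET == -1) _exit(0);`. In setup(), the three SAFE_MKDIR() calls use mode 0640, which gives the directories no search bit; that only works because the test runs as root (`.needs_root = 1`), so a directory mode with the execute bit set would state the intent. The [Algorithm] comment could also list the final move back from folder2 to folder1, since that step is what leaves the file in place for the next iteration.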
From: Andrea Cervesato
Date: Thu, 11 Jul 2024 13:18:22 +0200
Message-Id: <20240711-landlock-v3-11-c7b0e9edf9b0@suse.com>
References: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
In-Reply-To: <20240711-landlock-v3-0-c7b0e9edf9b0@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v3 11/11] Add landlock06 test

This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the landlock sandbox by creating a pipe and testing that ioctl() can be executed on it. The test is also verifying that some of the I/O operations can be always executed no matter the sandbox rules. This feature is available since kernel 6.10.

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock06.c | 112 ++++++++++++++++++++++++ 3 files changed, 114 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index a31ca3bc3..35d28679a 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -690,6 +690,7 @@ landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 landlock05 landlock05 +landlock06 landlock06 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index a7ea6be2e..315ac1dca 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -4,3 +4,4 @@ landlock02 landlock03 landlock04 landlock05 +landlock06 diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c new file mode 100644 index 000000000..647ebbe48 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock06.c 
@@ -0,0 +1,112 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the + * landlock sandbox by creating a pipe and testing that ioctl() can be executed + * on it. The test is also verifying that some of the I/O operations can be + * always executed no matter the sandbox rules. + */ + +#include "landlock_common.h" +#include + +#define MNTPOINT "sandbox" +#define FILENAME MNTPOINT"/fifo" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static int file_fd; +static int dev_fd; + +static void run(void) +{ + if (SAFE_FORK()) + return; + + int flag; + size_t sz = 0; + + TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz)); + + /* check unrestrictable commands */ + TST_EXP_PASS(ioctl(dev_fd, FIOCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag)); + TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag)); + + _exit(0); +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKFIFO(FILENAME, 0640); + + file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640); + dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV"); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_layer( + ruleset_attr, + path_beneath_attr, + MNTPOINT, + LANDLOCK_ACCESS_FS_IOCTL_DEV + ); + + SAFE_CLOSE(ruleset_fd); +} + +static void cleanup(void) +{ + if (dev_fd != -1) + SAFE_CLOSE(dev_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .min_kver = "6.10", + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = 
(const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + "exfat", + NULL + }, +};
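Review bot: In run() of landlock06.c, `int flag;` is passed uninitialized to `ioctl(dev_fd, FIONBIO, &flag)` and `ioctl(dev_fd, FIOASYNC, &flag)`, and both commands read the pointed-to value, so the test switches non-blocking and async mode on or off depending on stack contents; initialize it, for example `int flag = 0;`. In the same function FIONREAD stores an int, but `sz` is declared `size_t`; declaring it `int` gives the kernel an object of the matching type to write to. In setup(), `ruleset_fd` returned by SAFE_LANDLOCK_CREATE_RULESET() is not passed to anything before SAFE_CLOSE(), while apply_landlock_layer() receives `ruleset_attr` directly, so the extra ruleset looks unused and can probably be dropped. cleanup() compares the descriptors against -1, but `file_fd` and `dev_fd` are zero-initialized statics, so a failure early in setup() would make it close fd 0; initialize both to -1. Every check in run() is TST_EXP_PASS, so the test as written never shows an ioctl() being denied by the sandbox; a sentence in the [Description] saying that this is intended would help.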