/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Landlock scoped_domains variants
 *
 * See the hierarchy variants from ptrace_test.c
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2019-2020 ANSSI
 * Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
 */
/* clang-format on */
/*
 * Per-variant layout of Landlock domains around two processes, P1 (the
 * parent, going by the variant names) and P2 (the child).
 *
 * The diagrams on the variants in this file give the expected result of an
 * access attempted in each direction:
 *   - P1 -> P2 is denied in exactly the variants that set domain_parent;
 *   - P2 -> P1 is denied in exactly the variants that set domain_child;
 *   - domain_both on its own denies nothing.
 * The eight variants cover every combination of the three flags, so the
 * "allow" cases are checked as well as the "deny" ones.
 */
FIXTURE_VARIANT(scoped_domains)
{
	bool domain_both; /* P1 and P2 share one enclosing domain */
	bool domain_parent; /* P1 is confined in a domain of its own */
	bool domain_child; /* P2 is confined in a domain of its own */
};
/*
 *        No domain
 *
 *   P1-.               P1 -> P2 : allow
 *       \              P2 -> P1 : allow
 *        'P2
 *
 * Baseline: neither process is confined, so both directions are expected to
 * be allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, without_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = false,
};
/*
 *        Child domain
 *
 *   P1--.              P1 -> P2 : allow
 *        \             P2 -> P1 : deny
 *        .'-----.
 *        |  P2  |
 *        '------'
 *
 * Only P2 is confined: P2 -> P1 is expected to be denied, while P1 -> P2
 * stays allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, child_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = false,
	.domain_child = true,
};
/*
 *        Parent domain
 * .------.
 * |  P1  --.           P1 -> P2 : deny
 * '------'  \          P2 -> P1 : allow
 *            '
 *            P2
 *
 * Only P1 is confined: P1 -> P2 is expected to be denied, while P2 -> P1
 * stays allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = false,
};
/*
 *        Parent + child domain (siblings)
 * .------.
 * |  P1  ---.          P1 -> P2 : deny
 * '------'   \         P2 -> P1 : deny
 *         .---'--.
 *         |  P2  |
 *         '------'
 *
 * P1 and P2 are each confined in a separate domain with no shared one
 * around them: both directions are expected to be denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, sibling_domain) {
	/* clang-format on */
	.domain_both = false,
	.domain_parent = true,
	.domain_child = true,
};
/*
 *         Same domain (inherited)
 * .-------------.
 * | P1----.     |      P1 -> P2 : allow
 * |        \    |      P2 -> P1 : allow
 * |         '   |
 * |         P2  |
 * '-------------'
 *
 * P1 and P2 sit in one shared domain and nothing else separates them: both
 * directions are expected to be allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, inherited_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = false,
};
/*
 *         Inherited + child domain
 * .-----------------.
 * |  P1----.        |  P1 -> P2 : allow
 * |         \       |  P2 -> P1 : deny
 * |        .-'----. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * Inside the shared domain, P2 is additionally confined in a nested domain:
 * P2 -> P1 is expected to be denied, while P1 -> P2 stays allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = false,
	.domain_child = true,
};
/*
 *         Inherited + parent domain
 * .-----------------.
 * |.------.         |  P1 -> P2 : deny
 * ||  P1  ----.     |  P2 -> P1 : allow
 * |'------'    \    |
 * |             '   |
 * |             P2  |
 * '-----------------'
 *
 * Inside the shared domain, P1 is additionally confined in a nested domain:
 * P1 -> P2 is expected to be denied, while P2 -> P1 stays allowed.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, nested_and_parent_domain) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = false,
};
/*
 *         Inherited + parent and child domain (siblings)
 * .-----------------.
 * | .------.        |  P1 -> P2 : deny
 * | |  P1  .        |  P2 -> P1 : deny
 * | '------'\       |
 * |          \      |
 * |        .--'---. |
 * |        |  P2  | |
 * |        '------' |
 * '-----------------'
 *
 * Inside the shared domain, P1 and P2 are each confined in a separate nested
 * domain: both directions are expected to be denied.
 */
/* clang-format off */
FIXTURE_VARIANT_ADD(scoped_domains, forked_domains) {
	/* clang-format on */
	.domain_both = true,
	.domain_parent = true,
	.domain_child = true,
};