selftests/landlock: Add test to check rule tied to covered mount point

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This test checks that a rule on a directory used as a mount point does
not grant access to the mount covering it. It is a generalization of
the bind mount case in layout3_fs.hostfs.release_inodes [1] that tests
hidden mount points.

Cc: Günther Noack <gnoack@google.com>
Cc: Song Liu <song@kernel.org>
Cc: Tingmao Wang <m@maowtm.org>
Link: https://lore.kernel.org/r/20250606.zo5aekae6Da6@digikod.net [1]
Link: https://lore.kernel.org/r/20250606110811.211297-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Mickaël Salaün 9 months ago dae01387 dc58130b

+40

1 changed file

expand all

tools

testing

selftests

landlock

fs_test.c

+40

tools/testing/selftests/landlock/fs_test.c

··· 1832 1832 ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY)); 1833 1833 } 1834 1834 1835 + /* 1836 + * This test checks that a rule on a directory used as a mount point does not 1837 + * grant access to the mount covering it. It is a generalization of the bind 1838 + * mount case in layout3_fs.hostfs.release_inodes that tests hidden mount points. 1839 + */ 1840 + TEST_F_FORK(layout1, covered_rule) 1841 + { 1842 + const struct rule layer1[] = { 1843 + { 1844 + .path = dir_s3d2, 1845 + .access = LANDLOCK_ACCESS_FS_READ_DIR, 1846 + }, 1847 + {}, 1848 + }; 1849 + int ruleset_fd; 1850 + 1851 + /* Unmount to simplify FIXTURE_TEARDOWN. */ 1852 + set_cap(_metadata, CAP_SYS_ADMIN); 1853 + ASSERT_EQ(0, umount(dir_s3d2)); 1854 + clear_cap(_metadata, CAP_SYS_ADMIN); 1855 + 1856 + /* Creates a ruleset with the future hidden directory. */ 1857 + ruleset_fd = 1858 + create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1); 1859 + ASSERT_LE(0, ruleset_fd); 1860 + 1861 + /* Covers with a new mount point. */ 1862 + set_cap(_metadata, CAP_SYS_ADMIN); 1863 + ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2)); 1864 + clear_cap(_metadata, CAP_SYS_ADMIN); 1865 + 1866 + ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); 1867 + 1868 + enforce_ruleset(_metadata, ruleset_fd); 1869 + ASSERT_EQ(0, close(ruleset_fd)); 1870 + 1871 + /* Checks that access to the new mount point is denied. */ 1872 + ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY)); 1873 + } 1874 + 1835 1875 enum relative_access { 1836 1876 REL_OPEN, 1837 1877 REL_CHDIR,