tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags
Add the base_test's restrict_self_fd_flags tests to align with previous
restrict_self_fd tests but with the new
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF flag.
Add the restrict_self_flags tests to check that
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF are valid but not the next
bit. Some checks are similar to restrict_self_checks_ordering's ones.
Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250320190717.2287696-22-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
+71
+71
tools/testing/selftests/landlock/base_test.c
+71
tools/testing/selftests/landlock/base_test.c
···
288
288
EXPECT_EQ(EBADFD, errno);
289
289
}
290
290
291
+
TEST(restrict_self_fd_flags)
292
+
{
293
+
int fd;
294
+
295
+
fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
296
+
ASSERT_LE(0, fd);
297
+
298
+
/*
299
+
* LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF accepts -1 but not any file
300
+
* descriptor.
301
+
*/
302
+
EXPECT_EQ(-1, landlock_restrict_self(
303
+
fd, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
304
+
EXPECT_EQ(EBADFD, errno);
305
+
}
306
+
307
+
TEST(restrict_self_flags)
308
+
{
309
+
const __u32 last_flag = LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF;
310
+
311
+
/* Tests invalid flag combinations. */
312
+
313
+
EXPECT_EQ(-1, landlock_restrict_self(-1, last_flag << 1));
314
+
EXPECT_EQ(EINVAL, errno);
315
+
316
+
EXPECT_EQ(-1, landlock_restrict_self(-1, -1));
317
+
EXPECT_EQ(EINVAL, errno);
318
+
319
+
/* Tests valid flag combinations. */
320
+
321
+
EXPECT_EQ(-1, landlock_restrict_self(-1, 0));
322
+
EXPECT_EQ(EBADF, errno);
323
+
324
+
EXPECT_EQ(-1, landlock_restrict_self(
325
+
-1, LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF));
326
+
EXPECT_EQ(EBADF, errno);
327
+
328
+
EXPECT_EQ(-1,
329
+
landlock_restrict_self(
330
+
-1,
331
+
LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
332
+
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
333
+
EXPECT_EQ(EBADF, errno);
334
+
335
+
EXPECT_EQ(-1,
336
+
landlock_restrict_self(
337
+
-1,
338
+
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
339
+
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
340
+
EXPECT_EQ(EBADF, errno);
341
+
342
+
EXPECT_EQ(-1, landlock_restrict_self(
343
+
-1, LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON));
344
+
EXPECT_EQ(EBADF, errno);
345
+
346
+
EXPECT_EQ(-1,
347
+
landlock_restrict_self(
348
+
-1, LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
349
+
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON));
350
+
EXPECT_EQ(EBADF, errno);
351
+
352
+
/* Tests with an invalid ruleset_fd. */
353
+
354
+
EXPECT_EQ(-1, landlock_restrict_self(
355
+
-2, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
356
+
EXPECT_EQ(EBADF, errno);
357
+
358
+
EXPECT_EQ(0, landlock_restrict_self(
359
+
-1, LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF));
360
+
}
361
+
291
362
TEST(ruleset_fd_io)
292
363
{
293
364
struct landlock_ruleset_attr ruleset_attr = {