[10/10] Add landlock06 test

Message ID	20240701-landlock-v1-10-58e9af649a72@suse.com
State	Superseded
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> From: Andrea Cervesato <andrea.cervesato@suse.de> Date: Mon, 01 Jul 2024 17:42:15 +0200 MIME-Version: 1.0 Message-Id: <20240701-landlock-v1-10-58e9af649a72@suse.com> References: <20240701-landlock-v1-0-58e9af649a72@suse.com> In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com> To: ltp@lists.linux.it default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-0.999]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,imap1.dmz-prg2.suse.org:helo] Subject: [LTP] [PATCH 10/10] Add landlock06 test Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	landlock testing suite \| expand [00/10] landlock testing suite [01/10] Add landlock syscalls definitions [02/10] Add lapi/landlock.h fallback [03/10] Add landlock SAFE_* macros [04/10] Add SAFE_PRCTL macro [05/10] Add landlock01 test [06/10] Add landlock02 test [07/10] Add landlock03 test [08/10] Add landlock04 test [09/10] Add landlock05 test [10/10] Add landlock06 test

Message ID

20240701-landlock-v1-10-58e9af649a72@suse.com

State

Superseded

Headers

From: Andrea Cervesato <andrea.cervesato@suse.de>
Date: Mon, 01 Jul 2024 17:42:15 +0200
MIME-Version: 1.0
Message-Id: <20240701-landlock-v1-10-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 10/10] Add landlock06 test
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it
Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>

Series

landlock testing suite | expand

Commit Message

Andrea Cervesato July 1, 2024, 3:42 p.m. UTC

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
landlock sandbox by creating a pipe and testing that ioctl() can
be executed on it. The test is also verifying that some of the I/O
operations can be always executed no matter the sandbox rules.
This feature is available since kernel 6.10.

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                |   1 +
 testcases/kernel/syscalls/landlock/.gitignore   |   1 +
 testcases/kernel/syscalls/landlock/landlock06.c | 110 ++++++++++++++++++++++++
 3 files changed, 112 insertions(+)

Comments

Li Wang July 3, 2024, 1:29 p.m. UTC | #1

Nice work on those landlock syscalls test.

Reviewed-by: Li Wang <liwang@redhat.com>

On Mon, Jul 1, 2024 at 11:45 PM Andrea Cervesato <andrea.cervesato@suse.de>
wrote:

> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
> landlock sandbox by creating a pipe and testing that ioctl() can
> be executed on it. The test is also verifying that some of the I/O
> operations can be always executed no matter the sandbox rules.
> This feature is available since kernel 6.10.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  runtest/syscalls                                |   1 +
>  testcases/kernel/syscalls/landlock/.gitignore   |   1 +
>  testcases/kernel/syscalls/landlock/landlock06.c | 110
> ++++++++++++++++++++++++
>  3 files changed, 112 insertions(+)
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index a3ade6dc1..ebaf8dea4 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -689,6 +689,7 @@ landlock02 landlock02
>  landlock03 landlock03
>  landlock04 landlock04
>  landlock05 landlock05
> +landlock06 landlock06
>
>  lchown01 lchown01
>  lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/landlock/.gitignore
> b/testcases/kernel/syscalls/landlock/.gitignore
> index a7ea6be2e..315ac1dca 100644
> --- a/testcases/kernel/syscalls/landlock/.gitignore
> +++ b/testcases/kernel/syscalls/landlock/.gitignore
> @@ -4,3 +4,4 @@ landlock02
>  landlock03
>  landlock04
>  landlock05
> +landlock06
> diff --git a/testcases/kernel/syscalls/landlock/landlock06.c
> b/testcases/kernel/syscalls/landlock/landlock06.c
> new file mode 100644
> index 000000000..3281c2d2d
> --- /dev/null
> +++ b/testcases/kernel/syscalls/landlock/landlock06.c
> @@ -0,0 +1,110 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <
> andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * [Description]
> + *
> + * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
> + * landlock sandbox by creating a pipe and testing that ioctl() can be
> executed
> + * on it. The test is also verifying that some of the I/O operations can
> be
> + * always executed no matter the sandbox rules.
> + */
> +
> +#include "landlock_common.h"
> +#include <sys/ioctl.h>
> +
> +#define MNTPOINT "sandbox"
> +#define FILENAME MNTPOINT"/fifo"
> +
> +static struct landlock_ruleset_attr *ruleset_attr;
> +static struct landlock_path_beneath_attr *path_beneath_attr;
> +static int file_fd;
> +static int dev_fd;
> +
> +static void run(void)
> +{
> +       if (!SAFE_FORK()) {
> +               int flag;
> +               size_t sz = 0;
> +
> +               TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz));
> +
> +               /* check unrestrictable commands */
> +               TST_EXP_PASS(ioctl(dev_fd, FIOCLEX));
> +               TST_EXP_PASS(ioctl(dev_fd, FIONCLEX));
> +               TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag));
> +               TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag));
> +
> +               _exit(0);
> +       }
> +}
> +
> +static void setup(void)
> +{
> +       int ruleset_fd;
> +
> +       verify_landlock_is_enabled();
> +
> +       SAFE_MKFIFO(FILENAME, 0640);
> +
> +       file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640);
> +       dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640);
> +
> +       tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV");
> +
> +       ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
> +
> +       ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
> +               ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
> +
> +       apply_landlock_layer(
> +               ruleset_attr,
> +               path_beneath_attr,
> +               MNTPOINT,
> +               LANDLOCK_ACCESS_FS_IOCTL_DEV
> +       );
> +
> +       SAFE_CLOSE(ruleset_fd);
> +}
> +
> +static void cleanup(void)
> +{
> +       if (dev_fd != -1)
> +               SAFE_CLOSE(dev_fd);
> +
> +       if (file_fd != -1)
> +               SAFE_CLOSE(file_fd);
> +}
> +
> +static struct tst_test test = {
> +       .test_all = run,
> +       .setup = setup,
> +       .cleanup = cleanup,
> +       .min_kver = "6.10",
> +       .needs_tmpdir = 1,
> +       .needs_root = 1,
> +       .forks_child = 1,
> +       .needs_kconfigs = (const char *[]) {
> +               "CONFIG_SECURITY_LANDLOCK=y",
> +               NULL
> +       },
> +       .bufs = (struct tst_buffers []) {
> +               {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> +               {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> +               {},
> +       },
> +       .caps = (struct tst_cap []) {
> +               TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
> +               {}
> +       },
> +       .format_device = 1,
> +       .mount_device = 1,
> +       .mntpoint = MNTPOINT,
> +       .all_filesystems = 1,
> +       .skip_filesystems = (const char *[]) {
> +               "vfat",
> +               NULL
> +       },
> +};
>
> --
> 2.43.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>

diff --git a/runtest/syscalls b/runtest/syscalls
index a3ade6dc1..ebaf8dea4 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -689,6 +689,7 @@  landlock02 landlock02
 landlock03 landlock03
 landlock04 landlock04
 landlock05 landlock05
+landlock06 landlock06
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index a7ea6be2e..315ac1dca 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -4,3 +4,4 @@  landlock02
 landlock03
 landlock04
 landlock05
+landlock06
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c
new file mode 100644
index 000000000..3281c2d2d
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock06.c
@@ -0,0 +1,110 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the
+ * landlock sandbox by creating a pipe and testing that ioctl() can be executed
+ * on it. The test is also verifying that some of the I/O operations can be
+ * always executed no matter the sandbox rules.
+ */
+
+#include "landlock_common.h"
+#include <sys/ioctl.h>
+
+#define MNTPOINT "sandbox"
+#define FILENAME MNTPOINT"/fifo"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static struct landlock_path_beneath_attr *path_beneath_attr;
+static int file_fd;
+static int dev_fd;
+
+static void run(void)
+{
+	if (!SAFE_FORK()) {
+		int flag;
+		size_t sz = 0;
+
+		TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz));
+
+		/* check unrestrictable commands */
+		TST_EXP_PASS(ioctl(dev_fd, FIOCLEX));
+		TST_EXP_PASS(ioctl(dev_fd, FIONCLEX));
+		TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag));
+		TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag));
+
+		_exit(0);
+	}
+}
+
+static void setup(void)
+{
+	int ruleset_fd;
+
+	verify_landlock_is_enabled();
+
+	SAFE_MKFIFO(FILENAME, 0640);
+
+	file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640);
+	dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640);
+
+	tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV");
+
+	ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+		ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+
+	apply_landlock_layer(
+		ruleset_attr,
+		path_beneath_attr,
+		MNTPOINT,
+		LANDLOCK_ACCESS_FS_IOCTL_DEV
+	);
+
+	SAFE_CLOSE(ruleset_fd);
+}
+
+static void cleanup(void)
+{
+	if (dev_fd != -1)
+		SAFE_CLOSE(dev_fd);
+
+	if (file_fd != -1)
+		SAFE_CLOSE(file_fd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.min_kver = "6.10",
+	.needs_tmpdir = 1,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_SECURITY_LANDLOCK=y",
+		NULL
+	},
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+	.format_device = 1,
+	.mount_device = 1,
+	.mntpoint = MNTPOINT,
+	.all_filesystems = 1,
+	.skip_filesystems = (const char *[]) {
+		"vfat",
+		NULL
+	},
+};

[10/10] Add landlock06 test

Commit Message

Comments

Patch