[06/10] Add landlock02 test

Message ID	20240701-landlock-v1-6-58e9af649a72@suse.com
State	Superseded
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> From: Andrea Cervesato <andrea.cervesato@suse.de> Date: Mon, 01 Jul 2024 17:42:11 +0200 MIME-Version: 1.0 Message-Id: <20240701-landlock-v1-6-58e9af649a72@suse.com> References: <20240701-landlock-v1-0-58e9af649a72@suse.com> In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com> To: ltp@lists.linux.it default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,suse.com:email,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[suse.de:+] Subject: [LTP] [PATCH 06/10] Add landlock02 test Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	landlock testing suite \| expand [00/10] landlock testing suite [01/10] Add landlock syscalls definitions [02/10] Add lapi/landlock.h fallback [03/10] Add landlock SAFE_* macros [04/10] Add SAFE_PRCTL macro [05/10] Add landlock01 test [06/10] Add landlock02 test [07/10] Add landlock03 test [08/10] Add landlock04 test [09/10] Add landlock05 test [10/10] Add landlock06 test

Message ID

20240701-landlock-v1-6-58e9af649a72@suse.com

State

Superseded

Headers

From: Andrea Cervesato <andrea.cervesato@suse.de>
Date: Mon, 01 Jul 2024 17:42:11 +0200
MIME-Version: 1.0
Message-Id: <20240701-landlock-v1-6-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 06/10] Add landlock02 test
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it
Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>

Series

landlock testing suite | expand

Commit Message

Andrea Cervesato July 1, 2024, 3:42 p.m. UTC

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test verifies that landlock_add_rule syscall fails with the
right error codes:

- EINVAL flags is not 0, or the rule accesses are inconsistent
- ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
- EBADF ruleset_fd  is  not  a  file  descriptor  for  the  current
  thread, or a member of rule_attr is not a file descriptor as
  expected
- EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
  rule_attr is not the expected file descriptor type
- EFAULT rule_attr was not a valid address

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                |   1 +
 testcases/kernel/syscalls/landlock/.gitignore   |   1 +
 testcases/kernel/syscalls/landlock/landlock02.c | 153 ++++++++++++++++++++++++
 3 files changed, 155 insertions(+)

Comments

Li Wang July 2, 2024, 8:46 a.m. UTC | #1

On Mon, Jul 1, 2024 at 11:44 PM Andrea Cervesato <andrea.cervesato@suse.de>
wrote:

> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> This test verifies that landlock_add_rule syscall fails with the
> right error codes:
>
> - EINVAL flags is not 0, or the rule accesses are inconsistent
> - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
> - EBADF ruleset_fd  is  not  a  file  descriptor  for  the  current
>   thread, or a member of rule_attr is not a file descriptor as
>   expected
> - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
>   rule_attr is not the expected file descriptor type
> - EFAULT rule_attr was not a valid address
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
>

Reviewed-by: Li Wang <liwang@redhat.com>

---
>  runtest/syscalls                                |   1 +
>  testcases/kernel/syscalls/landlock/.gitignore   |   1 +
>  testcases/kernel/syscalls/landlock/landlock02.c | 153
> ++++++++++++++++++++++++
>  3 files changed, 155 insertions(+)
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 4c566d95f..7f9c83292 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -685,6 +685,7 @@ kill12 kill12
>  kill13 kill13
>
>  landlock01 landlock01
> +landlock02 landlock02
>
>  lchown01 lchown01
>  lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/landlock/.gitignore
> b/testcases/kernel/syscalls/landlock/.gitignore
> index b69f9b94a..ffed4abd2 100644
> --- a/testcases/kernel/syscalls/landlock/.gitignore
> +++ b/testcases/kernel/syscalls/landlock/.gitignore
> @@ -1 +1,2 @@
>  landlock01
> +landlock02
> diff --git a/testcases/kernel/syscalls/landlock/landlock02.c
> b/testcases/kernel/syscalls/landlock/landlock02.c
> new file mode 100644
> index 000000000..0e2da7ef5
> --- /dev/null
> +++ b/testcases/kernel/syscalls/landlock/landlock02.c
> @@ -0,0 +1,153 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <
> andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * [Description]
> + *
> + * This test verifies that landlock_add_rule syscall fails with the right
> + * error codes:
> + *
> + * - EINVAL flags is not 0, or the rule accesses are inconsistent
> + * - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
> + * - EBADF ruleset_fd  is  not  a  file  descriptor  for  the  current
> thread,
> + *   or a member of rule_attr is not a file descriptor as expected
> + * - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
> + *   rule_attr is not the expected file descriptor type
> + * - EFAULT rule_attr was not a valid address
> + */
> +
> +#include "landlock_common.h"
> +
> +static struct landlock_ruleset_attr *ruleset_attr;
> +static struct landlock_path_beneath_attr *path_beneath_attr;
> +static struct landlock_path_beneath_attr *rule_null;
> +static int ruleset_fd;
> +static int invalid_fd = -1;
> +
> +static struct tcase {
> +       int *fd;
> +       enum landlock_rule_type rule_type;
> +       struct landlock_path_beneath_attr **attr;
> +       int access;
> +       int parent_fd;
> +       uint32_t flags;
> +       int exp_errno;
> +       char *msg;
> +} tcases[] = {
> +       {
> +               &ruleset_fd,
> +               0,
> +               &path_beneath_attr,
> +               LANDLOCK_ACCESS_FS_EXECUTE,
> +               0,
> +               1,
> +               EINVAL,
> +               "Invalid flags"
> +       },
> +       {
> +               &ruleset_fd,
> +               0,
> +               &path_beneath_attr,
> +               LANDLOCK_ACCESS_FS_EXECUTE,
> +               0,
> +               0,
> +               EINVAL,
> +               "Invalid rule type"
> +       },
> +       {
> +               &ruleset_fd,
> +               LANDLOCK_RULE_PATH_BENEATH,
> +               &path_beneath_attr,
> +               0,
> +               0,
> +               0,
> +               ENOMSG,
> +               "Empty accesses"
> +       },
> +       {
> +               &invalid_fd,
> +               0,
> +               &path_beneath_attr,
> +               LANDLOCK_ACCESS_FS_EXECUTE,
> +               0,
> +               0,
> +               EBADF,
> +               "Invalid file descriptor"
> +       },
> +       {
> +               &ruleset_fd,
> +               LANDLOCK_RULE_PATH_BENEATH,
> +               &path_beneath_attr,
> +               LANDLOCK_ACCESS_FS_EXECUTE,
> +               -1,
> +               0,
> +               EBADF,
> +               "Invalid parent fd"
> +       },
> +       {
> +               &ruleset_fd,
> +               LANDLOCK_RULE_PATH_BENEATH,
> +               &rule_null,
> +               0,
> +               0,
> +               0,
> +               EFAULT,
> +               "Invalid rule attr"
> +       },
> +};
> +
> +static void run(unsigned int n)
> +{
> +       struct tcase *tc = &tcases[n];
> +
> +       if (*tc->attr) {
> +               (*tc->attr)->allowed_access = tc->access;
> +               (*tc->attr)->parent_fd = tc->parent_fd;
> +       }
> +
> +       TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
> +                       *tc->fd, tc->rule_type, *tc->attr, tc->flags),
> +               tc->exp_errno,
> +               "%s",
> +               tc->msg);
> +}
> +
> +static void setup(void)
> +{
> +       verify_landlock_is_enabled();
> +
> +       ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
> +
> +       ruleset_fd =
> TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
> +               ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
> +}
> +
> +static void cleanup(void)
> +{
> +       if (ruleset_fd != -1)
> +               SAFE_CLOSE(ruleset_fd);
> +}
> +
> +static struct tst_test test = {
> +       .test = run,
> +       .tcnt = ARRAY_SIZE(tcases),
> +       .setup = setup,
> +       .cleanup = cleanup,
> +       .min_kver = "5.13",
> +       .needs_root = 1,
> +       .needs_kconfigs = (const char *[]) {
> +               "CONFIG_SECURITY_LANDLOCK=y",
> +               NULL
> +       },
> +       .bufs = (struct tst_buffers []) {
> +               {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> +               {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> +               {},
> +       },
> +       .caps = (struct tst_cap []) {
> +               TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
> +               {}
> +       },
> +};
>
> --
> 2.43.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>

diff --git a/runtest/syscalls b/runtest/syscalls
index 4c566d95f..7f9c83292 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -685,6 +685,7 @@  kill12 kill12
 kill13 kill13
 
 landlock01 landlock01
+landlock02 landlock02
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index b69f9b94a..ffed4abd2 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -1 +1,2 @@ 
 landlock01
+landlock02
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
new file mode 100644
index 000000000..0e2da7ef5
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -0,0 +1,153 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * This test verifies that landlock_add_rule syscall fails with the right
+ * error codes:
+ *
+ * - EINVAL flags is not 0, or the rule accesses are inconsistent
+ * - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
+ * - EBADF ruleset_fd  is  not  a  file  descriptor  for  the  current  thread,
+ *   or a member of rule_attr is not a file descriptor as expected
+ * - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
+ *   rule_attr is not the expected file descriptor type
+ * - EFAULT rule_attr was not a valid address
+ */
+
+#include "landlock_common.h"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static struct landlock_path_beneath_attr *path_beneath_attr;
+static struct landlock_path_beneath_attr *rule_null;
+static int ruleset_fd;
+static int invalid_fd = -1;
+
+static struct tcase {
+	int *fd;
+	enum landlock_rule_type rule_type;
+	struct landlock_path_beneath_attr **attr;
+	int access;
+	int parent_fd;
+	uint32_t flags;
+	int exp_errno;
+	char *msg;
+} tcases[] = {
+	{
+		&ruleset_fd,
+		0,
+		&path_beneath_attr,
+		LANDLOCK_ACCESS_FS_EXECUTE,
+		0,
+		1,
+		EINVAL,
+		"Invalid flags"
+	},
+	{
+		&ruleset_fd,
+		0,
+		&path_beneath_attr,
+		LANDLOCK_ACCESS_FS_EXECUTE,
+		0,
+		0,
+		EINVAL,
+		"Invalid rule type"
+	},
+	{
+		&ruleset_fd,
+		LANDLOCK_RULE_PATH_BENEATH,
+		&path_beneath_attr,
+		0,
+		0,
+		0,
+		ENOMSG,
+		"Empty accesses"
+	},
+	{
+		&invalid_fd,
+		0,
+		&path_beneath_attr,
+		LANDLOCK_ACCESS_FS_EXECUTE,
+		0,
+		0,
+		EBADF,
+		"Invalid file descriptor"
+	},
+	{
+		&ruleset_fd,
+		LANDLOCK_RULE_PATH_BENEATH,
+		&path_beneath_attr,
+		LANDLOCK_ACCESS_FS_EXECUTE,
+		-1,
+		0,
+		EBADF,
+		"Invalid parent fd"
+	},
+	{
+		&ruleset_fd,
+		LANDLOCK_RULE_PATH_BENEATH,
+		&rule_null,
+		0,
+		0,
+		0,
+		EFAULT,
+		"Invalid rule attr"
+	},
+};
+
+static void run(unsigned int n)
+{
+	struct tcase *tc = &tcases[n];
+
+	if (*tc->attr) {
+		(*tc->attr)->allowed_access = tc->access;
+		(*tc->attr)->parent_fd = tc->parent_fd;
+	}
+
+	TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule,
+			*tc->fd, tc->rule_type, *tc->attr, tc->flags),
+		tc->exp_errno,
+		"%s",
+		tc->msg);
+}
+
+static void setup(void)
+{
+	verify_landlock_is_enabled();
+
+	ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
+
+	ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
+		ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
+}
+
+static void cleanup(void)
+{
+	if (ruleset_fd != -1)
+		SAFE_CLOSE(ruleset_fd);
+}
+
+static struct tst_test test = {
+	.test = run,
+	.tcnt = ARRAY_SIZE(tcases),
+	.setup = setup,
+	.cleanup = cleanup,
+	.min_kver = "5.13",
+	.needs_root = 1,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_SECURITY_LANDLOCK=y",
+		NULL
+	},
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+		{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+};

[06/10] Add landlock02 test

Commit Message

Comments

Patch