From patchwork Mon Jul 1 15:42:06 2024 X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954812
From: Andrea Cervesato Date: Mon, 01 Jul 2024 17:42:06 +0200 Message-Id: <20240701-landlock-v1-1-58e9af649a72@suse.com> References: <20240701-landlock-v1-0-58e9af649a72@suse.com> In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com> To: ltp@lists.linux.it
Subject: [LTP] [PATCH 01/10] Add landlock syscalls definitions
From: Andrea Cervesato Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- include/lapi/syscalls/aarch64.in | 3 +++ include/lapi/syscalls/arc.in | 3 +++ include/lapi/syscalls/arm.in | 3 +++ include/lapi/syscalls/hppa.in | 3 +++ include/lapi/syscalls/i386.in | 3 +++ include/lapi/syscalls/ia64.in | 3 +++ include/lapi/syscalls/mips_n32.in | 3 +++ include/lapi/syscalls/mips_n64.in | 3 +++ include/lapi/syscalls/mips_o32.in | 3 +++ include/lapi/syscalls/powerpc.in | 3 +++ include/lapi/syscalls/powerpc64.in | 3 +++ include/lapi/syscalls/s390.in | 3 +++ include/lapi/syscalls/s390x.in | 3 +++ include/lapi/syscalls/sh.in | 3 +++ include/lapi/syscalls/sparc.in | 3 +++ include/lapi/syscalls/sparc64.in | 3 +++ include/lapi/syscalls/x86_64.in | 3 +++ 17 files changed, 51 insertions(+) diff --git a/include/lapi/syscalls/aarch64.in b/include/lapi/syscalls/aarch64.in index 2cb6c2d87..3e7797718 100644 --- a/include/lapi/syscalls/aarch64.in +++ b/include/lapi/syscalls/aarch64.in @@ -296,5 +296,8 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 _sysctl 1078
diff --git a/include/lapi/syscalls/arc.in b/include/lapi/syscalls/arc.in index 3e2ee9061..7fde1d263 100644 --- a/include/lapi/syscalls/arc.in +++ b/include/lapi/syscalls/arc.in @@ -316,4 +316,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/arm.in b/include/lapi/syscalls/arm.in index 7bdbca533..693644f83 100644 --- a/include/lapi/syscalls/arm.in +++ b/include/lapi/syscalls/arm.in @@ -394,4 +394,7 @@ pidfd_getfd (__NR_SYSCALL_BASE+438) faccessat2 (__NR_SYSCALL_BASE+439) epoll_pwait2 (__NR_SYSCALL_BASE+441) quotactl_fd (__NR_SYSCALL_BASE+443) +landlock_create_ruleset (__NR_SYSCALL_BASE+444) +landlock_add_rule (__NR_SYSCALL_BASE+445) +landlock_restrict_self (__NR_SYSCALL_BASE+446) futex_waitv (__NR_SYSCALL_BASE+449) diff --git a/include/lapi/syscalls/hppa.in b/include/lapi/syscalls/hppa.in index 8ebdafafb..60c02aff2 100644 --- a/include/lapi/syscalls/hppa.in +++ b/include/lapi/syscalls/hppa.in @@ -43,4 +43,7 @@ close_range 436 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/i386.in b/include/lapi/syscalls/i386.in index 1472631c4..31ec1ecb2 100644 --- a/include/lapi/syscalls/i386.in +++ b/include/lapi/syscalls/i386.in @@ -430,4 +430,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/ia64.in b/include/lapi/syscalls/ia64.in index 0ea6e9722..2e56da7f9 100644 --- a/include/lapi/syscalls/ia64.in +++ b/include/lapi/syscalls/ia64.in @@ -343,4 +343,7 @@ pidfd_getfd 1462 faccessat2 1463 epoll_pwait2 1465 quotactl_fd 1467 +landlock_create_ruleset 1468 +landlock_add_rule 1469 +landlock_restrict_self 1470 futex_waitv 1473 
diff --git a/include/lapi/syscalls/mips_n32.in b/include/lapi/syscalls/mips_n32.in index e818c9d92..5f0fe65eb 100644 --- a/include/lapi/syscalls/mips_n32.in +++ b/include/lapi/syscalls/mips_n32.in @@ -370,4 +370,7 @@ process_madvise 6440 epoll_pwait2 6441 mount_setattr 6442 quotactl_fd 6443 +landlock_create_ruleset 6444 +landlock_add_rule 6445 +landlock_restrict_self 6446 futex_waitv 6449 diff --git a/include/lapi/syscalls/mips_n64.in b/include/lapi/syscalls/mips_n64.in index 6e15f43b3..f81c60e66 100644 --- a/include/lapi/syscalls/mips_n64.in +++ b/include/lapi/syscalls/mips_n64.in @@ -346,4 +346,7 @@ process_madvise 5440 epoll_pwait2 5441 mount_setattr 5442 quotactl_fd 5443 +landlock_create_ruleset 5444 +landlock_add_rule 5445 +landlock_restrict_self 5446 futex_waitv 5449 diff --git a/include/lapi/syscalls/mips_o32.in b/include/lapi/syscalls/mips_o32.in index 921d5d331..c2beffb75 100644 --- a/include/lapi/syscalls/mips_o32.in +++ b/include/lapi/syscalls/mips_o32.in @@ -416,4 +416,7 @@ process_madvise 4440 epoll_pwait2 4441 mount_setattr 4442 quotactl_fd 4443 +landlock_create_ruleset 4444 +landlock_add_rule 4445 +landlock_restrict_self 4446 futex_waitv 4449 diff --git a/include/lapi/syscalls/powerpc.in b/include/lapi/syscalls/powerpc.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc.in +++ b/include/lapi/syscalls/powerpc.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/powerpc64.in b/include/lapi/syscalls/powerpc64.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc64.in +++ b/include/lapi/syscalls/powerpc64.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 
diff --git a/include/lapi/syscalls/s390.in b/include/lapi/syscalls/s390.in index 7213ac5f8..275b27f47 100644 --- a/include/lapi/syscalls/s390.in +++ b/include/lapi/syscalls/s390.in @@ -410,4 +410,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/s390x.in b/include/lapi/syscalls/s390x.in index 879012e2b..c200d02b2 100644 --- a/include/lapi/syscalls/s390x.in +++ b/include/lapi/syscalls/s390x.in @@ -358,4 +358,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sh.in b/include/lapi/syscalls/sh.in index 7d5192a27..6f482a77b 100644 --- a/include/lapi/syscalls/sh.in +++ b/include/lapi/syscalls/sh.in @@ -404,4 +404,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc.in b/include/lapi/syscalls/sparc.in index 91d2fb1c2..7181e80a0 100644 --- a/include/lapi/syscalls/sparc.in +++ b/include/lapi/syscalls/sparc.in @@ -409,4 +409,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc64.in b/include/lapi/syscalls/sparc64.in index 1f2fc59b7..c96ab2021 100644 --- a/include/lapi/syscalls/sparc64.in +++ b/include/lapi/syscalls/sparc64.in @@ -374,4 +374,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/x86_64.in b/include/lapi/syscalls/x86_64.in index dc61aa56e..3082ca110 100644 --- a/include/lapi/syscalls/x86_64.in 
+++ b/include/lapi/syscalls/x86_64.in 
@@ -351,6 +351,9 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 rt_sigaction 512 rt_sigreturn 513
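Review bot: The commit message for this patch has no body, so nothing records which kernel syscall tables the numbers in the 17 include/lapi/syscalls/*.in hunks were taken from. Most tables add 444/445/446, but ia64.in uses 1468 to 1470, the MIPS files use 6444, 5444 and 4444 onward, and arm.in wraps the value as (__NR_SYSCALL_BASE+444); one sentence naming the reference the per-arch values were checked against would let a reviewer confirm them without re-deriving each offset from the neighbouring context lines.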
From: Andrea Cervesato Date: Mon, 01 Jul 2024 17:42:07 +0200 Message-Id: <20240701-landlock-v1-2-58e9af649a72@suse.com> References: <20240701-landlock-v1-0-58e9af649a72@suse.com> In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com> To: ltp@lists.linux.it
Subject: [LTP] [PATCH 02/10] Add lapi/landlock.h fallback
From: Andrea Cervesato Signed-off-by: Andrea Cervesato --- configure.ac | 5 ++ include/lapi/landlock.h | 120 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 125 insertions(+) diff --git a/configure.ac b/configure.ac index 82969b8d3..e5f0c9f77 100644 --- a/configure.ac +++ b/configure.ac @@ -157,6 +157,7 @@ AC_CHECK_FUNCS_ONCE([ \ AC_CHECK_FUNCS(mkdtemp,[],AC_MSG_ERROR(mkdtemp() not found!)) AC_CHECK_MEMBERS([struct fanotify_event_info_fid.fsid.__val],,,[#include ]) +AC_CHECK_MEMBERS([struct landlock_ruleset_attr.handled_access_net],,,[#include ]) AC_CHECK_MEMBERS([struct perf_event_mmap_page.aux_head],,,[#include ]) AC_CHECK_MEMBERS([struct sigaction.sa_sigaction],[],[],[#include ]) AC_CHECK_MEMBERS([struct statx.stx_mnt_id, struct statx.stx_dio_mem_align],,,[ @@ -170,6 +171,7 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[ ]) AC_CHECK_TYPES([enum kcmp_type],,,[#include ]) +AC_CHECK_TYPES([enum landlock_rule_type],,,[#include ]) AC_CHECK_TYPES([struct acct_v3],,,[#include ]) AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include ]) AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error,
@@ -190,6 +192,9 @@ AC_CHECK_TYPES([struct if_nextdqblk],,,[#include ]) AC_CHECK_TYPES([struct iovec],,,[#include ]) AC_CHECK_TYPES([struct ipc64_perm],,,[#include ]) AC_CHECK_TYPES([struct loop_config],,,[#include ]) +AC_CHECK_TYPES([struct landlock_ruleset_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_path_beneath_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_net_port_attr],,,[#include + */ + +#ifndef LAPI_LANDLOCK_H__ +#define LAPI_LANDLOCK_H__ + +#include "config.h" +#include "lapi/syscalls.h" + +#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR +struct landlock_ruleset_attr +{ + uint64_t handled_access_fs; + uint64_t handled_access_net; +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR +struct landlock_path_beneath_attr +{ + uint64_t allowed_access; + int32_t parent_fd; +} __attribute__((packed)); +#endif + +#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE +enum landlock_rule_type +{ + LANDLOCK_RULE_PATH_BENEATH = 1, + LANDLOCK_RULE_NET_PORT, +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR +struct landlock_net_port_attr +{ + uint64_t allowed_access; + uint64_t port; +}; +#endif + +#ifndef LANDLOCK_CREATE_RULESET_VERSION +# define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_EXECUTE +# define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE +# define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_FILE +# define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_DIR +# define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR +# define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE +# define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR +# define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR +# define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL 
<< 7) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_REG +# define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK +# define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO +# define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK +# define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM +# define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REFER +# define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) +#endif + +#ifndef LANDLOCK_ACCESS_FS_TRUNCATE +# define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#endif + +#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV +# define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) +#endif + +#ifndef LANDLOCK_ACCESS_NET_BIND_TCP +# define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP +# define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) +#endif + +#endif
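Review bot: The member check added in the first configure.ac hunk, AC_CHECK_MEMBERS([struct landlock_ruleset_attr.handled_access_net]...), is never consumed: the fallback in include/lapi/landlock.h is keyed only on HAVE_STRUCT_LANDLOCK_RULESET_ATTR. When the installed header defines the struct without handled_access_net, the fallback is skipped and any test that sets that field will fail to build, so either key the fallback on the member macro or drop the check. As a style point, the last configure.ac hunk adds the three struct landlock_* type checks after struct loop_config, which breaks the alphabetical order of the surrounding entries (if_nextdqblk, iovec, ipc64_perm, loop_config).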
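Review bot: The fallback structs in include/lapi/landlock.h use uint64_t and int32_t, but the only includes visible in the new header are "config.h" and "lapi/syscalls.h"; include stdint.h explicitly rather than depending on what those two pull in. The #ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE guard is also all-or-nothing: if the system enum exists but has no LANDLOCK_RULE_NET_PORT, nothing here supplies it, and an enumerator cannot be probed with #ifndef the way the LANDLOCK_ACCESS_* macros below it are, so that case needs its own configure check.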
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:08 +0200
Message-Id: <20240701-landlock-v1-3-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 03/10] Add landlock SAFE_* macros

From: Andrea Cervesato

Added three more SAFE_* macros for landlock sandbox:

- SAFE_LANDLOCK_CREATE_RULESET
- SAFE_LANDLOCK_ADD_RULE
- SAFE_LANDLOCK_RESTRICT_SELF

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
--- include/tst_safe_macros.h | 19 ++++++++++++++++++ lib/tst_safe_macros.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h index 08b8e930a..7748bd34f 100644 --- a/include/tst_safe_macros.h +++ b/include/tst_safe_macros.h @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include
@@ -503,4 +504,22 @@ int safe_sscanf(const char *file, const int lineno, const char *restrict buffer, #define SAFE_SSCANF(buffer, format, ...) \ safe_sscanf(__FILE__, __LINE__, (buffer), (format), ##__VA_ARGS__) +int safe_landlock_create_ruleset(const char *file, const int lineno, + const struct landlock_ruleset_attr *attr, + size_t size , uint32_t flags); +#define SAFE_LANDLOCK_CREATE_RULESET(attr, size, flags) \ + safe_landlock_create_ruleset(__FILE__, __LINE__, (attr), (size), (flags)) + +int safe_landlock_add_rule(const char *file, const int lineno, + int ruleset_fd, enum landlock_rule_type rule_type, + const void *rule_attr, uint32_t flags); +#define SAFE_LANDLOCK_ADD_RULE(ruleset_fd, rule_type, rule_attr, flags) \ + safe_landlock_add_rule(__FILE__, __LINE__, \ + (ruleset_fd), (rule_type), (rule_attr), (flags)) + +int safe_landlock_restrict_self(const char *file, const int lineno, + int ruleset_fd, int flags); +#define SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, flags) \ + safe_landlock_restrict_self(__FILE__, __LINE__, (ruleset_fd), (flags)) + #endif /* TST_SAFE_MACROS_H__ */ diff --git a/lib/tst_safe_macros.c b/lib/tst_safe_macros.c index 4e48c427b..ba997eb7c 100644 --- a/lib/tst_safe_macros.c +++ b/lib/tst_safe_macros.c 
@@ -710,3 +710,53 @@ int safe_mprotect(const char *file, const int lineno, return rval; } + + +int safe_landlock_create_ruleset(const char *file, const int lineno, + const struct landlock_ruleset_attr *attr, + size_t size , uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_create_ruleset, attr, size, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_create_ruleset(%p, %lu, %u)", + attr, size, flags); + } + + return rval; +} + +int safe_landlock_add_rule(const char *file, const int lineno, + int ruleset_fd, enum landlock_rule_type rule_type, + const void *rule_attr, uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_add_rule, + ruleset_fd, rule_type, rule_attr, flags); + + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_add_rule(%d, %d, %p, %u)", + ruleset_fd, rule_type, rule_attr, flags); + } + + return rval; +} + +int safe_landlock_restrict_self(const char *file, const int lineno, + int ruleset_fd, int flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_restrict_self, ruleset_fd, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_restrict_self(%d, %u)", + ruleset_fd, flags); + } + + return rval; +}
From patchwork Mon Jul 1 15:42:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954805
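Review bot: in [PATCH 03/10], include/tst_safe_macros.h, safe_landlock_restrict_self() declares "int flags" while safe_landlock_create_ruleset() and safe_landlock_add_rule() take "uint32_t flags", and the definition in lib/tst_safe_macros.c then prints that int with %u. Declaring it as "uint32_t flags" in both the prototype and the definition keeps the three wrappers consistent and makes the format string match its argument. The stray space in "size_t size , uint32_t flags" can be dropped at the same time.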
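Review bot: in [PATCH 03/10], lib/tst_safe_macros.c, safe_landlock_create_ruleset() prints "size", a size_t, with %lu in the tst_brk_() message; that only matches on targets where size_t is unsigned long, so %zu is the portable specifier. The hunk also opens with two added blank lines after safe_mprotect() where one is enough.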
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:09 +0200
Message-Id: <20240701-landlock-v1-4-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 04/10] Add SAFE_PRCTL macro

From: Andrea Cervesato

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
Reviewed-by: Petr Vorel
--- include/tst_safe_macros.h | 6 ++++++ lib/tst_safe_macros.c | 16 ++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h index 7748bd34f..733a2506e 100644 --- a/include/tst_safe_macros.h +++ b/include/tst_safe_macros.h @@ -504,6 +504,12 @@ int safe_sscanf(const char *file, const int lineno, const char *restrict buffer, #define SAFE_SSCANF(buffer, format, ...) \ safe_sscanf(__FILE__, __LINE__, (buffer), (format), ##__VA_ARGS__) +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5); +#define SAFE_PRCTL(option, arg2, arg3, arg4, arg5) \ + safe_prctl(__FILE__, __LINE__, (option), (arg2), (arg3), (arg4), (arg5)) + int safe_landlock_create_ruleset(const char *file, const int lineno, const struct landlock_ruleset_attr *attr, size_t size , uint32_t flags); diff --git a/lib/tst_safe_macros.c b/lib/tst_safe_macros.c index ba997eb7c..a81037161 100644 --- a/lib/tst_safe_macros.c +++ b/lib/tst_safe_macros.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "config.h" #ifdef HAVE_SYS_FANOTIFY_H # include
@@ -711,6 +712,21 @@ int safe_mprotect(const char *file, const int lineno, return rval; } +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + int rval; + + rval = prctl(option, arg2, arg3, arg4, arg5); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "prctl(%d, %lu, %lu, %lu, %lu)", + option, arg2, arg3, arg4, arg5); + } + + return rval; +} int safe_landlock_create_ruleset(const char *file, const int lineno, const struct landlock_ruleset_attr *attr,
From patchwork Mon Jul 1 15:42:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954803
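Review bot: in [PATCH 04/10], lib/tst_safe_macros.c, safe_prctl() treats only rval == -1 as failure, so any other negative return from prctl() is handed back to the test as if it were a valid result. An "else if (rval < 0)" branch that calls tst_brk_() with an invalid-return-value message would catch that; positive returns have to stay allowed because some prctl options report their result through the return value. The commit message is also empty apart from the tags; one line saying that the landlock helpers need the wrapper for PR_SET_NO_NEW_PRIVS would document why it is added.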
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:10 +0200
Message-Id: <20240701-landlock-v1-5-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 05/10] Add landlock01 test

From: Andrea Cervesato

This test verifies that landlock_create_ruleset syscall fails with the right
error codes:

- EINVAL Unknown flags, or unknown access, or too small size
- E2BIG size is too big
- EFAULT attr was not a valid address
- ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0)

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
--- runtest/syscalls | 2 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/Makefile | 10 +++ testcases/kernel/syscalls/landlock/landlock01.c | 87 ++++++++++++++++++++++ .../kernel/syscalls/landlock/landlock_common.h | 74 ++++++++++++++++++ 5 files changed, 174 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 44a577db3..4c566d95f 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -684,6 +684,8 @@ kill11 kill11 kill12 kill12 kill13 kill13 +landlock01 landlock01 + lchown01 lchown01 lchown01_16 lchown01_16 lchown02 lchown02 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore new file mode 100644 index 000000000..b69f9b94a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -0,0 +1 @@ +landlock01 diff --git a/testcases/kernel/syscalls/landlock/Makefile b/testcases/kernel/syscalls/landlock/Makefile new file mode 100644 index 000000000..4b3e3fd8f --- /dev/null +++ b/testcases/kernel/syscalls/landlock/Makefile
@@ -0,0 +1,10 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2024 SUSE LLC Andrea Cervesato + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk + +LDLIBS += -lc + +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c new file mode 100644 index 000000000..9f8c6489c --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock01.c 
@@ -0,0 +1,87 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_create_ruleset syscall fails with the right + * error codes: + * + * - EINVAL Unknown flags, or unknown access, or too small size + * - E2BIG size is too big + * - EFAULT attr was not a valid address + * - ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0) + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_ruleset_attr *null_attr; +static size_t rule_size; +static size_t rule_small_size; +static size_t rule_big_size; + +static struct tcase { + struct landlock_ruleset_attr **attr; + uint64_t access_fs; + size_t *size; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_attr, -1, &rule_size, 0, EINVAL, "Unknown access"}, + {&ruleset_attr, 0, &rule_small_size, 0, EINVAL, "Size is too small"}, + {&ruleset_attr, 0, &rule_size, -1, EINVAL, "Unknown flags"}, + {&ruleset_attr, 0, &rule_big_size, 0, E2BIG, "Size is too big"}, + {&null_attr, 0, &rule_size, 0, EFAULT, "Invalid attr address"}, + {&ruleset_attr, 0, &rule_size, 0, ENOMSG, "Empty accesses"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (*tc->attr) + (*tc->attr)->handled_access_fs = tc->access_fs; + + TST_EXP_FAIL(tst_syscall(__NR_landlock_create_ruleset, + *tc->attr, *tc->size, tc->flags), + tc->exp_errno, + "%s", + tc->msg); + + if (TST_RET >= 0) + SAFE_CLOSE(TST_RET); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + rule_size = sizeof(struct landlock_ruleset_attr); + + rule_small_size = rule_size - 1; + rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1; +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + 
.bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h new file mode 100644 index 000000000..66f8fd19a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_common.h 
@@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_COMMON_H + +#include "tst_test.h" +#include "lapi/prctl.h" +#include "lapi/fcntl.h" +#include "lapi/landlock.h" + +static inline void verify_landlock_is_enabled(void) +{ + int abi; + + abi = tst_syscall(__NR_landlock_create_ruleset, + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 0) { + if (errno == EOPNOTSUPP) { + tst_brk(TCONF, "Landlock is currently disabled. " + "Please enable it either via CONFIG_LSM or " + "'lsm' kernel parameter."); + } + + tst_brk(TBROK | TERRNO, "landlock_create_ruleset error"); + } + + tst_res(TINFO, "Landlock ABI v%d", abi); +} + +static inline void apply_landlock_rule( + struct landlock_path_beneath_attr *path_beneath_attr, + const int ruleset_fd, + const int access, + const char *path) +{ + path_beneath_attr->allowed_access = access; + path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); +} + +static inline void enforce_ruleset(const int ruleset_fd) +{ + SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); +} + +static inline void apply_landlock_layer( + struct landlock_ruleset_attr *ruleset_attr, + struct landlock_path_beneath_attr *path_beneath_attr, + const char *path, + const int access) +{ + int ruleset_fd; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path); + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +#endif
From patchwork Mon Jul 1 15:42:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954808
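Review bot: in [PATCH 05/10], landlock01.c setup(), rule_small_size is computed as "rule_size - 1", which is only too small as long as struct landlock_ruleset_attr consists of handled_access_fs alone. The kernel's minimum accepted size covers just that first field, so if the struct from lapi/landlock.h carries further fields, the "Size is too small" case would be expected to pass the size check and fail on the zero access mask (ENOMSG) instead of returning EINVAL. Deriving the value from the first field, for example "rule_small_size = sizeof(uint64_t) - 1;", keeps the case independent of the struct layout. Separately, ".needs_root = 1" and the CAP_SYS_ADMIN request look unnecessary for a test that only calls landlock_create_ruleset, which is meant to be usable by unprivileged processes.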
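Review bot: in [PATCH 05/10], landlock_common.h, the include guard opens with "#ifndef LANDLOCK_COMMON_H" but never defines the macro, so the guard has no effect and a second inclusion would redefine the static inline helpers. Add "#define LANDLOCK_COMMON_H" directly after the #ifndef. In apply_landlock_rule() and apply_landlock_layer() the access mask is passed as "const int access" before being stored in allowed_access; a uint64_t parameter would match the uint64_t access_fs field used in the landlock01.c test table and would not truncate access bits above bit 31.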
incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org
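Review bot: The include guard in landlock_common.h is incomplete: `#ifndef LANDLOCK_COMMON_H` is never followed by `#define LANDLOCK_COMMON_H`, so including the header twice in one translation unit redefines every static inline helper. Add the define directly after the #ifndef. Separately, apply_landlock_rule() and apply_landlock_layer() take the access mask as `const int access` and store it in allowed_access; declaring the parameter with the same type as that field avoids a silent conversion.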
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:11 +0200
Message-Id: <20240701-landlock-v1-6-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 06/10] Add landlock02 test
List-Id: Linux Test Project

From: Andrea Cervesato

This test verifies that landlock_add_rule syscall fails with the right
error codes:

- EINVAL flags is not 0, or the rule accesses are inconsistent
- ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0)
- EBADF ruleset_fd is not a file descriptor for the current thread,
  or a member of rule_attr is not a file descriptor as expected
- EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
  rule_attr is not the expected file descriptor type
- EFAULT rule_attr was not a valid address

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock02.c | 153 ++++++++++++++++++++++++ 3 files changed, 155 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 4c566d95f..7f9c83292 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -685,6 +685,7 @@ kill12 kill12 kill13 kill13 landlock01 landlock01 +landlock02 landlock02 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index b69f9b94a..ffed4abd2 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore 
+++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1 +1,2 @@ landlock01 +landlock02 diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c new file mode 100644 index 000000000..0e2da7ef5 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock02.c 
@@ -0,0 +1,153 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_add_rule syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0, or the rule accesses are inconsistent + * - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0) + * - EBADF ruleset_fd is not a file descriptor for the current thread, + * or a member of rule_attr is not a file descriptor as expected + * - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of + * rule_attr is not the expected file descriptor type + * - EFAULT rule_attr was not a valid address + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static struct landlock_path_beneath_attr *rule_null; +static int ruleset_fd; +static int invalid_fd = -1; + +static struct tcase { + int *fd; + enum landlock_rule_type rule_type; + struct landlock_path_beneath_attr **attr; + int access; + int parent_fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 1, + EINVAL, + "Invalid flags" + }, + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EINVAL, + "Invalid rule type" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + 0, + 0, + 0, + ENOMSG, + "Empty accesses" + }, + { + &invalid_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EBADF, + "Invalid file descriptor" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + -1, + 0, + EBADF, + "Invalid parent fd" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &rule_null, + 0, + 0, + 0, + EFAULT, + "Invalid rule attr" + }, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + 
if (*tc->attr) { + (*tc->attr)->allowed_access = tc->access; + (*tc->attr)->parent_fd = tc->parent_fd; + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, + *tc->fd, tc->rule_type, *tc->attr, tc->flags), + tc->exp_errno, + "%s", + tc->msg); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; From patchwork Mon Jul 1 15:42:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954807 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=P6DUnUfb; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=fMoNMOTr; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=P6DUnUfb; dkim=neutral header.d=suse.de header.i=@suse.de 
header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=fMoNMOTr; dkim-atps=neutral
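Review bot: In landlock02.c, `static int ruleset_fd;` starts at 0 while cleanup() only skips the close when the value is -1, so if setup() bails out in verify_landlock_is_enabled() before the ruleset is created, cleanup() calls SAFE_CLOSE(0). Initialize it to -1, as landlock03.c does. Also, the "Invalid flags" and "Invalid file descriptor" cases pass rule_type 0, the same value the "Invalid rule type" case relies on for EINVAL, so they isolate the argument they name only if the kernel checks that argument first; using LANDLOCK_RULE_PATH_BENEATH there leaves exactly one invalid argument per case. The description lists EBADFD and "the rule accesses are inconsistent", but no entry in tcases[] exercises either.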
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:12 +0200
Message-Id: <20240701-landlock-v1-7-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 07/10] Add landlock03 test
List-Id: Linux Test Project

From: Andrea Cervesato

This test verifies that landlock_restrict_self syscall fails with the right
error codes:

- EINVAL flags is not 0
- EBADF ruleset_fd is not a file descriptor for the current thread
- EBADFD ruleset_fd is not a ruleset file descriptor
- EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace
- E2BIG The maximum number of stacked rulesets is reached for the current
  thread

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock03.c | 119 ++++++++++++++++++++++++ 3 files changed, 121 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 7f9c83292..1e2d682e3 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -686,6 +686,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 +landlock03 landlock03 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index ffed4abd2..f79cd090b 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,2 +1,3 @@ landlock01 landlock02 +landlock03 diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c new file mode 100644 index 000000000..6511e24a7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock03.c 
@@ -0,0 +1,119 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_restrict_self syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0 + * - EBADF ruleset_fd is not a file descriptor for the current thread + * - EBADFD ruleset_fd is not a ruleset file descriptor + * - EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace + * - E2BIG The maximum number of stacked rulesets is reached for the current + * thread + */ + +#include "landlock_common.h" + +#define MAX_STACKED_RULESETS 16 + +static struct landlock_ruleset_attr *ruleset_attr; +static int ruleset_fd = -1; +static int ruleset_invalid = -1; +static int file_fd = -1; + +static struct tst_cap dropadmin = { + .action = TST_CAP_DROP, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tst_cap needadmin = { + .action = TST_CAP_REQ, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tcase { + int *fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_fd, -1, EINVAL, "Invalid flags"}, + {&ruleset_invalid, 0, EBADF, "Invalid file descriptor"}, + {&file_fd, 0, EBADFD, "Not a ruleset file descriptor"}, + {&ruleset_fd, 0, EPERM, "File descriptor doesn't have CAP_SYS_ADMIN"}, + {&ruleset_fd, 0, E2BIG, "Maximum number of stacked rulesets is reached"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (tc->exp_errno == EPERM) + tst_cap_action(&dropadmin); + + if (tc->exp_errno == E2BIG) { + for (int i = 0; i < MAX_STACKED_RULESETS; i++) { + TST_EXP_PASS_SILENT(tst_syscall(__NR_landlock_restrict_self, + *tc->fd, tc->flags)); + if (TST_RET == -1) + return; + } + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags), + tc->exp_errno, + "%s", tc->msg); + + if (tc->exp_errno == EPERM) + tst_cap_action(&needadmin); +} + +static void setup(void) +{ + 
verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + + file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_tmpdir = 1, + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; From patchwork Mon Jul 1 15:42:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1954806 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=XeDgVp/F; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=gAs7N5JV; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=XeDgVp/F; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=gAs7N5JV; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; 
helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org)
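Review bot: The E2BIG case in run() of landlock03.c stacks MAX_STACKED_RULESETS rulesets on the test process itself, and a successful landlock_restrict_self cannot be undone, so the restriction outlives the test case: on a second iteration (-i 2) the first call in the loop already fails, TST_EXP_PASS_SILENT reports a failure, and the other cases run under the stacked rulesets. Run that case in a child via SAFE_FORK() (with .forks_child = 1) so every iteration starts unrestricted. The EPERM message "File descriptor doesn't have CAP_SYS_ADMIN" is also misleading, since what run() drops through tst_cap_action(&dropadmin) is the calling process's capability.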
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:13 +0200
Message-Id: <20240701-landlock-v1-8-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 08/10] Add landlock04 test
List-Id: Linux Test Project

From: Andrea Cervesato

This test verifies that all landlock rules are working properly. The way we
do it is to verify that all disabled syscalls are not working but the one we
enabled via specific landlock rules.

Signed-off-by: Andrea Cervesato
--- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 2 + testcases/kernel/syscalls/landlock/Makefile | 5 + testcases/kernel/syscalls/landlock/landlock04.c | 143 +++++++++ testcases/kernel/syscalls/landlock/landlock_exec.c | 9 + .../kernel/syscalls/landlock/landlock_tester.h | 350 +++++++++++++++++++++ 6 files changed, 510 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 1e2d682e3..9acdaf760 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -687,6 +687,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 +landlock04 landlock04 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index f79cd090b..4fe8d7cba 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,3 +1,5 @@ +landlock_exec landlock01 landlock02 landlock03 +landlock04 
diff --git a/testcases/kernel/syscalls/landlock/Makefile b/testcases/kernel/syscalls/landlock/Makefile index 4b3e3fd8f..bdc6bd2d4 100644 --- a/testcases/kernel/syscalls/landlock/Makefile +++ b/testcases/kernel/syscalls/landlock/Makefile @@ -8,3 +8,8 @@ include $(top_srcdir)/include/mk/testcases.mk LDLIBS += -lc include $(top_srcdir)/include/mk/generic_leaf_target.mk + +# the reason why landlock_exec test binary is statically linked, is that +# we can't read libc out of the sandboxed folder once LANDLOCK_ACCESS_FS_EXECUTE +# has been activated +landlock_exec: LDLIBS += -static -fPIC diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c new file mode 100644 index 000000000..1e7c6f3d1 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock04.c 
@@ -0,0 +1,143 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that all landlock rules are working properly. The way we + * do it is to verify that all disabled syscalls are not working but the one we + * enabled via specifc landlock rules. + */ + +#include "landlock_common.h" +#include "landlock_tester.h" + +#define ACCESS_NAME(x) #x + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static struct tvariant { + int access; + char *desc; +} tvariants[] = { + { + LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_EXECUTE) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_WRITE_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_FILE) + }, + { + LANDLOCK_ACCESS_FS_MAKE_CHAR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_CHAR) + }, + { + LANDLOCK_ACCESS_FS_MAKE_BLOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_BLOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_REG, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_REG) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_FIFO, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_FIFO) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SYM, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SYM) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_TRUNCATE) + }, +}; + +static void run(void) +{ + if (!SAFE_FORK()) { + struct tvariant variant = tvariants[tst_variant]; + + tester_run_all_rules(variant.access); + _exit(0); + } +} + +static void setup(void) 
+{ + struct tvariant variant = tvariants[tst_variant]; + + verify_landlock_is_enabled(); + tester_create_tree(); + + tst_res(TINFO, "Testing %s", variant.desc); + + ruleset_attr->handled_access_fs = tester_get_all_rules(); + + apply_landlock_layer( + ruleset_attr, + path_beneath_attr, + SANDBOX_FOLDER, + variant.access); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.13", + .forks_child = 1, + .needs_tmpdir = 1, + .needs_root = 1, + .test_variants = ARRAY_SIZE(tvariants), + .resource_files = (const char *[]) { + TESTAPP, + NULL, + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_MKNOD), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = SANDBOX_FOLDER, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, + .max_runtime = 3600, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_exec.c b/testcases/kernel/syscalls/landlock/landlock_exec.c new file mode 100644 index 000000000..aae5c76b2 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_exec.c @@ -0,0 +1,9 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +int main(void) +{ + return 0; +} diff --git a/testcases/kernel/syscalls/landlock/landlock_tester.h b/testcases/kernel/syscalls/landlock/landlock_tester.h new file mode 100644 index 000000000..89ca085d7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_tester.h 
@@ -0,0 +1,350 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_TESTER_H + +#include "tst_test.h" +#include "lapi/landlock.h" +#include + +#define PERM_MODE 0700 + +#define SANDBOX_FOLDER "sandbox" +#define TESTAPP "landlock_exec" + +#define FILE_EXEC SANDBOX_FOLDER"/"TESTAPP +#define FILE_READ SANDBOX_FOLDER"/file_read" +#define FILE_WRITE SANDBOX_FOLDER"/file_write" +#define FILE_REMOVE SANDBOX_FOLDER"/file_remove" +#define FILE_UNLINK SANDBOX_FOLDER"/file_unlink" +#define FILE_UNLINKAT SANDBOX_FOLDER"/file_unlinkat" +#define FILE_TRUNCATE SANDBOX_FOLDER"/file_truncate" +#define FILE_REGULAR SANDBOX_FOLDER"/regular0" +#define FILE_SOCKET SANDBOX_FOLDER"/socket0" +#define FILE_FIFO SANDBOX_FOLDER"/fifo0" +#define FILE_SYM0 SANDBOX_FOLDER"/symbolic0" +#define FILE_SYM1 SANDBOX_FOLDER"/symbolic1" +#define DIR_READDIR SANDBOX_FOLDER"/dir_readdir" +#define DIR_RMDIR SANDBOX_FOLDER"/dir_rmdir" +#define DEV_CHAR0 SANDBOX_FOLDER"/chardev0" +#define DEV_BLK0 SANDBOX_FOLDER"/blkdev0" + +#define ALL_RULES (\ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM | \ + LANDLOCK_ACCESS_FS_REFER | \ + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_NET_BIND_TCP | \ + LANDLOCK_ACCESS_NET_CONNECT_TCP | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) + +static char *readdir_files[] = { + DIR_READDIR"/file0", + DIR_READDIR"/file1", + DIR_READDIR"/file2", +}; + +static int dev_chr; +static int dev_blk; + +static int tester_get_all_rules(void) +{ + int abi; + int all_rules = ALL_RULES; + + abi = SAFE_LANDLOCK_CREATE_RULESET( + 
NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 2) + all_rules &= ~LANDLOCK_ACCESS_FS_REFER; + + if (abi < 3) + all_rules &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + + if (abi < 4) { + all_rules &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP); + } + + if (abi < 5) + all_rules &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + + return all_rules; +} + +static void tester_create_tree(void) +{ + if (access(SANDBOX_FOLDER, F_OK) == -1) + SAFE_MKDIR(SANDBOX_FOLDER, PERM_MODE); + + /* folders */ + SAFE_MKDIR(DIR_RMDIR, PERM_MODE); + SAFE_MKDIR(DIR_READDIR, PERM_MODE); + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) + SAFE_TOUCH(readdir_files[i], PERM_MODE, NULL); + + /* files */ + tst_fill_file(FILE_READ, 'a', getpagesize(), 1); + SAFE_TOUCH(FILE_WRITE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_REMOVE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINK, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINKAT, PERM_MODE, NULL); + SAFE_TOUCH(FILE_TRUNCATE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_SYM0, PERM_MODE, NULL); + SAFE_CP(TESTAPP, FILE_EXEC); + + /* devices */ + dev_chr = makedev(1, 3); + dev_blk = makedev(7, 0); +} + +static void _test_exec(const int result) +{ + int status; + pid_t pid; + char *const args[] = {(char *)FILE_EXEC, NULL}; + + tst_res(TINFO, "Test binary execution"); + + pid = SAFE_FORK(); + if (!pid) { + int rval; + + if (result == TPASS) { + rval = execve(FILE_EXEC, args, NULL); + if (rval == -1) + tst_res(TFAIL | TERRNO, "Failed to execute test binary"); + } else { + TST_EXP_FAIL(execve(FILE_EXEC, args, NULL), EACCES); + } + + _exit(1); + } + + SAFE_WAITPID(pid, &status, 0); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return; + + tst_res(result, "Test binary has been executed"); +} + +static void _test_write(const int result) +{ + tst_res(TINFO, "Test writing file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_WRITE, O_WRONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_WRITE, O_WRONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + 
SAFE_CLOSE(TST_RET); +} + +static void _test_read(const int result) +{ + tst_res(TINFO, "Test reading file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_READ, O_RDONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_READ, O_RDONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_readdir(const int result) +{ + tst_res(TINFO, "Test reading directory"); + + DIR *dir; + struct dirent *de; + int files_counted = 0; + + dir = opendir(DIR_READDIR); + if (!dir) { + tst_res(result == TPASS ? TFAIL : TPASS, + "Can't read '%s' directory", DIR_READDIR); + + return; + } + + tst_res(result, "Can read '%s' directory", DIR_READDIR); + if (result == TFAIL) + return; + + while ((de = readdir(dir)) != NULL) { + if (de->d_type != DT_REG) + continue; + + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) { + if (readdir_files[i] == NULL) + continue; + + if (strstr(readdir_files[i], de->d_name) != NULL) + files_counted++; + } + } + + SAFE_CLOSEDIR(dir); + + TST_EXP_EQ_LI(files_counted, ARRAY_SIZE(readdir_files)); +} + +static void _test_rmdir(const int result) +{ + tst_res(TINFO, "Test removing directory"); + + if (result == TPASS) + TST_EXP_PASS(rmdir(DIR_RMDIR)); + else + TST_EXP_FAIL(rmdir(DIR_RMDIR), EACCES); +} + +static void _test_rmfile(const int result) +{ + tst_res(TINFO, "Test removing file"); + + if (result == TPASS) { + TST_EXP_PASS(unlink(FILE_UNLINK)); + TST_EXP_PASS(remove(FILE_REMOVE)); + } else { + TST_EXP_FAIL(unlink(FILE_UNLINK), EACCES); + TST_EXP_FAIL(remove(FILE_REMOVE), EACCES); + } +} + +static void _test_make( + const char *path, + const int type, + const int dev, + const int result) +{ + tst_res(TINFO, "Test normal or special files creation"); + + if (result == TPASS) + TST_EXP_PASS(mknod(path, type | 0400, dev)); + else + TST_EXP_FAIL(mknod(path, type | 0400, dev), EACCES); +} + +static void _test_symbolic(const int result) +{ + tst_res(TINFO, "Test symbolic links"); + + if (result == TPASS) + 
TST_EXP_PASS(symlink(FILE_SYM0, FILE_SYM1)); + else + TST_EXP_FAIL(symlink(FILE_SYM0, FILE_SYM1), EACCES); +} + +static void _test_truncate(const int result) +{ + int fd; + + tst_res(TINFO, "Test truncating file"); + + if (result == TPASS) { + TST_EXP_PASS(truncate(FILE_TRUNCATE, 10)); + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY, PERM_MODE)); + if (fd != -1) { + TST_EXP_PASS(ftruncate(fd, 10)); + SAFE_CLOSE(fd); + } + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE)); + if (fd != -1) + SAFE_CLOSE(fd); + } else { + TST_EXP_FAIL(truncate(FILE_TRUNCATE, 10), EACCES); + + fd = open(FILE_TRUNCATE, O_WRONLY, PERM_MODE); + if (fd != -1) { + TST_EXP_FAIL(ftruncate(fd, 10), EACCES); + SAFE_CLOSE(fd); + } + + TST_EXP_FAIL(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE), + EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); + } +} + +static void tester_run_rules(const int rules, const int result) +{ + if (rules & LANDLOCK_ACCESS_FS_EXECUTE) + _test_exec(result); + + if (rules & LANDLOCK_ACCESS_FS_WRITE_FILE) + _test_write(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_FILE) + _test_read(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_DIR) + _test_readdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_DIR) + _test_rmdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_FILE) + _test_rmfile(result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_CHAR) + _test_make(DEV_CHAR0, S_IFCHR, dev_chr, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_BLOCK) + _test_make(DEV_BLK0, S_IFBLK, dev_blk, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_REG) + _test_make(FILE_REGULAR, S_IFREG, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SOCK) + _test_make(FILE_SOCKET, S_IFSOCK, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_FIFO) + _test_make(FILE_FIFO, S_IFIFO, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SYM) + _test_symbolic(result); + + if (rules & LANDLOCK_ACCESS_FS_TRUNCATE) { + if ((tst_kvercmp(6, 2, 0)) < 0) { + tst_res(TINFO, "Skip 
truncate test. Minimum kernel version is 6.2"); + return; + } + + _test_truncate(result); + } +} + +static inline void tester_run_all_rules(const int pass_rules) +{ + int fail_rules; + int all_rules; + + all_rules = tester_get_all_rules(); + fail_rules = all_rules & ~pass_rules; + + tester_run_rules(pass_rules, TPASS); + tester_run_rules(fail_rules, TFAIL); +} + +#endif
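Review bot: In landlock04.c setup(), variant.access is passed to apply_landlock_layer() unfiltered, while handled_access_fs comes from tester_get_all_rules(), which drops LANDLOCK_ACCESS_FS_TRUNCATE when the ABI is below 3. With .min_kver = "5.13" the last tvariants entry therefore requests an access the ruleset does not handle, and landlock_add_rule() rejects an allowed_access that is not a subset of the handled accesses with EINVAL, so unless apply_landlock_layer() masks it the variant breaks in setup instead of being skipped; the tst_kvercmp(6, 2, 0) check in tester_run_rules() is reached too late to help. Suggest testing (variant.access & ~tester_get_all_rules()) in setup() and reporting TCONF for that variant. Separately, run() consumes the tree that setup() builds once (rmdir, unlink, mknod, symlink), so the allowed operation of a variant cannot succeed on a second iteration with -i; either rebuild the tree per iteration or document that the test is single-shot.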
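Review bot: ALL_RULES in landlock_tester.h ORs LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP into a mask that is assigned to handled_access_fs. Those constants belong to handled_access_net and are defined as bits 0 and 1, the same values as LANDLOCK_ACCESS_FS_EXECUTE and LANDLOCK_ACCESS_FS_WRITE_FILE, so the abi < 4 branch of tester_get_all_rules() clears EXECUTE and WRITE_FILE from the filesystem mask on every kernel older than ABI 4. Please drop the two NET flags from ALL_RULES together with the abi < 4 block. Two further points in the same file: the header opens with #ifndef LANDLOCK_TESTER_H but never defines LANDLOCK_TESTER_H, so the include guard has no effect; and tester_run_rules() has no branch for LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_REFER or LANDLOCK_ACCESS_FS_IOCTL_DEV (and tvariants has no entry for them), so those rights are handled but their denial is never checked.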
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:14 +0200
Message-Id: <20240701-landlock-v1-9-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 09/10] Add landlock05 test
From: Andrea Cervesato

This test verifies LANDLOCK_ACCESS_FS_REFER access in the landlock sandbox. The feature is available since kernel 5.19.

Signed-off-by: Andrea Cervesato
Reviewed-by: Li Wang
---
 runtest/syscalls | 1 +
 testcases/kernel/syscalls/landlock/.gitignore | 1 +
 testcases/kernel/syscalls/landlock/landlock05.c | 113 ++++++++++++++++++++++++
 3 files changed, 115 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls index 9acdaf760..a3ade6dc1 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -688,6 +688,7 @@ landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 +landlock05 landlock05 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index 4fe8d7cba..a7ea6be2e 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -3,3 +3,4 @@ landlock01 landlock02 landlock03 landlock04 +landlock05 diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c new file mode 100644 index 000000000..57ed67e9f --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock05.c 
@@ -0,0 +1,113 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_REFER access in the + * landlock sandbox. + * + * [Algorithm] + * + * - apply LANDLOCK_ACCESS_FS_REFER in the folder1 + * - apply LANDLOCK_ACCESS_FS_REFER in the folder2 + * - create folder3 + * - verify that file can be moved from folder1 to folder2 + * - verify that file can't be moved from folder1 to folder3 + */ + +#include "landlock_common.h" + +#define MNTPOINT "sandbox" +#define DIR1 MNTPOINT"/folder1" +#define DIR2 MNTPOINT"/folder2" +#define DIR3 MNTPOINT"/folder3" +#define FILENAME1 DIR1"/file" +#define FILENAME2 DIR2"/file" +#define FILENAME3 DIR3"/file" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static void run(void) +{ + if (!SAFE_FORK()) { + TST_EXP_PASS(rename(FILENAME1, FILENAME2)); + if (TST_RET == -1) + return; + + TST_EXP_FAIL(rename(FILENAME2, FILENAME3), EXDEV); + + _exit(0); + } +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKDIR(DIR1, 0640); + SAFE_MKDIR(DIR2, 0640); + SAFE_MKDIR(DIR3, 0640); + SAFE_TOUCH(FILENAME1, 0640, NULL); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER"); + + ruleset_attr->handled_access_fs = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_REFER; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR1); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR2); + + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.19", + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + 
.needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, +};
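Review bot: In landlock05.c run(), the forked child executes a plain return when the first rename() fails (if (TST_RET == -1) return;), which sends the child back into the test library's loop instead of terminating it; use _exit(0) there, as on the normal path. The [Algorithm] comment also says the file can't be moved from folder1 to folder3, while the code checks rename(FILENAME2, FILENAME3), that is folder2 to folder3, so the comment should be updated to match. Since FILENAME1 is created once in setup() and moved by run(), a second iteration with -i fails the first rename with ENOENT; recreating the file in run() or moving it back at the end would make the test repeatable.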
From: Andrea Cervesato
Date: Mon, 01 Jul 2024 17:42:15 +0200
Message-Id: <20240701-landlock-v1-10-58e9af649a72@suse.com>
References: <20240701-landlock-v1-0-58e9af649a72@suse.com>
In-Reply-To: <20240701-landlock-v1-0-58e9af649a72@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 10/10] Add landlock06 test From: Andrea Cervesato This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the landlock sandbox by creating a pipe and testing that ioctl() can be executed on it. The test is also verifying that some of the I/O operations can be always executed no matter the sandbox rules. This feature is available since kernel 6.10. Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock06.c | 110 ++++++++++++++++++++++++ 3 files changed, 112 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index a3ade6dc1..ebaf8dea4 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -689,6 +689,7 @@ landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 landlock05 landlock05 +landlock06 landlock06 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index a7ea6be2e..315ac1dca 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -4,3 +4,4 @@ landlock02 landlock03 landlock04 landlock05 +landlock06 diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c new file mode 100644 index 000000000..3281c2d2d --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock06.c 
@@ -0,0 +1,110 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the + * landlock sandbox by creating a pipe and testing that ioctl() can be executed + * on it. The test is also verifying that some of the I/O operations can be + * always executed no matter the sandbox rules. + */ + +#include "landlock_common.h" +#include + +#define MNTPOINT "sandbox" +#define FILENAME MNTPOINT"/fifo" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static int file_fd; +static int dev_fd; + +static void run(void) +{ + if (!SAFE_FORK()) { + int flag; + size_t sz = 0; + + TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz)); + + /* check unrestrictable commands */ + TST_EXP_PASS(ioctl(dev_fd, FIOCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag)); + TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag)); + + _exit(0); + } +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKFIFO(FILENAME, 0640); + + file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640); + dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV"); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_layer( + ruleset_attr, + path_beneath_attr, + MNTPOINT, + LANDLOCK_ACCESS_FS_IOCTL_DEV + ); + + SAFE_CLOSE(ruleset_fd); +} + +static void cleanup(void) +{ + if (dev_fd != -1) + SAFE_CLOSE(dev_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .min_kver = "6.10", + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = 
(const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, +};
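Review bot: In run() of landlock06.c, `int flag;` is passed uninitialized to `ioctl(dev_fd, FIONBIO, &flag)` and `ioctl(dev_fd, FIOASYNC, &flag)`, both of which read the integer to decide whether to enable or disable the mode, so the child acts on an indeterminate value; initialize it, for example `int flag = 0;`. In the same file, `file_fd` and `dev_fd` are zero-initialized statics while cleanup() tests `!= -1`, so if cleanup() runs after setup() aborted before the SAFE_OPEN() calls (for instance in verify_landlock_is_enabled()), it closes descriptor 0; declaring both as `-1` avoids that. The `ruleset_fd` returned by SAFE_LANDLOCK_CREATE_RULESET() is only closed and never handed to apply_landlock_layer(), which is given `ruleset_attr` instead, so either that call is redundant or the rule should be added to this descriptor. Finally, every check is a TST_EXP_PASS on descriptors opened in setup() before the layer is applied, so nothing here shows an ioctl() being refused when LANDLOCK_ACCESS_FS_IOCTL_DEV is not granted; adding a denied case on a device opened after the layer is in place would make the test cover the restriction itself and not only the always-allowed commands.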