From patchwork Wed Jul 10 18:01:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958972 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=BTzKVvuw; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=LsJ0J2sd; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=BTzKVvuw; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=LsJ0J2sd; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5PG2LX8z1xpN for ; Thu, 11 Jul 2024 04:05:22 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 221063D0B06 for ; Wed, 10 Jul 2024 20:05:20 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [IPv6:2001:4b78:1:20::6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id D11B73D387A for ; Wed, 10 Jul 2024 20:02:23 +0200 (CEST) Authentication-Results: in-6.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id DB3AB14060A5 for ; Wed, 10 Jul 2024 20:02:19 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 073581F84E; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=As8ay3HIm5emxm7z55JrjZ4UHlYQ0h3j0G6QPGOqSPg=; b=BTzKVvuw2FL9n15boKppWSy54cVFoFzAM4lojt4ZYfmOHg73vxFiJ7eN1M38kpwcW1YktT NrDTgHcHH/+A1jqPF7H4zf7HTkTwCAUHBW+3p5+/fl4bTyK4yxdXqYI0Y22+jPjLfiGsxv YOvbsizzdThoaCj0Zzup8UlqxL1c9uM= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=As8ay3HIm5emxm7z55JrjZ4UHlYQ0h3j0G6QPGOqSPg=; b=LsJ0J2sdLYrKo5L4p3YnoBFx+TyQ89/dkj4L2dN4mtdZLBvwhUnW6btJelbSwcYZ/t5Lxp jyp3dKkgdtOdgMCA== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=BTzKVvuw; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=LsJ0J2sd DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=As8ay3HIm5emxm7z55JrjZ4UHlYQ0h3j0G6QPGOqSPg=; b=BTzKVvuw2FL9n15boKppWSy54cVFoFzAM4lojt4ZYfmOHg73vxFiJ7eN1M38kpwcW1YktT NrDTgHcHH/+A1jqPF7H4zf7HTkTwCAUHBW+3p5+/fl4bTyK4yxdXqYI0Y22+jPjLfiGsxv YOvbsizzdThoaCj0Zzup8UlqxL1c9uM= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=As8ay3HIm5emxm7z55JrjZ4UHlYQ0h3j0G6QPGOqSPg=; b=LsJ0J2sdLYrKo5L4p3YnoBFx+TyQ89/dkj4L2dN4mtdZLBvwhUnW6btJelbSwcYZ/t5Lxp jyp3dKkgdtOdgMCA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id DEDD513942; Wed, 10 Jul 2024 18:02:18 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id iDgeNarMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:18 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:01:56 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-1-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7662; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=U0omUv1OaYCChlqTr9cV14UoTcJ6DOVonEFFqTckFbA=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsydYA1WJz7gjIH9y6hjLqG6TDVqgfaTVHWsH axRUybotQuJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MnQAKCRDLzBqyILPm RnxQC/43cB3Ma3bc133oczj9IWCIUZw4KtH597AH8DxGI7GSCsRtN9B7jZtCEtWrAkPfH/t8J/z +lyJbFLWfqzlHhlQFg+TgQp6jaCTLe0I8eeVMH+/Ori1i+cPgrvJE0CoaKYNnAYxiIWJ31OK4Rw N6ejYhgE9duujusmm6lbQ2+3Xo/9j5OcYEGf2QX2mtSxB7dXaLd5wUZEQ8fPwB10fzU9aTmkoDh VUFRzD5S90cV/kYIbqG83BvvI8kraYDMMlJGKiirorwi6LofbMWvyZXmLAvYDhPPeCqc6Nd3rSt 6u/FU5FDykZ9njYiZnrpzyjynynxrereI/4xhdF+RwT/5hcTvrgciBrdaCo6suC3XsR9+Hq6GND 8MmgzYQ+T7hUbmAZzBIalWBXD/SB26PsGpuEEesOtneIRvnYInZKrZwXptuWqKX3bi702ObPvmv aKYSKSkovhauZWxgNQiJiX9ycQRs1MrtLkNdKhvYa1XyE64BZ2Z0migPI63M9mDCOCKSY= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Rspamd-Queue-Id: 073581F84E X-Spam-Score: -4.51 X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; TO_DN_SOME(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,suse.com:email,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Action: no action X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 01/11] Add landlock syscalls definitions X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- include/lapi/syscalls/aarch64.in | 3 +++ include/lapi/syscalls/arc.in | 3 +++ include/lapi/syscalls/arm.in | 3 +++ include/lapi/syscalls/hppa.in | 3 +++ include/lapi/syscalls/i386.in | 3 +++ include/lapi/syscalls/ia64.in | 3 +++ include/lapi/syscalls/mips_n32.in | 3 +++ include/lapi/syscalls/mips_n64.in | 3 +++ include/lapi/syscalls/mips_o32.in | 3 +++ include/lapi/syscalls/powerpc.in | 3 +++ include/lapi/syscalls/powerpc64.in | 3 +++ include/lapi/syscalls/s390.in | 3 +++ include/lapi/syscalls/s390x.in | 3 +++ include/lapi/syscalls/sh.in | 3 +++ include/lapi/syscalls/sparc.in | 3 +++ include/lapi/syscalls/sparc64.in | 3 +++ include/lapi/syscalls/x86_64.in | 3 +++ 17 files changed, 51 insertions(+) diff --git a/include/lapi/syscalls/aarch64.in b/include/lapi/syscalls/aarch64.in index 2cb6c2d87..3e7797718 100644 --- a/include/lapi/syscalls/aarch64.in +++ b/include/lapi/syscalls/aarch64.in @@ -296,5 +296,8 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 _sysctl 1078 diff --git a/include/lapi/syscalls/arc.in b/include/lapi/syscalls/arc.in index 3e2ee9061..7fde1d263 100644 --- a/include/lapi/syscalls/arc.in +++ b/include/lapi/syscalls/arc.in @@ -316,4 +316,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/arm.in b/include/lapi/syscalls/arm.in index 7bdbca533..693644f83 100644 --- a/include/lapi/syscalls/arm.in +++ b/include/lapi/syscalls/arm.in @@ -394,4 +394,7 @@ pidfd_getfd (__NR_SYSCALL_BASE+438) faccessat2 (__NR_SYSCALL_BASE+439) epoll_pwait2 (__NR_SYSCALL_BASE+441) quotactl_fd (__NR_SYSCALL_BASE+443) +landlock_create_ruleset (__NR_SYSCALL_BASE+444) +landlock_add_rule (__NR_SYSCALL_BASE+445) +landlock_restrict_self (__NR_SYSCALL_BASE+446) futex_waitv (__NR_SYSCALL_BASE+449) diff --git a/include/lapi/syscalls/hppa.in b/include/lapi/syscalls/hppa.in index 8ebdafafb..60c02aff2 100644 --- a/include/lapi/syscalls/hppa.in +++ b/include/lapi/syscalls/hppa.in @@ -43,4 +43,7 @@ close_range 436 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/i386.in b/include/lapi/syscalls/i386.in index 1472631c4..31ec1ecb2 100644 --- a/include/lapi/syscalls/i386.in +++ b/include/lapi/syscalls/i386.in @@ -430,4 +430,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/ia64.in b/include/lapi/syscalls/ia64.in index 0ea6e9722..2e56da7f9 100644 --- a/include/lapi/syscalls/ia64.in +++ b/include/lapi/syscalls/ia64.in @@ -343,4 +343,7 @@ pidfd_getfd 1462 faccessat2 1463 epoll_pwait2 1465 quotactl_fd 1467 +landlock_create_ruleset 1468 +landlock_add_rule 1469 +landlock_restrict_self 1470 futex_waitv 1473 diff --git a/include/lapi/syscalls/mips_n32.in b/include/lapi/syscalls/mips_n32.in index e818c9d92..5f0fe65eb 100644 --- a/include/lapi/syscalls/mips_n32.in +++ b/include/lapi/syscalls/mips_n32.in @@ -370,4 +370,7 @@ process_madvise 6440 epoll_pwait2 6441 mount_setattr 6442 quotactl_fd 6443 +landlock_create_ruleset 6444 +landlock_add_rule 6445 +landlock_restrict_self 6446 futex_waitv 6449 diff --git a/include/lapi/syscalls/mips_n64.in b/include/lapi/syscalls/mips_n64.in index 6e15f43b3..f81c60e66 100644 --- a/include/lapi/syscalls/mips_n64.in +++ b/include/lapi/syscalls/mips_n64.in @@ -346,4 +346,7 @@ process_madvise 5440 epoll_pwait2 5441 mount_setattr 5442 quotactl_fd 5443 +landlock_create_ruleset 5444 +landlock_add_rule 5445 +landlock_restrict_self 5446 futex_waitv 5449 diff --git a/include/lapi/syscalls/mips_o32.in b/include/lapi/syscalls/mips_o32.in index 921d5d331..c2beffb75 100644 --- a/include/lapi/syscalls/mips_o32.in +++ b/include/lapi/syscalls/mips_o32.in @@ -416,4 +416,7 @@ process_madvise 4440 epoll_pwait2 4441 mount_setattr 4442 quotactl_fd 4443 +landlock_create_ruleset 4444 +landlock_add_rule 4445 +landlock_restrict_self 4446 futex_waitv 4449 diff --git a/include/lapi/syscalls/powerpc.in b/include/lapi/syscalls/powerpc.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc.in +++ b/include/lapi/syscalls/powerpc.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/powerpc64.in b/include/lapi/syscalls/powerpc64.in index 545d9d3d6..5460e4197 100644 --- a/include/lapi/syscalls/powerpc64.in +++ b/include/lapi/syscalls/powerpc64.in @@ -423,4 +423,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/s390.in b/include/lapi/syscalls/s390.in index 7213ac5f8..275b27f47 100644 --- a/include/lapi/syscalls/s390.in +++ b/include/lapi/syscalls/s390.in @@ -410,4 +410,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/s390x.in b/include/lapi/syscalls/s390x.in index 879012e2b..c200d02b2 100644 --- a/include/lapi/syscalls/s390x.in +++ b/include/lapi/syscalls/s390x.in @@ -358,4 +358,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sh.in b/include/lapi/syscalls/sh.in index 7d5192a27..6f482a77b 100644 --- a/include/lapi/syscalls/sh.in +++ b/include/lapi/syscalls/sh.in @@ -404,4 +404,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc.in b/include/lapi/syscalls/sparc.in index 91d2fb1c2..7181e80a0 100644 --- a/include/lapi/syscalls/sparc.in +++ b/include/lapi/syscalls/sparc.in @@ -409,4 +409,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/sparc64.in b/include/lapi/syscalls/sparc64.in index 1f2fc59b7..c96ab2021 100644 --- a/include/lapi/syscalls/sparc64.in +++ b/include/lapi/syscalls/sparc64.in @@ -374,4 +374,7 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 diff --git a/include/lapi/syscalls/x86_64.in b/include/lapi/syscalls/x86_64.in index dc61aa56e..3082ca110 100644 --- a/include/lapi/syscalls/x86_64.in +++ b/include/lapi/syscalls/x86_64.in @@ -351,6 +351,9 @@ pidfd_getfd 438 faccessat2 439 epoll_pwait2 441 quotactl_fd 443 +landlock_create_ruleset 444 +landlock_add_rule 445 +landlock_restrict_self 446 futex_waitv 449 rt_sigaction 512 rt_sigreturn 513 From patchwork Wed Jul 10 18:01:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958963 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=YQacwYVK; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=F8fRfjb6; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=YQacwYVK; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=F8fRfjb6; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5L92StFz1xpd for ; Thu, 11 Jul 2024 04:02:41 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 192713D38D3 for ; Wed, 10 Jul 2024 20:02:39 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [217.194.8.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id BAAA23D073A for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Authentication-Results: in-3.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.130; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-3.smtp.seeweb.it (Postfix) with ESMTPS id E95561A0199B for ; Wed, 10 Jul 2024 20:02:19 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 2083D21BEC; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vm2AJvkraYOL74Iwtnjcb+jGQdkRSLGhlPZebJXMEhY=; b=YQacwYVKa9CQiaLPM/76qSPdvuSH6fjmtNCHwscP3BqTh/BvOXwsTyhz0yMYmDkclKVnrQ ohoWw4ADPf1HCrrkY9QnukKgx/qSWwWUPDJps5AbPCnxhJl3fwzAobkii5xIEJAX5BphVq 6BmdsJ2kqxRvXAbvoE05gLC/NTLpyXg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vm2AJvkraYOL74Iwtnjcb+jGQdkRSLGhlPZebJXMEhY=; b=F8fRfjb6ubQB1+mSSgGXcHCnqwENIjZhWiXmNrxBkJUQJbYYo22oTtRsCpC5ItR/dXUZx/ mxN2wPdWXb1670Aw== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vm2AJvkraYOL74Iwtnjcb+jGQdkRSLGhlPZebJXMEhY=; b=YQacwYVKa9CQiaLPM/76qSPdvuSH6fjmtNCHwscP3BqTh/BvOXwsTyhz0yMYmDkclKVnrQ ohoWw4ADPf1HCrrkY9QnukKgx/qSWwWUPDJps5AbPCnxhJl3fwzAobkii5xIEJAX5BphVq 6BmdsJ2kqxRvXAbvoE05gLC/NTLpyXg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vm2AJvkraYOL74Iwtnjcb+jGQdkRSLGhlPZebJXMEhY=; b=F8fRfjb6ubQB1+mSSgGXcHCnqwENIjZhWiXmNrxBkJUQJbYYo22oTtRsCpC5ItR/dXUZx/ mxN2wPdWXb1670Aw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 06E8A13A7F; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id wGpmAKvMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:01:57 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-2-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5266; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=PIlr3YNUI4JK/TLFWWC7ua6B3VDbex9F79cx4cd/XY8=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsydA0OlmTPR6n2TCMw+piZrcqvFf4d6dg0Oz 5/WkGC1ZM+JAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MnQAKCRDLzBqyILPm RtolC/9zyMnDiA3NotRy6ptj6jj6wUgRYoenRz4YezLP5XzfFxbks4YPQeTapm5Y7+zsw0BCWx7 X4UyoaAQEP1eTMVzlSIaxvzGs9ExkDQ2NSks5eZt3JgMHGoTPCmYpmCEj32FT2uPcy6eMsaeJ6O vqZXa2x8FQtUo1e15KVySVHSAoQ8inVL85kvk19Je+DztJ9GRuuaJLnMh7W4or1btmwrdqICbHU sMNNBbBezs6APTAI4HBZCpZV8V1aNP4d4iLZgJnbfzqUVyaeuMlh+M5QT1v0DprzCdONctX3V3u xw8Qh+EDlejrsVlX5Y2V9SGIUxCEq3RIEFXvEGmndypSiFRErI2wVkIMy1GhT+tb1ooG8SO3gCv mMBya14SPCOUD1SGtlx+ux5rI6sdkh5bb31dfUqOPV6S3DGdKzzg1x8Cand0TGg/d+d5+shXhbY o1HNIj+6GtQY08n9oyC2X6PQSBxBQnaAtZ7+VDrEr3U96U40lzbcKxahcMy+p88/KkV44= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spam-Score: -4.30 X-Spam-Level: X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-0.999]; MIME_GOOD(-0.10)[text/plain]; FUZZY_BLOCKED(0.00)[rspamd.com]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; RCVD_VIA_SMTP_AUTH(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,imap1.dmz-prg2.suse.org:helo] X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-3.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-3.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 02/11] Add lapi/landlock.h fallback X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- configure.ac | 6 +++ include/lapi/landlock.h | 123 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 129 insertions(+) diff --git a/configure.ac b/configure.ac index 82969b8d3..1f8796c87 100644 --- a/configure.ac +++ b/configure.ac @@ -60,6 +60,7 @@ AC_CHECK_HEADERS_ONCE([ \ linux/io_uring.h \ linux/ioprio.h \ linux/keyctl.h \ + linux/landlock.h \ linux/mempolicy.h \ linux/module.h \ linux/mount.h \ @@ -157,6 +158,7 @@ AC_CHECK_FUNCS_ONCE([ \ AC_CHECK_FUNCS(mkdtemp,[],AC_MSG_ERROR(mkdtemp() not found!)) AC_CHECK_MEMBERS([struct fanotify_event_info_fid.fsid.__val],,,[#include ]) +AC_CHECK_MEMBERS([struct landlock_ruleset_attr.handled_access_net],,,[#include ]) AC_CHECK_MEMBERS([struct perf_event_mmap_page.aux_head],,,[#include ]) AC_CHECK_MEMBERS([struct sigaction.sa_sigaction],[],[],[#include ]) AC_CHECK_MEMBERS([struct statx.stx_mnt_id, struct statx.stx_dio_mem_align],,,[ @@ -170,6 +172,7 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[ ]) AC_CHECK_TYPES([enum kcmp_type],,,[#include ]) +AC_CHECK_TYPES([enum landlock_rule_type],,,[#include ]) AC_CHECK_TYPES([struct acct_v3],,,[#include ]) AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include ]) AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error, @@ -190,6 +193,9 @@ AC_CHECK_TYPES([struct if_nextdqblk],,,[#include ]) AC_CHECK_TYPES([struct iovec],,,[#include ]) AC_CHECK_TYPES([struct ipc64_perm],,,[#include ]) AC_CHECK_TYPES([struct loop_config],,,[#include ]) +AC_CHECK_TYPES([struct landlock_ruleset_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_path_beneath_attr],,,[#include ]) +AC_CHECK_TYPES([struct landlock_net_port_attr],,,[#include ]) AC_CHECK_TYPES([struct mmsghdr],,,[ #define _GNU_SOURCE diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h new file mode 100644 index 000000000..2ee51b340 --- /dev/null +++ b/include/lapi/landlock.h @@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LAPI_LANDLOCK_H__ +#define LAPI_LANDLOCK_H__ + +#include "config.h" + +#ifdef HAVE_LINUX_LANDLOCK_H +# include +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR +struct landlock_ruleset_attr +{ + uint64_t handled_access_fs; + uint64_t handled_access_net; +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR +struct landlock_path_beneath_attr +{ + uint64_t allowed_access; + int32_t parent_fd; +} __attribute__((packed)); +#endif + +#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE +enum landlock_rule_type +{ + LANDLOCK_RULE_PATH_BENEATH = 1, + LANDLOCK_RULE_NET_PORT, +}; +#endif + +#ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR +struct landlock_net_port_attr +{ + uint64_t allowed_access; + uint64_t port; +}; +#endif + +#ifndef LANDLOCK_CREATE_RULESET_VERSION +# define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_EXECUTE +# define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE +# define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_FILE +# define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) +#endif + +#ifndef LANDLOCK_ACCESS_FS_READ_DIR +# define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_DIR +# define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REMOVE_FILE +# define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_CHAR +# define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_DIR +# define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_REG +# define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SOCK +# define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_FIFO +# define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_BLOCK +# define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11) +#endif + +#ifndef LANDLOCK_ACCESS_FS_MAKE_SYM +# define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) +#endif + +#ifndef LANDLOCK_ACCESS_FS_REFER +# define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) +#endif + +#ifndef LANDLOCK_ACCESS_FS_TRUNCATE +# define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#endif + +#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV +# define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) +#endif + +#ifndef LANDLOCK_ACCESS_NET_BIND_TCP +# define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) +#endif + +#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP +# define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) +#endif + +#endif From patchwork Wed Jul 10 18:01:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958962 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=gA6baUJG; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=iJuP3j+I; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=gA6baUJG; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=iJuP3j+I; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5Ks2NnDz1xpd for ; Thu, 11 Jul 2024 04:02:25 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id EFE603D386B for ; Wed, 10 Jul 2024 20:02:22 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [IPv6:2001:4b78:1:20::4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 70C743D073A for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Authentication-Results: in-4.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id D10781007C86 for ; Wed, 10 Jul 2024 20:02:19 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 38E001F851; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xzrWvInCh61FwiyZVot96/S93WEOFLlda4g1a8Rvbtg=; b=gA6baUJGd0Hj3qbXZgoeGJx8eTVZs3r6RV/r/IidlW7nZlUzuXe3uxYy3LBXUP7lWi3lnI yX7oldH5yK3iISGauTlYeRRCSh/e5UA9dObDoYz4QF3V03fCPBXZ2b+AsiBvtJF93isi+Z zvjG/axhAQNIHnjY0GD+r5Pa6FZa1C4= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xzrWvInCh61FwiyZVot96/S93WEOFLlda4g1a8Rvbtg=; b=iJuP3j+IeICbprnkXd3nQkQNxNrPRH63/sdievmYISw6Jumo09n5zK9gN3Wb8vmi4pqp12 6X7sdF/DVEOfQmDg== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=gA6baUJG; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=iJuP3j+I DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xzrWvInCh61FwiyZVot96/S93WEOFLlda4g1a8Rvbtg=; b=gA6baUJGd0Hj3qbXZgoeGJx8eTVZs3r6RV/r/IidlW7nZlUzuXe3uxYy3LBXUP7lWi3lnI yX7oldH5yK3iISGauTlYeRRCSh/e5UA9dObDoYz4QF3V03fCPBXZ2b+AsiBvtJF93isi+Z zvjG/axhAQNIHnjY0GD+r5Pa6FZa1C4= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xzrWvInCh61FwiyZVot96/S93WEOFLlda4g1a8Rvbtg=; b=iJuP3j+IeICbprnkXd3nQkQNxNrPRH63/sdievmYISw6Jumo09n5zK9gN3Wb8vmi4pqp12 6X7sdF/DVEOfQmDg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 229C413ABC; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id kIsjB6vMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:01:58 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-3-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2466; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=ykWuBdEgfNf7D56fkwQsx2Fd28bSbk9Xmt+WjsB/+7Q=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyeFSCHnVU24UjJOGG/X4Ku6v0w0cvf/kfos Wz2edBwx5aJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm Rm3SC/0Xy/Ta3C9+1UU7lmGtcPvAvHyo/YFur2LPyVr03QW7/47znaxXZLbQkfIjlEYt3iIV2Wg zl/SUrtrgZoK6MYkVJx/0wN/ZKm5z+IE7gs5XAodcdfLKiBVjD9ZecraqpueKPmdLQ1Zvt8/Vhm CM+/A62gi4037i9p030QAXZloRy/i55EkEn3oGZoXodw6kng2W09IEoL8rkKo6RHcPQrB/nFkRx 73GplvK/5jZLrhhm6gSdhzEflYBG9YIIs5Cfa5ftZ8kUoKGg48FkXTmCC4pP1I2E9fgjVNft9Vn G6Bl1b7NuIfcwGav794Ko/0HNxc6H3eOiFw6yam4OuhX4uyGOT4+4jM0FIcOsLnumDDhh6gYAOF 2kLoE2vbhD5PbTxVIVNDU8ix7CuQfueRPsre8dBfSkt28szzjirLJoWHbco2dNoYOawkXrU+HR3 omX8eYy7lKdQBmHCvPJZ+Tah7NKC1V8pIWdNRwE5Ee2ee4qZE5ixI6iaM4Di2CncNnbU0= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; TO_DN_SOME(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.de:dkim,suse.com:email]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Action: no action X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Queue-Id: 38E001F851 X-Spam-Score: -4.51 X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-4.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-4.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 03/11] Added three more SAFE_* macros for landlock sandbox: X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato - SAFE_LANDLOCK_CREATE_RULESET - SAFE_LANDLOCK_ADD_RULE - SAFE_LANDLOCK_RESTRICT_SELF Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- include/lapi/landlock.h | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h index 2ee51b340..6d85eb12e 100644 --- a/include/lapi/landlock.h +++ b/include/lapi/landlock.h @@ -12,6 +12,8 @@ # include #endif +#include "lapi/syscalls.h" + #ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR struct landlock_ruleset_attr { @@ -120,4 +122,63 @@ struct landlock_net_port_attr # define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) #endif +static inline int safe_landlock_create_ruleset(const char *file, const int lineno, + const struct landlock_ruleset_attr *attr, + size_t size , uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_create_ruleset, attr, size, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_create_ruleset(%p, %lu, %u)", + attr, size, flags); + } + + return rval; +} + +static inline int safe_landlock_add_rule(const char *file, const int lineno, + int ruleset_fd, enum landlock_rule_type rule_type, + const void *rule_attr, uint32_t flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_add_rule, + ruleset_fd, rule_type, rule_attr, flags); + + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_add_rule(%d, %d, %p, %u)", + ruleset_fd, rule_type, rule_attr, flags); + } + + return rval; +} + +static inline int safe_landlock_restrict_self(const char *file, const int lineno, + int ruleset_fd, int flags) +{ + int rval; + + rval = tst_syscall(__NR_landlock_restrict_self, ruleset_fd, flags); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "landlock_restrict_self(%d, %u)", + ruleset_fd, flags); + } + + return rval; +} + +#define SAFE_LANDLOCK_CREATE_RULESET(attr, size, flags) \ + safe_landlock_create_ruleset(__FILE__, __LINE__, (attr), (size), (flags)) + +#define SAFE_LANDLOCK_ADD_RULE(ruleset_fd, rule_type, rule_attr, flags) \ + safe_landlock_add_rule(__FILE__, __LINE__, \ + (ruleset_fd), (rule_type), (rule_attr), (flags)) + +#define SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, flags) \ + safe_landlock_restrict_self(__FILE__, __LINE__, (ruleset_fd), (flags)) + #endif From patchwork Wed Jul 10 18:01:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958964 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=yeHdfKpg; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=P7ycokpS; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=yeHdfKpg; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=P7ycokpS; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5LT2qXBz1xpd for ; Thu, 11 Jul 2024 04:02:57 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 354BE3D38F1 for ; Wed, 10 Jul 2024 20:02:55 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-7.smtp.seeweb.it (in-7.smtp.seeweb.it [IPv6:2001:4b78:1:20::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id D2DDD3D0B0F for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Authentication-Results: in-7.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-7.smtp.seeweb.it (Postfix) with ESMTPS id E1FA220819C for ; Wed, 10 Jul 2024 20:02:19 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 55F161FB55; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r9BvmrVXMCyppbaf5Wn62XLNZV3L5BR1kKs2XDBWFfs=; b=yeHdfKpgj4w9XF2fSPDb9ZWxHQHEsfjibSFF5GaH/gV4aqtZzsH8niaK+j9eVXnWuileOG rujaJZEMjCD7J49UHEkDxWOfsSS3nlZbCDoRXV3lG7mwKx8O/mgVkY/x3ELuLWWAf0XWWo 21024c+irlo3Yfxpw6M6XPCQE/8mWaI= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r9BvmrVXMCyppbaf5Wn62XLNZV3L5BR1kKs2XDBWFfs=; b=P7ycokpStNxWVjK4PLdcwPiLJgjgNSRIYiEmC0w2FLkCCOWMKrP4HeJ+n5biINjVtWB3DB 7QmVQfUfEwfR+QAQ== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=yeHdfKpg; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=P7ycokpS DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r9BvmrVXMCyppbaf5Wn62XLNZV3L5BR1kKs2XDBWFfs=; b=yeHdfKpgj4w9XF2fSPDb9ZWxHQHEsfjibSFF5GaH/gV4aqtZzsH8niaK+j9eVXnWuileOG rujaJZEMjCD7J49UHEkDxWOfsSS3nlZbCDoRXV3lG7mwKx8O/mgVkY/x3ELuLWWAf0XWWo 21024c+irlo3Yfxpw6M6XPCQE/8mWaI= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=r9BvmrVXMCyppbaf5Wn62XLNZV3L5BR1kKs2XDBWFfs=; b=P7ycokpStNxWVjK4PLdcwPiLJgjgNSRIYiEmC0w2FLkCCOWMKrP4HeJ+n5biINjVtWB3DB 7QmVQfUfEwfR+QAQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 3F01B137D2; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id wF4UDqvMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:01:59 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-4-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1756; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=T7tHaRlEgGRHiBMGbKNiyTpuc+0hqp/7GV5XapEXOls=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyeAR5RZ9nWuHS/cCUd//XUARDP/7vi5vudE WYzv6GEwLGJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm RrfmC/4jSfUQCbebNDSQLv5E+6N/vEngnnGxRfAxT4IeaKvfo8F4PnkkAhXtfqBnjX9LtnBqONE 1z46uTZmWNKpDZH6yEGDFY3DPpJg8qLhZ77ho5t2euimLBMP3ZgC31B1MxZxScSoOO1HRBGVRTz sIhFVCCLW6llH1AUZ9HBT/HZukEIev6k5Pfvgt+alXMhY2gwAE9CtG2/Cuf/W/VoAiwS3ezjwc3 rJeULxxmTQnMYQEq/6wBWUxsxqKSPSBQS2GC9zBgN8cph7YvdOHoCcHlJpo0kCgtbR0JvgxNFRN 7gqLkpJ9VMK2US0FCxiq8tfAHDdmpIBPvNm4Y60SniGmybCCiPl/9zzRY+MteCamwvs21tSz5Wz JM81Ica5x6DQ0fQ+U3dRzFIgLkJ0KXeZG1cH4IcTBw8XzN3U0YhLjR/74Kldy6rMiesEflGHxxM cTSjAmbWt6KWQI9IMeG3xFZr3+ZvSvHSTWvfBwFbag61tpzw7q71OyghhZ0ZKVjIEY7u4= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Rspamd-Queue-Id: 55F161FB55 X-Spam-Score: -4.51 X-Spam-Level: X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; TO_DN_SOME(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.com:email,suse.de:dkim]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Action: no action X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-7.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-7.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 04/11] Add SAFE_PRCTL macro X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato --- include/tst_safe_macros.h | 6 ++++++ lib/tst_safe_macros.c | 17 +++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h index 08b8e930a..92b9bc119 100644 --- a/include/tst_safe_macros.h +++ b/include/tst_safe_macros.h @@ -503,4 +503,10 @@ int safe_sscanf(const char *file, const int lineno, const char *restrict buffer, #define SAFE_SSCANF(buffer, format, ...) \ safe_sscanf(__FILE__, __LINE__, (buffer), (format), ##__VA_ARGS__) +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5); +#define SAFE_PRCTL(option, arg2, arg3, arg4, arg5) \ + safe_prctl(__FILE__, __LINE__, (option), (arg2), (arg3), (arg4), (arg5)) + #endif /* TST_SAFE_MACROS_H__ */ diff --git a/lib/tst_safe_macros.c b/lib/tst_safe_macros.c index 4e48c427b..9301f3dd2 100644 --- a/lib/tst_safe_macros.c +++ b/lib/tst_safe_macros.c @@ -10,6 +10,7 @@ #include #include #include +#include #include "config.h" #ifdef HAVE_SYS_FANOTIFY_H # include @@ -710,3 +711,19 @@ int safe_mprotect(const char *file, const int lineno, return rval; } + +int safe_prctl(const char *file, const int lineno, + int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + int rval; + + rval = prctl(option, arg2, arg3, arg4, arg5); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "prctl(%d, %lu, %lu, %lu, %lu)", + option, arg2, arg3, arg4, arg5); + } + + return rval; +} From patchwork Wed Jul 10 18:02:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958966 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=shJB7srM; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=JcILdc3W; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=shJB7srM; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=JcILdc3W; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5MB5Dsqz1xpd for ; Thu, 11 Jul 2024 04:03:34 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 713D73D3879 for ; Wed, 10 Jul 2024 20:03:32 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-2.smtp.seeweb.it (in-2.smtp.seeweb.it [IPv6:2001:4b78:1:20::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 1EA733D0B0F for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Authentication-Results: in-2.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-2.smtp.seeweb.it (Postfix) with ESMTPS id EA37E60281D for ; Wed, 10 Jul 2024 20:02:19 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 7747E1FCD9; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bqaHv+Iv/WeXlJgg0aFzwOACzkQzBjwQLVzM9NfnMHQ=; b=shJB7srMLIDEnd+s9yvKiYaQ7uUTObF13jKiiEx2UQVa8/KaIpp8oG9vB0O5Q4qdJxQG0M pPDZpEh+rhgbqOopKRQ0tguFVfL85HUfi7qipKXuXNuJZ27+BjaxjrM0kuby9pReUMpPWV 38yWvXofjBYiE1OgnIcSE4p1pZuihcA= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bqaHv+Iv/WeXlJgg0aFzwOACzkQzBjwQLVzM9NfnMHQ=; b=JcILdc3WNfyWWN2D+M1PW7JTP4XwPWdYUJqVKMieywNL0eqQ5+HGAt7p9DZh2mGrrBN3tp f/ubbBlFrsrgYbBg== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=shJB7srM; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=JcILdc3W DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bqaHv+Iv/WeXlJgg0aFzwOACzkQzBjwQLVzM9NfnMHQ=; b=shJB7srMLIDEnd+s9yvKiYaQ7uUTObF13jKiiEx2UQVa8/KaIpp8oG9vB0O5Q4qdJxQG0M pPDZpEh+rhgbqOopKRQ0tguFVfL85HUfi7qipKXuXNuJZ27+BjaxjrM0kuby9pReUMpPWV 38yWvXofjBYiE1OgnIcSE4p1pZuihcA= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bqaHv+Iv/WeXlJgg0aFzwOACzkQzBjwQLVzM9NfnMHQ=; b=JcILdc3WNfyWWN2D+M1PW7JTP4XwPWdYUJqVKMieywNL0eqQ5+HGAt7p9DZh2mGrrBN3tp f/ubbBlFrsrgYbBg== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 5AD3913942; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id kH7mFKvMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:00 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-5-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6650; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=FZf2hhjKM8DtalE29v+BLL7XqC+LJQXVb38N+QYvZiY=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyeWzR08+0O5WcXel3Nf9hLcF6kaxUmYwxtI Hn1scYrfZ2JAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm Rs07C/4oPtF3xUCy6dVNdAXwVN2wsLXJnOjHpBVge4K/XzwpOb41UkgWfrnGBv6aXeqLi8fB37E PDc45nwSa+B3aoD3CDvSMSU7RadMkhvHcyIHdzHZwcXrkbeS4dO0/BCoqG6Rdh/Mb6oTSrZuB6a RvRRKJZeH+xayar92igAh+DIzOvTgIBPuba9mW74Y4wyez8NTdats0a6usQYcM6vh9SIjsZDvCq IJB9+eiT/sT4BL9BuxYyZvzrH4WqgrsPoRv139JRQpMRAbbH5r1TS6XwmatJfWfniGcxBI9n7FL 5cLIm3UV1TMIjSPbXB/gPzA8w/2xjcb/21xst2+FWvxbmR+4H/jw6eW+L44eX1u6JT8Ou/IAr1l XSyQXVYBgft2sMS6DTtr4LZhNUBYOSNzSUp2lY8OBobNBjvuQ0yTVlgAt5X69braVj2jvc3bCKw zO2PANlrUU02HeI5l2vkfcU3EJBBohX15ZFDMWiY9cXN+HUKvpG1T6vwn5anyk9/TWnMg= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,suse.com:email,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Action: no action X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Queue-Id: 7747E1FCD9 X-Spam-Score: -4.51 X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-2.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-2.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 05/11] Add landlock01 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies that landlock_create_ruleset syscall fails with the right error codes: - EINVAL Unknown flags, or unknown access, or too small size - E2BIG size is too big - EFAULT attr was not a valid address - ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0) Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- runtest/syscalls | 2 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/Makefile | 7 ++ testcases/kernel/syscalls/landlock/landlock01.c | 92 ++++++++++++++++++++++ .../kernel/syscalls/landlock/landlock_common.h | 74 +++++++++++++++++ 5 files changed, 176 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index b6cadb2df..667e419a3 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -684,6 +684,8 @@ kill11 kill11 kill12 kill12 kill13 kill13 +landlock01 landlock01 + lchown01 lchown01 lchown01_16 lchown01_16 lchown02 lchown02 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore new file mode 100644 index 000000000..b69f9b94a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -0,0 +1 @@ +landlock01 diff --git a/testcases/kernel/syscalls/landlock/Makefile b/testcases/kernel/syscalls/landlock/Makefile new file mode 100644 index 000000000..8cf1b9024 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/Makefile @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2024 SUSE LLC Andrea Cervesato + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c new file mode 100644 index 000000000..90f338fb0 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock01.c @@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_create_ruleset syscall fails with the right + * error codes: + * + * - EINVAL Unknown flags, or unknown access, or too small size + * - E2BIG size is too big + * - EFAULT attr was not a valid address + * - ENOMSG Empty accesses (i.e., attr->handled_access_fs is 0) + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_ruleset_attr *null_attr; +static size_t rule_size; +static size_t rule_small_size; +static size_t rule_big_size; + +static struct tcase { + struct landlock_ruleset_attr **attr; + uint64_t access_fs; + size_t *size; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_attr, -1, &rule_size, 0, EINVAL, "Unknown access"}, + {&ruleset_attr, 0, &rule_small_size, 0, EINVAL, "Size is too small"}, + {&ruleset_attr, 0, &rule_size, -1, EINVAL, "Unknown flags"}, + {&ruleset_attr, 0, &rule_big_size, 0, E2BIG, "Size is too big"}, + {&null_attr, 0, &rule_size, 0, EFAULT, "Invalid attr address"}, + {&ruleset_attr, 0, &rule_size, 0, ENOMSG, "Empty accesses"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (*tc->attr) + (*tc->attr)->handled_access_fs = tc->access_fs; + + TST_EXP_FAIL(tst_syscall(__NR_landlock_create_ruleset, + *tc->attr, *tc->size, tc->flags), + tc->exp_errno, + "%s", + tc->msg); + + if (TST_RET >= 0) + SAFE_CLOSE(TST_RET); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + rule_size = sizeof(struct landlock_ruleset_attr); + +#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET + rule_small_size = rule_size - sizeof(uint64_t); +#else + rule_small_size = rule_size - 1; +#endif + + rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1; +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h new file mode 100644 index 000000000..66f8fd19a --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -0,0 +1,74 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_COMMON_H + +#include "tst_test.h" +#include "lapi/prctl.h" +#include "lapi/fcntl.h" +#include "lapi/landlock.h" + +static inline void verify_landlock_is_enabled(void) +{ + int abi; + + abi = tst_syscall(__NR_landlock_create_ruleset, + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 0) { + if (errno == EOPNOTSUPP) { + tst_brk(TCONF, "Landlock is currently disabled. " + "Please enable it either via CONFIG_LSM or " + "'lsm' kernel parameter."); + } + + tst_brk(TBROK | TERRNO, "landlock_create_ruleset error"); + } + + tst_res(TINFO, "Landlock ABI v%d", abi); +} + +static inline void apply_landlock_rule( + struct landlock_path_beneath_attr *path_beneath_attr, + const int ruleset_fd, + const int access, + const char *path) +{ + path_beneath_attr->allowed_access = access; + path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); +} + +static inline void enforce_ruleset(const int ruleset_fd) +{ + SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); +} + +static inline void apply_landlock_layer( + struct landlock_ruleset_attr *ruleset_attr, + struct landlock_path_beneath_attr *path_beneath_attr, + const char *path, + const int access) +{ + int ruleset_fd; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path); + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +#endif From patchwork Wed Jul 10 18:02:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958968 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=Htv7M+55; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=kjB654GV; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=Htv7M+55; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=kjB654GV; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5Mv5BpZz1xpd for ; Thu, 11 Jul 2024 04:04:11 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 7620C3D3FD2 for ; Wed, 10 Jul 2024 20:04:09 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [217.194.8.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 622253D073A for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Authentication-Results: in-4.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:1; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2a07:de40:b251:101:10:150:64:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id B2EAC1007C95 for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 96E6021BF1; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TyGT0Y/vEGPZPNmAaPeltdIkPkxSua/Qv+7CrPAY9vY=; b=Htv7M+55U76s8QCIgTT0hrDUPT2FDtXTxZUOgbUUa7MBhSqe0OakYHDj7QvSASfrT6B4IP V44QIMFWq+3GatB2QAmSMIkLyrRFERECDthOdMoORjSig+aAgeycNgIc3w/FAC5u1QpeDE nO+Hg492KDMMRgC+7+gKg5IDvagqgJs= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TyGT0Y/vEGPZPNmAaPeltdIkPkxSua/Qv+7CrPAY9vY=; b=kjB654GVb63kdXw18X9is2wimI2H1Vybg8LJcTZUnehxVVMRDmvlp7OGCapPDjxHhw9dNR opq+QqAnUSRIadBw== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TyGT0Y/vEGPZPNmAaPeltdIkPkxSua/Qv+7CrPAY9vY=; b=Htv7M+55U76s8QCIgTT0hrDUPT2FDtXTxZUOgbUUa7MBhSqe0OakYHDj7QvSASfrT6B4IP V44QIMFWq+3GatB2QAmSMIkLyrRFERECDthOdMoORjSig+aAgeycNgIc3w/FAC5u1QpeDE nO+Hg492KDMMRgC+7+gKg5IDvagqgJs= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TyGT0Y/vEGPZPNmAaPeltdIkPkxSua/Qv+7CrPAY9vY=; b=kjB654GVb63kdXw18X9is2wimI2H1Vybg8LJcTZUnehxVVMRDmvlp7OGCapPDjxHhw9dNR opq+QqAnUSRIadBw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 7C24F137D2; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id sPgCHavMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:01 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-6-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5070; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=e0RkwiMeII0OEPo08C0G8E8ubmaPiBzM5Vxl+KW2RGM=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsye/eG+yXBwcR6EgM/XF70Xw3qLqR1aN0lml rJ0oznNjP+JAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm RmYxC/9ytTb6eJdolg8aDBYSqbK5R8qN9bJi8Jt+4H60e3dHnq1F3kBPEgUswQE9/MRqb4+HUw1 AF0vN7/uwSNjgqGvcOrJC9C8DmJiMKZI1DVQT+mXjgRnM4WqXUnFkpc19d4LkDfCaDrHJz9ZzMQ NffVOMBRyS6unj4oau72z/HxQNo5rHs6LfIH3spTCza4Ypq82gCouHPZhvDkygdO0/Db9OmmUnQ AX929z0WnPUHcTcMi2mZlbv2LjcPNAHrlg64KcK/7DPKYYTAsdWdDAPzV7odBjl2kvksxT2V/wT QbsxWdE4vT0NWeSDhNd0e/FSy0Fmq/DfskBbdmUcjaoyUhBCQ27chyicxXNs7fh4hABwByKiJQ8 2BeqTHisHqEJuUmczCgOvVxHbrVDHjPeGWBYSyHc8x4NcsqEt0Z6hAznkdE37G8VDSDQj4PRdA7 jJ9i4w1Lop5s+UQzrcHaZLBJOPtUM7Ktm73tJ6zGJ82RFVXBrSbhJeo+kLyVtrb/yoMtM= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spam-Score: -4.30 X-Spam-Level: X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.com:email] X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-4.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-4.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 06/11] Add landlock02 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies that landlock_add_rule syscall fails with the right error codes: - EINVAL flags is not 0, or the rule accesses are inconsistent - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0) - EBADF ruleset_fd is not a file descriptor for the current thread, or a member of rule_attr is not a file descriptor as expected - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of rule_attr is not the expected file descriptor type - EFAULT rule_attr was not a valid address Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock02.c | 153 ++++++++++++++++++++++++ 3 files changed, 155 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 667e419a3..25a99e6f1 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -685,6 +685,7 @@ kill12 kill12 kill13 kill13 landlock01 landlock01 +landlock02 landlock02 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index b69f9b94a..ffed4abd2 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1 +1,2 @@ landlock01 +landlock02 diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c new file mode 100644 index 000000000..0e2da7ef5 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -0,0 +1,153 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_add_rule syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0, or the rule accesses are inconsistent + * - ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0) + * - EBADF ruleset_fd is not a file descriptor for the current thread, + * or a member of rule_attr is not a file descriptor as expected + * - EBADFD ruleset_fd is not a ruleset file descriptor, or a member of + * rule_attr is not the expected file descriptor type + * - EFAULT rule_attr was not a valid address + */ + +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static struct landlock_path_beneath_attr *rule_null; +static int ruleset_fd; +static int invalid_fd = -1; + +static struct tcase { + int *fd; + enum landlock_rule_type rule_type; + struct landlock_path_beneath_attr **attr; + int access; + int parent_fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 1, + EINVAL, + "Invalid flags" + }, + { + &ruleset_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EINVAL, + "Invalid rule type" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + 0, + 0, + 0, + ENOMSG, + "Empty accesses" + }, + { + &invalid_fd, + 0, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + 0, + 0, + EBADF, + "Invalid file descriptor" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, + LANDLOCK_ACCESS_FS_EXECUTE, + -1, + 0, + EBADF, + "Invalid parent fd" + }, + { + &ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &rule_null, + 0, + 0, + 0, + EFAULT, + "Invalid rule attr" + }, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (*tc->attr) { + (*tc->attr)->allowed_access = tc->access; + (*tc->attr)->parent_fd = tc->parent_fd; + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_add_rule, + *tc->fd, tc->rule_type, *tc->attr, tc->flags), + tc->exp_errno, + "%s", + tc->msg); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; From patchwork Wed Jul 10 18:02:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958965 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=NVlqj7he; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=8GLRYPXE; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=NVlqj7he; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=8GLRYPXE; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5Ln1Qjhz1xpd for ; Thu, 11 Jul 2024 04:03:13 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 07B293D38F6 for ; Wed, 10 Jul 2024 20:03:11 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id F0CF73D073A for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Authentication-Results: in-6.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.130; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id 3457714060A7 for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id B81D721BF2; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iUbO1hbdVu1HM9hhS/xB7D4ptVEQ8sClRhRF94m1TSU=; b=NVlqj7hec0+K3onYpYZDopxJtyuJV/HOHHtpi057Gvb5uNIZNaq2k1BlFnsBErjtFIDcsU y/sxRGhihsSJqoiO7kr/m9qZZWea1bTqpZllJkZ0VdmCzQE/CTRyxkFYprxXjn/DmpSJKN 04U4YPrjfnj3/coA8r4R/HhdgR/MsDc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iUbO1hbdVu1HM9hhS/xB7D4ptVEQ8sClRhRF94m1TSU=; b=8GLRYPXEdKK41rhYBJoYjUs0CSOimEa29GngWuQbGeZb1HVdmOUPFiee1fUnxChkl0GT9q I1teKstrpyw9J3Bw== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iUbO1hbdVu1HM9hhS/xB7D4ptVEQ8sClRhRF94m1TSU=; b=NVlqj7hec0+K3onYpYZDopxJtyuJV/HOHHtpi057Gvb5uNIZNaq2k1BlFnsBErjtFIDcsU y/sxRGhihsSJqoiO7kr/m9qZZWea1bTqpZllJkZ0VdmCzQE/CTRyxkFYprxXjn/DmpSJKN 04U4YPrjfnj3/coA8r4R/HhdgR/MsDc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iUbO1hbdVu1HM9hhS/xB7D4ptVEQ8sClRhRF94m1TSU=; b=8GLRYPXEdKK41rhYBJoYjUs0CSOimEa29GngWuQbGeZb1HVdmOUPFiee1fUnxChkl0GT9q I1teKstrpyw9J3Bw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 9D61E13942; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 0DcUJavMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:02 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-7-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4615; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=I65CG4OFA8c95lJSnWS2Ev39wVPWqRfrwggdzP/0rIw=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsye/KoT0yDmQbtjX1KwpYkrSyRZGUgCpUYTe IN91EXuX4iJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm RhhfC/90/B+R03V7CntMAtg91moo4Jl7TqEBvK1viOMpVbUtBZDa0/Ao16tepFgViR3c5ZLYDvN O0X5A9Pn5AdUnfqZBB8g1ggmVZvz/mv8B+RXe+hG3hZSurIZHyyMDvsoLOcLsSsKWPqQnGlqJ5m +Onv72GhXdzDP4TTTpuK17BgyCdBs18gOX8mcV2xM1nVNflihE5irs2bKI3DExvgC+uAb3zdOLQ quecxXMBbzZ8LuFjHkOCQ59CziYW0zJtEsT6FhNXAg7O7SyAjNO9w2HqaQNdy6/JyPFzyPLTYHj Cfb9HeVnb8Tkzz94HBaGF2dioFZ3oYkZPaA3JGRQMJL4jUCjpCiYrmPbKHRiVCknm/RwWgG9Kwu XXOAVUU59NbBwuynqZfkrmma8zXkBXUOM1oweG/K/x8xxBXGSY5x1/AOFqzyIDXzhvU2UeC/dsL xSH5vhIc0lP3Acfn+toSBvj1LZrgni0KWxeqpsWld64PgZAyRim35fTb/b2oTP2qUZc+k= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.com:email] X-Spam-Score: -4.30 X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-6.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-6.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 07/11] Add landlock03 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies that landlock_restrict_self syscall fails with the right error codes: - EINVAL flags is not 0 - EBADF ruleset_fd is not a file descriptor for the current thread - EBADFD ruleset_fd is not a ruleset file descriptor - EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace - E2BIG The maximum number of stacked rulesets is reached for the current thread Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock03.c | 119 ++++++++++++++++++++++++ 3 files changed, 121 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 25a99e6f1..269cf24b1 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -686,6 +686,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 +landlock03 landlock03 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index ffed4abd2..f79cd090b 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,2 +1,3 @@ landlock01 landlock02 +landlock03 diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c new file mode 100644 index 000000000..6511e24a7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock03.c @@ -0,0 +1,119 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that landlock_restrict_self syscall fails with the right + * error codes: + * + * - EINVAL flags is not 0 + * - EBADF ruleset_fd is not a file descriptor for the current thread + * - EBADFD ruleset_fd is not a ruleset file descriptor + * - EPERM ruleset doesn't have CAP_SYS_ADMIN in its namespace + * - E2BIG The maximum number of stacked rulesets is reached for the current + * thread + */ + +#include "landlock_common.h" + +#define MAX_STACKED_RULESETS 16 + +static struct landlock_ruleset_attr *ruleset_attr; +static int ruleset_fd = -1; +static int ruleset_invalid = -1; +static int file_fd = -1; + +static struct tst_cap dropadmin = { + .action = TST_CAP_DROP, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tst_cap needadmin = { + .action = TST_CAP_REQ, + .id = CAP_SYS_ADMIN, + .name = "CAP_SYS_ADMIN", +}; + +static struct tcase { + int *fd; + uint32_t flags; + int exp_errno; + char *msg; +} tcases[] = { + {&ruleset_fd, -1, EINVAL, "Invalid flags"}, + {&ruleset_invalid, 0, EBADF, "Invalid file descriptor"}, + {&file_fd, 0, EBADFD, "Not a ruleset file descriptor"}, + {&ruleset_fd, 0, EPERM, "File descriptor doesn't have CAP_SYS_ADMIN"}, + {&ruleset_fd, 0, E2BIG, "Maximum number of stacked rulesets is reached"}, +}; + +static void run(unsigned int n) +{ + struct tcase *tc = &tcases[n]; + + if (tc->exp_errno == EPERM) + tst_cap_action(&dropadmin); + + if (tc->exp_errno == E2BIG) { + for (int i = 0; i < MAX_STACKED_RULESETS; i++) { + TST_EXP_PASS_SILENT(tst_syscall(__NR_landlock_restrict_self, + *tc->fd, tc->flags)); + if (TST_RET == -1) + return; + } + } + + TST_EXP_FAIL(tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags), + tc->exp_errno, + "%s", tc->msg); + + if (tc->exp_errno == EPERM) + tst_cap_action(&needadmin); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE; + + ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset, + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); + + file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(tcases), + .setup = setup, + .cleanup = cleanup, + .min_kver = "5.13", + .needs_tmpdir = 1, + .needs_root = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, +}; From patchwork Wed Jul 10 18:02:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958969 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=AshCEhNj; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=lx2805E9; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=AshCEhNj; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=lx2805E9; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5NK694Fz1xpd for ; Thu, 11 Jul 2024 04:04:33 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 689C23D3953 for ; Wed, 10 Jul 2024 20:04:31 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [IPv6:2001:4b78:1:20::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 2DD7A3D386A for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Authentication-Results: in-3.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:2; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-3.smtp.seeweb.it (Postfix) with ESMTPS id 290DC1A01981 for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id D52C01FCDC; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LL3MUfjhU5KoBwQO1eFr+3tB6DL+se9OifpN+0svvkw=; b=AshCEhNjecaQnGVBbjezbr1/y7M0/r9WJ4rlV/rcRbYMfYD2Evwu1045s/MpAvB4oB08cc Lpv7LyCLy2lmKbh2TnzUIhJXWA9J/95dutbyzs+/bq2k/hcSOJmd/WUexQPsz9fUta4ht6 msPp0mXUPilg/O9G9Fkvjb5yv128lo8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LL3MUfjhU5KoBwQO1eFr+3tB6DL+se9OifpN+0svvkw=; b=lx2805E946/KyCmieOWc9Wv60Rch4X9bo7sKqzjctgcjlx+wP1ne+eoJgU9E5v7ngGZWYt F70/Y5tVV872jsCw== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LL3MUfjhU5KoBwQO1eFr+3tB6DL+se9OifpN+0svvkw=; b=AshCEhNjecaQnGVBbjezbr1/y7M0/r9WJ4rlV/rcRbYMfYD2Evwu1045s/MpAvB4oB08cc Lpv7LyCLy2lmKbh2TnzUIhJXWA9J/95dutbyzs+/bq2k/hcSOJmd/WUexQPsz9fUta4ht6 msPp0mXUPilg/O9G9Fkvjb5yv128lo8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634539; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LL3MUfjhU5KoBwQO1eFr+3tB6DL+se9OifpN+0svvkw=; b=lx2805E946/KyCmieOWc9Wv60Rch4X9bo7sKqzjctgcjlx+wP1ne+eoJgU9E5v7ngGZWYt F70/Y5tVV872jsCw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id BF608137D2; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id YKlfLavMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:03 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-8-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=763; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=4dBf0txYyHkxBTNlYjHZpRF7TwNuDuKi/1tKq5F+cQ4=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyetBoqrxRVkRF6UFpLfV+0hfi0L5d152CH5 o0GHJAXIcqJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm Rpy2C/4ix5Xu3db8Dgqfilavv6T0ZtAh47RuBY3YYpl5vt5RQpJ9xUgy7avBLQmrMOkfRhUvOZO kKDqQcM6CjPZlk+9qPM5XQAbpD+3mv8vL5MeXwRHmKdNEkNXCe4KrcI6k+VYilWHaikuDt3fOlZ IQo1v3UV857EyQ6HI/wW9wH5WGB6BCm24s5zJCFKWimu4T/7HApE6oGVrYfsf4zPqOwi6nK3XqD 3G53vaaZaVJKDo+Bri5r4VkuJPeZy7+yxqAWYLUTKLoS/9s9aFRdVWuTbyGPM38KNU7gT+R+ORv gnr0Y1I0OVgQHtdK1jzA5EHNku9sLMhDxil0uyXACfVXHEIiBLZVLV2DUo9QvfX/oy2m7leUu0O azt7cc4gPVtg1eP703j5c+tpequjJU6Xk5Zk8MPiO4ulJp8DEtGZvwKntvt91q6mGakO5gpw9Gs In3MGhNP3EzoBe3d4GUOgSZw5jqy6OIDopBNfe1fgeAuH3BG0TyMsfB1Zw4fwLWsSJb14= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spam-Score: -4.30 X-Spam-Level: X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-0.999]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.com:email] X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-3.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-3.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 08/11] Add CAP_MKNOD fallback in lapi/capability.h X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato Signed-off-by: Andrea Cervesato Reviewed-by: Li Wang --- include/lapi/capability.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/lapi/capability.h b/include/lapi/capability.h index 2b593797c..0f317d6d7 100644 --- a/include/lapi/capability.h +++ b/include/lapi/capability.h @@ -44,14 +44,18 @@ # define CAP_SYS_TIME 25 #endif -#ifndef CAP_AUDIT_READ -# define CAP_AUDIT_READ 37 -#endif - #ifndef CAP_SYS_RESOURCE # define CAP_SYS_RESOURCE 24 #endif +#ifndef CAP_MKNOD +# define CAP_MKNOD 27 +#endif + +#ifndef CAP_AUDIT_READ +# define CAP_AUDIT_READ 37 +#endif + #ifndef CAP_BPF # define CAP_BPF 39 #endif From patchwork Wed Jul 10 18:02:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958971 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=ELeUzy/J; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=uZWNub8c; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=ELeUzy/J; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=uZWNub8c; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5Nx3Nxgz1xpd for ; Thu, 11 Jul 2024 04:05:05 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 1CD143D3A16 for ; Wed, 10 Jul 2024 20:05:03 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-5.smtp.seeweb.it (in-5.smtp.seeweb.it [IPv6:2001:4b78:1:20::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 26EAA3D388B for ; Wed, 10 Jul 2024 20:02:23 +0200 (CEST) Authentication-Results: in-5.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:1; helo=smtp-out1.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2a07:de40:b251:101:10:150:64:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-5.smtp.seeweb.it (Postfix) with ESMTPS id 6DA64609A39 for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 0203821BF3; Wed, 10 Jul 2024 18:02:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NiquYT62z6r7Qx4rPBHnCs6Nk9SPOFdvGBmU2MBv/Wc=; b=ELeUzy/JUU5I5GqM56IXmv5P7rjlMB67hduaiiNiUOLehXdhKsJvZntGiF814fNZnJazze osISR1KaUrFm1CS3xTAeewegJp7X0wAFLhC68ft1YGkzBlpPwdu9XZJpvsns2TjSoqnugp Vj3gEfIadAJpKdszSokNoFDCKJeNjao= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NiquYT62z6r7Qx4rPBHnCs6Nk9SPOFdvGBmU2MBv/Wc=; b=uZWNub8cB/YYAEFbmK/Yx/8MXiEb+avd049K26UT8b+mYGL6TrZq7noCsrEk3YYAN5AecV s+pxJE23fAcyBRAw== Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NiquYT62z6r7Qx4rPBHnCs6Nk9SPOFdvGBmU2MBv/Wc=; b=ELeUzy/JUU5I5GqM56IXmv5P7rjlMB67hduaiiNiUOLehXdhKsJvZntGiF814fNZnJazze osISR1KaUrFm1CS3xTAeewegJp7X0wAFLhC68ft1YGkzBlpPwdu9XZJpvsns2TjSoqnugp Vj3gEfIadAJpKdszSokNoFDCKJeNjao= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NiquYT62z6r7Qx4rPBHnCs6Nk9SPOFdvGBmU2MBv/Wc=; b=uZWNub8cB/YYAEFbmK/Yx/8MXiEb+avd049K26UT8b+mYGL6TrZq7noCsrEk3YYAN5AecV s+pxJE23fAcyBRAw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id DB74513942; Wed, 10 Jul 2024 18:02:19 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id QFpKNKvMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:19 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:04 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-9-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=15387; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=8cGf2mIKMXNVbpT2Wr9eJmQiH/C6xjYF2sjLtmRB2uE=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyeAJvkX0ilQBfmD8Al3gNDmvez3JDykE2kl URD4CHAtQKJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm RjyTC/9OvKLy2UMuHF3P6lf0jBBnIVTysMTjpksJmZ3uzn74keYhEEEfMCxNfTTgKPH4xUjLe5W R4ZzH/qRRwMzkZkW2WtmqFVoy0AbqNehyDEaAbIi+vKk+lE9LIqbMhFjGS9cGC4PvDVobOmlvsr agZUplPi9QlsmIfgwgMKN65Iw7tiK2JqHd1hiOHnTNn2UgtEVq0/F6M1PzTd8G869TcA5pdQScM QG2ByKa49Mff/ODj2s7dSDGyLKH7ZtM8+LrDUvfEMRJ9yBDue78IyJm1UdtIjpST1J51iTvWW9N DpNllZRzobk/cAColkmByh8AHfSR1WFM+Wqg14UdFV5MNjEuL9xiQB0SXiO3xEhR8/7sNuGGn9E Nq2TGiYV2/PyLDW7KtjZ1qm+7PVHssBBgCPnvBKbXBvQkibijSsEzX2B4YTsGtsjijOOhs+DDfO dUcbUcW/uT/TfY497JQ7ohmpUqF1P8YF1Dm0og9ayPomrVvzFDK5fgI6bI5lhT8yKCtvY= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-0.999]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,imap1.dmz-prg2.suse.org:helo] X-Spam-Score: -4.30 X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-5.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-5.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 09/11] Add landlock04 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies that all landlock rules are working properly. The way we do it is to verify that all disabled syscalls are not working but the one we enabled via specifc landlock rules. Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 2 + testcases/kernel/syscalls/landlock/landlock04.c | 176 +++++++++++ testcases/kernel/syscalls/landlock/landlock_exec.c | 9 + .../kernel/syscalls/landlock/landlock_tester.h | 350 +++++++++++++++++++++ 5 files changed, 538 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 269cf24b1..10b54ae84 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -687,6 +687,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 +landlock04 landlock04 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index f79cd090b..4fe8d7cba 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,3 +1,5 @@ +landlock_exec landlock01 landlock02 landlock03 +landlock04 diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c new file mode 100644 index 000000000..1567328bb --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock04.c @@ -0,0 +1,176 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that all landlock rules are working properly. The way we + * do it is to verify that all disabled syscalls are not working but the one we + * enabled via specifc landlock rules. + */ + +#include "landlock_common.h" +#include "landlock_tester.h" + +#define ACCESS_NAME(x) #x + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +struct rule_access { + char *path; + int access; +}; + +static struct tvariant { + int access; + char *desc; +} tvariants[] = { + { + LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_EXECUTE) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_WRITE_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_DIR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_FILE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_FILE) + }, + { + LANDLOCK_ACCESS_FS_MAKE_CHAR, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_CHAR) + }, + { + LANDLOCK_ACCESS_FS_MAKE_BLOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_BLOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_REG, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_REG) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SOCK, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_FIFO, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_FIFO) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SYM, + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SYM) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, + ACCESS_NAME(LANDLOCK_ACCESS_FS_TRUNCATE) + }, +}; + +static void run(void) +{ + if (!SAFE_FORK()) { + struct tvariant variant = tvariants[tst_variant]; + + tester_run_all_rules(variant.access); + _exit(0); + } +} + +static void setup(void) +{ + struct tvariant variant = tvariants[tst_variant]; + int ruleset_fd; + + verify_landlock_is_enabled(); + tester_create_tree(); + + tst_res(TINFO, "Testing %s", variant.desc); + + ruleset_attr->handled_access_fs = tester_get_all_rules(); + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + /* since our binary is dynamically linked, we need to enable libraries + * to be read and executed + */ + struct rule_access rules[] = { + {"/lib", LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE}, + {"/lib64", LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE}, + {SANDBOX_FOLDER, variant.access} + }; + int num_of_rules = ARRAY_SIZE(rules); + + for (int i = 0; i < num_of_rules; i++) { + if (access(rules[i].path, F_OK) == -1) + continue; + + path_beneath_attr->allowed_access = rules[i].access; + path_beneath_attr->parent_fd = SAFE_OPEN(rules[i].path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + path_beneath_attr, + 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); + } + + enforce_ruleset(ruleset_fd); + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.13", + .forks_child = 1, + .needs_tmpdir = 1, + .needs_root = 1, + .test_variants = ARRAY_SIZE(tvariants), + .resource_files = (const char *[]) { + TESTAPP, + NULL, + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_MKNOD), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = SANDBOX_FOLDER, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + "exfat", + NULL + }, + .max_runtime = 3600, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_exec.c b/testcases/kernel/syscalls/landlock/landlock_exec.c new file mode 100644 index 000000000..aae5c76b2 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_exec.c @@ -0,0 +1,9 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +int main(void) +{ + return 0; +} diff --git a/testcases/kernel/syscalls/landlock/landlock_tester.h b/testcases/kernel/syscalls/landlock/landlock_tester.h new file mode 100644 index 000000000..89ca085d7 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_tester.h @@ -0,0 +1,350 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_TESTER_H + +#include "tst_test.h" +#include "lapi/landlock.h" +#include + +#define PERM_MODE 0700 + +#define SANDBOX_FOLDER "sandbox" +#define TESTAPP "landlock_exec" + +#define FILE_EXEC SANDBOX_FOLDER"/"TESTAPP +#define FILE_READ SANDBOX_FOLDER"/file_read" +#define FILE_WRITE SANDBOX_FOLDER"/file_write" +#define FILE_REMOVE SANDBOX_FOLDER"/file_remove" +#define FILE_UNLINK SANDBOX_FOLDER"/file_unlink" +#define FILE_UNLINKAT SANDBOX_FOLDER"/file_unlinkat" +#define FILE_TRUNCATE SANDBOX_FOLDER"/file_truncate" +#define FILE_REGULAR SANDBOX_FOLDER"/regular0" +#define FILE_SOCKET SANDBOX_FOLDER"/socket0" +#define FILE_FIFO SANDBOX_FOLDER"/fifo0" +#define FILE_SYM0 SANDBOX_FOLDER"/symbolic0" +#define FILE_SYM1 SANDBOX_FOLDER"/symbolic1" +#define DIR_READDIR SANDBOX_FOLDER"/dir_readdir" +#define DIR_RMDIR SANDBOX_FOLDER"/dir_rmdir" +#define DEV_CHAR0 SANDBOX_FOLDER"/chardev0" +#define DEV_BLK0 SANDBOX_FOLDER"/blkdev0" + +#define ALL_RULES (\ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM | \ + LANDLOCK_ACCESS_FS_REFER | \ + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_NET_BIND_TCP | \ + LANDLOCK_ACCESS_NET_CONNECT_TCP | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) + +static char *readdir_files[] = { + DIR_READDIR"/file0", + DIR_READDIR"/file1", + DIR_READDIR"/file2", +}; + +static int dev_chr; +static int dev_blk; + +static int tester_get_all_rules(void) +{ + int abi; + int all_rules = ALL_RULES; + + abi = SAFE_LANDLOCK_CREATE_RULESET( + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 2) + all_rules &= ~LANDLOCK_ACCESS_FS_REFER; + + if (abi < 3) + all_rules &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + + if (abi < 4) { + all_rules &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | + LANDLOCK_ACCESS_NET_CONNECT_TCP); + } + + if (abi < 5) + all_rules &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + + return all_rules; +} + +static void tester_create_tree(void) +{ + if (access(SANDBOX_FOLDER, F_OK) == -1) + SAFE_MKDIR(SANDBOX_FOLDER, PERM_MODE); + + /* folders */ + SAFE_MKDIR(DIR_RMDIR, PERM_MODE); + SAFE_MKDIR(DIR_READDIR, PERM_MODE); + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) + SAFE_TOUCH(readdir_files[i], PERM_MODE, NULL); + + /* files */ + tst_fill_file(FILE_READ, 'a', getpagesize(), 1); + SAFE_TOUCH(FILE_WRITE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_REMOVE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINK, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINKAT, PERM_MODE, NULL); + SAFE_TOUCH(FILE_TRUNCATE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_SYM0, PERM_MODE, NULL); + SAFE_CP(TESTAPP, FILE_EXEC); + + /* devices */ + dev_chr = makedev(1, 3); + dev_blk = makedev(7, 0); +} + +static void _test_exec(const int result) +{ + int status; + pid_t pid; + char *const args[] = {(char *)FILE_EXEC, NULL}; + + tst_res(TINFO, "Test binary execution"); + + pid = SAFE_FORK(); + if (!pid) { + int rval; + + if (result == TPASS) { + rval = execve(FILE_EXEC, args, NULL); + if (rval == -1) + tst_res(TFAIL | TERRNO, "Failed to execute test binary"); + } else { + TST_EXP_FAIL(execve(FILE_EXEC, args, NULL), EACCES); + } + + _exit(1); + } + + SAFE_WAITPID(pid, &status, 0); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return; + + tst_res(result, "Test binary has been executed"); +} + +static void _test_write(const int result) +{ + tst_res(TINFO, "Test writing file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_WRITE, O_WRONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_WRITE, O_WRONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_read(const int result) +{ + tst_res(TINFO, "Test reading file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_READ, O_RDONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_READ, O_RDONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_readdir(const int result) +{ + tst_res(TINFO, "Test reading directory"); + + DIR *dir; + struct dirent *de; + int files_counted = 0; + + dir = opendir(DIR_READDIR); + if (!dir) { + tst_res(result == TPASS ? TFAIL : TPASS, + "Can't read '%s' directory", DIR_READDIR); + + return; + } + + tst_res(result, "Can read '%s' directory", DIR_READDIR); + if (result == TFAIL) + return; + + while ((de = readdir(dir)) != NULL) { + if (de->d_type != DT_REG) + continue; + + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) { + if (readdir_files[i] == NULL) + continue; + + if (strstr(readdir_files[i], de->d_name) != NULL) + files_counted++; + } + } + + SAFE_CLOSEDIR(dir); + + TST_EXP_EQ_LI(files_counted, ARRAY_SIZE(readdir_files)); +} + +static void _test_rmdir(const int result) +{ + tst_res(TINFO, "Test removing directory"); + + if (result == TPASS) + TST_EXP_PASS(rmdir(DIR_RMDIR)); + else + TST_EXP_FAIL(rmdir(DIR_RMDIR), EACCES); +} + +static void _test_rmfile(const int result) +{ + tst_res(TINFO, "Test removing file"); + + if (result == TPASS) { + TST_EXP_PASS(unlink(FILE_UNLINK)); + TST_EXP_PASS(remove(FILE_REMOVE)); + } else { + TST_EXP_FAIL(unlink(FILE_UNLINK), EACCES); + TST_EXP_FAIL(remove(FILE_REMOVE), EACCES); + } +} + +static void _test_make( + const char *path, + const int type, + const int dev, + const int result) +{ + tst_res(TINFO, "Test normal or special files creation"); + + if (result == TPASS) + TST_EXP_PASS(mknod(path, type | 0400, dev)); + else + TST_EXP_FAIL(mknod(path, type | 0400, dev), EACCES); +} + +static void _test_symbolic(const int result) +{ + tst_res(TINFO, "Test symbolic links"); + + if (result == TPASS) + TST_EXP_PASS(symlink(FILE_SYM0, FILE_SYM1)); + else + TST_EXP_FAIL(symlink(FILE_SYM0, FILE_SYM1), EACCES); +} + +static void _test_truncate(const int result) +{ + int fd; + + tst_res(TINFO, "Test truncating file"); + + if (result == TPASS) { + TST_EXP_PASS(truncate(FILE_TRUNCATE, 10)); + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY, PERM_MODE)); + if (fd != -1) { + TST_EXP_PASS(ftruncate(fd, 10)); + SAFE_CLOSE(fd); + } + + fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE)); + if (fd != -1) + SAFE_CLOSE(fd); + } else { + TST_EXP_FAIL(truncate(FILE_TRUNCATE, 10), EACCES); + + fd = open(FILE_TRUNCATE, O_WRONLY, PERM_MODE); + if (fd != -1) { + TST_EXP_FAIL(ftruncate(fd, 10), EACCES); + SAFE_CLOSE(fd); + } + + TST_EXP_FAIL(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE), + EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); + } +} + +static void tester_run_rules(const int rules, const int result) +{ + if (rules & LANDLOCK_ACCESS_FS_EXECUTE) + _test_exec(result); + + if (rules & LANDLOCK_ACCESS_FS_WRITE_FILE) + _test_write(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_FILE) + _test_read(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_DIR) + _test_readdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_DIR) + _test_rmdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_FILE) + _test_rmfile(result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_CHAR) + _test_make(DEV_CHAR0, S_IFCHR, dev_chr, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_BLOCK) + _test_make(DEV_BLK0, S_IFBLK, dev_blk, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_REG) + _test_make(FILE_REGULAR, S_IFREG, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SOCK) + _test_make(FILE_SOCKET, S_IFSOCK, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_FIFO) + _test_make(FILE_FIFO, S_IFIFO, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SYM) + _test_symbolic(result); + + if (rules & LANDLOCK_ACCESS_FS_TRUNCATE) { + if ((tst_kvercmp(6, 2, 0)) < 0) { + tst_res(TINFO, "Skip truncate test. Minimum kernel version is 6.2"); + return; + } + + _test_truncate(result); + } +} + +static inline void tester_run_all_rules(const int pass_rules) +{ + int fail_rules; + int all_rules; + + all_rules = tester_get_all_rules(); + fail_rules = all_rules & ~pass_rules; + + tester_run_rules(pass_rules, TPASS); + tester_run_rules(fail_rules, TFAIL); +} + +#endif From patchwork Wed Jul 10 18:02:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958967 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=sZMas+Ha; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=6HHMuh9L; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=sZMas+Ha; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=6HHMuh9L; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5MV1Cjhz1xpd for ; Thu, 11 Jul 2024 04:03:50 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 049CD3D3901 for ; Wed, 10 Jul 2024 20:03:48 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [217.194.8.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 3086C3D073A for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Authentication-Results: in-4.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=195.135.223.131; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 97E061007C86 for ; Wed, 10 Jul 2024 20:02:20 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 2420E1FCDE; Wed, 10 Jul 2024 18:02:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=REz6xYKSjt649+nIMXtZ2tSMpwkz6gP/mvw4GeuwShE=; b=sZMas+HaVKtQh3zdjdxiYKdHckNNd9XVTqjbBI8CRHW9VVfvhXgezWVz+OCIOCsiTTLEis VWH+/MprpfspHN9aF5efyTUNfmM00xqYRO1GJsqSzUx1fd1xMTp12LgudAIb4GAQ7ntV9i VfDTzP6pb3zR8VBTEeHQm4H9iligTu0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=REz6xYKSjt649+nIMXtZ2tSMpwkz6gP/mvw4GeuwShE=; b=6HHMuh9LoJRb1wHlwP4CSLm3+1oWr2KRExRENEVxlLMfuSstRLtdm7WVXPeSlYpUyBwEsq WPRBwVt2QNhzeJCw== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=REz6xYKSjt649+nIMXtZ2tSMpwkz6gP/mvw4GeuwShE=; b=sZMas+HaVKtQh3zdjdxiYKdHckNNd9XVTqjbBI8CRHW9VVfvhXgezWVz+OCIOCsiTTLEis VWH+/MprpfspHN9aF5efyTUNfmM00xqYRO1GJsqSzUx1fd1xMTp12LgudAIb4GAQ7ntV9i VfDTzP6pb3zR8VBTEeHQm4H9iligTu0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=REz6xYKSjt649+nIMXtZ2tSMpwkz6gP/mvw4GeuwShE=; b=6HHMuh9LoJRb1wHlwP4CSLm3+1oWr2KRExRENEVxlLMfuSstRLtdm7WVXPeSlYpUyBwEsq WPRBwVt2QNhzeJCw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 086D6137D2; Wed, 10 Jul 2024 18:02:20 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id mE+4AKzMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:20 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:05 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-10-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4081; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=5XlK4rtEjskkE4URmCuJ7dSUhd84VCQnT8Q0PdXWOm8=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyegq4J7RI3GmAn9g3DCpMNaWsJe+5r/M9JP A8riLgqf1GJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm Riu4C/4uLMW+eXOWv1JbC4HKGiPsMEE5f8Wl7Y2xu8dRdE57j+iN4Ln+8n+GFuMMfaMM+RH3Z4M 34hFdgoG649hK2dg6KREm7BCm0iXo+5hQ/0ZHmgyUGaAns6q0eEeBm60SHwo8c7xOJbVPkG6krZ 3So9Xua1uxBxfvYwLaua+iFy5klF9lmLpwQ5sKjSI+pwj6XcoqbgGVvB8TsqkYc+/wRPZFHYrrz JH1zMEVStPwpoeMU4EOPiQ4ZTKgCkNdEcGh9glwKBiNyNWFFsW3bTndKFn4oZLmPzInFfWdHOVG ce7fFWfzbboCV5U9GQL4zlOI+hNSYGX4CHv96a0Q1eKkPSb/I5LC1W3ZyT0y9UfiHNgPxeAT8GJ gPNVPLSeIydOPWo59r02b4d7EdqQVBfYi3d+MH9znxQswZAQ4J6GXEizKEW5f2kvNTBDveyQOs6 MS2KdjXGcTAb/NmCzxJQ6M77XoFk8cpFRaJtxoUUxv8degH0nwY5axnz8UdTTwIxfCtEM= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spam-Score: -4.30 X-Spam-Level: X-Spamd-Result: default: False [-4.30 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.com:email] X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-4.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-4.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 10/11] Add landlock05 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies LANDLOCK_ACCESS_FS_REFER access in the landlock sandbox. The feature is available since kernel 5.19. Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock05.c | 114 ++++++++++++++++++++++++ 3 files changed, 116 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 10b54ae84..bb54538ed 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -688,6 +688,7 @@ landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 +landlock05 landlock05 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index 4fe8d7cba..a7ea6be2e 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -3,3 +3,4 @@ landlock01 landlock02 landlock03 landlock04 +landlock05 diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c new file mode 100644 index 000000000..0ab93efbd --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock05.c @@ -0,0 +1,114 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_REFER access in the + * landlock sandbox. + * + * [Algorithm] + * + * - apply LANDLOCK_ACCESS_FS_REFER in the folder1 + * - apply LANDLOCK_ACCESS_FS_REFER in the folder2 + * - create folder3 + * - verify that file can be moved from folder1 to folder2 + * - verify that file can't be moved from folder1 to folder3 + */ + +#include "landlock_common.h" + +#define MNTPOINT "sandbox" +#define DIR1 MNTPOINT"/folder1" +#define DIR2 MNTPOINT"/folder2" +#define DIR3 MNTPOINT"/folder3" +#define FILENAME1 DIR1"/file" +#define FILENAME2 DIR2"/file" +#define FILENAME3 DIR3"/file" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static void run(void) +{ + if (!SAFE_FORK()) { + TST_EXP_PASS(rename(FILENAME1, FILENAME2)); + if (TST_RET == -1) + return; + + TST_EXP_FAIL(rename(FILENAME2, FILENAME3), EXDEV); + TST_EXP_PASS(rename(FILENAME2, FILENAME1)); + + _exit(0); + } +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKDIR(DIR1, 0640); + SAFE_MKDIR(DIR2, 0640); + SAFE_MKDIR(DIR3, 0640); + SAFE_TOUCH(FILENAME1, 0640, NULL); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER"); + + ruleset_attr->handled_access_fs = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_REFER; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR1); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR2); + + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .min_kver = "5.19", + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, +}; From patchwork Wed Jul 10 18:02:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Cervesato X-Patchwork-Id: 1958970 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=V+K6Amdn; dkim=fail reason="signature verification failed" header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=PkiNR6FF; dkim=fail reason="signature verification failed" (1024-bit key) header.d=suse.de header.i=@suse.de header.a=rsa-sha256 header.s=susede2_rsa header.b=V+K6Amdn; dkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256 header.s=susede2_ed25519 header.b=PkiNR6FF; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=patchwork.ozlabs.org) Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WK5Nd10QMz1xpd for ; Thu, 11 Jul 2024 04:04:49 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id D33FC3D47D9 for ; Wed, 10 Jul 2024 20:04:46 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-2.smtp.seeweb.it (in-2.smtp.seeweb.it [217.194.8.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 69AE83D385B for ; Wed, 10 Jul 2024 20:02:22 +0200 (CEST) Authentication-Results: in-2.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:2; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-2.smtp.seeweb.it (Postfix) with ESMTPS id 5656D60281D for ; Wed, 10 Jul 2024 20:02:21 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 460A21F851; Wed, 10 Jul 2024 18:02:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6Uus/tkiwpYRYw+MQKPc4v2pWTru1cuQ9ronz7ToJEQ=; b=V+K6AmdnjoJ7Gcra2uqnJn9SjgrcqYY4LGsrpKshESI5yOP8F9QUred/yjhZlmn9Oc6Dv/ 8pie1iEypniiGtv3HGVotvWab5wqSd1/wukTIygpMrJ7t/CJPD7MlpRlWV3frn5fZcUaV5 tPt6A5hsj4wQD3SIhJf73DmBfyFA7m0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6Uus/tkiwpYRYw+MQKPc4v2pWTru1cuQ9ronz7ToJEQ=; b=PkiNR6FF12nT6xhHjdFcoWIbEWPW7tt6phzKmI9ULOKyRvVh4m22wSgihUwp08tGw2OyC6 VOgux8xUkYiThQDA== Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.de header.s=susede2_rsa header.b=V+K6Amdn; dkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=PkiNR6FF DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6Uus/tkiwpYRYw+MQKPc4v2pWTru1cuQ9ronz7ToJEQ=; b=V+K6AmdnjoJ7Gcra2uqnJn9SjgrcqYY4LGsrpKshESI5yOP8F9QUred/yjhZlmn9Oc6Dv/ 8pie1iEypniiGtv3HGVotvWab5wqSd1/wukTIygpMrJ7t/CJPD7MlpRlWV3frn5fZcUaV5 tPt6A5hsj4wQD3SIhJf73DmBfyFA7m0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1720634540; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6Uus/tkiwpYRYw+MQKPc4v2pWTru1cuQ9ronz7ToJEQ=; b=PkiNR6FF12nT6xhHjdFcoWIbEWPW7tt6phzKmI9ULOKyRvVh4m22wSgihUwp08tGw2OyC6 VOgux8xUkYiThQDA== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 2A3AF13942; Wed, 10 Jul 2024 18:02:20 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id gAD+CKzMjmZJfAAAD6G6ig (envelope-from ); Wed, 10 Jul 2024 18:02:20 +0000 From: Andrea Cervesato Date: Wed, 10 Jul 2024 20:02:06 +0200 MIME-Version: 1.0 Message-Id: <20240710-landlock-v2-11-ff79db017d57@suse.com> References: <20240710-landlock-v2-0-ff79db017d57@suse.com> In-Reply-To: <20240710-landlock-v2-0-ff79db017d57@suse.com> To: ltp@lists.linux.it X-Mailer: b4 0.13.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4212; i=andrea.cervesato@suse.com; h=from:subject:message-id; bh=/DPbW9WJA9B7SM9pvBVukc8X4nU69D6R+pJqeZjdNOA=; b=owEB7QES/pANAwAIAcvMGrIgs+ZGAcsmYgBmjsyeTUxKDq2vqaMGQypCy2KMfoM75ccrRNNNe naGRPUer7eJAbMEAAEIAB0WIQT1ysFzUKRW0sIb39jLzBqyILPmRgUCZo7MngAKCRDLzBqyILPm Ros6C/9y7Z5LaWmtnhIsUbaxNbAeMvMWANxD2Phn38NcykdDtxHVrljsfXerchA35HonXqEPx05 SJXY8Yv4gGOaM0x1uvwBkKyCb7veRIIuEEGSW55LaYT3rGKzoKYVG4+jdGKZfOB6cSkH/IfxiiK r6Oo692Kj/LAI7MKrTFtIFPd1UdaV7t8yeucEeZqM/Abt9deLUNhNZSgiqjbXFyBfsjXxWwLzwE sb0cvCoyy09Z/RuubTxbSCh0dof2SE5cXRmagQJfgId/HJ91ydOXUYViSWKJ+CgBYpY5lEiuOFQ evghOY6mIdPyE96UKsXvTwOsIrfP8aXZb8kbHpSnRUHN2eL0i+iMk+n/xhxuMAFLaNb/GlhFX/9 OyPcHLqE1Yx7DYAfY8KcK9ScfxyKaiHDKve09t/KjJzKxDSBkIiBuIezlDmB5DPSYSqZa1CdbxJ UV6RjMPy2KmNBbdpjiEKbDtvabR6UmmzxUf3Tupeb5BPFDrtU9Rz80iFav1XGaEXyMgdI= X-Developer-Key: i=andrea.cervesato@suse.com; a=openpgp; fpr=F5CAC17350A456D2C21BDFD8CBCC1AB220B3E646 X-Spamd-Result: default: False [-4.51 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[]; FUZZY_BLOCKED(0.00)[rspamd.com]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.de:dkim]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:dkim,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.com:email]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; DKIM_TRACE(0.00)[suse.de:+] X-Rspamd-Action: no action X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Queue-Id: 460A21F851 X-Spam-Score: -4.51 X-Spam-Level: X-Spam-Status: No, score=0.1 required=7.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=disabled version=4.0.0 X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on in-2.smtp.seeweb.it X-Virus-Scanned: clamav-milter 1.0.3 at in-2.smtp.seeweb.it X-Virus-Status: Clean Subject: [LTP] [PATCH v2 11/11] Add landlock06 test X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" From: Andrea Cervesato This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the landlock sandbox by creating a pipe and testing that ioctl() can be executed on it. The test is also verifying that some of the I/O operations can be always executed no matter the sandbox rules. This feature is available since kernel 6.10. Reviewed-by: Li Wang Signed-off-by: Andrea Cervesato Reviewed-by: Petr Vorel --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock06.c | 110 ++++++++++++++++++++++++ 3 files changed, 112 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index bb54538ed..e2d32895e 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -689,6 +689,7 @@ landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 landlock05 landlock05 +landlock06 landlock06 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index a7ea6be2e..315ac1dca 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -4,3 +4,4 @@ landlock02 landlock03 landlock04 landlock05 +landlock06 diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c new file mode 100644 index 000000000..3281c2d2d --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock06.c @@ -0,0 +1,110 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the + * landlock sandbox by creating a pipe and testing that ioctl() can be executed + * on it. The test is also verifying that some of the I/O operations can be + * always executed no matter the sandbox rules. + */ + +#include "landlock_common.h" +#include + +#define MNTPOINT "sandbox" +#define FILENAME MNTPOINT"/fifo" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static int file_fd; +static int dev_fd; + +static void run(void) +{ + if (!SAFE_FORK()) { + int flag; + size_t sz = 0; + + TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz)); + + /* check unrestrictable commands */ + TST_EXP_PASS(ioctl(dev_fd, FIOCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag)); + TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag)); + + _exit(0); + } +} + +static void setup(void) +{ + int ruleset_fd; + + verify_landlock_is_enabled(); + + SAFE_MKFIFO(FILENAME, 0640); + + file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640); + dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV"); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_layer( + ruleset_attr, + path_beneath_attr, + MNTPOINT, + LANDLOCK_ACCESS_FS_IOCTL_DEV + ); + + SAFE_CLOSE(ruleset_fd); +} + +static void cleanup(void) +{ + if (dev_fd != -1) + SAFE_CLOSE(dev_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .min_kver = "6.10", + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, +};