From patchwork Thu Aug 1 12:08:38 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1967635
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:38 +0200
Message-Id: <20240801-landlock-v5-1-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v5 1/6] Get ABI version from landlock common library

Return the ABI version when verify_landlock_is_enabled() is called.

Signed-off-by: Andrea Cervesato
Reviewed-by: Petr Vorel
--- testcases/kernel/syscalls/landlock/landlock_common.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h index 66f8fd19a..1d3864934 100644 --- a/testcases/kernel/syscalls/landlock/landlock_common.h +++ b/testcases/kernel/syscalls/landlock/landlock_common.h @@ -10,7 +10,7 @@ #include "lapi/fcntl.h" #include "lapi/landlock.h" -static inline void verify_landlock_is_enabled(void) +static inline int verify_landlock_is_enabled(void) { int abi;
@@ -28,6 +28,8 @@ static inline void verify_landlock_is_enabled(void) } tst_res(TINFO, "Landlock ABI v%d", abi); + + return abi; } static inline void apply_landlock_rule(
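
Review bot: the `return abi;` added at the end of verify_landlock_is_enabled() (hunk at -28,6) gives the helper a return value that nothing in landlock_common.h documents, while the name still reads as a pure check. Add a short comment above the definition stating that it returns the Landlock ABI version it logs with `tst_res(TINFO, "Landlock ABI v%d", abi)`, so a caller that wants to gate a test on a minimum ABI knows what it is comparing against. Callers that ignore the result keep compiling unchanged, so the signature change in the -10,7 hunk needs no follow-up in them.
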
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:39 +0200
Message-Id: <20240801-landlock-v5-2-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v5 2/6] Add CAP_MKNOD fallback in lapi/capability.h

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
Reviewed-by: Petr Vorel
--- include/lapi/capability.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/lapi/capability.h b/include/lapi/capability.h index 2b593797c..0f317d6d7 100644 --- a/include/lapi/capability.h +++ b/include/lapi/capability.h
@@ -44,14 +44,18 @@ # define CAP_SYS_TIME 25 #endif -#ifndef CAP_AUDIT_READ -# define CAP_AUDIT_READ 37 -#endif - #ifndef CAP_SYS_RESOURCE # define CAP_SYS_RESOURCE 24 #endif +#ifndef CAP_MKNOD +# define CAP_MKNOD 27 +#endif + +#ifndef CAP_AUDIT_READ +# define CAP_AUDIT_READ 37 +#endif + #ifndef CAP_BPF # define CAP_BPF 39 #endif
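
Review bot: the hunk at -44,14 moves the CAP_AUDIT_READ fallback below CAP_SYS_RESOURCE in addition to adding CAP_MKNOD, and neither the subject nor the commit body (which carries only tags) mentions the move. Either limit the change to the added `#ifndef CAP_MKNOD` / `# define CAP_MKNOD 27` / `#endif` block, or say in the commit message that the fallbacks are being reordered and why. The value 27 matches CAP_MKNOD in the kernel's linux/capability.h; a one-line body naming which test in the series needs the fallback would make the patch self-explanatory.
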
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:40 +0200
Message-Id: <20240801-landlock-v5-3-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v5 3/6] Disable kernel version check in landlock tests

The reason why we remove the kernel version check is that we use the
verify_landlock_is_enabled() function in order to check if landlock is
present in the system. This is really helpful when landlock support has
been backported into old kernels.

Signed-off-by: Andrea Cervesato
Reviewed-by: Petr Vorel
--- testcases/kernel/syscalls/landlock/landlock01.c | 1 - testcases/kernel/syscalls/landlock/landlock02.c | 1 - testcases/kernel/syscalls/landlock/landlock03.c | 1 - 3 files changed, 3 deletions(-) diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c index 0c50b55d8..db2ffe89b 100644 --- a/testcases/kernel/syscalls/landlock/landlock01.c +++ b/testcases/kernel/syscalls/landlock/landlock01.c @@ -75,7 +75,6 @@ static struct tst_test test = { .test = run, .tcnt = ARRAY_SIZE(tcases), .setup = setup, - .min_kver = "5.13", .needs_root = 1, .needs_kconfigs = (const char *[]) { "CONFIG_SECURITY_LANDLOCK=y", diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c index c29ff1e83..2b3e31f69 100644 --- a/testcases/kernel/syscalls/landlock/landlock02.c +++ b/testcases/kernel/syscalls/landlock/landlock02.c @@ -120,7 +120,6 @@ static struct tst_test test = { .tcnt = ARRAY_SIZE(tcases), .setup = setup, .cleanup = cleanup, - .min_kver = "5.13", .needs_root = 1, .needs_kconfigs = (const char *[]) { "CONFIG_SECURITY_LANDLOCK=y",
diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c index 9bf358d1c..5661b6b29 100644 --- a/testcases/kernel/syscalls/landlock/landlock03.c +++ b/testcases/kernel/syscalls/landlock/landlock03.c 
@@ -108,7 +108,6 @@ static struct tst_test test = { .tcnt = ARRAY_SIZE(tcases), .setup = setup, .cleanup = cleanup, - .min_kver = "5.13", .needs_tmpdir = 1, .needs_root = 1, .forks_child = 1,
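
Review bot: the landlock03.c hunk (-108,7) drops `.min_kver = "5.13"` without any `.needs_kconfigs` entry visible in its context, unlike the landlock01.c and landlock02.c hunks where "CONFIG_SECURITY_LANDLOCK=y" follows directly, so the diff alone does not show what still gates that test. Please confirm that landlock03.c keeps the kconfig requirement outside the shown context and that each of the three setup() functions calls verify_landlock_is_enabled(), which is the check the commit message relies on, so that a kernel without Landlock skips these tests instead of reporting failures.
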
in-5.smtp.seeweb.it (in-5.smtp.seeweb.it [217.194.8.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by picard.linux.it (Postfix) with ESMTPS id 2A2053D1DCB for ; Thu, 1 Aug 2024 14:08:53 +0200 (CEST) Authentication-Results: in-5.smtp.seeweb.it; spf=pass (sender SPF authorized) smtp.mailfrom=suse.de (client-ip=2a07:de40:b251:101:10:150:64:2; helo=smtp-out2.suse.de; envelope-from=andrea.cervesato@suse.de; receiver=lists.linux.it) Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2a07:de40:b251:101:10:150:64:2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by in-5.smtp.seeweb.it (Postfix) with ESMTPS id 18941608A7D for ; Thu, 1 Aug 2024 14:08:51 +0200 (CEST) Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id E30581FB54; Thu, 1 Aug 2024 12:08:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1722514130; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=g6q289gKRooaShWW/5FyrV1WXvaAZWC4NyE+czjsiOE=; b=lcGWD/SPndH58UDbzkuO0XzQDTM6/VHQuDZ+toF3x8qC8KLpBXmfyj5Gu+gu3EpwiX7OHr JqMVlNi+cLk3XHERNhQDYsmCQtmHz+AYvlx9QXUE0hxMHP04kItmli6CxyQL/4toWO+Ube /Tbsnq4oQ7MtgsoTEbMqMPRCKBclWPc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1722514130; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: 
mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=g6q289gKRooaShWW/5FyrV1WXvaAZWC4NyE+czjsiOE=; b=KTaCITJeoDf3OGWj7kbfdbUJZQgGob6GUVzuWvWb436/GfS22unfpFllkkES+XPuzpoIL2 OUJw3yyFoq8henCw== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1722514130; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=g6q289gKRooaShWW/5FyrV1WXvaAZWC4NyE+czjsiOE=; b=lcGWD/SPndH58UDbzkuO0XzQDTM6/VHQuDZ+toF3x8qC8KLpBXmfyj5Gu+gu3EpwiX7OHr JqMVlNi+cLk3XHERNhQDYsmCQtmHz+AYvlx9QXUE0hxMHP04kItmli6CxyQL/4toWO+Ube /Tbsnq4oQ7MtgsoTEbMqMPRCKBclWPc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1722514130; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=g6q289gKRooaShWW/5FyrV1WXvaAZWC4NyE+czjsiOE=; b=KTaCITJeoDf3OGWj7kbfdbUJZQgGob6GUVzuWvWb436/GfS22unfpFllkkES+XPuzpoIL2 OUJw3yyFoq8henCw== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 9A08813946; Thu, 1 Aug 2024 12:08:50 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 6JXmItJ6q2aiVwAAD6G6ig (envelope-from ); Thu, 01 Aug 2024 12:08:50 +0000 
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:41 +0200
Subject: [LTP] [PATCH v5 4/6] Add landlock04 test
Message-Id: <20240801-landlock-v5-4-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it

This test verifies that all landlock rules are working properly. The way we do it is to verify that all disabled syscalls are not working but the one we enabled via specific landlock rules.

Reviewed-by: Li Wang
Reviewed-by: Petr Vorel
Signed-off-by: Andrea Cervesato
---
 runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 2 + testcases/kernel/syscalls/landlock/landlock04.c | 212 +++++++++++ testcases/kernel/syscalls/landlock/landlock_exec.c | 9 + .../kernel/syscalls/landlock/landlock_tester.h | 393 +++++++++++++++++++++ 5 files changed, 617 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 9b3cba667..67b2e2758 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -699,6 +699,7 @@ kill13 kill13 landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 +landlock04 landlock04 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index f79cd090b..4fe8d7cba 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -1,3 +1,5 @@ +landlock_exec landlock01 landlock02 landlock03 +landlock04 diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c new file mode 100644 index 000000000..82d9a5a4e --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock04.c
@@ -0,0 +1,212 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies that all landlock filesystem rules are working properly. + * The way we do it is to verify that all disabled syscalls are not working but + * the one we enabled via specifc landlock rules. + */ + +#include "landlock_common.h" +#include "landlock_tester.h" +#include "tst_safe_stdio.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static int ruleset_fd = -1; + +static struct tvariant { + int access; + char *desc; +} tvariants[] = { + { + LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE, + TST_TO_STR_(LANDLOCK_ACCESS_FS_EXECUTE) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE, + TST_TO_STR_(LANDLOCK_ACCESS_FS_WRITE_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_FILE, + TST_TO_STR_(LANDLOCK_ACCESS_FS_READ_FILE) + }, + { + LANDLOCK_ACCESS_FS_READ_DIR, + TST_TO_STR_(LANDLOCK_ACCESS_FS_READ_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_DIR, + TST_TO_STR_(LANDLOCK_ACCESS_FS_REMOVE_DIR) + }, + { + LANDLOCK_ACCESS_FS_REMOVE_FILE, + TST_TO_STR_(LANDLOCK_ACCESS_FS_REMOVE_FILE) + }, + { + LANDLOCK_ACCESS_FS_MAKE_CHAR, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_CHAR) + }, + { + LANDLOCK_ACCESS_FS_MAKE_BLOCK, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_BLOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_REG, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_REG) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SOCK, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_SOCK) + }, + { + LANDLOCK_ACCESS_FS_MAKE_FIFO, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_FIFO) + }, + { + LANDLOCK_ACCESS_FS_MAKE_SYM, + TST_TO_STR_(LANDLOCK_ACCESS_FS_MAKE_SYM) + }, + { + LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE, + TST_TO_STR_(LANDLOCK_ACCESS_FS_TRUNCATE) + }, +}; + +static void run(void) +{ + struct tvariant variant = tvariants[tst_variant]; + + tester_setup_files(); + + if (!SAFE_FORK()) { + 
enforce_ruleset(ruleset_fd); + tester_run_all_fs_rules(variant.access); + + _exit(0); + } + + tst_reap_children(); + tester_cleanup_files(); +} + +static void enable_exec_libs(const int ruleset_fd) +{ + FILE *fp; + char line[1024]; + char path[PATH_MAX]; + char dependency[8][PATH_MAX]; + int count = 0; + int duplicate = 0; + + fp = SAFE_FOPEN("/proc/self/maps", "r"); + + while (fgets(line, sizeof(line), fp)) { + if (strstr(line, ".so") == NULL) + continue; + + SAFE_SSCANF(line, "%*x-%*x %*s %*x %*s %*d %s", path); + + for (int i = 0; i < count; i++) { + if (strcmp(path, dependency[i]) == 0) { + duplicate = 1; + break; + } + } + + if (duplicate) { + duplicate = 0; + continue; + } + + strncpy(dependency[count], path, PATH_MAX); + count++; + + tst_res(TINFO, "Enable read/exec permissions for %s", path); + + path_beneath_attr->allowed_access = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_EXECUTE; + path_beneath_attr->parent_fd = SAFE_OPEN(path, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, path_beneath_attr, 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); + } + + SAFE_FCLOSE(fp); +} + +static void setup(void) +{ + struct tvariant variant = tvariants[tst_variant]; + + verify_landlock_is_enabled(); + + tst_res(TINFO, "Testing %s", variant.desc); + + ruleset_attr->handled_access_fs = tester_get_all_fs_rules(); + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + /* since our binary is dynamically linked, we need to enable dependences + * to be read and executed + */ + enable_exec_libs(ruleset_fd); + + /* sandbox folder has to exist before creating the rule */ + if (access(SANDBOX_FOLDER, F_OK) == -1) + SAFE_MKDIR(SANDBOX_FOLDER, PERM_MODE); + + path_beneath_attr->allowed_access = variant.access; + path_beneath_attr->parent_fd = SAFE_OPEN( + SANDBOX_FOLDER, O_PATH | O_CLOEXEC); + + SAFE_LANDLOCK_ADD_RULE( + ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, 
path_beneath_attr, 0); + + SAFE_CLOSE(path_beneath_attr->parent_fd); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .forks_child = 1, + .needs_root = 1, + .test_variants = ARRAY_SIZE(tvariants), + .resource_files = (const char *[]) { + TESTAPP, + NULL, + }, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + TST_CAP(TST_CAP_REQ, CAP_MKNOD), + {} + }, + .mount_device = 1, + .mntpoint = SANDBOX_FOLDER, + .all_filesystems = 1, + .max_runtime = 360, +}; diff --git a/testcases/kernel/syscalls/landlock/landlock_exec.c b/testcases/kernel/syscalls/landlock/landlock_exec.c new file mode 100644 index 000000000..aae5c76b2 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_exec.c @@ -0,0 +1,9 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +int main(void) +{ + return 0; +} diff --git a/testcases/kernel/syscalls/landlock/landlock_tester.h b/testcases/kernel/syscalls/landlock/landlock_tester.h new file mode 100644 index 000000000..dcebc45cd --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock_tester.h 
@@ -0,0 +1,393 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +#ifndef LANDLOCK_TESTER_H__ + +#include "tst_test.h" +#include "lapi/landlock.h" +#include + +#define PERM_MODE 0700 + +#define SANDBOX_FOLDER "sandbox" +#define TESTAPP "landlock_exec" + +#define FILE_EXEC SANDBOX_FOLDER"/"TESTAPP +#define FILE_READ SANDBOX_FOLDER"/file_read" +#define FILE_WRITE SANDBOX_FOLDER"/file_write" +#define FILE_REMOVE SANDBOX_FOLDER"/file_remove" +#define FILE_UNLINK SANDBOX_FOLDER"/file_unlink" +#define FILE_UNLINKAT SANDBOX_FOLDER"/file_unlinkat" +#define FILE_TRUNCATE SANDBOX_FOLDER"/file_truncate" +#define FILE_REGULAR SANDBOX_FOLDER"/regular0" +#define FILE_SOCKET SANDBOX_FOLDER"/socket0" +#define FILE_FIFO SANDBOX_FOLDER"/fifo0" +#define FILE_SYM0 SANDBOX_FOLDER"/symbolic0" +#define FILE_SYM1 SANDBOX_FOLDER"/symbolic1" +#define DIR_READDIR SANDBOX_FOLDER"/dir_readdir" +#define DIR_RMDIR SANDBOX_FOLDER"/dir_rmdir" +#define DEV_CHAR0 SANDBOX_FOLDER"/chardev0" +#define DEV_BLK0 SANDBOX_FOLDER"/blkdev0" + +#define ALL_RULES (\ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM | \ + LANDLOCK_ACCESS_FS_REFER | \ + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) + +static char *readdir_files[] = { + DIR_READDIR"/file0", + DIR_READDIR"/file1", + DIR_READDIR"/file2", +}; + +static int dev_chr; +static int dev_blk; + +static int tester_get_all_fs_rules(void) +{ + int abi; + int all_rules = ALL_RULES; + + abi = SAFE_LANDLOCK_CREATE_RULESET( + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 2) + 
all_rules &= ~LANDLOCK_ACCESS_FS_REFER; + + if (abi < 3) + all_rules &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + + if (abi < 5) + all_rules &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + + return all_rules; +} + +/* This function setup the sandbox folder before running the test. + * Run it __before__ enforcing the sandbox rules and ensure that SANDBOX_FOLDER + * has been created already. + */ +static void tester_setup_files(void) +{ + /* folders */ + SAFE_MKDIR(DIR_RMDIR, PERM_MODE); + SAFE_MKDIR(DIR_READDIR, PERM_MODE); + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) + SAFE_TOUCH(readdir_files[i], PERM_MODE, NULL); + + /* files */ + tst_fill_file(FILE_READ, 'a', getpagesize(), 1); + SAFE_TOUCH(FILE_WRITE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_REMOVE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINK, PERM_MODE, NULL); + SAFE_TOUCH(FILE_UNLINKAT, PERM_MODE, NULL); + SAFE_TOUCH(FILE_TRUNCATE, PERM_MODE, NULL); + SAFE_TOUCH(FILE_SYM0, PERM_MODE, NULL); + SAFE_CP(TESTAPP, FILE_EXEC); + + /* devices */ + dev_chr = makedev(1, 3); + dev_blk = makedev(7, 0); +} + +static void _remove_file(const char *path) +{ + if (access(path, F_OK) != -1) + SAFE_UNLINK(path); +} + +/* This function cleanup the sandbox folder after running the tests. + * Run it after getting out from the sandbox. 
+ */ +static void tester_cleanup_files(void) +{ + if (access(DIR_RMDIR, F_OK) != -1) + SAFE_RMDIR(DIR_RMDIR); + + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) + _remove_file(readdir_files[i]); + + if (access(DIR_READDIR, F_OK) != -1) + SAFE_RMDIR(DIR_READDIR); + + struct stat st; + + if (lstat(FILE_SYM1, &st) != -1) + SAFE_UNLINK(FILE_SYM1); + + _remove_file(FILE_READ); + _remove_file(FILE_WRITE); + _remove_file(FILE_REMOVE); + _remove_file(FILE_UNLINK); + _remove_file(FILE_UNLINKAT); + _remove_file(FILE_TRUNCATE); + _remove_file(FILE_SYM0); + _remove_file(FILE_EXEC); + + _remove_file(DEV_BLK0); + _remove_file(DEV_CHAR0); + _remove_file(FILE_FIFO); + _remove_file(FILE_SOCKET); + _remove_file(FILE_REGULAR); +} + +static void _test_exec(const int result) +{ + int status; + pid_t pid; + char *const args[] = {(char *)FILE_EXEC, NULL}; + + tst_res(TINFO, "Test binary execution"); + + pid = SAFE_FORK(); + if (!pid) { + int rval; + + if (result == TPASS) { + rval = execve(FILE_EXEC, args, NULL); + if (rval == -1) + tst_res(TFAIL | TERRNO, "Failed to execute test binary"); + } else { + TST_EXP_FAIL(execve(FILE_EXEC, args, NULL), EACCES); + } + + _exit(1); + } + + SAFE_WAITPID(pid, &status, 0); + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return; + + tst_res(result, "Test binary has been executed"); +} + +static void _test_write(const int result) +{ + tst_res(TINFO, "Test writing file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_WRITE, O_WRONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_WRITE, O_WRONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_read(const int result) +{ + tst_res(TINFO, "Test reading file"); + + if (result == TPASS) + TST_EXP_FD(open(FILE_READ, O_RDONLY, PERM_MODE)); + else + TST_EXP_FAIL(open(FILE_READ, O_RDONLY, PERM_MODE), EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); +} + +static void _test_readdir(const int result) +{ + tst_res(TINFO, "Test reading directory"); + + 
DIR *dir; + struct dirent *de; + int files_counted = 0; + + dir = opendir(DIR_READDIR); + if (!dir) { + tst_res(result == TPASS ? TFAIL : TPASS, + "Can't read '%s' directory", DIR_READDIR); + + return; + } + + tst_res(result, "Can read '%s' directory", DIR_READDIR); + if (result == TFAIL) + return; + + while ((de = readdir(dir)) != NULL) { + if (de->d_type != DT_REG) + continue; + + for (size_t i = 0; i < ARRAY_SIZE(readdir_files); i++) { + if (readdir_files[i] == NULL) + continue; + + if (strstr(readdir_files[i], de->d_name) != NULL) + files_counted++; + } + } + + SAFE_CLOSEDIR(dir); + + TST_EXP_EQ_LI(files_counted, ARRAY_SIZE(readdir_files)); +} + +static void _test_rmdir(const int result) +{ + tst_res(TINFO, "Test removing directory"); + + if (result == TPASS) + TST_EXP_PASS(rmdir(DIR_RMDIR)); + else + TST_EXP_FAIL(rmdir(DIR_RMDIR), EACCES); +} + +static void _test_rmfile(const int result) +{ + tst_res(TINFO, "Test removing file"); + + if (result == TPASS) { + TST_EXP_PASS(unlink(FILE_UNLINK)); + TST_EXP_PASS(remove(FILE_REMOVE)); + } else { + TST_EXP_FAIL(unlink(FILE_UNLINK), EACCES); + TST_EXP_FAIL(remove(FILE_REMOVE), EACCES); + } +} + +static void _test_make( + const char *path, + const int type, + const int dev, + const int result) +{ + tst_res(TINFO, "Test normal or special files creation"); + + if (result == TPASS) + TST_EXP_PASS(mknod(path, type | 0400, dev)); + else + TST_EXP_FAIL(mknod(path, type | 0400, dev), EACCES); +} + +static void _test_symbolic(const int result) +{ + tst_res(TINFO, "Test symbolic links"); + + if (result == TPASS) + TST_EXP_PASS(symlink(FILE_SYM0, FILE_SYM1)); + else + TST_EXP_FAIL(symlink(FILE_SYM0, FILE_SYM1), EACCES); +} + +static void _test_truncate(const int result) +{ + int fd; + + tst_res(TINFO, "Test truncating file"); + + if (result == TPASS) { + TST_EXP_PASS(truncate(FILE_TRUNCATE, 10)); + + fd = SAFE_OPEN(FILE_TRUNCATE, O_WRONLY, PERM_MODE); + if (fd != -1) { + TST_EXP_PASS(ftruncate(fd, 10)); + SAFE_CLOSE(fd); + } + + 
fd = TST_EXP_FD(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE)); + if (fd != -1) + SAFE_CLOSE(fd); + } else { + TST_EXP_FAIL(truncate(FILE_TRUNCATE, 10), EACCES); + + fd = open(FILE_TRUNCATE, O_WRONLY, PERM_MODE); + if (fd != -1) { + TST_EXP_FAIL(ftruncate(fd, 10), EACCES); + SAFE_CLOSE(fd); + } + + TST_EXP_FAIL(open(FILE_TRUNCATE, O_WRONLY | O_TRUNC, PERM_MODE), + EACCES); + + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); + } +} + +static void tester_run_fs_rules(const int rules, const int result) +{ + if (rules & LANDLOCK_ACCESS_FS_EXECUTE) + _test_exec(result); + + if (rules & LANDLOCK_ACCESS_FS_WRITE_FILE) + _test_write(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_FILE) + _test_read(result); + + if (rules & LANDLOCK_ACCESS_FS_READ_DIR) + _test_readdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_DIR) + _test_rmdir(result); + + if (rules & LANDLOCK_ACCESS_FS_REMOVE_FILE) + _test_rmfile(result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_REG) + _test_make(FILE_REGULAR, S_IFREG, 0, result); + + if (strcmp(tst_device->fs_type, "vfat") && + strcmp(tst_device->fs_type, "exfat")) { + if (rules & LANDLOCK_ACCESS_FS_MAKE_CHAR) + _test_make(DEV_CHAR0, S_IFCHR, dev_chr, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_BLOCK) + _test_make(DEV_BLK0, S_IFBLK, dev_blk, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SOCK) + _test_make(FILE_SOCKET, S_IFSOCK, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_FIFO) + _test_make(FILE_FIFO, S_IFIFO, 0, result); + + if (rules & LANDLOCK_ACCESS_FS_MAKE_SYM) + _test_symbolic(result); + } + + if (rules & LANDLOCK_ACCESS_FS_TRUNCATE) { + int abi; + + abi = SAFE_LANDLOCK_CREATE_RULESET( + NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + + if (abi < 3) { + tst_res(TINFO, "Skip truncate test. 
Minimum ABI version is 3"); + return; + } + + _test_truncate(result); + } +} + +static inline void tester_run_all_fs_rules(const int pass_rules) +{ + int fail_rules; + int all_rules; + + all_rules = tester_get_all_fs_rules(); + fail_rules = all_rules & ~pass_rules; + + tester_run_fs_rules(pass_rules, TPASS); + tester_run_fs_rules(fail_rules, TFAIL); +} + +#endif
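Review bot: in enable_exec_libs() of landlock04.c, `char dependency[8][PATH_MAX]` is indexed by `count`, and `count++` runs for every distinct path found in /proc/self/maps with no upper bound, so a test binary that maps more than eight shared objects writes past the end of the array. Check `count` against ARRAY_SIZE(dependency) before the strncpy() and call tst_brk() (or stop recording duplicates) when it is reached. The `strstr(line, ".so")` filter is also applied to the whole maps line, so any mapping whose path merely contains ".so" gets a READ_FILE | EXECUTE rule; since these rules widen what the sandboxed child may execute, matching on the file name suffix would keep the allow-list limited to what the comment in setup() describes.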
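Review bot: landlock_tester.h opens with `#ifndef LANDLOCK_TESTER_H__` but never defines LANDLOCK_TESTER_H__, so the include guard has no effect; add the `#define` directly after the `#ifndef`. In the same file, ALL_RULES (and therefore handled_access_fs and fail_rules) contains LANDLOCK_ACCESS_FS_MAKE_DIR, LANDLOCK_ACCESS_FS_REFER and LANDLOCK_ACCESS_FS_IOCTL_DEV, yet tester_run_fs_rules() has no branch for any of them and tvariants[] has no MAKE_DIR entry, so neither the allowed nor the denied side of those rights is checked; either add the checks or say in a comment where they are covered. In _test_readdir(), the early `return` taken when opendir() succeeds and result == TFAIL skips SAFE_CLOSEDIR(dir), and the `de->d_type != DT_REG` filter will undercount on a filesystem that reports DT_UNKNOWN, which matters because landlock04 runs with .all_filesystems set.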
From patchwork Thu Aug 1 12:08:42 2024
X-Patchwork-Submitter: Andrea Cervesato
X-Patchwork-Id: 1967633
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:42 +0200
Subject: [LTP] [PATCH v5 5/6] Add landlock05 test
Message-Id: <20240801-landlock-v5-5-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it

This test verifies LANDLOCK_ACCESS_FS_REFER access in the landlock sandbox. The feature is available since kernel 5.19.

Reviewed-by: Li Wang
Signed-off-by: Andrea Cervesato
---
 runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock05.c | 118 ++++++++++++++++++++++++ 3 files changed, 120 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 67b2e2758..6522f5bc7 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -700,6 +700,7 @@ landlock01 landlock01 landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 +landlock05 landlock05 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index 4fe8d7cba..a7ea6be2e 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -3,3 +3,4 @@ landlock01 landlock02 landlock03 landlock04 +landlock05 diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c new file mode 100644 index 000000000..5083fe12b --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock05.c
@@ -0,0 +1,118 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_REFER access in the + * landlock sandbox. + * + * [Algorithm] + * + * - apply LANDLOCK_ACCESS_FS_REFER in the folder1 + * - apply LANDLOCK_ACCESS_FS_REFER in the folder2 + * - create folder3 + * - verify that file can be moved from folder1 to folder2 + * - verify that file can't be moved from folder1 to folder3 + */ + +#include "landlock_common.h" + +#define MNTPOINT "sandbox" +#define DIR1 MNTPOINT"/folder1" +#define DIR2 MNTPOINT"/folder2" +#define DIR3 MNTPOINT"/folder3" +#define FILENAME1 DIR1"/file" +#define FILENAME2 DIR2"/file" +#define FILENAME3 DIR3"/file" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; + +static void run(void) +{ + if (SAFE_FORK()) + return; + + TST_EXP_PASS(rename(FILENAME1, FILENAME2)); + if (TST_RET == -1) + return; + + TST_EXP_FAIL(rename(FILENAME2, FILENAME3), EXDEV); + TST_EXP_PASS(rename(FILENAME2, FILENAME1)); + + _exit(0); +} + +static void setup(void) +{ + int abi; + int ruleset_fd; + + abi = verify_landlock_is_enabled(); + if (abi < 2) + tst_brk(TCONF, "LANDLOCK_ACCESS_FS_REFER is unsupported on ABI < 2"); + + SAFE_MKDIR(DIR1, 0640); + SAFE_MKDIR(DIR2, 0640); + SAFE_MKDIR(DIR3, 0640); + SAFE_TOUCH(FILENAME1, 0640, NULL); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER"); + + ruleset_attr->handled_access_fs = + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_REFER; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR1); + + apply_landlock_rule( + path_beneath_attr, + ruleset_fd, + LANDLOCK_ACCESS_FS_REFER, + DIR2); + + enforce_ruleset(ruleset_fd); + + SAFE_CLOSE(ruleset_fd); +} + 
+static struct tst_test test = { + .test_all = run, + .setup = setup, + .needs_tmpdir = 1, + .needs_root = 1, + .forks_child = 1, + .needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .format_device = 1, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + "exfat", + NULL + }, +};
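Review bot: in run() of landlock05.c, the forked child leaves through `return` when the first rename() fails (`if (TST_RET == -1) return;`), so on that path the child falls back into the test library's caller as if it were the parent instead of terminating; use `_exit(0)` there, as the success path does, since TST_EXP_PASS() has already recorded the failure. The [Algorithm] block also says the denied move is from folder1 to folder3, while the code checks `rename(FILENAME2, FILENAME3)`, that is folder2 to folder3; align the description with the code. It would help to note in setup() that enforce_ruleset() is applied to the main test process rather than to the child, with READ_FILE and WRITE_FILE handled but never granted, because every later step in that process runs under those restrictions too.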
From: Andrea Cervesato
Date: Thu, 01 Aug 2024 14:08:43 +0200
MIME-Version: 1.0
Message-Id: <20240801-landlock-v5-6-663d7383b335@suse.com>
References: <20240801-landlock-v5-0-663d7383b335@suse.com>
In-Reply-To: <20240801-landlock-v5-0-663d7383b335@suse.com>
To: ltp@lists.linux.it
X-Mailer: b4 0.13.0
Subject: [LTP] [PATCH v5 6/6] Add landlock06 test
From: Andrea Cervesato
This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the landlock sandbox by creating a pipe and testing that ioctl() can be executed on it. The test is also verifying that some of the I/O operations can be always executed no matter the sandbox rules. This feature is available since kernel 6.10. Reviewed-by: Li Wang Reviewed-by: Petr Vorel Signed-off-by: Andrea Cervesato --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock06.c | 107 ++++++++++++++++++++++++ 3 files changed, 109 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index 6522f5bc7..7ebdb41d8 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -701,6 +701,7 @@ landlock02 landlock02 landlock03 landlock03 landlock04 landlock04 landlock05 landlock05 +landlock06 landlock06 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index a7ea6be2e..315ac1dca 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -4,3 +4,4 @@ landlock02 landlock03 landlock04 landlock05 +landlock06 
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c new file mode 100644 index 000000000..2b6e475e8 --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock06.c 
@@ -0,0 +1,107 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato + */ + +/*\ + * [Description] + * + * This test verifies LANDLOCK_ACCESS_FS_IOCTL_DEV access in the + * landlock sandbox by creating a pipe and testing that ioctl() can be executed + * on it. The test is also verifying that some of the I/O operations can be + * always executed no matter the sandbox rules. + */ + +#include "landlock_common.h" +#include + +#define MNTPOINT "sandbox" +#define FILENAME MNTPOINT"/fifo" + +static struct landlock_ruleset_attr *ruleset_attr; +static struct landlock_path_beneath_attr *path_beneath_attr; +static int file_fd = -1; +static int dev_fd = -1; + +static void run(void) +{ + if (SAFE_FORK()) + return; + + int flag; + size_t sz = 0; + + TST_EXP_PASS(ioctl(file_fd, FIONREAD, &sz)); + TST_EXP_PASS(ioctl(dev_fd, FIOCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONCLEX)); + TST_EXP_PASS(ioctl(dev_fd, FIONBIO, &flag)); + TST_EXP_PASS(ioctl(dev_fd, FIOASYNC, &flag)); + + _exit(0); +} + +static void setup(void) +{ + int ruleset_fd; + + if (verify_landlock_is_enabled() < 5) + tst_brk(TCONF, "LANDLOCK_ACCESS_FS_IOCTL_DEV is not supported"); + + SAFE_TOUCH(FILENAME, 0640, NULL); + + file_fd = SAFE_OPEN(FILENAME, O_RDONLY | O_NONBLOCK, 0640); + dev_fd = SAFE_OPEN("/dev/zero", O_RDONLY | O_NONBLOCK, 0640); + + tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV"); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV; + + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, sizeof(struct landlock_ruleset_attr), 0); + + apply_landlock_layer( + ruleset_attr, + path_beneath_attr, + MNTPOINT, + LANDLOCK_ACCESS_FS_IOCTL_DEV + ); + + SAFE_CLOSE(ruleset_fd); +} + +static void cleanup(void) +{ + if (dev_fd != -1) + SAFE_CLOSE(dev_fd); + + if (file_fd != -1) + SAFE_CLOSE(file_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .needs_root = 1, + .forks_child = 1, + 
.needs_kconfigs = (const char *[]) { + "CONFIG_SECURITY_LANDLOCK=y", + NULL + }, + .bufs = (struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .mount_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *[]) { + "vfat", + NULL + }, +};
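Review bot: in run() of landlock06.c, flag is passed to ioctl(dev_fd, FIONBIO, &flag) and ioctl(dev_fd, FIOASYNC, &flag) without being initialized, so whether non-blocking and async mode are switched on or off is indeterminate; initialize it (int flag = 0;). FIONREAD stores an int, so sz should be declared int rather than size_t. In setup(), ruleset_fd from SAFE_LANDLOCK_CREATE_RULESET() is never passed to anything except SAFE_CLOSE(), while apply_landlock_layer() is given ruleset_attr instead, so that ruleset looks unused and can be dropped. The description talks about a pipe and FILENAME ends in "/fifo", but SAFE_TOUCH() creates a regular file; either create a FIFO or adjust the wording. Both descriptors are opened before the ruleset is applied and every check is TST_EXP_PASS, so the test never shows an ioctl() being denied; a negative case would make the LANDLOCK_ACCESS_FS_IOCTL_DEV coverage meaningful.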