[LTP] [PATCH 08/10] Add landlock04 test
Li Wang
liwang@redhat.com
Tue Jul 2 10:00:22 CEST 2024
On Mon, Jul 1, 2024 at 11:44 PM Andrea Cervesato <andrea.cervesato@suse.de>
wrote:
> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> This test verifies that all landlock rules are working properly.
> The way we do it is to verify that all disabled syscalls are not
> working but the one we enabled via specifc landlock rules.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> runtest/syscalls | 1 +
> testcases/kernel/syscalls/landlock/.gitignore | 2 +
> testcases/kernel/syscalls/landlock/Makefile | 5 +
> testcases/kernel/syscalls/landlock/landlock04.c | 143 +++++++++
> testcases/kernel/syscalls/landlock/landlock_exec.c | 9 +
> .../kernel/syscalls/landlock/landlock_tester.h | 350
> +++++++++++++++++++++
> 6 files changed, 510 insertions(+)
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 1e2d682e3..9acdaf760 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -687,6 +687,7 @@ kill13 kill13
> landlock01 landlock01
> landlock02 landlock02
> landlock03 landlock03
> +landlock04 landlock04
>
> lchown01 lchown01
> lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/landlock/.gitignore
> b/testcases/kernel/syscalls/landlock/.gitignore
> index f79cd090b..4fe8d7cba 100644
> --- a/testcases/kernel/syscalls/landlock/.gitignore
> +++ b/testcases/kernel/syscalls/landlock/.gitignore
> @@ -1,3 +1,5 @@
> +landlock_exec
> landlock01
> landlock02
> landlock03
> +landlock04
> diff --git a/testcases/kernel/syscalls/landlock/Makefile
> b/testcases/kernel/syscalls/landlock/Makefile
> index 4b3e3fd8f..bdc6bd2d4 100644
> --- a/testcases/kernel/syscalls/landlock/Makefile
> +++ b/testcases/kernel/syscalls/landlock/Makefile
> @@ -8,3 +8,8 @@ include $(top_srcdir)/include/mk/testcases.mk
> LDLIBS += -lc
>
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> +
> +# the reason why landlock_exec test binary is statically linked, is that
> +# we can't read libc out of the sandboxed folder once
> LANDLOCK_ACCESS_FS_EXECUTE
> +# has been activated
> +landlock_exec: LDLIBS += -static -fPIC
> diff --git a/testcases/kernel/syscalls/landlock/landlock04.c
> b/testcases/kernel/syscalls/landlock/landlock04.c
> new file mode 100644
> index 000000000..1e7c6f3d1
> --- /dev/null
> +++ b/testcases/kernel/syscalls/landlock/landlock04.c
> @@ -0,0 +1,143 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <
> andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * [Description]
> + *
> + * This test verifies that all landlock rules are working properly. The
> way we
> + * do it is to verify that all disabled syscalls are not working but the
> one we
> + * enabled via specifc landlock rules.
> + */
> +
> +#include "landlock_common.h"
> +#include "landlock_tester.h"
> +
> +#define ACCESS_NAME(x) #x
> +
> +static struct landlock_ruleset_attr *ruleset_attr;
> +static struct landlock_path_beneath_attr *path_beneath_attr;
> +
> +static struct tvariant {
> + int access;
> + char *desc;
> +} tvariants[] = {
> + {
> + LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_EXECUTE)
> + },
> + {
> + LANDLOCK_ACCESS_FS_WRITE_FILE,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_WRITE_FILE)
> + },
> + {
> + LANDLOCK_ACCESS_FS_READ_FILE,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_FILE)
> + },
> + {
> + LANDLOCK_ACCESS_FS_READ_DIR,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_READ_DIR)
> + },
> + {
> + LANDLOCK_ACCESS_FS_REMOVE_DIR,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_DIR)
> + },
> + {
> + LANDLOCK_ACCESS_FS_REMOVE_FILE,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_REMOVE_FILE)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_CHAR,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_CHAR)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_BLOCK,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_BLOCK)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_REG,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_REG)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_SOCK,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SOCK)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_FIFO,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_FIFO)
> + },
> + {
> + LANDLOCK_ACCESS_FS_MAKE_SYM,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_MAKE_SYM)
> + },
> + {
> + LANDLOCK_ACCESS_FS_WRITE_FILE |
> LANDLOCK_ACCESS_FS_TRUNCATE,
> + ACCESS_NAME(LANDLOCK_ACCESS_FS_TRUNCATE)
> + },
> +};
> +
> +static void run(void)
> +{
> + if (!SAFE_FORK()) {
> + struct tvariant variant = tvariants[tst_variant];
> +
> + tester_run_all_rules(variant.access);
> + _exit(0);
> + }
> +}
> +
> +static void setup(void)
> +{
> + struct tvariant variant = tvariants[tst_variant];
> +
> + verify_landlock_is_enabled();
> + tester_create_tree();
> +
> + tst_res(TINFO, "Testing %s", variant.desc);
> +
> + ruleset_attr->handled_access_fs = tester_get_all_rules();
> +
> + apply_landlock_layer(
> + ruleset_attr,
> + path_beneath_attr,
> + SANDBOX_FOLDER,
> + variant.access);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .min_kver = "5.13",
> + .forks_child = 1,
> + .needs_tmpdir = 1,
> + .needs_root = 1,
> + .test_variants = ARRAY_SIZE(tvariants),
> + .resource_files = (const char *[]) {
> + TESTAPP,
> + NULL,
> + },
> + .needs_kconfigs = (const char *[]) {
> + "CONFIG_SECURITY_LANDLOCK=y",
> + NULL
> + },
> + .bufs = (struct tst_buffers []) {
> + {&ruleset_attr, .size = sizeof(struct
> landlock_ruleset_attr)},
> + {&path_beneath_attr, .size = sizeof(struct
> landlock_path_beneath_attr)},
> + {},
> + },
> + .caps = (struct tst_cap []) {
> + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
> + TST_CAP(TST_CAP_REQ, CAP_MKNOD),
>
We have to define CAP_MKNOD in the include/lapi/capability.h,
otherwise it can't be built on some platform.
landlock04.c:131:38: error: ‘CAP_MKNOD’ undeclared here (not in a
function); did you mean ‘SAFE_MKNOD’?
131 | TST_CAP(TST_CAP_REQ, CAP_MKNOD),
--
Regards,
Li Wang
More information about the ltp
mailing list