[LTP] [PATCH 08/10] Add landlock04 test
Andrea Cervesato
andrea.cervesato@suse.com
Wed Jul 3 15:42:13 CEST 2024
Comments below.
On 7/2/24 14:22, Li Wang wrote:
>
>
> On Tue, Jul 2, 2024 at 4:00 PM Li Wang <liwang@redhat.com> wrote:
>
>
>
> On Mon, Jul 1, 2024 at 11:44 PM Andrea Cervesato
> <andrea.cervesato@suse.de> wrote:
>
> From: Andrea Cervesato <andrea.cervesato@suse.com>
>
> This test verifies that all landlock rules are working properly.
> The way we do it is to verify that all disabled syscalls are not
> working but the one we enabled via specific landlock rules.
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> runtest/syscalls | 1 +
> testcases/kernel/syscalls/landlock/.gitignore | 2 +
> testcases/kernel/syscalls/landlock/Makefile | 5 +
> testcases/kernel/syscalls/landlock/landlock04.c | 143
> +++++++++
> testcases/kernel/syscalls/landlock/landlock_exec.c | 9 +
> .../kernel/syscalls/landlock/landlock_tester.h | 350
> +++++++++++++++++++++
> 6 files changed, 510 insertions(+)
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 1e2d682e3..9acdaf760 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -687,6 +687,7 @@ kill13 kill13
> landlock01 landlock01
> landlock02 landlock02
> landlock03 landlock03
> +landlock04 landlock04
>
> lchown01 lchown01
> lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/landlock/.gitignore
> b/testcases/kernel/syscalls/landlock/.gitignore
> index f79cd090b..4fe8d7cba 100644
> --- a/testcases/kernel/syscalls/landlock/.gitignore
> +++ b/testcases/kernel/syscalls/landlock/.gitignore
> @@ -1,3 +1,5 @@
> +landlock_exec
> landlock01
> landlock02
> landlock03
> +landlock04
> diff --git a/testcases/kernel/syscalls/landlock/Makefile
> b/testcases/kernel/syscalls/landlock/Makefile
> index 4b3e3fd8f..bdc6bd2d4 100644
> --- a/testcases/kernel/syscalls/landlock/Makefile
> +++ b/testcases/kernel/syscalls/landlock/Makefile
> @@ -8,3 +8,8 @@ include $(top_srcdir)/include/mk/testcases.mk
> <http://testcases.mk>
> LDLIBS += -lc
>
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> <http://generic_leaf_target.mk>
> +
> +# the reason why landlock_exec test binary is statically
> linked, is that
> +# we can't read libc out of the sandboxed folder once
> LANDLOCK_ACCESS_FS_EXECUTE
> +# has been activated
> +landlock_exec: LDLIBS += -static -fPIC
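Review bot: On the `landlock_exec: LDLIBS += -static -fPIC` line, neither flag is a library, so LDLIBS is the wrong variable for them. `-static` is a link option that would normally be appended to LDFLAGS, and `-fPIC` is a code-generation option that belongs in CFLAGS, if it is needed at all for a statically linked helper. The comment above the rule could also say which step fails (loading libc at exec time from outside the sandboxed folder), so the reason for the special case stays clear to later readers.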
>
>
> And, if we decide to build the program as static, we'd better
> add glibc-static to the dependency list, otherwise it always
> fails to link the binary on RHEL distributions.
>
We found a solution for this. We compile landlock_exec with dynamic
linking, then we apply READ + EXEC rules to /lib and /lib64.
In this way we can easily execute the binary and we don't need more LTP
dependencies.
> --- a/ci/fedora.sh
> +++ b/ci/fedora.sh
> @@ -17,6 +17,7 @@ $yum \
> numactl-devel \
> libtirpc \
> libtirpc-devel \
> + libc-static \
> perl-JSON \
> perl-libwww-perl \
> pkg-config \
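Review bot: The package added on the `+` line is `libc-static`, while the text introducing this hunk asks for `glibc-static`; the two should agree, and the package that ships the static libc on Fedora and RHEL is `glibc-static`. If the static build is kept, any other distribution script under ci/ that builds this test needs the equivalent package as well, since only ci/fedora.sh is changed here.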
>
>
>
> --
> Regards,
> Li Wang
Andrea
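The approach described in the reply above (a dynamically linked binary plus READ + EXEC rules on /lib and /lib64), written out as an added example; it is not code from the patch or from LTP. The helper names `landlock_abi` and `allow_read_exec_beneath` are hypothetical, and the build is assumed to have kernel headers that ship `<linux/landlock.h>`.

```c
#define _GNU_SOURCE /* for syscall() under strict -std modes */
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The READ + EXEC pair from the reply, as Landlock access bits. */
#define LIB_ACCESS (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_EXECUTE)

/* Landlock ABI version of the running kernel, or -1 if Landlock is unavailable. */
int landlock_abi(void)
{
	return (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
}

/* Hypothetical helper: deny file read/execute everywhere except beneath
 * dirs[0..n-1], then enforce the ruleset on the caller. Directories that do
 * not exist (e.g. no /lib64) are skipped. Returns rules added, or -1. */
int allow_read_exec_beneath(const char *const dirs[], size_t n)
{
	struct landlock_ruleset_attr attr = { .handled_access_fs = LIB_ACCESS };
	int added = 0;
	int ruleset = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);

	if (ruleset < 0)
		return -1;
	for (size_t i = 0; i < n && added >= 0; i++) {
		struct landlock_path_beneath_attr rule = { .allowed_access = LIB_ACCESS };

		rule.parent_fd = open(dirs[i], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
		if (rule.parent_fd < 0 && errno == ENOENT)
			continue; /* directory absent on this distribution */
		if (rule.parent_fd < 0 || syscall(SYS_landlock_add_rule, ruleset,
						  LANDLOCK_RULE_PATH_BENEATH, &rule, 0))
			added = -1;
		else
			added++;
		if (rule.parent_fd >= 0)
			close(rule.parent_fd);
	}
	/* no_new_privs must be set before an unprivileged landlock_restrict_self() */
	if (added >= 0 && (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
			   syscall(SYS_landlock_restrict_self, ruleset, 0)))
		added = -1;
	close(ruleset);
	return added;
}
```

The directory that holds the binary to be executed needs the same rule, since the kernel checks LANDLOCK_ACCESS_FS_EXECUTE on the file passed to `execve()` as well as on the libraries it loads.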