[LTP] [PATCH v3 07/11] Add landlock03 test

Tue Jul 16 19:15:20 CEST 2024

Hi Andrea, Li,

...
> +static struct tcase {
> +	int *fd;
> +	uint32_t flags;
> +	int exp_errno;
> +	char *msg;
> +} tcases[] = {
> +	{&ruleset_fd, -1, EINVAL, "Invalid flags"},
> +	{&ruleset_invalid, 0, EBADF, "Invalid file descriptor"},
> +	{&file_fd, 0, EBADFD, "Not a ruleset file descriptor"},
> +	{&ruleset_fd, 0, EPERM, "File descriptor doesn't have CAP_SYS_ADMIN"},
> +	{&ruleset_fd, 0, E2BIG, "Maximum number of stacked rulesets is reached"},

I was going to merge this, but the last E2BIG does not work with -i2:

# ./landlock03 -i2
tst_kconfig.c:88: TINFO: Parsing kernel config '/boot/config-6.6.15-amd64'
tst_buffers.c:57: TINFO: Test is using guarded buffers
tst_test.c:1806: TINFO: LTP version: 20240524-99-gf651e2dd5
tst_test.c:1650: TINFO: Timeout per run is 0h 00m 30s
landlock_common.h:30: TINFO: Landlock ABI v3
landlock03.c:70: TPASS: Invalid flags : EINVAL (22)
landlock03.c:70: TPASS: Invalid file descriptor : EBADF (9)
landlock03.c:70: TPASS: Not a ruleset file descriptor : EBADFD (77)
tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: File descriptor doesn't have CAP_SYS_ADMIN : EPERM (1)
tst_capability.c:41: TINFO: Permitting CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: Maximum number of stacked rulesets is reached : E2BIG (7)
landlock03.c:70: TPASS: Invalid flags : EINVAL (22)
landlock03.c:70: TPASS: Invalid file descriptor : EBADF (9)
landlock03.c:70: TPASS: Not a ruleset file descriptor : EBADFD (77)
tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
landlock03.c:70: TPASS: File descriptor doesn't have CAP_SYS_ADMIN : EPERM (1)
tst_capability.c:41: TINFO: Permitting CAP_SYS_ADMIN(21)
landlock03.c:63: TFAIL: tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags) failed: E2BIG (7)

> +};
> +
> +static void run(unsigned int n)
> +{
> +	struct tcase *tc = &tcases[n];
> +
> +	if (tc->exp_errno == EPERM)
> +		tst_cap_action(&dropadmin);
> +
> +	if (tc->exp_errno == E2BIG) {
> +		for (int i = 0; i < MAX_STACKED_RULESETS; i++) {
> +			TST_EXP_PASS_SILENT(tst_syscall(__NR_landlock_restrict_self,
> +				*tc->fd, tc->flags));

I suppose any later call for E2BIG will fail, because we reached maximum of the
rulests, right? (That's why there is below TST_EXP_FAIL). Can we somehow undo
landlock rulestes?

It looks to me it's not possible:
https://docs.kernel.org/userspace-api/landlock.html#ruleset-layers
man page does not mention it either:
https://man7.org/linux/man-pages/man2/landlock_restrict_self.2.html
https://man7.org/linux/man-pages/man2/landlock_create_ruleset.2.html

Tomorrow I'll try to have look into the sources, but I guess we will need to
skip this last test for other iterations, right?

> +			if (TST_RET == -1)
> +				return;
> +		}
> +	}
> +
> +	TST_EXP_FAIL(tst_syscall(__NR_landlock_restrict_self, *tc->fd, tc->flags),
> +		tc->exp_errno,
> +		"%s", tc->msg);

Kind regards,
Petr
> +
> +	if (tc->exp_errno == EPERM)
> +		tst_cap_action(&needadmin);
> +}