[LTP] [PATCH 2/5] Network helpers in landlock suite common functions
Andrea Cervesato
andrea.cervesato@suse.de
Thu Sep 19 12:23:08 CEST 2024
From: Andrea Cervesato <andrea.cervesato@suse.com>
Landlock suite helper functions don't support network features. This
patch adds an apply_landlock_net_layer() helper that can be used to apply a
network landlock rule in the current sandbox.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
testcases/kernel/syscalls/landlock/landlock05.c | 4 +--
testcases/kernel/syscalls/landlock/landlock06.c | 2 +-
.../kernel/syscalls/landlock/landlock_common.h | 39 ++++++++++++++++++++--
3 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c
index 4efe19eb5..f0afad11a 100644
--- a/testcases/kernel/syscalls/landlock/landlock05.c
+++ b/testcases/kernel/syscalls/landlock/landlock05.c
@@ -70,13 +70,13 @@ static void setup(void)
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
- apply_landlock_rule(
+ apply_landlock_fs_rule(
path_beneath_attr,
ruleset_fd,
LANDLOCK_ACCESS_FS_REFER,
DIR1);
- apply_landlock_rule(
+ apply_landlock_fs_rule(
path_beneath_attr,
ruleset_fd,
LANDLOCK_ACCESS_FS_REFER,
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c
index 39e0856e3..f04df2ff1 100644
--- a/testcases/kernel/syscalls/landlock/landlock06.c
+++ b/testcases/kernel/syscalls/landlock/landlock06.c
@@ -59,7 +59,7 @@ static void setup(void)
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
- apply_landlock_layer(
+ apply_landlock_fs_layer(
ruleset_attr,
path_beneath_attr,
MNTPOINT,
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index c0bf88e4c..a955340bf 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -33,7 +33,7 @@ static inline int verify_landlock_is_enabled(void)
return abi;
}
-static inline void apply_landlock_rule(
+static inline void apply_landlock_fs_rule(
struct landlock_path_beneath_attr *path_beneath_attr,
const int ruleset_fd,
const int access,
@@ -51,13 +51,29 @@ static inline void apply_landlock_rule(
SAFE_CLOSE(path_beneath_attr->parent_fd);
}
+static inline void apply_landlock_net_rule(
+ struct landlock_net_port_attr *net_attr,
+ const int ruleset_fd,
+ const uint64_t port,
+ const uint64_t access)
+{
+ net_attr->port = port;
+ net_attr->allowed_access = access;
+
+ SAFE_LANDLOCK_ADD_RULE(
+ ruleset_fd,
+ LANDLOCK_RULE_NET_PORT,
+ net_attr,
+ 0);
+}
+
static inline void enforce_ruleset(const int ruleset_fd)
{
SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0);
}
-static inline void apply_landlock_layer(
+static inline void apply_landlock_fs_layer(
struct tst_landlock_ruleset_attr *ruleset_attr,
struct landlock_path_beneath_attr *path_beneath_attr,
const char *path,
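Review bot: apply_landlock_net_rule (lines 60-74) accepts `port` as a uint64_t, but as far as I recall the kernel rejects a port above 65535 with EINVAL in landlock_add_rule(), and because SAFE_LANDLOCK_ADD_RULE aborts the test, a caller passing such a value gets an unexplained TBROK rather than a clear diagnostic. A cheap guard before the assignments makes the failure self-describing: `if (port > UINT16_MAX) tst_brk(TBROK, "port %llu out of range", (unsigned long long)port);`. The helper also has no comment, unlike the rest of the header's contract being implied by names only; I would add `/* Add a LANDLOCK_RULE_NET_PORT rule for port/access to ruleset_fd; port must fit in 16 bits */` above it. The renamed apply_landlock_fs_layer declaration at the end of the hunk continues outside it.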
@@ -68,7 +84,24 @@ static inline void apply_landlock_layer(
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
- apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path);
+ apply_landlock_fs_rule(path_beneath_attr, ruleset_fd, access, path);
+ enforce_ruleset(ruleset_fd);
+
+ SAFE_CLOSE(ruleset_fd);
+}
+
+static inline void apply_landlock_net_layer(
+ struct tst_landlock_ruleset_attr *ruleset_attr,
+ struct landlock_net_port_attr *net_port_attr,
+ const uint64_t port,
+ const uint64_t access)
+{
+ int ruleset_fd;
+
+ ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
+
+ apply_landlock_net_rule(net_port_attr, ruleset_fd, port, access);
enforce_ruleset(ruleset_fd);
SAFE_CLOSE(ruleset_fd);
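Review bot: apply_landlock_net_layer (from line 96) carries no comment, and its closing brace lies outside the hunk. Network rules presumably need Landlock ABI 4 or later, so when ruleset_attr carries handled_access_net on an older kernel SAFE_LANDLOCK_CREATE_RULESET fails and the test breaks instead of conf-skipping; the comment should say that callers are expected to check the ABI returned by verify_landlock_is_enabled() first. Suggested header: `/* Create a ruleset from ruleset_attr holding a single net port rule and enforce it in the current process; caller must have verified Landlock ABI >= 4 (network support) */`. As a point of style, the create/add/enforce/close sequence is now duplicated verbatim between apply_landlock_fs_layer (lines 87-94) and this helper; a shared static helper taking the rule callback would keep the two from drifting.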
--
2.43.0