[LTP] [PATCH 1/5] Fallback landlock network support
Andrea Cervesato
andrea.cervesato@suse.de
Thu Sep 19 12:23:07 CEST 2024
From: Andrea Cervesato <andrea.cervesato@suse.com>
Landlock network support has been added in the ABI v4, adding features
for bind() and connect() syscalls. It also defined one more member in
the landlock_ruleset_attr struct, breaking our LTP fallbacks, used to
build landlock testing suite. For this reason, we introduce a
tst_landlock_ruleset_attr struct that wraps the base struct definition
and it adds the handled_access_net member.
This struct is then passed to the SAFE_LANDLOCK_CREATE_RULESET in order
to create our ruleset.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
configure.ac | 1 -
include/lapi/landlock.h | 39 +++++++++++++++-------
testcases/kernel/syscalls/landlock/landlock01.c | 18 +++++-----
testcases/kernel/syscalls/landlock/landlock02.c | 10 +++---
testcases/kernel/syscalls/landlock/landlock03.c | 8 ++---
testcases/kernel/syscalls/landlock/landlock04.c | 8 ++---
testcases/kernel/syscalls/landlock/landlock05.c | 8 ++---
testcases/kernel/syscalls/landlock/landlock06.c | 8 ++---
testcases/kernel/syscalls/landlock/landlock07.c | 8 ++---
.../kernel/syscalls/landlock/landlock_common.h | 4 +--
10 files changed, 63 insertions(+), 49 deletions(-)
diff --git a/configure.ac b/configure.ac
index ebbf49e28..52860ecdc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -172,7 +172,6 @@ AC_CHECK_MEMBERS([struct utsname.domainname],,,[
])
AC_CHECK_TYPES([enum kcmp_type],,,[#include <linux/kcmp.h>])
-AC_CHECK_TYPES([enum landlock_rule_type],,,[#include <linux/landlock.h>])
AC_CHECK_TYPES([struct acct_v3],,,[#include <sys/acct.h>])
AC_CHECK_TYPES([struct af_alg_iv, struct sockaddr_alg],,,[# include <linux/if_alg.h>])
AC_CHECK_TYPES([struct fanotify_event_info_fid, struct fanotify_event_info_error,
diff --git a/include/lapi/landlock.h b/include/lapi/landlock.h
index 211d171eb..326e9c7b6 100644
--- a/include/lapi/landlock.h
+++ b/include/lapi/landlock.h
@@ -7,6 +7,7 @@
#define LAPI_LANDLOCK_H__
#include "config.h"
+#include <stdint.h>
#ifdef HAVE_LINUX_LANDLOCK_H
# include <linux/landlock.h>
@@ -14,13 +15,27 @@
#include "lapi/syscalls.h"
-#ifndef HAVE_STRUCT_LANDLOCK_RULESET_ATTR
-struct landlock_ruleset_attr
+/*
+ * This is a complete fallback struct for the landlock_ruleset_attr struct
+ */
+struct tst_landlock_ruleset_attr_fallback
{
uint64_t handled_access_fs;
uint64_t handled_access_net;
};
-#endif
+
+struct tst_landlock_ruleset_attr
+{
+ union {
+#if !defined(HAVE_STRUCT_LANDLOCK_RULESET_ATTR) || \
+ !defined(HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET)
+ struct tst_landlock_ruleset_attr_fallback base;
+#else
+ struct landlock_ruleset_attr base;
+#endif
+ struct tst_landlock_ruleset_attr_fallback data;
+ };
+};
#ifndef HAVE_STRUCT_LANDLOCK_PATH_BENEATH_ATTR
struct landlock_path_beneath_attr
@@ -30,12 +45,12 @@ struct landlock_path_beneath_attr
} __attribute__((packed));
#endif
-#ifndef HAVE_ENUM_LANDLOCK_RULE_TYPE
-enum landlock_rule_type
-{
- LANDLOCK_RULE_PATH_BENEATH = 1,
- LANDLOCK_RULE_NET_PORT,
-};
+#ifndef LANDLOCK_RULE_PATH_BENEATH
+# define LANDLOCK_RULE_PATH_BENEATH 1
+#endif
+
+#ifndef LANDLOCK_RULE_NET_PORT
+# define LANDLOCK_RULE_NET_PORT 2
#endif
#ifndef HAVE_STRUCT_LANDLOCK_NET_PORT_ATTR
@@ -123,12 +138,12 @@ struct landlock_net_port_attr
#endif
static inline int safe_landlock_create_ruleset(const char *file, const int lineno,
- const struct landlock_ruleset_attr *attr,
+ const struct tst_landlock_ruleset_attr *attr,
size_t size , uint32_t flags)
{
int rval;
- rval = tst_syscall(__NR_landlock_create_ruleset, attr, size, flags);
+ rval = tst_syscall(__NR_landlock_create_ruleset, &attr->base, size, flags);
if (rval == -1) {
tst_brk_(file, lineno, TBROK | TERRNO,
"landlock_create_ruleset(%p, %zi, %u)",
@@ -143,7 +158,7 @@ static inline int safe_landlock_create_ruleset(const char *file, const int linen
}
static inline int safe_landlock_add_rule(const char *file, const int lineno,
- int ruleset_fd, enum landlock_rule_type rule_type,
+ int ruleset_fd, int rule_type,
const void *rule_attr, uint32_t flags)
{
int rval;
diff --git a/testcases/kernel/syscalls/landlock/landlock01.c b/testcases/kernel/syscalls/landlock/landlock01.c
index 083685c64..7f767c007 100644
--- a/testcases/kernel/syscalls/landlock/landlock01.c
+++ b/testcases/kernel/syscalls/landlock/landlock01.c
@@ -17,14 +17,14 @@
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
-static struct landlock_ruleset_attr *null_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *null_attr;
static size_t rule_size;
static size_t rule_small_size;
static size_t rule_big_size;
static struct tcase {
- struct landlock_ruleset_attr **attr;
+ struct tst_landlock_ruleset_attr **attr;
uint64_t access_fs;
size_t *size;
uint32_t flags;
@@ -44,10 +44,10 @@ static void run(unsigned int n)
struct tcase *tc = &tcases[n];
if (*tc->attr)
- (*tc->attr)->handled_access_fs = tc->access_fs;
+ (*tc->attr)->base.handled_access_fs = tc->access_fs;
TST_EXP_FAIL(tst_syscall(__NR_landlock_create_ruleset,
- *tc->attr, *tc->size, tc->flags),
+ &(*tc->attr)->base, *tc->size, tc->flags),
tc->exp_errno,
"%s",
tc->msg);
@@ -60,12 +60,12 @@ static void setup(void)
{
verify_landlock_is_enabled();
- rule_size = sizeof(struct landlock_ruleset_attr);
+ rule_size = sizeof(struct tst_landlock_ruleset_attr);
#ifdef HAVE_STRUCT_LANDLOCK_RULESET_ATTR_HANDLED_ACCESS_NET
- rule_small_size = rule_size - sizeof(uint64_t) - 1;
+ rule_small_size = rule_size - 2*sizeof(uint64_t) - 1;
#else
- rule_small_size = rule_size - 1;
+ rule_small_size = rule_size - sizeof(uint64_t) - 1;
#endif
rule_big_size = SAFE_SYSCONF(_SC_PAGESIZE) + 1;
@@ -77,7 +77,7 @@ static struct tst_test test = {
.setup = setup,
.needs_root = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock02.c b/testcases/kernel/syscalls/landlock/landlock02.c
index 1a3df69c9..bdef57b55 100644
--- a/testcases/kernel/syscalls/landlock/landlock02.c
+++ b/testcases/kernel/syscalls/landlock/landlock02.c
@@ -20,7 +20,7 @@
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static struct landlock_path_beneath_attr *rule_null;
static int ruleset_fd;
@@ -28,7 +28,7 @@ static int invalid_fd = -1;
static struct tcase {
int *fd;
- enum landlock_rule_type rule_type;
+ int rule_type;
struct landlock_path_beneath_attr **attr;
int access;
int parent_fd;
@@ -103,10 +103,10 @@ static void setup(void)
{
verify_landlock_is_enabled();
- ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
+ ruleset_attr->base.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
+ &ruleset_attr->base, sizeof(struct tst_landlock_ruleset_attr), 0));
}
static void cleanup(void)
@@ -122,7 +122,7 @@ static struct tst_test test = {
.cleanup = cleanup,
.needs_root = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock03.c b/testcases/kernel/syscalls/landlock/landlock03.c
index 224482255..15ed9bca0 100644
--- a/testcases/kernel/syscalls/landlock/landlock03.c
+++ b/testcases/kernel/syscalls/landlock/landlock03.c
@@ -21,7 +21,7 @@
#define MAX_STACKED_RULESETS 16
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static int ruleset_fd = -1;
static int ruleset_invalid = -1;
static int file_fd = -1;
@@ -86,10 +86,10 @@ static void setup(void)
{
verify_landlock_is_enabled();
- ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
+ ruleset_attr->base.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE;
ruleset_fd = TST_EXP_FD_SILENT(tst_syscall(__NR_landlock_create_ruleset,
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0));
+ &ruleset_attr->base, sizeof(struct tst_landlock_ruleset_attr), 0));
file_fd = SAFE_OPEN("junk.bin", O_CREAT, 0777);
}
@@ -112,7 +112,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock04.c b/testcases/kernel/syscalls/landlock/landlock04.c
index e9dedd450..c0644f4d6 100644
--- a/testcases/kernel/syscalls/landlock/landlock04.c
+++ b/testcases/kernel/syscalls/landlock/landlock04.c
@@ -15,7 +15,7 @@
#include "landlock_tester.h"
#include "tst_safe_stdio.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static int ruleset_fd = -1;
@@ -150,10 +150,10 @@ static void setup(void)
tst_res(TINFO, "Testing %s", variant.desc);
- ruleset_attr->handled_access_fs = tester_get_all_fs_rules();
+ ruleset_attr->data.handled_access_fs = tester_get_all_fs_rules();
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
/* since our binary is dynamically linked, we need to enable dependences
* to be read and executed
@@ -192,7 +192,7 @@ static struct tst_test test = {
NULL,
},
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock05.c b/testcases/kernel/syscalls/landlock/landlock05.c
index 703f7d81c..4efe19eb5 100644
--- a/testcases/kernel/syscalls/landlock/landlock05.c
+++ b/testcases/kernel/syscalls/landlock/landlock05.c
@@ -28,7 +28,7 @@
#define FILENAME2 DIR2"/file"
#define FILENAME3 DIR3"/file"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static void run(void)
@@ -62,13 +62,13 @@ static void setup(void)
tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_REFER");
- ruleset_attr->handled_access_fs =
+ ruleset_attr->data.handled_access_fs =
LANDLOCK_ACCESS_FS_READ_FILE |
LANDLOCK_ACCESS_FS_WRITE_FILE |
LANDLOCK_ACCESS_FS_REFER;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
apply_landlock_rule(
path_beneath_attr,
@@ -93,7 +93,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock06.c b/testcases/kernel/syscalls/landlock/landlock06.c
index 1a6e59241..39e0856e3 100644
--- a/testcases/kernel/syscalls/landlock/landlock06.c
+++ b/testcases/kernel/syscalls/landlock/landlock06.c
@@ -18,7 +18,7 @@
#define MNTPOINT "sandbox"
#define FILENAME MNTPOINT"/fifo"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static struct landlock_path_beneath_attr *path_beneath_attr;
static int file_fd = -1;
static int dev_fd = -1;
@@ -54,10 +54,10 @@ static void setup(void)
tst_res(TINFO, "Applying LANDLOCK_ACCESS_FS_IOCTL_DEV");
- ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
+ ruleset_attr->data.handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
apply_landlock_layer(
ruleset_attr,
@@ -85,7 +85,7 @@ static struct tst_test test = {
.needs_root = 1,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{&path_beneath_attr, .size = sizeof(struct landlock_path_beneath_attr)},
{},
},
diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c
index 6115ad538..bb9f22df7 100644
--- a/testcases/kernel/syscalls/landlock/landlock07.c
+++ b/testcases/kernel/syscalls/landlock/landlock07.c
@@ -25,7 +25,7 @@
#include "lapi/prctl.h"
#include "landlock_common.h"
-static struct landlock_ruleset_attr *ruleset_attr;
+static struct tst_landlock_ruleset_attr *ruleset_attr;
static int ruleset_fd;
static pid_t spawn_houdini(void)
@@ -74,10 +74,10 @@ static void setup(void)
{
verify_landlock_is_enabled();
- ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE;
+ ruleset_attr->data.handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
ruleset_attr,
- sizeof(struct landlock_ruleset_attr),
+ sizeof(struct tst_landlock_ruleset_attr),
0);
}
@@ -93,7 +93,7 @@ static struct tst_test test = {
.cleanup = cleanup,
.forks_child = 1,
.bufs = (struct tst_buffers []) {
- {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr)},
{},
},
.caps = (struct tst_cap []) {
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index da91daeab..c0bf88e4c 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -58,7 +58,7 @@ static inline void enforce_ruleset(const int ruleset_fd)
}
static inline void apply_landlock_layer(
- struct landlock_ruleset_attr *ruleset_attr,
+ struct tst_landlock_ruleset_attr *ruleset_attr,
struct landlock_path_beneath_attr *path_beneath_attr,
const char *path,
const int access)
@@ -66,7 +66,7 @@ static inline void apply_landlock_layer(
int ruleset_fd;
ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
- ruleset_attr, sizeof(struct landlock_ruleset_attr), 0);
+ ruleset_attr, sizeof(struct tst_landlock_ruleset_attr), 0);
apply_landlock_rule(path_beneath_attr, ruleset_fd, access, path);
enforce_ruleset(ruleset_fd);
--
2.43.0
More information about the ltp
mailing list