[LTP] [PATCH v3 3/4] landlock: add landlock09 test

Andrea Cervesato andrea.cervesato@suse.de
Fri Mar 28 15:24:55 CET 2025 

From: Andrea Cervesato <andrea.cervesato@suse.com>

Create landlock09 test in order to verify that sandboxed processes
enforced with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule can't
connect to any UNIX socket from non-sandboxed processes.

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/syscalls                                   |   1 +
 testcases/kernel/syscalls/landlock/.gitignore      |   1 +
 testcases/kernel/syscalls/landlock/landlock09.c    | 131 +++++++++++++++++++++
 .../kernel/syscalls/landlock/landlock_common.h     |  11 ++
 4 files changed, 144 insertions(+)

diff --git a/runtest/syscalls b/runtest/syscalls
index 05b3e0d376fae3adf1eb29c22c0b83fa49eee56f..e3ed1738922a954493b56240be12cc40de691b6e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -710,6 +710,7 @@ landlock05 landlock05
 landlock06 landlock06
 landlock07 landlock07
 landlock08 landlock08
+landlock09 landlock09
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index fc7317394948c4ac20cd14c3cd7ba7a47282b2bf..cda8d871e051ec88abba4634a2bcda4b10470d9f 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -7,3 +7,4 @@ landlock05
 landlock06
 landlock07
 landlock08
+landlock09
diff --git a/testcases/kernel/syscalls/landlock/landlock09.c b/testcases/kernel/syscalls/landlock/landlock09.c
new file mode 100644
index 0000000000000000000000000000000000000000..2e7f0021299152a1dbd0d7d7594487f551f04a24
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock09.c
@@ -0,0 +1,131 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2025 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Verify that landlock's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET rule reject any
+ * connect() coming from a client on a different server domain, but accept any
+ * connection.
+ */
+
+#include <stddef.h>
+#include "tst_test.h"
+#include "landlock_common.h"
+
+#define SOCKET_NAME "test.sock"
+#define ABSTRACT_SOCKET_NAME "\0"SOCKET_NAME
+#define SOCKET_LENGTH (offsetof(struct sockaddr_un, sun_path) + strlen(SOCKET_NAME) + 1)
+
+enum {
+	DOMAIN_CLIENT = 0,
+	DOMAIN_SERVER,
+	DOMAIN_BOTH,
+};
+
+static struct tst_landlock_ruleset_attr_abi6 *ruleset_attr;
+
+static void scoped_sandbox(const char *from)
+{
+	tst_res(TINFO, "Enforcing rule LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET on %s", from);
+
+	ruleset_attr->scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
+	apply_landlock_scoped_layer(ruleset_attr, sizeof(*ruleset_attr));
+}
+
+static void run_client(void)
+{
+	if (tst_variant == DOMAIN_CLIENT)
+		scoped_sandbox("client");
+
+	int sendsock;
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+		.sun_path = ABSTRACT_SOCKET_NAME,
+	};
+
+	TST_CHECKPOINT_WAIT(0);
+
+	tst_res(TINFO, "Connecting to UNIX socket");
+
+	sendsock = SAFE_SOCKET(AF_UNIX, SOCK_STREAM, 0);
+
+	if (tst_variant != DOMAIN_CLIENT)
+		TST_EXP_PASS(connect(sendsock, (struct sockaddr *)&addr, SOCKET_LENGTH));
+	else
+		TST_EXP_FAIL(connect(sendsock, (struct sockaddr *)&addr, SOCKET_LENGTH), EPERM);
+
+	SAFE_CLOSE(sendsock);
+
+	TST_CHECKPOINT_WAKE(0);
+}
+
+static void run_server(void)
+{
+	if (tst_variant == DOMAIN_SERVER)
+		scoped_sandbox("server");
+
+	int recvsock;
+	struct sockaddr_un addr = {
+		.sun_family = AF_UNIX,
+		.sun_path = ABSTRACT_SOCKET_NAME,
+	};
+
+	recvsock = SAFE_SOCKET(AF_UNIX, SOCK_STREAM, 0);
+
+	SAFE_BIND(recvsock, (struct sockaddr *)&addr, SOCKET_LENGTH);
+	SAFE_LISTEN(recvsock, 5);
+
+	tst_res(TINFO, "Listening on UNIX socket");
+
+	TST_CHECKPOINT_WAKE_AND_WAIT(0);
+
+	SAFE_CLOSE(recvsock);
+}
+
+static void run(void)
+{
+	/* isolate test inside a process so we won't stack too many
+	 * layers (-E2BIG) when there are multiple test's iterations
+	 */
+	if (SAFE_FORK())
+		return;
+
+	if (tst_variant == DOMAIN_BOTH)
+		scoped_sandbox("server and client");
+
+	if (!SAFE_FORK()) {
+		run_client();
+		exit(0);
+	}
+
+	run_server();
+
+	tst_reap_children();
+}
+
+static void setup(void)
+{
+	int abi;
+
+	abi = verify_landlock_is_enabled();
+	if (abi < 6)
+		tst_brk(TCONF, "LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET is unsupported on ABI < 6");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.needs_root = 1,
+	.forks_child = 1,
+	.needs_checkpoints = 1,
+	.test_variants = 3,
+	.bufs = (struct tst_buffers []) {
+		{&ruleset_attr, .size = sizeof(struct tst_landlock_ruleset_attr_abi6)},
+		{},
+	},
+	.caps = (struct tst_cap []) {
+		TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+		{}
+	},
+};
diff --git a/testcases/kernel/syscalls/landlock/landlock_common.h b/testcases/kernel/syscalls/landlock/landlock_common.h
index 4aa11b7d2ad46915cd1ce1592bdaa2fb6ad77628..8857745d6f1c1c30fc914924b8d0da381b36059f 100644
--- a/testcases/kernel/syscalls/landlock/landlock_common.h
+++ b/testcases/kernel/syscalls/landlock/landlock_common.h
@@ -115,6 +115,17 @@ static inline void apply_landlock_net_layer(
 	SAFE_CLOSE(ruleset_fd);
 }
 
+static inline void apply_landlock_scoped_layer(
+	void *ruleset_attr, size_t attr_size)
+{
+	int ruleset_fd;
+
+	ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(ruleset_attr, attr_size, 0);
+	enforce_ruleset(ruleset_fd);
+
+	SAFE_CLOSE(ruleset_fd);
+}
+
 static inline in_port_t getsocket_port(struct socket_data *socket,
 	const int addr_family)
 {

-- 
2.43.0

More information about the ltp mailing list