fs_test.c 215 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Landlock tests - Filesystem
  4. *
  5. * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2020 ANSSI
  7. * Copyright © 2020-2022 Microsoft Corporation
  8. */
  9. #define _GNU_SOURCE
  10. #include <asm/termbits.h>
  11. #include <fcntl.h>
  12. #include <libgen.h>
  13. #include <linux/fiemap.h>
  14. #include <linux/landlock.h>
  15. #include <linux/magic.h>
  16. #include <sched.h>
  17. #include <stddef.h>
  18. #include <stdio.h>
  19. #include <string.h>
  20. #include <sys/capability.h>
  21. #include <sys/ioctl.h>
  22. #include <sys/mount.h>
  23. #include <sys/prctl.h>
  24. #include <sys/sendfile.h>
  25. #include <sys/socket.h>
  26. #include <sys/stat.h>
  27. #include <sys/sysmacros.h>
  28. #include <sys/un.h>
  29. #include <sys/vfs.h>
  30. #include <unistd.h>
  31. /*
  32. * Intentionally included last to work around header conflict.
  33. * See https://sourceware.org/glibc/wiki/Synchronizing_Headers.
  34. */
  35. #include <linux/fs.h>
  36. #include <linux/mount.h>
  37. /* Defines AT_EXECVE_CHECK without type conflicts. */
  38. #define _ASM_GENERIC_FCNTL_H
  39. #include <linux/fcntl.h>
  40. #include "audit.h"
  41. #include "common.h"
  42. #ifndef renameat2
  43. int renameat2(int olddirfd, const char *oldpath, int newdirfd,
  44. const char *newpath, unsigned int flags)
  45. {
  46. return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath,
  47. flags);
  48. }
  49. #endif
  50. #ifndef open_tree
  51. int open_tree(int dfd, const char *filename, unsigned int flags)
  52. {
  53. return syscall(__NR_open_tree, dfd, filename, flags);
  54. }
  55. #endif
  56. static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
  57. char *const envp[], int flags)
  58. {
  59. return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
  60. }
  61. #ifndef RENAME_EXCHANGE
  62. #define RENAME_EXCHANGE (1 << 1)
  63. #endif
  64. static const char bin_true[] = "./true";
  65. /* Paths (sibling number and depth) */
  66. static const char dir_s1d1[] = TMP_DIR "/s1d1";
  67. static const char file1_s1d1[] = TMP_DIR "/s1d1/f1";
  68. static const char file2_s1d1[] = TMP_DIR "/s1d1/f2";
  69. static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2";
  70. static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1";
  71. static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2";
  72. static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3";
  73. static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1";
  74. static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2";
  75. static const char dir_s2d1[] = TMP_DIR "/s2d1";
  76. static const char file1_s2d1[] = TMP_DIR "/s2d1/f1";
  77. static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2";
  78. static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1";
  79. static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3";
  80. static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1";
  81. static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2";
  82. static const char dir_s3d1[] = TMP_DIR "/s3d1";
  83. static const char file1_s3d1[] = TMP_DIR "/s3d1/f1";
  84. /* dir_s3d2 is a mount point. */
  85. static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2";
  86. static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3";
  87. static const char file1_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3/f1";
  88. static const char dir_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4";
  89. static const char file1_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4/f1";
  90. /*
  91. * layout1 hierarchy:
  92. *
  93. * tmp
  94. * ├── s1d1
  95. * │   ├── f1
  96. * │   ├── f2
  97. * │   └── s1d2
  98. * │   ├── f1
  99. * │   ├── f2
  100. * │   └── s1d3
  101. * │   ├── f1
  102. * │   └── f2
  103. * ├── s2d1
  104. * │   ├── f1
  105. * │   └── s2d2
  106. * │   ├── f1
  107. * │   └── s2d3
  108. * │   ├── f1
  109. * │   └── f2
  110. * └── s3d1
  111. *    ├── f1
  112. * └── s3d2 [mount point]
  113. *    ├── s3d3
  114. *    │ └── f1
  115. *    └── s3d4
  116. *    └── f1
  117. */
  118. static bool fgrep(FILE *const inf, const char *const str)
  119. {
  120. char line[32];
  121. const int slen = strlen(str);
  122. while (!feof(inf)) {
  123. if (!fgets(line, sizeof(line), inf))
  124. break;
  125. if (strncmp(line, str, slen))
  126. continue;
  127. return true;
  128. }
  129. return false;
  130. }
  131. static bool supports_filesystem(const char *const filesystem)
  132. {
  133. char str[32];
  134. int len;
  135. bool res = true;
  136. FILE *const inf = fopen("/proc/filesystems", "r");
  137. /*
  138. * Consider that the filesystem is supported if we cannot get the
  139. * supported ones.
  140. */
  141. if (!inf)
  142. return true;
  143. /* filesystem can be null for bind mounts. */
  144. if (!filesystem)
  145. goto out;
  146. len = snprintf(str, sizeof(str), "nodev\t%s\n", filesystem);
  147. if (len >= sizeof(str))
  148. /* Ignores too-long filesystem names. */
  149. goto out;
  150. res = fgrep(inf, str);
  151. out:
  152. fclose(inf);
  153. return res;
  154. }
  155. static bool cwd_matches_fs(unsigned int fs_magic)
  156. {
  157. struct statfs statfs_buf;
  158. if (!fs_magic)
  159. return true;
  160. if (statfs(".", &statfs_buf))
  161. return true;
  162. return statfs_buf.f_type == fs_magic;
  163. }
  164. static void mkdir_parents(struct __test_metadata *const _metadata,
  165. const char *const path)
  166. {
  167. char *walker;
  168. const char *parent;
  169. int i, err;
  170. ASSERT_NE(path[0], '\0');
  171. walker = strdup(path);
  172. ASSERT_NE(NULL, walker);
  173. parent = walker;
  174. for (i = 1; walker[i]; i++) {
  175. if (walker[i] != '/')
  176. continue;
  177. walker[i] = '\0';
  178. err = mkdir(parent, 0700);
  179. ASSERT_FALSE(err && errno != EEXIST)
  180. {
  181. TH_LOG("Failed to create directory \"%s\": %s", parent,
  182. strerror(errno));
  183. }
  184. walker[i] = '/';
  185. }
  186. free(walker);
  187. }
  188. static void create_directory(struct __test_metadata *const _metadata,
  189. const char *const path)
  190. {
  191. mkdir_parents(_metadata, path);
  192. ASSERT_EQ(0, mkdir(path, 0700))
  193. {
  194. TH_LOG("Failed to create directory \"%s\": %s", path,
  195. strerror(errno));
  196. }
  197. }
  198. static void create_file(struct __test_metadata *const _metadata,
  199. const char *const path)
  200. {
  201. mkdir_parents(_metadata, path);
  202. ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0))
  203. {
  204. TH_LOG("Failed to create file \"%s\": %s", path,
  205. strerror(errno));
  206. }
  207. }
  208. static int remove_path(const char *const path)
  209. {
  210. char *walker;
  211. int i, ret, err = 0;
  212. walker = strdup(path);
  213. if (!walker) {
  214. err = ENOMEM;
  215. goto out;
  216. }
  217. if (unlink(path) && rmdir(path)) {
  218. if (errno != ENOENT && errno != ENOTDIR)
  219. err = errno;
  220. goto out;
  221. }
  222. for (i = strlen(walker); i > 0; i--) {
  223. if (walker[i] != '/')
  224. continue;
  225. walker[i] = '\0';
  226. ret = rmdir(walker);
  227. if (ret) {
  228. if (errno != ENOTEMPTY && errno != EBUSY)
  229. err = errno;
  230. goto out;
  231. }
  232. if (strcmp(walker, TMP_DIR) == 0)
  233. goto out;
  234. }
  235. out:
  236. free(walker);
  237. return err;
  238. }
  239. struct mnt_opt {
  240. const char *const source;
  241. const char *const type;
  242. const unsigned long flags;
  243. const char *const data;
  244. };
  245. #define MNT_TMP_DATA "size=4m,mode=700"
  246. static const struct mnt_opt mnt_tmp = {
  247. .type = "tmpfs",
  248. .data = MNT_TMP_DATA,
  249. };
  250. static int mount_opt(const struct mnt_opt *const mnt, const char *const target)
  251. {
  252. return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags,
  253. mnt->data);
  254. }
  255. static void prepare_layout_opt(struct __test_metadata *const _metadata,
  256. const struct mnt_opt *const mnt)
  257. {
  258. disable_caps(_metadata);
  259. umask(0077);
  260. create_directory(_metadata, TMP_DIR);
  261. /*
  262. * Do not pollute the rest of the system: creates a private mount point
  263. * for tests relying on pivot_root(2) and move_mount(2).
  264. */
  265. set_cap(_metadata, CAP_SYS_ADMIN);
  266. ASSERT_EQ(0, unshare(CLONE_NEWNS | CLONE_NEWCGROUP));
  267. ASSERT_EQ(0, mount_opt(mnt, TMP_DIR))
  268. {
  269. TH_LOG("Failed to mount the %s filesystem: %s", mnt->type,
  270. strerror(errno));
  271. /*
  272. * FIXTURE_TEARDOWN() is not called when FIXTURE_SETUP()
  273. * failed, so we need to explicitly do a minimal cleanup to
  274. * avoid cascading errors with other tests that don't depend on
  275. * the same filesystem.
  276. */
  277. remove_path(TMP_DIR);
  278. }
  279. ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL));
  280. clear_cap(_metadata, CAP_SYS_ADMIN);
  281. }
  282. static void prepare_layout(struct __test_metadata *const _metadata)
  283. {
  284. prepare_layout_opt(_metadata, &mnt_tmp);
  285. }
  286. static void cleanup_layout(struct __test_metadata *const _metadata)
  287. {
  288. set_cap(_metadata, CAP_SYS_ADMIN);
  289. if (umount(TMP_DIR)) {
  290. /*
  291. * According to the test environment, the mount point of the
  292. * current directory may be shared or not, which changes the
  293. * visibility of the nested TMP_DIR mount point for the test's
  294. * parent process doing this cleanup.
  295. */
  296. ASSERT_EQ(EINVAL, errno);
  297. }
  298. clear_cap(_metadata, CAP_SYS_ADMIN);
  299. EXPECT_EQ(0, remove_path(TMP_DIR));
  300. }
  301. /* clang-format off */
  302. FIXTURE(layout0) {};
  303. /* clang-format on */
  304. FIXTURE_SETUP(layout0)
  305. {
  306. prepare_layout(_metadata);
  307. }
  308. FIXTURE_TEARDOWN_PARENT(layout0)
  309. {
  310. cleanup_layout(_metadata);
  311. }
  312. static void create_layout1(struct __test_metadata *const _metadata)
  313. {
  314. create_file(_metadata, file1_s1d1);
  315. create_file(_metadata, file1_s1d2);
  316. create_file(_metadata, file1_s1d3);
  317. create_file(_metadata, file2_s1d1);
  318. create_file(_metadata, file2_s1d2);
  319. create_file(_metadata, file2_s1d3);
  320. create_file(_metadata, file1_s2d1);
  321. create_file(_metadata, file1_s2d2);
  322. create_file(_metadata, file1_s2d3);
  323. create_file(_metadata, file2_s2d3);
  324. create_file(_metadata, file1_s3d1);
  325. create_directory(_metadata, dir_s3d2);
  326. set_cap(_metadata, CAP_SYS_ADMIN);
  327. ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2));
  328. clear_cap(_metadata, CAP_SYS_ADMIN);
  329. create_file(_metadata, file1_s3d3);
  330. create_file(_metadata, file1_s3d4);
  331. }
  332. static void remove_layout1(struct __test_metadata *const _metadata)
  333. {
  334. EXPECT_EQ(0, remove_path(file2_s1d3));
  335. EXPECT_EQ(0, remove_path(file2_s1d2));
  336. EXPECT_EQ(0, remove_path(file2_s1d1));
  337. EXPECT_EQ(0, remove_path(file1_s1d3));
  338. EXPECT_EQ(0, remove_path(file1_s1d2));
  339. EXPECT_EQ(0, remove_path(file1_s1d1));
  340. EXPECT_EQ(0, remove_path(dir_s1d3));
  341. EXPECT_EQ(0, remove_path(file2_s2d3));
  342. EXPECT_EQ(0, remove_path(file1_s2d3));
  343. EXPECT_EQ(0, remove_path(file1_s2d2));
  344. EXPECT_EQ(0, remove_path(file1_s2d1));
  345. EXPECT_EQ(0, remove_path(dir_s2d2));
  346. EXPECT_EQ(0, remove_path(file1_s3d1));
  347. EXPECT_EQ(0, remove_path(file1_s3d3));
  348. EXPECT_EQ(0, remove_path(file1_s3d4));
  349. set_cap(_metadata, CAP_SYS_ADMIN);
  350. umount(dir_s3d2);
  351. clear_cap(_metadata, CAP_SYS_ADMIN);
  352. EXPECT_EQ(0, remove_path(dir_s3d2));
  353. }
  354. /* clang-format off */
  355. FIXTURE(layout1) {};
  356. /* clang-format on */
  357. FIXTURE_SETUP(layout1)
  358. {
  359. prepare_layout(_metadata);
  360. create_layout1(_metadata);
  361. }
  362. FIXTURE_TEARDOWN_PARENT(layout1)
  363. {
  364. remove_layout1(_metadata);
  365. cleanup_layout(_metadata);
  366. }
  367. /*
  368. * This helper enables to use the ASSERT_* macros and print the line number
  369. * pointing to the test caller.
  370. */
  371. static int test_open_rel(const int dirfd, const char *const path,
  372. const int flags)
  373. {
  374. int fd;
  375. /* Works with file and directories. */
  376. fd = openat(dirfd, path, flags | O_CLOEXEC);
  377. if (fd < 0)
  378. return errno;
  379. /*
  380. * Mixing error codes from close(2) and open(2) should not lead to any
  381. * (access type) confusion for this test.
  382. */
  383. if (close(fd) != 0)
  384. return errno;
  385. return 0;
  386. }
  387. static int test_open(const char *const path, const int flags)
  388. {
  389. return test_open_rel(AT_FDCWD, path, flags);
  390. }
  391. TEST_F_FORK(layout1, no_restriction)
  392. {
  393. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  394. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
  395. ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY));
  396. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
  397. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  398. ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY));
  399. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
  400. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  401. ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
  402. ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
  403. ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
  404. ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
  405. ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY));
  406. ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY));
  407. ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
  408. ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
  409. ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
  410. }
  411. TEST_F_FORK(layout1, inval)
  412. {
  413. struct landlock_path_beneath_attr path_beneath = {
  414. .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
  415. LANDLOCK_ACCESS_FS_WRITE_FILE,
  416. .parent_fd = -1,
  417. };
  418. struct landlock_ruleset_attr ruleset_attr = {
  419. .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
  420. LANDLOCK_ACCESS_FS_WRITE_FILE,
  421. };
  422. int ruleset_fd;
  423. path_beneath.parent_fd =
  424. open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
  425. ASSERT_LE(0, path_beneath.parent_fd);
  426. ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC);
  427. ASSERT_LE(0, ruleset_fd);
  428. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  429. &path_beneath, 0));
  430. /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */
  431. ASSERT_EQ(EBADF, errno);
  432. ASSERT_EQ(0, close(ruleset_fd));
  433. ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC);
  434. ASSERT_LE(0, ruleset_fd);
  435. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  436. &path_beneath, 0));
  437. /* Returns EBADFD because ruleset_fd is not a valid ruleset. */
  438. ASSERT_EQ(EBADFD, errno);
  439. ASSERT_EQ(0, close(ruleset_fd));
  440. /* Gets a real ruleset. */
  441. ruleset_fd =
  442. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  443. ASSERT_LE(0, ruleset_fd);
  444. ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  445. &path_beneath, 0));
  446. ASSERT_EQ(0, close(path_beneath.parent_fd));
  447. /* Tests without O_PATH. */
  448. path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC);
  449. ASSERT_LE(0, path_beneath.parent_fd);
  450. ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  451. &path_beneath, 0));
  452. ASSERT_EQ(0, close(path_beneath.parent_fd));
  453. /* Tests with a ruleset FD. */
  454. path_beneath.parent_fd = ruleset_fd;
  455. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  456. &path_beneath, 0));
  457. ASSERT_EQ(EBADFD, errno);
  458. /* Checks unhandled allowed_access. */
  459. path_beneath.parent_fd =
  460. open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
  461. ASSERT_LE(0, path_beneath.parent_fd);
  462. /* Test with legitimate values. */
  463. path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE;
  464. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  465. &path_beneath, 0));
  466. ASSERT_EQ(EINVAL, errno);
  467. path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
  468. /* Tests with denied-by-default access right. */
  469. path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER;
  470. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  471. &path_beneath, 0));
  472. ASSERT_EQ(EINVAL, errno);
  473. path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;
  474. /* Test with unknown (64-bits) value. */
  475. path_beneath.allowed_access |= (1ULL << 60);
  476. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  477. &path_beneath, 0));
  478. ASSERT_EQ(EINVAL, errno);
  479. path_beneath.allowed_access &= ~(1ULL << 60);
  480. /* Test with no access. */
  481. path_beneath.allowed_access = 0;
  482. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  483. &path_beneath, 0));
  484. ASSERT_EQ(ENOMSG, errno);
  485. path_beneath.allowed_access &= ~(1ULL << 60);
  486. ASSERT_EQ(0, close(path_beneath.parent_fd));
  487. /* Enforces the ruleset. */
  488. ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
  489. ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
  490. ASSERT_EQ(0, close(ruleset_fd));
  491. }
  492. /* clang-format off */
  493. #define ACCESS_FILE ( \
  494. LANDLOCK_ACCESS_FS_EXECUTE | \
  495. LANDLOCK_ACCESS_FS_WRITE_FILE | \
  496. LANDLOCK_ACCESS_FS_READ_FILE | \
  497. LANDLOCK_ACCESS_FS_TRUNCATE | \
  498. LANDLOCK_ACCESS_FS_IOCTL_DEV)
  499. #define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV
  500. #define ACCESS_ALL ( \
  501. ACCESS_FILE | \
  502. LANDLOCK_ACCESS_FS_READ_DIR | \
  503. LANDLOCK_ACCESS_FS_REMOVE_DIR | \
  504. LANDLOCK_ACCESS_FS_REMOVE_FILE | \
  505. LANDLOCK_ACCESS_FS_MAKE_CHAR | \
  506. LANDLOCK_ACCESS_FS_MAKE_DIR | \
  507. LANDLOCK_ACCESS_FS_MAKE_REG | \
  508. LANDLOCK_ACCESS_FS_MAKE_SOCK | \
  509. LANDLOCK_ACCESS_FS_MAKE_FIFO | \
  510. LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
  511. LANDLOCK_ACCESS_FS_MAKE_SYM | \
  512. LANDLOCK_ACCESS_FS_REFER)
  513. /* clang-format on */
  514. TEST_F_FORK(layout1, file_and_dir_access_rights)
  515. {
  516. __u64 access;
  517. int err;
  518. struct landlock_path_beneath_attr path_beneath_file = {},
  519. path_beneath_dir = {};
  520. struct landlock_ruleset_attr ruleset_attr = {
  521. .handled_access_fs = ACCESS_ALL,
  522. };
  523. const int ruleset_fd =
  524. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  525. ASSERT_LE(0, ruleset_fd);
  526. /* Tests access rights for files. */
  527. path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
  528. ASSERT_LE(0, path_beneath_file.parent_fd);
  529. /* Tests access rights for directories. */
  530. path_beneath_dir.parent_fd =
  531. open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
  532. ASSERT_LE(0, path_beneath_dir.parent_fd);
  533. for (access = 1; access <= ACCESS_LAST; access <<= 1) {
  534. path_beneath_dir.allowed_access = access;
  535. ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
  536. LANDLOCK_RULE_PATH_BENEATH,
  537. &path_beneath_dir, 0));
  538. path_beneath_file.allowed_access = access;
  539. err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  540. &path_beneath_file, 0);
  541. if (access & ACCESS_FILE) {
  542. ASSERT_EQ(0, err);
  543. } else {
  544. ASSERT_EQ(-1, err);
  545. ASSERT_EQ(EINVAL, errno);
  546. }
  547. }
  548. ASSERT_EQ(0, close(path_beneath_file.parent_fd));
  549. ASSERT_EQ(0, close(path_beneath_dir.parent_fd));
  550. ASSERT_EQ(0, close(ruleset_fd));
  551. }
  552. TEST_F_FORK(layout0, ruleset_with_unknown_access)
  553. {
  554. __u64 access_mask;
  555. for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
  556. access_mask >>= 1) {
  557. struct landlock_ruleset_attr ruleset_attr = {
  558. .handled_access_fs = access_mask,
  559. };
  560. ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
  561. sizeof(ruleset_attr), 0));
  562. ASSERT_EQ(EINVAL, errno);
  563. }
  564. }
  565. TEST_F_FORK(layout0, rule_with_unknown_access)
  566. {
  567. __u64 access;
  568. struct landlock_path_beneath_attr path_beneath = {};
  569. const struct landlock_ruleset_attr ruleset_attr = {
  570. .handled_access_fs = ACCESS_ALL,
  571. };
  572. const int ruleset_fd =
  573. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  574. ASSERT_LE(0, ruleset_fd);
  575. path_beneath.parent_fd =
  576. open(TMP_DIR, O_PATH | O_DIRECTORY | O_CLOEXEC);
  577. ASSERT_LE(0, path_beneath.parent_fd);
  578. for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) {
  579. path_beneath.allowed_access = access;
  580. EXPECT_EQ(-1, landlock_add_rule(ruleset_fd,
  581. LANDLOCK_RULE_PATH_BENEATH,
  582. &path_beneath, 0));
  583. EXPECT_EQ(EINVAL, errno);
  584. }
  585. ASSERT_EQ(0, close(path_beneath.parent_fd));
  586. ASSERT_EQ(0, close(ruleset_fd));
  587. }
  588. TEST_F_FORK(layout1, rule_with_unhandled_access)
  589. {
  590. struct landlock_ruleset_attr ruleset_attr = {
  591. .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
  592. };
  593. struct landlock_path_beneath_attr path_beneath = {};
  594. int ruleset_fd;
  595. __u64 access;
  596. ruleset_fd =
  597. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  598. ASSERT_LE(0, ruleset_fd);
  599. path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
  600. ASSERT_LE(0, path_beneath.parent_fd);
  601. for (access = 1; access > 0; access <<= 1) {
  602. int err;
  603. path_beneath.allowed_access = access;
  604. err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  605. &path_beneath, 0);
  606. if (access == ruleset_attr.handled_access_fs) {
  607. EXPECT_EQ(0, err);
  608. } else {
  609. EXPECT_EQ(-1, err);
  610. EXPECT_EQ(EINVAL, errno);
  611. }
  612. }
  613. EXPECT_EQ(0, close(path_beneath.parent_fd));
  614. EXPECT_EQ(0, close(ruleset_fd));
  615. }
  616. static void add_path_beneath(struct __test_metadata *const _metadata,
  617. const int ruleset_fd, const __u64 allowed_access,
  618. const char *const path)
  619. {
  620. struct landlock_path_beneath_attr path_beneath = {
  621. .allowed_access = allowed_access,
  622. };
  623. path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC);
  624. ASSERT_LE(0, path_beneath.parent_fd)
  625. {
  626. TH_LOG("Failed to open directory \"%s\": %s", path,
  627. strerror(errno));
  628. }
  629. ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  630. &path_beneath, 0))
  631. {
  632. TH_LOG("Failed to update the ruleset with \"%s\": %s", path,
  633. strerror(errno));
  634. }
  635. ASSERT_EQ(0, close(path_beneath.parent_fd));
  636. }
  637. struct rule {
  638. const char *path;
  639. __u64 access;
  640. };
  641. /* clang-format off */
  642. #define ACCESS_RO ( \
  643. LANDLOCK_ACCESS_FS_READ_FILE | \
  644. LANDLOCK_ACCESS_FS_READ_DIR)
  645. #define ACCESS_RW ( \
  646. ACCESS_RO | \
  647. LANDLOCK_ACCESS_FS_WRITE_FILE)
  648. /* clang-format on */
  649. static int create_ruleset(struct __test_metadata *const _metadata,
  650. const __u64 handled_access_fs,
  651. const struct rule rules[])
  652. {
  653. int ruleset_fd, i;
  654. struct landlock_ruleset_attr ruleset_attr = {
  655. .handled_access_fs = handled_access_fs,
  656. };
  657. ASSERT_NE(NULL, rules)
  658. {
  659. TH_LOG("No rule list");
  660. }
  661. ASSERT_NE(NULL, rules[0].path)
  662. {
  663. TH_LOG("Empty rule list");
  664. }
  665. ruleset_fd =
  666. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  667. ASSERT_LE(0, ruleset_fd)
  668. {
  669. TH_LOG("Failed to create a ruleset: %s", strerror(errno));
  670. }
  671. for (i = 0; rules[i].path; i++) {
  672. if (!rules[i].access)
  673. continue;
  674. add_path_beneath(_metadata, ruleset_fd, rules[i].access,
  675. rules[i].path);
  676. }
  677. return ruleset_fd;
  678. }
  679. TEST_F_FORK(layout0, proc_nsfs)
  680. {
  681. const struct rule rules[] = {
  682. {
  683. .path = "/dev/null",
  684. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  685. LANDLOCK_ACCESS_FS_WRITE_FILE,
  686. },
  687. {},
  688. };
  689. struct landlock_path_beneath_attr path_beneath;
  690. const int ruleset_fd = create_ruleset(
  691. _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
  692. rules);
  693. ASSERT_LE(0, ruleset_fd);
  694. ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
  695. enforce_ruleset(_metadata, ruleset_fd);
  696. ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
  697. ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
  698. ASSERT_EQ(0, test_open("/dev/null", O_RDONLY));
  699. ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY));
  700. ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY));
  701. ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY));
  702. ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY));
  703. /*
  704. * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a
  705. * disconnected path. Such path cannot be identified and must then be
  706. * allowed.
  707. */
  708. ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
  709. /*
  710. * Checks that it is not possible to add nsfs-like filesystem
  711. * references to a ruleset.
  712. */
  713. path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
  714. LANDLOCK_ACCESS_FS_WRITE_FILE,
  715. path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC);
  716. ASSERT_LE(0, path_beneath.parent_fd);
  717. ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  718. &path_beneath, 0));
  719. ASSERT_EQ(EBADFD, errno);
  720. ASSERT_EQ(0, close(path_beneath.parent_fd));
  721. }
  722. TEST_F_FORK(layout0, unpriv)
  723. {
  724. const struct rule rules[] = {
  725. {
  726. .path = TMP_DIR,
  727. .access = ACCESS_RO,
  728. },
  729. {},
  730. };
  731. int ruleset_fd;
  732. drop_caps(_metadata);
  733. ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
  734. ASSERT_LE(0, ruleset_fd);
  735. ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
  736. ASSERT_EQ(EPERM, errno);
  737. /* enforce_ruleset() calls prctl(no_new_privs). */
  738. enforce_ruleset(_metadata, ruleset_fd);
  739. ASSERT_EQ(0, close(ruleset_fd));
  740. }
  741. TEST_F_FORK(layout1, effective_access)
  742. {
  743. const struct rule rules[] = {
  744. {
  745. .path = dir_s1d2,
  746. .access = ACCESS_RO,
  747. },
  748. {
  749. .path = file1_s2d2,
  750. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  751. LANDLOCK_ACCESS_FS_WRITE_FILE,
  752. },
  753. {},
  754. };
  755. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  756. char buf;
  757. int reg_fd;
  758. ASSERT_LE(0, ruleset_fd);
  759. enforce_ruleset(_metadata, ruleset_fd);
  760. ASSERT_EQ(0, close(ruleset_fd));
  761. /* Tests on a directory (with or without O_PATH). */
  762. ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
  763. ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH));
  764. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
  765. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH));
  766. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  767. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH));
  768. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
  769. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  770. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
  771. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  772. /* Tests on a file (with or without O_PATH). */
  773. ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY));
  774. ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH));
  775. ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
  776. /* Checks effective read and write actions. */
  777. reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC);
  778. ASSERT_LE(0, reg_fd);
  779. ASSERT_EQ(1, write(reg_fd, ".", 1));
  780. ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET));
  781. ASSERT_EQ(1, read(reg_fd, &buf, 1));
  782. ASSERT_EQ('.', buf);
  783. ASSERT_EQ(0, close(reg_fd));
  784. /* Just in case, double-checks effective actions. */
  785. reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC);
  786. ASSERT_LE(0, reg_fd);
  787. ASSERT_EQ(-1, write(reg_fd, &buf, 1));
  788. ASSERT_EQ(EBADF, errno);
  789. ASSERT_EQ(0, close(reg_fd));
  790. }
  791. TEST_F_FORK(layout1, unhandled_access)
  792. {
  793. const struct rule rules[] = {
  794. {
  795. .path = dir_s1d2,
  796. .access = ACCESS_RO,
  797. },
  798. {},
  799. };
  800. /* Here, we only handle read accesses, not write accesses. */
  801. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
  802. ASSERT_LE(0, ruleset_fd);
  803. enforce_ruleset(_metadata, ruleset_fd);
  804. ASSERT_EQ(0, close(ruleset_fd));
  805. /*
  806. * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE,
  807. * opening for write-only should be allowed, but not read-write.
  808. */
  809. ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY));
  810. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  811. ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
  812. ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
  813. }
  814. TEST_F_FORK(layout1, ruleset_overlap)
  815. {
  816. const struct rule rules[] = {
  817. /* These rules should be ORed among them. */
  818. {
  819. .path = dir_s1d2,
  820. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  821. LANDLOCK_ACCESS_FS_WRITE_FILE,
  822. },
  823. {
  824. .path = dir_s1d2,
  825. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  826. LANDLOCK_ACCESS_FS_READ_DIR,
  827. },
  828. {},
  829. };
  830. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  831. ASSERT_LE(0, ruleset_fd);
  832. enforce_ruleset(_metadata, ruleset_fd);
  833. ASSERT_EQ(0, close(ruleset_fd));
  834. /* Checks s1d1 hierarchy. */
  835. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  836. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  837. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  838. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  839. /* Checks s1d2 hierarchy. */
  840. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  841. ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
  842. ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
  843. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  844. /* Checks s1d3 hierarchy. */
  845. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  846. ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
  847. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  848. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  849. }
  850. TEST_F_FORK(layout1, layer_rule_unions)
  851. {
  852. const struct rule layer1[] = {
  853. {
  854. .path = dir_s1d2,
  855. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  856. },
  857. /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
  858. {
  859. .path = dir_s1d3,
  860. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  861. },
  862. {},
  863. };
  864. const struct rule layer2[] = {
  865. /* Doesn't change anything from layer1. */
  866. {
  867. .path = dir_s1d2,
  868. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  869. LANDLOCK_ACCESS_FS_WRITE_FILE,
  870. },
  871. {},
  872. };
  873. const struct rule layer3[] = {
  874. /* Only allows write (but not read) to dir_s1d3. */
  875. {
  876. .path = dir_s1d2,
  877. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  878. },
  879. {},
  880. };
  881. int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
  882. ASSERT_LE(0, ruleset_fd);
  883. enforce_ruleset(_metadata, ruleset_fd);
  884. ASSERT_EQ(0, close(ruleset_fd));
  885. /* Checks s1d1 hierarchy with layer1. */
  886. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  887. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  888. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  889. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  890. /* Checks s1d2 hierarchy with layer1. */
  891. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  892. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  893. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
  894. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  895. /* Checks s1d3 hierarchy with layer1. */
  896. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  897. ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
  898. /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
  899. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  900. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  901. /* Doesn't change anything from layer1. */
  902. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
  903. ASSERT_LE(0, ruleset_fd);
  904. enforce_ruleset(_metadata, ruleset_fd);
  905. ASSERT_EQ(0, close(ruleset_fd));
  906. /* Checks s1d1 hierarchy with layer2. */
  907. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  908. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  909. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  910. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  911. /* Checks s1d2 hierarchy with layer2. */
  912. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  913. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  914. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
  915. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  916. /* Checks s1d3 hierarchy with layer2. */
  917. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  918. ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
  919. /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
  920. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  921. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  922. /* Only allows write (but not read) to dir_s1d3. */
  923. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
  924. ASSERT_LE(0, ruleset_fd);
  925. enforce_ruleset(_metadata, ruleset_fd);
  926. ASSERT_EQ(0, close(ruleset_fd));
  927. /* Checks s1d1 hierarchy with layer3. */
  928. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  929. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  930. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  931. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  932. /* Checks s1d2 hierarchy with layer3. */
  933. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
  934. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  935. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
  936. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  937. /* Checks s1d3 hierarchy with layer3. */
  938. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
  939. ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
  940. /* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */
  941. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR));
  942. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  943. }
  944. TEST_F_FORK(layout1, non_overlapping_accesses)
  945. {
  946. const struct rule layer1[] = {
  947. {
  948. .path = dir_s1d2,
  949. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  950. },
  951. {},
  952. };
  953. const struct rule layer2[] = {
  954. {
  955. .path = dir_s1d3,
  956. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  957. },
  958. {},
  959. };
  960. int ruleset_fd;
  961. ASSERT_EQ(0, unlink(file1_s1d1));
  962. ASSERT_EQ(0, unlink(file1_s1d2));
  963. ruleset_fd =
  964. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
  965. ASSERT_LE(0, ruleset_fd);
  966. enforce_ruleset(_metadata, ruleset_fd);
  967. ASSERT_EQ(0, close(ruleset_fd));
  968. ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
  969. ASSERT_EQ(EACCES, errno);
  970. ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
  971. ASSERT_EQ(0, unlink(file1_s1d2));
  972. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
  973. layer2);
  974. ASSERT_LE(0, ruleset_fd);
  975. enforce_ruleset(_metadata, ruleset_fd);
  976. ASSERT_EQ(0, close(ruleset_fd));
  977. /* Unchanged accesses for file creation. */
  978. ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
  979. ASSERT_EQ(EACCES, errno);
  980. ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
  981. /* Checks file removing. */
  982. ASSERT_EQ(-1, unlink(file1_s1d2));
  983. ASSERT_EQ(EACCES, errno);
  984. ASSERT_EQ(0, unlink(file1_s1d3));
  985. }
  986. TEST_F_FORK(layout1, interleaved_masked_accesses)
  987. {
  988. /*
  989. * Checks overly restrictive rules:
  990. * layer 1: allows R s1d1/s1d2/s1d3/file1
  991. * layer 2: allows RW s1d1/s1d2/s1d3
  992. * allows W s1d1/s1d2
  993. * denies R s1d1/s1d2
  994. * layer 3: allows R s1d1
  995. * layer 4: allows R s1d1/s1d2
  996. * denies W s1d1/s1d2
  997. * layer 5: allows R s1d1/s1d2
  998. * layer 6: allows X ----
  999. * layer 7: allows W s1d1/s1d2
  1000. * denies R s1d1/s1d2
  1001. */
  1002. const struct rule layer1_read[] = {
  1003. /* Allows read access to file1_s1d3 with the first layer. */
  1004. {
  1005. .path = file1_s1d3,
  1006. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  1007. },
  1008. {},
  1009. };
  1010. /* First rule with write restrictions. */
  1011. const struct rule layer2_read_write[] = {
  1012. /* Start by granting read-write access via its parent directory... */
  1013. {
  1014. .path = dir_s1d3,
  1015. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  1016. LANDLOCK_ACCESS_FS_WRITE_FILE,
  1017. },
  1018. /* ...but also denies read access via its grandparent directory. */
  1019. {
  1020. .path = dir_s1d2,
  1021. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  1022. },
  1023. {},
  1024. };
  1025. const struct rule layer3_read[] = {
  1026. /* Allows read access via its great-grandparent directory. */
  1027. {
  1028. .path = dir_s1d1,
  1029. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  1030. },
  1031. {},
  1032. };
  1033. const struct rule layer4_read_write[] = {
  1034. /*
  1035. * Try to confuse the deny access by denying write (but not
  1036. * read) access via its grandparent directory.
  1037. */
  1038. {
  1039. .path = dir_s1d2,
  1040. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  1041. },
  1042. {},
  1043. };
  1044. const struct rule layer5_read[] = {
  1045. /*
  1046. * Try to override layer2's deny read access by explicitly
  1047. * allowing read access via file1_s1d3's grandparent.
  1048. */
  1049. {
  1050. .path = dir_s1d2,
  1051. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  1052. },
  1053. {},
  1054. };
  1055. const struct rule layer6_execute[] = {
  1056. /*
  1057. * Restricts an unrelated file hierarchy with a new access
  1058. * (non-overlapping) type.
  1059. */
  1060. {
  1061. .path = dir_s2d1,
  1062. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  1063. },
  1064. {},
  1065. };
  1066. const struct rule layer7_read_write[] = {
  1067. /*
  1068. * Finally, denies read access to file1_s1d3 via its
  1069. * grandparent.
  1070. */
  1071. {
  1072. .path = dir_s1d2,
  1073. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  1074. },
  1075. {},
  1076. };
  1077. int ruleset_fd;
  1078. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
  1079. layer1_read);
  1080. ASSERT_LE(0, ruleset_fd);
  1081. enforce_ruleset(_metadata, ruleset_fd);
  1082. ASSERT_EQ(0, close(ruleset_fd));
  1083. /* Checks that read access is granted for file1_s1d3 with layer 1. */
  1084. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  1085. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1086. ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
  1087. ruleset_fd = create_ruleset(_metadata,
  1088. LANDLOCK_ACCESS_FS_READ_FILE |
  1089. LANDLOCK_ACCESS_FS_WRITE_FILE,
  1090. layer2_read_write);
  1091. ASSERT_LE(0, ruleset_fd);
  1092. enforce_ruleset(_metadata, ruleset_fd);
  1093. ASSERT_EQ(0, close(ruleset_fd));
  1094. /* Checks that previous access rights are unchanged with layer 2. */
  1095. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  1096. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1097. ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
  1098. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
  1099. layer3_read);
  1100. ASSERT_LE(0, ruleset_fd);
  1101. enforce_ruleset(_metadata, ruleset_fd);
  1102. ASSERT_EQ(0, close(ruleset_fd));
  1103. /* Checks that previous access rights are unchanged with layer 3. */
  1104. ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
  1105. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1106. ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
  1107. /* This time, denies write access for the file hierarchy. */
  1108. ruleset_fd = create_ruleset(_metadata,
  1109. LANDLOCK_ACCESS_FS_READ_FILE |
  1110. LANDLOCK_ACCESS_FS_WRITE_FILE,
  1111. layer4_read_write);
  1112. ASSERT_LE(0, ruleset_fd);
  1113. enforce_ruleset(_metadata, ruleset_fd);
  1114. ASSERT_EQ(0, close(ruleset_fd));
  1115. /*
  1116. * Checks that the only change with layer 4 is that write access is
  1117. * denied.
  1118. */
  1119. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1120. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1121. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1122. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
  1123. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
  1124. layer5_read);
  1125. ASSERT_LE(0, ruleset_fd);
  1126. enforce_ruleset(_metadata, ruleset_fd);
  1127. ASSERT_EQ(0, close(ruleset_fd));
  1128. /* Checks that previous access rights are unchanged with layer 5. */
  1129. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1130. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1131. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
  1132. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1133. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
  1134. layer6_execute);
  1135. ASSERT_LE(0, ruleset_fd);
  1136. enforce_ruleset(_metadata, ruleset_fd);
  1137. ASSERT_EQ(0, close(ruleset_fd));
  1138. /* Checks that previous access rights are unchanged with layer 6. */
  1139. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1140. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1141. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
  1142. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1143. ruleset_fd = create_ruleset(_metadata,
  1144. LANDLOCK_ACCESS_FS_READ_FILE |
  1145. LANDLOCK_ACCESS_FS_WRITE_FILE,
  1146. layer7_read_write);
  1147. ASSERT_LE(0, ruleset_fd);
  1148. enforce_ruleset(_metadata, ruleset_fd);
  1149. ASSERT_EQ(0, close(ruleset_fd));
  1150. /* Checks read access is now denied with layer 7. */
  1151. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
  1152. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1153. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
  1154. ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
  1155. }
  1156. TEST_F_FORK(layout1, inherit_subset)
  1157. {
  1158. const struct rule rules[] = {
  1159. {
  1160. .path = dir_s1d2,
  1161. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  1162. LANDLOCK_ACCESS_FS_READ_DIR,
  1163. },
  1164. {},
  1165. };
  1166. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1167. ASSERT_LE(0, ruleset_fd);
  1168. enforce_ruleset(_metadata, ruleset_fd);
  1169. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  1170. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  1171. /* Write access is forbidden. */
  1172. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  1173. /* Readdir access is allowed. */
  1174. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1175. /* Write access is forbidden. */
  1176. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1177. /* Readdir access is allowed. */
  1178. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1179. /*
  1180. * Tests shared rule extension: the following rules should not grant
  1181. * any new access, only remove some. Once enforced, these rules are
  1182. * ANDed with the previous ones.
  1183. */
  1184. add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
  1185. dir_s1d2);
  1186. /*
  1187. * According to ruleset_fd, dir_s1d2 should now have the
  1188. * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE
  1189. * access rights (even if this directory is opened a second time).
  1190. * However, when enforcing this updated ruleset, the ruleset tied to
  1191. * the current process (i.e. its domain) will still only have the
  1192. * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and
  1193. * LANDLOCK_ACCESS_FS_READ_DIR accesses, but
  1194. * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
  1195. * be a privilege escalation.
  1196. */
  1197. enforce_ruleset(_metadata, ruleset_fd);
  1198. /* Same tests and results as above. */
  1199. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  1200. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  1201. /* It is still forbidden to write in file1_s1d2. */
  1202. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  1203. /* Readdir access is still allowed. */
  1204. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1205. /* It is still forbidden to write in file1_s1d3. */
  1206. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1207. /* Readdir access is still allowed. */
  1208. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1209. /*
  1210. * Try to get more privileges by adding new access rights to the parent
  1211. * directory: dir_s1d1.
  1212. */
  1213. add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
  1214. enforce_ruleset(_metadata, ruleset_fd);
  1215. /* Same tests and results as above. */
  1216. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  1217. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  1218. /* It is still forbidden to write in file1_s1d2. */
  1219. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  1220. /* Readdir access is still allowed. */
  1221. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1222. /* It is still forbidden to write in file1_s1d3. */
  1223. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1224. /* Readdir access is still allowed. */
  1225. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1226. /*
  1227. * Now, dir_s1d3 get a new rule tied to it, only allowing
  1228. * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is
  1229. * that there was no rule tied to it before.
  1230. */
  1231. add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
  1232. dir_s1d3);
  1233. enforce_ruleset(_metadata, ruleset_fd);
  1234. ASSERT_EQ(0, close(ruleset_fd));
  1235. /*
  1236. * Same tests and results as above, except for open(dir_s1d3) which is
  1237. * now denied because the new rule mask the rule previously inherited
  1238. * from dir_s1d2.
  1239. */
  1240. /* Same tests and results as above. */
  1241. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  1242. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  1243. /* It is still forbidden to write in file1_s1d2. */
  1244. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  1245. /* Readdir access is still allowed. */
  1246. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1247. /* It is still forbidden to write in file1_s1d3. */
  1248. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  1249. /*
  1250. * Readdir of dir_s1d3 is still allowed because of the OR policy inside
  1251. * the same layer.
  1252. */
  1253. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1254. }
  1255. TEST_F_FORK(layout1, inherit_superset)
  1256. {
  1257. const struct rule rules[] = {
  1258. {
  1259. .path = dir_s1d3,
  1260. .access = ACCESS_RO,
  1261. },
  1262. {},
  1263. };
  1264. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1265. ASSERT_LE(0, ruleset_fd);
  1266. enforce_ruleset(_metadata, ruleset_fd);
  1267. /* Readdir access is denied for dir_s1d2. */
  1268. ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1269. /* Readdir access is allowed for dir_s1d3. */
  1270. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1271. /* File access is allowed for file1_s1d3. */
  1272. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1273. /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */
  1274. add_path_beneath(_metadata, ruleset_fd,
  1275. LANDLOCK_ACCESS_FS_READ_FILE |
  1276. LANDLOCK_ACCESS_FS_READ_DIR,
  1277. dir_s1d2);
  1278. enforce_ruleset(_metadata, ruleset_fd);
  1279. ASSERT_EQ(0, close(ruleset_fd));
  1280. /* Readdir access is still denied for dir_s1d2. */
  1281. ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  1282. /* Readdir access is still allowed for dir_s1d3. */
  1283. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  1284. /* File access is still allowed for file1_s1d3. */
  1285. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1286. }
  1287. TEST_F_FORK(layout0, max_layers)
  1288. {
  1289. int i, err;
  1290. const struct rule rules[] = {
  1291. {
  1292. .path = TMP_DIR,
  1293. .access = ACCESS_RO,
  1294. },
  1295. {},
  1296. };
  1297. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1298. ASSERT_LE(0, ruleset_fd);
  1299. for (i = 0; i < 16; i++)
  1300. enforce_ruleset(_metadata, ruleset_fd);
  1301. for (i = 0; i < 2; i++) {
  1302. err = landlock_restrict_self(ruleset_fd, 0);
  1303. ASSERT_EQ(-1, err);
  1304. ASSERT_EQ(E2BIG, errno);
  1305. }
  1306. ASSERT_EQ(0, close(ruleset_fd));
  1307. }
  1308. TEST_F_FORK(layout1, empty_or_same_ruleset)
  1309. {
  1310. struct landlock_ruleset_attr ruleset_attr = {};
  1311. int ruleset_fd;
  1312. /* Tests empty handled_access_fs. */
  1313. ruleset_fd =
  1314. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  1315. ASSERT_LE(-1, ruleset_fd);
  1316. ASSERT_EQ(ENOMSG, errno);
  1317. /* Enforces policy which deny read access to all files. */
  1318. ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE;
  1319. ruleset_fd =
  1320. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  1321. ASSERT_LE(0, ruleset_fd);
  1322. enforce_ruleset(_metadata, ruleset_fd);
  1323. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  1324. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  1325. /* Nests a policy which deny read access to all directories. */
  1326. ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR;
  1327. ruleset_fd =
  1328. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  1329. ASSERT_LE(0, ruleset_fd);
  1330. enforce_ruleset(_metadata, ruleset_fd);
  1331. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  1332. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
  1333. /* Enforces a second time with the same ruleset. */
  1334. enforce_ruleset(_metadata, ruleset_fd);
  1335. ASSERT_EQ(0, close(ruleset_fd));
  1336. }
  1337. TEST_F_FORK(layout1, rule_on_mountpoint)
  1338. {
  1339. const struct rule rules[] = {
  1340. {
  1341. .path = dir_s1d1,
  1342. .access = ACCESS_RO,
  1343. },
  1344. {
  1345. /* dir_s3d2 is a mount point. */
  1346. .path = dir_s3d2,
  1347. .access = ACCESS_RO,
  1348. },
  1349. {},
  1350. };
  1351. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1352. ASSERT_LE(0, ruleset_fd);
  1353. enforce_ruleset(_metadata, ruleset_fd);
  1354. ASSERT_EQ(0, close(ruleset_fd));
  1355. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  1356. ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
  1357. ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY));
  1358. ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
  1359. ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
  1360. }
  1361. TEST_F_FORK(layout1, rule_over_mountpoint)
  1362. {
  1363. const struct rule rules[] = {
  1364. {
  1365. .path = dir_s1d1,
  1366. .access = ACCESS_RO,
  1367. },
  1368. {
  1369. /* dir_s3d2 is a mount point. */
  1370. .path = dir_s3d1,
  1371. .access = ACCESS_RO,
  1372. },
  1373. {},
  1374. };
  1375. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1376. ASSERT_LE(0, ruleset_fd);
  1377. enforce_ruleset(_metadata, ruleset_fd);
  1378. ASSERT_EQ(0, close(ruleset_fd));
  1379. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  1380. ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
  1381. ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
  1382. ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
  1383. ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
  1384. }
  1385. /*
  1386. * This test verifies that we can apply a landlock rule on the root directory
  1387. * (which might require special handling).
  1388. */
  1389. TEST_F_FORK(layout1, rule_over_root_allow_then_deny)
  1390. {
  1391. struct rule rules[] = {
  1392. {
  1393. .path = "/",
  1394. .access = ACCESS_RO,
  1395. },
  1396. {},
  1397. };
  1398. int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1399. ASSERT_LE(0, ruleset_fd);
  1400. enforce_ruleset(_metadata, ruleset_fd);
  1401. ASSERT_EQ(0, close(ruleset_fd));
  1402. /* Checks allowed access. */
  1403. ASSERT_EQ(0, test_open("/", O_RDONLY));
  1404. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  1405. rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
  1406. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1407. ASSERT_LE(0, ruleset_fd);
  1408. enforce_ruleset(_metadata, ruleset_fd);
  1409. ASSERT_EQ(0, close(ruleset_fd));
  1410. /* Checks denied access (on a directory). */
  1411. ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
  1412. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
  1413. }
  1414. TEST_F_FORK(layout1, rule_over_root_deny)
  1415. {
  1416. const struct rule rules[] = {
  1417. {
  1418. .path = "/",
  1419. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  1420. },
  1421. {},
  1422. };
  1423. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1424. ASSERT_LE(0, ruleset_fd);
  1425. enforce_ruleset(_metadata, ruleset_fd);
  1426. ASSERT_EQ(0, close(ruleset_fd));
  1427. /* Checks denied access (on a directory). */
  1428. ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
  1429. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
  1430. }
  1431. TEST_F_FORK(layout1, rule_inside_mount_ns)
  1432. {
  1433. const struct rule rules[] = {
  1434. {
  1435. .path = "s3d3",
  1436. .access = ACCESS_RO,
  1437. },
  1438. {},
  1439. };
  1440. int ruleset_fd;
  1441. set_cap(_metadata, CAP_SYS_ADMIN);
  1442. ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3))
  1443. {
  1444. TH_LOG("Failed to pivot root: %s", strerror(errno));
  1445. };
  1446. ASSERT_EQ(0, chdir("/"));
  1447. clear_cap(_metadata, CAP_SYS_ADMIN);
  1448. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1449. ASSERT_LE(0, ruleset_fd);
  1450. enforce_ruleset(_metadata, ruleset_fd);
  1451. ASSERT_EQ(0, close(ruleset_fd));
  1452. ASSERT_EQ(0, test_open("s3d3", O_RDONLY));
  1453. ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
  1454. }
  1455. TEST_F_FORK(layout1, mount_and_pivot)
  1456. {
  1457. const struct rule rules[] = {
  1458. {
  1459. .path = dir_s3d2,
  1460. .access = ACCESS_RO,
  1461. },
  1462. {},
  1463. };
  1464. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1465. ASSERT_LE(0, ruleset_fd);
  1466. enforce_ruleset(_metadata, ruleset_fd);
  1467. ASSERT_EQ(0, close(ruleset_fd));
  1468. set_cap(_metadata, CAP_SYS_ADMIN);
  1469. ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
  1470. ASSERT_EQ(EPERM, errno);
  1471. ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
  1472. ASSERT_EQ(EPERM, errno);
  1473. clear_cap(_metadata, CAP_SYS_ADMIN);
  1474. }
  1475. TEST_F_FORK(layout1, move_mount)
  1476. {
  1477. const struct rule rules[] = {
  1478. {
  1479. .path = dir_s3d2,
  1480. .access = ACCESS_RO,
  1481. },
  1482. {},
  1483. };
  1484. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1485. ASSERT_LE(0, ruleset_fd);
  1486. set_cap(_metadata, CAP_SYS_ADMIN);
  1487. ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
  1488. dir_s1d2, 0))
  1489. {
  1490. TH_LOG("Failed to move mount: %s", strerror(errno));
  1491. }
  1492. ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
  1493. dir_s3d2, 0));
  1494. clear_cap(_metadata, CAP_SYS_ADMIN);
  1495. enforce_ruleset(_metadata, ruleset_fd);
  1496. ASSERT_EQ(0, close(ruleset_fd));
  1497. set_cap(_metadata, CAP_SYS_ADMIN);
  1498. ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
  1499. dir_s1d2, 0));
  1500. ASSERT_EQ(EPERM, errno);
  1501. clear_cap(_metadata, CAP_SYS_ADMIN);
  1502. }
  1503. TEST_F_FORK(layout1, topology_changes_with_net_only)
  1504. {
  1505. const struct landlock_ruleset_attr ruleset_net = {
  1506. .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
  1507. LANDLOCK_ACCESS_NET_CONNECT_TCP,
  1508. };
  1509. int ruleset_fd;
  1510. /* Add network restrictions. */
  1511. ruleset_fd =
  1512. landlock_create_ruleset(&ruleset_net, sizeof(ruleset_net), 0);
  1513. ASSERT_LE(0, ruleset_fd);
  1514. enforce_ruleset(_metadata, ruleset_fd);
  1515. ASSERT_EQ(0, close(ruleset_fd));
  1516. /* Mount, remount, move_mount, umount, and pivot_root checks. */
  1517. set_cap(_metadata, CAP_SYS_ADMIN);
  1518. ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s1d2));
  1519. ASSERT_EQ(0, mount(NULL, dir_s1d2, NULL, MS_PRIVATE | MS_REC, NULL));
  1520. ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
  1521. dir_s2d2, 0));
  1522. ASSERT_EQ(0, umount(dir_s2d2));
  1523. ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
  1524. ASSERT_EQ(0, chdir("/"));
  1525. clear_cap(_metadata, CAP_SYS_ADMIN);
  1526. }
  1527. TEST_F_FORK(layout1, topology_changes_with_net_and_fs)
  1528. {
  1529. const struct landlock_ruleset_attr ruleset_net_fs = {
  1530. .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
  1531. LANDLOCK_ACCESS_NET_CONNECT_TCP,
  1532. .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
  1533. };
  1534. int ruleset_fd;
  1535. /* Add network and filesystem restrictions. */
  1536. ruleset_fd = landlock_create_ruleset(&ruleset_net_fs,
  1537. sizeof(ruleset_net_fs), 0);
  1538. ASSERT_LE(0, ruleset_fd);
  1539. enforce_ruleset(_metadata, ruleset_fd);
  1540. ASSERT_EQ(0, close(ruleset_fd));
  1541. /* Mount, remount, move_mount, umount, and pivot_root checks. */
  1542. set_cap(_metadata, CAP_SYS_ADMIN);
  1543. ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2));
  1544. ASSERT_EQ(EPERM, errno);
  1545. ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL));
  1546. ASSERT_EQ(EPERM, errno);
  1547. ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
  1548. dir_s2d2, 0));
  1549. ASSERT_EQ(EPERM, errno);
  1550. ASSERT_EQ(-1, umount(dir_s3d2));
  1551. ASSERT_EQ(EPERM, errno);
  1552. ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
  1553. ASSERT_EQ(EPERM, errno);
  1554. clear_cap(_metadata, CAP_SYS_ADMIN);
  1555. }
  1556. TEST_F_FORK(layout1, release_inodes)
  1557. {
  1558. const struct rule rules[] = {
  1559. {
  1560. .path = dir_s1d1,
  1561. .access = ACCESS_RO,
  1562. },
  1563. {
  1564. .path = dir_s3d2,
  1565. .access = ACCESS_RO,
  1566. },
  1567. {
  1568. .path = dir_s3d3,
  1569. .access = ACCESS_RO,
  1570. },
  1571. {},
  1572. };
  1573. const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
  1574. ASSERT_LE(0, ruleset_fd);
  1575. /* Unmount a file hierarchy while it is being used by a ruleset. */
  1576. set_cap(_metadata, CAP_SYS_ADMIN);
  1577. ASSERT_EQ(0, umount(dir_s3d2));
  1578. clear_cap(_metadata, CAP_SYS_ADMIN);
  1579. enforce_ruleset(_metadata, ruleset_fd);
  1580. ASSERT_EQ(0, close(ruleset_fd));
  1581. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
  1582. ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
  1583. /* This dir_s3d3 would not be allowed and does not exist anyway. */
  1584. ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY));
  1585. }
  1586. /*
  1587. * This test checks that a rule on a directory used as a mount point does not
  1588. * grant access to the mount covering it. It is a generalization of the bind
  1589. * mount case in layout3_fs.hostfs.release_inodes that tests hidden mount points.
  1590. */
  1591. TEST_F_FORK(layout1, covered_rule)
  1592. {
  1593. const struct rule layer1[] = {
  1594. {
  1595. .path = dir_s3d2,
  1596. .access = LANDLOCK_ACCESS_FS_READ_DIR,
  1597. },
  1598. {},
  1599. };
  1600. int ruleset_fd;
  1601. /* Unmount to simplify FIXTURE_TEARDOWN. */
  1602. set_cap(_metadata, CAP_SYS_ADMIN);
  1603. ASSERT_EQ(0, umount(dir_s3d2));
  1604. clear_cap(_metadata, CAP_SYS_ADMIN);
  1605. /* Creates a ruleset with the future hidden directory. */
  1606. ruleset_fd =
  1607. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
  1608. ASSERT_LE(0, ruleset_fd);
  1609. /* Covers with a new mount point. */
  1610. set_cap(_metadata, CAP_SYS_ADMIN);
  1611. ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2));
  1612. clear_cap(_metadata, CAP_SYS_ADMIN);
  1613. ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
  1614. enforce_ruleset(_metadata, ruleset_fd);
  1615. ASSERT_EQ(0, close(ruleset_fd));
  1616. /* Checks that access to the new mount point is denied. */
  1617. ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
  1618. }
  1619. enum relative_access {
  1620. REL_OPEN,
  1621. REL_CHDIR,
  1622. REL_CHROOT_ONLY,
  1623. REL_CHROOT_CHDIR,
  1624. };
  1625. static void test_relative_path(struct __test_metadata *const _metadata,
  1626. const enum relative_access rel)
  1627. {
  1628. /*
  1629. * Common layer to check that chroot doesn't ignore it (i.e. a chroot
  1630. * is not a disconnected root directory).
  1631. */
  1632. const struct rule layer1_base[] = {
  1633. {
  1634. .path = TMP_DIR,
  1635. .access = ACCESS_RO,
  1636. },
  1637. {},
  1638. };
  1639. const struct rule layer2_subs[] = {
  1640. {
  1641. .path = dir_s1d2,
  1642. .access = ACCESS_RO,
  1643. },
  1644. {
  1645. .path = dir_s2d2,
  1646. .access = ACCESS_RO,
  1647. },
  1648. {},
  1649. };
  1650. int dirfd, ruleset_fd;
  1651. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
  1652. ASSERT_LE(0, ruleset_fd);
  1653. enforce_ruleset(_metadata, ruleset_fd);
  1654. ASSERT_EQ(0, close(ruleset_fd));
  1655. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
  1656. ASSERT_LE(0, ruleset_fd);
  1657. switch (rel) {
  1658. case REL_OPEN:
  1659. case REL_CHDIR:
  1660. break;
  1661. case REL_CHROOT_ONLY:
  1662. ASSERT_EQ(0, chdir(dir_s2d2));
  1663. break;
  1664. case REL_CHROOT_CHDIR:
  1665. ASSERT_EQ(0, chdir(dir_s1d2));
  1666. break;
  1667. default:
  1668. ASSERT_TRUE(false);
  1669. return;
  1670. }
  1671. set_cap(_metadata, CAP_SYS_CHROOT);
  1672. enforce_ruleset(_metadata, ruleset_fd);
  1673. switch (rel) {
  1674. case REL_OPEN:
  1675. dirfd = open(dir_s1d2, O_DIRECTORY);
  1676. ASSERT_LE(0, dirfd);
  1677. break;
  1678. case REL_CHDIR:
  1679. ASSERT_EQ(0, chdir(dir_s1d2));
  1680. dirfd = AT_FDCWD;
  1681. break;
  1682. case REL_CHROOT_ONLY:
  1683. /* Do chroot into dir_s1d2 (relative to dir_s2d2). */
  1684. ASSERT_EQ(0, chroot("../../s1d1/s1d2"))
  1685. {
  1686. TH_LOG("Failed to chroot: %s", strerror(errno));
  1687. }
  1688. dirfd = AT_FDCWD;
  1689. break;
  1690. case REL_CHROOT_CHDIR:
  1691. /* Do chroot into dir_s1d2. */
  1692. ASSERT_EQ(0, chroot("."))
  1693. {
  1694. TH_LOG("Failed to chroot: %s", strerror(errno));
  1695. }
  1696. dirfd = AT_FDCWD;
  1697. break;
  1698. }
  1699. ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES,
  1700. test_open_rel(dirfd, "..", O_RDONLY));
  1701. ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY));
  1702. if (rel == REL_CHROOT_ONLY) {
  1703. /* The current directory is dir_s2d2. */
  1704. ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY));
  1705. } else {
  1706. /* The current directory is dir_s1d2. */
  1707. ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY));
  1708. }
  1709. if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) {
  1710. /* Checks the root dir_s1d2. */
  1711. ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY));
  1712. ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY));
  1713. ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY));
  1714. ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY));
  1715. }
  1716. if (rel != REL_CHROOT_CHDIR) {
  1717. ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY));
  1718. ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY));
  1719. ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3",
  1720. O_RDONLY));
  1721. ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY));
  1722. ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY));
  1723. ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3",
  1724. O_RDONLY));
  1725. }
  1726. if (rel == REL_OPEN)
  1727. ASSERT_EQ(0, close(dirfd));
  1728. ASSERT_EQ(0, close(ruleset_fd));
  1729. }
  1730. TEST_F_FORK(layout1, relative_open)
  1731. {
  1732. test_relative_path(_metadata, REL_OPEN);
  1733. }
  1734. TEST_F_FORK(layout1, relative_chdir)
  1735. {
  1736. test_relative_path(_metadata, REL_CHDIR);
  1737. }
  1738. TEST_F_FORK(layout1, relative_chroot_only)
  1739. {
  1740. test_relative_path(_metadata, REL_CHROOT_ONLY);
  1741. }
  1742. TEST_F_FORK(layout1, relative_chroot_chdir)
  1743. {
  1744. test_relative_path(_metadata, REL_CHROOT_CHDIR);
  1745. }
  1746. static void copy_file(struct __test_metadata *const _metadata,
  1747. const char *const src_path, const char *const dst_path)
  1748. {
  1749. int dst_fd, src_fd;
  1750. struct stat statbuf;
  1751. dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
  1752. ASSERT_LE(0, dst_fd)
  1753. {
  1754. TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
  1755. }
  1756. src_fd = open(src_path, O_RDONLY | O_CLOEXEC);
  1757. ASSERT_LE(0, src_fd)
  1758. {
  1759. TH_LOG("Failed to open \"%s\": %s", src_path, strerror(errno));
  1760. }
  1761. ASSERT_EQ(0, fstat(src_fd, &statbuf));
  1762. ASSERT_EQ(statbuf.st_size,
  1763. sendfile(dst_fd, src_fd, 0, statbuf.st_size));
  1764. ASSERT_EQ(0, close(src_fd));
  1765. ASSERT_EQ(0, close(dst_fd));
  1766. }
  1767. static void test_execute(struct __test_metadata *const _metadata, const int err,
  1768. const char *const path)
  1769. {
  1770. int status;
  1771. char *const argv[] = { (char *)path, NULL };
  1772. const pid_t child = fork();
  1773. ASSERT_LE(0, child);
  1774. if (child == 0) {
  1775. ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL))
  1776. {
  1777. TH_LOG("Failed to execute \"%s\": %s", path,
  1778. strerror(errno));
  1779. };
  1780. ASSERT_EQ(err, errno);
  1781. _exit(__test_passed(_metadata) ? 2 : 1);
  1782. return;
  1783. }
  1784. ASSERT_EQ(child, waitpid(child, &status, 0));
  1785. ASSERT_EQ(1, WIFEXITED(status));
  1786. ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status))
  1787. {
  1788. TH_LOG("Unexpected return code for \"%s\"", path);
  1789. };
  1790. }
  1791. static void test_check_exec(struct __test_metadata *const _metadata,
  1792. const int err, const char *const path)
  1793. {
  1794. int ret;
  1795. char *const argv[] = { (char *)path, NULL };
  1796. ret = sys_execveat(AT_FDCWD, path, argv, NULL,
  1797. AT_EMPTY_PATH | AT_EXECVE_CHECK);
  1798. if (err) {
  1799. EXPECT_EQ(-1, ret);
  1800. EXPECT_EQ(errno, err);
  1801. } else {
  1802. EXPECT_EQ(0, ret);
  1803. }
  1804. }
  1805. TEST_F_FORK(layout1, execute)
  1806. {
  1807. const struct rule rules[] = {
  1808. {
  1809. .path = dir_s1d2,
  1810. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  1811. },
  1812. {},
  1813. };
  1814. const int ruleset_fd =
  1815. create_ruleset(_metadata, rules[0].access, rules);
  1816. ASSERT_LE(0, ruleset_fd);
  1817. copy_file(_metadata, bin_true, file1_s1d1);
  1818. copy_file(_metadata, bin_true, file1_s1d2);
  1819. copy_file(_metadata, bin_true, file1_s1d3);
  1820. /* Checks before file1_s1d1 being denied. */
  1821. test_execute(_metadata, 0, file1_s1d1);
  1822. test_check_exec(_metadata, 0, file1_s1d1);
  1823. enforce_ruleset(_metadata, ruleset_fd);
  1824. ASSERT_EQ(0, close(ruleset_fd));
  1825. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  1826. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
  1827. test_execute(_metadata, EACCES, file1_s1d1);
  1828. test_check_exec(_metadata, EACCES, file1_s1d1);
  1829. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
  1830. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  1831. test_execute(_metadata, 0, file1_s1d2);
  1832. test_check_exec(_metadata, 0, file1_s1d2);
  1833. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
  1834. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  1835. test_execute(_metadata, 0, file1_s1d3);
  1836. test_check_exec(_metadata, 0, file1_s1d3);
  1837. }
  1838. TEST_F_FORK(layout1, umount_sandboxer)
  1839. {
  1840. int pipe_child[2], pipe_parent[2];
  1841. char buf_parent;
  1842. pid_t child;
  1843. int status;
  1844. copy_file(_metadata, bin_sandbox_and_launch, file1_s3d3);
  1845. ASSERT_EQ(0, pipe2(pipe_child, 0));
  1846. ASSERT_EQ(0, pipe2(pipe_parent, 0));
  1847. child = fork();
  1848. ASSERT_LE(0, child);
  1849. if (child == 0) {
  1850. char pipe_child_str[12], pipe_parent_str[12];
  1851. char *const argv[] = { (char *)file1_s3d3,
  1852. (char *)bin_wait_pipe, pipe_child_str,
  1853. pipe_parent_str, NULL };
  1854. /* Passes the pipe FDs to the executed binary and its child. */
  1855. EXPECT_EQ(0, close(pipe_child[0]));
  1856. EXPECT_EQ(0, close(pipe_parent[1]));
  1857. snprintf(pipe_child_str, sizeof(pipe_child_str), "%d",
  1858. pipe_child[1]);
  1859. snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d",
  1860. pipe_parent[0]);
  1861. /*
  1862. * We need bin_sandbox_and_launch (copied inside the mount as
  1863. * file1_s3d3) to execute bin_wait_pipe (outside the mount) to
  1864. * make sure the mount point will not be EBUSY because of
  1865. * file1_s3d3 being in use. This avoids a potential race
  1866. * condition between the following read() and umount() calls.
  1867. */
  1868. ASSERT_EQ(0, execve(argv[0], argv, NULL))
  1869. {
  1870. TH_LOG("Failed to execute \"%s\": %s", argv[0],
  1871. strerror(errno));
  1872. };
  1873. _exit(1);
  1874. return;
  1875. }
  1876. EXPECT_EQ(0, close(pipe_child[1]));
  1877. EXPECT_EQ(0, close(pipe_parent[0]));
  1878. /* Waits for the child to sandbox itself. */
  1879. EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
  1880. /* Tests that the sandboxer is tied to its mount point. */
  1881. set_cap(_metadata, CAP_SYS_ADMIN);
  1882. EXPECT_EQ(-1, umount(dir_s3d2));
  1883. EXPECT_EQ(EBUSY, errno);
  1884. clear_cap(_metadata, CAP_SYS_ADMIN);
  1885. /* Signals the child to launch a grandchild. */
  1886. EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
  1887. /* Waits for the grandchild. */
  1888. EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
  1889. /* Tests that the domain's sandboxer is not tied to its mount point. */
  1890. set_cap(_metadata, CAP_SYS_ADMIN);
  1891. EXPECT_EQ(0, umount(dir_s3d2))
  1892. {
  1893. TH_LOG("Failed to umount \"%s\": %s", dir_s3d2,
  1894. strerror(errno));
  1895. };
  1896. clear_cap(_metadata, CAP_SYS_ADMIN);
  1897. /* Signals the grandchild to terminate. */
  1898. EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
  1899. ASSERT_EQ(child, waitpid(child, &status, 0));
  1900. ASSERT_EQ(1, WIFEXITED(status));
  1901. ASSERT_EQ(0, WEXITSTATUS(status));
  1902. }
  1903. TEST_F_FORK(layout1, link)
  1904. {
  1905. const struct rule layer1[] = {
  1906. {
  1907. .path = dir_s1d2,
  1908. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  1909. },
  1910. {},
  1911. };
  1912. const struct rule layer2[] = {
  1913. {
  1914. .path = dir_s1d3,
  1915. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  1916. },
  1917. {},
  1918. };
  1919. int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
  1920. ASSERT_LE(0, ruleset_fd);
  1921. ASSERT_EQ(0, unlink(file1_s1d1));
  1922. ASSERT_EQ(0, unlink(file1_s1d2));
  1923. ASSERT_EQ(0, unlink(file1_s1d3));
  1924. enforce_ruleset(_metadata, ruleset_fd);
  1925. ASSERT_EQ(0, close(ruleset_fd));
  1926. ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
  1927. ASSERT_EQ(EACCES, errno);
  1928. /* Denies linking because of reparenting. */
  1929. ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
  1930. ASSERT_EQ(EXDEV, errno);
  1931. ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
  1932. ASSERT_EQ(EXDEV, errno);
  1933. ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
  1934. ASSERT_EQ(EXDEV, errno);
  1935. ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
  1936. ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
  1937. /* Prepares for next unlinks. */
  1938. ASSERT_EQ(0, unlink(file2_s1d2));
  1939. ASSERT_EQ(0, unlink(file2_s1d3));
  1940. ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
  1941. ASSERT_LE(0, ruleset_fd);
  1942. enforce_ruleset(_metadata, ruleset_fd);
  1943. ASSERT_EQ(0, close(ruleset_fd));
  1944. /* Checks that linkind doesn't require the ability to delete a file. */
  1945. ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
  1946. ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
  1947. }
  1948. static int test_rename(const char *const oldpath, const char *const newpath)
  1949. {
  1950. if (rename(oldpath, newpath))
  1951. return errno;
  1952. return 0;
  1953. }
  1954. static int test_exchange(const char *const oldpath, const char *const newpath)
  1955. {
  1956. if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE))
  1957. return errno;
  1958. return 0;
  1959. }
  1960. static int test_renameat(int olddirfd, const char *oldpath, int newdirfd,
  1961. const char *newpath)
  1962. {
  1963. if (renameat2(olddirfd, oldpath, newdirfd, newpath, 0))
  1964. return errno;
  1965. return 0;
  1966. }
  1967. static int test_exchangeat(int olddirfd, const char *oldpath, int newdirfd,
  1968. const char *newpath)
  1969. {
  1970. if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_EXCHANGE))
  1971. return errno;
  1972. return 0;
  1973. }
  1974. TEST_F_FORK(layout1, rename_file)
  1975. {
  1976. const struct rule rules[] = {
  1977. {
  1978. .path = dir_s1d3,
  1979. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  1980. },
  1981. {
  1982. .path = dir_s2d2,
  1983. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  1984. },
  1985. {},
  1986. };
  1987. const int ruleset_fd =
  1988. create_ruleset(_metadata, rules[0].access, rules);
  1989. ASSERT_LE(0, ruleset_fd);
  1990. ASSERT_EQ(0, unlink(file1_s1d2));
  1991. enforce_ruleset(_metadata, ruleset_fd);
  1992. ASSERT_EQ(0, close(ruleset_fd));
  1993. /*
  1994. * Tries to replace a file, from a directory that allows file removal,
  1995. * but to a different directory (which also allows file removal).
  1996. */
  1997. ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3));
  1998. ASSERT_EQ(EXDEV, errno);
  1999. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3,
  2000. RENAME_EXCHANGE));
  2001. ASSERT_EQ(EXDEV, errno);
  2002. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
  2003. RENAME_EXCHANGE));
  2004. ASSERT_EQ(EXDEV, errno);
  2005. /*
  2006. * Tries to replace a file, from a directory that denies file removal,
  2007. * to a different directory (which allows file removal).
  2008. */
  2009. ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
  2010. ASSERT_EQ(EACCES, errno);
  2011. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
  2012. RENAME_EXCHANGE));
  2013. ASSERT_EQ(EACCES, errno);
  2014. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
  2015. RENAME_EXCHANGE));
  2016. ASSERT_EQ(EXDEV, errno);
  2017. /* Exchanges files and directories that partially allow removal. */
  2018. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1,
  2019. RENAME_EXCHANGE));
  2020. ASSERT_EQ(EACCES, errno);
  2021. /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */
  2022. ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1));
  2023. ASSERT_EQ(EACCES, errno);
  2024. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2,
  2025. RENAME_EXCHANGE));
  2026. ASSERT_EQ(EACCES, errno);
  2027. /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */
  2028. ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
  2029. ASSERT_EQ(EACCES, errno);
  2030. /* Renames files with different parents. */
  2031. ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
  2032. ASSERT_EQ(EXDEV, errno);
  2033. ASSERT_EQ(0, unlink(file1_s1d3));
  2034. ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
  2035. ASSERT_EQ(EACCES, errno);
  2036. /* Exchanges and renames files with same parent. */
  2037. ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
  2038. RENAME_EXCHANGE));
  2039. ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3));
  2040. /* Exchanges files and directories with same parent, twice. */
  2041. ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
  2042. RENAME_EXCHANGE));
  2043. ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
  2044. RENAME_EXCHANGE));
  2045. }
  2046. TEST_F_FORK(layout1, rename_dir)
  2047. {
  2048. const struct rule rules[] = {
  2049. {
  2050. .path = dir_s1d2,
  2051. .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
  2052. },
  2053. {
  2054. .path = dir_s2d1,
  2055. .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
  2056. },
  2057. {},
  2058. };
  2059. const int ruleset_fd =
  2060. create_ruleset(_metadata, rules[0].access, rules);
  2061. ASSERT_LE(0, ruleset_fd);
  2062. /* Empties dir_s1d3 to allow renaming. */
  2063. ASSERT_EQ(0, unlink(file1_s1d3));
  2064. ASSERT_EQ(0, unlink(file2_s1d3));
  2065. enforce_ruleset(_metadata, ruleset_fd);
  2066. ASSERT_EQ(0, close(ruleset_fd));
  2067. /* Exchanges and renames directory to a different parent. */
  2068. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
  2069. RENAME_EXCHANGE));
  2070. ASSERT_EQ(EXDEV, errno);
  2071. ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3));
  2072. ASSERT_EQ(EXDEV, errno);
  2073. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
  2074. RENAME_EXCHANGE));
  2075. ASSERT_EQ(EXDEV, errno);
  2076. /*
  2077. * Exchanges directory to the same parent, which doesn't allow
  2078. * directory removal.
  2079. */
  2080. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1,
  2081. RENAME_EXCHANGE));
  2082. ASSERT_EQ(EACCES, errno);
  2083. /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */
  2084. ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1));
  2085. ASSERT_EQ(EACCES, errno);
  2086. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2,
  2087. RENAME_EXCHANGE));
  2088. ASSERT_EQ(EACCES, errno);
  2089. /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */
  2090. ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
  2091. ASSERT_EQ(EACCES, errno);
  2092. /*
  2093. * Exchanges and renames directory to the same parent, which allows
  2094. * directory removal.
  2095. */
  2096. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2,
  2097. RENAME_EXCHANGE));
  2098. ASSERT_EQ(0, unlink(dir_s1d3));
  2099. ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
  2100. ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3));
  2101. ASSERT_EQ(0, rmdir(dir_s1d3));
  2102. }
  2103. TEST_F_FORK(layout1, reparent_refer)
  2104. {
  2105. const struct rule layer1[] = {
  2106. {
  2107. .path = dir_s1d2,
  2108. .access = LANDLOCK_ACCESS_FS_REFER,
  2109. },
  2110. {
  2111. .path = dir_s2d2,
  2112. .access = LANDLOCK_ACCESS_FS_REFER,
  2113. },
  2114. {},
  2115. };
  2116. int ruleset_fd =
  2117. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
  2118. ASSERT_LE(0, ruleset_fd);
  2119. enforce_ruleset(_metadata, ruleset_fd);
  2120. ASSERT_EQ(0, close(ruleset_fd));
  2121. ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1));
  2122. ASSERT_EQ(EXDEV, errno);
  2123. ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2));
  2124. ASSERT_EQ(EXDEV, errno);
  2125. ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
  2126. ASSERT_EQ(EXDEV, errno);
  2127. ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1));
  2128. ASSERT_EQ(EXDEV, errno);
  2129. ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2));
  2130. ASSERT_EQ(EXDEV, errno);
  2131. /*
  2132. * Moving should only be allowed when the source and the destination
  2133. * parent directory have REFER.
  2134. */
  2135. ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3));
  2136. ASSERT_EQ(ENOTEMPTY, errno);
  2137. ASSERT_EQ(0, unlink(file1_s2d3));
  2138. ASSERT_EQ(0, unlink(file2_s2d3));
  2139. ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
  2140. }
  2141. /* Checks renames beneath dir_s1d1. */
  2142. static void refer_denied_by_default(struct __test_metadata *const _metadata,
  2143. const struct rule layer1[],
  2144. const int layer1_err,
  2145. const struct rule layer2[])
  2146. {
  2147. int ruleset_fd;
  2148. ASSERT_EQ(0, unlink(file1_s1d2));
  2149. ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
  2150. ASSERT_LE(0, ruleset_fd);
  2151. enforce_ruleset(_metadata, ruleset_fd);
  2152. ASSERT_EQ(0, close(ruleset_fd));
  2153. /*
  2154. * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to
  2155. * layer1_err), then it allows some different-parent renames and links.
  2156. */
  2157. ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2));
  2158. if (layer1_err == 0)
  2159. ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1));
  2160. ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2));
  2161. ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1));
  2162. ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
  2163. ASSERT_LE(0, ruleset_fd);
  2164. enforce_ruleset(_metadata, ruleset_fd);
  2165. ASSERT_EQ(0, close(ruleset_fd));
  2166. /*
  2167. * Now, either the first or the second layer does not handle
  2168. * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent
  2169. * renames and links are denied, thus making the layer handling
  2170. * LANDLOCK_ACCESS_FS_REFER null and void.
  2171. */
  2172. ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2));
  2173. ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2));
  2174. ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1));
  2175. }
  2176. const struct rule layer_dir_s1d1_refer[] = {
  2177. {
  2178. .path = dir_s1d1,
  2179. .access = LANDLOCK_ACCESS_FS_REFER,
  2180. },
  2181. {},
  2182. };
  2183. const struct rule layer_dir_s1d1_execute[] = {
  2184. {
  2185. /* Matches a parent directory. */
  2186. .path = dir_s1d1,
  2187. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  2188. },
  2189. {},
  2190. };
  2191. const struct rule layer_dir_s2d1_execute[] = {
  2192. {
  2193. /* Does not match a parent directory. */
  2194. .path = dir_s2d1,
  2195. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  2196. },
  2197. {},
  2198. };
  2199. /*
  2200. * Tests precedence over renames: denied by default for different parent
  2201. * directories, *with* a rule matching a parent directory, but not directly
  2202. * denying access (with MAKE_REG nor REMOVE).
  2203. */
  2204. TEST_F_FORK(layout1, refer_denied_by_default1)
  2205. {
  2206. refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
  2207. layer_dir_s1d1_execute);
  2208. }
  2209. /*
  2210. * Same test but this time turning around the ABI version order: the first
  2211. * layer does not handle LANDLOCK_ACCESS_FS_REFER.
  2212. */
  2213. TEST_F_FORK(layout1, refer_denied_by_default2)
  2214. {
  2215. refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV,
  2216. layer_dir_s1d1_refer);
  2217. }
  2218. /*
  2219. * Tests precedence over renames: denied by default for different parent
  2220. * directories, *without* a rule matching a parent directory, but not directly
  2221. * denying access (with MAKE_REG nor REMOVE).
  2222. */
  2223. TEST_F_FORK(layout1, refer_denied_by_default3)
  2224. {
  2225. refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
  2226. layer_dir_s2d1_execute);
  2227. }
  2228. /*
  2229. * Same test but this time turning around the ABI version order: the first
  2230. * layer does not handle LANDLOCK_ACCESS_FS_REFER.
  2231. */
  2232. TEST_F_FORK(layout1, refer_denied_by_default4)
  2233. {
  2234. refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV,
  2235. layer_dir_s1d1_refer);
  2236. }
  2237. /*
  2238. * Tests walking through a denied root mount.
  2239. */
  2240. TEST_F_FORK(layout1, refer_mount_root_deny)
  2241. {
  2242. const struct landlock_ruleset_attr ruleset_attr = {
  2243. .handled_access_fs = LANDLOCK_ACCESS_FS_MAKE_DIR,
  2244. };
  2245. int root_fd, ruleset_fd;
  2246. /* Creates a mount object from a non-mount point. */
  2247. set_cap(_metadata, CAP_SYS_ADMIN);
  2248. root_fd =
  2249. open_tree(AT_FDCWD, dir_s1d1,
  2250. AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
  2251. clear_cap(_metadata, CAP_SYS_ADMIN);
  2252. ASSERT_LE(0, root_fd);
  2253. ruleset_fd =
  2254. landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
  2255. ASSERT_LE(0, ruleset_fd);
  2256. ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
  2257. ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
  2258. EXPECT_EQ(0, close(ruleset_fd));
  2259. /* Link denied by Landlock: EACCES. */
  2260. EXPECT_EQ(-1, linkat(root_fd, ".", root_fd, "does_not_exist", 0));
  2261. EXPECT_EQ(EACCES, errno);
  2262. /* renameat2() always returns EBUSY. */
  2263. EXPECT_EQ(-1, renameat2(root_fd, ".", root_fd, "does_not_exist", 0));
  2264. EXPECT_EQ(EBUSY, errno);
  2265. EXPECT_EQ(0, close(root_fd));
  2266. }
  2267. TEST_F_FORK(layout1, refer_part_mount_tree_is_allowed)
  2268. {
  2269. const struct rule layer1[] = {
  2270. {
  2271. /* Parent mount point. */
  2272. .path = dir_s3d1,
  2273. .access = LANDLOCK_ACCESS_FS_REFER |
  2274. LANDLOCK_ACCESS_FS_MAKE_REG,
  2275. },
  2276. {
  2277. /*
  2278. * Removing the source file is allowed because its
  2279. * access rights are already a superset of the
  2280. * destination.
  2281. */
  2282. .path = dir_s3d4,
  2283. .access = LANDLOCK_ACCESS_FS_REFER |
  2284. LANDLOCK_ACCESS_FS_MAKE_REG |
  2285. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2286. },
  2287. {},
  2288. };
  2289. int ruleset_fd;
  2290. ASSERT_EQ(0, unlink(file1_s3d3));
  2291. ruleset_fd = create_ruleset(_metadata,
  2292. LANDLOCK_ACCESS_FS_REFER |
  2293. LANDLOCK_ACCESS_FS_MAKE_REG |
  2294. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2295. layer1);
  2296. ASSERT_LE(0, ruleset_fd);
  2297. enforce_ruleset(_metadata, ruleset_fd);
  2298. ASSERT_EQ(0, close(ruleset_fd));
  2299. ASSERT_EQ(0, rename(file1_s3d4, file1_s3d3));
  2300. }
  2301. TEST_F_FORK(layout1, reparent_link)
  2302. {
  2303. const struct rule layer1[] = {
  2304. {
  2305. .path = dir_s1d2,
  2306. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2307. },
  2308. {
  2309. .path = dir_s1d3,
  2310. .access = LANDLOCK_ACCESS_FS_REFER,
  2311. },
  2312. {
  2313. .path = dir_s2d2,
  2314. .access = LANDLOCK_ACCESS_FS_REFER,
  2315. },
  2316. {
  2317. .path = dir_s2d3,
  2318. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2319. },
  2320. {},
  2321. };
  2322. const int ruleset_fd = create_ruleset(
  2323. _metadata,
  2324. LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
  2325. ASSERT_LE(0, ruleset_fd);
  2326. enforce_ruleset(_metadata, ruleset_fd);
  2327. ASSERT_EQ(0, close(ruleset_fd));
  2328. ASSERT_EQ(0, unlink(file1_s1d1));
  2329. ASSERT_EQ(0, unlink(file1_s1d2));
  2330. ASSERT_EQ(0, unlink(file1_s1d3));
  2331. /* Denies linking because of missing MAKE_REG. */
  2332. ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
  2333. ASSERT_EQ(EACCES, errno);
  2334. /* Denies linking because of missing source and destination REFER. */
  2335. ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
  2336. ASSERT_EQ(EXDEV, errno);
  2337. /* Denies linking because of missing source REFER. */
  2338. ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3));
  2339. ASSERT_EQ(EXDEV, errno);
  2340. /* Denies linking because of missing MAKE_REG. */
  2341. ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1));
  2342. ASSERT_EQ(EACCES, errno);
  2343. /* Denies linking because of missing destination REFER. */
  2344. ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2));
  2345. ASSERT_EQ(EXDEV, errno);
  2346. /* Allows linking because of REFER and MAKE_REG. */
  2347. ASSERT_EQ(0, link(file1_s2d2, file1_s1d3));
  2348. ASSERT_EQ(0, unlink(file1_s2d2));
  2349. /* Reverse linking denied because of missing MAKE_REG. */
  2350. ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2));
  2351. ASSERT_EQ(EACCES, errno);
  2352. ASSERT_EQ(0, unlink(file1_s2d3));
  2353. /* Checks reverse linking. */
  2354. ASSERT_EQ(0, link(file1_s1d3, file1_s2d3));
  2355. ASSERT_EQ(0, unlink(file1_s1d3));
  2356. /*
  2357. * This is OK for a file link, but it should not be allowed for a
  2358. * directory rename (because of the superset of access rights.
  2359. */
  2360. ASSERT_EQ(0, link(file1_s2d3, file1_s1d3));
  2361. ASSERT_EQ(0, unlink(file1_s1d3));
  2362. ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
  2363. ASSERT_EQ(EXDEV, errno);
  2364. ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
  2365. ASSERT_EQ(EXDEV, errno);
  2366. ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
  2367. ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
  2368. }
  2369. TEST_F_FORK(layout1, reparent_rename)
  2370. {
  2371. /* Same rules as for reparent_link. */
  2372. const struct rule layer1[] = {
  2373. {
  2374. .path = dir_s1d2,
  2375. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2376. },
  2377. {
  2378. .path = dir_s1d3,
  2379. .access = LANDLOCK_ACCESS_FS_REFER,
  2380. },
  2381. {
  2382. .path = dir_s2d2,
  2383. .access = LANDLOCK_ACCESS_FS_REFER,
  2384. },
  2385. {
  2386. .path = dir_s2d3,
  2387. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2388. },
  2389. {},
  2390. };
  2391. const int ruleset_fd = create_ruleset(
  2392. _metadata,
  2393. LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
  2394. ASSERT_LE(0, ruleset_fd);
  2395. enforce_ruleset(_metadata, ruleset_fd);
  2396. ASSERT_EQ(0, close(ruleset_fd));
  2397. ASSERT_EQ(0, unlink(file1_s1d2));
  2398. ASSERT_EQ(0, unlink(file1_s1d3));
  2399. /* Denies renaming because of missing MAKE_REG. */
  2400. ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1,
  2401. RENAME_EXCHANGE));
  2402. ASSERT_EQ(EACCES, errno);
  2403. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1,
  2404. RENAME_EXCHANGE));
  2405. ASSERT_EQ(EACCES, errno);
  2406. ASSERT_EQ(0, unlink(file1_s1d1));
  2407. ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
  2408. ASSERT_EQ(EACCES, errno);
  2409. /* Even denies same file exchange. */
  2410. ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1,
  2411. RENAME_EXCHANGE));
  2412. ASSERT_EQ(EACCES, errno);
  2413. /* Denies renaming because of missing source and destination REFER. */
  2414. ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2));
  2415. ASSERT_EQ(EXDEV, errno);
  2416. /*
  2417. * Denies renaming because of missing MAKE_REG, source and destination
  2418. * REFER.
  2419. */
  2420. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1,
  2421. RENAME_EXCHANGE));
  2422. ASSERT_EQ(EACCES, errno);
  2423. ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1,
  2424. RENAME_EXCHANGE));
  2425. ASSERT_EQ(EACCES, errno);
  2426. /* Denies renaming because of missing source REFER. */
  2427. ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
  2428. ASSERT_EQ(EXDEV, errno);
  2429. /* Denies renaming because of missing MAKE_REG. */
  2430. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3,
  2431. RENAME_EXCHANGE));
  2432. ASSERT_EQ(EACCES, errno);
  2433. /* Denies renaming because of missing MAKE_REG. */
  2434. ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1));
  2435. ASSERT_EQ(EACCES, errno);
  2436. /* Denies renaming because of missing destination REFER*/
  2437. ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
  2438. ASSERT_EQ(EXDEV, errno);
  2439. /* Denies exchange because of one missing MAKE_REG. */
  2440. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3,
  2441. RENAME_EXCHANGE));
  2442. ASSERT_EQ(EACCES, errno);
  2443. /* Allows renaming because of REFER and MAKE_REG. */
  2444. ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3));
  2445. /* Reverse renaming denied because of missing MAKE_REG. */
  2446. ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2));
  2447. ASSERT_EQ(EACCES, errno);
  2448. ASSERT_EQ(0, unlink(file1_s2d3));
  2449. ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
  2450. /* Tests reverse renaming. */
  2451. ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
  2452. ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3,
  2453. RENAME_EXCHANGE));
  2454. ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
  2455. /*
  2456. * This is OK for a file rename, but it should not be allowed for a
  2457. * directory rename (because of the superset of access rights).
  2458. */
  2459. ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
  2460. ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
  2461. /*
  2462. * Tests superset restrictions applied to directories. Not only the
  2463. * dir_s2d3's parent (dir_s2d2) should be taken into account but also
  2464. * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
  2465. * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided
  2466. * directly by the moved dir_s2d3.
  2467. */
  2468. ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3));
  2469. ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3));
  2470. /*
  2471. * The first rename is allowed but not the exchange because dir_s1d3's
  2472. * parent (dir_s1d2) doesn't have REFER.
  2473. */
  2474. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
  2475. RENAME_EXCHANGE));
  2476. ASSERT_EQ(EXDEV, errno);
  2477. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3,
  2478. RENAME_EXCHANGE));
  2479. ASSERT_EQ(EXDEV, errno);
  2480. ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3));
  2481. ASSERT_EQ(EXDEV, errno);
  2482. ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3));
  2483. ASSERT_EQ(EXDEV, errno);
  2484. ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2));
  2485. ASSERT_EQ(EXDEV, errno);
  2486. /* Renaming in the same directory is always allowed. */
  2487. ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2));
  2488. ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3));
  2489. ASSERT_EQ(0, unlink(file1_s1d2));
  2490. /* Denies because of missing source MAKE_REG and destination REFER. */
  2491. ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2));
  2492. ASSERT_EQ(EXDEV, errno);
  2493. ASSERT_EQ(0, unlink(file1_s1d3));
  2494. /* Denies because of missing source MAKE_REG and REFER. */
  2495. ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3));
  2496. ASSERT_EQ(EXDEV, errno);
  2497. }
  2498. static void
  2499. reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
  2500. {
  2501. const struct rule layer1[] = {
  2502. {
  2503. .path = dir_s1d2,
  2504. .access = LANDLOCK_ACCESS_FS_REFER,
  2505. },
  2506. {
  2507. /* Interesting for the layer2 tests. */
  2508. .path = dir_s1d3,
  2509. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2510. },
  2511. {
  2512. .path = dir_s2d2,
  2513. .access = LANDLOCK_ACCESS_FS_REFER,
  2514. },
  2515. {
  2516. .path = dir_s2d3,
  2517. .access = LANDLOCK_ACCESS_FS_MAKE_REG,
  2518. },
  2519. {},
  2520. };
  2521. const int ruleset_fd = create_ruleset(
  2522. _metadata,
  2523. LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
  2524. ASSERT_LE(0, ruleset_fd);
  2525. enforce_ruleset(_metadata, ruleset_fd);
  2526. ASSERT_EQ(0, close(ruleset_fd));
  2527. }
  2528. static void
  2529. reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
  2530. {
  2531. const struct rule layer2[] = {
  2532. {
  2533. .path = dir_s2d3,
  2534. .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
  2535. },
  2536. {},
  2537. };
  2538. /*
  2539. * Same checks as before but with a second layer and a new MAKE_DIR
  2540. * rule (and no explicit handling of REFER).
  2541. */
  2542. const int ruleset_fd =
  2543. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
  2544. ASSERT_LE(0, ruleset_fd);
  2545. enforce_ruleset(_metadata, ruleset_fd);
  2546. ASSERT_EQ(0, close(ruleset_fd));
  2547. }
  2548. TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
  2549. {
  2550. ASSERT_EQ(0, unlink(file1_s2d2));
  2551. ASSERT_EQ(0, unlink(file1_s2d3));
  2552. reparent_exdev_layers_enforce1(_metadata);
  2553. /*
  2554. * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock
  2555. * because it doesn't inherit new access rights.
  2556. */
  2557. ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
  2558. ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
  2559. /*
  2560. * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it
  2561. * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
  2562. * already allowed for dir_s1d3.
  2563. */
  2564. ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3));
  2565. ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3));
  2566. /*
  2567. * However, moving the file1_s1d3 file below dir_s2d3 is allowed
  2568. * because it cannot inherit MAKE_REG right (which is dedicated to
  2569. * directories).
  2570. */
  2571. ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
  2572. reparent_exdev_layers_enforce2(_metadata);
  2573. /*
  2574. * Moving the dir_s1d3 directory below dir_s2d2 is now denied because
  2575. * MAKE_DIR is not tied to dir_s2d2.
  2576. */
  2577. ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2));
  2578. ASSERT_EQ(EACCES, errno);
  2579. /*
  2580. * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it
  2581. * would grants MAKE_REG and MAKE_DIR rights to it.
  2582. */
  2583. ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
  2584. ASSERT_EQ(EXDEV, errno);
  2585. /*
  2586. * Moving the file2_s1d3 file below dir_s2d3 is denied because the
  2587. * second layer does not handle REFER, which is always denied by
  2588. * default.
  2589. */
  2590. ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3));
  2591. ASSERT_EQ(EXDEV, errno);
  2592. }
  2593. TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
  2594. {
  2595. reparent_exdev_layers_enforce1(_metadata);
  2596. /* Checks EACCES predominance over EXDEV. */
  2597. ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
  2598. ASSERT_EQ(EACCES, errno);
  2599. ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2));
  2600. ASSERT_EQ(EACCES, errno);
  2601. ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
  2602. ASSERT_EQ(EXDEV, errno);
  2603. /* Modify layout! */
  2604. ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3));
  2605. /* Without REFER source. */
  2606. ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
  2607. ASSERT_EQ(EXDEV, errno);
  2608. ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
  2609. ASSERT_EQ(EXDEV, errno);
  2610. reparent_exdev_layers_enforce2(_metadata);
  2611. /* Checks EACCES predominance over EXDEV. */
  2612. ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
  2613. ASSERT_EQ(EACCES, errno);
  2614. /* Checks with actual file2_s1d2. */
  2615. ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2));
  2616. ASSERT_EQ(EACCES, errno);
  2617. ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
  2618. ASSERT_EQ(EXDEV, errno);
  2619. /*
  2620. * Modifying the layout is now denied because the second layer does not
  2621. * handle REFER, which is always denied by default.
  2622. */
  2623. ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
  2624. ASSERT_EQ(EXDEV, errno);
  2625. /* Without REFER source, EACCES wins over EXDEV. */
  2626. ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
  2627. ASSERT_EQ(EACCES, errno);
  2628. ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
  2629. ASSERT_EQ(EACCES, errno);
  2630. }
  2631. TEST_F_FORK(layout1, reparent_exdev_layers_exchange1)
  2632. {
  2633. const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 =
  2634. file2_s2d3;
  2635. ASSERT_EQ(0, unlink(file1_s1d2));
  2636. ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
  2637. ASSERT_EQ(0, unlink(file2_s2d3));
  2638. ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
  2639. reparent_exdev_layers_enforce1(_metadata);
  2640. /* Error predominance with file exchange: returns EXDEV and EACCES. */
  2641. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
  2642. RENAME_EXCHANGE));
  2643. ASSERT_EQ(EACCES, errno);
  2644. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
  2645. RENAME_EXCHANGE));
  2646. ASSERT_EQ(EACCES, errno);
  2647. /*
  2648. * Checks with directories which creation could be allowed, but denied
  2649. * because of access rights that would be inherited.
  2650. */
  2651. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
  2652. dir_file2_s2d3, RENAME_EXCHANGE));
  2653. ASSERT_EQ(EXDEV, errno);
  2654. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
  2655. dir_file1_s1d2, RENAME_EXCHANGE));
  2656. ASSERT_EQ(EXDEV, errno);
  2657. /* Checks with same access rights. */
  2658. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
  2659. RENAME_EXCHANGE));
  2660. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
  2661. RENAME_EXCHANGE));
  2662. /* Checks with different (child-only) access rights. */
  2663. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
  2664. RENAME_EXCHANGE));
  2665. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
  2666. RENAME_EXCHANGE));
  2667. /*
  2668. * Checks that exchange between file and directory are consistent.
  2669. *
  2670. * Moving a file (file1_s2d2) to a directory which only grants more
  2671. * directory-related access rights is allowed, and at the same time
  2672. * moving a directory (dir_file2_s2d3) to another directory which
  2673. * grants less access rights is allowed too.
  2674. *
  2675. * See layout1.reparent_exdev_layers_exchange3 for inverted arguments.
  2676. */
  2677. ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
  2678. RENAME_EXCHANGE));
  2679. /*
  2680. * However, moving back the directory is denied because it would get
  2681. * more access rights than the current state and because file creation
  2682. * is forbidden (in dir_s2d2).
  2683. */
  2684. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
  2685. RENAME_EXCHANGE));
  2686. ASSERT_EQ(EACCES, errno);
  2687. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
  2688. RENAME_EXCHANGE));
  2689. ASSERT_EQ(EACCES, errno);
  2690. reparent_exdev_layers_enforce2(_metadata);
  2691. /* Error predominance with file exchange: returns EXDEV and EACCES. */
  2692. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
  2693. RENAME_EXCHANGE));
  2694. ASSERT_EQ(EACCES, errno);
  2695. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
  2696. RENAME_EXCHANGE));
  2697. ASSERT_EQ(EACCES, errno);
  2698. /* Checks with directories which creation is now denied. */
  2699. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
  2700. dir_file2_s2d3, RENAME_EXCHANGE));
  2701. ASSERT_EQ(EACCES, errno);
  2702. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
  2703. dir_file1_s1d2, RENAME_EXCHANGE));
  2704. ASSERT_EQ(EACCES, errno);
  2705. /* Checks with different (child-only) access rights. */
  2706. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
  2707. RENAME_EXCHANGE));
  2708. /* Denied because of MAKE_DIR. */
  2709. ASSERT_EQ(EACCES, errno);
  2710. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
  2711. RENAME_EXCHANGE));
  2712. ASSERT_EQ(EACCES, errno);
  2713. /* Checks with different (child-only) access rights. */
  2714. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
  2715. RENAME_EXCHANGE));
  2716. /* Denied because of MAKE_DIR. */
  2717. ASSERT_EQ(EACCES, errno);
  2718. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
  2719. RENAME_EXCHANGE));
  2720. ASSERT_EQ(EACCES, errno);
  2721. /* See layout1.reparent_exdev_layers_exchange2 for complement. */
  2722. }
  2723. TEST_F_FORK(layout1, reparent_exdev_layers_exchange2)
  2724. {
  2725. const char *const dir_file2_s2d3 = file2_s2d3;
  2726. ASSERT_EQ(0, unlink(file2_s2d3));
  2727. ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
  2728. reparent_exdev_layers_enforce1(_metadata);
  2729. reparent_exdev_layers_enforce2(_metadata);
  2730. /* Checks that exchange between file and directory are consistent. */
  2731. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
  2732. RENAME_EXCHANGE));
  2733. ASSERT_EQ(EACCES, errno);
  2734. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
  2735. RENAME_EXCHANGE));
  2736. ASSERT_EQ(EACCES, errno);
  2737. }
  2738. TEST_F_FORK(layout1, reparent_exdev_layers_exchange3)
  2739. {
  2740. const char *const dir_file2_s2d3 = file2_s2d3;
  2741. ASSERT_EQ(0, unlink(file2_s2d3));
  2742. ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
  2743. reparent_exdev_layers_enforce1(_metadata);
  2744. /*
  2745. * Checks that exchange between file and directory are consistent,
  2746. * including with inverted arguments (see
  2747. * layout1.reparent_exdev_layers_exchange1).
  2748. */
  2749. ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
  2750. RENAME_EXCHANGE));
  2751. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
  2752. RENAME_EXCHANGE));
  2753. ASSERT_EQ(EACCES, errno);
  2754. ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
  2755. RENAME_EXCHANGE));
  2756. ASSERT_EQ(EACCES, errno);
  2757. }
  2758. TEST_F_FORK(layout1, reparent_remove)
  2759. {
  2760. const struct rule layer1[] = {
  2761. {
  2762. .path = dir_s1d1,
  2763. .access = LANDLOCK_ACCESS_FS_REFER |
  2764. LANDLOCK_ACCESS_FS_REMOVE_DIR,
  2765. },
  2766. {
  2767. .path = dir_s1d2,
  2768. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2769. },
  2770. {
  2771. .path = dir_s2d1,
  2772. .access = LANDLOCK_ACCESS_FS_REFER |
  2773. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2774. },
  2775. {},
  2776. };
  2777. const int ruleset_fd = create_ruleset(
  2778. _metadata,
  2779. LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR |
  2780. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2781. layer1);
  2782. ASSERT_LE(0, ruleset_fd);
  2783. enforce_ruleset(_metadata, ruleset_fd);
  2784. ASSERT_EQ(0, close(ruleset_fd));
  2785. /* Access denied because of wrong/swapped remove file/dir. */
  2786. ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2));
  2787. ASSERT_EQ(EACCES, errno);
  2788. ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1));
  2789. ASSERT_EQ(EACCES, errno);
  2790. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2,
  2791. RENAME_EXCHANGE));
  2792. ASSERT_EQ(EACCES, errno);
  2793. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3,
  2794. RENAME_EXCHANGE));
  2795. ASSERT_EQ(EACCES, errno);
  2796. /* Access allowed thanks to the matching rights. */
  2797. ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2));
  2798. ASSERT_EQ(EISDIR, errno);
  2799. ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1));
  2800. ASSERT_EQ(ENOTDIR, errno);
  2801. ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
  2802. ASSERT_EQ(ENOTDIR, errno);
  2803. ASSERT_EQ(0, unlink(file1_s2d1));
  2804. ASSERT_EQ(0, unlink(file1_s1d3));
  2805. ASSERT_EQ(0, unlink(file2_s1d3));
  2806. ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1));
  2807. /* Effectively removes a file and a directory by exchanging them. */
  2808. ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
  2809. ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
  2810. RENAME_EXCHANGE));
  2811. ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
  2812. RENAME_EXCHANGE));
  2813. ASSERT_EQ(EACCES, errno);
  2814. }
  2815. TEST_F_FORK(layout1, reparent_dom_superset)
  2816. {
  2817. const struct rule layer1[] = {
  2818. {
  2819. .path = dir_s1d2,
  2820. .access = LANDLOCK_ACCESS_FS_REFER,
  2821. },
  2822. {
  2823. .path = file1_s1d2,
  2824. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  2825. },
  2826. {
  2827. .path = dir_s1d3,
  2828. .access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
  2829. LANDLOCK_ACCESS_FS_EXECUTE,
  2830. },
  2831. {
  2832. .path = dir_s2d2,
  2833. .access = LANDLOCK_ACCESS_FS_REFER |
  2834. LANDLOCK_ACCESS_FS_EXECUTE |
  2835. LANDLOCK_ACCESS_FS_MAKE_SOCK,
  2836. },
  2837. {
  2838. .path = dir_s2d3,
  2839. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  2840. LANDLOCK_ACCESS_FS_MAKE_FIFO,
  2841. },
  2842. {},
  2843. };
  2844. int ruleset_fd = create_ruleset(_metadata,
  2845. LANDLOCK_ACCESS_FS_REFER |
  2846. LANDLOCK_ACCESS_FS_EXECUTE |
  2847. LANDLOCK_ACCESS_FS_MAKE_SOCK |
  2848. LANDLOCK_ACCESS_FS_READ_FILE |
  2849. LANDLOCK_ACCESS_FS_MAKE_FIFO,
  2850. layer1);
  2851. ASSERT_LE(0, ruleset_fd);
  2852. enforce_ruleset(_metadata, ruleset_fd);
  2853. ASSERT_EQ(0, close(ruleset_fd));
  2854. ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1));
  2855. ASSERT_EQ(EXDEV, errno);
  2856. /*
  2857. * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE
  2858. * access right.
  2859. */
  2860. ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3));
  2861. ASSERT_EQ(EXDEV, errno);
  2862. /*
  2863. * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a
  2864. * superset of access rights compared to dir_s1d2, because file1_s1d2
  2865. * already has these access rights anyway.
  2866. */
  2867. ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2));
  2868. ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2));
  2869. ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
  2870. ASSERT_EQ(EXDEV, errno);
  2871. /*
  2872. * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
  2873. * right.
  2874. */
  2875. ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
  2876. ASSERT_EQ(EXDEV, errno);
  2877. /*
  2878. * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset
  2879. * of access rights compared to dir_s1d2, because dir_s1d3 already has
  2880. * these access rights anyway.
  2881. */
  2882. ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
  2883. ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
  2884. /*
  2885. * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back
  2886. * will be denied because the new inherited access rights from dir_s1d2
  2887. * will be less than the destination (original) dir_s2d3. This is a
  2888. * sinkhole scenario where we cannot move back files or directories.
  2889. */
  2890. ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2));
  2891. ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
  2892. ASSERT_EQ(EXDEV, errno);
  2893. ASSERT_EQ(0, unlink(file2_s1d2));
  2894. ASSERT_EQ(0, unlink(file2_s2d3));
  2895. /*
  2896. * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and
  2897. * MAKE_SOCK which were inherited from dir_s1d3.
  2898. */
  2899. ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2));
  2900. ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3));
  2901. ASSERT_EQ(EXDEV, errno);
  2902. }
  2903. TEST_F_FORK(layout1, remove_dir)
  2904. {
  2905. const struct rule rules[] = {
  2906. {
  2907. .path = dir_s1d2,
  2908. .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
  2909. },
  2910. {},
  2911. };
  2912. const int ruleset_fd =
  2913. create_ruleset(_metadata, rules[0].access, rules);
  2914. ASSERT_LE(0, ruleset_fd);
  2915. ASSERT_EQ(0, unlink(file1_s1d1));
  2916. ASSERT_EQ(0, unlink(file1_s1d2));
  2917. ASSERT_EQ(0, unlink(file1_s1d3));
  2918. ASSERT_EQ(0, unlink(file2_s1d3));
  2919. enforce_ruleset(_metadata, ruleset_fd);
  2920. ASSERT_EQ(0, close(ruleset_fd));
  2921. ASSERT_EQ(0, rmdir(dir_s1d3));
  2922. ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
  2923. ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
  2924. /* dir_s1d2 itself cannot be removed. */
  2925. ASSERT_EQ(-1, rmdir(dir_s1d2));
  2926. ASSERT_EQ(EACCES, errno);
  2927. ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR));
  2928. ASSERT_EQ(EACCES, errno);
  2929. ASSERT_EQ(-1, rmdir(dir_s1d1));
  2930. ASSERT_EQ(EACCES, errno);
  2931. ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR));
  2932. ASSERT_EQ(EACCES, errno);
  2933. }
  2934. TEST_F_FORK(layout1, remove_file)
  2935. {
  2936. const struct rule rules[] = {
  2937. {
  2938. .path = dir_s1d2,
  2939. .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
  2940. },
  2941. {},
  2942. };
  2943. const int ruleset_fd =
  2944. create_ruleset(_metadata, rules[0].access, rules);
  2945. ASSERT_LE(0, ruleset_fd);
  2946. enforce_ruleset(_metadata, ruleset_fd);
  2947. ASSERT_EQ(0, close(ruleset_fd));
  2948. ASSERT_EQ(-1, unlink(file1_s1d1));
  2949. ASSERT_EQ(EACCES, errno);
  2950. ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0));
  2951. ASSERT_EQ(EACCES, errno);
  2952. ASSERT_EQ(0, unlink(file1_s1d2));
  2953. ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0));
  2954. }
  2955. static void test_make_file(struct __test_metadata *const _metadata,
  2956. const __u64 access, const mode_t mode,
  2957. const dev_t dev)
  2958. {
  2959. const struct rule rules[] = {
  2960. {
  2961. .path = dir_s1d2,
  2962. .access = access,
  2963. },
  2964. {},
  2965. };
  2966. const int ruleset_fd = create_ruleset(_metadata, access, rules);
  2967. ASSERT_LE(0, ruleset_fd);
  2968. ASSERT_EQ(0, unlink(file1_s1d1));
  2969. ASSERT_EQ(0, unlink(file2_s1d1));
  2970. ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev))
  2971. {
  2972. TH_LOG("Failed to make file \"%s\": %s", file2_s1d1,
  2973. strerror(errno));
  2974. };
  2975. ASSERT_EQ(0, unlink(file1_s1d2));
  2976. ASSERT_EQ(0, unlink(file2_s1d2));
  2977. ASSERT_EQ(0, unlink(file1_s1d3));
  2978. ASSERT_EQ(0, unlink(file2_s1d3));
  2979. enforce_ruleset(_metadata, ruleset_fd);
  2980. ASSERT_EQ(0, close(ruleset_fd));
  2981. ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev));
  2982. ASSERT_EQ(EACCES, errno);
  2983. ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
  2984. ASSERT_EQ(EACCES, errno);
  2985. ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
  2986. ASSERT_EQ(EACCES, errno);
  2987. ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev))
  2988. {
  2989. TH_LOG("Failed to make file \"%s\": %s", file1_s1d2,
  2990. strerror(errno));
  2991. };
  2992. ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
  2993. ASSERT_EQ(0, unlink(file2_s1d2));
  2994. ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
  2995. ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev));
  2996. ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
  2997. ASSERT_EQ(0, unlink(file2_s1d3));
  2998. ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
  2999. }
  3000. TEST_F_FORK(layout1, make_char)
  3001. {
  3002. /* Creates a /dev/null device. */
  3003. set_cap(_metadata, CAP_MKNOD);
  3004. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
  3005. makedev(1, 3));
  3006. }
  3007. TEST_F_FORK(layout1, make_block)
  3008. {
  3009. /* Creates a /dev/loop0 device. */
  3010. set_cap(_metadata, CAP_MKNOD);
  3011. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
  3012. makedev(7, 0));
  3013. }
  3014. TEST_F_FORK(layout1, make_reg_1)
  3015. {
  3016. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
  3017. }
  3018. TEST_F_FORK(layout1, make_reg_2)
  3019. {
  3020. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
  3021. }
  3022. TEST_F_FORK(layout1, make_sock)
  3023. {
  3024. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
  3025. }
  3026. TEST_F_FORK(layout1, make_fifo)
  3027. {
  3028. test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
  3029. }
  3030. TEST_F_FORK(layout1, make_sym)
  3031. {
  3032. const struct rule rules[] = {
  3033. {
  3034. .path = dir_s1d2,
  3035. .access = LANDLOCK_ACCESS_FS_MAKE_SYM,
  3036. },
  3037. {},
  3038. };
  3039. const int ruleset_fd =
  3040. create_ruleset(_metadata, rules[0].access, rules);
  3041. ASSERT_LE(0, ruleset_fd);
  3042. ASSERT_EQ(0, unlink(file1_s1d1));
  3043. ASSERT_EQ(0, unlink(file2_s1d1));
  3044. ASSERT_EQ(0, symlink("none", file2_s1d1));
  3045. ASSERT_EQ(0, unlink(file1_s1d2));
  3046. ASSERT_EQ(0, unlink(file2_s1d2));
  3047. ASSERT_EQ(0, unlink(file1_s1d3));
  3048. ASSERT_EQ(0, unlink(file2_s1d3));
  3049. enforce_ruleset(_metadata, ruleset_fd);
  3050. ASSERT_EQ(0, close(ruleset_fd));
  3051. ASSERT_EQ(-1, symlink("none", file1_s1d1));
  3052. ASSERT_EQ(EACCES, errno);
  3053. ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
  3054. ASSERT_EQ(EACCES, errno);
  3055. ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
  3056. ASSERT_EQ(EACCES, errno);
  3057. ASSERT_EQ(0, symlink("none", file1_s1d2));
  3058. ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
  3059. ASSERT_EQ(0, unlink(file2_s1d2));
  3060. ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
  3061. ASSERT_EQ(0, symlink("none", file1_s1d3));
  3062. ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
  3063. ASSERT_EQ(0, unlink(file2_s1d3));
  3064. ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
  3065. }
  3066. TEST_F_FORK(layout1, make_dir)
  3067. {
  3068. const struct rule rules[] = {
  3069. {
  3070. .path = dir_s1d2,
  3071. .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
  3072. },
  3073. {},
  3074. };
  3075. const int ruleset_fd =
  3076. create_ruleset(_metadata, rules[0].access, rules);
  3077. ASSERT_LE(0, ruleset_fd);
  3078. ASSERT_EQ(0, unlink(file1_s1d1));
  3079. ASSERT_EQ(0, unlink(file1_s1d2));
  3080. ASSERT_EQ(0, unlink(file1_s1d3));
  3081. enforce_ruleset(_metadata, ruleset_fd);
  3082. ASSERT_EQ(0, close(ruleset_fd));
  3083. /* Uses file_* as directory names. */
  3084. ASSERT_EQ(-1, mkdir(file1_s1d1, 0700));
  3085. ASSERT_EQ(EACCES, errno);
  3086. ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
  3087. ASSERT_EQ(0, mkdir(file1_s1d3, 0700));
  3088. }
  3089. static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
  3090. const int open_flags)
  3091. {
  3092. static const char path_template[] = "/proc/self/fd/%d";
  3093. char procfd_path[sizeof(path_template) + 10];
  3094. const int procfd_path_size =
  3095. snprintf(procfd_path, sizeof(procfd_path), path_template, fd);
  3096. ASSERT_LT(procfd_path_size, sizeof(procfd_path));
  3097. return open(procfd_path, open_flags);
  3098. }
  3099. TEST_F_FORK(layout1, proc_unlinked_file)
  3100. {
  3101. const struct rule rules[] = {
  3102. {
  3103. .path = file1_s1d2,
  3104. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  3105. },
  3106. {},
  3107. };
  3108. int reg_fd, proc_fd;
  3109. const int ruleset_fd = create_ruleset(
  3110. _metadata,
  3111. LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
  3112. rules);
  3113. ASSERT_LE(0, ruleset_fd);
  3114. enforce_ruleset(_metadata, ruleset_fd);
  3115. ASSERT_EQ(0, close(ruleset_fd));
  3116. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
  3117. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  3118. reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC);
  3119. ASSERT_LE(0, reg_fd);
  3120. ASSERT_EQ(0, unlink(file1_s1d2));
  3121. proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
  3122. ASSERT_LE(0, proc_fd);
  3123. ASSERT_EQ(0, close(proc_fd));
  3124. proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
  3125. ASSERT_EQ(-1, proc_fd)
  3126. {
  3127. TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd,
  3128. strerror(errno));
  3129. }
  3130. ASSERT_EQ(EACCES, errno);
  3131. ASSERT_EQ(0, close(reg_fd));
  3132. }
  3133. TEST_F_FORK(layout1, proc_pipe)
  3134. {
  3135. int proc_fd;
  3136. int pipe_fds[2];
  3137. char buf = '\0';
  3138. const struct rule rules[] = {
  3139. {
  3140. .path = dir_s1d2,
  3141. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  3142. LANDLOCK_ACCESS_FS_WRITE_FILE,
  3143. },
  3144. {},
  3145. };
  3146. /* Limits read and write access to files tied to the filesystem. */
  3147. const int ruleset_fd =
  3148. create_ruleset(_metadata, rules[0].access, rules);
  3149. ASSERT_LE(0, ruleset_fd);
  3150. enforce_ruleset(_metadata, ruleset_fd);
  3151. ASSERT_EQ(0, close(ruleset_fd));
  3152. /* Checks enforcement for normal files. */
  3153. ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
  3154. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
  3155. /* Checks access to pipes through FD. */
  3156. ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC));
  3157. ASSERT_EQ(1, write(pipe_fds[1], ".", 1))
  3158. {
  3159. TH_LOG("Failed to write in pipe: %s", strerror(errno));
  3160. }
  3161. ASSERT_EQ(1, read(pipe_fds[0], &buf, 1));
  3162. ASSERT_EQ('.', buf);
  3163. /* Checks write access to pipe through /proc/self/fd . */
  3164. proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
  3165. ASSERT_LE(0, proc_fd);
  3166. ASSERT_EQ(1, write(proc_fd, ".", 1))
  3167. {
  3168. TH_LOG("Failed to write through /proc/self/fd/%d: %s",
  3169. pipe_fds[1], strerror(errno));
  3170. }
  3171. ASSERT_EQ(0, close(proc_fd));
  3172. /* Checks read access to pipe through /proc/self/fd . */
  3173. proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
  3174. ASSERT_LE(0, proc_fd);
  3175. buf = '\0';
  3176. ASSERT_EQ(1, read(proc_fd, &buf, 1))
  3177. {
  3178. TH_LOG("Failed to read through /proc/self/fd/%d: %s",
  3179. pipe_fds[1], strerror(errno));
  3180. }
  3181. ASSERT_EQ(0, close(proc_fd));
  3182. ASSERT_EQ(0, close(pipe_fds[0]));
  3183. ASSERT_EQ(0, close(pipe_fds[1]));
  3184. }
  3185. /* Invokes truncate(2) and returns its errno or 0. */
  3186. static int test_truncate(const char *const path)
  3187. {
  3188. if (truncate(path, 10) < 0)
  3189. return errno;
  3190. return 0;
  3191. }
  3192. /*
  3193. * Invokes creat(2) and returns its errno or 0.
  3194. * Closes the opened file descriptor on success.
  3195. */
  3196. static int test_creat(const char *const path)
  3197. {
  3198. int fd = creat(path, 0600);
  3199. if (fd < 0)
  3200. return errno;
  3201. /*
  3202. * Mixing error codes from close(2) and creat(2) should not lead to any
  3203. * (access type) confusion for this test.
  3204. */
  3205. if (close(fd) < 0)
  3206. return errno;
  3207. return 0;
  3208. }
  3209. /*
  3210. * Exercises file truncation when it's not restricted,
  3211. * as it was the case before LANDLOCK_ACCESS_FS_TRUNCATE existed.
  3212. */
  3213. TEST_F_FORK(layout1, truncate_unhandled)
  3214. {
  3215. const char *const file_r = file1_s1d1;
  3216. const char *const file_w = file2_s1d1;
  3217. const char *const file_none = file1_s1d2;
  3218. const struct rule rules[] = {
  3219. {
  3220. .path = file_r,
  3221. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  3222. },
  3223. {
  3224. .path = file_w,
  3225. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3226. },
  3227. /* Implicitly: No rights for file_none. */
  3228. {},
  3229. };
  3230. const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
  3231. LANDLOCK_ACCESS_FS_WRITE_FILE;
  3232. int ruleset_fd;
  3233. /* Enables Landlock. */
  3234. ruleset_fd = create_ruleset(_metadata, handled, rules);
  3235. ASSERT_LE(0, ruleset_fd);
  3236. enforce_ruleset(_metadata, ruleset_fd);
  3237. ASSERT_EQ(0, close(ruleset_fd));
  3238. /*
  3239. * Checks read right: truncate and open with O_TRUNC work, unless the
  3240. * file is attempted to be opened for writing.
  3241. */
  3242. EXPECT_EQ(0, test_truncate(file_r));
  3243. EXPECT_EQ(0, test_open(file_r, O_RDONLY | O_TRUNC));
  3244. EXPECT_EQ(EACCES, test_open(file_r, O_WRONLY | O_TRUNC));
  3245. EXPECT_EQ(EACCES, test_creat(file_r));
  3246. /*
  3247. * Checks write right: truncate and open with O_TRUNC work, unless the
  3248. * file is attempted to be opened for reading.
  3249. */
  3250. EXPECT_EQ(0, test_truncate(file_w));
  3251. EXPECT_EQ(EACCES, test_open(file_w, O_RDONLY | O_TRUNC));
  3252. EXPECT_EQ(0, test_open(file_w, O_WRONLY | O_TRUNC));
  3253. EXPECT_EQ(0, test_creat(file_w));
  3254. /*
  3255. * Checks "no rights" case: truncate works but all open attempts fail,
  3256. * including creat.
  3257. */
  3258. EXPECT_EQ(0, test_truncate(file_none));
  3259. EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
  3260. EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
  3261. EXPECT_EQ(EACCES, test_creat(file_none));
  3262. }
  3263. TEST_F_FORK(layout1, truncate)
  3264. {
  3265. const char *const file_rwt = file1_s1d1;
  3266. const char *const file_rw = file2_s1d1;
  3267. const char *const file_rt = file1_s1d2;
  3268. const char *const file_t = file2_s1d2;
  3269. const char *const file_none = file1_s1d3;
  3270. const char *const dir_t = dir_s2d1;
  3271. const char *const file_in_dir_t = file1_s2d1;
  3272. const char *const dir_w = dir_s3d1;
  3273. const char *const file_in_dir_w = file1_s3d1;
  3274. const struct rule rules[] = {
  3275. {
  3276. .path = file_rwt,
  3277. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  3278. LANDLOCK_ACCESS_FS_WRITE_FILE |
  3279. LANDLOCK_ACCESS_FS_TRUNCATE,
  3280. },
  3281. {
  3282. .path = file_rw,
  3283. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  3284. LANDLOCK_ACCESS_FS_WRITE_FILE,
  3285. },
  3286. {
  3287. .path = file_rt,
  3288. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  3289. LANDLOCK_ACCESS_FS_TRUNCATE,
  3290. },
  3291. {
  3292. .path = file_t,
  3293. .access = LANDLOCK_ACCESS_FS_TRUNCATE,
  3294. },
  3295. /* Implicitly: No access rights for file_none. */
  3296. {
  3297. .path = dir_t,
  3298. .access = LANDLOCK_ACCESS_FS_TRUNCATE,
  3299. },
  3300. {
  3301. .path = dir_w,
  3302. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3303. },
  3304. {},
  3305. };
  3306. const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
  3307. LANDLOCK_ACCESS_FS_WRITE_FILE |
  3308. LANDLOCK_ACCESS_FS_TRUNCATE;
  3309. int ruleset_fd;
  3310. /* Enables Landlock. */
  3311. ruleset_fd = create_ruleset(_metadata, handled, rules);
  3312. ASSERT_LE(0, ruleset_fd);
  3313. enforce_ruleset(_metadata, ruleset_fd);
  3314. ASSERT_EQ(0, close(ruleset_fd));
  3315. /* Checks read, write and truncate rights: truncation works. */
  3316. EXPECT_EQ(0, test_truncate(file_rwt));
  3317. EXPECT_EQ(0, test_open(file_rwt, O_RDONLY | O_TRUNC));
  3318. EXPECT_EQ(0, test_open(file_rwt, O_WRONLY | O_TRUNC));
  3319. /* Checks read and write rights: no truncate variant works. */
  3320. EXPECT_EQ(EACCES, test_truncate(file_rw));
  3321. EXPECT_EQ(EACCES, test_open(file_rw, O_RDONLY | O_TRUNC));
  3322. EXPECT_EQ(EACCES, test_open(file_rw, O_WRONLY | O_TRUNC));
  3323. /*
  3324. * Checks read and truncate rights: truncation works.
  3325. *
  3326. * Note: Files can get truncated using open() even with O_RDONLY.
  3327. */
  3328. EXPECT_EQ(0, test_truncate(file_rt));
  3329. EXPECT_EQ(0, test_open(file_rt, O_RDONLY | O_TRUNC));
  3330. EXPECT_EQ(EACCES, test_open(file_rt, O_WRONLY | O_TRUNC));
  3331. /* Checks truncate right: truncate works, but can't open file. */
  3332. EXPECT_EQ(0, test_truncate(file_t));
  3333. EXPECT_EQ(EACCES, test_open(file_t, O_RDONLY | O_TRUNC));
  3334. EXPECT_EQ(EACCES, test_open(file_t, O_WRONLY | O_TRUNC));
  3335. /* Checks "no rights" case: No form of truncation works. */
  3336. EXPECT_EQ(EACCES, test_truncate(file_none));
  3337. EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
  3338. EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
  3339. /*
  3340. * Checks truncate right on directory: truncate works on contained
  3341. * files.
  3342. */
  3343. EXPECT_EQ(0, test_truncate(file_in_dir_t));
  3344. EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_RDONLY | O_TRUNC));
  3345. EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_WRONLY | O_TRUNC));
  3346. /*
  3347. * Checks creat in dir_w: This requires the truncate right when
  3348. * overwriting an existing file, but does not require it when the file
  3349. * is new.
  3350. */
  3351. EXPECT_EQ(EACCES, test_creat(file_in_dir_w));
  3352. ASSERT_EQ(0, unlink(file_in_dir_w));
  3353. EXPECT_EQ(0, test_creat(file_in_dir_w));
  3354. }
  3355. /* Invokes ftruncate(2) and returns its errno or 0. */
  3356. static int test_ftruncate(int fd)
  3357. {
  3358. if (ftruncate(fd, 10) < 0)
  3359. return errno;
  3360. return 0;
  3361. }
  3362. TEST_F_FORK(layout1, ftruncate)
  3363. {
  3364. /*
  3365. * This test opens a new file descriptor at different stages of
  3366. * Landlock restriction:
  3367. *
  3368. * without restriction: ftruncate works
  3369. * something else but truncate restricted: ftruncate works
  3370. * truncate restricted and permitted: ftruncate works
  3371. * truncate restricted and not permitted: ftruncate fails
  3372. *
  3373. * Whether this works or not is expected to depend on the time when the
  3374. * FD was opened, not to depend on the time when ftruncate() was
  3375. * called.
  3376. */
  3377. const char *const path = file1_s1d1;
  3378. const __u64 handled1 = LANDLOCK_ACCESS_FS_READ_FILE |
  3379. LANDLOCK_ACCESS_FS_WRITE_FILE;
  3380. const struct rule layer1[] = {
  3381. {
  3382. .path = path,
  3383. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3384. },
  3385. {},
  3386. };
  3387. const __u64 handled2 = LANDLOCK_ACCESS_FS_TRUNCATE;
  3388. const struct rule layer2[] = {
  3389. {
  3390. .path = path,
  3391. .access = LANDLOCK_ACCESS_FS_TRUNCATE,
  3392. },
  3393. {},
  3394. };
  3395. const __u64 handled3 = LANDLOCK_ACCESS_FS_TRUNCATE |
  3396. LANDLOCK_ACCESS_FS_WRITE_FILE;
  3397. const struct rule layer3[] = {
  3398. {
  3399. .path = path,
  3400. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3401. },
  3402. {},
  3403. };
  3404. int fd_layer0, fd_layer1, fd_layer2, fd_layer3, ruleset_fd;
  3405. fd_layer0 = open(path, O_WRONLY);
  3406. EXPECT_EQ(0, test_ftruncate(fd_layer0));
  3407. ruleset_fd = create_ruleset(_metadata, handled1, layer1);
  3408. ASSERT_LE(0, ruleset_fd);
  3409. enforce_ruleset(_metadata, ruleset_fd);
  3410. ASSERT_EQ(0, close(ruleset_fd));
  3411. fd_layer1 = open(path, O_WRONLY);
  3412. EXPECT_EQ(0, test_ftruncate(fd_layer0));
  3413. EXPECT_EQ(0, test_ftruncate(fd_layer1));
  3414. ruleset_fd = create_ruleset(_metadata, handled2, layer2);
  3415. ASSERT_LE(0, ruleset_fd);
  3416. enforce_ruleset(_metadata, ruleset_fd);
  3417. ASSERT_EQ(0, close(ruleset_fd));
  3418. fd_layer2 = open(path, O_WRONLY);
  3419. EXPECT_EQ(0, test_ftruncate(fd_layer0));
  3420. EXPECT_EQ(0, test_ftruncate(fd_layer1));
  3421. EXPECT_EQ(0, test_ftruncate(fd_layer2));
  3422. ruleset_fd = create_ruleset(_metadata, handled3, layer3);
  3423. ASSERT_LE(0, ruleset_fd);
  3424. enforce_ruleset(_metadata, ruleset_fd);
  3425. ASSERT_EQ(0, close(ruleset_fd));
  3426. fd_layer3 = open(path, O_WRONLY);
  3427. EXPECT_EQ(0, test_ftruncate(fd_layer0));
  3428. EXPECT_EQ(0, test_ftruncate(fd_layer1));
  3429. EXPECT_EQ(0, test_ftruncate(fd_layer2));
  3430. EXPECT_EQ(EACCES, test_ftruncate(fd_layer3));
  3431. ASSERT_EQ(0, close(fd_layer0));
  3432. ASSERT_EQ(0, close(fd_layer1));
  3433. ASSERT_EQ(0, close(fd_layer2));
  3434. ASSERT_EQ(0, close(fd_layer3));
  3435. }
  3436. /* clang-format off */
  3437. FIXTURE(ftruncate) {};
  3438. /* clang-format on */
  3439. FIXTURE_SETUP(ftruncate)
  3440. {
  3441. prepare_layout(_metadata);
  3442. create_file(_metadata, file1_s1d1);
  3443. }
  3444. FIXTURE_TEARDOWN_PARENT(ftruncate)
  3445. {
  3446. EXPECT_EQ(0, remove_path(file1_s1d1));
  3447. cleanup_layout(_metadata);
  3448. }
  3449. FIXTURE_VARIANT(ftruncate)
  3450. {
  3451. const __u64 handled;
  3452. const __u64 allowed;
  3453. const int expected_open_result;
  3454. const int expected_ftruncate_result;
  3455. };
  3456. /* clang-format off */
  3457. FIXTURE_VARIANT_ADD(ftruncate, w_w) {
  3458. /* clang-format on */
  3459. .handled = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3460. .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3461. .expected_open_result = 0,
  3462. .expected_ftruncate_result = 0,
  3463. };
  3464. /* clang-format off */
  3465. FIXTURE_VARIANT_ADD(ftruncate, t_t) {
  3466. /* clang-format on */
  3467. .handled = LANDLOCK_ACCESS_FS_TRUNCATE,
  3468. .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
  3469. .expected_open_result = 0,
  3470. .expected_ftruncate_result = 0,
  3471. };
  3472. /* clang-format off */
  3473. FIXTURE_VARIANT_ADD(ftruncate, wt_w) {
  3474. /* clang-format on */
  3475. .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
  3476. .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
  3477. .expected_open_result = 0,
  3478. .expected_ftruncate_result = EACCES,
  3479. };
  3480. /* clang-format off */
  3481. FIXTURE_VARIANT_ADD(ftruncate, wt_wt) {
  3482. /* clang-format on */
  3483. .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
  3484. .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
  3485. .expected_open_result = 0,
  3486. .expected_ftruncate_result = 0,
  3487. };
  3488. /* clang-format off */
  3489. FIXTURE_VARIANT_ADD(ftruncate, wt_t) {
  3490. /* clang-format on */
  3491. .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
  3492. .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
  3493. .expected_open_result = EACCES,
  3494. };
  3495. TEST_F_FORK(ftruncate, open_and_ftruncate)
  3496. {
  3497. const char *const path = file1_s1d1;
  3498. const struct rule rules[] = {
  3499. {
  3500. .path = path,
  3501. .access = variant->allowed,
  3502. },
  3503. {},
  3504. };
  3505. int fd, ruleset_fd;
  3506. /* Enables Landlock. */
  3507. ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
  3508. ASSERT_LE(0, ruleset_fd);
  3509. enforce_ruleset(_metadata, ruleset_fd);
  3510. ASSERT_EQ(0, close(ruleset_fd));
  3511. fd = open(path, O_WRONLY);
  3512. EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
  3513. if (fd >= 0) {
  3514. EXPECT_EQ(variant->expected_ftruncate_result,
  3515. test_ftruncate(fd));
  3516. ASSERT_EQ(0, close(fd));
  3517. }
  3518. }
  3519. TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
  3520. {
  3521. int child, fd, status;
  3522. int socket_fds[2];
  3523. ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0,
  3524. socket_fds));
  3525. child = fork();
  3526. ASSERT_LE(0, child);
  3527. if (child == 0) {
  3528. /*
  3529. * Enables Landlock in the child process, open a file descriptor
  3530. * where truncation is forbidden and send it to the
  3531. * non-landlocked parent process.
  3532. */
  3533. const char *const path = file1_s1d1;
  3534. const struct rule rules[] = {
  3535. {
  3536. .path = path,
  3537. .access = variant->allowed,
  3538. },
  3539. {},
  3540. };
  3541. int fd, ruleset_fd;
  3542. ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
  3543. ASSERT_LE(0, ruleset_fd);
  3544. enforce_ruleset(_metadata, ruleset_fd);
  3545. ASSERT_EQ(0, close(ruleset_fd));
  3546. fd = open(path, O_WRONLY);
  3547. ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
  3548. if (fd >= 0) {
  3549. ASSERT_EQ(0, send_fd(socket_fds[0], fd));
  3550. ASSERT_EQ(0, close(fd));
  3551. }
  3552. ASSERT_EQ(0, close(socket_fds[0]));
  3553. _exit(_metadata->exit_code);
  3554. return;
  3555. }
  3556. if (variant->expected_open_result == 0) {
  3557. fd = recv_fd(socket_fds[1]);
  3558. ASSERT_LE(0, fd);
  3559. EXPECT_EQ(variant->expected_ftruncate_result,
  3560. test_ftruncate(fd));
  3561. ASSERT_EQ(0, close(fd));
  3562. }
  3563. ASSERT_EQ(child, waitpid(child, &status, 0));
  3564. ASSERT_EQ(1, WIFEXITED(status));
  3565. ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
  3566. ASSERT_EQ(0, close(socket_fds[0]));
  3567. ASSERT_EQ(0, close(socket_fds[1]));
  3568. }
  3569. /* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
  3570. static int test_fs_ioc_getflags_ioctl(int fd)
  3571. {
  3572. uint32_t flags;
  3573. if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
  3574. return errno;
  3575. return 0;
  3576. }
  3577. TEST(memfd_ftruncate_and_ioctl)
  3578. {
  3579. const struct landlock_ruleset_attr attr = {
  3580. .handled_access_fs = ACCESS_ALL,
  3581. };
  3582. int ruleset_fd, fd, i;
  3583. /*
  3584. * We exercise the same test both with and without Landlock enabled, to
  3585. * ensure that it behaves the same in both cases.
  3586. */
  3587. for (i = 0; i < 2; i++) {
  3588. /* Creates a new memfd. */
  3589. fd = memfd_create("name", MFD_CLOEXEC);
  3590. ASSERT_LE(0, fd);
  3591. /*
  3592. * Checks that operations associated with the opened file
  3593. * (ftruncate, ioctl) are permitted on file descriptors that are
  3594. * created in ways other than open(2).
  3595. */
  3596. EXPECT_EQ(0, test_ftruncate(fd));
  3597. EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
  3598. ASSERT_EQ(0, close(fd));
  3599. /* Enables Landlock. */
  3600. ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
  3601. ASSERT_LE(0, ruleset_fd);
  3602. enforce_ruleset(_metadata, ruleset_fd);
  3603. ASSERT_EQ(0, close(ruleset_fd));
  3604. }
  3605. }
  3606. static int test_fionread_ioctl(int fd)
  3607. {
  3608. size_t sz = 0;
  3609. if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES)
  3610. return errno;
  3611. return 0;
  3612. }
  3613. TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl)
  3614. {
  3615. const struct landlock_ruleset_attr attr = {
  3616. .handled_access_fs = ACCESS_ALL,
  3617. };
  3618. int ruleset_fd, fd;
  3619. /*
  3620. * Checks that for files opened with O_PATH, both ioctl(2) and
  3621. * ftruncate(2) yield EBADF, as it is documented in open(2) for the
  3622. * O_PATH flag.
  3623. */
  3624. fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
  3625. ASSERT_LE(0, fd);
  3626. EXPECT_EQ(EBADF, test_ftruncate(fd));
  3627. EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
  3628. ASSERT_EQ(0, close(fd));
  3629. /* Enables Landlock. */
  3630. ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
  3631. ASSERT_LE(0, ruleset_fd);
  3632. enforce_ruleset(_metadata, ruleset_fd);
  3633. ASSERT_EQ(0, close(ruleset_fd));
  3634. /*
  3635. * Checks that after enabling Landlock,
  3636. * - the file can still be opened with O_PATH
  3637. * - both ioctl and truncate still yield EBADF (not EACCES).
  3638. */
  3639. fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
  3640. ASSERT_LE(0, fd);
  3641. EXPECT_EQ(EBADF, test_ftruncate(fd));
  3642. EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
  3643. ASSERT_EQ(0, close(fd));
  3644. }
  3645. /*
  3646. * ioctl_error - generically call the given ioctl with a pointer to a
  3647. * sufficiently large zeroed-out memory region.
  3648. *
  3649. * Returns the IOCTLs error, or 0.
  3650. */
  3651. static int ioctl_error(struct __test_metadata *const _metadata, int fd,
  3652. unsigned int cmd)
  3653. {
  3654. char buf[128]; /* sufficiently large */
  3655. int res, stdinbak_fd;
  3656. /*
  3657. * Depending on the IOCTL command, parts of the zeroed-out buffer might
  3658. * be interpreted as file descriptor numbers. We do not want to
  3659. * accidentally operate on file descriptor 0 (stdin), so we temporarily
  3660. * move stdin to a different FD and close FD 0 for the IOCTL call.
  3661. */
  3662. stdinbak_fd = dup(0);
  3663. ASSERT_LT(0, stdinbak_fd);
  3664. ASSERT_EQ(0, close(0));
  3665. /* Invokes the IOCTL with a zeroed-out buffer. */
  3666. bzero(&buf, sizeof(buf));
  3667. res = ioctl(fd, cmd, &buf);
  3668. /* Restores the old FD 0 and closes the backup FD. */
  3669. ASSERT_EQ(0, dup2(stdinbak_fd, 0));
  3670. ASSERT_EQ(0, close(stdinbak_fd));
  3671. if (res < 0)
  3672. return errno;
  3673. return 0;
  3674. }
  3675. /* Define some linux/falloc.h IOCTL commands which are not available in uapi headers. */
  3676. struct space_resv {
  3677. __s16 l_type;
  3678. __s16 l_whence;
  3679. __s64 l_start;
  3680. __s64 l_len; /* len == 0 means until end of file */
  3681. __s32 l_sysid;
  3682. __u32 l_pid;
  3683. __s32 l_pad[4]; /* reserved area */
  3684. };
  3685. #define FS_IOC_RESVSP _IOW('X', 40, struct space_resv)
  3686. #define FS_IOC_UNRESVSP _IOW('X', 41, struct space_resv)
  3687. #define FS_IOC_RESVSP64 _IOW('X', 42, struct space_resv)
  3688. #define FS_IOC_UNRESVSP64 _IOW('X', 43, struct space_resv)
  3689. #define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv)
  3690. /*
  3691. * Tests a series of blanket-permitted and denied IOCTLs.
  3692. */
  3693. TEST_F_FORK(layout1, blanket_permitted_ioctls)
  3694. {
  3695. const struct landlock_ruleset_attr attr = {
  3696. .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3697. };
  3698. int ruleset_fd, fd;
  3699. /* Enables Landlock. */
  3700. ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
  3701. ASSERT_LE(0, ruleset_fd);
  3702. enforce_ruleset(_metadata, ruleset_fd);
  3703. ASSERT_EQ(0, close(ruleset_fd));
  3704. fd = open("/dev/null", O_RDWR | O_CLOEXEC);
  3705. ASSERT_LE(0, fd);
  3706. /*
  3707. * Checks permitted commands.
  3708. * These ones may return errors, but should not be blocked by Landlock.
  3709. */
  3710. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOCLEX));
  3711. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONCLEX));
  3712. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONBIO));
  3713. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOASYNC));
  3714. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOQSIZE));
  3715. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIFREEZE));
  3716. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FITHAW));
  3717. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_FIEMAP));
  3718. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIGETBSZ));
  3719. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONE));
  3720. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONERANGE));
  3721. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIDEDUPERANGE));
  3722. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSUUID));
  3723. EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSSYSFSPATH));
  3724. /*
  3725. * Checks blocked commands.
  3726. * A call to a blocked IOCTL command always returns EACCES.
  3727. */
  3728. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD));
  3729. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFLAGS));
  3730. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_SETFLAGS));
  3731. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSGETXATTR));
  3732. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSSETXATTR));
  3733. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIBMAP));
  3734. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP));
  3735. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP64));
  3736. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP));
  3737. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP64));
  3738. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_ZERO_RANGE));
  3739. /* Default case is also blocked. */
  3740. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, 0xc00ffeee));
  3741. ASSERT_EQ(0, close(fd));
  3742. }
  3743. /*
  3744. * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right,
  3745. * because they are not character or block devices.
  3746. */
  3747. TEST_F_FORK(layout1, named_pipe_ioctl)
  3748. {
  3749. pid_t child_pid;
  3750. int fd, ruleset_fd;
  3751. const char *const path = file1_s1d1;
  3752. const struct landlock_ruleset_attr attr = {
  3753. .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3754. };
  3755. ASSERT_EQ(0, unlink(path));
  3756. ASSERT_EQ(0, mkfifo(path, 0600));
  3757. /* Enables Landlock. */
  3758. ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
  3759. ASSERT_LE(0, ruleset_fd);
  3760. enforce_ruleset(_metadata, ruleset_fd);
  3761. ASSERT_EQ(0, close(ruleset_fd));
  3762. /* The child process opens the pipe for writing. */
  3763. child_pid = fork();
  3764. ASSERT_NE(-1, child_pid);
  3765. if (child_pid == 0) {
  3766. fd = open(path, O_WRONLY);
  3767. close(fd);
  3768. exit(0);
  3769. }
  3770. fd = open(path, O_RDONLY);
  3771. ASSERT_LE(0, fd);
  3772. /* FIONREAD is implemented by pipefifo_fops. */
  3773. EXPECT_EQ(0, test_fionread_ioctl(fd));
  3774. ASSERT_EQ(0, close(fd));
  3775. ASSERT_EQ(0, unlink(path));
  3776. ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0));
  3777. }
  3778. /* For named UNIX domain sockets, no IOCTL restrictions apply. */
  3779. TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
  3780. {
  3781. const char *const path = file1_s1d1;
  3782. int srv_fd, cli_fd, ruleset_fd;
  3783. struct sockaddr_un srv_un = {
  3784. .sun_family = AF_UNIX,
  3785. };
  3786. struct sockaddr_un cli_un = {
  3787. .sun_family = AF_UNIX,
  3788. };
  3789. const struct landlock_ruleset_attr attr = {
  3790. .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3791. };
  3792. /* Sets up a server */
  3793. ASSERT_EQ(0, unlink(path));
  3794. srv_fd = socket(AF_UNIX, SOCK_STREAM, 0);
  3795. ASSERT_LE(0, srv_fd);
  3796. strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path));
  3797. ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, sizeof(srv_un)));
  3798. ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */));
  3799. /* Enables Landlock. */
  3800. ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
  3801. ASSERT_LE(0, ruleset_fd);
  3802. enforce_ruleset(_metadata, ruleset_fd);
  3803. ASSERT_EQ(0, close(ruleset_fd));
  3804. /* Sets up a client connection to it */
  3805. cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
  3806. ASSERT_LE(0, cli_fd);
  3807. strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
  3808. ASSERT_EQ(0,
  3809. connect(cli_fd, (struct sockaddr *)&cli_un, sizeof(cli_un)));
  3810. /* FIONREAD and other IOCTLs should not be forbidden. */
  3811. EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
  3812. EXPECT_EQ(0, close(cli_fd));
  3813. EXPECT_EQ(0, close(srv_fd));
  3814. }
  3815. /* clang-format off */
  3816. FIXTURE(ioctl) {};
  3817. FIXTURE_SETUP(ioctl) {};
  3818. FIXTURE_TEARDOWN(ioctl) {};
  3819. /* clang-format on */
  3820. FIXTURE_VARIANT(ioctl)
  3821. {
  3822. const __u64 handled;
  3823. const __u64 allowed;
  3824. const mode_t open_mode;
  3825. /*
  3826. * FIONREAD is used as a characteristic device-specific IOCTL command.
  3827. * It is implemented in fs/ioctl.c for regular files,
  3828. * but we do not blanket-permit it for devices.
  3829. */
  3830. const int expected_fionread_result;
  3831. };
  3832. /* clang-format off */
  3833. FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) {
  3834. /* clang-format on */
  3835. .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3836. .allowed = 0,
  3837. .open_mode = O_RDWR,
  3838. .expected_fionread_result = EACCES,
  3839. };
  3840. /* clang-format off */
  3841. FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) {
  3842. /* clang-format on */
  3843. .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3844. .allowed = LANDLOCK_ACCESS_FS_IOCTL_DEV,
  3845. .open_mode = O_RDWR,
  3846. .expected_fionread_result = 0,
  3847. };
  3848. /* clang-format off */
  3849. FIXTURE_VARIANT_ADD(ioctl, unhandled) {
  3850. /* clang-format on */
  3851. .handled = LANDLOCK_ACCESS_FS_EXECUTE,
  3852. .allowed = LANDLOCK_ACCESS_FS_EXECUTE,
  3853. .open_mode = O_RDWR,
  3854. .expected_fionread_result = 0,
  3855. };
  3856. TEST_F_FORK(ioctl, handle_dir_access_file)
  3857. {
  3858. const int flag = 0;
  3859. const struct rule rules[] = {
  3860. {
  3861. .path = "/dev",
  3862. .access = variant->allowed,
  3863. },
  3864. {},
  3865. };
  3866. int file_fd, ruleset_fd;
  3867. /* Enables Landlock. */
  3868. ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
  3869. ASSERT_LE(0, ruleset_fd);
  3870. enforce_ruleset(_metadata, ruleset_fd);
  3871. ASSERT_EQ(0, close(ruleset_fd));
  3872. file_fd = open("/dev/zero", variant->open_mode);
  3873. ASSERT_LE(0, file_fd);
  3874. /* Checks that IOCTL commands return the expected errors. */
  3875. EXPECT_EQ(variant->expected_fionread_result,
  3876. test_fionread_ioctl(file_fd));
  3877. /* Checks that unrestrictable commands are unrestricted. */
  3878. EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
  3879. EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
  3880. EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
  3881. EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
  3882. EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
  3883. ASSERT_EQ(0, close(file_fd));
  3884. }
  3885. TEST_F_FORK(ioctl, handle_dir_access_dir)
  3886. {
  3887. const int flag = 0;
  3888. const struct rule rules[] = {
  3889. {
  3890. .path = "/dev",
  3891. .access = variant->allowed,
  3892. },
  3893. {},
  3894. };
  3895. int dir_fd, ruleset_fd;
  3896. /* Enables Landlock. */
  3897. ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
  3898. ASSERT_LE(0, ruleset_fd);
  3899. enforce_ruleset(_metadata, ruleset_fd);
  3900. ASSERT_EQ(0, close(ruleset_fd));
  3901. /*
  3902. * Ignore variant->open_mode for this test, as we intend to open a
  3903. * directory. If the directory can not be opened, the variant is
  3904. * infeasible to test with an opened directory.
  3905. */
  3906. dir_fd = open("/dev", O_RDONLY);
  3907. if (dir_fd < 0)
  3908. return;
  3909. /*
  3910. * Checks that IOCTL commands return the expected errors.
  3911. * We do not use the expected values from the fixture here.
  3912. *
  3913. * When using IOCTL on a directory, no Landlock restrictions apply.
  3914. */
  3915. EXPECT_EQ(0, test_fionread_ioctl(dir_fd));
  3916. /* Checks that unrestrictable commands are unrestricted. */
  3917. EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX));
  3918. EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX));
  3919. EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag));
  3920. EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag));
  3921. EXPECT_EQ(0, ioctl(dir_fd, FIGETBSZ, &flag));
  3922. ASSERT_EQ(0, close(dir_fd));
  3923. }
  3924. TEST_F_FORK(ioctl, handle_file_access_file)
  3925. {
  3926. const int flag = 0;
  3927. const struct rule rules[] = {
  3928. {
  3929. .path = "/dev/zero",
  3930. .access = variant->allowed,
  3931. },
  3932. {},
  3933. };
  3934. int file_fd, ruleset_fd;
  3935. /* Enables Landlock. */
  3936. ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
  3937. ASSERT_LE(0, ruleset_fd);
  3938. enforce_ruleset(_metadata, ruleset_fd);
  3939. ASSERT_EQ(0, close(ruleset_fd));
  3940. file_fd = open("/dev/zero", variant->open_mode);
  3941. ASSERT_LE(0, file_fd)
  3942. {
  3943. TH_LOG("Failed to open /dev/zero: %s", strerror(errno));
  3944. }
  3945. /* Checks that IOCTL commands return the expected errors. */
  3946. EXPECT_EQ(variant->expected_fionread_result,
  3947. test_fionread_ioctl(file_fd));
  3948. /* Checks that unrestrictable commands are unrestricted. */
  3949. EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
  3950. EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
  3951. EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
  3952. EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
  3953. EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
  3954. ASSERT_EQ(0, close(file_fd));
  3955. }
  3956. /* clang-format off */
  3957. FIXTURE(layout1_bind) {};
  3958. /* clang-format on */
  3959. static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3";
  3960. static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1";
  3961. /* Move targets for disconnected path tests. */
  3962. static const char dir_s4d1[] = TMP_DIR "/s4d1";
  3963. static const char file1_s4d1[] = TMP_DIR "/s4d1/f1";
  3964. static const char file2_s4d1[] = TMP_DIR "/s4d1/f2";
  3965. static const char dir_s4d2[] = TMP_DIR "/s4d1/s4d2";
  3966. static const char file1_s4d2[] = TMP_DIR "/s4d1/s4d2/f1";
  3967. static const char file1_name[] = "f1";
  3968. static const char file2_name[] = "f2";
  3969. FIXTURE_SETUP(layout1_bind)
  3970. {
  3971. prepare_layout(_metadata);
  3972. create_layout1(_metadata);
  3973. set_cap(_metadata, CAP_SYS_ADMIN);
  3974. ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL));
  3975. clear_cap(_metadata, CAP_SYS_ADMIN);
  3976. }
  3977. FIXTURE_TEARDOWN_PARENT(layout1_bind)
  3978. {
  3979. /* umount(dir_s2d2)) is handled by namespace lifetime. */
  3980. remove_path(file1_s4d1);
  3981. remove_path(file2_s4d1);
  3982. remove_layout1(_metadata);
  3983. cleanup_layout(_metadata);
  3984. }
  3985. /*
  3986. * layout1_bind hierarchy:
  3987. *
  3988. * tmp
  3989. * ├── s1d1
  3990. * │   ├── f1
  3991. * │   ├── f2
  3992. * │   └── s1d2
  3993. * │   ├── f1
  3994. * │   ├── f2
  3995. * │   └── s1d3 [disconnected by path_disconnected]
  3996. * │   ├── f1
  3997. * │   └── f2
  3998. * ├── s2d1
  3999. * │   ├── f1
  4000. * │   └── s2d2 [bind mount from s1d2]
  4001. * │   ├── f1
  4002. * │   ├── f2
  4003. * │   └── s1d3
  4004. * │   ├── f1
  4005. * │   └── f2
  4006. * ├── s3d1
  4007. * │   └── s3d2
  4008. * │   └── s3d3
  4009. * └── s4d1 [renamed from s1d3 by path_disconnected]
  4010. *    ├── f1
  4011. *    ├── f2
  4012. * └── s4d2
  4013. * └── f1
  4014. */
  4015. TEST_F_FORK(layout1_bind, no_restriction)
  4016. {
  4017. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
  4018. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
  4019. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
  4020. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  4021. ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
  4022. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  4023. ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
  4024. ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
  4025. ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
  4026. ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
  4027. ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY));
  4028. ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY));
  4029. ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY));
  4030. ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
  4031. ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
  4032. }
  4033. TEST_F_FORK(layout1_bind, same_content_same_file)
  4034. {
  4035. /*
  4036. * Sets access right on parent directories of both source and
  4037. * destination mount points.
  4038. */
  4039. const struct rule layer1_parent[] = {
  4040. {
  4041. .path = dir_s1d1,
  4042. .access = ACCESS_RO,
  4043. },
  4044. {
  4045. .path = dir_s2d1,
  4046. .access = ACCESS_RW,
  4047. },
  4048. {},
  4049. };
  4050. /*
  4051. * Sets access rights on the same bind-mounted directories. The result
  4052. * should be ACCESS_RW for both directories, but not both hierarchies
  4053. * because of the first layer.
  4054. */
  4055. const struct rule layer2_mount_point[] = {
  4056. {
  4057. .path = dir_s1d2,
  4058. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  4059. },
  4060. {
  4061. .path = dir_s2d2,
  4062. .access = ACCESS_RW,
  4063. },
  4064. {},
  4065. };
  4066. /* Only allow read-access to the s1d3 hierarchies. */
  4067. const struct rule layer3_source[] = {
  4068. {
  4069. .path = dir_s1d3,
  4070. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  4071. },
  4072. {},
  4073. };
  4074. /* Removes all access rights. */
  4075. const struct rule layer4_destination[] = {
  4076. {
  4077. .path = bind_file1_s1d3,
  4078. .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
  4079. },
  4080. {},
  4081. };
  4082. int ruleset_fd;
  4083. /* Sets rules for the parent directories. */
  4084. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
  4085. ASSERT_LE(0, ruleset_fd);
  4086. enforce_ruleset(_metadata, ruleset_fd);
  4087. ASSERT_EQ(0, close(ruleset_fd));
  4088. /* Checks source hierarchy. */
  4089. ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
  4090. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  4091. ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  4092. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  4093. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  4094. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  4095. /* Checks destination hierarchy. */
  4096. ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR));
  4097. ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
  4098. ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
  4099. ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
  4100. /* Sets rules for the mount points. */
  4101. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
  4102. ASSERT_LE(0, ruleset_fd);
  4103. enforce_ruleset(_metadata, ruleset_fd);
  4104. ASSERT_EQ(0, close(ruleset_fd));
  4105. /* Checks source hierarchy. */
  4106. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  4107. ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  4108. ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
  4109. ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  4110. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  4111. ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  4112. /* Checks destination hierarchy. */
  4113. ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY));
  4114. ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY));
  4115. ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
  4116. ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
  4117. ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
  4118. ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
  4119. /* Sets a (shared) rule only on the source. */
  4120. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
  4121. ASSERT_LE(0, ruleset_fd);
  4122. enforce_ruleset(_metadata, ruleset_fd);
  4123. ASSERT_EQ(0, close(ruleset_fd));
  4124. /* Checks source hierarchy. */
  4125. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
  4126. ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
  4127. ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
  4128. ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  4129. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  4130. ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
  4131. /* Checks destination hierarchy. */
  4132. ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY));
  4133. ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY));
  4134. ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
  4135. ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
  4136. ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
  4137. ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
  4138. /* Sets a (shared) rule only on the destination. */
  4139. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
  4140. ASSERT_LE(0, ruleset_fd);
  4141. enforce_ruleset(_metadata, ruleset_fd);
  4142. ASSERT_EQ(0, close(ruleset_fd));
  4143. /* Checks source hierarchy. */
  4144. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
  4145. ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
  4146. /* Checks destination hierarchy. */
  4147. ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY));
  4148. ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
  4149. }
  4150. TEST_F_FORK(layout1_bind, reparent_cross_mount)
  4151. {
  4152. const struct rule layer1[] = {
  4153. {
  4154. /* dir_s2d1 is beneath the dir_s2d2 mount point. */
  4155. .path = dir_s2d1,
  4156. .access = LANDLOCK_ACCESS_FS_REFER,
  4157. },
  4158. {
  4159. .path = bind_dir_s1d3,
  4160. .access = LANDLOCK_ACCESS_FS_EXECUTE,
  4161. },
  4162. {},
  4163. };
  4164. int ruleset_fd = create_ruleset(
  4165. _metadata,
  4166. LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1);
  4167. ASSERT_LE(0, ruleset_fd);
  4168. enforce_ruleset(_metadata, ruleset_fd);
  4169. ASSERT_EQ(0, close(ruleset_fd));
  4170. /* Checks basic denied move. */
  4171. ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2));
  4172. ASSERT_EQ(EXDEV, errno);
  4173. /* Checks real cross-mount move (Landlock is not involved). */
  4174. ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2));
  4175. ASSERT_EQ(EXDEV, errno);
  4176. /* Checks move that will give more accesses. */
  4177. ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3));
  4178. ASSERT_EQ(EXDEV, errno);
  4179. /* Checks legitimate downgrade move. */
  4180. ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2));
  4181. }
  4182. /*
  4183. * Make sure access to file through a disconnected path works as expected.
  4184. * This test moves s1d3 to s4d1.
  4185. */
  4186. TEST_F_FORK(layout1_bind, path_disconnected)
  4187. {
  4188. const struct rule layer1_allow_all[] = {
  4189. {
  4190. .path = TMP_DIR,
  4191. .access = ACCESS_ALL,
  4192. },
  4193. {},
  4194. };
  4195. const struct rule layer2_allow_just_f1[] = {
  4196. {
  4197. .path = file1_s1d3,
  4198. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  4199. },
  4200. {},
  4201. };
  4202. const struct rule layer3_only_s1d2[] = {
  4203. {
  4204. .path = dir_s1d2,
  4205. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  4206. },
  4207. {},
  4208. };
  4209. /* Landlock should not deny access just because it is disconnected. */
  4210. int ruleset_fd_l1 =
  4211. create_ruleset(_metadata, ACCESS_ALL, layer1_allow_all);
  4212. /* Creates the new ruleset now before we move the dir containing the file. */
  4213. int ruleset_fd_l2 =
  4214. create_ruleset(_metadata, ACCESS_RW, layer2_allow_just_f1);
  4215. int ruleset_fd_l3 =
  4216. create_ruleset(_metadata, ACCESS_RW, layer3_only_s1d2);
  4217. int bind_s1d3_fd;
  4218. ASSERT_LE(0, ruleset_fd_l1);
  4219. ASSERT_LE(0, ruleset_fd_l2);
  4220. ASSERT_LE(0, ruleset_fd_l3);
  4221. enforce_ruleset(_metadata, ruleset_fd_l1);
  4222. EXPECT_EQ(0, close(ruleset_fd_l1));
  4223. bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
  4224. ASSERT_LE(0, bind_s1d3_fd);
  4225. /* Tests access is possible before we move. */
  4226. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4227. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
  4228. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY));
  4229. /* Makes it disconnected. */
  4230. ASSERT_EQ(0, rename(dir_s1d3, dir_s4d1))
  4231. {
  4232. TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d1,
  4233. strerror(errno));
  4234. }
  4235. /* Tests that access is still possible. */
  4236. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4237. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
  4238. /*
  4239. * Tests that ".." is not possible (not because of Landlock, but just
  4240. * because it's disconnected).
  4241. */
  4242. EXPECT_EQ(ENOENT,
  4243. test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY));
  4244. /* This should still work with a narrower rule. */
  4245. enforce_ruleset(_metadata, ruleset_fd_l2);
  4246. EXPECT_EQ(0, close(ruleset_fd_l2));
  4247. EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY));
  4248. /*
  4249. * Accessing a file through a disconnected file descriptor can still be
  4250. * allowed by a rule tied to this file, even if it is no longer visible in
  4251. * its mount point.
  4252. */
  4253. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4254. EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
  4255. enforce_ruleset(_metadata, ruleset_fd_l3);
  4256. EXPECT_EQ(0, close(ruleset_fd_l3));
  4257. EXPECT_EQ(EACCES, test_open(file1_s4d1, O_RDONLY));
  4258. /*
  4259. * Accessing a file through a disconnected file descriptor can still be
  4260. * allowed by a rule tied to the original mount point, even if it is no
  4261. * longer visible in its mount point.
  4262. */
  4263. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4264. EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
  4265. }
  4266. /*
  4267. * Test that renameat with disconnected paths works under Landlock. This test
  4268. * moves s1d3 to s4d2, so that we can have a rule allowing refers on the move
  4269. * target's immediate parent.
  4270. */
  4271. TEST_F_FORK(layout1_bind, path_disconnected_rename)
  4272. {
  4273. const struct rule layer1[] = {
  4274. {
  4275. .path = dir_s1d2,
  4276. .access = LANDLOCK_ACCESS_FS_REFER |
  4277. LANDLOCK_ACCESS_FS_MAKE_DIR |
  4278. LANDLOCK_ACCESS_FS_REMOVE_DIR |
  4279. LANDLOCK_ACCESS_FS_MAKE_REG |
  4280. LANDLOCK_ACCESS_FS_REMOVE_FILE |
  4281. LANDLOCK_ACCESS_FS_READ_FILE,
  4282. },
  4283. {
  4284. .path = dir_s4d1,
  4285. .access = LANDLOCK_ACCESS_FS_REFER |
  4286. LANDLOCK_ACCESS_FS_MAKE_DIR |
  4287. LANDLOCK_ACCESS_FS_REMOVE_DIR |
  4288. LANDLOCK_ACCESS_FS_MAKE_REG |
  4289. LANDLOCK_ACCESS_FS_REMOVE_FILE |
  4290. LANDLOCK_ACCESS_FS_READ_FILE,
  4291. },
  4292. {}
  4293. };
  4294. /* This layer only handles LANDLOCK_ACCESS_FS_READ_FILE. */
  4295. const struct rule layer2_only_s1d2[] = {
  4296. {
  4297. .path = dir_s1d2,
  4298. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  4299. },
  4300. {},
  4301. };
  4302. int ruleset_fd_l1, ruleset_fd_l2;
  4303. pid_t child_pid;
  4304. int bind_s1d3_fd, status;
  4305. ASSERT_EQ(0, mkdir(dir_s4d1, 0755))
  4306. {
  4307. TH_LOG("Failed to create %s: %s", dir_s4d1, strerror(errno));
  4308. }
  4309. ruleset_fd_l1 = create_ruleset(_metadata, ACCESS_ALL, layer1);
  4310. ruleset_fd_l2 = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
  4311. layer2_only_s1d2);
  4312. ASSERT_LE(0, ruleset_fd_l1);
  4313. ASSERT_LE(0, ruleset_fd_l2);
  4314. enforce_ruleset(_metadata, ruleset_fd_l1);
  4315. EXPECT_EQ(0, close(ruleset_fd_l1));
  4316. bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
  4317. ASSERT_LE(0, bind_s1d3_fd);
  4318. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4319. /* Tests ENOENT priority over EACCES for disconnected directory. */
  4320. EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, "..", O_DIRECTORY));
  4321. ASSERT_EQ(0, rename(dir_s1d3, dir_s4d2))
  4322. {
  4323. TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d2,
  4324. strerror(errno));
  4325. }
  4326. EXPECT_EQ(ENOENT, test_open_rel(bind_s1d3_fd, "..", O_DIRECTORY));
  4327. /*
  4328. * The file is no longer under s1d2 but we should still be able to access it
  4329. * with layer 2 because its mount point is evaluated as the first valid
  4330. * directory because it was initially a parent. Do a fork to test this so
  4331. * we don't prevent ourselves from renaming it back later.
  4332. */
  4333. child_pid = fork();
  4334. ASSERT_LE(0, child_pid);
  4335. if (child_pid == 0) {
  4336. enforce_ruleset(_metadata, ruleset_fd_l2);
  4337. EXPECT_EQ(0, close(ruleset_fd_l2));
  4338. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4339. EXPECT_EQ(EACCES, test_open(file1_s4d2, O_RDONLY));
  4340. /*
  4341. * Tests that access widening checks indeed prevents us from renaming it
  4342. * back.
  4343. */
  4344. EXPECT_EQ(-1, rename(dir_s4d2, dir_s1d3));
  4345. EXPECT_EQ(EXDEV, errno);
  4346. /*
  4347. * Including through the now disconnected fd (but it should return
  4348. * EXDEV).
  4349. */
  4350. EXPECT_EQ(-1, renameat(bind_s1d3_fd, file1_name, AT_FDCWD,
  4351. file1_s2d2));
  4352. EXPECT_EQ(EXDEV, errno);
  4353. _exit(_metadata->exit_code);
  4354. return;
  4355. }
  4356. EXPECT_EQ(child_pid, waitpid(child_pid, &status, 0));
  4357. EXPECT_EQ(1, WIFEXITED(status));
  4358. EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
  4359. ASSERT_EQ(0, rename(dir_s4d2, dir_s1d3))
  4360. {
  4361. TH_LOG("Failed to rename %s back to %s: %s", dir_s4d1, dir_s1d3,
  4362. strerror(errno));
  4363. }
  4364. /* Now checks that we can access it under l2. */
  4365. child_pid = fork();
  4366. ASSERT_LE(0, child_pid);
  4367. if (child_pid == 0) {
  4368. enforce_ruleset(_metadata, ruleset_fd_l2);
  4369. EXPECT_EQ(0, close(ruleset_fd_l2));
  4370. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4371. EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  4372. _exit(_metadata->exit_code);
  4373. return;
  4374. }
  4375. EXPECT_EQ(child_pid, waitpid(child_pid, &status, 0));
  4376. EXPECT_EQ(1, WIFEXITED(status));
  4377. EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
  4378. /*
  4379. * Also test that we can rename via a disconnected path. We move the
  4380. * dir back to the disconnected place first, then we rename file1 to
  4381. * file2 through our dir fd.
  4382. */
  4383. ASSERT_EQ(0, rename(dir_s1d3, dir_s4d2))
  4384. {
  4385. TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d2,
  4386. strerror(errno));
  4387. }
  4388. ASSERT_EQ(0,
  4389. renameat(bind_s1d3_fd, file1_name, bind_s1d3_fd, file2_name))
  4390. {
  4391. TH_LOG("Failed to rename %s to %s within disconnected %s: %s",
  4392. file1_name, file2_name, bind_dir_s1d3, strerror(errno));
  4393. }
  4394. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
  4395. ASSERT_EQ(0, renameat(bind_s1d3_fd, file2_name, AT_FDCWD, file1_s2d2))
  4396. {
  4397. TH_LOG("Failed to rename %s to %s through disconnected %s: %s",
  4398. file2_name, file1_s2d2, bind_dir_s1d3, strerror(errno));
  4399. }
  4400. EXPECT_EQ(0, test_open(file1_s2d2, O_RDONLY));
  4401. EXPECT_EQ(0, test_open(file1_s1d2, O_RDONLY));
  4402. /* Move it back using the disconnected path as the target. */
  4403. ASSERT_EQ(0, renameat(AT_FDCWD, file1_s2d2, bind_s1d3_fd, file1_name))
  4404. {
  4405. TH_LOG("Failed to rename %s to %s through disconnected %s: %s",
  4406. file1_s1d2, file1_name, bind_dir_s1d3, strerror(errno));
  4407. }
  4408. /* Now make it connected again. */
  4409. ASSERT_EQ(0, rename(dir_s4d2, dir_s1d3))
  4410. {
  4411. TH_LOG("Failed to rename %s back to %s: %s", dir_s4d2, dir_s1d3,
  4412. strerror(errno));
  4413. }
  4414. /* Checks again that we can access it under l2. */
  4415. enforce_ruleset(_metadata, ruleset_fd_l2);
  4416. EXPECT_EQ(0, close(ruleset_fd_l2));
  4417. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4418. EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
  4419. }
  4420. /*
  4421. * Test that linkat(2) with disconnected paths works under Landlock. This
  4422. * test moves s1d3 to s4d1.
  4423. */
  4424. TEST_F_FORK(layout1_bind, path_disconnected_link)
  4425. {
  4426. /* Ruleset to be applied after renaming s1d3 to s4d1. */
  4427. const struct rule layer1[] = {
  4428. {
  4429. .path = dir_s4d1,
  4430. .access = LANDLOCK_ACCESS_FS_REFER |
  4431. LANDLOCK_ACCESS_FS_READ_FILE |
  4432. LANDLOCK_ACCESS_FS_MAKE_REG |
  4433. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  4434. },
  4435. {
  4436. .path = dir_s2d2,
  4437. .access = LANDLOCK_ACCESS_FS_REFER |
  4438. LANDLOCK_ACCESS_FS_READ_FILE |
  4439. LANDLOCK_ACCESS_FS_MAKE_REG |
  4440. LANDLOCK_ACCESS_FS_REMOVE_FILE,
  4441. },
  4442. {}
  4443. };
  4444. int ruleset_fd, bind_s1d3_fd;
  4445. /* Removes unneeded files created by layout1, otherwise it will EEXIST. */
  4446. ASSERT_EQ(0, unlink(file1_s1d2));
  4447. ASSERT_EQ(0, unlink(file2_s1d3));
  4448. bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
  4449. ASSERT_LE(0, bind_s1d3_fd);
  4450. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
  4451. /* Disconnects bind_s1d3_fd. */
  4452. ASSERT_EQ(0, rename(dir_s1d3, dir_s4d1))
  4453. {
  4454. TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d1,
  4455. strerror(errno));
  4456. }
  4457. /* Need this later to test different parent link. */
  4458. ASSERT_EQ(0, mkdir(dir_s4d2, 0755))
  4459. {
  4460. TH_LOG("Failed to create %s: %s", dir_s4d2, strerror(errno));
  4461. }
  4462. ruleset_fd = create_ruleset(_metadata, ACCESS_ALL, layer1);
  4463. ASSERT_LE(0, ruleset_fd);
  4464. enforce_ruleset(_metadata, ruleset_fd);
  4465. EXPECT_EQ(0, close(ruleset_fd));
  4466. /* From disconnected to connected. */
  4467. ASSERT_EQ(0, linkat(bind_s1d3_fd, file1_name, AT_FDCWD, file1_s2d2, 0))
  4468. {
  4469. TH_LOG("Failed to link %s to %s via disconnected %s: %s",
  4470. file1_name, file1_s2d2, bind_dir_s1d3, strerror(errno));
  4471. }
  4472. /* Tests that we can access via the new link... */
  4473. EXPECT_EQ(0, test_open(file1_s2d2, O_RDONLY))
  4474. {
  4475. TH_LOG("Failed to open newly linked %s: %s", file1_s2d2,
  4476. strerror(errno));
  4477. }
  4478. /* ...as well as the old one. */
  4479. EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY))
  4480. {
  4481. TH_LOG("Failed to open original %s: %s", file1_s4d1,
  4482. strerror(errno));
  4483. }
  4484. /* From connected to disconnected. */
  4485. ASSERT_EQ(0, unlink(file1_s4d1));
  4486. ASSERT_EQ(0, linkat(AT_FDCWD, file1_s2d2, bind_s1d3_fd, file2_name, 0))
  4487. {
  4488. TH_LOG("Failed to link %s to %s via disconnected %s: %s",
  4489. file1_s2d2, file2_name, bind_dir_s1d3, strerror(errno));
  4490. }
  4491. EXPECT_EQ(0, test_open(file2_s4d1, O_RDONLY));
  4492. ASSERT_EQ(0, unlink(file1_s2d2));
  4493. /* From disconnected to disconnected (same parent). */
  4494. ASSERT_EQ(0,
  4495. linkat(bind_s1d3_fd, file2_name, bind_s1d3_fd, file1_name, 0))
  4496. {
  4497. TH_LOG("Failed to link %s to %s within disconnected %s: %s",
  4498. file2_name, file1_name, bind_dir_s1d3, strerror(errno));
  4499. }
  4500. EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY))
  4501. {
  4502. TH_LOG("Failed to open newly linked %s: %s", file1_s4d1,
  4503. strerror(errno));
  4504. }
  4505. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY))
  4506. {
  4507. TH_LOG("Failed to open %s through newly created link under disconnected path: %s",
  4508. file1_name, strerror(errno));
  4509. }
  4510. ASSERT_EQ(0, unlink(file2_s4d1));
  4511. /* From disconnected to disconnected (different parent). */
  4512. ASSERT_EQ(0,
  4513. linkat(bind_s1d3_fd, file1_name, bind_s1d3_fd, "s4d2/f1", 0))
  4514. {
  4515. TH_LOG("Failed to link %s to %s within disconnected %s: %s",
  4516. file1_name, "s4d2/f1", bind_dir_s1d3, strerror(errno));
  4517. }
  4518. EXPECT_EQ(0, test_open(file1_s4d2, O_RDONLY))
  4519. {
  4520. TH_LOG("Failed to open %s after link: %s", file1_s4d2,
  4521. strerror(errno));
  4522. }
  4523. EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, "s4d2/f1", O_RDONLY))
  4524. {
  4525. TH_LOG("Failed to open %s through disconnected path after link: %s",
  4526. "s4d2/f1", strerror(errno));
  4527. }
  4528. }
  4529. /*
  4530. * layout4_disconnected_leafs with bind mount and renames:
  4531. *
  4532. * tmp
  4533. * ├── s1d1
  4534. * │   └── s1d2 [source of the bind mount]
  4535. * │ ├── s1d31
  4536. * │   │ └── s1d41 [now renamed beneath s3d1]
  4537. * │ │ ├── f1
  4538. * │ │ └── f2
  4539. * │   └── s1d32
  4540. * │ └── s1d42 [now renamed beneath s4d1]
  4541. * │ ├── f3
  4542. * │ └── f4
  4543. * ├── s2d1
  4544. * │   └── s2d2 [bind mount of s1d2]
  4545. * │ ├── s1d31
  4546. * │   │ └── s1d41 [opened FD, now renamed beneath s3d1]
  4547. * │ │ ├── f1
  4548. * │ │ └── f2
  4549. * │   └── s1d32
  4550. * │ └── s1d42 [opened FD, now renamed beneath s4d1]
  4551. * │ ├── f3
  4552. * │ └── f4
  4553. * ├── s3d1
  4554. * │  └── s1d41 [renamed here]
  4555. * │ ├── f1
  4556. * │ └── f2
  4557. * └── s4d1
  4558. * └── s1d42 [renamed here]
  4559. * ├── f3
  4560. * └── f4
  4561. */
  4562. /* clang-format off */
  4563. FIXTURE(layout4_disconnected_leafs) {
  4564. int s2d2_fd;
  4565. };
  4566. /* clang-format on */
  4567. FIXTURE_SETUP(layout4_disconnected_leafs)
  4568. {
  4569. prepare_layout(_metadata);
  4570. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f1");
  4571. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f2");
  4572. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f3");
  4573. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f4");
  4574. create_directory(_metadata, TMP_DIR "/s2d1/s2d2");
  4575. create_directory(_metadata, TMP_DIR "/s3d1");
  4576. create_directory(_metadata, TMP_DIR "/s4d1");
  4577. self->s2d2_fd =
  4578. open(TMP_DIR "/s2d1/s2d2", O_DIRECTORY | O_PATH | O_CLOEXEC);
  4579. ASSERT_LE(0, self->s2d2_fd);
  4580. set_cap(_metadata, CAP_SYS_ADMIN);
  4581. ASSERT_EQ(0, mount(TMP_DIR "/s1d1/s1d2", TMP_DIR "/s2d1/s2d2", NULL,
  4582. MS_BIND, NULL));
  4583. clear_cap(_metadata, CAP_SYS_ADMIN);
  4584. }
  4585. FIXTURE_TEARDOWN_PARENT(layout4_disconnected_leafs)
  4586. {
  4587. /* umount(TMP_DIR "/s2d1") is handled by namespace lifetime. */
  4588. /* Removes files after renames. */
  4589. remove_path(TMP_DIR "/s3d1/s1d41/f1");
  4590. remove_path(TMP_DIR "/s3d1/s1d41/f2");
  4591. remove_path(TMP_DIR "/s4d1/s1d42/f1");
  4592. remove_path(TMP_DIR "/s4d1/s1d42/f3");
  4593. remove_path(TMP_DIR "/s4d1/s1d42/f4");
  4594. remove_path(TMP_DIR "/s4d1/s1d42/f5");
  4595. cleanup_layout(_metadata);
  4596. }
  4597. FIXTURE_VARIANT(layout4_disconnected_leafs)
  4598. {
  4599. /*
  4600. * Parent of the bind mount source. It should always be ignored when
  4601. * testing against files under the s1d41 or s1d42 disconnected directories.
  4602. */
  4603. const __u64 allowed_s1d1;
  4604. /*
  4605. * Source of bind mount (to s2d2). It should always be enforced when
  4606. * testing against files under the s1d41 or s1d42 disconnected directories.
  4607. */
  4608. const __u64 allowed_s1d2;
  4609. /*
  4610. * Original parent of s1d41. It should always be ignored when testing
  4611. * against files under the s1d41 disconnected directory.
  4612. */
  4613. const __u64 allowed_s1d31;
  4614. /*
  4615. * Original parent of s1d42. It should always be ignored when testing
  4616. * against files under the s1d42 disconnected directory.
  4617. */
  4618. const __u64 allowed_s1d32;
  4619. /*
  4620. * Opened and disconnected source directory. It should always be enforced
  4621. * when testing against files under the s1d41 disconnected directory.
  4622. */
  4623. const __u64 allowed_s1d41;
  4624. /*
  4625. * Opened and disconnected source directory. It should always be enforced
  4626. * when testing against files under the s1d42 disconnected directory.
  4627. */
  4628. const __u64 allowed_s1d42;
  4629. /*
  4630. * File in the s1d41 disconnected directory. It should always be enforced
  4631. * when testing against itself under the s1d41 disconnected directory.
  4632. */
  4633. const __u64 allowed_f1;
  4634. /*
  4635. * File in the s1d41 disconnected directory. It should always be enforced
  4636. * when testing against itself under the s1d41 disconnected directory.
  4637. */
  4638. const __u64 allowed_f2;
  4639. /*
  4640. * File in the s1d42 disconnected directory. It should always be enforced
  4641. * when testing against itself under the s1d42 disconnected directory.
  4642. */
  4643. const __u64 allowed_f3;
  4644. /*
  4645. * Parent of the bind mount destination. It should always be enforced when
  4646. * testing against files under the s1d41 or s1d42 disconnected directories.
  4647. */
  4648. const __u64 allowed_s2d1;
  4649. /*
  4650. * Directory covered by the bind mount. It should always be ignored when
  4651. * testing against files under the s1d41 or s1d42 disconnected directories.
  4652. */
  4653. const __u64 allowed_s2d2;
  4654. /*
  4655. * New parent of the renamed s1d41. It should always be ignored when
  4656. * testing against files under the s1d41 disconnected directory.
  4657. */
  4658. const __u64 allowed_s3d1;
  4659. /*
  4660. * New parent of the renamed s1d42. It should always be ignored when
  4661. * testing against files under the s1d42 disconnected directory.
  4662. */
  4663. const __u64 allowed_s4d1;
  4664. /* Expected result of the call to open([fd:s1d41]/f1, O_RDONLY). */
  4665. const int expected_read_result;
  4666. /* Expected result of the call to renameat([fd:s1d41]/f1, [fd:s1d42]/f1). */
  4667. const int expected_rename_result;
  4668. /*
  4669. * Expected result of the call to renameat([fd:s1d41]/f2, [fd:s1d42]/f3,
  4670. * RENAME_EXCHANGE).
  4671. */
  4672. const int expected_exchange_result;
  4673. /* Expected result of the call to renameat([fd:s1d42]/f4, [fd:s1d42]/f5). */
  4674. const int expected_same_dir_rename_result;
  4675. };
  4676. /* clang-format off */
  4677. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d1_mount_src_parent) {
  4678. /* clang-format on */
  4679. .allowed_s1d1 = LANDLOCK_ACCESS_FS_REFER |
  4680. LANDLOCK_ACCESS_FS_READ_FILE |
  4681. LANDLOCK_ACCESS_FS_EXECUTE |
  4682. LANDLOCK_ACCESS_FS_MAKE_REG,
  4683. .expected_read_result = EACCES,
  4684. .expected_same_dir_rename_result = EACCES,
  4685. .expected_rename_result = EACCES,
  4686. .expected_exchange_result = EACCES,
  4687. };
  4688. /* clang-format off */
  4689. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_refer) {
  4690. /* clang-format on */
  4691. .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  4692. .expected_read_result = 0,
  4693. .expected_same_dir_rename_result = EACCES,
  4694. .expected_rename_result = EACCES,
  4695. .expected_exchange_result = EACCES,
  4696. };
  4697. /* clang-format off */
  4698. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_create) {
  4699. /* clang-format on */
  4700. .allowed_s1d2 = LANDLOCK_ACCESS_FS_READ_FILE |
  4701. LANDLOCK_ACCESS_FS_MAKE_REG,
  4702. .expected_read_result = 0,
  4703. .expected_same_dir_rename_result = 0,
  4704. .expected_rename_result = EXDEV,
  4705. .expected_exchange_result = EXDEV,
  4706. };
  4707. /* clang-format off */
  4708. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_rename) {
  4709. /* clang-format on */
  4710. .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4711. .expected_read_result = EACCES,
  4712. .expected_same_dir_rename_result = 0,
  4713. .expected_rename_result = 0,
  4714. .expected_exchange_result = 0,
  4715. };
  4716. /* clang-format off */
  4717. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d31_s1d32_old_parent) {
  4718. /* clang-format on */
  4719. .allowed_s1d31 = LANDLOCK_ACCESS_FS_REFER |
  4720. LANDLOCK_ACCESS_FS_READ_FILE |
  4721. LANDLOCK_ACCESS_FS_EXECUTE |
  4722. LANDLOCK_ACCESS_FS_MAKE_REG,
  4723. .allowed_s1d32 = LANDLOCK_ACCESS_FS_REFER |
  4724. LANDLOCK_ACCESS_FS_READ_FILE |
  4725. LANDLOCK_ACCESS_FS_EXECUTE |
  4726. LANDLOCK_ACCESS_FS_MAKE_REG,
  4727. .expected_read_result = EACCES,
  4728. .expected_same_dir_rename_result = EACCES,
  4729. .expected_rename_result = EACCES,
  4730. .expected_exchange_result = EACCES,
  4731. };
  4732. /* clang-format off */
  4733. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_refer) {
  4734. /* clang-format on */
  4735. .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER |
  4736. LANDLOCK_ACCESS_FS_READ_FILE,
  4737. .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER |
  4738. LANDLOCK_ACCESS_FS_READ_FILE,
  4739. .expected_read_result = 0,
  4740. .expected_same_dir_rename_result = EACCES,
  4741. .expected_rename_result = EACCES,
  4742. .expected_exchange_result = EACCES,
  4743. };
  4744. /* clang-format off */
  4745. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_create) {
  4746. /* clang-format on */
  4747. .allowed_s1d41 = LANDLOCK_ACCESS_FS_READ_FILE |
  4748. LANDLOCK_ACCESS_FS_MAKE_REG,
  4749. .allowed_s1d42 = LANDLOCK_ACCESS_FS_READ_FILE |
  4750. LANDLOCK_ACCESS_FS_MAKE_REG,
  4751. .expected_read_result = 0,
  4752. .expected_same_dir_rename_result = 0,
  4753. .expected_rename_result = EXDEV,
  4754. .expected_exchange_result = EXDEV,
  4755. };
  4756. /* clang-format off */
  4757. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_even) {
  4758. /* clang-format on */
  4759. .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4760. .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4761. .expected_read_result = EACCES,
  4762. .expected_same_dir_rename_result = 0,
  4763. .expected_rename_result = 0,
  4764. .expected_exchange_result = 0,
  4765. };
  4766. /* The destination directory has more access right. */
  4767. /* clang-format off */
  4768. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_more) {
  4769. /* clang-format on */
  4770. .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4771. .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER |
  4772. LANDLOCK_ACCESS_FS_MAKE_REG |
  4773. LANDLOCK_ACCESS_FS_EXECUTE,
  4774. .expected_read_result = EACCES,
  4775. .expected_same_dir_rename_result = 0,
  4776. /* Access denied. */
  4777. .expected_rename_result = EXDEV,
  4778. .expected_exchange_result = EXDEV,
  4779. };
  4780. /* The destination directory has less access right. */
  4781. /* clang-format off */
  4782. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_less) {
  4783. /* clang-format on */
  4784. .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER |
  4785. LANDLOCK_ACCESS_FS_MAKE_REG |
  4786. LANDLOCK_ACCESS_FS_EXECUTE,
  4787. .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4788. .expected_read_result = EACCES,
  4789. .expected_same_dir_rename_result = 0,
  4790. /* Access allowed. */
  4791. .expected_rename_result = 0,
  4792. .expected_exchange_result = EXDEV,
  4793. };
  4794. /* clang-format off */
  4795. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_create) {
  4796. /* clang-format on */
  4797. .allowed_s2d1 = LANDLOCK_ACCESS_FS_READ_FILE |
  4798. LANDLOCK_ACCESS_FS_MAKE_REG,
  4799. .expected_read_result = 0,
  4800. .expected_same_dir_rename_result = 0,
  4801. .expected_rename_result = EXDEV,
  4802. .expected_exchange_result = EXDEV,
  4803. };
  4804. /* clang-format off */
  4805. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_refer) {
  4806. /* clang-format on */
  4807. .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  4808. .expected_read_result = 0,
  4809. .expected_same_dir_rename_result = EACCES,
  4810. .expected_rename_result = EACCES,
  4811. .expected_exchange_result = EACCES,
  4812. };
  4813. /* clang-format off */
  4814. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_mini) {
  4815. /* clang-format on */
  4816. .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER |
  4817. LANDLOCK_ACCESS_FS_READ_FILE |
  4818. LANDLOCK_ACCESS_FS_MAKE_REG,
  4819. .expected_read_result = 0,
  4820. .expected_same_dir_rename_result = 0,
  4821. .expected_rename_result = 0,
  4822. .expected_exchange_result = 0,
  4823. };
  4824. /* clang-format off */
  4825. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d2_covered_by_mount) {
  4826. /* clang-format on */
  4827. .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER |
  4828. LANDLOCK_ACCESS_FS_READ_FILE |
  4829. LANDLOCK_ACCESS_FS_EXECUTE |
  4830. LANDLOCK_ACCESS_FS_MAKE_REG,
  4831. .expected_read_result = EACCES,
  4832. .expected_same_dir_rename_result = EACCES,
  4833. .expected_rename_result = EACCES,
  4834. .expected_exchange_result = EACCES,
  4835. };
  4836. /* Tests collect_domain_accesses(). */
  4837. /* clang-format off */
  4838. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_new_parent_refer) {
  4839. /* clang-format on */
  4840. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  4841. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  4842. .expected_read_result = 0,
  4843. .expected_same_dir_rename_result = EACCES,
  4844. .expected_rename_result = EACCES,
  4845. .expected_exchange_result = EACCES,
  4846. };
  4847. /* clang-format off */
  4848. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_new_parent_create) {
  4849. /* clang-format on */
  4850. .allowed_s3d1 = LANDLOCK_ACCESS_FS_READ_FILE |
  4851. LANDLOCK_ACCESS_FS_MAKE_REG,
  4852. .allowed_s4d1 = LANDLOCK_ACCESS_FS_READ_FILE |
  4853. LANDLOCK_ACCESS_FS_MAKE_REG,
  4854. .expected_read_result = 0,
  4855. .expected_same_dir_rename_result = 0,
  4856. .expected_rename_result = EXDEV,
  4857. .expected_exchange_result = EXDEV,
  4858. };
  4859. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs,
  4860. s3d1_s4d1_disconnected_rename_even){
  4861. /* clang-format on */
  4862. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4863. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4864. .expected_read_result = EACCES,
  4865. .expected_same_dir_rename_result = 0,
  4866. .expected_rename_result = 0,
  4867. .expected_exchange_result = 0,
  4868. };
  4869. /* The destination directory has more access right. */
  4870. /* clang-format off */
  4871. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_disconnected_rename_more) {
  4872. /* clang-format on */
  4873. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4874. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG |
  4875. LANDLOCK_ACCESS_FS_EXECUTE,
  4876. .expected_read_result = EACCES,
  4877. .expected_same_dir_rename_result = 0,
  4878. /* Access denied. */
  4879. .expected_rename_result = EXDEV,
  4880. .expected_exchange_result = EXDEV,
  4881. };
  4882. /* The destination directory has less access right. */
  4883. /* clang-format off */
  4884. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_disconnected_rename_less) {
  4885. /* clang-format on */
  4886. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG |
  4887. LANDLOCK_ACCESS_FS_EXECUTE,
  4888. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  4889. .expected_read_result = EACCES,
  4890. .expected_same_dir_rename_result = 0,
  4891. /* Access allowed. */
  4892. .expected_rename_result = 0,
  4893. .expected_exchange_result = EXDEV,
  4894. };
  4895. /* clang-format off */
  4896. FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, f1_f2_f3) {
  4897. /* clang-format on */
  4898. .allowed_f1 = LANDLOCK_ACCESS_FS_READ_FILE,
  4899. .allowed_f2 = LANDLOCK_ACCESS_FS_READ_FILE,
  4900. .allowed_f3 = LANDLOCK_ACCESS_FS_READ_FILE,
  4901. .expected_read_result = 0,
  4902. .expected_same_dir_rename_result = EACCES,
  4903. .expected_rename_result = EACCES,
  4904. .expected_exchange_result = EACCES,
  4905. };
  4906. TEST_F_FORK(layout4_disconnected_leafs, read_rename_exchange)
  4907. {
  4908. const __u64 handled_access =
  4909. LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE |
  4910. LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_MAKE_REG;
  4911. const struct rule rules[] = {
  4912. {
  4913. .path = TMP_DIR "/s1d1",
  4914. .access = variant->allowed_s1d1,
  4915. },
  4916. {
  4917. .path = TMP_DIR "/s1d1/s1d2",
  4918. .access = variant->allowed_s1d2,
  4919. },
  4920. {
  4921. .path = TMP_DIR "/s1d1/s1d2/s1d31",
  4922. .access = variant->allowed_s1d31,
  4923. },
  4924. {
  4925. .path = TMP_DIR "/s1d1/s1d2/s1d32",
  4926. .access = variant->allowed_s1d32,
  4927. },
  4928. {
  4929. .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41",
  4930. .access = variant->allowed_s1d41,
  4931. },
  4932. {
  4933. .path = TMP_DIR "/s1d1/s1d2/s1d32/s1d42",
  4934. .access = variant->allowed_s1d42,
  4935. },
  4936. {
  4937. .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f1",
  4938. .access = variant->allowed_f1,
  4939. },
  4940. {
  4941. .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f2",
  4942. .access = variant->allowed_f2,
  4943. },
  4944. {
  4945. .path = TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f3",
  4946. .access = variant->allowed_f3,
  4947. },
  4948. {
  4949. .path = TMP_DIR "/s2d1",
  4950. .access = variant->allowed_s2d1,
  4951. },
  4952. /* s2d2_fd */
  4953. {
  4954. .path = TMP_DIR "/s3d1",
  4955. .access = variant->allowed_s3d1,
  4956. },
  4957. {
  4958. .path = TMP_DIR "/s4d1",
  4959. .access = variant->allowed_s4d1,
  4960. },
  4961. {},
  4962. };
  4963. int ruleset_fd, s1d41_bind_fd, s1d42_bind_fd;
  4964. ruleset_fd = create_ruleset(_metadata, handled_access, rules);
  4965. ASSERT_LE(0, ruleset_fd);
  4966. /* Adds rule for the covered directory. */
  4967. if (variant->allowed_s2d2) {
  4968. ASSERT_EQ(0, landlock_add_rule(
  4969. ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  4970. &(struct landlock_path_beneath_attr){
  4971. .parent_fd = self->s2d2_fd,
  4972. .allowed_access =
  4973. variant->allowed_s2d2,
  4974. },
  4975. 0));
  4976. }
  4977. EXPECT_EQ(0, close(self->s2d2_fd));
  4978. s1d41_bind_fd = open(TMP_DIR "/s2d1/s2d2/s1d31/s1d41",
  4979. O_DIRECTORY | O_PATH | O_CLOEXEC);
  4980. ASSERT_LE(0, s1d41_bind_fd);
  4981. s1d42_bind_fd = open(TMP_DIR "/s2d1/s2d2/s1d32/s1d42",
  4982. O_DIRECTORY | O_PATH | O_CLOEXEC);
  4983. ASSERT_LE(0, s1d42_bind_fd);
  4984. /* Disconnects and checks source and destination directories. */
  4985. EXPECT_EQ(0, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY));
  4986. EXPECT_EQ(0, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY));
  4987. /* Renames to make it accessible through s3d1/s1d41 */
  4988. ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s1d1/s1d2/s1d31/s1d41",
  4989. AT_FDCWD, TMP_DIR "/s3d1/s1d41"));
  4990. /* Renames to make it accessible through s4d1/s1d42 */
  4991. ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s1d1/s1d2/s1d32/s1d42",
  4992. AT_FDCWD, TMP_DIR "/s4d1/s1d42"));
  4993. EXPECT_EQ(ENOENT, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY));
  4994. EXPECT_EQ(ENOENT, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY));
  4995. enforce_ruleset(_metadata, ruleset_fd);
  4996. EXPECT_EQ(0, close(ruleset_fd));
  4997. EXPECT_EQ(variant->expected_read_result,
  4998. test_open_rel(s1d41_bind_fd, "f1", O_RDONLY));
  4999. EXPECT_EQ(variant->expected_rename_result,
  5000. test_renameat(s1d41_bind_fd, "f1", s1d42_bind_fd, "f1"));
  5001. EXPECT_EQ(variant->expected_exchange_result,
  5002. test_exchangeat(s1d41_bind_fd, "f2", s1d42_bind_fd, "f3"));
  5003. EXPECT_EQ(variant->expected_same_dir_rename_result,
  5004. test_renameat(s1d42_bind_fd, "f4", s1d42_bind_fd, "f5"));
  5005. }
  5006. /*
  5007. * layout5_disconnected_branch before rename:
  5008. *
  5009. * tmp
  5010. * ├── s1d1
  5011. * │   └── s1d2 [source of the first bind mount]
  5012. * │   └── s1d3
  5013. * │   ├── s1d41
  5014. * │   │   ├── f1
  5015. * │   │   └── f2
  5016. * │   └── s1d42
  5017. * │   ├── f3
  5018. * │   └── f4
  5019. * ├── s2d1
  5020. * │   └── s2d2 [source of the second bind mount]
  5021. * │   └── s2d3
  5022. * │   └── s2d4 [first s1d2 bind mount]
  5023. * │   └── s1d3
  5024. * │   ├── s1d41
  5025. * │   │   ├── f1
  5026. * │   │   └── f2
  5027. * │   └── s1d42
  5028. * │   ├── f3
  5029. * │   └── f4
  5030. * ├── s3d1
  5031. * │   └── s3d2 [second s2d2 bind mount]
  5032. * │   └── s2d3
  5033. * │   └── s2d4 [first s1d2 bind mount]
  5034. * │   └── s1d3
  5035. * │   ├── s1d41
  5036. * │   │   ├── f1
  5037. * │   │   └── f2
  5038. * │   └── s1d42
  5039. * │   ├── f3
  5040. * │   └── f4
  5041. * └── s4d1
  5042. *
  5043. * After rename:
  5044. *
  5045. * tmp
  5046. * ├── s1d1
  5047. * │   └── s1d2 [source of the first bind mount]
  5048. * │   └── s1d3
  5049. * │   ├── s1d41
  5050. * │   │   ├── f1
  5051. * │   │   └── f2
  5052. * │   └── s1d42
  5053. * │   ├── f3
  5054. * │   └── f4
  5055. * ├── s2d1
  5056. * │   └── s2d2 [source of the second bind mount]
  5057. * ├── s3d1
  5058. * │   └── s3d2 [second s2d2 bind mount]
  5059. * └── s4d1
  5060. * └── s2d3 [renamed here]
  5061. * └── s2d4 [first s1d2 bind mount]
  5062. * └── s1d3
  5063. * ├── s1d41
  5064. * │   ├── f1
  5065. * │   └── f2
  5066. * └── s1d42
  5067. * ├── f3
  5068. * └── f4
  5069. *
  5070. * Decision path for access from the s3d1/s3d2/s2d3/s2d4/s1d3 file descriptor:
  5071. * 1. first bind mount: s1d3 -> s1d2
  5072. * 2. second bind mount: s2d3
  5073. * 3. tmp mount: s4d1 -> tmp [disconnected branch]
  5074. * 4. second bind mount: s2d2
  5075. * 5. tmp mount: s3d1 -> tmp
  5076. * 6. parent mounts: [...] -> /
  5077. *
  5078. * The s4d1 directory is evaluated even if it is not in the s2d2 mount.
  5079. */
  5080. /* clang-format off */
  5081. FIXTURE(layout5_disconnected_branch) {
  5082. int s2d4_fd, s3d2_fd;
  5083. };
  5084. /* clang-format on */
  5085. FIXTURE_SETUP(layout5_disconnected_branch)
  5086. {
  5087. prepare_layout(_metadata);
  5088. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f1");
  5089. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f2");
  5090. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f3");
  5091. create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f4");
  5092. create_directory(_metadata, TMP_DIR "/s2d1/s2d2/s2d3/s2d4");
  5093. create_directory(_metadata, TMP_DIR "/s3d1/s3d2");
  5094. create_directory(_metadata, TMP_DIR "/s4d1");
  5095. self->s2d4_fd = open(TMP_DIR "/s2d1/s2d2/s2d3/s2d4",
  5096. O_DIRECTORY | O_PATH | O_CLOEXEC);
  5097. ASSERT_LE(0, self->s2d4_fd);
  5098. self->s3d2_fd =
  5099. open(TMP_DIR "/s3d1/s3d2", O_DIRECTORY | O_PATH | O_CLOEXEC);
  5100. ASSERT_LE(0, self->s3d2_fd);
  5101. set_cap(_metadata, CAP_SYS_ADMIN);
  5102. ASSERT_EQ(0, mount(TMP_DIR "/s1d1/s1d2", TMP_DIR "/s2d1/s2d2/s2d3/s2d4",
  5103. NULL, MS_BIND, NULL));
  5104. ASSERT_EQ(0, mount(TMP_DIR "/s2d1/s2d2", TMP_DIR "/s3d1/s3d2", NULL,
  5105. MS_BIND | MS_REC, NULL));
  5106. clear_cap(_metadata, CAP_SYS_ADMIN);
  5107. }
  5108. FIXTURE_TEARDOWN_PARENT(layout5_disconnected_branch)
  5109. {
  5110. /* Bind mounts are handled by namespace lifetime. */
  5111. /* Removes files after renames. */
  5112. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f1");
  5113. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f2");
  5114. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f1");
  5115. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f3");
  5116. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f4");
  5117. remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f5");
  5118. cleanup_layout(_metadata);
  5119. }
  5120. FIXTURE_VARIANT(layout5_disconnected_branch)
  5121. {
  5122. /*
  5123. * Parent of all files. It should always be enforced when testing against
  5124. * files under the s1d41 or s1d42 disconnected directories.
  5125. */
  5126. const __u64 allowed_base;
  5127. /*
  5128. * Parent of the first bind mount source. It should always be ignored when
  5129. * testing against files under the s1d41 or s1d42 disconnected directories.
  5130. */
  5131. const __u64 allowed_s1d1;
  5132. const __u64 allowed_s1d2;
  5133. const __u64 allowed_s1d3;
  5134. const __u64 allowed_s2d1;
  5135. const __u64 allowed_s2d2;
  5136. const __u64 allowed_s2d3;
  5137. const __u64 allowed_s2d4;
  5138. const __u64 allowed_s3d1;
  5139. const __u64 allowed_s3d2;
  5140. const __u64 allowed_s4d1;
  5141. /* Expected result of the call to open([fd:s1d3]/s1d41/f1, O_RDONLY). */
  5142. const int expected_read_result;
  5143. /*
  5144. * Expected result of the call to renameat([fd:s1d3]/s1d41/f1,
  5145. * [fd:s1d3]/s1d42/f1).
  5146. */
  5147. const int expected_rename_result;
  5148. /*
  5149. * Expected result of the call to renameat([fd:s1d3]/s1d41/f2,
  5150. * [fd:s1d3]/s1d42/f3, RENAME_EXCHANGE).
  5151. */
  5152. const int expected_exchange_result;
  5153. /*
  5154. * Expected result of the call to renameat([fd:s1d3]/s1d42/f4,
  5155. * [fd:s1d3]/s1d42/f5).
  5156. */
  5157. const int expected_same_dir_rename_result;
  5158. };
  5159. /* clang-format off */
  5160. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d1_mount1_src_parent) {
  5161. /* clang-format on */
  5162. .allowed_s1d1 = LANDLOCK_ACCESS_FS_REFER |
  5163. LANDLOCK_ACCESS_FS_READ_FILE |
  5164. LANDLOCK_ACCESS_FS_EXECUTE |
  5165. LANDLOCK_ACCESS_FS_MAKE_REG,
  5166. .expected_read_result = EACCES,
  5167. .expected_same_dir_rename_result = EACCES,
  5168. .expected_rename_result = EACCES,
  5169. .expected_exchange_result = EACCES,
  5170. };
  5171. /* clang-format off */
  5172. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_refer) {
  5173. /* clang-format on */
  5174. .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5175. .expected_read_result = 0,
  5176. .expected_same_dir_rename_result = EACCES,
  5177. .expected_rename_result = EACCES,
  5178. .expected_exchange_result = EACCES,
  5179. };
  5180. /* clang-format off */
  5181. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_create) {
  5182. /* clang-format on */
  5183. .allowed_s1d2 = LANDLOCK_ACCESS_FS_READ_FILE |
  5184. LANDLOCK_ACCESS_FS_MAKE_REG,
  5185. .expected_read_result = 0,
  5186. .expected_same_dir_rename_result = 0,
  5187. .expected_rename_result = EXDEV,
  5188. .expected_exchange_result = EXDEV,
  5189. };
  5190. /* clang-format off */
  5191. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_rename) {
  5192. /* clang-format on */
  5193. .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5194. .expected_read_result = EACCES,
  5195. .expected_same_dir_rename_result = 0,
  5196. .expected_rename_result = 0,
  5197. .expected_exchange_result = 0,
  5198. };
  5199. /* clang-format off */
  5200. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_refer) {
  5201. /* clang-format on */
  5202. .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5203. .expected_read_result = 0,
  5204. .expected_same_dir_rename_result = EACCES,
  5205. .expected_rename_result = EACCES,
  5206. .expected_exchange_result = EACCES,
  5207. };
  5208. /* clang-format off */
  5209. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_create) {
  5210. /* clang-format on */
  5211. .allowed_s1d3 = LANDLOCK_ACCESS_FS_READ_FILE |
  5212. LANDLOCK_ACCESS_FS_MAKE_REG,
  5213. .expected_read_result = 0,
  5214. .expected_same_dir_rename_result = 0,
  5215. .expected_rename_result = EXDEV,
  5216. .expected_exchange_result = EXDEV,
  5217. };
  5218. /* clang-format off */
  5219. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_rename) {
  5220. /* clang-format on */
  5221. .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5222. .expected_read_result = EACCES,
  5223. .expected_same_dir_rename_result = 0,
  5224. .expected_rename_result = 0,
  5225. .expected_exchange_result = 0,
  5226. };
  5227. /* clang-format off */
  5228. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_full) {
  5229. /* clang-format on */
  5230. .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER |
  5231. LANDLOCK_ACCESS_FS_READ_FILE |
  5232. LANDLOCK_ACCESS_FS_EXECUTE |
  5233. LANDLOCK_ACCESS_FS_MAKE_REG,
  5234. .expected_read_result = 0,
  5235. .expected_same_dir_rename_result = 0,
  5236. .expected_rename_result = 0,
  5237. .expected_exchange_result = 0,
  5238. };
  5239. /* clang-format off */
  5240. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d1_mount2_src_parent) {
  5241. /* clang-format on */
  5242. .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER |
  5243. LANDLOCK_ACCESS_FS_READ_FILE |
  5244. LANDLOCK_ACCESS_FS_EXECUTE |
  5245. LANDLOCK_ACCESS_FS_MAKE_REG,
  5246. .expected_read_result = EACCES,
  5247. .expected_same_dir_rename_result = EACCES,
  5248. .expected_rename_result = EACCES,
  5249. .expected_exchange_result = EACCES,
  5250. };
  5251. /* clang-format off */
  5252. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_refer) {
  5253. /* clang-format on */
  5254. .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5255. .expected_read_result = 0,
  5256. .expected_same_dir_rename_result = EACCES,
  5257. .expected_rename_result = EACCES,
  5258. .expected_exchange_result = EACCES,
  5259. };
  5260. /* clang-format off */
  5261. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_create) {
  5262. /* clang-format on */
  5263. .allowed_s2d2 = LANDLOCK_ACCESS_FS_READ_FILE |
  5264. LANDLOCK_ACCESS_FS_MAKE_REG,
  5265. .expected_read_result = 0,
  5266. .expected_same_dir_rename_result = 0,
  5267. .expected_rename_result = EXDEV,
  5268. .expected_exchange_result = EXDEV,
  5269. };
  5270. /* clang-format off */
  5271. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_rename) {
  5272. /* clang-format on */
  5273. .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5274. .expected_read_result = EACCES,
  5275. .expected_same_dir_rename_result = 0,
  5276. .expected_rename_result = 0,
  5277. .expected_exchange_result = 0,
  5278. };
  5279. /* clang-format off */
  5280. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_refer) {
  5281. /* clang-format on */
  5282. .allowed_s2d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5283. .expected_read_result = 0,
  5284. .expected_same_dir_rename_result = EACCES,
  5285. .expected_rename_result = EACCES,
  5286. .expected_exchange_result = EACCES,
  5287. };
  5288. /* clang-format off */
  5289. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_create) {
  5290. /* clang-format on */
  5291. .allowed_s2d3 = LANDLOCK_ACCESS_FS_READ_FILE |
  5292. LANDLOCK_ACCESS_FS_MAKE_REG,
  5293. .expected_read_result = 0,
  5294. .expected_same_dir_rename_result = 0,
  5295. .expected_rename_result = EXDEV,
  5296. .expected_exchange_result = EXDEV,
  5297. };
  5298. /* clang-format off */
  5299. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_rename) {
  5300. /* clang-format on */
  5301. .allowed_s2d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5302. .expected_read_result = EACCES,
  5303. .expected_same_dir_rename_result = 0,
  5304. .expected_rename_result = 0,
  5305. .expected_exchange_result = 0,
  5306. };
  5307. /* clang-format off */
  5308. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d4_mount1_dst) {
  5309. /* clang-format on */
  5310. .allowed_s2d4 = LANDLOCK_ACCESS_FS_REFER |
  5311. LANDLOCK_ACCESS_FS_READ_FILE |
  5312. LANDLOCK_ACCESS_FS_EXECUTE |
  5313. LANDLOCK_ACCESS_FS_MAKE_REG,
  5314. .expected_read_result = EACCES,
  5315. .expected_same_dir_rename_result = EACCES,
  5316. .expected_rename_result = EACCES,
  5317. .expected_exchange_result = EACCES,
  5318. };
  5319. /* clang-format off */
  5320. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_refer) {
  5321. /* clang-format on */
  5322. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5323. .expected_read_result = 0,
  5324. .expected_same_dir_rename_result = EACCES,
  5325. .expected_rename_result = EACCES,
  5326. .expected_exchange_result = EACCES,
  5327. };
  5328. /* clang-format off */
  5329. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_create) {
  5330. /* clang-format on */
  5331. .allowed_s3d1 = LANDLOCK_ACCESS_FS_READ_FILE |
  5332. LANDLOCK_ACCESS_FS_MAKE_REG,
  5333. .expected_read_result = 0,
  5334. .expected_same_dir_rename_result = 0,
  5335. .expected_rename_result = EXDEV,
  5336. .expected_exchange_result = EXDEV,
  5337. };
  5338. /* clang-format off */
  5339. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_rename) {
  5340. /* clang-format on */
  5341. .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5342. .expected_read_result = EACCES,
  5343. .expected_same_dir_rename_result = 0,
  5344. .expected_rename_result = 0,
  5345. .expected_exchange_result = 0,
  5346. };
  5347. /* clang-format off */
  5348. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d2_mount1_dst) {
  5349. /* clang-format on */
  5350. .allowed_s3d2 = LANDLOCK_ACCESS_FS_REFER |
  5351. LANDLOCK_ACCESS_FS_READ_FILE |
  5352. LANDLOCK_ACCESS_FS_EXECUTE |
  5353. LANDLOCK_ACCESS_FS_MAKE_REG,
  5354. .expected_read_result = EACCES,
  5355. .expected_same_dir_rename_result = EACCES,
  5356. .expected_rename_result = EACCES,
  5357. .expected_exchange_result = EACCES,
  5358. };
  5359. /* clang-format off */
  5360. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_refer) {
  5361. /* clang-format on */
  5362. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
  5363. .expected_read_result = 0,
  5364. .expected_same_dir_rename_result = EACCES,
  5365. .expected_rename_result = EACCES,
  5366. .expected_exchange_result = EACCES,
  5367. };
  5368. /* clang-format off */
  5369. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_create) {
  5370. /* clang-format on */
  5371. .allowed_s4d1 = LANDLOCK_ACCESS_FS_READ_FILE |
  5372. LANDLOCK_ACCESS_FS_MAKE_REG,
  5373. .expected_read_result = 0,
  5374. .expected_same_dir_rename_result = 0,
  5375. .expected_rename_result = EXDEV,
  5376. .expected_exchange_result = EXDEV,
  5377. };
  5378. /* clang-format off */
  5379. FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_rename) {
  5380. /* clang-format on */
  5381. .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
  5382. .expected_read_result = EACCES,
  5383. .expected_same_dir_rename_result = 0,
  5384. .expected_rename_result = 0,
  5385. .expected_exchange_result = 0,
  5386. };
  5387. TEST_F_FORK(layout5_disconnected_branch, read_rename_exchange)
  5388. {
  5389. const __u64 handled_access =
  5390. LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE |
  5391. LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_MAKE_REG;
  5392. const struct rule rules[] = {
  5393. {
  5394. .path = TMP_DIR "/s1d1",
  5395. .access = variant->allowed_s1d1,
  5396. },
  5397. {
  5398. .path = TMP_DIR "/s1d1/s1d2",
  5399. .access = variant->allowed_s1d2,
  5400. },
  5401. {
  5402. .path = TMP_DIR "/s1d1/s1d2/s1d3",
  5403. .access = variant->allowed_s1d3,
  5404. },
  5405. {
  5406. .path = TMP_DIR "/s2d1",
  5407. .access = variant->allowed_s2d1,
  5408. },
  5409. {
  5410. .path = TMP_DIR "/s2d1/s2d2",
  5411. .access = variant->allowed_s2d2,
  5412. },
  5413. {
  5414. .path = TMP_DIR "/s2d1/s2d2/s2d3",
  5415. .access = variant->allowed_s2d3,
  5416. },
  5417. /* s2d4_fd */
  5418. {
  5419. .path = TMP_DIR "/s3d1",
  5420. .access = variant->allowed_s3d1,
  5421. },
  5422. /* s3d2_fd */
  5423. {
  5424. .path = TMP_DIR "/s4d1",
  5425. .access = variant->allowed_s4d1,
  5426. },
  5427. {},
  5428. };
  5429. int ruleset_fd, s1d3_bind_fd;
  5430. ruleset_fd = create_ruleset(_metadata, handled_access, rules);
  5431. ASSERT_LE(0, ruleset_fd);
  5432. /* Adds rules for the covered directories. */
  5433. if (variant->allowed_s2d4) {
  5434. ASSERT_EQ(0, landlock_add_rule(
  5435. ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  5436. &(struct landlock_path_beneath_attr){
  5437. .parent_fd = self->s2d4_fd,
  5438. .allowed_access =
  5439. variant->allowed_s2d4,
  5440. },
  5441. 0));
  5442. }
  5443. EXPECT_EQ(0, close(self->s2d4_fd));
  5444. if (variant->allowed_s3d2) {
  5445. ASSERT_EQ(0, landlock_add_rule(
  5446. ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
  5447. &(struct landlock_path_beneath_attr){
  5448. .parent_fd = self->s3d2_fd,
  5449. .allowed_access =
  5450. variant->allowed_s3d2,
  5451. },
  5452. 0));
  5453. }
  5454. EXPECT_EQ(0, close(self->s3d2_fd));
  5455. s1d3_bind_fd = open(TMP_DIR "/s3d1/s3d2/s2d3/s2d4/s1d3",
  5456. O_DIRECTORY | O_PATH | O_CLOEXEC);
  5457. ASSERT_LE(0, s1d3_bind_fd);
  5458. /* Disconnects and checks source and destination directories. */
  5459. EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY));
  5460. EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY));
  5461. /* Renames to make it accessible through s3d1/s1d41 */
  5462. ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s2d1/s2d2/s2d3",
  5463. AT_FDCWD, TMP_DIR "/s4d1/s2d3"));
  5464. EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY));
  5465. EXPECT_EQ(ENOENT, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY));
  5466. enforce_ruleset(_metadata, ruleset_fd);
  5467. EXPECT_EQ(0, close(ruleset_fd));
  5468. EXPECT_EQ(variant->expected_read_result,
  5469. test_open_rel(s1d3_bind_fd, "s1d41/f1", O_RDONLY));
  5470. EXPECT_EQ(variant->expected_rename_result,
  5471. test_renameat(s1d3_bind_fd, "s1d41/f1", s1d3_bind_fd,
  5472. "s1d42/f1"));
  5473. EXPECT_EQ(variant->expected_exchange_result,
  5474. test_exchangeat(s1d3_bind_fd, "s1d41/f2", s1d3_bind_fd,
  5475. "s1d42/f3"));
  5476. EXPECT_EQ(variant->expected_same_dir_rename_result,
  5477. test_renameat(s1d3_bind_fd, "s1d42/f4", s1d3_bind_fd,
  5478. "s1d42/f5"));
  5479. }
  5480. #define LOWER_BASE TMP_DIR "/lower"
  5481. #define LOWER_DATA LOWER_BASE "/data"
  5482. static const char lower_fl1[] = LOWER_DATA "/fl1";
  5483. static const char lower_dl1[] = LOWER_DATA "/dl1";
  5484. static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2";
  5485. static const char lower_fo1[] = LOWER_DATA "/fo1";
  5486. static const char lower_do1[] = LOWER_DATA "/do1";
  5487. static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2";
  5488. static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3";
  5489. static const char (*lower_base_files[])[] = {
  5490. &lower_fl1,
  5491. &lower_fo1,
  5492. NULL,
  5493. };
  5494. static const char (*lower_base_directories[])[] = {
  5495. &lower_dl1,
  5496. &lower_do1,
  5497. NULL,
  5498. };
  5499. static const char (*lower_sub_files[])[] = {
  5500. &lower_dl1_fl2,
  5501. &lower_do1_fo2,
  5502. &lower_do1_fl3,
  5503. NULL,
  5504. };
  5505. #define UPPER_BASE TMP_DIR "/upper"
  5506. #define UPPER_DATA UPPER_BASE "/data"
  5507. #define UPPER_WORK UPPER_BASE "/work"
  5508. static const char upper_fu1[] = UPPER_DATA "/fu1";
  5509. static const char upper_du1[] = UPPER_DATA "/du1";
  5510. static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2";
  5511. static const char upper_fo1[] = UPPER_DATA "/fo1";
  5512. static const char upper_do1[] = UPPER_DATA "/do1";
  5513. static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2";
  5514. static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3";
  5515. static const char (*upper_base_files[])[] = {
  5516. &upper_fu1,
  5517. &upper_fo1,
  5518. NULL,
  5519. };
  5520. static const char (*upper_base_directories[])[] = {
  5521. &upper_du1,
  5522. &upper_do1,
  5523. NULL,
  5524. };
  5525. static const char (*upper_sub_files[])[] = {
  5526. &upper_du1_fu2,
  5527. &upper_do1_fo2,
  5528. &upper_do1_fu3,
  5529. NULL,
  5530. };
  5531. #define MERGE_BASE TMP_DIR "/merge"
  5532. #define MERGE_DATA MERGE_BASE "/data"
  5533. static const char merge_fl1[] = MERGE_DATA "/fl1";
  5534. static const char merge_dl1[] = MERGE_DATA "/dl1";
  5535. static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2";
  5536. static const char merge_fu1[] = MERGE_DATA "/fu1";
  5537. static const char merge_du1[] = MERGE_DATA "/du1";
  5538. static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2";
  5539. static const char merge_fo1[] = MERGE_DATA "/fo1";
  5540. static const char merge_do1[] = MERGE_DATA "/do1";
  5541. static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2";
  5542. static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3";
  5543. static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3";
  5544. static const char (*merge_base_files[])[] = {
  5545. &merge_fl1,
  5546. &merge_fu1,
  5547. &merge_fo1,
  5548. NULL,
  5549. };
  5550. static const char (*merge_base_directories[])[] = {
  5551. &merge_dl1,
  5552. &merge_du1,
  5553. &merge_do1,
  5554. NULL,
  5555. };
  5556. static const char (*merge_sub_files[])[] = {
  5557. &merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2,
  5558. &merge_do1_fl3, &merge_do1_fu3, NULL,
  5559. };
  5560. /*
  5561. * layout2_overlay hierarchy:
  5562. *
  5563. * tmp
  5564. * ├── lower
  5565. * │   └── data
  5566. * │   ├── dl1
  5567. * │   │   └── fl2
  5568. * │   ├── do1
  5569. * │   │   ├── fl3
  5570. * │   │   └── fo2
  5571. * │   ├── fl1
  5572. * │   └── fo1
  5573. * ├── merge
  5574. * │   └── data
  5575. * │   ├── dl1
  5576. * │   │   └── fl2
  5577. * │   ├── do1
  5578. * │   │   ├── fl3
  5579. * │   │   ├── fo2
  5580. * │   │   └── fu3
  5581. * │   ├── du1
  5582. * │   │   └── fu2
  5583. * │   ├── fl1
  5584. * │   ├── fo1
  5585. * │   └── fu1
  5586. * └── upper
  5587. * ├── data
  5588. * │   ├── do1
  5589. * │   │   ├── fo2
  5590. * │   │   └── fu3
  5591. * │   ├── du1
  5592. * │   │   └── fu2
  5593. * │   ├── fo1
  5594. * │   └── fu1
  5595. * └── work
  5596. * └── work
  5597. */
  5598. FIXTURE(layout2_overlay)
  5599. {
  5600. bool skip_test;
  5601. };
  5602. FIXTURE_SETUP(layout2_overlay)
  5603. {
  5604. if (!supports_filesystem("overlay")) {
  5605. self->skip_test = true;
  5606. SKIP(return, "overlayfs is not supported (setup)");
  5607. }
  5608. prepare_layout(_metadata);
  5609. create_directory(_metadata, LOWER_BASE);
  5610. set_cap(_metadata, CAP_SYS_ADMIN);
  5611. /* Creates tmpfs mount points to get deterministic overlayfs. */
  5612. ASSERT_EQ(0, mount_opt(&mnt_tmp, LOWER_BASE));
  5613. clear_cap(_metadata, CAP_SYS_ADMIN);
  5614. create_file(_metadata, lower_fl1);
  5615. create_file(_metadata, lower_dl1_fl2);
  5616. create_file(_metadata, lower_fo1);
  5617. create_file(_metadata, lower_do1_fo2);
  5618. create_file(_metadata, lower_do1_fl3);
  5619. create_directory(_metadata, UPPER_BASE);
  5620. set_cap(_metadata, CAP_SYS_ADMIN);
  5621. ASSERT_EQ(0, mount_opt(&mnt_tmp, UPPER_BASE));
  5622. clear_cap(_metadata, CAP_SYS_ADMIN);
  5623. create_file(_metadata, upper_fu1);
  5624. create_file(_metadata, upper_du1_fu2);
  5625. create_file(_metadata, upper_fo1);
  5626. create_file(_metadata, upper_do1_fo2);
  5627. create_file(_metadata, upper_do1_fu3);
  5628. ASSERT_EQ(0, mkdir(UPPER_WORK, 0700));
  5629. create_directory(_metadata, MERGE_DATA);
  5630. set_cap(_metadata, CAP_SYS_ADMIN);
  5631. set_cap(_metadata, CAP_DAC_OVERRIDE);
  5632. ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0,
  5633. "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA
  5634. ",workdir=" UPPER_WORK));
  5635. clear_cap(_metadata, CAP_DAC_OVERRIDE);
  5636. clear_cap(_metadata, CAP_SYS_ADMIN);
  5637. }
  5638. FIXTURE_TEARDOWN_PARENT(layout2_overlay)
  5639. {
  5640. if (self->skip_test)
  5641. SKIP(return, "overlayfs is not supported (teardown)");
  5642. EXPECT_EQ(0, remove_path(lower_do1_fl3));
  5643. EXPECT_EQ(0, remove_path(lower_dl1_fl2));
  5644. EXPECT_EQ(0, remove_path(lower_fl1));
  5645. EXPECT_EQ(0, remove_path(lower_do1_fo2));
  5646. EXPECT_EQ(0, remove_path(lower_fo1));
  5647. /* umount(LOWER_BASE)) is handled by namespace lifetime. */
  5648. EXPECT_EQ(0, remove_path(LOWER_BASE));
  5649. EXPECT_EQ(0, remove_path(upper_do1_fu3));
  5650. EXPECT_EQ(0, remove_path(upper_du1_fu2));
  5651. EXPECT_EQ(0, remove_path(upper_fu1));
  5652. EXPECT_EQ(0, remove_path(upper_do1_fo2));
  5653. EXPECT_EQ(0, remove_path(upper_fo1));
  5654. EXPECT_EQ(0, remove_path(UPPER_WORK "/work"));
  5655. /* umount(UPPER_BASE)) is handled by namespace lifetime. */
  5656. EXPECT_EQ(0, remove_path(UPPER_BASE));
  5657. /* umount(MERGE_DATA)) is handled by namespace lifetime. */
  5658. EXPECT_EQ(0, remove_path(MERGE_DATA));
  5659. cleanup_layout(_metadata);
  5660. }
  5661. TEST_F_FORK(layout2_overlay, no_restriction)
  5662. {
  5663. if (self->skip_test)
  5664. SKIP(return, "overlayfs is not supported (test)");
  5665. ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY));
  5666. ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY));
  5667. ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY));
  5668. ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY));
  5669. ASSERT_EQ(0, test_open(lower_do1, O_RDONLY));
  5670. ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY));
  5671. ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY));
  5672. ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY));
  5673. ASSERT_EQ(0, test_open(upper_du1, O_RDONLY));
  5674. ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY));
  5675. ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY));
  5676. ASSERT_EQ(0, test_open(upper_do1, O_RDONLY));
  5677. ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY));
  5678. ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY));
  5679. ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY));
  5680. ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY));
  5681. ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY));
  5682. ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY));
  5683. ASSERT_EQ(0, test_open(merge_du1, O_RDONLY));
  5684. ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY));
  5685. ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY));
  5686. ASSERT_EQ(0, test_open(merge_do1, O_RDONLY));
  5687. ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY));
  5688. ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY));
  5689. ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY));
  5690. }
  5691. #define for_each_path(path_list, path_entry, i) \
  5692. for (i = 0, path_entry = *path_list[i]; path_list[i]; \
  5693. path_entry = *path_list[++i])
  5694. TEST_F_FORK(layout2_overlay, same_content_different_file)
  5695. {
  5696. /* Sets access right on parent directories of both layers. */
  5697. const struct rule layer1_base[] = {
  5698. {
  5699. .path = LOWER_BASE,
  5700. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5701. },
  5702. {
  5703. .path = UPPER_BASE,
  5704. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5705. },
  5706. {
  5707. .path = MERGE_BASE,
  5708. .access = ACCESS_RW,
  5709. },
  5710. {},
  5711. };
  5712. const struct rule layer2_data[] = {
  5713. {
  5714. .path = LOWER_DATA,
  5715. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5716. },
  5717. {
  5718. .path = UPPER_DATA,
  5719. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5720. },
  5721. {
  5722. .path = MERGE_DATA,
  5723. .access = ACCESS_RW,
  5724. },
  5725. {},
  5726. };
  5727. /* Sets access right on directories inside both layers. */
  5728. const struct rule layer3_subdirs[] = {
  5729. {
  5730. .path = lower_dl1,
  5731. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5732. },
  5733. {
  5734. .path = lower_do1,
  5735. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5736. },
  5737. {
  5738. .path = upper_du1,
  5739. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5740. },
  5741. {
  5742. .path = upper_do1,
  5743. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5744. },
  5745. {
  5746. .path = merge_dl1,
  5747. .access = ACCESS_RW,
  5748. },
  5749. {
  5750. .path = merge_du1,
  5751. .access = ACCESS_RW,
  5752. },
  5753. {
  5754. .path = merge_do1,
  5755. .access = ACCESS_RW,
  5756. },
  5757. {},
  5758. };
  5759. /* Tighten access rights to the files. */
  5760. const struct rule layer4_files[] = {
  5761. {
  5762. .path = lower_dl1_fl2,
  5763. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5764. },
  5765. {
  5766. .path = lower_do1_fo2,
  5767. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5768. },
  5769. {
  5770. .path = lower_do1_fl3,
  5771. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5772. },
  5773. {
  5774. .path = upper_du1_fu2,
  5775. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5776. },
  5777. {
  5778. .path = upper_do1_fo2,
  5779. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5780. },
  5781. {
  5782. .path = upper_do1_fu3,
  5783. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  5784. },
  5785. {
  5786. .path = merge_dl1_fl2,
  5787. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5788. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5789. },
  5790. {
  5791. .path = merge_du1_fu2,
  5792. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5793. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5794. },
  5795. {
  5796. .path = merge_do1_fo2,
  5797. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5798. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5799. },
  5800. {
  5801. .path = merge_do1_fl3,
  5802. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5803. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5804. },
  5805. {
  5806. .path = merge_do1_fu3,
  5807. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5808. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5809. },
  5810. {},
  5811. };
  5812. const struct rule layer5_merge_only[] = {
  5813. {
  5814. .path = MERGE_DATA,
  5815. .access = LANDLOCK_ACCESS_FS_READ_FILE |
  5816. LANDLOCK_ACCESS_FS_WRITE_FILE,
  5817. },
  5818. {},
  5819. };
  5820. int ruleset_fd;
  5821. size_t i;
  5822. const char *path_entry;
  5823. if (self->skip_test)
  5824. SKIP(return, "overlayfs is not supported (test)");
  5825. /* Sets rules on base directories (i.e. outside overlay scope). */
  5826. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
  5827. ASSERT_LE(0, ruleset_fd);
  5828. enforce_ruleset(_metadata, ruleset_fd);
  5829. ASSERT_EQ(0, close(ruleset_fd));
  5830. /* Checks lower layer. */
  5831. for_each_path(lower_base_files, path_entry, i) {
  5832. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5833. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5834. }
  5835. for_each_path(lower_base_directories, path_entry, i) {
  5836. ASSERT_EQ(EACCES,
  5837. test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5838. }
  5839. for_each_path(lower_sub_files, path_entry, i) {
  5840. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5841. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5842. }
  5843. /* Checks upper layer. */
  5844. for_each_path(upper_base_files, path_entry, i) {
  5845. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5846. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5847. }
  5848. for_each_path(upper_base_directories, path_entry, i) {
  5849. ASSERT_EQ(EACCES,
  5850. test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5851. }
  5852. for_each_path(upper_sub_files, path_entry, i) {
  5853. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5854. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5855. }
  5856. /*
  5857. * Checks that access rights are independent from the lower and upper
  5858. * layers: write access to upper files viewed through the merge point
  5859. * is still allowed, and write access to lower file viewed (and copied)
  5860. * through the merge point is still allowed.
  5861. */
  5862. for_each_path(merge_base_files, path_entry, i) {
  5863. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5864. }
  5865. for_each_path(merge_base_directories, path_entry, i) {
  5866. ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5867. }
  5868. for_each_path(merge_sub_files, path_entry, i) {
  5869. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5870. }
  5871. /* Sets rules on data directories (i.e. inside overlay scope). */
  5872. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
  5873. ASSERT_LE(0, ruleset_fd);
  5874. enforce_ruleset(_metadata, ruleset_fd);
  5875. ASSERT_EQ(0, close(ruleset_fd));
  5876. /* Checks merge. */
  5877. for_each_path(merge_base_files, path_entry, i) {
  5878. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5879. }
  5880. for_each_path(merge_base_directories, path_entry, i) {
  5881. ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5882. }
  5883. for_each_path(merge_sub_files, path_entry, i) {
  5884. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5885. }
  5886. /* Same checks with tighter rules. */
  5887. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
  5888. ASSERT_LE(0, ruleset_fd);
  5889. enforce_ruleset(_metadata, ruleset_fd);
  5890. ASSERT_EQ(0, close(ruleset_fd));
  5891. /* Checks changes for lower layer. */
  5892. for_each_path(lower_base_files, path_entry, i) {
  5893. ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
  5894. }
  5895. /* Checks changes for upper layer. */
  5896. for_each_path(upper_base_files, path_entry, i) {
  5897. ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
  5898. }
  5899. /* Checks all merge accesses. */
  5900. for_each_path(merge_base_files, path_entry, i) {
  5901. ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
  5902. }
  5903. for_each_path(merge_base_directories, path_entry, i) {
  5904. ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5905. }
  5906. for_each_path(merge_sub_files, path_entry, i) {
  5907. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5908. }
  5909. /* Sets rules directly on overlayed files. */
  5910. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
  5911. ASSERT_LE(0, ruleset_fd);
  5912. enforce_ruleset(_metadata, ruleset_fd);
  5913. ASSERT_EQ(0, close(ruleset_fd));
  5914. /* Checks unchanged accesses on lower layer. */
  5915. for_each_path(lower_sub_files, path_entry, i) {
  5916. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5917. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5918. }
  5919. /* Checks unchanged accesses on upper layer. */
  5920. for_each_path(upper_sub_files, path_entry, i) {
  5921. ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
  5922. ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
  5923. }
  5924. /* Checks all merge accesses. */
  5925. for_each_path(merge_base_files, path_entry, i) {
  5926. ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
  5927. }
  5928. for_each_path(merge_base_directories, path_entry, i) {
  5929. ASSERT_EQ(EACCES,
  5930. test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5931. }
  5932. for_each_path(merge_sub_files, path_entry, i) {
  5933. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5934. }
  5935. /* Only allowes access to the merge hierarchy. */
  5936. ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
  5937. ASSERT_LE(0, ruleset_fd);
  5938. enforce_ruleset(_metadata, ruleset_fd);
  5939. ASSERT_EQ(0, close(ruleset_fd));
  5940. /* Checks new accesses on lower layer. */
  5941. for_each_path(lower_sub_files, path_entry, i) {
  5942. ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
  5943. }
  5944. /* Checks new accesses on upper layer. */
  5945. for_each_path(upper_sub_files, path_entry, i) {
  5946. ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
  5947. }
  5948. /* Checks all merge accesses. */
  5949. for_each_path(merge_base_files, path_entry, i) {
  5950. ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
  5951. }
  5952. for_each_path(merge_base_directories, path_entry, i) {
  5953. ASSERT_EQ(EACCES,
  5954. test_open(path_entry, O_RDONLY | O_DIRECTORY));
  5955. }
  5956. for_each_path(merge_sub_files, path_entry, i) {
  5957. ASSERT_EQ(0, test_open(path_entry, O_RDWR));
  5958. }
  5959. }
  5960. FIXTURE(layout3_fs)
  5961. {
  5962. bool has_created_dir;
  5963. bool has_created_file;
  5964. bool skip_test;
  5965. };
  5966. FIXTURE_VARIANT(layout3_fs)
  5967. {
  5968. const struct mnt_opt mnt;
  5969. const char *const file_path;
  5970. unsigned int cwd_fs_magic;
  5971. };
  5972. /* clang-format off */
  5973. FIXTURE_VARIANT_ADD(layout3_fs, tmpfs) {
  5974. /* clang-format on */
  5975. .mnt = {
  5976. .type = "tmpfs",
  5977. .data = MNT_TMP_DATA,
  5978. },
  5979. .file_path = file1_s1d1,
  5980. };
  5981. FIXTURE_VARIANT_ADD(layout3_fs, ramfs) {
  5982. .mnt = {
  5983. .type = "ramfs",
  5984. .data = "mode=700",
  5985. },
  5986. .file_path = TMP_DIR "/dir/file",
  5987. };
  5988. FIXTURE_VARIANT_ADD(layout3_fs, cgroup2) {
  5989. .mnt = {
  5990. .type = "cgroup2",
  5991. },
  5992. .file_path = TMP_DIR "/test/cgroup.procs",
  5993. };
  5994. FIXTURE_VARIANT_ADD(layout3_fs, proc) {
  5995. .mnt = {
  5996. .type = "proc",
  5997. },
  5998. .file_path = TMP_DIR "/self/status",
  5999. };
  6000. FIXTURE_VARIANT_ADD(layout3_fs, sysfs) {
  6001. .mnt = {
  6002. .type = "sysfs",
  6003. },
  6004. .file_path = TMP_DIR "/kernel/notes",
  6005. };
  6006. FIXTURE_VARIANT_ADD(layout3_fs, hostfs) {
  6007. .mnt = {
  6008. .source = TMP_DIR,
  6009. .flags = MS_BIND,
  6010. },
  6011. .file_path = TMP_DIR "/dir/file",
  6012. .cwd_fs_magic = HOSTFS_SUPER_MAGIC,
  6013. };
  6014. static char *dirname_alloc(const char *path)
  6015. {
  6016. char *dup;
  6017. if (!path)
  6018. return NULL;
  6019. dup = strdup(path);
  6020. if (!dup)
  6021. return NULL;
  6022. return dirname(dup);
  6023. }
  6024. FIXTURE_SETUP(layout3_fs)
  6025. {
  6026. struct stat statbuf;
  6027. char *dir_path = dirname_alloc(variant->file_path);
  6028. if (!supports_filesystem(variant->mnt.type) ||
  6029. !cwd_matches_fs(variant->cwd_fs_magic)) {
  6030. self->skip_test = true;
  6031. SKIP(return, "this filesystem is not supported (setup)");
  6032. }
  6033. prepare_layout_opt(_metadata, &variant->mnt);
  6034. /* Creates directory when required. */
  6035. if (stat(dir_path, &statbuf)) {
  6036. set_cap(_metadata, CAP_DAC_OVERRIDE);
  6037. EXPECT_EQ(0, mkdir(dir_path, 0700))
  6038. {
  6039. TH_LOG("Failed to create directory \"%s\": %s",
  6040. dir_path, strerror(errno));
  6041. }
  6042. self->has_created_dir = true;
  6043. clear_cap(_metadata, CAP_DAC_OVERRIDE);
  6044. }
  6045. /* Creates file when required. */
  6046. if (stat(variant->file_path, &statbuf)) {
  6047. int fd;
  6048. set_cap(_metadata, CAP_DAC_OVERRIDE);
  6049. fd = creat(variant->file_path, 0600);
  6050. EXPECT_LE(0, fd)
  6051. {
  6052. TH_LOG("Failed to create file \"%s\": %s",
  6053. variant->file_path, strerror(errno));
  6054. }
  6055. EXPECT_EQ(0, close(fd));
  6056. self->has_created_file = true;
  6057. clear_cap(_metadata, CAP_DAC_OVERRIDE);
  6058. }
  6059. free(dir_path);
  6060. }
  6061. FIXTURE_TEARDOWN_PARENT(layout3_fs)
  6062. {
  6063. if (self->skip_test)
  6064. SKIP(return, "this filesystem is not supported (teardown)");
  6065. if (self->has_created_file) {
  6066. set_cap(_metadata, CAP_DAC_OVERRIDE);
  6067. /*
  6068. * Don't check for error because the file might already
  6069. * have been removed (cf. release_inode test).
  6070. */
  6071. unlink(variant->file_path);
  6072. clear_cap(_metadata, CAP_DAC_OVERRIDE);
  6073. }
  6074. if (self->has_created_dir) {
  6075. char *dir_path = dirname_alloc(variant->file_path);
  6076. set_cap(_metadata, CAP_DAC_OVERRIDE);
  6077. /*
  6078. * Don't check for error because the directory might already
  6079. * have been removed (cf. release_inode test).
  6080. */
  6081. rmdir(dir_path);
  6082. clear_cap(_metadata, CAP_DAC_OVERRIDE);
  6083. free(dir_path);
  6084. }
  6085. cleanup_layout(_metadata);
  6086. }
  6087. static void layer3_fs_tag_inode(struct __test_metadata *const _metadata,
  6088. FIXTURE_DATA(layout3_fs) * self,
  6089. const FIXTURE_VARIANT(layout3_fs) * variant,
  6090. const char *const rule_path)
  6091. {
  6092. const struct rule layer1_allow_read_file[] = {
  6093. {
  6094. .path = rule_path,
  6095. .access = LANDLOCK_ACCESS_FS_READ_FILE,
  6096. },
  6097. {},
  6098. };
  6099. const struct landlock_ruleset_attr layer2_deny_everything_attr = {
  6100. .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
  6101. };
  6102. const char *const dev_null_path = "/dev/null";
  6103. int ruleset_fd;
  6104. if (self->skip_test)
  6105. SKIP(return, "this filesystem is not supported (test)");
  6106. /* Checks without Landlock. */
  6107. EXPECT_EQ(0, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
  6108. EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
  6109. ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
  6110. layer1_allow_read_file);
  6111. EXPECT_LE(0, ruleset_fd);
  6112. enforce_ruleset(_metadata, ruleset_fd);
  6113. EXPECT_EQ(0, close(ruleset_fd));
  6114. EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
  6115. EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
  6116. /* Forbids directory reading. */
  6117. ruleset_fd =
  6118. landlock_create_ruleset(&layer2_deny_everything_attr,
  6119. sizeof(layer2_deny_everything_attr), 0);
  6120. EXPECT_LE(0, ruleset_fd);
  6121. enforce_ruleset(_metadata, ruleset_fd);
  6122. EXPECT_EQ(0, close(ruleset_fd));
  6123. /* Checks with Landlock and forbidden access. */
  6124. EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
  6125. EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
  6126. }
  6127. /* Matrix of tests to check file hierarchy evaluation. */
  6128. TEST_F_FORK(layout3_fs, tag_inode_dir_parent)
  6129. {
  6130. /* The current directory must not be the root for this test. */
  6131. layer3_fs_tag_inode(_metadata, self, variant, ".");
  6132. }
  6133. TEST_F_FORK(layout3_fs, tag_inode_dir_mnt)
  6134. {
  6135. layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR);
  6136. }
  6137. TEST_F_FORK(layout3_fs, tag_inode_dir_child)
  6138. {
  6139. char *dir_path = dirname_alloc(variant->file_path);
  6140. layer3_fs_tag_inode(_metadata, self, variant, dir_path);
  6141. free(dir_path);
  6142. }
  6143. TEST_F_FORK(layout3_fs, tag_inode_file)
  6144. {
  6145. layer3_fs_tag_inode(_metadata, self, variant, variant->file_path);
  6146. }
  6147. /* Light version of layout1.release_inodes */
  6148. TEST_F_FORK(layout3_fs, release_inodes)
  6149. {
  6150. const struct rule layer1[] = {
  6151. {
  6152. .path = TMP_DIR,
  6153. .access = LANDLOCK_ACCESS_FS_READ_DIR,
  6154. },
  6155. {},
  6156. };
  6157. int ruleset_fd;
  6158. if (self->skip_test)
  6159. SKIP(return, "this filesystem is not supported (test)");
  6160. /* Clean up for the teardown to not fail. */
  6161. if (self->has_created_file)
  6162. EXPECT_EQ(0, remove_path(variant->file_path));
  6163. if (self->has_created_dir) {
  6164. char *dir_path = dirname_alloc(variant->file_path);
  6165. /* Don't check for error because of cgroup specificities. */
  6166. remove_path(dir_path);
  6167. free(dir_path);
  6168. }
  6169. ruleset_fd =
  6170. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
  6171. ASSERT_LE(0, ruleset_fd);
  6172. /* Unmount the filesystem while it is being used by a ruleset. */
  6173. set_cap(_metadata, CAP_SYS_ADMIN);
  6174. ASSERT_EQ(0, umount(TMP_DIR));
  6175. clear_cap(_metadata, CAP_SYS_ADMIN);
  6176. /* Replaces with a new mount point to simplify FIXTURE_TEARDOWN. */
  6177. set_cap(_metadata, CAP_SYS_ADMIN);
  6178. ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR));
  6179. clear_cap(_metadata, CAP_SYS_ADMIN);
  6180. enforce_ruleset(_metadata, ruleset_fd);
  6181. ASSERT_EQ(0, close(ruleset_fd));
  6182. /* Checks that access to the new mount point is denied. */
  6183. ASSERT_EQ(EACCES, test_open(TMP_DIR, O_RDONLY));
  6184. }
  6185. static int matches_log_fs_extra(struct __test_metadata *const _metadata,
  6186. int audit_fd, const char *const blockers,
  6187. const char *const path, const char *const extra)
  6188. {
  6189. static const char log_template[] = REGEX_LANDLOCK_PREFIX
  6190. " blockers=fs\\.%s path=\"%s\" dev=\"[^\"]\\+\" ino=[0-9]\\+$";
  6191. char *absolute_path = NULL;
  6192. size_t log_match_remaining = sizeof(log_template) + strlen(blockers) +
  6193. PATH_MAX * 2 +
  6194. (extra ? strlen(extra) : 0) + 1;
  6195. char log_match[log_match_remaining];
  6196. char *log_match_cursor = log_match;
  6197. size_t chunk_len;
  6198. chunk_len = snprintf(log_match_cursor, log_match_remaining,
  6199. REGEX_LANDLOCK_PREFIX " blockers=%s path=\"",
  6200. blockers);
  6201. if (chunk_len < 0 || chunk_len >= log_match_remaining)
  6202. return -E2BIG;
  6203. /*
  6204. * It is assumed that absolute_path does not contain control
  6205. * characters nor spaces, see audit_string_contains_control().
  6206. */
  6207. absolute_path = realpath(path, NULL);
  6208. if (!absolute_path)
  6209. return -errno;
  6210. log_match_remaining -= chunk_len;
  6211. log_match_cursor += chunk_len;
  6212. log_match_cursor = regex_escape(absolute_path, log_match_cursor,
  6213. log_match_remaining);
  6214. free(absolute_path);
  6215. if (log_match_cursor < 0)
  6216. return (long long)log_match_cursor;
  6217. log_match_remaining -= log_match_cursor - log_match;
  6218. chunk_len = snprintf(log_match_cursor, log_match_remaining,
  6219. "\" dev=\"[^\"]\\+\" ino=[0-9]\\+%s$",
  6220. extra ?: "");
  6221. if (chunk_len < 0 || chunk_len >= log_match_remaining)
  6222. return -E2BIG;
  6223. return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match,
  6224. NULL);
  6225. }
  6226. static int matches_log_fs(struct __test_metadata *const _metadata, int audit_fd,
  6227. const char *const blockers, const char *const path)
  6228. {
  6229. return matches_log_fs_extra(_metadata, audit_fd, blockers, path, NULL);
  6230. }
  6231. FIXTURE(audit_layout1)
  6232. {
  6233. struct audit_filter audit_filter;
  6234. int audit_fd;
  6235. };
  6236. FIXTURE_SETUP(audit_layout1)
  6237. {
  6238. prepare_layout(_metadata);
  6239. create_layout1(_metadata);
  6240. set_cap(_metadata, CAP_AUDIT_CONTROL);
  6241. self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
  6242. EXPECT_LE(0, self->audit_fd);
  6243. disable_caps(_metadata);
  6244. }
  6245. FIXTURE_TEARDOWN_PARENT(audit_layout1)
  6246. {
  6247. remove_layout1(_metadata);
  6248. cleanup_layout(_metadata);
  6249. EXPECT_EQ(0, audit_cleanup(-1, NULL));
  6250. }
  6251. TEST_F(audit_layout1, execute_make)
  6252. {
  6253. struct audit_records records;
  6254. copy_file(_metadata, bin_true, file1_s1d1);
  6255. test_execute(_metadata, 0, file1_s1d1);
  6256. test_check_exec(_metadata, 0, file1_s1d1);
  6257. drop_access_rights(_metadata,
  6258. &(struct landlock_ruleset_attr){
  6259. .handled_access_fs =
  6260. LANDLOCK_ACCESS_FS_EXECUTE,
  6261. });
  6262. test_execute(_metadata, EACCES, file1_s1d1);
  6263. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.execute",
  6264. file1_s1d1));
  6265. test_check_exec(_metadata, EACCES, file1_s1d1);
  6266. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.execute",
  6267. file1_s1d1));
  6268. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6269. EXPECT_EQ(0, records.access);
  6270. EXPECT_EQ(0, records.domain);
  6271. }
  6272. /*
  6273. * Using a set of handled/denied access rights make it possible to check that
  6274. * only the blocked ones are logged.
  6275. */
  6276. /* clang-format off */
  6277. static const __u64 access_fs_16 =
  6278. LANDLOCK_ACCESS_FS_EXECUTE |
  6279. LANDLOCK_ACCESS_FS_WRITE_FILE |
  6280. LANDLOCK_ACCESS_FS_READ_FILE |
  6281. LANDLOCK_ACCESS_FS_READ_DIR |
  6282. LANDLOCK_ACCESS_FS_REMOVE_DIR |
  6283. LANDLOCK_ACCESS_FS_REMOVE_FILE |
  6284. LANDLOCK_ACCESS_FS_MAKE_CHAR |
  6285. LANDLOCK_ACCESS_FS_MAKE_DIR |
  6286. LANDLOCK_ACCESS_FS_MAKE_REG |
  6287. LANDLOCK_ACCESS_FS_MAKE_SOCK |
  6288. LANDLOCK_ACCESS_FS_MAKE_FIFO |
  6289. LANDLOCK_ACCESS_FS_MAKE_BLOCK |
  6290. LANDLOCK_ACCESS_FS_MAKE_SYM |
  6291. LANDLOCK_ACCESS_FS_REFER |
  6292. LANDLOCK_ACCESS_FS_TRUNCATE |
  6293. LANDLOCK_ACCESS_FS_IOCTL_DEV;
  6294. /* clang-format on */
  6295. TEST_F(audit_layout1, execute_read)
  6296. {
  6297. struct audit_records records;
  6298. copy_file(_metadata, bin_true, file1_s1d1);
  6299. test_execute(_metadata, 0, file1_s1d1);
  6300. test_check_exec(_metadata, 0, file1_s1d1);
  6301. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6302. .handled_access_fs = access_fs_16,
  6303. });
  6304. /*
  6305. * The only difference with the previous audit_layout1.execute_read test is
  6306. * the extra ",fs\\.read_file" blocked by the executable file.
  6307. */
  6308. test_execute(_metadata, EACCES, file1_s1d1);
  6309. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6310. "fs\\.execute,fs\\.read_file", file1_s1d1));
  6311. test_check_exec(_metadata, EACCES, file1_s1d1);
  6312. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6313. "fs\\.execute,fs\\.read_file", file1_s1d1));
  6314. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6315. EXPECT_EQ(0, records.access);
  6316. EXPECT_EQ(0, records.domain);
  6317. }
  6318. TEST_F(audit_layout1, write_file)
  6319. {
  6320. struct audit_records records;
  6321. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6322. .handled_access_fs = access_fs_16,
  6323. });
  6324. EXPECT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
  6325. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6326. "fs\\.write_file", file1_s1d1));
  6327. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6328. EXPECT_EQ(0, records.access);
  6329. EXPECT_EQ(1, records.domain);
  6330. }
  6331. TEST_F(audit_layout1, read_file)
  6332. {
  6333. struct audit_records records;
  6334. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6335. .handled_access_fs = access_fs_16,
  6336. });
  6337. EXPECT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
  6338. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_file",
  6339. file1_s1d1));
  6340. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6341. EXPECT_EQ(0, records.access);
  6342. EXPECT_EQ(1, records.domain);
  6343. }
  6344. TEST_F(audit_layout1, read_dir)
  6345. {
  6346. struct audit_records records;
  6347. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6348. .handled_access_fs = access_fs_16,
  6349. });
  6350. EXPECT_EQ(EACCES, test_open(dir_s1d1, O_DIRECTORY));
  6351. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_dir",
  6352. dir_s1d1));
  6353. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6354. EXPECT_EQ(0, records.access);
  6355. EXPECT_EQ(1, records.domain);
  6356. }
  6357. TEST_F(audit_layout1, remove_dir)
  6358. {
  6359. struct audit_records records;
  6360. EXPECT_EQ(0, unlink(file1_s1d3));
  6361. EXPECT_EQ(0, unlink(file2_s1d3));
  6362. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6363. .handled_access_fs = access_fs_16,
  6364. });
  6365. EXPECT_EQ(-1, rmdir(dir_s1d3));
  6366. EXPECT_EQ(EACCES, errno);
  6367. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6368. "fs\\.remove_dir", dir_s1d2));
  6369. EXPECT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
  6370. EXPECT_EQ(EACCES, errno);
  6371. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6372. "fs\\.remove_dir", dir_s1d2));
  6373. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6374. EXPECT_EQ(0, records.access);
  6375. EXPECT_EQ(0, records.domain);
  6376. }
  6377. TEST_F(audit_layout1, remove_file)
  6378. {
  6379. struct audit_records records;
  6380. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6381. .handled_access_fs = access_fs_16,
  6382. });
  6383. EXPECT_EQ(-1, unlink(file1_s1d3));
  6384. EXPECT_EQ(EACCES, errno);
  6385. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6386. "fs\\.remove_file", dir_s1d3));
  6387. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6388. EXPECT_EQ(0, records.access);
  6389. EXPECT_EQ(1, records.domain);
  6390. }
  6391. TEST_F(audit_layout1, make_char)
  6392. {
  6393. struct audit_records records;
  6394. EXPECT_EQ(0, unlink(file1_s1d3));
  6395. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6396. .handled_access_fs = access_fs_16,
  6397. });
  6398. EXPECT_EQ(-1, mknod(file1_s1d3, S_IFCHR | 0644, 0));
  6399. EXPECT_EQ(EACCES, errno);
  6400. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_char",
  6401. dir_s1d3));
  6402. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6403. EXPECT_EQ(0, records.access);
  6404. EXPECT_EQ(1, records.domain);
  6405. }
  6406. TEST_F(audit_layout1, make_dir)
  6407. {
  6408. struct audit_records records;
  6409. EXPECT_EQ(0, unlink(file1_s1d3));
  6410. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6411. .handled_access_fs = access_fs_16,
  6412. });
  6413. EXPECT_EQ(-1, mkdir(file1_s1d3, 0755));
  6414. EXPECT_EQ(EACCES, errno);
  6415. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_dir",
  6416. dir_s1d3));
  6417. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6418. EXPECT_EQ(0, records.access);
  6419. EXPECT_EQ(1, records.domain);
  6420. }
  6421. TEST_F(audit_layout1, make_reg)
  6422. {
  6423. struct audit_records records;
  6424. EXPECT_EQ(0, unlink(file1_s1d3));
  6425. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6426. .handled_access_fs = access_fs_16,
  6427. });
  6428. EXPECT_EQ(-1, mknod(file1_s1d3, S_IFREG | 0644, 0));
  6429. EXPECT_EQ(EACCES, errno);
  6430. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_reg",
  6431. dir_s1d3));
  6432. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6433. EXPECT_EQ(0, records.access);
  6434. EXPECT_EQ(1, records.domain);
  6435. }
  6436. TEST_F(audit_layout1, make_sock)
  6437. {
  6438. struct audit_records records;
  6439. EXPECT_EQ(0, unlink(file1_s1d3));
  6440. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6441. .handled_access_fs = access_fs_16,
  6442. });
  6443. EXPECT_EQ(-1, mknod(file1_s1d3, S_IFSOCK | 0644, 0));
  6444. EXPECT_EQ(EACCES, errno);
  6445. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_sock",
  6446. dir_s1d3));
  6447. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6448. EXPECT_EQ(0, records.access);
  6449. EXPECT_EQ(1, records.domain);
  6450. }
  6451. TEST_F(audit_layout1, make_fifo)
  6452. {
  6453. struct audit_records records;
  6454. EXPECT_EQ(0, unlink(file1_s1d3));
  6455. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6456. .handled_access_fs = access_fs_16,
  6457. });
  6458. EXPECT_EQ(-1, mknod(file1_s1d3, S_IFIFO | 0644, 0));
  6459. EXPECT_EQ(EACCES, errno);
  6460. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_fifo",
  6461. dir_s1d3));
  6462. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6463. EXPECT_EQ(0, records.access);
  6464. EXPECT_EQ(1, records.domain);
  6465. }
  6466. TEST_F(audit_layout1, make_block)
  6467. {
  6468. struct audit_records records;
  6469. EXPECT_EQ(0, unlink(file1_s1d3));
  6470. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6471. .handled_access_fs = access_fs_16,
  6472. });
  6473. EXPECT_EQ(-1, mknod(file1_s1d3, S_IFBLK | 0644, 0));
  6474. EXPECT_EQ(EACCES, errno);
  6475. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6476. "fs\\.make_block", dir_s1d3));
  6477. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6478. EXPECT_EQ(0, records.access);
  6479. EXPECT_EQ(1, records.domain);
  6480. }
  6481. TEST_F(audit_layout1, make_sym)
  6482. {
  6483. struct audit_records records;
  6484. EXPECT_EQ(0, unlink(file1_s1d3));
  6485. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6486. .handled_access_fs = access_fs_16,
  6487. });
  6488. EXPECT_EQ(-1, symlink("target", file1_s1d3));
  6489. EXPECT_EQ(EACCES, errno);
  6490. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_sym",
  6491. dir_s1d3));
  6492. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6493. EXPECT_EQ(0, records.access);
  6494. EXPECT_EQ(1, records.domain);
  6495. }
  6496. TEST_F(audit_layout1, refer_handled)
  6497. {
  6498. struct audit_records records;
  6499. EXPECT_EQ(0, unlink(file1_s1d3));
  6500. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6501. .handled_access_fs =
  6502. LANDLOCK_ACCESS_FS_REFER,
  6503. });
  6504. EXPECT_EQ(-1, link(file1_s1d1, file1_s1d3));
  6505. EXPECT_EQ(EXDEV, errno);
  6506. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
  6507. dir_s1d1));
  6508. EXPECT_EQ(0,
  6509. matches_log_domain_allocated(self->audit_fd, getpid(), NULL));
  6510. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
  6511. dir_s1d3));
  6512. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6513. EXPECT_EQ(0, records.access);
  6514. EXPECT_EQ(0, records.domain);
  6515. }
  6516. TEST_F(audit_layout1, refer_make)
  6517. {
  6518. struct audit_records records;
  6519. EXPECT_EQ(0, unlink(file1_s1d3));
  6520. drop_access_rights(_metadata,
  6521. &(struct landlock_ruleset_attr){
  6522. .handled_access_fs =
  6523. LANDLOCK_ACCESS_FS_MAKE_REG |
  6524. LANDLOCK_ACCESS_FS_REFER,
  6525. });
  6526. EXPECT_EQ(-1, link(file1_s1d1, file1_s1d3));
  6527. EXPECT_EQ(EACCES, errno);
  6528. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
  6529. dir_s1d1));
  6530. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6531. "fs\\.make_reg,fs\\.refer", dir_s1d3));
  6532. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6533. EXPECT_EQ(0, records.access);
  6534. EXPECT_EQ(0, records.domain);
  6535. }
  6536. TEST_F(audit_layout1, refer_rename)
  6537. {
  6538. struct audit_records records;
  6539. EXPECT_EQ(0, unlink(file1_s1d3));
  6540. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6541. .handled_access_fs = access_fs_16,
  6542. });
  6543. EXPECT_EQ(EACCES, test_rename(file1_s1d2, file1_s2d3));
  6544. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6545. "fs\\.remove_file,fs\\.refer", dir_s1d2));
  6546. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6547. "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
  6548. dir_s2d3));
  6549. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6550. EXPECT_EQ(0, records.access);
  6551. EXPECT_EQ(0, records.domain);
  6552. }
  6553. TEST_F(audit_layout1, refer_exchange)
  6554. {
  6555. struct audit_records records;
  6556. EXPECT_EQ(0, unlink(file1_s1d3));
  6557. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6558. .handled_access_fs = access_fs_16,
  6559. });
  6560. /*
  6561. * The only difference with the previous audit_layout1.refer_rename test is
  6562. * the extra ",fs\\.make_reg" blocked by the source directory.
  6563. */
  6564. EXPECT_EQ(EACCES, test_exchange(file1_s1d2, file1_s2d3));
  6565. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6566. "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
  6567. dir_s1d2));
  6568. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6569. "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
  6570. dir_s2d3));
  6571. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6572. EXPECT_EQ(0, records.access);
  6573. EXPECT_EQ(0, records.domain);
  6574. }
  6575. /*
  6576. * This test checks that the audit record is correctly generated when the
  6577. * operation is only partially denied. This is the case for rename(2) when the
  6578. * source file is allowed to be referenced but the destination directory is not.
  6579. *
  6580. * This is also a regression test for commit d617f0d72d80 ("landlock: Optimize
  6581. * file path walks and prepare for audit support") and commit 058518c20920
  6582. * ("landlock: Align partial refer access checks with final ones").
  6583. */
  6584. TEST_F(audit_layout1, refer_rename_half)
  6585. {
  6586. struct audit_records records;
  6587. const struct rule layer1[] = {
  6588. {
  6589. .path = dir_s2d2,
  6590. .access = LANDLOCK_ACCESS_FS_REFER,
  6591. },
  6592. {},
  6593. };
  6594. int ruleset_fd =
  6595. create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
  6596. ASSERT_LE(0, ruleset_fd);
  6597. enforce_ruleset(_metadata, ruleset_fd);
  6598. ASSERT_EQ(0, close(ruleset_fd));
  6599. ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
  6600. ASSERT_EQ(EXDEV, errno);
  6601. /* Only half of the request is denied. */
  6602. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
  6603. dir_s1d1));
  6604. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6605. EXPECT_EQ(0, records.access);
  6606. EXPECT_EQ(1, records.domain);
  6607. }
  6608. TEST_F(audit_layout1, truncate)
  6609. {
  6610. struct audit_records records;
  6611. drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
  6612. .handled_access_fs = access_fs_16,
  6613. });
  6614. EXPECT_EQ(-1, truncate(file1_s1d3, 0));
  6615. EXPECT_EQ(EACCES, errno);
  6616. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.truncate",
  6617. file1_s1d3));
  6618. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6619. EXPECT_EQ(0, records.access);
  6620. EXPECT_EQ(1, records.domain);
  6621. }
  6622. TEST_F(audit_layout1, ioctl_dev)
  6623. {
  6624. struct audit_records records;
  6625. int fd;
  6626. drop_access_rights(_metadata,
  6627. &(struct landlock_ruleset_attr){
  6628. .handled_access_fs =
  6629. access_fs_16 &
  6630. ~LANDLOCK_ACCESS_FS_READ_FILE,
  6631. });
  6632. fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
  6633. ASSERT_LE(0, fd);
  6634. EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD));
  6635. EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
  6636. "fs\\.ioctl_dev", "/dev/null",
  6637. " ioctlcmd=0x541b"));
  6638. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6639. EXPECT_EQ(0, records.access);
  6640. EXPECT_EQ(1, records.domain);
  6641. }
  6642. TEST_F(audit_layout1, mount)
  6643. {
  6644. struct audit_records records;
  6645. drop_access_rights(_metadata,
  6646. &(struct landlock_ruleset_attr){
  6647. .handled_access_fs =
  6648. LANDLOCK_ACCESS_FS_EXECUTE,
  6649. });
  6650. set_cap(_metadata, CAP_SYS_ADMIN);
  6651. EXPECT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
  6652. EXPECT_EQ(EPERM, errno);
  6653. clear_cap(_metadata, CAP_SYS_ADMIN);
  6654. EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
  6655. "fs\\.change_topology", dir_s3d2));
  6656. EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
  6657. EXPECT_EQ(0, records.access);
  6658. EXPECT_EQ(1, records.domain);
  6659. }
  6660. TEST_HARNESS_MAIN