| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646 |
- // SPDX-License-Identifier: GPL-2.0
- /*
- * Landlock tests - Filesystem
- *
- * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
- * Copyright © 2020 ANSSI
- * Copyright © 2020-2022 Microsoft Corporation
- */
- #define _GNU_SOURCE
- #include <asm/termbits.h>
- #include <fcntl.h>
- #include <libgen.h>
- #include <linux/fiemap.h>
- #include <linux/landlock.h>
- #include <linux/magic.h>
- #include <sched.h>
- #include <stddef.h>
- #include <stdio.h>
- #include <string.h>
- #include <sys/capability.h>
- #include <sys/ioctl.h>
- #include <sys/mount.h>
- #include <sys/prctl.h>
- #include <sys/sendfile.h>
- #include <sys/socket.h>
- #include <sys/stat.h>
- #include <sys/sysmacros.h>
- #include <sys/un.h>
- #include <sys/vfs.h>
- #include <unistd.h>
- /*
- * Intentionally included last to work around header conflict.
- * See https://sourceware.org/glibc/wiki/Synchronizing_Headers.
- */
- #include <linux/fs.h>
- #include <linux/mount.h>
- /* Defines AT_EXECVE_CHECK without type conflicts. */
- #define _ASM_GENERIC_FCNTL_H
- #include <linux/fcntl.h>
- #include "audit.h"
- #include "common.h"
- #ifndef renameat2
- int renameat2(int olddirfd, const char *oldpath, int newdirfd,
- const char *newpath, unsigned int flags)
- {
- return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath,
- flags);
- }
- #endif
- #ifndef open_tree
- int open_tree(int dfd, const char *filename, unsigned int flags)
- {
- return syscall(__NR_open_tree, dfd, filename, flags);
- }
- #endif
- static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
- char *const envp[], int flags)
- {
- return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
- }
- #ifndef RENAME_EXCHANGE
- #define RENAME_EXCHANGE (1 << 1)
- #endif
- static const char bin_true[] = "./true";
- /* Paths (sibling number and depth) */
- static const char dir_s1d1[] = TMP_DIR "/s1d1";
- static const char file1_s1d1[] = TMP_DIR "/s1d1/f1";
- static const char file2_s1d1[] = TMP_DIR "/s1d1/f2";
- static const char dir_s1d2[] = TMP_DIR "/s1d1/s1d2";
- static const char file1_s1d2[] = TMP_DIR "/s1d1/s1d2/f1";
- static const char file2_s1d2[] = TMP_DIR "/s1d1/s1d2/f2";
- static const char dir_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3";
- static const char file1_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f1";
- static const char file2_s1d3[] = TMP_DIR "/s1d1/s1d2/s1d3/f2";
- static const char dir_s2d1[] = TMP_DIR "/s2d1";
- static const char file1_s2d1[] = TMP_DIR "/s2d1/f1";
- static const char dir_s2d2[] = TMP_DIR "/s2d1/s2d2";
- static const char file1_s2d2[] = TMP_DIR "/s2d1/s2d2/f1";
- static const char dir_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3";
- static const char file1_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f1";
- static const char file2_s2d3[] = TMP_DIR "/s2d1/s2d2/s2d3/f2";
- static const char dir_s3d1[] = TMP_DIR "/s3d1";
- static const char file1_s3d1[] = TMP_DIR "/s3d1/f1";
- /* dir_s3d2 is a mount point. */
- static const char dir_s3d2[] = TMP_DIR "/s3d1/s3d2";
- static const char dir_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3";
- static const char file1_s3d3[] = TMP_DIR "/s3d1/s3d2/s3d3/f1";
- static const char dir_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4";
- static const char file1_s3d4[] = TMP_DIR "/s3d1/s3d2/s3d4/f1";
- /*
- * layout1 hierarchy:
- *
- * tmp
- * ├── s1d1
- * │ ├── f1
- * │ ├── f2
- * │ └── s1d2
- * │ ├── f1
- * │ ├── f2
- * │ └── s1d3
- * │ ├── f1
- * │ └── f2
- * ├── s2d1
- * │ ├── f1
- * │ └── s2d2
- * │ ├── f1
- * │ └── s2d3
- * │ ├── f1
- * │ └── f2
- * └── s3d1
- * ├── f1
- * └── s3d2 [mount point]
- * ├── s3d3
- * │ └── f1
- * └── s3d4
- * └── f1
- */
- static bool fgrep(FILE *const inf, const char *const str)
- {
- char line[32];
- const int slen = strlen(str);
- while (!feof(inf)) {
- if (!fgets(line, sizeof(line), inf))
- break;
- if (strncmp(line, str, slen))
- continue;
- return true;
- }
- return false;
- }
- static bool supports_filesystem(const char *const filesystem)
- {
- char str[32];
- int len;
- bool res = true;
- FILE *const inf = fopen("/proc/filesystems", "r");
- /*
- * Consider that the filesystem is supported if we cannot get the
- * supported ones.
- */
- if (!inf)
- return true;
- /* filesystem can be null for bind mounts. */
- if (!filesystem)
- goto out;
- len = snprintf(str, sizeof(str), "nodev\t%s\n", filesystem);
- if (len >= sizeof(str))
- /* Ignores too-long filesystem names. */
- goto out;
- res = fgrep(inf, str);
- out:
- fclose(inf);
- return res;
- }
- static bool cwd_matches_fs(unsigned int fs_magic)
- {
- struct statfs statfs_buf;
- if (!fs_magic)
- return true;
- if (statfs(".", &statfs_buf))
- return true;
- return statfs_buf.f_type == fs_magic;
- }
- static void mkdir_parents(struct __test_metadata *const _metadata,
- const char *const path)
- {
- char *walker;
- const char *parent;
- int i, err;
- ASSERT_NE(path[0], '\0');
- walker = strdup(path);
- ASSERT_NE(NULL, walker);
- parent = walker;
- for (i = 1; walker[i]; i++) {
- if (walker[i] != '/')
- continue;
- walker[i] = '\0';
- err = mkdir(parent, 0700);
- ASSERT_FALSE(err && errno != EEXIST)
- {
- TH_LOG("Failed to create directory \"%s\": %s", parent,
- strerror(errno));
- }
- walker[i] = '/';
- }
- free(walker);
- }
- static void create_directory(struct __test_metadata *const _metadata,
- const char *const path)
- {
- mkdir_parents(_metadata, path);
- ASSERT_EQ(0, mkdir(path, 0700))
- {
- TH_LOG("Failed to create directory \"%s\": %s", path,
- strerror(errno));
- }
- }
- static void create_file(struct __test_metadata *const _metadata,
- const char *const path)
- {
- mkdir_parents(_metadata, path);
- ASSERT_EQ(0, mknod(path, S_IFREG | 0700, 0))
- {
- TH_LOG("Failed to create file \"%s\": %s", path,
- strerror(errno));
- }
- }
- static int remove_path(const char *const path)
- {
- char *walker;
- int i, ret, err = 0;
- walker = strdup(path);
- if (!walker) {
- err = ENOMEM;
- goto out;
- }
- if (unlink(path) && rmdir(path)) {
- if (errno != ENOENT && errno != ENOTDIR)
- err = errno;
- goto out;
- }
- for (i = strlen(walker); i > 0; i--) {
- if (walker[i] != '/')
- continue;
- walker[i] = '\0';
- ret = rmdir(walker);
- if (ret) {
- if (errno != ENOTEMPTY && errno != EBUSY)
- err = errno;
- goto out;
- }
- if (strcmp(walker, TMP_DIR) == 0)
- goto out;
- }
- out:
- free(walker);
- return err;
- }
- struct mnt_opt {
- const char *const source;
- const char *const type;
- const unsigned long flags;
- const char *const data;
- };
- #define MNT_TMP_DATA "size=4m,mode=700"
- static const struct mnt_opt mnt_tmp = {
- .type = "tmpfs",
- .data = MNT_TMP_DATA,
- };
- static int mount_opt(const struct mnt_opt *const mnt, const char *const target)
- {
- return mount(mnt->source ?: mnt->type, target, mnt->type, mnt->flags,
- mnt->data);
- }
- static void prepare_layout_opt(struct __test_metadata *const _metadata,
- const struct mnt_opt *const mnt)
- {
- disable_caps(_metadata);
- umask(0077);
- create_directory(_metadata, TMP_DIR);
- /*
- * Do not pollute the rest of the system: creates a private mount point
- * for tests relying on pivot_root(2) and move_mount(2).
- */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, unshare(CLONE_NEWNS | CLONE_NEWCGROUP));
- ASSERT_EQ(0, mount_opt(mnt, TMP_DIR))
- {
- TH_LOG("Failed to mount the %s filesystem: %s", mnt->type,
- strerror(errno));
- /*
- * FIXTURE_TEARDOWN() is not called when FIXTURE_SETUP()
- * failed, so we need to explicitly do a minimal cleanup to
- * avoid cascading errors with other tests that don't depend on
- * the same filesystem.
- */
- remove_path(TMP_DIR);
- }
- ASSERT_EQ(0, mount(NULL, TMP_DIR, NULL, MS_PRIVATE | MS_REC, NULL));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- static void prepare_layout(struct __test_metadata *const _metadata)
- {
- prepare_layout_opt(_metadata, &mnt_tmp);
- }
- static void cleanup_layout(struct __test_metadata *const _metadata)
- {
- set_cap(_metadata, CAP_SYS_ADMIN);
- if (umount(TMP_DIR)) {
- /*
- * According to the test environment, the mount point of the
- * current directory may be shared or not, which changes the
- * visibility of the nested TMP_DIR mount point for the test's
- * parent process doing this cleanup.
- */
- ASSERT_EQ(EINVAL, errno);
- }
- clear_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(0, remove_path(TMP_DIR));
- }
- /* clang-format off */
- FIXTURE(layout0) {};
- /* clang-format on */
- FIXTURE_SETUP(layout0)
- {
- prepare_layout(_metadata);
- }
- FIXTURE_TEARDOWN_PARENT(layout0)
- {
- cleanup_layout(_metadata);
- }
- static void create_layout1(struct __test_metadata *const _metadata)
- {
- create_file(_metadata, file1_s1d1);
- create_file(_metadata, file1_s1d2);
- create_file(_metadata, file1_s1d3);
- create_file(_metadata, file2_s1d1);
- create_file(_metadata, file2_s1d2);
- create_file(_metadata, file2_s1d3);
- create_file(_metadata, file1_s2d1);
- create_file(_metadata, file1_s2d2);
- create_file(_metadata, file1_s2d3);
- create_file(_metadata, file2_s2d3);
- create_file(_metadata, file1_s3d1);
- create_directory(_metadata, dir_s3d2);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- create_file(_metadata, file1_s3d3);
- create_file(_metadata, file1_s3d4);
- }
- static void remove_layout1(struct __test_metadata *const _metadata)
- {
- EXPECT_EQ(0, remove_path(file2_s1d3));
- EXPECT_EQ(0, remove_path(file2_s1d2));
- EXPECT_EQ(0, remove_path(file2_s1d1));
- EXPECT_EQ(0, remove_path(file1_s1d3));
- EXPECT_EQ(0, remove_path(file1_s1d2));
- EXPECT_EQ(0, remove_path(file1_s1d1));
- EXPECT_EQ(0, remove_path(dir_s1d3));
- EXPECT_EQ(0, remove_path(file2_s2d3));
- EXPECT_EQ(0, remove_path(file1_s2d3));
- EXPECT_EQ(0, remove_path(file1_s2d2));
- EXPECT_EQ(0, remove_path(file1_s2d1));
- EXPECT_EQ(0, remove_path(dir_s2d2));
- EXPECT_EQ(0, remove_path(file1_s3d1));
- EXPECT_EQ(0, remove_path(file1_s3d3));
- EXPECT_EQ(0, remove_path(file1_s3d4));
- set_cap(_metadata, CAP_SYS_ADMIN);
- umount(dir_s3d2);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(0, remove_path(dir_s3d2));
- }
- /* clang-format off */
- FIXTURE(layout1) {};
- /* clang-format on */
- FIXTURE_SETUP(layout1)
- {
- prepare_layout(_metadata);
- create_layout1(_metadata);
- }
- FIXTURE_TEARDOWN_PARENT(layout1)
- {
- remove_layout1(_metadata);
- cleanup_layout(_metadata);
- }
- /*
- * This helper enables to use the ASSERT_* macros and print the line number
- * pointing to the test caller.
- */
- static int test_open_rel(const int dirfd, const char *const path,
- const int flags)
- {
- int fd;
- /* Works with file and directories. */
- fd = openat(dirfd, path, flags | O_CLOEXEC);
- if (fd < 0)
- return errno;
- /*
- * Mixing error codes from close(2) and open(2) should not lead to any
- * (access type) confusion for this test.
- */
- if (close(fd) != 0)
- return errno;
- return 0;
- }
- static int test_open(const char *const path, const int flags)
- {
- return test_open_rel(AT_FDCWD, path, flags);
- }
- TEST_F_FORK(layout1, no_restriction)
- {
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file2_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file2_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s2d3, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
- }
- TEST_F_FORK(layout1, inval)
- {
- struct landlock_path_beneath_attr path_beneath = {
- .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- .parent_fd = -1,
- };
- struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- };
- int ruleset_fd;
- path_beneath.parent_fd =
- open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- /* Returns EBADF because ruleset_fd is not a landlock-ruleset FD. */
- ASSERT_EQ(EBADF, errno);
- ASSERT_EQ(0, close(ruleset_fd));
- ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- /* Returns EBADFD because ruleset_fd is not a valid ruleset. */
- ASSERT_EQ(EBADFD, errno);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Gets a real ruleset. */
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- /* Tests without O_PATH. */
- path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- /* Tests with a ruleset FD. */
- path_beneath.parent_fd = ruleset_fd;
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(EBADFD, errno);
- /* Checks unhandled allowed_access. */
- path_beneath.parent_fd =
- open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- /* Test with legitimate values. */
- path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE;
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(EINVAL, errno);
- path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE;
- /* Tests with denied-by-default access right. */
- path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER;
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(EINVAL, errno);
- path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER;
- /* Test with unknown (64-bits) value. */
- path_beneath.allowed_access |= (1ULL << 60);
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(EINVAL, errno);
- path_beneath.allowed_access &= ~(1ULL << 60);
- /* Test with no access. */
- path_beneath.allowed_access = 0;
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(ENOMSG, errno);
- path_beneath.allowed_access &= ~(1ULL << 60);
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- /* Enforces the ruleset. */
- ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
- ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
- ASSERT_EQ(0, close(ruleset_fd));
- }
- /* clang-format off */
- #define ACCESS_FILE ( \
- LANDLOCK_ACCESS_FS_EXECUTE | \
- LANDLOCK_ACCESS_FS_WRITE_FILE | \
- LANDLOCK_ACCESS_FS_READ_FILE | \
- LANDLOCK_ACCESS_FS_TRUNCATE | \
- LANDLOCK_ACCESS_FS_IOCTL_DEV)
- #define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV
- #define ACCESS_ALL ( \
- ACCESS_FILE | \
- LANDLOCK_ACCESS_FS_READ_DIR | \
- LANDLOCK_ACCESS_FS_REMOVE_DIR | \
- LANDLOCK_ACCESS_FS_REMOVE_FILE | \
- LANDLOCK_ACCESS_FS_MAKE_CHAR | \
- LANDLOCK_ACCESS_FS_MAKE_DIR | \
- LANDLOCK_ACCESS_FS_MAKE_REG | \
- LANDLOCK_ACCESS_FS_MAKE_SOCK | \
- LANDLOCK_ACCESS_FS_MAKE_FIFO | \
- LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
- LANDLOCK_ACCESS_FS_MAKE_SYM | \
- LANDLOCK_ACCESS_FS_REFER)
- /* clang-format on */
- TEST_F_FORK(layout1, file_and_dir_access_rights)
- {
- __u64 access;
- int err;
- struct landlock_path_beneath_attr path_beneath_file = {},
- path_beneath_dir = {};
- struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = ACCESS_ALL,
- };
- const int ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- /* Tests access rights for files. */
- path_beneath_file.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, path_beneath_file.parent_fd);
- /* Tests access rights for directories. */
- path_beneath_dir.parent_fd =
- open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, path_beneath_dir.parent_fd);
- for (access = 1; access <= ACCESS_LAST; access <<= 1) {
- path_beneath_dir.allowed_access = access;
- ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
- LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath_dir, 0));
- path_beneath_file.allowed_access = access;
- err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath_file, 0);
- if (access & ACCESS_FILE) {
- ASSERT_EQ(0, err);
- } else {
- ASSERT_EQ(-1, err);
- ASSERT_EQ(EINVAL, errno);
- }
- }
- ASSERT_EQ(0, close(path_beneath_file.parent_fd));
- ASSERT_EQ(0, close(path_beneath_dir.parent_fd));
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout0, ruleset_with_unknown_access)
- {
- __u64 access_mask;
- for (access_mask = 1ULL << 63; access_mask != ACCESS_LAST;
- access_mask >>= 1) {
- struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = access_mask,
- };
- ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr,
- sizeof(ruleset_attr), 0));
- ASSERT_EQ(EINVAL, errno);
- }
- }
- TEST_F_FORK(layout0, rule_with_unknown_access)
- {
- __u64 access;
- struct landlock_path_beneath_attr path_beneath = {};
- const struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = ACCESS_ALL,
- };
- const int ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- path_beneath.parent_fd =
- open(TMP_DIR, O_PATH | O_DIRECTORY | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- for (access = 1ULL << 63; access != ACCESS_LAST; access >>= 1) {
- path_beneath.allowed_access = access;
- EXPECT_EQ(-1, landlock_add_rule(ruleset_fd,
- LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- EXPECT_EQ(EINVAL, errno);
- }
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, rule_with_unhandled_access)
- {
- struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
- };
- struct landlock_path_beneath_attr path_beneath = {};
- int ruleset_fd;
- __u64 access;
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- for (access = 1; access > 0; access <<= 1) {
- int err;
- path_beneath.allowed_access = access;
- err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0);
- if (access == ruleset_attr.handled_access_fs) {
- EXPECT_EQ(0, err);
- } else {
- EXPECT_EQ(-1, err);
- EXPECT_EQ(EINVAL, errno);
- }
- }
- EXPECT_EQ(0, close(path_beneath.parent_fd));
- EXPECT_EQ(0, close(ruleset_fd));
- }
- static void add_path_beneath(struct __test_metadata *const _metadata,
- const int ruleset_fd, const __u64 allowed_access,
- const char *const path)
- {
- struct landlock_path_beneath_attr path_beneath = {
- .allowed_access = allowed_access,
- };
- path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd)
- {
- TH_LOG("Failed to open directory \"%s\": %s", path,
- strerror(errno));
- }
- ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0))
- {
- TH_LOG("Failed to update the ruleset with \"%s\": %s", path,
- strerror(errno));
- }
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- }
- struct rule {
- const char *path;
- __u64 access;
- };
- /* clang-format off */
- #define ACCESS_RO ( \
- LANDLOCK_ACCESS_FS_READ_FILE | \
- LANDLOCK_ACCESS_FS_READ_DIR)
- #define ACCESS_RW ( \
- ACCESS_RO | \
- LANDLOCK_ACCESS_FS_WRITE_FILE)
- /* clang-format on */
- static int create_ruleset(struct __test_metadata *const _metadata,
- const __u64 handled_access_fs,
- const struct rule rules[])
- {
- int ruleset_fd, i;
- struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = handled_access_fs,
- };
- ASSERT_NE(NULL, rules)
- {
- TH_LOG("No rule list");
- }
- ASSERT_NE(NULL, rules[0].path)
- {
- TH_LOG("Empty rule list");
- }
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd)
- {
- TH_LOG("Failed to create a ruleset: %s", strerror(errno));
- }
- for (i = 0; rules[i].path; i++) {
- if (!rules[i].access)
- continue;
- add_path_beneath(_metadata, ruleset_fd, rules[i].access,
- rules[i].path);
- }
- return ruleset_fd;
- }
- TEST_F_FORK(layout0, proc_nsfs)
- {
- const struct rule rules[] = {
- {
- .path = "/dev/null",
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- struct landlock_path_beneath_attr path_beneath;
- const int ruleset_fd = create_ruleset(
- _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR,
- rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY));
- ASSERT_EQ(0, test_open("/dev/null", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/dev/full", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/proc", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/proc/self", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/proc/self/ns", O_RDONLY));
- /*
- * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a
- * disconnected path. Such path cannot be identified and must then be
- * allowed.
- */
- ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY));
- /*
- * Checks that it is not possible to add nsfs-like filesystem
- * references to a ruleset.
- */
- path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC);
- ASSERT_LE(0, path_beneath.parent_fd);
- ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &path_beneath, 0));
- ASSERT_EQ(EBADFD, errno);
- ASSERT_EQ(0, close(path_beneath.parent_fd));
- }
- TEST_F_FORK(layout0, unpriv)
- {
- const struct rule rules[] = {
- {
- .path = TMP_DIR,
- .access = ACCESS_RO,
- },
- {},
- };
- int ruleset_fd;
- drop_caps(_metadata);
- ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0));
- ASSERT_EQ(EPERM, errno);
- /* enforce_ruleset() calls prctl(no_new_privs). */
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, effective_access)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = ACCESS_RO,
- },
- {
- .path = file1_s2d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- char buf;
- int reg_fd;
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Tests on a directory (with or without O_PATH). */
- ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
- ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- /* Tests on a file (with or without O_PATH). */
- ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH));
- ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
- /* Checks effective read and write actions. */
- reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC);
- ASSERT_LE(0, reg_fd);
- ASSERT_EQ(1, write(reg_fd, ".", 1));
- ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET));
- ASSERT_EQ(1, read(reg_fd, &buf, 1));
- ASSERT_EQ('.', buf);
- ASSERT_EQ(0, close(reg_fd));
- /* Just in case, double-checks effective actions. */
- reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, reg_fd);
- ASSERT_EQ(-1, write(reg_fd, &buf, 1));
- ASSERT_EQ(EBADF, errno);
- ASSERT_EQ(0, close(reg_fd));
- }
- TEST_F_FORK(layout1, unhandled_access)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = ACCESS_RO,
- },
- {},
- };
- /* Here, we only handle read accesses, not write accesses. */
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Because the policy does not handle LANDLOCK_ACCESS_FS_WRITE_FILE,
- * opening for write-only should be allowed, but not read-write.
- */
- ASSERT_EQ(0, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
- }
- TEST_F_FORK(layout1, ruleset_overlap)
- {
- const struct rule rules[] = {
- /* These rules should be ORed among them. */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks s1d1 hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d2 hierarchy. */
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Checks s1d3 hierarchy. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- }
- TEST_F_FORK(layout1, layer_rule_unions)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const struct rule layer2[] = {
- /* Doesn't change anything from layer1. */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const struct rule layer3[] = {
- /* Only allows write (but not read) to dir_s1d3. */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks s1d1 hierarchy with layer1. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d2 hierarchy with layer1. */
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d3 hierarchy with layer1. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
- /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Doesn't change anything from layer1. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks s1d1 hierarchy with layer2. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d2 hierarchy with layer2. */
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d3 hierarchy with layer2. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
- /* dir_s1d3 should allow READ_FILE and WRITE_FILE (O_RDWR). */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Only allows write (but not read) to dir_s1d3. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks s1d1 hierarchy with layer3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d2 hierarchy with layer3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Checks s1d3 hierarchy with layer3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_WRONLY));
- /* dir_s1d3 should now deny READ_FILE and WRITE_FILE (O_RDWR). */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- }
- TEST_F_FORK(layout1, non_overlapping_accesses)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {},
- };
- const struct rule layer2[] = {
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- int ruleset_fd;
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REMOVE_FILE,
- layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Unchanged accesses for file creation. */
- ASSERT_EQ(-1, mknod(file1_s1d1, S_IFREG | 0700, 0));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, mknod(file1_s1d2, S_IFREG | 0700, 0));
- /* Checks file removing. */
- ASSERT_EQ(-1, unlink(file1_s1d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, unlink(file1_s1d3));
- }
- TEST_F_FORK(layout1, interleaved_masked_accesses)
- {
- /*
- * Checks overly restrictive rules:
- * layer 1: allows R s1d1/s1d2/s1d3/file1
- * layer 2: allows RW s1d1/s1d2/s1d3
- * allows W s1d1/s1d2
- * denies R s1d1/s1d2
- * layer 3: allows R s1d1
- * layer 4: allows R s1d1/s1d2
- * denies W s1d1/s1d2
- * layer 5: allows R s1d1/s1d2
- * layer 6: allows X ----
- * layer 7: allows W s1d1/s1d2
- * denies R s1d1/s1d2
- */
- const struct rule layer1_read[] = {
- /* Allows read access to file1_s1d3 with the first layer. */
- {
- .path = file1_s1d3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- /* First rule with write restrictions. */
- const struct rule layer2_read_write[] = {
- /* Start by granting read-write access via its parent directory... */
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- /* ...but also denies read access via its grandparent directory. */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const struct rule layer3_read[] = {
- /* Allows read access via its great-grandparent directory. */
- {
- .path = dir_s1d1,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const struct rule layer4_read_write[] = {
- /*
- * Try to confuse the deny access by denying write (but not
- * read) access via its grandparent directory.
- */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const struct rule layer5_read[] = {
- /*
- * Try to override layer2's deny read access by explicitly
- * allowing read access via file1_s1d3's grandparent.
- */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const struct rule layer6_execute[] = {
- /*
- * Restricts an unrelated file hierarchy with a new access
- * (non-overlapping) type.
- */
- {
- .path = dir_s2d1,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {},
- };
- const struct rule layer7_read_write[] = {
- /*
- * Finally, denies read access to file1_s1d3 via its
- * grandparent.
- */
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- int ruleset_fd;
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
- layer1_read);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that read access is granted for file1_s1d3 with layer 1. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
- ruleset_fd = create_ruleset(_metadata,
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- layer2_read_write);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that previous access rights are unchanged with layer 2. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
- layer3_read);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that previous access rights are unchanged with layer 3. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDWR));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file2_s1d3, O_WRONLY));
- /* This time, denies write access for the file hierarchy. */
- ruleset_fd = create_ruleset(_metadata,
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- layer4_read_write);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Checks that the only change with layer 4 is that write access is
- * denied.
- */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
- layer5_read);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that previous access rights are unchanged with layer 5. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_EXECUTE,
- layer6_execute);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that previous access rights are unchanged with layer 6. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- ruleset_fd = create_ruleset(_metadata,
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- layer7_read_write);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks read access is now denied with layer 7. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(file2_s1d3, O_RDONLY));
- }
- TEST_F_FORK(layout1, inherit_subset)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* Write access is forbidden. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- /* Readdir access is allowed. */
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Write access is forbidden. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- /* Readdir access is allowed. */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /*
- * Tests shared rule extension: the following rules should not grant
- * any new access, only remove some. Once enforced, these rules are
- * ANDed with the previous ones.
- */
- add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
- dir_s1d2);
- /*
- * According to ruleset_fd, dir_s1d2 should now have the
- * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE
- * access rights (even if this directory is opened a second time).
- * However, when enforcing this updated ruleset, the ruleset tied to
- * the current process (i.e. its domain) will still only have the
- * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and
- * LANDLOCK_ACCESS_FS_READ_DIR accesses, but
- * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would
- * be a privilege escalation.
- */
- enforce_ruleset(_metadata, ruleset_fd);
- /* Same tests and results as above. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d2. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- /* Readdir access is still allowed. */
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- /* Readdir access is still allowed. */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /*
- * Try to get more privileges by adding new access rights to the parent
- * directory: dir_s1d1.
- */
- add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1);
- enforce_ruleset(_metadata, ruleset_fd);
- /* Same tests and results as above. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d2. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- /* Readdir access is still allowed. */
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- /* Readdir access is still allowed. */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /*
- * Now, dir_s1d3 get a new rule tied to it, only allowing
- * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is
- * that there was no rule tied to it before.
- */
- add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE,
- dir_s1d3);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Same tests and results as above, except for open(dir_s1d3) which is
- * now denied because the new rule mask the rule previously inherited
- * from dir_s1d2.
- */
- /* Same tests and results as above. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d2. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- /* Readdir access is still allowed. */
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* It is still forbidden to write in file1_s1d3. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- /*
- * Readdir of dir_s1d3 is still allowed because of the OR policy inside
- * the same layer.
- */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- }
- TEST_F_FORK(layout1, inherit_superset)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d3,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- /* Readdir access is denied for dir_s1d2. */
- ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Readdir access is allowed for dir_s1d3. */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /* File access is allowed for file1_s1d3. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */
- add_path_beneath(_metadata, ruleset_fd,
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR,
- dir_s1d2);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Readdir access is still denied for dir_s1d2. */
- ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Readdir access is still allowed for dir_s1d3. */
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /* File access is still allowed for file1_s1d3. */
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- }
- TEST_F_FORK(layout0, max_layers)
- {
- int i, err;
- const struct rule rules[] = {
- {
- .path = TMP_DIR,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- for (i = 0; i < 16; i++)
- enforce_ruleset(_metadata, ruleset_fd);
- for (i = 0; i < 2; i++) {
- err = landlock_restrict_self(ruleset_fd, 0);
- ASSERT_EQ(-1, err);
- ASSERT_EQ(E2BIG, errno);
- }
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, empty_or_same_ruleset)
- {
- struct landlock_ruleset_attr ruleset_attr = {};
- int ruleset_fd;
- /* Tests empty handled_access_fs. */
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(-1, ruleset_fd);
- ASSERT_EQ(ENOMSG, errno);
- /* Enforces policy which deny read access to all files. */
- ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE;
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- /* Nests a policy which deny read access to all directories. */
- ruleset_attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR;
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
- /* Enforces a second time with the same ruleset. */
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, rule_on_mountpoint)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d1,
- .access = ACCESS_RO,
- },
- {
- /* dir_s3d2 is a mount point. */
- .path = dir_s3d2,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s3d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
- }
- TEST_F_FORK(layout1, rule_over_mountpoint)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d1,
- .access = ACCESS_RO,
- },
- {
- /* dir_s3d2 is a mount point. */
- .path = dir_s3d1,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d3, O_RDONLY));
- }
- /*
- * This test verifies that we can apply a landlock rule on the root directory
- * (which might require special handling).
- */
- TEST_F_FORK(layout1, rule_over_root_allow_then_deny)
- {
- struct rule rules[] = {
- {
- .path = "/",
- .access = ACCESS_RO,
- },
- {},
- };
- int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks allowed access. */
- ASSERT_EQ(0, test_open("/", O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- rules[0].access = LANDLOCK_ACCESS_FS_READ_FILE;
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks denied access (on a directory). */
- ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
- }
- TEST_F_FORK(layout1, rule_over_root_deny)
- {
- const struct rule rules[] = {
- {
- .path = "/",
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks denied access (on a directory). */
- ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY));
- }
- TEST_F_FORK(layout1, rule_inside_mount_ns)
- {
- const struct rule rules[] = {
- {
- .path = "s3d3",
- .access = ACCESS_RO,
- },
- {},
- };
- int ruleset_fd;
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3))
- {
- TH_LOG("Failed to pivot root: %s", strerror(errno));
- };
- ASSERT_EQ(0, chdir("/"));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, test_open("s3d3", O_RDONLY));
- ASSERT_EQ(EACCES, test_open("/", O_RDONLY));
- }
- TEST_F_FORK(layout1, mount_and_pivot)
- {
- const struct rule rules[] = {
- {
- .path = dir_s3d2,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
- ASSERT_EQ(EPERM, errno);
- ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
- ASSERT_EQ(EPERM, errno);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- TEST_F_FORK(layout1, move_mount)
- {
- const struct rule rules[] = {
- {
- .path = dir_s3d2,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
- dir_s1d2, 0))
- {
- TH_LOG("Failed to move mount: %s", strerror(errno));
- }
- ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
- dir_s3d2, 0));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
- dir_s1d2, 0));
- ASSERT_EQ(EPERM, errno);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- TEST_F_FORK(layout1, topology_changes_with_net_only)
- {
- const struct landlock_ruleset_attr ruleset_net = {
- .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
- LANDLOCK_ACCESS_NET_CONNECT_TCP,
- };
- int ruleset_fd;
- /* Add network restrictions. */
- ruleset_fd =
- landlock_create_ruleset(&ruleset_net, sizeof(ruleset_net), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Mount, remount, move_mount, umount, and pivot_root checks. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s1d2));
- ASSERT_EQ(0, mount(NULL, dir_s1d2, NULL, MS_PRIVATE | MS_REC, NULL));
- ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD,
- dir_s2d2, 0));
- ASSERT_EQ(0, umount(dir_s2d2));
- ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
- ASSERT_EQ(0, chdir("/"));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- TEST_F_FORK(layout1, topology_changes_with_net_and_fs)
- {
- const struct landlock_ruleset_attr ruleset_net_fs = {
- .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
- LANDLOCK_ACCESS_NET_CONNECT_TCP,
- .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE,
- };
- int ruleset_fd;
- /* Add network and filesystem restrictions. */
- ruleset_fd = landlock_create_ruleset(&ruleset_net_fs,
- sizeof(ruleset_net_fs), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Mount, remount, move_mount, umount, and pivot_root checks. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(-1, mount_opt(&mnt_tmp, dir_s1d2));
- ASSERT_EQ(EPERM, errno);
- ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_PRIVATE | MS_REC, NULL));
- ASSERT_EQ(EPERM, errno);
- ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD,
- dir_s2d2, 0));
- ASSERT_EQ(EPERM, errno);
- ASSERT_EQ(-1, umount(dir_s3d2));
- ASSERT_EQ(EPERM, errno);
- ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3));
- ASSERT_EQ(EPERM, errno);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- TEST_F_FORK(layout1, release_inodes)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d1,
- .access = ACCESS_RO,
- },
- {
- .path = dir_s3d2,
- .access = ACCESS_RO,
- },
- {
- .path = dir_s3d3,
- .access = ACCESS_RO,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
- ASSERT_LE(0, ruleset_fd);
- /* Unmount a file hierarchy while it is being used by a ruleset. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, umount(dir_s3d2));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
- /* This dir_s3d3 would not be allowed and does not exist anyway. */
- ASSERT_EQ(ENOENT, test_open(dir_s3d3, O_RDONLY));
- }
- /*
- * This test checks that a rule on a directory used as a mount point does not
- * grant access to the mount covering it. It is a generalization of the bind
- * mount case in layout3_fs.hostfs.release_inodes that tests hidden mount points.
- */
- TEST_F_FORK(layout1, covered_rule)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s3d2,
- .access = LANDLOCK_ACCESS_FS_READ_DIR,
- },
- {},
- };
- int ruleset_fd;
- /* Unmount to simplify FIXTURE_TEARDOWN. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, umount(dir_s3d2));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- /* Creates a ruleset with the future hidden directory. */
- ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
- ASSERT_LE(0, ruleset_fd);
- /* Covers with a new mount point. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount_opt(&mnt_tmp, dir_s3d2));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that access to the new mount point is denied. */
- ASSERT_EQ(EACCES, test_open(dir_s3d2, O_RDONLY));
- }
- enum relative_access {
- REL_OPEN,
- REL_CHDIR,
- REL_CHROOT_ONLY,
- REL_CHROOT_CHDIR,
- };
- static void test_relative_path(struct __test_metadata *const _metadata,
- const enum relative_access rel)
- {
- /*
- * Common layer to check that chroot doesn't ignore it (i.e. a chroot
- * is not a disconnected root directory).
- */
- const struct rule layer1_base[] = {
- {
- .path = TMP_DIR,
- .access = ACCESS_RO,
- },
- {},
- };
- const struct rule layer2_subs[] = {
- {
- .path = dir_s1d2,
- .access = ACCESS_RO,
- },
- {
- .path = dir_s2d2,
- .access = ACCESS_RO,
- },
- {},
- };
- int dirfd, ruleset_fd;
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_subs);
- ASSERT_LE(0, ruleset_fd);
- switch (rel) {
- case REL_OPEN:
- case REL_CHDIR:
- break;
- case REL_CHROOT_ONLY:
- ASSERT_EQ(0, chdir(dir_s2d2));
- break;
- case REL_CHROOT_CHDIR:
- ASSERT_EQ(0, chdir(dir_s1d2));
- break;
- default:
- ASSERT_TRUE(false);
- return;
- }
- set_cap(_metadata, CAP_SYS_CHROOT);
- enforce_ruleset(_metadata, ruleset_fd);
- switch (rel) {
- case REL_OPEN:
- dirfd = open(dir_s1d2, O_DIRECTORY);
- ASSERT_LE(0, dirfd);
- break;
- case REL_CHDIR:
- ASSERT_EQ(0, chdir(dir_s1d2));
- dirfd = AT_FDCWD;
- break;
- case REL_CHROOT_ONLY:
- /* Do chroot into dir_s1d2 (relative to dir_s2d2). */
- ASSERT_EQ(0, chroot("../../s1d1/s1d2"))
- {
- TH_LOG("Failed to chroot: %s", strerror(errno));
- }
- dirfd = AT_FDCWD;
- break;
- case REL_CHROOT_CHDIR:
- /* Do chroot into dir_s1d2. */
- ASSERT_EQ(0, chroot("."))
- {
- TH_LOG("Failed to chroot: %s", strerror(errno));
- }
- dirfd = AT_FDCWD;
- break;
- }
- ASSERT_EQ((rel == REL_CHROOT_CHDIR) ? 0 : EACCES,
- test_open_rel(dirfd, "..", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, ".", O_RDONLY));
- if (rel == REL_CHROOT_ONLY) {
- /* The current directory is dir_s2d2. */
- ASSERT_EQ(0, test_open_rel(dirfd, "./s2d3", O_RDONLY));
- } else {
- /* The current directory is dir_s1d2. */
- ASSERT_EQ(0, test_open_rel(dirfd, "./s1d3", O_RDONLY));
- }
- if (rel == REL_CHROOT_ONLY || rel == REL_CHROOT_CHDIR) {
- /* Checks the root dir_s1d2. */
- ASSERT_EQ(0, test_open_rel(dirfd, "/..", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "/", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "/f1", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "/s1d3", O_RDONLY));
- }
- if (rel != REL_CHROOT_CHDIR) {
- ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s1d1", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "../../s1d1/s1d2/s1d3",
- O_RDONLY));
- ASSERT_EQ(EACCES, test_open_rel(dirfd, "../../s2d1", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2", O_RDONLY));
- ASSERT_EQ(0, test_open_rel(dirfd, "../../s2d1/s2d2/s2d3",
- O_RDONLY));
- }
- if (rel == REL_OPEN)
- ASSERT_EQ(0, close(dirfd));
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, relative_open)
- {
- test_relative_path(_metadata, REL_OPEN);
- }
- TEST_F_FORK(layout1, relative_chdir)
- {
- test_relative_path(_metadata, REL_CHDIR);
- }
- TEST_F_FORK(layout1, relative_chroot_only)
- {
- test_relative_path(_metadata, REL_CHROOT_ONLY);
- }
- TEST_F_FORK(layout1, relative_chroot_chdir)
- {
- test_relative_path(_metadata, REL_CHROOT_CHDIR);
- }
- static void copy_file(struct __test_metadata *const _metadata,
- const char *const src_path, const char *const dst_path)
- {
- int dst_fd, src_fd;
- struct stat statbuf;
- dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC);
- ASSERT_LE(0, dst_fd)
- {
- TH_LOG("Failed to open \"%s\": %s", dst_path, strerror(errno));
- }
- src_fd = open(src_path, O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, src_fd)
- {
- TH_LOG("Failed to open \"%s\": %s", src_path, strerror(errno));
- }
- ASSERT_EQ(0, fstat(src_fd, &statbuf));
- ASSERT_EQ(statbuf.st_size,
- sendfile(dst_fd, src_fd, 0, statbuf.st_size));
- ASSERT_EQ(0, close(src_fd));
- ASSERT_EQ(0, close(dst_fd));
- }
- static void test_execute(struct __test_metadata *const _metadata, const int err,
- const char *const path)
- {
- int status;
- char *const argv[] = { (char *)path, NULL };
- const pid_t child = fork();
- ASSERT_LE(0, child);
- if (child == 0) {
- ASSERT_EQ(err ? -1 : 0, execve(path, argv, NULL))
- {
- TH_LOG("Failed to execute \"%s\": %s", path,
- strerror(errno));
- };
- ASSERT_EQ(err, errno);
- _exit(__test_passed(_metadata) ? 2 : 1);
- return;
- }
- ASSERT_EQ(child, waitpid(child, &status, 0));
- ASSERT_EQ(1, WIFEXITED(status));
- ASSERT_EQ(err ? 2 : 0, WEXITSTATUS(status))
- {
- TH_LOG("Unexpected return code for \"%s\"", path);
- };
- }
- static void test_check_exec(struct __test_metadata *const _metadata,
- const int err, const char *const path)
- {
- int ret;
- char *const argv[] = { (char *)path, NULL };
- ret = sys_execveat(AT_FDCWD, path, argv, NULL,
- AT_EMPTY_PATH | AT_EXECVE_CHECK);
- if (err) {
- EXPECT_EQ(-1, ret);
- EXPECT_EQ(errno, err);
- } else {
- EXPECT_EQ(0, ret);
- }
- }
- TEST_F_FORK(layout1, execute)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- copy_file(_metadata, bin_true, file1_s1d1);
- copy_file(_metadata, bin_true, file1_s1d2);
- copy_file(_metadata, bin_true, file1_s1d3);
- /* Checks before file1_s1d1 being denied. */
- test_execute(_metadata, 0, file1_s1d1);
- test_check_exec(_metadata, 0, file1_s1d1);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
- test_execute(_metadata, EACCES, file1_s1d1);
- test_check_exec(_metadata, EACCES, file1_s1d1);
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- test_execute(_metadata, 0, file1_s1d2);
- test_check_exec(_metadata, 0, file1_s1d2);
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- test_execute(_metadata, 0, file1_s1d3);
- test_check_exec(_metadata, 0, file1_s1d3);
- }
- TEST_F_FORK(layout1, umount_sandboxer)
- {
- int pipe_child[2], pipe_parent[2];
- char buf_parent;
- pid_t child;
- int status;
- copy_file(_metadata, bin_sandbox_and_launch, file1_s3d3);
- ASSERT_EQ(0, pipe2(pipe_child, 0));
- ASSERT_EQ(0, pipe2(pipe_parent, 0));
- child = fork();
- ASSERT_LE(0, child);
- if (child == 0) {
- char pipe_child_str[12], pipe_parent_str[12];
- char *const argv[] = { (char *)file1_s3d3,
- (char *)bin_wait_pipe, pipe_child_str,
- pipe_parent_str, NULL };
- /* Passes the pipe FDs to the executed binary and its child. */
- EXPECT_EQ(0, close(pipe_child[0]));
- EXPECT_EQ(0, close(pipe_parent[1]));
- snprintf(pipe_child_str, sizeof(pipe_child_str), "%d",
- pipe_child[1]);
- snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d",
- pipe_parent[0]);
- /*
- * We need bin_sandbox_and_launch (copied inside the mount as
- * file1_s3d3) to execute bin_wait_pipe (outside the mount) to
- * make sure the mount point will not be EBUSY because of
- * file1_s3d3 being in use. This avoids a potential race
- * condition between the following read() and umount() calls.
- */
- ASSERT_EQ(0, execve(argv[0], argv, NULL))
- {
- TH_LOG("Failed to execute \"%s\": %s", argv[0],
- strerror(errno));
- };
- _exit(1);
- return;
- }
- EXPECT_EQ(0, close(pipe_child[1]));
- EXPECT_EQ(0, close(pipe_parent[0]));
- /* Waits for the child to sandbox itself. */
- EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
- /* Tests that the sandboxer is tied to its mount point. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(-1, umount(dir_s3d2));
- EXPECT_EQ(EBUSY, errno);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- /* Signals the child to launch a grandchild. */
- EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
- /* Waits for the grandchild. */
- EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
- /* Tests that the domain's sandboxer is not tied to its mount point. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(0, umount(dir_s3d2))
- {
- TH_LOG("Failed to umount \"%s\": %s", dir_s3d2,
- strerror(errno));
- };
- clear_cap(_metadata, CAP_SYS_ADMIN);
- /* Signals the grandchild to terminate. */
- EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
- ASSERT_EQ(child, waitpid(child, &status, 0));
- ASSERT_EQ(1, WIFEXITED(status));
- ASSERT_EQ(0, WEXITSTATUS(status));
- }
- TEST_F_FORK(layout1, link)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {},
- };
- const struct rule layer2[] = {
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- int ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- /* Denies linking because of reparenting. */
- ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
- ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
- /* Prepares for next unlinks. */
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d3));
- ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that linkind doesn't require the ability to delete a file. */
- ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
- ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
- }
- static int test_rename(const char *const oldpath, const char *const newpath)
- {
- if (rename(oldpath, newpath))
- return errno;
- return 0;
- }
- static int test_exchange(const char *const oldpath, const char *const newpath)
- {
- if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE))
- return errno;
- return 0;
- }
- static int test_renameat(int olddirfd, const char *oldpath, int newdirfd,
- const char *newpath)
- {
- if (renameat2(olddirfd, oldpath, newdirfd, newpath, 0))
- return errno;
- return 0;
- }
- static int test_exchangeat(int olddirfd, const char *oldpath, int newdirfd,
- const char *newpath)
- {
- if (renameat2(olddirfd, oldpath, newdirfd, newpath, RENAME_EXCHANGE))
- return errno;
- return 0;
- }
- TEST_F_FORK(layout1, rename_file)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d2));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Tries to replace a file, from a directory that allows file removal,
- * but to a different directory (which also allows file removal).
- */
- ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Tries to replace a file, from a directory that denies file removal,
- * to a different directory (which allows file removal).
- */
- ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- /* Exchanges files and directories that partially allow removal. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */
- ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */
- ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
- ASSERT_EQ(EACCES, errno);
- /* Renames files with different parents. */
- ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
- ASSERT_EQ(EACCES, errno);
- /* Exchanges and renames files with same parent. */
- ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3));
- /* Exchanges files and directories with same parent, twice. */
- ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- }
- TEST_F_FORK(layout1, rename_dir)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
- },
- {
- .path = dir_s2d1,
- .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- /* Empties dir_s1d3 to allow renaming. */
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Exchanges and renames directory to a different parent. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Exchanges directory to the same parent, which doesn't allow
- * directory removal.
- */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */
- ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */
- ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2));
- ASSERT_EQ(EACCES, errno);
- /*
- * Exchanges and renames directory to the same parent, which allows
- * directory removal.
- */
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s1d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, unlink(dir_s1d3));
- ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
- ASSERT_EQ(0, rename(file1_s1d2, dir_s1d3));
- ASSERT_EQ(0, rmdir(dir_s1d3));
- }
- TEST_F_FORK(layout1, reparent_refer)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {},
- };
- int ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d1));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d1));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d2));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving should only be allowed when the source and the destination
- * parent directory have REFER.
- */
- ASSERT_EQ(-1, rename(dir_s1d3, dir_s2d3));
- ASSERT_EQ(ENOTEMPTY, errno);
- ASSERT_EQ(0, unlink(file1_s2d3));
- ASSERT_EQ(0, unlink(file2_s2d3));
- ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3));
- }
- /* Checks renames beneath dir_s1d1. */
- static void refer_denied_by_default(struct __test_metadata *const _metadata,
- const struct rule layer1[],
- const int layer1_err,
- const struct rule layer2[])
- {
- int ruleset_fd;
- ASSERT_EQ(0, unlink(file1_s1d2));
- ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to
- * layer1_err), then it allows some different-parent renames and links.
- */
- ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2));
- if (layer1_err == 0)
- ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1));
- ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2));
- ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1));
- ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Now, either the first or the second layer does not handle
- * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent
- * renames and links are denied, thus making the layer handling
- * LANDLOCK_ACCESS_FS_REFER null and void.
- */
- ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2));
- ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2));
- ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1));
- }
- const struct rule layer_dir_s1d1_refer[] = {
- {
- .path = dir_s1d1,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {},
- };
- const struct rule layer_dir_s1d1_execute[] = {
- {
- /* Matches a parent directory. */
- .path = dir_s1d1,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {},
- };
- const struct rule layer_dir_s2d1_execute[] = {
- {
- /* Does not match a parent directory. */
- .path = dir_s2d1,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {},
- };
- /*
- * Tests precedence over renames: denied by default for different parent
- * directories, *with* a rule matching a parent directory, but not directly
- * denying access (with MAKE_REG nor REMOVE).
- */
- TEST_F_FORK(layout1, refer_denied_by_default1)
- {
- refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
- layer_dir_s1d1_execute);
- }
- /*
- * Same test but this time turning around the ABI version order: the first
- * layer does not handle LANDLOCK_ACCESS_FS_REFER.
- */
- TEST_F_FORK(layout1, refer_denied_by_default2)
- {
- refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV,
- layer_dir_s1d1_refer);
- }
- /*
- * Tests precedence over renames: denied by default for different parent
- * directories, *without* a rule matching a parent directory, but not directly
- * denying access (with MAKE_REG nor REMOVE).
- */
- TEST_F_FORK(layout1, refer_denied_by_default3)
- {
- refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0,
- layer_dir_s2d1_execute);
- }
- /*
- * Same test but this time turning around the ABI version order: the first
- * layer does not handle LANDLOCK_ACCESS_FS_REFER.
- */
- TEST_F_FORK(layout1, refer_denied_by_default4)
- {
- refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV,
- layer_dir_s1d1_refer);
- }
- /*
- * Tests walking through a denied root mount.
- */
- TEST_F_FORK(layout1, refer_mount_root_deny)
- {
- const struct landlock_ruleset_attr ruleset_attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_MAKE_DIR,
- };
- int root_fd, ruleset_fd;
- /* Creates a mount object from a non-mount point. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- root_fd =
- open_tree(AT_FDCWD, dir_s1d1,
- AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_LE(0, root_fd);
- ruleset_fd =
- landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));
- ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0));
- EXPECT_EQ(0, close(ruleset_fd));
- /* Link denied by Landlock: EACCES. */
- EXPECT_EQ(-1, linkat(root_fd, ".", root_fd, "does_not_exist", 0));
- EXPECT_EQ(EACCES, errno);
- /* renameat2() always returns EBUSY. */
- EXPECT_EQ(-1, renameat2(root_fd, ".", root_fd, "does_not_exist", 0));
- EXPECT_EQ(EBUSY, errno);
- EXPECT_EQ(0, close(root_fd));
- }
- TEST_F_FORK(layout1, refer_part_mount_tree_is_allowed)
- {
- const struct rule layer1[] = {
- {
- /* Parent mount point. */
- .path = dir_s3d1,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {
- /*
- * Removing the source file is allowed because its
- * access rights are already a superset of the
- * destination.
- */
- .path = dir_s3d4,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- int ruleset_fd;
- ASSERT_EQ(0, unlink(file1_s3d3));
- ruleset_fd = create_ruleset(_metadata,
- LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, rename(file1_s3d4, file1_s3d3));
- }
- TEST_F_FORK(layout1, reparent_link)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- /* Denies linking because of missing MAKE_REG. */
- ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- /* Denies linking because of missing source and destination REFER. */
- ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /* Denies linking because of missing source REFER. */
- ASSERT_EQ(-1, link(file1_s2d1, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- /* Denies linking because of missing MAKE_REG. */
- ASSERT_EQ(-1, link(file1_s2d2, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- /* Denies linking because of missing destination REFER. */
- ASSERT_EQ(-1, link(file1_s2d2, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /* Allows linking because of REFER and MAKE_REG. */
- ASSERT_EQ(0, link(file1_s2d2, file1_s1d3));
- ASSERT_EQ(0, unlink(file1_s2d2));
- /* Reverse linking denied because of missing MAKE_REG. */
- ASSERT_EQ(-1, link(file1_s1d3, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, unlink(file1_s2d3));
- /* Checks reverse linking. */
- ASSERT_EQ(0, link(file1_s1d3, file1_s2d3));
- ASSERT_EQ(0, unlink(file1_s1d3));
- /*
- * This is OK for a file link, but it should not be allowed for a
- * directory rename (because of the superset of access rights.
- */
- ASSERT_EQ(0, link(file1_s2d3, file1_s1d3));
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(0, link(file2_s1d2, file1_s1d2));
- ASSERT_EQ(0, link(file2_s1d3, file1_s1d3));
- }
- TEST_F_FORK(layout1, reparent_rename)
- {
- /* Same rules as for reparent_link. */
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- /* Denies renaming because of missing MAKE_REG. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file2_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- /* Even denies same file exchange. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file2_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Denies renaming because of missing source and destination REFER. */
- ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Denies renaming because of missing MAKE_REG, source and destination
- * REFER.
- */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file2_s1d1, AT_FDCWD, file1_s2d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Denies renaming because of missing source REFER. */
- ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- /* Denies renaming because of missing MAKE_REG. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file2_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Denies renaming because of missing MAKE_REG. */
- ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- /* Denies renaming because of missing destination REFER*/
- ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /* Denies exchange because of one missing MAKE_REG. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, file2_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Allows renaming because of REFER and MAKE_REG. */
- ASSERT_EQ(0, rename(file1_s2d2, file1_s1d3));
- /* Reverse renaming denied because of missing MAKE_REG. */
- ASSERT_EQ(-1, rename(file1_s1d3, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, unlink(file1_s2d3));
- ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
- /* Tests reverse renaming. */
- ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
- ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
- /*
- * This is OK for a file rename, but it should not be allowed for a
- * directory rename (because of the superset of access rights).
- */
- ASSERT_EQ(0, rename(file1_s2d3, file1_s1d3));
- ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
- /*
- * Tests superset restrictions applied to directories. Not only the
- * dir_s2d3's parent (dir_s2d2) should be taken into account but also
- * access rights tied to dir_s2d3. dir_s2d2 is missing one access right
- * compared to dir_s1d3/file1_s1d3 (MAKE_REG) but it is provided
- * directly by the moved dir_s2d3.
- */
- ASSERT_EQ(0, rename(dir_s2d3, file1_s1d3));
- ASSERT_EQ(0, rename(file1_s1d3, dir_s2d3));
- /*
- * The first rename is allowed but not the exchange because dir_s1d3's
- * parent (dir_s1d2) doesn't have REFER.
- */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, file1_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(file1_s2d3, dir_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(file2_s1d2, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(file2_s1d3, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /* Renaming in the same directory is always allowed. */
- ASSERT_EQ(0, rename(file2_s1d2, file1_s1d2));
- ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3));
- ASSERT_EQ(0, unlink(file1_s1d2));
- /* Denies because of missing source MAKE_REG and destination REFER. */
- ASSERT_EQ(-1, rename(dir_s2d3, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(0, unlink(file1_s1d3));
- /* Denies because of missing source MAKE_REG and REFER. */
- ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- }
- static void
- reparent_exdev_layers_enforce1(struct __test_metadata *const _metadata)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- /* Interesting for the layer2 tests. */
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = dir_s2d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_REG,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REFER, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- }
- static void
- reparent_exdev_layers_enforce2(struct __test_metadata *const _metadata)
- {
- const struct rule layer2[] = {
- {
- .path = dir_s2d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
- },
- {},
- };
- /*
- * Same checks as before but with a second layer and a new MAKE_DIR
- * rule (and no explicit handling of REFER).
- */
- const int ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_MAKE_DIR, layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- }
- TEST_F_FORK(layout1, reparent_exdev_layers_rename1)
- {
- ASSERT_EQ(0, unlink(file1_s2d2));
- ASSERT_EQ(0, unlink(file1_s2d3));
- reparent_exdev_layers_enforce1(_metadata);
- /*
- * Moving the dir_s1d3 directory below dir_s2d2 is allowed by Landlock
- * because it doesn't inherit new access rights.
- */
- ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
- ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
- /*
- * Moving the dir_s1d3 directory below dir_s2d3 is allowed, even if it
- * gets a new inherited access rights (MAKE_REG), because MAKE_REG is
- * already allowed for dir_s1d3.
- */
- ASSERT_EQ(0, rename(dir_s1d3, file1_s2d3));
- ASSERT_EQ(0, rename(file1_s2d3, dir_s1d3));
- /*
- * However, moving the file1_s1d3 file below dir_s2d3 is allowed
- * because it cannot inherit MAKE_REG right (which is dedicated to
- * directories).
- */
- ASSERT_EQ(0, rename(file1_s1d3, file1_s2d3));
- reparent_exdev_layers_enforce2(_metadata);
- /*
- * Moving the dir_s1d3 directory below dir_s2d2 is now denied because
- * MAKE_DIR is not tied to dir_s2d2.
- */
- ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- /*
- * Moving the dir_s1d3 directory below dir_s2d3 is forbidden because it
- * would grants MAKE_REG and MAKE_DIR rights to it.
- */
- ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving the file2_s1d3 file below dir_s2d3 is denied because the
- * second layer does not handle REFER, which is always denied by
- * default.
- */
- ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- }
- TEST_F_FORK(layout1, reparent_exdev_layers_rename2)
- {
- reparent_exdev_layers_enforce1(_metadata);
- /* Checks EACCES predominance over EXDEV. */
- ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /* Modify layout! */
- ASSERT_EQ(0, rename(file1_s1d2, file1_s2d3));
- /* Without REFER source. */
- ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
- ASSERT_EQ(EXDEV, errno);
- reparent_exdev_layers_enforce2(_metadata);
- /* Checks EACCES predominance over EXDEV. */
- ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- /* Checks with actual file2_s1d2. */
- ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Modifying the layout is now denied because the second layer does not
- * handle REFER, which is always denied by default.
- */
- ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /* Without REFER source, EACCES wins over EXDEV. */
- ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d2));
- ASSERT_EQ(EACCES, errno);
- }
- TEST_F_FORK(layout1, reparent_exdev_layers_exchange1)
- {
- const char *const dir_file1_s1d2 = file1_s1d2, *const dir_file2_s2d3 =
- file2_s2d3;
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
- ASSERT_EQ(0, unlink(file2_s2d3));
- ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
- reparent_exdev_layers_enforce1(_metadata);
- /* Error predominance with file exchange: returns EXDEV and EACCES. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /*
- * Checks with directories which creation could be allowed, but denied
- * because of access rights that would be inherited.
- */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
- dir_file2_s2d3, RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
- dir_file1_s1d2, RENAME_EXCHANGE));
- ASSERT_EQ(EXDEV, errno);
- /* Checks with same access rights. */
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- /* Checks with different (child-only) access rights. */
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- /*
- * Checks that exchange between file and directory are consistent.
- *
- * Moving a file (file1_s2d2) to a directory which only grants more
- * directory-related access rights is allowed, and at the same time
- * moving a directory (dir_file2_s2d3) to another directory which
- * grants less access rights is allowed too.
- *
- * See layout1.reparent_exdev_layers_exchange3 for inverted arguments.
- */
- ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
- RENAME_EXCHANGE));
- /*
- * However, moving back the directory is denied because it would get
- * more access rights than the current state and because file creation
- * is forbidden (in dir_s2d2).
- */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- reparent_exdev_layers_enforce2(_metadata);
- /* Error predominance with file exchange: returns EXDEV and EACCES. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, file1_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d3, AT_FDCWD, file1_s1d1,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks with directories which creation is now denied. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD,
- dir_file2_s2d3, RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD,
- dir_file1_s1d2, RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks with different (child-only) access rights. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d3, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- /* Denied because of MAKE_DIR. */
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Checks with different (child-only) access rights. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d3, AT_FDCWD, dir_file1_s1d2,
- RENAME_EXCHANGE));
- /* Denied because of MAKE_DIR. */
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file1_s1d2, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* See layout1.reparent_exdev_layers_exchange2 for complement. */
- }
- TEST_F_FORK(layout1, reparent_exdev_layers_exchange2)
- {
- const char *const dir_file2_s2d3 = file2_s2d3;
- ASSERT_EQ(0, unlink(file2_s2d3));
- ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
- reparent_exdev_layers_enforce1(_metadata);
- reparent_exdev_layers_enforce2(_metadata);
- /* Checks that exchange between file and directory are consistent. */
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- }
- TEST_F_FORK(layout1, reparent_exdev_layers_exchange3)
- {
- const char *const dir_file2_s2d3 = file2_s2d3;
- ASSERT_EQ(0, unlink(file2_s2d3));
- ASSERT_EQ(0, mkdir(file2_s2d3, 0700));
- reparent_exdev_layers_enforce1(_metadata);
- /*
- * Checks that exchange between file and directory are consistent,
- * including with inverted arguments (see
- * layout1.reparent_exdev_layers_exchange1).
- */
- ASSERT_EQ(0, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_file2_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_file2_s2d3, AT_FDCWD, file1_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- }
- TEST_F_FORK(layout1, reparent_remove)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d1,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_REMOVE_DIR,
- },
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {
- .path = dir_s2d1,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REMOVE_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Access denied because of wrong/swapped remove file/dir. */
- ASSERT_EQ(-1, rename(file1_s1d1, dir_s2d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(dir_s2d2, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d2,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s2d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- /* Access allowed thanks to the matching rights. */
- ASSERT_EQ(-1, rename(file1_s2d1, dir_s1d2));
- ASSERT_EQ(EISDIR, errno);
- ASSERT_EQ(-1, rename(dir_s1d2, file1_s2d1));
- ASSERT_EQ(ENOTDIR, errno);
- ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
- ASSERT_EQ(ENOTDIR, errno);
- ASSERT_EQ(0, unlink(file1_s2d1));
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- ASSERT_EQ(0, rename(dir_s1d3, file1_s2d1));
- /* Effectively removes a file and a directory by exchanging them. */
- ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
- ASSERT_EQ(0, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d2, AT_FDCWD, dir_s1d3,
- RENAME_EXCHANGE));
- ASSERT_EQ(EACCES, errno);
- }
- TEST_F_FORK(layout1, reparent_dom_superset)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = file1_s1d2,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_MAKE_SOCK |
- LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_SOCK,
- },
- {
- .path = dir_s2d3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_FIFO,
- },
- {},
- };
- int ruleset_fd = create_ruleset(_metadata,
- LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_SOCK |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_FIFO,
- layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d1));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving file1_s1d2 beneath dir_s2d3 would grant it the READ_FILE
- * access right.
- */
- ASSERT_EQ(-1, rename(file1_s1d2, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving file1_s1d2 should be allowed even if dir_s2d2 grants a
- * superset of access rights compared to dir_s1d2, because file1_s1d2
- * already has these access rights anyway.
- */
- ASSERT_EQ(0, rename(file1_s1d2, file1_s2d2));
- ASSERT_EQ(0, rename(file1_s2d2, file1_s1d2));
- ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d1));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving dir_s1d3 beneath dir_s2d3 would grant it the MAKE_FIFO access
- * right.
- */
- ASSERT_EQ(-1, rename(dir_s1d3, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /*
- * Moving dir_s1d3 should be allowed even if dir_s2d2 grants a superset
- * of access rights compared to dir_s1d2, because dir_s1d3 already has
- * these access rights anyway.
- */
- ASSERT_EQ(0, rename(dir_s1d3, file1_s2d2));
- ASSERT_EQ(0, rename(file1_s2d2, dir_s1d3));
- /*
- * Moving file1_s2d3 beneath dir_s1d2 is allowed, but moving it back
- * will be denied because the new inherited access rights from dir_s1d2
- * will be less than the destination (original) dir_s2d3. This is a
- * sinkhole scenario where we cannot move back files or directories.
- */
- ASSERT_EQ(0, rename(file1_s2d3, file2_s1d2));
- ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3));
- ASSERT_EQ(EXDEV, errno);
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, unlink(file2_s2d3));
- /*
- * Checks similar directory one-way move: dir_s2d3 loses EXECUTE and
- * MAKE_SOCK which were inherited from dir_s1d3.
- */
- ASSERT_EQ(0, rename(dir_s2d3, file2_s1d2));
- ASSERT_EQ(-1, rename(file2_s1d2, dir_s2d3));
- ASSERT_EQ(EXDEV, errno);
- }
- TEST_F_FORK(layout1, remove_dir)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REMOVE_DIR,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(0, rmdir(dir_s1d3));
- ASSERT_EQ(0, mkdir(dir_s1d3, 0700));
- ASSERT_EQ(0, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
- /* dir_s1d2 itself cannot be removed. */
- ASSERT_EQ(-1, rmdir(dir_s1d2));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d2, AT_REMOVEDIR));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rmdir(dir_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d1, AT_REMOVEDIR));
- ASSERT_EQ(EACCES, errno);
- }
- TEST_F_FORK(layout1, remove_file)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, unlink(file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, unlinkat(AT_FDCWD, file1_s1d1, 0));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlinkat(AT_FDCWD, file1_s1d3, 0));
- }
- static void test_make_file(struct __test_metadata *const _metadata,
- const __u64 access, const mode_t mode,
- const dev_t dev)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = access,
- },
- {},
- };
- const int ruleset_fd = create_ruleset(_metadata, access, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file2_s1d1));
- ASSERT_EQ(0, mknod(file2_s1d1, mode | 0400, dev))
- {
- TH_LOG("Failed to make file \"%s\": %s", file2_s1d1,
- strerror(errno));
- };
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev))
- {
- TH_LOG("Failed to make file \"%s\": %s", file1_s1d2,
- strerror(errno));
- };
- ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
- ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev));
- ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
- }
- TEST_F_FORK(layout1, make_char)
- {
- /* Creates a /dev/null device. */
- set_cap(_metadata, CAP_MKNOD);
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR,
- makedev(1, 3));
- }
- TEST_F_FORK(layout1, make_block)
- {
- /* Creates a /dev/loop0 device. */
- set_cap(_metadata, CAP_MKNOD);
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK,
- makedev(7, 0));
- }
- TEST_F_FORK(layout1, make_reg_1)
- {
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0);
- }
- TEST_F_FORK(layout1, make_reg_2)
- {
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0);
- }
- TEST_F_FORK(layout1, make_sock)
- {
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0);
- }
- TEST_F_FORK(layout1, make_fifo)
- {
- test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0);
- }
- TEST_F_FORK(layout1, make_sym)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_SYM,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file2_s1d1));
- ASSERT_EQ(0, symlink("none", file2_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, symlink("none", file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(-1, rename(file2_s1d1, file1_s1d1));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, symlink("none", file1_s1d2));
- ASSERT_EQ(0, link(file1_s1d2, file2_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d2));
- ASSERT_EQ(0, rename(file1_s1d2, file2_s1d2));
- ASSERT_EQ(0, symlink("none", file1_s1d3));
- ASSERT_EQ(0, link(file1_s1d3, file2_s1d3));
- ASSERT_EQ(0, unlink(file2_s1d3));
- ASSERT_EQ(0, rename(file1_s1d3, file2_s1d3));
- }
- TEST_F_FORK(layout1, make_dir)
- {
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_MAKE_DIR,
- },
- {},
- };
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- ASSERT_EQ(0, unlink(file1_s1d1));
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file1_s1d3));
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Uses file_* as directory names. */
- ASSERT_EQ(-1, mkdir(file1_s1d1, 0700));
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, mkdir(file1_s1d2, 0700));
- ASSERT_EQ(0, mkdir(file1_s1d3, 0700));
- }
- static int open_proc_fd(struct __test_metadata *const _metadata, const int fd,
- const int open_flags)
- {
- static const char path_template[] = "/proc/self/fd/%d";
- char procfd_path[sizeof(path_template) + 10];
- const int procfd_path_size =
- snprintf(procfd_path, sizeof(procfd_path), path_template, fd);
- ASSERT_LT(procfd_path_size, sizeof(procfd_path));
- return open(procfd_path, open_flags);
- }
- TEST_F_FORK(layout1, proc_unlinked_file)
- {
- const struct rule rules[] = {
- {
- .path = file1_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- int reg_fd, proc_fd;
- const int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
- rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, reg_fd);
- ASSERT_EQ(0, unlink(file1_s1d2));
- proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, proc_fd);
- ASSERT_EQ(0, close(proc_fd));
- proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC);
- ASSERT_EQ(-1, proc_fd)
- {
- TH_LOG("Successfully opened /proc/self/fd/%d: %s", reg_fd,
- strerror(errno));
- }
- ASSERT_EQ(EACCES, errno);
- ASSERT_EQ(0, close(reg_fd));
- }
- TEST_F_FORK(layout1, proc_pipe)
- {
- int proc_fd;
- int pipe_fds[2];
- char buf = '\0';
- const struct rule rules[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- /* Limits read and write access to files tied to the filesystem. */
- const int ruleset_fd =
- create_ruleset(_metadata, rules[0].access, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks enforcement for normal files. */
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDWR));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDWR));
- /* Checks access to pipes through FD. */
- ASSERT_EQ(0, pipe2(pipe_fds, O_CLOEXEC));
- ASSERT_EQ(1, write(pipe_fds[1], ".", 1))
- {
- TH_LOG("Failed to write in pipe: %s", strerror(errno));
- }
- ASSERT_EQ(1, read(pipe_fds[0], &buf, 1));
- ASSERT_EQ('.', buf);
- /* Checks write access to pipe through /proc/self/fd . */
- proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC);
- ASSERT_LE(0, proc_fd);
- ASSERT_EQ(1, write(proc_fd, ".", 1))
- {
- TH_LOG("Failed to write through /proc/self/fd/%d: %s",
- pipe_fds[1], strerror(errno));
- }
- ASSERT_EQ(0, close(proc_fd));
- /* Checks read access to pipe through /proc/self/fd . */
- proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, proc_fd);
- buf = '\0';
- ASSERT_EQ(1, read(proc_fd, &buf, 1))
- {
- TH_LOG("Failed to read through /proc/self/fd/%d: %s",
- pipe_fds[1], strerror(errno));
- }
- ASSERT_EQ(0, close(proc_fd));
- ASSERT_EQ(0, close(pipe_fds[0]));
- ASSERT_EQ(0, close(pipe_fds[1]));
- }
- /* Invokes truncate(2) and returns its errno or 0. */
- static int test_truncate(const char *const path)
- {
- if (truncate(path, 10) < 0)
- return errno;
- return 0;
- }
- /*
- * Invokes creat(2) and returns its errno or 0.
- * Closes the opened file descriptor on success.
- */
- static int test_creat(const char *const path)
- {
- int fd = creat(path, 0600);
- if (fd < 0)
- return errno;
- /*
- * Mixing error codes from close(2) and creat(2) should not lead to any
- * (access type) confusion for this test.
- */
- if (close(fd) < 0)
- return errno;
- return 0;
- }
- /*
- * Exercises file truncation when it's not restricted,
- * as it was the case before LANDLOCK_ACCESS_FS_TRUNCATE existed.
- */
- TEST_F_FORK(layout1, truncate_unhandled)
- {
- const char *const file_r = file1_s1d1;
- const char *const file_w = file2_s1d1;
- const char *const file_none = file1_s1d2;
- const struct rule rules[] = {
- {
- .path = file_r,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = file_w,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- /* Implicitly: No rights for file_none. */
- {},
- };
- const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE;
- int ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Checks read right: truncate and open with O_TRUNC work, unless the
- * file is attempted to be opened for writing.
- */
- EXPECT_EQ(0, test_truncate(file_r));
- EXPECT_EQ(0, test_open(file_r, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_r, O_WRONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_creat(file_r));
- /*
- * Checks write right: truncate and open with O_TRUNC work, unless the
- * file is attempted to be opened for reading.
- */
- EXPECT_EQ(0, test_truncate(file_w));
- EXPECT_EQ(EACCES, test_open(file_w, O_RDONLY | O_TRUNC));
- EXPECT_EQ(0, test_open(file_w, O_WRONLY | O_TRUNC));
- EXPECT_EQ(0, test_creat(file_w));
- /*
- * Checks "no rights" case: truncate works but all open attempts fail,
- * including creat.
- */
- EXPECT_EQ(0, test_truncate(file_none));
- EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_creat(file_none));
- }
- TEST_F_FORK(layout1, truncate)
- {
- const char *const file_rwt = file1_s1d1;
- const char *const file_rw = file2_s1d1;
- const char *const file_rt = file1_s1d2;
- const char *const file_t = file2_s1d2;
- const char *const file_none = file1_s1d3;
- const char *const dir_t = dir_s2d1;
- const char *const file_in_dir_t = file1_s2d1;
- const char *const dir_w = dir_s3d1;
- const char *const file_in_dir_w = file1_s3d1;
- const struct rule rules[] = {
- {
- .path = file_rwt,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE |
- LANDLOCK_ACCESS_FS_TRUNCATE,
- },
- {
- .path = file_rw,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = file_rt,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_TRUNCATE,
- },
- {
- .path = file_t,
- .access = LANDLOCK_ACCESS_FS_TRUNCATE,
- },
- /* Implicitly: No access rights for file_none. */
- {
- .path = dir_t,
- .access = LANDLOCK_ACCESS_FS_TRUNCATE,
- },
- {
- .path = dir_w,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE |
- LANDLOCK_ACCESS_FS_TRUNCATE;
- int ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks read, write and truncate rights: truncation works. */
- EXPECT_EQ(0, test_truncate(file_rwt));
- EXPECT_EQ(0, test_open(file_rwt, O_RDONLY | O_TRUNC));
- EXPECT_EQ(0, test_open(file_rwt, O_WRONLY | O_TRUNC));
- /* Checks read and write rights: no truncate variant works. */
- EXPECT_EQ(EACCES, test_truncate(file_rw));
- EXPECT_EQ(EACCES, test_open(file_rw, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_rw, O_WRONLY | O_TRUNC));
- /*
- * Checks read and truncate rights: truncation works.
- *
- * Note: Files can get truncated using open() even with O_RDONLY.
- */
- EXPECT_EQ(0, test_truncate(file_rt));
- EXPECT_EQ(0, test_open(file_rt, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_rt, O_WRONLY | O_TRUNC));
- /* Checks truncate right: truncate works, but can't open file. */
- EXPECT_EQ(0, test_truncate(file_t));
- EXPECT_EQ(EACCES, test_open(file_t, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_t, O_WRONLY | O_TRUNC));
- /* Checks "no rights" case: No form of truncation works. */
- EXPECT_EQ(EACCES, test_truncate(file_none));
- EXPECT_EQ(EACCES, test_open(file_none, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_none, O_WRONLY | O_TRUNC));
- /*
- * Checks truncate right on directory: truncate works on contained
- * files.
- */
- EXPECT_EQ(0, test_truncate(file_in_dir_t));
- EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_RDONLY | O_TRUNC));
- EXPECT_EQ(EACCES, test_open(file_in_dir_t, O_WRONLY | O_TRUNC));
- /*
- * Checks creat in dir_w: This requires the truncate right when
- * overwriting an existing file, but does not require it when the file
- * is new.
- */
- EXPECT_EQ(EACCES, test_creat(file_in_dir_w));
- ASSERT_EQ(0, unlink(file_in_dir_w));
- EXPECT_EQ(0, test_creat(file_in_dir_w));
- }
- /* Invokes ftruncate(2) and returns its errno or 0. */
- static int test_ftruncate(int fd)
- {
- if (ftruncate(fd, 10) < 0)
- return errno;
- return 0;
- }
- TEST_F_FORK(layout1, ftruncate)
- {
- /*
- * This test opens a new file descriptor at different stages of
- * Landlock restriction:
- *
- * without restriction: ftruncate works
- * something else but truncate restricted: ftruncate works
- * truncate restricted and permitted: ftruncate works
- * truncate restricted and not permitted: ftruncate fails
- *
- * Whether this works or not is expected to depend on the time when the
- * FD was opened, not to depend on the time when ftruncate() was
- * called.
- */
- const char *const path = file1_s1d1;
- const __u64 handled1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE;
- const struct rule layer1[] = {
- {
- .path = path,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const __u64 handled2 = LANDLOCK_ACCESS_FS_TRUNCATE;
- const struct rule layer2[] = {
- {
- .path = path,
- .access = LANDLOCK_ACCESS_FS_TRUNCATE,
- },
- {},
- };
- const __u64 handled3 = LANDLOCK_ACCESS_FS_TRUNCATE |
- LANDLOCK_ACCESS_FS_WRITE_FILE;
- const struct rule layer3[] = {
- {
- .path = path,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- int fd_layer0, fd_layer1, fd_layer2, fd_layer3, ruleset_fd;
- fd_layer0 = open(path, O_WRONLY);
- EXPECT_EQ(0, test_ftruncate(fd_layer0));
- ruleset_fd = create_ruleset(_metadata, handled1, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd_layer1 = open(path, O_WRONLY);
- EXPECT_EQ(0, test_ftruncate(fd_layer0));
- EXPECT_EQ(0, test_ftruncate(fd_layer1));
- ruleset_fd = create_ruleset(_metadata, handled2, layer2);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd_layer2 = open(path, O_WRONLY);
- EXPECT_EQ(0, test_ftruncate(fd_layer0));
- EXPECT_EQ(0, test_ftruncate(fd_layer1));
- EXPECT_EQ(0, test_ftruncate(fd_layer2));
- ruleset_fd = create_ruleset(_metadata, handled3, layer3);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd_layer3 = open(path, O_WRONLY);
- EXPECT_EQ(0, test_ftruncate(fd_layer0));
- EXPECT_EQ(0, test_ftruncate(fd_layer1));
- EXPECT_EQ(0, test_ftruncate(fd_layer2));
- EXPECT_EQ(EACCES, test_ftruncate(fd_layer3));
- ASSERT_EQ(0, close(fd_layer0));
- ASSERT_EQ(0, close(fd_layer1));
- ASSERT_EQ(0, close(fd_layer2));
- ASSERT_EQ(0, close(fd_layer3));
- }
- /* clang-format off */
- FIXTURE(ftruncate) {};
- /* clang-format on */
- FIXTURE_SETUP(ftruncate)
- {
- prepare_layout(_metadata);
- create_file(_metadata, file1_s1d1);
- }
- FIXTURE_TEARDOWN_PARENT(ftruncate)
- {
- EXPECT_EQ(0, remove_path(file1_s1d1));
- cleanup_layout(_metadata);
- }
- FIXTURE_VARIANT(ftruncate)
- {
- const __u64 handled;
- const __u64 allowed;
- const int expected_open_result;
- const int expected_ftruncate_result;
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ftruncate, w_w) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_WRITE_FILE,
- .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
- .expected_open_result = 0,
- .expected_ftruncate_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ftruncate, t_t) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_TRUNCATE,
- .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
- .expected_open_result = 0,
- .expected_ftruncate_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ftruncate, wt_w) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
- .expected_open_result = 0,
- .expected_ftruncate_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ftruncate, wt_wt) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .expected_open_result = 0,
- .expected_ftruncate_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ftruncate, wt_t) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
- .expected_open_result = EACCES,
- };
- TEST_F_FORK(ftruncate, open_and_ftruncate)
- {
- const char *const path = file1_s1d1;
- const struct rule rules[] = {
- {
- .path = path,
- .access = variant->allowed,
- },
- {},
- };
- int fd, ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd = open(path, O_WRONLY);
- EXPECT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
- if (fd >= 0) {
- EXPECT_EQ(variant->expected_ftruncate_result,
- test_ftruncate(fd));
- ASSERT_EQ(0, close(fd));
- }
- }
- TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
- {
- int child, fd, status;
- int socket_fds[2];
- ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0,
- socket_fds));
- child = fork();
- ASSERT_LE(0, child);
- if (child == 0) {
- /*
- * Enables Landlock in the child process, open a file descriptor
- * where truncation is forbidden and send it to the
- * non-landlocked parent process.
- */
- const char *const path = file1_s1d1;
- const struct rule rules[] = {
- {
- .path = path,
- .access = variant->allowed,
- },
- {},
- };
- int fd, ruleset_fd;
- ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd = open(path, O_WRONLY);
- ASSERT_EQ(variant->expected_open_result, (fd < 0 ? errno : 0));
- if (fd >= 0) {
- ASSERT_EQ(0, send_fd(socket_fds[0], fd));
- ASSERT_EQ(0, close(fd));
- }
- ASSERT_EQ(0, close(socket_fds[0]));
- _exit(_metadata->exit_code);
- return;
- }
- if (variant->expected_open_result == 0) {
- fd = recv_fd(socket_fds[1]);
- ASSERT_LE(0, fd);
- EXPECT_EQ(variant->expected_ftruncate_result,
- test_ftruncate(fd));
- ASSERT_EQ(0, close(fd));
- }
- ASSERT_EQ(child, waitpid(child, &status, 0));
- ASSERT_EQ(1, WIFEXITED(status));
- ASSERT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
- ASSERT_EQ(0, close(socket_fds[0]));
- ASSERT_EQ(0, close(socket_fds[1]));
- }
- /* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
- static int test_fs_ioc_getflags_ioctl(int fd)
- {
- uint32_t flags;
- if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
- return errno;
- return 0;
- }
- TEST(memfd_ftruncate_and_ioctl)
- {
- const struct landlock_ruleset_attr attr = {
- .handled_access_fs = ACCESS_ALL,
- };
- int ruleset_fd, fd, i;
- /*
- * We exercise the same test both with and without Landlock enabled, to
- * ensure that it behaves the same in both cases.
- */
- for (i = 0; i < 2; i++) {
- /* Creates a new memfd. */
- fd = memfd_create("name", MFD_CLOEXEC);
- ASSERT_LE(0, fd);
- /*
- * Checks that operations associated with the opened file
- * (ftruncate, ioctl) are permitted on file descriptors that are
- * created in ways other than open(2).
- */
- EXPECT_EQ(0, test_ftruncate(fd));
- EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
- ASSERT_EQ(0, close(fd));
- /* Enables Landlock. */
- ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- }
- }
- static int test_fionread_ioctl(int fd)
- {
- size_t sz = 0;
- if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES)
- return errno;
- return 0;
- }
- TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl)
- {
- const struct landlock_ruleset_attr attr = {
- .handled_access_fs = ACCESS_ALL,
- };
- int ruleset_fd, fd;
- /*
- * Checks that for files opened with O_PATH, both ioctl(2) and
- * ftruncate(2) yield EBADF, as it is documented in open(2) for the
- * O_PATH flag.
- */
- fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, fd);
- EXPECT_EQ(EBADF, test_ftruncate(fd));
- EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
- ASSERT_EQ(0, close(fd));
- /* Enables Landlock. */
- ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Checks that after enabling Landlock,
- * - the file can still be opened with O_PATH
- * - both ioctl and truncate still yield EBADF (not EACCES).
- */
- fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, fd);
- EXPECT_EQ(EBADF, test_ftruncate(fd));
- EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
- ASSERT_EQ(0, close(fd));
- }
- /*
- * ioctl_error - generically call the given ioctl with a pointer to a
- * sufficiently large zeroed-out memory region.
- *
- * Returns the IOCTLs error, or 0.
- */
- static int ioctl_error(struct __test_metadata *const _metadata, int fd,
- unsigned int cmd)
- {
- char buf[128]; /* sufficiently large */
- int res, stdinbak_fd;
- /*
- * Depending on the IOCTL command, parts of the zeroed-out buffer might
- * be interpreted as file descriptor numbers. We do not want to
- * accidentally operate on file descriptor 0 (stdin), so we temporarily
- * move stdin to a different FD and close FD 0 for the IOCTL call.
- */
- stdinbak_fd = dup(0);
- ASSERT_LT(0, stdinbak_fd);
- ASSERT_EQ(0, close(0));
- /* Invokes the IOCTL with a zeroed-out buffer. */
- bzero(&buf, sizeof(buf));
- res = ioctl(fd, cmd, &buf);
- /* Restores the old FD 0 and closes the backup FD. */
- ASSERT_EQ(0, dup2(stdinbak_fd, 0));
- ASSERT_EQ(0, close(stdinbak_fd));
- if (res < 0)
- return errno;
- return 0;
- }
- /* Define some linux/falloc.h IOCTL commands which are not available in uapi headers. */
- struct space_resv {
- __s16 l_type;
- __s16 l_whence;
- __s64 l_start;
- __s64 l_len; /* len == 0 means until end of file */
- __s32 l_sysid;
- __u32 l_pid;
- __s32 l_pad[4]; /* reserved area */
- };
- #define FS_IOC_RESVSP _IOW('X', 40, struct space_resv)
- #define FS_IOC_UNRESVSP _IOW('X', 41, struct space_resv)
- #define FS_IOC_RESVSP64 _IOW('X', 42, struct space_resv)
- #define FS_IOC_UNRESVSP64 _IOW('X', 43, struct space_resv)
- #define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv)
- /*
- * Tests a series of blanket-permitted and denied IOCTLs.
- */
- TEST_F_FORK(layout1, blanket_permitted_ioctls)
- {
- const struct landlock_ruleset_attr attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- };
- int ruleset_fd, fd;
- /* Enables Landlock. */
- ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- fd = open("/dev/null", O_RDWR | O_CLOEXEC);
- ASSERT_LE(0, fd);
- /*
- * Checks permitted commands.
- * These ones may return errors, but should not be blocked by Landlock.
- */
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOCLEX));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONCLEX));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONBIO));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOASYNC));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOQSIZE));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIFREEZE));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FITHAW));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_FIEMAP));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIGETBSZ));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONE));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONERANGE));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIDEDUPERANGE));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSUUID));
- EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSSYSFSPATH));
- /*
- * Checks blocked commands.
- * A call to a blocked IOCTL command always returns EACCES.
- */
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFLAGS));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_SETFLAGS));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSGETXATTR));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSSETXATTR));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIBMAP));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP64));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP64));
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_ZERO_RANGE));
- /* Default case is also blocked. */
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, 0xc00ffeee));
- ASSERT_EQ(0, close(fd));
- }
- /*
- * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right,
- * because they are not character or block devices.
- */
- TEST_F_FORK(layout1, named_pipe_ioctl)
- {
- pid_t child_pid;
- int fd, ruleset_fd;
- const char *const path = file1_s1d1;
- const struct landlock_ruleset_attr attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- };
- ASSERT_EQ(0, unlink(path));
- ASSERT_EQ(0, mkfifo(path, 0600));
- /* Enables Landlock. */
- ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* The child process opens the pipe for writing. */
- child_pid = fork();
- ASSERT_NE(-1, child_pid);
- if (child_pid == 0) {
- fd = open(path, O_WRONLY);
- close(fd);
- exit(0);
- }
- fd = open(path, O_RDONLY);
- ASSERT_LE(0, fd);
- /* FIONREAD is implemented by pipefifo_fops. */
- EXPECT_EQ(0, test_fionread_ioctl(fd));
- ASSERT_EQ(0, close(fd));
- ASSERT_EQ(0, unlink(path));
- ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0));
- }
- /* For named UNIX domain sockets, no IOCTL restrictions apply. */
- TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
- {
- const char *const path = file1_s1d1;
- int srv_fd, cli_fd, ruleset_fd;
- struct sockaddr_un srv_un = {
- .sun_family = AF_UNIX,
- };
- struct sockaddr_un cli_un = {
- .sun_family = AF_UNIX,
- };
- const struct landlock_ruleset_attr attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- };
- /* Sets up a server */
- ASSERT_EQ(0, unlink(path));
- srv_fd = socket(AF_UNIX, SOCK_STREAM, 0);
- ASSERT_LE(0, srv_fd);
- strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path));
- ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, sizeof(srv_un)));
- ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */));
- /* Enables Landlock. */
- ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Sets up a client connection to it */
- cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
- ASSERT_LE(0, cli_fd);
- strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
- ASSERT_EQ(0,
- connect(cli_fd, (struct sockaddr *)&cli_un, sizeof(cli_un)));
- /* FIONREAD and other IOCTLs should not be forbidden. */
- EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
- EXPECT_EQ(0, close(cli_fd));
- EXPECT_EQ(0, close(srv_fd));
- }
- /* clang-format off */
- FIXTURE(ioctl) {};
- FIXTURE_SETUP(ioctl) {};
- FIXTURE_TEARDOWN(ioctl) {};
- /* clang-format on */
- FIXTURE_VARIANT(ioctl)
- {
- const __u64 handled;
- const __u64 allowed;
- const mode_t open_mode;
- /*
- * FIONREAD is used as a characteristic device-specific IOCTL command.
- * It is implemented in fs/ioctl.c for regular files,
- * but we do not blanket-permit it for devices.
- */
- const int expected_fionread_result;
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- .allowed = 0,
- .open_mode = O_RDWR,
- .expected_fionread_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- .allowed = LANDLOCK_ACCESS_FS_IOCTL_DEV,
- .open_mode = O_RDWR,
- .expected_fionread_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(ioctl, unhandled) {
- /* clang-format on */
- .handled = LANDLOCK_ACCESS_FS_EXECUTE,
- .allowed = LANDLOCK_ACCESS_FS_EXECUTE,
- .open_mode = O_RDWR,
- .expected_fionread_result = 0,
- };
- TEST_F_FORK(ioctl, handle_dir_access_file)
- {
- const int flag = 0;
- const struct rule rules[] = {
- {
- .path = "/dev",
- .access = variant->allowed,
- },
- {},
- };
- int file_fd, ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- file_fd = open("/dev/zero", variant->open_mode);
- ASSERT_LE(0, file_fd);
- /* Checks that IOCTL commands return the expected errors. */
- EXPECT_EQ(variant->expected_fionread_result,
- test_fionread_ioctl(file_fd));
- /* Checks that unrestrictable commands are unrestricted. */
- EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
- EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
- EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
- EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
- EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
- ASSERT_EQ(0, close(file_fd));
- }
- TEST_F_FORK(ioctl, handle_dir_access_dir)
- {
- const int flag = 0;
- const struct rule rules[] = {
- {
- .path = "/dev",
- .access = variant->allowed,
- },
- {},
- };
- int dir_fd, ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /*
- * Ignore variant->open_mode for this test, as we intend to open a
- * directory. If the directory can not be opened, the variant is
- * infeasible to test with an opened directory.
- */
- dir_fd = open("/dev", O_RDONLY);
- if (dir_fd < 0)
- return;
- /*
- * Checks that IOCTL commands return the expected errors.
- * We do not use the expected values from the fixture here.
- *
- * When using IOCTL on a directory, no Landlock restrictions apply.
- */
- EXPECT_EQ(0, test_fionread_ioctl(dir_fd));
- /* Checks that unrestrictable commands are unrestricted. */
- EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX));
- EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX));
- EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag));
- EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag));
- EXPECT_EQ(0, ioctl(dir_fd, FIGETBSZ, &flag));
- ASSERT_EQ(0, close(dir_fd));
- }
- TEST_F_FORK(ioctl, handle_file_access_file)
- {
- const int flag = 0;
- const struct rule rules[] = {
- {
- .path = "/dev/zero",
- .access = variant->allowed,
- },
- {},
- };
- int file_fd, ruleset_fd;
- /* Enables Landlock. */
- ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- file_fd = open("/dev/zero", variant->open_mode);
- ASSERT_LE(0, file_fd)
- {
- TH_LOG("Failed to open /dev/zero: %s", strerror(errno));
- }
- /* Checks that IOCTL commands return the expected errors. */
- EXPECT_EQ(variant->expected_fionread_result,
- test_fionread_ioctl(file_fd));
- /* Checks that unrestrictable commands are unrestricted. */
- EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
- EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
- EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
- EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
- EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag));
- ASSERT_EQ(0, close(file_fd));
- }
- /* clang-format off */
- FIXTURE(layout1_bind) {};
- /* clang-format on */
- static const char bind_dir_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3";
- static const char bind_file1_s1d3[] = TMP_DIR "/s2d1/s2d2/s1d3/f1";
- /* Move targets for disconnected path tests. */
- static const char dir_s4d1[] = TMP_DIR "/s4d1";
- static const char file1_s4d1[] = TMP_DIR "/s4d1/f1";
- static const char file2_s4d1[] = TMP_DIR "/s4d1/f2";
- static const char dir_s4d2[] = TMP_DIR "/s4d1/s4d2";
- static const char file1_s4d2[] = TMP_DIR "/s4d1/s4d2/f1";
- static const char file1_name[] = "f1";
- static const char file2_name[] = "f2";
- FIXTURE_SETUP(layout1_bind)
- {
- prepare_layout(_metadata);
- create_layout1(_metadata);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount(dir_s1d2, dir_s2d2, NULL, MS_BIND, NULL));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- FIXTURE_TEARDOWN_PARENT(layout1_bind)
- {
- /* umount(dir_s2d2)) is handled by namespace lifetime. */
- remove_path(file1_s4d1);
- remove_path(file2_s4d1);
- remove_layout1(_metadata);
- cleanup_layout(_metadata);
- }
- /*
- * layout1_bind hierarchy:
- *
- * tmp
- * ├── s1d1
- * │ ├── f1
- * │ ├── f2
- * │ └── s1d2
- * │ ├── f1
- * │ ├── f2
- * │ └── s1d3 [disconnected by path_disconnected]
- * │ ├── f1
- * │ └── f2
- * ├── s2d1
- * │ ├── f1
- * │ └── s2d2 [bind mount from s1d2]
- * │ ├── f1
- * │ ├── f2
- * │ └── s1d3
- * │ ├── f1
- * │ └── f2
- * ├── s3d1
- * │ └── s3d2
- * │ └── s3d3
- * └── s4d1 [renamed from s1d3 by path_disconnected]
- * ├── f1
- * ├── f2
- * └── s4d2
- * └── f1
- */
- TEST_F_FORK(layout1_bind, no_restriction)
- {
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s2d1, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY));
- ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY));
- ASSERT_EQ(ENOENT, test_open(dir_s2d3, O_RDONLY));
- ASSERT_EQ(ENOENT, test_open(file1_s2d3, O_RDONLY));
- ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
- ASSERT_EQ(0, test_open(dir_s3d1, O_RDONLY));
- }
- TEST_F_FORK(layout1_bind, same_content_same_file)
- {
- /*
- * Sets access right on parent directories of both source and
- * destination mount points.
- */
- const struct rule layer1_parent[] = {
- {
- .path = dir_s1d1,
- .access = ACCESS_RO,
- },
- {
- .path = dir_s2d1,
- .access = ACCESS_RW,
- },
- {},
- };
- /*
- * Sets access rights on the same bind-mounted directories. The result
- * should be ACCESS_RW for both directories, but not both hierarchies
- * because of the first layer.
- */
- const struct rule layer2_mount_point[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = dir_s2d2,
- .access = ACCESS_RW,
- },
- {},
- };
- /* Only allow read-access to the s1d3 hierarchies. */
- const struct rule layer3_source[] = {
- {
- .path = dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- /* Removes all access rights. */
- const struct rule layer4_destination[] = {
- {
- .path = bind_file1_s1d3,
- .access = LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- int ruleset_fd;
- /* Sets rules for the parent directories. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_parent);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks source hierarchy. */
- ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Checks destination hierarchy. */
- ASSERT_EQ(0, test_open(file1_s2d1, O_RDWR));
- ASSERT_EQ(0, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
- ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
- /* Sets rules for the mount points. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_mount_point);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks source hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- /* Checks destination hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s2d1, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s2d1, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s2d1, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(file1_s2d2, O_RDWR));
- ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
- /* Sets a (shared) rule only on the source. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_source);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks source hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d2, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s1d3, O_RDONLY | O_DIRECTORY));
- /* Checks destination hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s2d2, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s2d2, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY | O_DIRECTORY));
- ASSERT_EQ(0, test_open(bind_file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
- ASSERT_EQ(EACCES, test_open(bind_dir_s1d3, O_RDONLY | O_DIRECTORY));
- /* Sets a (shared) rule only on the destination. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_destination);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks source hierarchy. */
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(file1_s1d3, O_WRONLY));
- /* Checks destination hierarchy. */
- ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(bind_file1_s1d3, O_WRONLY));
- }
- TEST_F_FORK(layout1_bind, reparent_cross_mount)
- {
- const struct rule layer1[] = {
- {
- /* dir_s2d1 is beneath the dir_s2d2 mount point. */
- .path = dir_s2d1,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {
- .path = bind_dir_s1d3,
- .access = LANDLOCK_ACCESS_FS_EXECUTE,
- },
- {},
- };
- int ruleset_fd = create_ruleset(
- _metadata,
- LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_EXECUTE, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks basic denied move. */
- ASSERT_EQ(-1, rename(file1_s1d1, file1_s1d2));
- ASSERT_EQ(EXDEV, errno);
- /* Checks real cross-mount move (Landlock is not involved). */
- ASSERT_EQ(-1, rename(file1_s2d1, file1_s2d2));
- ASSERT_EQ(EXDEV, errno);
- /* Checks move that will give more accesses. */
- ASSERT_EQ(-1, rename(file1_s2d2, bind_file1_s1d3));
- ASSERT_EQ(EXDEV, errno);
- /* Checks legitimate downgrade move. */
- ASSERT_EQ(0, rename(bind_file1_s1d3, file1_s2d2));
- }
- /*
- * Make sure access to file through a disconnected path works as expected.
- * This test moves s1d3 to s4d1.
- */
- TEST_F_FORK(layout1_bind, path_disconnected)
- {
- const struct rule layer1_allow_all[] = {
- {
- .path = TMP_DIR,
- .access = ACCESS_ALL,
- },
- {},
- };
- const struct rule layer2_allow_just_f1[] = {
- {
- .path = file1_s1d3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const struct rule layer3_only_s1d2[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- /* Landlock should not deny access just because it is disconnected. */
- int ruleset_fd_l1 =
- create_ruleset(_metadata, ACCESS_ALL, layer1_allow_all);
- /* Creates the new ruleset now before we move the dir containing the file. */
- int ruleset_fd_l2 =
- create_ruleset(_metadata, ACCESS_RW, layer2_allow_just_f1);
- int ruleset_fd_l3 =
- create_ruleset(_metadata, ACCESS_RW, layer3_only_s1d2);
- int bind_s1d3_fd;
- ASSERT_LE(0, ruleset_fd_l1);
- ASSERT_LE(0, ruleset_fd_l2);
- ASSERT_LE(0, ruleset_fd_l3);
- enforce_ruleset(_metadata, ruleset_fd_l1);
- EXPECT_EQ(0, close(ruleset_fd_l1));
- bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, bind_s1d3_fd);
- /* Tests access is possible before we move. */
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY));
- /* Makes it disconnected. */
- ASSERT_EQ(0, rename(dir_s1d3, dir_s4d1))
- {
- TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d1,
- strerror(errno));
- }
- /* Tests that access is still possible. */
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- /*
- * Tests that ".." is not possible (not because of Landlock, but just
- * because it's disconnected).
- */
- EXPECT_EQ(ENOENT,
- test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY));
- /* This should still work with a narrower rule. */
- enforce_ruleset(_metadata, ruleset_fd_l2);
- EXPECT_EQ(0, close(ruleset_fd_l2));
- EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY));
- /*
- * Accessing a file through a disconnected file descriptor can still be
- * allowed by a rule tied to this file, even if it is no longer visible in
- * its mount point.
- */
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- enforce_ruleset(_metadata, ruleset_fd_l3);
- EXPECT_EQ(0, close(ruleset_fd_l3));
- EXPECT_EQ(EACCES, test_open(file1_s4d1, O_RDONLY));
- /*
- * Accessing a file through a disconnected file descriptor can still be
- * allowed by a rule tied to the original mount point, even if it is no
- * longer visible in its mount point.
- */
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- }
- /*
- * Test that renameat with disconnected paths works under Landlock. This test
- * moves s1d3 to s4d2, so that we can have a rule allowing refers on the move
- * target's immediate parent.
- */
- TEST_F_FORK(layout1_bind, path_disconnected_rename)
- {
- const struct rule layer1[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_DIR |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE |
- LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = dir_s4d1,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_DIR |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE |
- LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {}
- };
- /* This layer only handles LANDLOCK_ACCESS_FS_READ_FILE. */
- const struct rule layer2_only_s1d2[] = {
- {
- .path = dir_s1d2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- int ruleset_fd_l1, ruleset_fd_l2;
- pid_t child_pid;
- int bind_s1d3_fd, status;
- ASSERT_EQ(0, mkdir(dir_s4d1, 0755))
- {
- TH_LOG("Failed to create %s: %s", dir_s4d1, strerror(errno));
- }
- ruleset_fd_l1 = create_ruleset(_metadata, ACCESS_ALL, layer1);
- ruleset_fd_l2 = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
- layer2_only_s1d2);
- ASSERT_LE(0, ruleset_fd_l1);
- ASSERT_LE(0, ruleset_fd_l2);
- enforce_ruleset(_metadata, ruleset_fd_l1);
- EXPECT_EQ(0, close(ruleset_fd_l1));
- bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, bind_s1d3_fd);
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- /* Tests ENOENT priority over EACCES for disconnected directory. */
- EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, "..", O_DIRECTORY));
- ASSERT_EQ(0, rename(dir_s1d3, dir_s4d2))
- {
- TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d2,
- strerror(errno));
- }
- EXPECT_EQ(ENOENT, test_open_rel(bind_s1d3_fd, "..", O_DIRECTORY));
- /*
- * The file is no longer under s1d2 but we should still be able to access it
- * with layer 2 because its mount point is evaluated as the first valid
- * directory because it was initially a parent. Do a fork to test this so
- * we don't prevent ourselves from renaming it back later.
- */
- child_pid = fork();
- ASSERT_LE(0, child_pid);
- if (child_pid == 0) {
- enforce_ruleset(_metadata, ruleset_fd_l2);
- EXPECT_EQ(0, close(ruleset_fd_l2));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(EACCES, test_open(file1_s4d2, O_RDONLY));
- /*
- * Tests that access widening checks indeed prevents us from renaming it
- * back.
- */
- EXPECT_EQ(-1, rename(dir_s4d2, dir_s1d3));
- EXPECT_EQ(EXDEV, errno);
- /*
- * Including through the now disconnected fd (but it should return
- * EXDEV).
- */
- EXPECT_EQ(-1, renameat(bind_s1d3_fd, file1_name, AT_FDCWD,
- file1_s2d2));
- EXPECT_EQ(EXDEV, errno);
- _exit(_metadata->exit_code);
- return;
- }
- EXPECT_EQ(child_pid, waitpid(child_pid, &status, 0));
- EXPECT_EQ(1, WIFEXITED(status));
- EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
- ASSERT_EQ(0, rename(dir_s4d2, dir_s1d3))
- {
- TH_LOG("Failed to rename %s back to %s: %s", dir_s4d1, dir_s1d3,
- strerror(errno));
- }
- /* Now checks that we can access it under l2. */
- child_pid = fork();
- ASSERT_LE(0, child_pid);
- if (child_pid == 0) {
- enforce_ruleset(_metadata, ruleset_fd_l2);
- EXPECT_EQ(0, close(ruleset_fd_l2));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- _exit(_metadata->exit_code);
- return;
- }
- EXPECT_EQ(child_pid, waitpid(child_pid, &status, 0));
- EXPECT_EQ(1, WIFEXITED(status));
- EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
- /*
- * Also test that we can rename via a disconnected path. We move the
- * dir back to the disconnected place first, then we rename file1 to
- * file2 through our dir fd.
- */
- ASSERT_EQ(0, rename(dir_s1d3, dir_s4d2))
- {
- TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d2,
- strerror(errno));
- }
- ASSERT_EQ(0,
- renameat(bind_s1d3_fd, file1_name, bind_s1d3_fd, file2_name))
- {
- TH_LOG("Failed to rename %s to %s within disconnected %s: %s",
- file1_name, file2_name, bind_dir_s1d3, strerror(errno));
- }
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY));
- ASSERT_EQ(0, renameat(bind_s1d3_fd, file2_name, AT_FDCWD, file1_s2d2))
- {
- TH_LOG("Failed to rename %s to %s through disconnected %s: %s",
- file2_name, file1_s2d2, bind_dir_s1d3, strerror(errno));
- }
- EXPECT_EQ(0, test_open(file1_s2d2, O_RDONLY));
- EXPECT_EQ(0, test_open(file1_s1d2, O_RDONLY));
- /* Move it back using the disconnected path as the target. */
- ASSERT_EQ(0, renameat(AT_FDCWD, file1_s2d2, bind_s1d3_fd, file1_name))
- {
- TH_LOG("Failed to rename %s to %s through disconnected %s: %s",
- file1_s1d2, file1_name, bind_dir_s1d3, strerror(errno));
- }
- /* Now make it connected again. */
- ASSERT_EQ(0, rename(dir_s4d2, dir_s1d3))
- {
- TH_LOG("Failed to rename %s back to %s: %s", dir_s4d2, dir_s1d3,
- strerror(errno));
- }
- /* Checks again that we can access it under l2. */
- enforce_ruleset(_metadata, ruleset_fd_l2);
- EXPECT_EQ(0, close(ruleset_fd_l2));
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY));
- }
- /*
- * Test that linkat(2) with disconnected paths works under Landlock. This
- * test moves s1d3 to s4d1.
- */
- TEST_F_FORK(layout1_bind, path_disconnected_link)
- {
- /* Ruleset to be applied after renaming s1d3 to s4d1. */
- const struct rule layer1[] = {
- {
- .path = dir_s4d1,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REMOVE_FILE,
- },
- {}
- };
- int ruleset_fd, bind_s1d3_fd;
- /* Removes unneeded files created by layout1, otherwise it will EEXIST. */
- ASSERT_EQ(0, unlink(file1_s1d2));
- ASSERT_EQ(0, unlink(file2_s1d3));
- bind_s1d3_fd = open(bind_dir_s1d3, O_PATH | O_CLOEXEC);
- ASSERT_LE(0, bind_s1d3_fd);
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY));
- /* Disconnects bind_s1d3_fd. */
- ASSERT_EQ(0, rename(dir_s1d3, dir_s4d1))
- {
- TH_LOG("Failed to rename %s to %s: %s", dir_s1d3, dir_s4d1,
- strerror(errno));
- }
- /* Need this later to test different parent link. */
- ASSERT_EQ(0, mkdir(dir_s4d2, 0755))
- {
- TH_LOG("Failed to create %s: %s", dir_s4d2, strerror(errno));
- }
- ruleset_fd = create_ruleset(_metadata, ACCESS_ALL, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- EXPECT_EQ(0, close(ruleset_fd));
- /* From disconnected to connected. */
- ASSERT_EQ(0, linkat(bind_s1d3_fd, file1_name, AT_FDCWD, file1_s2d2, 0))
- {
- TH_LOG("Failed to link %s to %s via disconnected %s: %s",
- file1_name, file1_s2d2, bind_dir_s1d3, strerror(errno));
- }
- /* Tests that we can access via the new link... */
- EXPECT_EQ(0, test_open(file1_s2d2, O_RDONLY))
- {
- TH_LOG("Failed to open newly linked %s: %s", file1_s2d2,
- strerror(errno));
- }
- /* ...as well as the old one. */
- EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY))
- {
- TH_LOG("Failed to open original %s: %s", file1_s4d1,
- strerror(errno));
- }
- /* From connected to disconnected. */
- ASSERT_EQ(0, unlink(file1_s4d1));
- ASSERT_EQ(0, linkat(AT_FDCWD, file1_s2d2, bind_s1d3_fd, file2_name, 0))
- {
- TH_LOG("Failed to link %s to %s via disconnected %s: %s",
- file1_s2d2, file2_name, bind_dir_s1d3, strerror(errno));
- }
- EXPECT_EQ(0, test_open(file2_s4d1, O_RDONLY));
- ASSERT_EQ(0, unlink(file1_s2d2));
- /* From disconnected to disconnected (same parent). */
- ASSERT_EQ(0,
- linkat(bind_s1d3_fd, file2_name, bind_s1d3_fd, file1_name, 0))
- {
- TH_LOG("Failed to link %s to %s within disconnected %s: %s",
- file2_name, file1_name, bind_dir_s1d3, strerror(errno));
- }
- EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY))
- {
- TH_LOG("Failed to open newly linked %s: %s", file1_s4d1,
- strerror(errno));
- }
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY))
- {
- TH_LOG("Failed to open %s through newly created link under disconnected path: %s",
- file1_name, strerror(errno));
- }
- ASSERT_EQ(0, unlink(file2_s4d1));
- /* From disconnected to disconnected (different parent). */
- ASSERT_EQ(0,
- linkat(bind_s1d3_fd, file1_name, bind_s1d3_fd, "s4d2/f1", 0))
- {
- TH_LOG("Failed to link %s to %s within disconnected %s: %s",
- file1_name, "s4d2/f1", bind_dir_s1d3, strerror(errno));
- }
- EXPECT_EQ(0, test_open(file1_s4d2, O_RDONLY))
- {
- TH_LOG("Failed to open %s after link: %s", file1_s4d2,
- strerror(errno));
- }
- EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, "s4d2/f1", O_RDONLY))
- {
- TH_LOG("Failed to open %s through disconnected path after link: %s",
- "s4d2/f1", strerror(errno));
- }
- }
- /*
- * layout4_disconnected_leafs with bind mount and renames:
- *
- * tmp
- * ├── s1d1
- * │ └── s1d2 [source of the bind mount]
- * │ ├── s1d31
- * │ │ └── s1d41 [now renamed beneath s3d1]
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d32
- * │ └── s1d42 [now renamed beneath s4d1]
- * │ ├── f3
- * │ └── f4
- * ├── s2d1
- * │ └── s2d2 [bind mount of s1d2]
- * │ ├── s1d31
- * │ │ └── s1d41 [opened FD, now renamed beneath s3d1]
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d32
- * │ └── s1d42 [opened FD, now renamed beneath s4d1]
- * │ ├── f3
- * │ └── f4
- * ├── s3d1
- * │ └── s1d41 [renamed here]
- * │ ├── f1
- * │ └── f2
- * └── s4d1
- * └── s1d42 [renamed here]
- * ├── f3
- * └── f4
- */
- /* clang-format off */
- FIXTURE(layout4_disconnected_leafs) {
- int s2d2_fd;
- };
- /* clang-format on */
- FIXTURE_SETUP(layout4_disconnected_leafs)
- {
- prepare_layout(_metadata);
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f1");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f2");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f3");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f4");
- create_directory(_metadata, TMP_DIR "/s2d1/s2d2");
- create_directory(_metadata, TMP_DIR "/s3d1");
- create_directory(_metadata, TMP_DIR "/s4d1");
- self->s2d2_fd =
- open(TMP_DIR "/s2d1/s2d2", O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, self->s2d2_fd);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount(TMP_DIR "/s1d1/s1d2", TMP_DIR "/s2d1/s2d2", NULL,
- MS_BIND, NULL));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- FIXTURE_TEARDOWN_PARENT(layout4_disconnected_leafs)
- {
- /* umount(TMP_DIR "/s2d1") is handled by namespace lifetime. */
- /* Removes files after renames. */
- remove_path(TMP_DIR "/s3d1/s1d41/f1");
- remove_path(TMP_DIR "/s3d1/s1d41/f2");
- remove_path(TMP_DIR "/s4d1/s1d42/f1");
- remove_path(TMP_DIR "/s4d1/s1d42/f3");
- remove_path(TMP_DIR "/s4d1/s1d42/f4");
- remove_path(TMP_DIR "/s4d1/s1d42/f5");
- cleanup_layout(_metadata);
- }
- FIXTURE_VARIANT(layout4_disconnected_leafs)
- {
- /*
- * Parent of the bind mount source. It should always be ignored when
- * testing against files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_s1d1;
- /*
- * Source of bind mount (to s2d2). It should always be enforced when
- * testing against files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_s1d2;
- /*
- * Original parent of s1d41. It should always be ignored when testing
- * against files under the s1d41 disconnected directory.
- */
- const __u64 allowed_s1d31;
- /*
- * Original parent of s1d42. It should always be ignored when testing
- * against files under the s1d42 disconnected directory.
- */
- const __u64 allowed_s1d32;
- /*
- * Opened and disconnected source directory. It should always be enforced
- * when testing against files under the s1d41 disconnected directory.
- */
- const __u64 allowed_s1d41;
- /*
- * Opened and disconnected source directory. It should always be enforced
- * when testing against files under the s1d42 disconnected directory.
- */
- const __u64 allowed_s1d42;
- /*
- * File in the s1d41 disconnected directory. It should always be enforced
- * when testing against itself under the s1d41 disconnected directory.
- */
- const __u64 allowed_f1;
- /*
- * File in the s1d41 disconnected directory. It should always be enforced
- * when testing against itself under the s1d41 disconnected directory.
- */
- const __u64 allowed_f2;
- /*
- * File in the s1d42 disconnected directory. It should always be enforced
- * when testing against itself under the s1d42 disconnected directory.
- */
- const __u64 allowed_f3;
- /*
- * Parent of the bind mount destination. It should always be enforced when
- * testing against files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_s2d1;
- /*
- * Directory covered by the bind mount. It should always be ignored when
- * testing against files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_s2d2;
- /*
- * New parent of the renamed s1d41. It should always be ignored when
- * testing against files under the s1d41 disconnected directory.
- */
- const __u64 allowed_s3d1;
- /*
- * New parent of the renamed s1d42. It should always be ignored when
- * testing against files under the s1d42 disconnected directory.
- */
- const __u64 allowed_s4d1;
- /* Expected result of the call to open([fd:s1d41]/f1, O_RDONLY). */
- const int expected_read_result;
- /* Expected result of the call to renameat([fd:s1d41]/f1, [fd:s1d42]/f1). */
- const int expected_rename_result;
- /*
- * Expected result of the call to renameat([fd:s1d41]/f2, [fd:s1d42]/f3,
- * RENAME_EXCHANGE).
- */
- const int expected_exchange_result;
- /* Expected result of the call to renameat([fd:s1d42]/f4, [fd:s1d42]/f5). */
- const int expected_same_dir_rename_result;
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d1_mount_src_parent) {
- /* clang-format on */
- .allowed_s1d1 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_refer) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_create) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d2_mount_src_rename) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d31_s1d32_old_parent) {
- /* clang-format on */
- .allowed_s1d31 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s1d32 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_refer) {
- /* clang-format on */
- .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE,
- .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_create) {
- /* clang-format on */
- .allowed_s1d41 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s1d42 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_even) {
- /* clang-format on */
- .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* The destination directory has more access right. */
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_more) {
- /* clang-format on */
- .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_EXECUTE,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- /* Access denied. */
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* The destination directory has less access right. */
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s1d41_s1d42_disconnected_rename_less) {
- /* clang-format on */
- .allowed_s1d41 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_EXECUTE,
- .allowed_s1d42 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- /* Access allowed. */
- .expected_rename_result = 0,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_create) {
- /* clang-format on */
- .allowed_s2d1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_refer) {
- /* clang-format on */
- .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d1_mount_dst_parent_mini) {
- /* clang-format on */
- .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s2d2_covered_by_mount) {
- /* clang-format on */
- .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* Tests collect_domain_accesses(). */
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_new_parent_refer) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_new_parent_create) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs,
- s3d1_s4d1_disconnected_rename_even){
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* The destination directory has more access right. */
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_disconnected_rename_more) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_EXECUTE,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- /* Access denied. */
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* The destination directory has less access right. */
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, s3d1_s4d1_disconnected_rename_less) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_EXECUTE,
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- /* Access allowed. */
- .expected_rename_result = 0,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout4_disconnected_leafs, f1_f2_f3) {
- /* clang-format on */
- .allowed_f1 = LANDLOCK_ACCESS_FS_READ_FILE,
- .allowed_f2 = LANDLOCK_ACCESS_FS_READ_FILE,
- .allowed_f3 = LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- TEST_F_FORK(layout4_disconnected_leafs, read_rename_exchange)
- {
- const __u64 handled_access =
- LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_MAKE_REG;
- const struct rule rules[] = {
- {
- .path = TMP_DIR "/s1d1",
- .access = variant->allowed_s1d1,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2",
- .access = variant->allowed_s1d2,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d31",
- .access = variant->allowed_s1d31,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d32",
- .access = variant->allowed_s1d32,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41",
- .access = variant->allowed_s1d41,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d32/s1d42",
- .access = variant->allowed_s1d42,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f1",
- .access = variant->allowed_f1,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d31/s1d41/f2",
- .access = variant->allowed_f2,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d32/s1d42/f3",
- .access = variant->allowed_f3,
- },
- {
- .path = TMP_DIR "/s2d1",
- .access = variant->allowed_s2d1,
- },
- /* s2d2_fd */
- {
- .path = TMP_DIR "/s3d1",
- .access = variant->allowed_s3d1,
- },
- {
- .path = TMP_DIR "/s4d1",
- .access = variant->allowed_s4d1,
- },
- {},
- };
- int ruleset_fd, s1d41_bind_fd, s1d42_bind_fd;
- ruleset_fd = create_ruleset(_metadata, handled_access, rules);
- ASSERT_LE(0, ruleset_fd);
- /* Adds rule for the covered directory. */
- if (variant->allowed_s2d2) {
- ASSERT_EQ(0, landlock_add_rule(
- ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &(struct landlock_path_beneath_attr){
- .parent_fd = self->s2d2_fd,
- .allowed_access =
- variant->allowed_s2d2,
- },
- 0));
- }
- EXPECT_EQ(0, close(self->s2d2_fd));
- s1d41_bind_fd = open(TMP_DIR "/s2d1/s2d2/s1d31/s1d41",
- O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, s1d41_bind_fd);
- s1d42_bind_fd = open(TMP_DIR "/s2d1/s2d2/s1d32/s1d42",
- O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, s1d42_bind_fd);
- /* Disconnects and checks source and destination directories. */
- EXPECT_EQ(0, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY));
- EXPECT_EQ(0, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY));
- /* Renames to make it accessible through s3d1/s1d41 */
- ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s1d1/s1d2/s1d31/s1d41",
- AT_FDCWD, TMP_DIR "/s3d1/s1d41"));
- /* Renames to make it accessible through s4d1/s1d42 */
- ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s1d1/s1d2/s1d32/s1d42",
- AT_FDCWD, TMP_DIR "/s4d1/s1d42"));
- EXPECT_EQ(ENOENT, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY));
- EXPECT_EQ(ENOENT, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY));
- enforce_ruleset(_metadata, ruleset_fd);
- EXPECT_EQ(0, close(ruleset_fd));
- EXPECT_EQ(variant->expected_read_result,
- test_open_rel(s1d41_bind_fd, "f1", O_RDONLY));
- EXPECT_EQ(variant->expected_rename_result,
- test_renameat(s1d41_bind_fd, "f1", s1d42_bind_fd, "f1"));
- EXPECT_EQ(variant->expected_exchange_result,
- test_exchangeat(s1d41_bind_fd, "f2", s1d42_bind_fd, "f3"));
- EXPECT_EQ(variant->expected_same_dir_rename_result,
- test_renameat(s1d42_bind_fd, "f4", s1d42_bind_fd, "f5"));
- }
- /*
- * layout5_disconnected_branch before rename:
- *
- * tmp
- * ├── s1d1
- * │ └── s1d2 [source of the first bind mount]
- * │ └── s1d3
- * │ ├── s1d41
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d42
- * │ ├── f3
- * │ └── f4
- * ├── s2d1
- * │ └── s2d2 [source of the second bind mount]
- * │ └── s2d3
- * │ └── s2d4 [first s1d2 bind mount]
- * │ └── s1d3
- * │ ├── s1d41
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d42
- * │ ├── f3
- * │ └── f4
- * ├── s3d1
- * │ └── s3d2 [second s2d2 bind mount]
- * │ └── s2d3
- * │ └── s2d4 [first s1d2 bind mount]
- * │ └── s1d3
- * │ ├── s1d41
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d42
- * │ ├── f3
- * │ └── f4
- * └── s4d1
- *
- * After rename:
- *
- * tmp
- * ├── s1d1
- * │ └── s1d2 [source of the first bind mount]
- * │ └── s1d3
- * │ ├── s1d41
- * │ │ ├── f1
- * │ │ └── f2
- * │ └── s1d42
- * │ ├── f3
- * │ └── f4
- * ├── s2d1
- * │ └── s2d2 [source of the second bind mount]
- * ├── s3d1
- * │ └── s3d2 [second s2d2 bind mount]
- * └── s4d1
- * └── s2d3 [renamed here]
- * └── s2d4 [first s1d2 bind mount]
- * └── s1d3
- * ├── s1d41
- * │ ├── f1
- * │ └── f2
- * └── s1d42
- * ├── f3
- * └── f4
- *
- * Decision path for access from the s3d1/s3d2/s2d3/s2d4/s1d3 file descriptor:
- * 1. first bind mount: s1d3 -> s1d2
- * 2. second bind mount: s2d3
- * 3. tmp mount: s4d1 -> tmp [disconnected branch]
- * 4. second bind mount: s2d2
- * 5. tmp mount: s3d1 -> tmp
- * 6. parent mounts: [...] -> /
- *
- * The s4d1 directory is evaluated even if it is not in the s2d2 mount.
- */
- /* clang-format off */
- FIXTURE(layout5_disconnected_branch) {
- int s2d4_fd, s3d2_fd;
- };
- /* clang-format on */
- FIXTURE_SETUP(layout5_disconnected_branch)
- {
- prepare_layout(_metadata);
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f1");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f2");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f3");
- create_file(_metadata, TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f4");
- create_directory(_metadata, TMP_DIR "/s2d1/s2d2/s2d3/s2d4");
- create_directory(_metadata, TMP_DIR "/s3d1/s3d2");
- create_directory(_metadata, TMP_DIR "/s4d1");
- self->s2d4_fd = open(TMP_DIR "/s2d1/s2d2/s2d3/s2d4",
- O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, self->s2d4_fd);
- self->s3d2_fd =
- open(TMP_DIR "/s3d1/s3d2", O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, self->s3d2_fd);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount(TMP_DIR "/s1d1/s1d2", TMP_DIR "/s2d1/s2d2/s2d3/s2d4",
- NULL, MS_BIND, NULL));
- ASSERT_EQ(0, mount(TMP_DIR "/s2d1/s2d2", TMP_DIR "/s3d1/s3d2", NULL,
- MS_BIND | MS_REC, NULL));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- FIXTURE_TEARDOWN_PARENT(layout5_disconnected_branch)
- {
- /* Bind mounts are handled by namespace lifetime. */
- /* Removes files after renames. */
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f1");
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d41/f2");
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f1");
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f3");
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f4");
- remove_path(TMP_DIR "/s1d1/s1d2/s1d3/s1d42/f5");
- cleanup_layout(_metadata);
- }
- FIXTURE_VARIANT(layout5_disconnected_branch)
- {
- /*
- * Parent of all files. It should always be enforced when testing against
- * files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_base;
- /*
- * Parent of the first bind mount source. It should always be ignored when
- * testing against files under the s1d41 or s1d42 disconnected directories.
- */
- const __u64 allowed_s1d1;
- const __u64 allowed_s1d2;
- const __u64 allowed_s1d3;
- const __u64 allowed_s2d1;
- const __u64 allowed_s2d2;
- const __u64 allowed_s2d3;
- const __u64 allowed_s2d4;
- const __u64 allowed_s3d1;
- const __u64 allowed_s3d2;
- const __u64 allowed_s4d1;
- /* Expected result of the call to open([fd:s1d3]/s1d41/f1, O_RDONLY). */
- const int expected_read_result;
- /*
- * Expected result of the call to renameat([fd:s1d3]/s1d41/f1,
- * [fd:s1d3]/s1d42/f1).
- */
- const int expected_rename_result;
- /*
- * Expected result of the call to renameat([fd:s1d3]/s1d41/f2,
- * [fd:s1d3]/s1d42/f3, RENAME_EXCHANGE).
- */
- const int expected_exchange_result;
- /*
- * Expected result of the call to renameat([fd:s1d3]/s1d42/f4,
- * [fd:s1d3]/s1d42/f5).
- */
- const int expected_same_dir_rename_result;
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d1_mount1_src_parent) {
- /* clang-format on */
- .allowed_s1d1 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_refer) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_create) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d2_mount1_src_rename) {
- /* clang-format on */
- .allowed_s1d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_refer) {
- /* clang-format on */
- .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_create) {
- /* clang-format on */
- .allowed_s1d3 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_rename) {
- /* clang-format on */
- .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s1d3_fd_full) {
- /* clang-format on */
- .allowed_s1d3 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d1_mount2_src_parent) {
- /* clang-format on */
- .allowed_s2d1 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_refer) {
- /* clang-format on */
- .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_create) {
- /* clang-format on */
- .allowed_s2d2 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d2_mount2_src_rename) {
- /* clang-format on */
- .allowed_s2d2 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_refer) {
- /* clang-format on */
- .allowed_s2d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_create) {
- /* clang-format on */
- .allowed_s2d3 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d3_mount1_dst_parent_rename) {
- /* clang-format on */
- .allowed_s2d3 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s2d4_mount1_dst) {
- /* clang-format on */
- .allowed_s2d4 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_refer) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_create) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d1_mount2_dst_parent_rename) {
- /* clang-format on */
- .allowed_s3d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s3d2_mount1_dst) {
- /* clang-format on */
- .allowed_s3d2 = LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_refer) {
- /* clang-format on */
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = EACCES,
- .expected_rename_result = EACCES,
- .expected_exchange_result = EACCES,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_create) {
- /* clang-format on */
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = 0,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = EXDEV,
- .expected_exchange_result = EXDEV,
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout5_disconnected_branch, s4d1_rename_parent_rename) {
- /* clang-format on */
- .allowed_s4d1 = LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_MAKE_REG,
- .expected_read_result = EACCES,
- .expected_same_dir_rename_result = 0,
- .expected_rename_result = 0,
- .expected_exchange_result = 0,
- };
- TEST_F_FORK(layout5_disconnected_branch, read_rename_exchange)
- {
- const __u64 handled_access =
- LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_MAKE_REG;
- const struct rule rules[] = {
- {
- .path = TMP_DIR "/s1d1",
- .access = variant->allowed_s1d1,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2",
- .access = variant->allowed_s1d2,
- },
- {
- .path = TMP_DIR "/s1d1/s1d2/s1d3",
- .access = variant->allowed_s1d3,
- },
- {
- .path = TMP_DIR "/s2d1",
- .access = variant->allowed_s2d1,
- },
- {
- .path = TMP_DIR "/s2d1/s2d2",
- .access = variant->allowed_s2d2,
- },
- {
- .path = TMP_DIR "/s2d1/s2d2/s2d3",
- .access = variant->allowed_s2d3,
- },
- /* s2d4_fd */
- {
- .path = TMP_DIR "/s3d1",
- .access = variant->allowed_s3d1,
- },
- /* s3d2_fd */
- {
- .path = TMP_DIR "/s4d1",
- .access = variant->allowed_s4d1,
- },
- {},
- };
- int ruleset_fd, s1d3_bind_fd;
- ruleset_fd = create_ruleset(_metadata, handled_access, rules);
- ASSERT_LE(0, ruleset_fd);
- /* Adds rules for the covered directories. */
- if (variant->allowed_s2d4) {
- ASSERT_EQ(0, landlock_add_rule(
- ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &(struct landlock_path_beneath_attr){
- .parent_fd = self->s2d4_fd,
- .allowed_access =
- variant->allowed_s2d4,
- },
- 0));
- }
- EXPECT_EQ(0, close(self->s2d4_fd));
- if (variant->allowed_s3d2) {
- ASSERT_EQ(0, landlock_add_rule(
- ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
- &(struct landlock_path_beneath_attr){
- .parent_fd = self->s3d2_fd,
- .allowed_access =
- variant->allowed_s3d2,
- },
- 0));
- }
- EXPECT_EQ(0, close(self->s3d2_fd));
- s1d3_bind_fd = open(TMP_DIR "/s3d1/s3d2/s2d3/s2d4/s1d3",
- O_DIRECTORY | O_PATH | O_CLOEXEC);
- ASSERT_LE(0, s1d3_bind_fd);
- /* Disconnects and checks source and destination directories. */
- EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY));
- EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY));
- /* Renames to make it accessible through s3d1/s1d41 */
- ASSERT_EQ(0, test_renameat(AT_FDCWD, TMP_DIR "/s2d1/s2d2/s2d3",
- AT_FDCWD, TMP_DIR "/s4d1/s2d3"));
- EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY));
- EXPECT_EQ(ENOENT, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY));
- enforce_ruleset(_metadata, ruleset_fd);
- EXPECT_EQ(0, close(ruleset_fd));
- EXPECT_EQ(variant->expected_read_result,
- test_open_rel(s1d3_bind_fd, "s1d41/f1", O_RDONLY));
- EXPECT_EQ(variant->expected_rename_result,
- test_renameat(s1d3_bind_fd, "s1d41/f1", s1d3_bind_fd,
- "s1d42/f1"));
- EXPECT_EQ(variant->expected_exchange_result,
- test_exchangeat(s1d3_bind_fd, "s1d41/f2", s1d3_bind_fd,
- "s1d42/f3"));
- EXPECT_EQ(variant->expected_same_dir_rename_result,
- test_renameat(s1d3_bind_fd, "s1d42/f4", s1d3_bind_fd,
- "s1d42/f5"));
- }
- #define LOWER_BASE TMP_DIR "/lower"
- #define LOWER_DATA LOWER_BASE "/data"
- static const char lower_fl1[] = LOWER_DATA "/fl1";
- static const char lower_dl1[] = LOWER_DATA "/dl1";
- static const char lower_dl1_fl2[] = LOWER_DATA "/dl1/fl2";
- static const char lower_fo1[] = LOWER_DATA "/fo1";
- static const char lower_do1[] = LOWER_DATA "/do1";
- static const char lower_do1_fo2[] = LOWER_DATA "/do1/fo2";
- static const char lower_do1_fl3[] = LOWER_DATA "/do1/fl3";
- static const char (*lower_base_files[])[] = {
- &lower_fl1,
- &lower_fo1,
- NULL,
- };
- static const char (*lower_base_directories[])[] = {
- &lower_dl1,
- &lower_do1,
- NULL,
- };
- static const char (*lower_sub_files[])[] = {
- &lower_dl1_fl2,
- &lower_do1_fo2,
- &lower_do1_fl3,
- NULL,
- };
- #define UPPER_BASE TMP_DIR "/upper"
- #define UPPER_DATA UPPER_BASE "/data"
- #define UPPER_WORK UPPER_BASE "/work"
- static const char upper_fu1[] = UPPER_DATA "/fu1";
- static const char upper_du1[] = UPPER_DATA "/du1";
- static const char upper_du1_fu2[] = UPPER_DATA "/du1/fu2";
- static const char upper_fo1[] = UPPER_DATA "/fo1";
- static const char upper_do1[] = UPPER_DATA "/do1";
- static const char upper_do1_fo2[] = UPPER_DATA "/do1/fo2";
- static const char upper_do1_fu3[] = UPPER_DATA "/do1/fu3";
- static const char (*upper_base_files[])[] = {
- &upper_fu1,
- &upper_fo1,
- NULL,
- };
- static const char (*upper_base_directories[])[] = {
- &upper_du1,
- &upper_do1,
- NULL,
- };
- static const char (*upper_sub_files[])[] = {
- &upper_du1_fu2,
- &upper_do1_fo2,
- &upper_do1_fu3,
- NULL,
- };
- #define MERGE_BASE TMP_DIR "/merge"
- #define MERGE_DATA MERGE_BASE "/data"
- static const char merge_fl1[] = MERGE_DATA "/fl1";
- static const char merge_dl1[] = MERGE_DATA "/dl1";
- static const char merge_dl1_fl2[] = MERGE_DATA "/dl1/fl2";
- static const char merge_fu1[] = MERGE_DATA "/fu1";
- static const char merge_du1[] = MERGE_DATA "/du1";
- static const char merge_du1_fu2[] = MERGE_DATA "/du1/fu2";
- static const char merge_fo1[] = MERGE_DATA "/fo1";
- static const char merge_do1[] = MERGE_DATA "/do1";
- static const char merge_do1_fo2[] = MERGE_DATA "/do1/fo2";
- static const char merge_do1_fl3[] = MERGE_DATA "/do1/fl3";
- static const char merge_do1_fu3[] = MERGE_DATA "/do1/fu3";
- static const char (*merge_base_files[])[] = {
- &merge_fl1,
- &merge_fu1,
- &merge_fo1,
- NULL,
- };
- static const char (*merge_base_directories[])[] = {
- &merge_dl1,
- &merge_du1,
- &merge_do1,
- NULL,
- };
- static const char (*merge_sub_files[])[] = {
- &merge_dl1_fl2, &merge_du1_fu2, &merge_do1_fo2,
- &merge_do1_fl3, &merge_do1_fu3, NULL,
- };
- /*
- * layout2_overlay hierarchy:
- *
- * tmp
- * ├── lower
- * │ └── data
- * │ ├── dl1
- * │ │ └── fl2
- * │ ├── do1
- * │ │ ├── fl3
- * │ │ └── fo2
- * │ ├── fl1
- * │ └── fo1
- * ├── merge
- * │ └── data
- * │ ├── dl1
- * │ │ └── fl2
- * │ ├── do1
- * │ │ ├── fl3
- * │ │ ├── fo2
- * │ │ └── fu3
- * │ ├── du1
- * │ │ └── fu2
- * │ ├── fl1
- * │ ├── fo1
- * │ └── fu1
- * └── upper
- * ├── data
- * │ ├── do1
- * │ │ ├── fo2
- * │ │ └── fu3
- * │ ├── du1
- * │ │ └── fu2
- * │ ├── fo1
- * │ └── fu1
- * └── work
- * └── work
- */
- FIXTURE(layout2_overlay)
- {
- bool skip_test;
- };
- FIXTURE_SETUP(layout2_overlay)
- {
- if (!supports_filesystem("overlay")) {
- self->skip_test = true;
- SKIP(return, "overlayfs is not supported (setup)");
- }
- prepare_layout(_metadata);
- create_directory(_metadata, LOWER_BASE);
- set_cap(_metadata, CAP_SYS_ADMIN);
- /* Creates tmpfs mount points to get deterministic overlayfs. */
- ASSERT_EQ(0, mount_opt(&mnt_tmp, LOWER_BASE));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- create_file(_metadata, lower_fl1);
- create_file(_metadata, lower_dl1_fl2);
- create_file(_metadata, lower_fo1);
- create_file(_metadata, lower_do1_fo2);
- create_file(_metadata, lower_do1_fl3);
- create_directory(_metadata, UPPER_BASE);
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount_opt(&mnt_tmp, UPPER_BASE));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- create_file(_metadata, upper_fu1);
- create_file(_metadata, upper_du1_fu2);
- create_file(_metadata, upper_fo1);
- create_file(_metadata, upper_do1_fo2);
- create_file(_metadata, upper_do1_fu3);
- ASSERT_EQ(0, mkdir(UPPER_WORK, 0700));
- create_directory(_metadata, MERGE_DATA);
- set_cap(_metadata, CAP_SYS_ADMIN);
- set_cap(_metadata, CAP_DAC_OVERRIDE);
- ASSERT_EQ(0, mount("overlay", MERGE_DATA, "overlay", 0,
- "lowerdir=" LOWER_DATA ",upperdir=" UPPER_DATA
- ",workdir=" UPPER_WORK));
- clear_cap(_metadata, CAP_DAC_OVERRIDE);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- }
- FIXTURE_TEARDOWN_PARENT(layout2_overlay)
- {
- if (self->skip_test)
- SKIP(return, "overlayfs is not supported (teardown)");
- EXPECT_EQ(0, remove_path(lower_do1_fl3));
- EXPECT_EQ(0, remove_path(lower_dl1_fl2));
- EXPECT_EQ(0, remove_path(lower_fl1));
- EXPECT_EQ(0, remove_path(lower_do1_fo2));
- EXPECT_EQ(0, remove_path(lower_fo1));
- /* umount(LOWER_BASE)) is handled by namespace lifetime. */
- EXPECT_EQ(0, remove_path(LOWER_BASE));
- EXPECT_EQ(0, remove_path(upper_do1_fu3));
- EXPECT_EQ(0, remove_path(upper_du1_fu2));
- EXPECT_EQ(0, remove_path(upper_fu1));
- EXPECT_EQ(0, remove_path(upper_do1_fo2));
- EXPECT_EQ(0, remove_path(upper_fo1));
- EXPECT_EQ(0, remove_path(UPPER_WORK "/work"));
- /* umount(UPPER_BASE)) is handled by namespace lifetime. */
- EXPECT_EQ(0, remove_path(UPPER_BASE));
- /* umount(MERGE_DATA)) is handled by namespace lifetime. */
- EXPECT_EQ(0, remove_path(MERGE_DATA));
- cleanup_layout(_metadata);
- }
- TEST_F_FORK(layout2_overlay, no_restriction)
- {
- if (self->skip_test)
- SKIP(return, "overlayfs is not supported (test)");
- ASSERT_EQ(0, test_open(lower_fl1, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_dl1, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_dl1_fl2, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_fo1, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_do1, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_do1_fo2, O_RDONLY));
- ASSERT_EQ(0, test_open(lower_do1_fl3, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_fu1, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_du1, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_du1_fu2, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_fo1, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_do1, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_do1_fo2, O_RDONLY));
- ASSERT_EQ(0, test_open(upper_do1_fu3, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_fl1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_dl1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_dl1_fl2, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_fu1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_du1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_du1_fu2, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_fo1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_do1, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_do1_fo2, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_do1_fl3, O_RDONLY));
- ASSERT_EQ(0, test_open(merge_do1_fu3, O_RDONLY));
- }
- #define for_each_path(path_list, path_entry, i) \
- for (i = 0, path_entry = *path_list[i]; path_list[i]; \
- path_entry = *path_list[++i])
- TEST_F_FORK(layout2_overlay, same_content_different_file)
- {
- /* Sets access right on parent directories of both layers. */
- const struct rule layer1_base[] = {
- {
- .path = LOWER_BASE,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = UPPER_BASE,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = MERGE_BASE,
- .access = ACCESS_RW,
- },
- {},
- };
- const struct rule layer2_data[] = {
- {
- .path = LOWER_DATA,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = UPPER_DATA,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = MERGE_DATA,
- .access = ACCESS_RW,
- },
- {},
- };
- /* Sets access right on directories inside both layers. */
- const struct rule layer3_subdirs[] = {
- {
- .path = lower_dl1,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = lower_do1,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = upper_du1,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = upper_do1,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = merge_dl1,
- .access = ACCESS_RW,
- },
- {
- .path = merge_du1,
- .access = ACCESS_RW,
- },
- {
- .path = merge_do1,
- .access = ACCESS_RW,
- },
- {},
- };
- /* Tighten access rights to the files. */
- const struct rule layer4_files[] = {
- {
- .path = lower_dl1_fl2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = lower_do1_fo2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = lower_do1_fl3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = upper_du1_fu2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = upper_do1_fo2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = upper_do1_fu3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {
- .path = merge_dl1_fl2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = merge_du1_fu2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = merge_do1_fo2,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = merge_do1_fl3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {
- .path = merge_do1_fu3,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- const struct rule layer5_merge_only[] = {
- {
- .path = MERGE_DATA,
- .access = LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_WRITE_FILE,
- },
- {},
- };
- int ruleset_fd;
- size_t i;
- const char *path_entry;
- if (self->skip_test)
- SKIP(return, "overlayfs is not supported (test)");
- /* Sets rules on base directories (i.e. outside overlay scope). */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer1_base);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks lower layer. */
- for_each_path(lower_base_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- for_each_path(lower_base_directories, path_entry, i) {
- ASSERT_EQ(EACCES,
- test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(lower_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- /* Checks upper layer. */
- for_each_path(upper_base_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- for_each_path(upper_base_directories, path_entry, i) {
- ASSERT_EQ(EACCES,
- test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(upper_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- /*
- * Checks that access rights are independent from the lower and upper
- * layers: write access to upper files viewed through the merge point
- * is still allowed, and write access to lower file viewed (and copied)
- * through the merge point is still allowed.
- */
- for_each_path(merge_base_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- for_each_path(merge_base_directories, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(merge_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- /* Sets rules on data directories (i.e. inside overlay scope). */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer2_data);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks merge. */
- for_each_path(merge_base_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- for_each_path(merge_base_directories, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(merge_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- /* Same checks with tighter rules. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer3_subdirs);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks changes for lower layer. */
- for_each_path(lower_base_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
- }
- /* Checks changes for upper layer. */
- for_each_path(upper_base_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
- }
- /* Checks all merge accesses. */
- for_each_path(merge_base_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
- }
- for_each_path(merge_base_directories, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(merge_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- /* Sets rules directly on overlayed files. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer4_files);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks unchanged accesses on lower layer. */
- for_each_path(lower_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- /* Checks unchanged accesses on upper layer. */
- for_each_path(upper_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDONLY));
- ASSERT_EQ(EACCES, test_open(path_entry, O_WRONLY));
- }
- /* Checks all merge accesses. */
- for_each_path(merge_base_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
- }
- for_each_path(merge_base_directories, path_entry, i) {
- ASSERT_EQ(EACCES,
- test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(merge_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- /* Only allowes access to the merge hierarchy. */
- ruleset_fd = create_ruleset(_metadata, ACCESS_RW, layer5_merge_only);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks new accesses on lower layer. */
- for_each_path(lower_sub_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
- }
- /* Checks new accesses on upper layer. */
- for_each_path(upper_sub_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDONLY));
- }
- /* Checks all merge accesses. */
- for_each_path(merge_base_files, path_entry, i) {
- ASSERT_EQ(EACCES, test_open(path_entry, O_RDWR));
- }
- for_each_path(merge_base_directories, path_entry, i) {
- ASSERT_EQ(EACCES,
- test_open(path_entry, O_RDONLY | O_DIRECTORY));
- }
- for_each_path(merge_sub_files, path_entry, i) {
- ASSERT_EQ(0, test_open(path_entry, O_RDWR));
- }
- }
- FIXTURE(layout3_fs)
- {
- bool has_created_dir;
- bool has_created_file;
- bool skip_test;
- };
- FIXTURE_VARIANT(layout3_fs)
- {
- const struct mnt_opt mnt;
- const char *const file_path;
- unsigned int cwd_fs_magic;
- };
- /* clang-format off */
- FIXTURE_VARIANT_ADD(layout3_fs, tmpfs) {
- /* clang-format on */
- .mnt = {
- .type = "tmpfs",
- .data = MNT_TMP_DATA,
- },
- .file_path = file1_s1d1,
- };
- FIXTURE_VARIANT_ADD(layout3_fs, ramfs) {
- .mnt = {
- .type = "ramfs",
- .data = "mode=700",
- },
- .file_path = TMP_DIR "/dir/file",
- };
- FIXTURE_VARIANT_ADD(layout3_fs, cgroup2) {
- .mnt = {
- .type = "cgroup2",
- },
- .file_path = TMP_DIR "/test/cgroup.procs",
- };
- FIXTURE_VARIANT_ADD(layout3_fs, proc) {
- .mnt = {
- .type = "proc",
- },
- .file_path = TMP_DIR "/self/status",
- };
- FIXTURE_VARIANT_ADD(layout3_fs, sysfs) {
- .mnt = {
- .type = "sysfs",
- },
- .file_path = TMP_DIR "/kernel/notes",
- };
- FIXTURE_VARIANT_ADD(layout3_fs, hostfs) {
- .mnt = {
- .source = TMP_DIR,
- .flags = MS_BIND,
- },
- .file_path = TMP_DIR "/dir/file",
- .cwd_fs_magic = HOSTFS_SUPER_MAGIC,
- };
- static char *dirname_alloc(const char *path)
- {
- char *dup;
- if (!path)
- return NULL;
- dup = strdup(path);
- if (!dup)
- return NULL;
- return dirname(dup);
- }
- FIXTURE_SETUP(layout3_fs)
- {
- struct stat statbuf;
- char *dir_path = dirname_alloc(variant->file_path);
- if (!supports_filesystem(variant->mnt.type) ||
- !cwd_matches_fs(variant->cwd_fs_magic)) {
- self->skip_test = true;
- SKIP(return, "this filesystem is not supported (setup)");
- }
- prepare_layout_opt(_metadata, &variant->mnt);
- /* Creates directory when required. */
- if (stat(dir_path, &statbuf)) {
- set_cap(_metadata, CAP_DAC_OVERRIDE);
- EXPECT_EQ(0, mkdir(dir_path, 0700))
- {
- TH_LOG("Failed to create directory \"%s\": %s",
- dir_path, strerror(errno));
- }
- self->has_created_dir = true;
- clear_cap(_metadata, CAP_DAC_OVERRIDE);
- }
- /* Creates file when required. */
- if (stat(variant->file_path, &statbuf)) {
- int fd;
- set_cap(_metadata, CAP_DAC_OVERRIDE);
- fd = creat(variant->file_path, 0600);
- EXPECT_LE(0, fd)
- {
- TH_LOG("Failed to create file \"%s\": %s",
- variant->file_path, strerror(errno));
- }
- EXPECT_EQ(0, close(fd));
- self->has_created_file = true;
- clear_cap(_metadata, CAP_DAC_OVERRIDE);
- }
- free(dir_path);
- }
- FIXTURE_TEARDOWN_PARENT(layout3_fs)
- {
- if (self->skip_test)
- SKIP(return, "this filesystem is not supported (teardown)");
- if (self->has_created_file) {
- set_cap(_metadata, CAP_DAC_OVERRIDE);
- /*
- * Don't check for error because the file might already
- * have been removed (cf. release_inode test).
- */
- unlink(variant->file_path);
- clear_cap(_metadata, CAP_DAC_OVERRIDE);
- }
- if (self->has_created_dir) {
- char *dir_path = dirname_alloc(variant->file_path);
- set_cap(_metadata, CAP_DAC_OVERRIDE);
- /*
- * Don't check for error because the directory might already
- * have been removed (cf. release_inode test).
- */
- rmdir(dir_path);
- clear_cap(_metadata, CAP_DAC_OVERRIDE);
- free(dir_path);
- }
- cleanup_layout(_metadata);
- }
- static void layer3_fs_tag_inode(struct __test_metadata *const _metadata,
- FIXTURE_DATA(layout3_fs) * self,
- const FIXTURE_VARIANT(layout3_fs) * variant,
- const char *const rule_path)
- {
- const struct rule layer1_allow_read_file[] = {
- {
- .path = rule_path,
- .access = LANDLOCK_ACCESS_FS_READ_FILE,
- },
- {},
- };
- const struct landlock_ruleset_attr layer2_deny_everything_attr = {
- .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
- };
- const char *const dev_null_path = "/dev/null";
- int ruleset_fd;
- if (self->skip_test)
- SKIP(return, "this filesystem is not supported (test)");
- /* Checks without Landlock. */
- EXPECT_EQ(0, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
- EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
- ruleset_fd = create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE,
- layer1_allow_read_file);
- EXPECT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- EXPECT_EQ(0, close(ruleset_fd));
- EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
- EXPECT_EQ(0, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
- /* Forbids directory reading. */
- ruleset_fd =
- landlock_create_ruleset(&layer2_deny_everything_attr,
- sizeof(layer2_deny_everything_attr), 0);
- EXPECT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- EXPECT_EQ(0, close(ruleset_fd));
- /* Checks with Landlock and forbidden access. */
- EXPECT_EQ(EACCES, test_open(dev_null_path, O_RDONLY | O_CLOEXEC));
- EXPECT_EQ(EACCES, test_open(variant->file_path, O_RDONLY | O_CLOEXEC));
- }
- /* Matrix of tests to check file hierarchy evaluation. */
- TEST_F_FORK(layout3_fs, tag_inode_dir_parent)
- {
- /* The current directory must not be the root for this test. */
- layer3_fs_tag_inode(_metadata, self, variant, ".");
- }
- TEST_F_FORK(layout3_fs, tag_inode_dir_mnt)
- {
- layer3_fs_tag_inode(_metadata, self, variant, TMP_DIR);
- }
- TEST_F_FORK(layout3_fs, tag_inode_dir_child)
- {
- char *dir_path = dirname_alloc(variant->file_path);
- layer3_fs_tag_inode(_metadata, self, variant, dir_path);
- free(dir_path);
- }
- TEST_F_FORK(layout3_fs, tag_inode_file)
- {
- layer3_fs_tag_inode(_metadata, self, variant, variant->file_path);
- }
- /* Light version of layout1.release_inodes */
- TEST_F_FORK(layout3_fs, release_inodes)
- {
- const struct rule layer1[] = {
- {
- .path = TMP_DIR,
- .access = LANDLOCK_ACCESS_FS_READ_DIR,
- },
- {},
- };
- int ruleset_fd;
- if (self->skip_test)
- SKIP(return, "this filesystem is not supported (test)");
- /* Clean up for the teardown to not fail. */
- if (self->has_created_file)
- EXPECT_EQ(0, remove_path(variant->file_path));
- if (self->has_created_dir) {
- char *dir_path = dirname_alloc(variant->file_path);
- /* Don't check for error because of cgroup specificities. */
- remove_path(dir_path);
- free(dir_path);
- }
- ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, layer1);
- ASSERT_LE(0, ruleset_fd);
- /* Unmount the filesystem while it is being used by a ruleset. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, umount(TMP_DIR));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- /* Replaces with a new mount point to simplify FIXTURE_TEARDOWN. */
- set_cap(_metadata, CAP_SYS_ADMIN);
- ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR));
- clear_cap(_metadata, CAP_SYS_ADMIN);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- /* Checks that access to the new mount point is denied. */
- ASSERT_EQ(EACCES, test_open(TMP_DIR, O_RDONLY));
- }
- static int matches_log_fs_extra(struct __test_metadata *const _metadata,
- int audit_fd, const char *const blockers,
- const char *const path, const char *const extra)
- {
- static const char log_template[] = REGEX_LANDLOCK_PREFIX
- " blockers=fs\\.%s path=\"%s\" dev=\"[^\"]\\+\" ino=[0-9]\\+$";
- char *absolute_path = NULL;
- size_t log_match_remaining = sizeof(log_template) + strlen(blockers) +
- PATH_MAX * 2 +
- (extra ? strlen(extra) : 0) + 1;
- char log_match[log_match_remaining];
- char *log_match_cursor = log_match;
- size_t chunk_len;
- chunk_len = snprintf(log_match_cursor, log_match_remaining,
- REGEX_LANDLOCK_PREFIX " blockers=%s path=\"",
- blockers);
- if (chunk_len < 0 || chunk_len >= log_match_remaining)
- return -E2BIG;
- /*
- * It is assumed that absolute_path does not contain control
- * characters nor spaces, see audit_string_contains_control().
- */
- absolute_path = realpath(path, NULL);
- if (!absolute_path)
- return -errno;
- log_match_remaining -= chunk_len;
- log_match_cursor += chunk_len;
- log_match_cursor = regex_escape(absolute_path, log_match_cursor,
- log_match_remaining);
- free(absolute_path);
- if (log_match_cursor < 0)
- return (long long)log_match_cursor;
- log_match_remaining -= log_match_cursor - log_match;
- chunk_len = snprintf(log_match_cursor, log_match_remaining,
- "\" dev=\"[^\"]\\+\" ino=[0-9]\\+%s$",
- extra ?: "");
- if (chunk_len < 0 || chunk_len >= log_match_remaining)
- return -E2BIG;
- return audit_match_record(audit_fd, AUDIT_LANDLOCK_ACCESS, log_match,
- NULL);
- }
- static int matches_log_fs(struct __test_metadata *const _metadata, int audit_fd,
- const char *const blockers, const char *const path)
- {
- return matches_log_fs_extra(_metadata, audit_fd, blockers, path, NULL);
- }
- FIXTURE(audit_layout1)
- {
- struct audit_filter audit_filter;
- int audit_fd;
- };
- FIXTURE_SETUP(audit_layout1)
- {
- prepare_layout(_metadata);
- create_layout1(_metadata);
- set_cap(_metadata, CAP_AUDIT_CONTROL);
- self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
- EXPECT_LE(0, self->audit_fd);
- disable_caps(_metadata);
- }
- FIXTURE_TEARDOWN_PARENT(audit_layout1)
- {
- remove_layout1(_metadata);
- cleanup_layout(_metadata);
- EXPECT_EQ(0, audit_cleanup(-1, NULL));
- }
- TEST_F(audit_layout1, execute_make)
- {
- struct audit_records records;
- copy_file(_metadata, bin_true, file1_s1d1);
- test_execute(_metadata, 0, file1_s1d1);
- test_check_exec(_metadata, 0, file1_s1d1);
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
- .handled_access_fs =
- LANDLOCK_ACCESS_FS_EXECUTE,
- });
- test_execute(_metadata, EACCES, file1_s1d1);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.execute",
- file1_s1d1));
- test_check_exec(_metadata, EACCES, file1_s1d1);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.execute",
- file1_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- /*
- * Using a set of handled/denied access rights make it possible to check that
- * only the blocked ones are logged.
- */
- /* clang-format off */
- static const __u64 access_fs_16 =
- LANDLOCK_ACCESS_FS_EXECUTE |
- LANDLOCK_ACCESS_FS_WRITE_FILE |
- LANDLOCK_ACCESS_FS_READ_FILE |
- LANDLOCK_ACCESS_FS_READ_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_DIR |
- LANDLOCK_ACCESS_FS_REMOVE_FILE |
- LANDLOCK_ACCESS_FS_MAKE_CHAR |
- LANDLOCK_ACCESS_FS_MAKE_DIR |
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_MAKE_SOCK |
- LANDLOCK_ACCESS_FS_MAKE_FIFO |
- LANDLOCK_ACCESS_FS_MAKE_BLOCK |
- LANDLOCK_ACCESS_FS_MAKE_SYM |
- LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_TRUNCATE |
- LANDLOCK_ACCESS_FS_IOCTL_DEV;
- /* clang-format on */
- TEST_F(audit_layout1, execute_read)
- {
- struct audit_records records;
- copy_file(_metadata, bin_true, file1_s1d1);
- test_execute(_metadata, 0, file1_s1d1);
- test_check_exec(_metadata, 0, file1_s1d1);
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- /*
- * The only difference with the previous audit_layout1.execute_read test is
- * the extra ",fs\\.read_file" blocked by the executable file.
- */
- test_execute(_metadata, EACCES, file1_s1d1);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.execute,fs\\.read_file", file1_s1d1));
- test_check_exec(_metadata, EACCES, file1_s1d1);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.execute,fs\\.read_file", file1_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- TEST_F(audit_layout1, write_file)
- {
- struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.write_file", file1_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, read_file)
- {
- struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_file",
- file1_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, read_dir)
- {
- struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(EACCES, test_open(dir_s1d1, O_DIRECTORY));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.read_dir",
- dir_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, remove_dir)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- EXPECT_EQ(0, unlink(file2_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, rmdir(dir_s1d3));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_dir", dir_s1d2));
- EXPECT_EQ(-1, unlinkat(AT_FDCWD, dir_s1d3, AT_REMOVEDIR));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_dir", dir_s1d2));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- TEST_F(audit_layout1, remove_file)
- {
- struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, unlink(file1_s1d3));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_file", dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_char)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mknod(file1_s1d3, S_IFCHR | 0644, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_char",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_dir)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mkdir(file1_s1d3, 0755));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_dir",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_reg)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mknod(file1_s1d3, S_IFREG | 0644, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_reg",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_sock)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mknod(file1_s1d3, S_IFSOCK | 0644, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_sock",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_fifo)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mknod(file1_s1d3, S_IFIFO | 0644, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_fifo",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_block)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, mknod(file1_s1d3, S_IFBLK | 0644, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.make_block", dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, make_sym)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, symlink("target", file1_s1d3));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.make_sym",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, refer_handled)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs =
- LANDLOCK_ACCESS_FS_REFER,
- });
- EXPECT_EQ(-1, link(file1_s1d1, file1_s1d3));
- EXPECT_EQ(EXDEV, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
- dir_s1d1));
- EXPECT_EQ(0,
- matches_log_domain_allocated(self->audit_fd, getpid(), NULL));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
- dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- TEST_F(audit_layout1, refer_make)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
- .handled_access_fs =
- LANDLOCK_ACCESS_FS_MAKE_REG |
- LANDLOCK_ACCESS_FS_REFER,
- });
- EXPECT_EQ(-1, link(file1_s1d1, file1_s1d3));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
- dir_s1d1));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.make_reg,fs\\.refer", dir_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- TEST_F(audit_layout1, refer_rename)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(EACCES, test_rename(file1_s1d2, file1_s2d3));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_file,fs\\.refer", dir_s1d2));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
- dir_s2d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- TEST_F(audit_layout1, refer_exchange)
- {
- struct audit_records records;
- EXPECT_EQ(0, unlink(file1_s1d3));
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- /*
- * The only difference with the previous audit_layout1.refer_rename test is
- * the extra ",fs\\.make_reg" blocked by the source directory.
- */
- EXPECT_EQ(EACCES, test_exchange(file1_s1d2, file1_s2d3));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
- dir_s1d2));
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.remove_file,fs\\.make_reg,fs\\.refer",
- dir_s2d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(0, records.domain);
- }
- /*
- * This test checks that the audit record is correctly generated when the
- * operation is only partially denied. This is the case for rename(2) when the
- * source file is allowed to be referenced but the destination directory is not.
- *
- * This is also a regression test for commit d617f0d72d80 ("landlock: Optimize
- * file path walks and prepare for audit support") and commit 058518c20920
- * ("landlock: Align partial refer access checks with final ones").
- */
- TEST_F(audit_layout1, refer_rename_half)
- {
- struct audit_records records;
- const struct rule layer1[] = {
- {
- .path = dir_s2d2,
- .access = LANDLOCK_ACCESS_FS_REFER,
- },
- {},
- };
- int ruleset_fd =
- create_ruleset(_metadata, LANDLOCK_ACCESS_FS_REFER, layer1);
- ASSERT_LE(0, ruleset_fd);
- enforce_ruleset(_metadata, ruleset_fd);
- ASSERT_EQ(0, close(ruleset_fd));
- ASSERT_EQ(-1, rename(dir_s1d2, dir_s2d3));
- ASSERT_EQ(EXDEV, errno);
- /* Only half of the request is denied. */
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.refer",
- dir_s1d1));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, truncate)
- {
- struct audit_records records;
- drop_access_rights(_metadata, &(struct landlock_ruleset_attr){
- .handled_access_fs = access_fs_16,
- });
- EXPECT_EQ(-1, truncate(file1_s1d3, 0));
- EXPECT_EQ(EACCES, errno);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd, "fs\\.truncate",
- file1_s1d3));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, ioctl_dev)
- {
- struct audit_records records;
- int fd;
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
- .handled_access_fs =
- access_fs_16 &
- ~LANDLOCK_ACCESS_FS_READ_FILE,
- });
- fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
- ASSERT_LE(0, fd);
- EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD));
- EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
- "fs\\.ioctl_dev", "/dev/null",
- " ioctlcmd=0x541b"));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_F(audit_layout1, mount)
- {
- struct audit_records records;
- drop_access_rights(_metadata,
- &(struct landlock_ruleset_attr){
- .handled_access_fs =
- LANDLOCK_ACCESS_FS_EXECUTE,
- });
- set_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL));
- EXPECT_EQ(EPERM, errno);
- clear_cap(_metadata, CAP_SYS_ADMIN);
- EXPECT_EQ(0, matches_log_fs(_metadata, self->audit_fd,
- "fs\\.change_topology", dir_s3d2));
- EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
- EXPECT_EQ(0, records.access);
- EXPECT_EQ(1, records.domain);
- }
- TEST_HARNESS_MAIN
|