From: "Günther Noack" <gnoack3000@gmail.com>
To: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Cc: mic@digikod.net, gnoack@google.com,
willemdebruijn.kernel@gmail.com, matthieu@buffet.re,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, yusongping@huawei.com,
artem.kuzin@huawei.com, konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH v4 12/19] selftests/landlock: Test socketpair(2) restriction
Date: Sat, 22 Nov 2025 11:16:00 +0100 [thread overview]
Message-ID: <20251122.4795c4c3bb03@gnoack.org> (raw)
In-Reply-To: <20251118134639.3314803-13-ivanov.mikhail1@huawei-partners.com>
On Tue, Nov 18, 2025 at 09:46:32PM +0800, Mikhail Ivanov wrote:
> diff --git a/tools/testing/selftests/landlock/socket_test.c b/tools/testing/selftests/landlock/socket_test.c
> index e22e10edb103..d1a004c2e0f5 100644
> --- a/tools/testing/selftests/landlock/socket_test.c
> +++ b/tools/testing/selftests/landlock/socket_test.c
> @@ -866,4 +866,59 @@ TEST_F(tcp_protocol, alias_restriction)
> }
> }
>
> +static int test_socketpair(int family, int type, int protocol)
> +{
> + int fds[2];
> + int err;
> +
> + err = socketpair(family, type | SOCK_CLOEXEC, protocol, fds);
> + if (err)
> + return errno;
> + /*
> + * Mixing error codes from close(2) and socketpair(2) should not lead to
> + * any (access type) confusion for this test.
> + */
> + if (close(fds[0]) != 0)
> + return errno;
> + if (close(fds[1]) != 0)
> + return errno;
Very minor nit: the function leaks an FD if it returns early after the
first close() call failed. (Highly unlikely to happen though.)
> + return 0;
> +}
> +
> +TEST_F(mini, socketpair)
> +{
> + const struct landlock_ruleset_attr ruleset_attr = {
> + .handled_access_socket = LANDLOCK_ACCESS_SOCKET_CREATE,
> + };
> + const struct landlock_socket_attr unix_socket_create = {
> + .allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
> + .family = AF_UNIX,
> + .type = SOCK_STREAM,
> + .protocol = 0,
> + };
> + int ruleset_fd;
> +
> + /* Tries to create socket when ruleset is not established. */
> + ASSERT_EQ(0, test_socketpair(AF_UNIX, SOCK_STREAM, 0));
> + ruleset_fd =
> + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
> + ASSERT_LE(0, ruleset_fd);
> +
> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_SOCKET,
> + &unix_socket_create, 0));
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + /* Tries to create socket when protocol is allowed */
> + EXPECT_EQ(0, test_socketpair(AF_UNIX, SOCK_STREAM, 0));
> +
> + ruleset_fd =
> + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
You may want to check that landlock_create_ruleset() succeeded here:
ASSERT_LE(0, ruleset_fd)
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> +
> + /* Tries to create socket when protocol is restricted. */
> + EXPECT_EQ(EACCES, test_socketpair(AF_UNIX, SOCK_STREAM, 0));
> +}
> +
> TEST_HARNESS_MAIN
> --
> 2.34.1
>
Otherwise, looks good.
–Günther
next prev parent reply other threads:[~2025-11-22 10:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-18 13:46 [RFC PATCH v4 00/19] Support socket access-control Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 01/19] landlock: " Mikhail Ivanov
2025-11-22 10:49 ` Günther Noack
2025-11-22 11:13 ` Mikhail Ivanov
2025-11-22 12:18 ` Günther Noack
2025-11-22 16:51 ` Mikhail Ivanov
2026-04-18 11:29 ` Mikhail Ivanov
2026-05-08 13:29 ` Mickaël Salaün
2025-11-18 13:46 ` [RFC PATCH v4 02/19] selftests/landlock: Test creating a ruleset with unknown access Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 03/19] selftests/landlock: Test adding a socket rule Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 04/19] selftests/landlock: Testing adding rule with wildcard value Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 05/19] selftests/landlock: Test acceptable ranges of socket rule key Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 06/19] landlock: Add hook on socket creation Mikhail Ivanov
2025-11-22 11:41 ` Günther Noack
2025-11-22 17:19 ` Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 07/19] selftests/landlock: Test basic socket restriction Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 08/19] selftests/landlock: Test network stack error code consistency Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 09/19] selftests/landlock: Test overlapped rulesets with rules of protocol ranges Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 10/19] selftests/landlock: Test that kernel space sockets are not restricted Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 11/19] selftests/landlock: Test protocol mappings Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 12/19] selftests/landlock: Test socketpair(2) restriction Mikhail Ivanov
2025-11-22 10:16 ` Günther Noack [this message]
2025-11-22 10:21 ` Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 13/19] selftests/landlock: Test SCTP peeloff restriction Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 14/19] selftests/landlock: Test that accept(2) is not restricted Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 15/19] lsm: Support logging socket common data Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 16/19] landlock: Log socket creation denials Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 17/19] selftests/landlock: Test socket creation denial log for audit Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 18/19] samples/landlock: Support socket protocol restrictions Mikhail Ivanov
2025-11-18 13:46 ` [RFC PATCH v4 19/19] landlock: Document socket rule type support Mikhail Ivanov
2026-04-08 10:26 ` [RFC PATCH v4 00/19] Support socket access-control Mickaël Salaün
2026-04-13 17:11 ` Mikhail Ivanov
2026-04-14 14:27 ` Mickaël Salaün
2026-04-14 19:45 ` Mikhail Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251122.4795c4c3bb03@gnoack.org \
--to=gnoack3000@gmail.com \
--cc=artem.kuzin@huawei.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=matthieu@buffet.re \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.