From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: John Johansen <john.johansen@canonical.com>,
linux-security-module@vger.kernel.org,
Tingmao Wang <m@maowtm.org>,
Justin Suess <utilityemal77@gmail.com>,
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>,
Matthieu Buffet <matthieu@buffet.re>,
Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com,
Demi Marie Obenour <demiobenour@gmail.com>,
Alyssa Ross <hi@alyssa.is>, Jann Horn <jannh@google.com>,
Tahera Fahimi <fahimitahera@gmail.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Kuniyuki Iwashima <kuniyu@google.com>
Subject: Re: [PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX
Date: Wed, 18 Mar 2026 17:53:38 +0100 [thread overview]
Message-ID: <20260318.chiMaiyuf6mo@digikod.net> (raw)
In-Reply-To: <20260315222150.121952-7-gnoack3000@gmail.com>
On Sun, Mar 15, 2026 at 11:21:47PM +0100, Günther Noack wrote:
> Add an audit test to check that Landlock denials from
> LANDLOCK_ACCESS_FS_RESOLVE_UNIX result in audit logs in the expected
> format. (There is one audit test for each filesystem access right, so
> we should add one for LANDLOCK_ACCESS_FS_RESOLVE_UNIX as well.)
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
> tools/testing/selftests/landlock/fs_test.c | 43 +++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index fdbb024da774..4198148e172f 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -7538,7 +7538,8 @@ static const __u64 access_fs_16 =
> LANDLOCK_ACCESS_FS_MAKE_SYM |
> LANDLOCK_ACCESS_FS_REFER |
> LANDLOCK_ACCESS_FS_TRUNCATE |
> - LANDLOCK_ACCESS_FS_IOCTL_DEV;
> + LANDLOCK_ACCESS_FS_IOCTL_DEV |
> + LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
The variable access_fs_16 contains 16 access rights. The idea was to
not need to change this variable with new FS access rights because the
tests should not change. I guess that was not a good choice because
new tests like audit_layout1.resolve_unix may not change the result of
existing tests (and then improve coverage). This variable can then be
replaced with ACCESS_ALL (in a dedicated patch please). If we need
exceptions we can mask the problematic access rights (see
audit_layout1.ioctl_dev).
> /* clang-format on */
>
> TEST_F(audit_layout1, execute_read)
> @@ -7983,6 +7984,46 @@ TEST_F(audit_layout1, ioctl_dev)
> EXPECT_EQ(1, records.domain);
> }
>
> +TEST_F(audit_layout1, resolve_unix)
> +{
> + struct audit_records records;
> + const char *const path = "sock";
> + int srv_fd, cli_fd, status;
> + pid_t child_pid;
> +
> + srv_fd = set_up_named_unix_server(_metadata, SOCK_STREAM, path);
> +
> + child_pid = fork();
> + ASSERT_LE(0, child_pid);
> + if (!child_pid) {
> + drop_access_rights(_metadata,
> + &(struct landlock_ruleset_attr){
> + .handled_access_fs = access_fs_16,
> + });
> +
> + cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
> + ASSERT_LE(0, cli_fd);
> + EXPECT_EQ(EACCES,
> + test_connect_named_unix(_metadata, cli_fd, path));
> +
> + EXPECT_EQ(0, close(cli_fd));
> + _exit(_metadata->exit_code);
> + }
> +
> + ASSERT_EQ(child_pid, waitpid(child_pid, &status, 0));
> + EXPECT_EQ(1, WIFEXITED(status));
> + EXPECT_EQ(EXIT_SUCCESS, WEXITSTATUS(status));
> +
> + EXPECT_EQ(0, matches_log_fs_extra(_metadata, self->audit_fd,
> + "fs\\.resolve_unix", path, NULL));
> +
> + EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
> + EXPECT_EQ(0, records.access);
> + EXPECT_EQ(1, records.domain);
> +
> + EXPECT_EQ(0, close(srv_fd));
> +}
> +
> TEST_F(audit_layout1, mount)
> {
> struct audit_records records;
> --
> 2.53.0
>
next prev parent reply other threads:[~2026-03-18 16:53 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 22:21 [PATCH v6 0/9] landlock: UNIX connect() control by pathname and scope Günther Noack
2026-03-15 22:21 ` [PATCH v6 1/9] lsm: Add LSM hook security_unix_find Günther Noack
2026-03-17 21:14 ` Mickaël Salaün
2026-03-17 21:34 ` Paul Moore
2026-03-17 23:20 ` [PATCH v7 " Justin Suess
2026-03-18 1:28 ` Paul Moore
2026-03-18 8:48 ` [PATCH v6 " Mickaël Salaün
2026-03-18 14:44 ` Paul Moore
2026-03-18 16:22 ` Mickaël Salaün
2026-03-18 16:43 ` Paul Moore
2026-03-23 14:37 ` Georgia Garcia
2026-03-23 20:26 ` Paul Moore
2026-03-18 16:51 ` Mickaël Salaün
2026-03-15 22:21 ` [PATCH v6 2/9] landlock: use mem_is_zero() in is_layer_masks_allowed() Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 10:50 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 3/9] landlock: Control pathname UNIX domain socket resolution by path Günther Noack
2026-03-18 11:15 ` Sebastian Andrzej Siewior
2026-03-18 14:14 ` Justin Suess
2026-03-18 15:05 ` Sebastian Andrzej Siewior
2026-03-18 16:26 ` Mickaël Salaün
2026-03-18 16:43 ` Justin Suess
2026-03-18 17:52 ` Mickaël Salaün
2026-03-20 12:28 ` Günther Noack
2026-03-18 16:52 ` Mickaël Salaün
2026-03-20 16:15 ` Günther Noack
2026-03-20 17:51 ` Mickaël Salaün
2026-03-20 22:25 ` Günther Noack
2026-03-21 9:09 ` Mickaël Salaün
2026-03-23 15:31 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 4/9] samples/landlock: Add support for named UNIX domain socket restrictions Günther Noack
2026-03-15 22:21 ` [PATCH v6 5/9] landlock/selftests: Test LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 10:51 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 6/9] landlock/selftests: Audit test for LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-03-18 16:53 ` Mickaël Salaün [this message]
2026-03-15 22:21 ` [PATCH v6 7/9] landlock/selftests: Check that coredump sockets stay unrestricted Günther Noack
2026-03-18 16:53 ` Mickaël Salaün
2026-03-20 16:44 ` Günther Noack
2026-03-15 22:21 ` [PATCH v6 8/9] landlock/selftests: fs_test: Simplify ruleset creation and enforcement Günther Noack
2026-03-15 22:21 ` [PATCH v6 9/9] landlock: Document FS access right for pathname UNIX sockets Günther Noack
2026-03-18 16:54 ` Mickaël Salaün
2026-03-20 17:04 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260318.chiMaiyuf6mo@digikod.net \
--to=mic@digikod.net \
--cc=bigeasy@linutronix.de \
--cc=demiobenour@gmail.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack3000@gmail.com \
--cc=hi@alyssa.is \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=john.johansen@canonical.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=kuniyu@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=samasth.norway.ananda@oracle.com \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.